[Dovecot] user login on behalf of another user
rog7993 at web.de
Sun Feb 5 18:53:50 EET 2012
Hello,
we are searching for a possibility to configure a user login on behalf
of another user with a PAM backend. This resembles the behavior of a
master user. But a master user can access the mailboxes of all users. We
need this to be more restricted.
Example:
User "user1" and "user2" shall get access to the mailbox "info". We
define the accounts "info~user1" and "info~user2" with the same home
directory as "info".
Until now, we use a passwd-file backend. With this setup we can simply
copy the password hash from "user1" to "info~user1" and from "user2" to
"info~user2". But we intend to change the passdb backend from a flat
file to PAM for authentication against Active Directory. This seems to
be simple with pam_krb5. But then we can't simply copy password hashes
anymore. Is there another possibility for configuring this?
Surely the preferable alternative would be the use of ACLs to give
access to other users' mailboxes. But we started this setup with Dovecot
1.0 or 1.1. And with these versions, ACLs weren't available. And now we
have too many accounts and clients that are configured this way, and we
can't change this in the short term.
The passdb/userdb file from the above example looks like this:
info:!:501:501:Info:/home/mail01/info::
info~user1:PASSWORD_USER1:501:501:Info:/home/mail01/info:: \
userdb_mail=maildir:~/Maildir: \
INDEX=/srv/dovecot/index/info: \
CONTROL=/srv/dovecot/control/info
info~user2:PASSWORD_USER2:501:501:Info:/home/mail01/info:: \
userdb_mail=maildir:~/Maildir: \
INDEX=/srv/dovecot/index/info: \
CONTROL=/srv/dovecot/control/info
user1:PASSWORD_USER1:501:501:Info:/home/mail01/user1::
user2:PASSWORD_USER2:501:501:Info:/home/mail01/user2::
Ingo Rogalsky
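
The passwd-file scheme described in this message depends on every "mailbox~user" entry carrying a copy of that user's current password hash. As an added example (not part of the original post and not Dovecot code), the Python script below audits such a file for delegate entries whose copied hash has drifted from the user's own entry or whose user no longer exists. The sample data, function names and status labels are constructed for illustration, and the field layout `user:password:uid:gid:gecos:home:shell:extra_fields` is assumed.

```python
# Added example: audit "mailbox~user" delegate entries in a Dovecot passwd-file.
# Assumed layout: user:password:uid:gid:gecos:home:shell:extra_fields

# Constructed sample data; the password fields are placeholders, not real hashes.
SAMPLE = """\
info:!:501:501:Info:/home/mail01/info::
info~user1:HASH_USER1:501:501:Info:/home/mail01/info::userdb_mail=maildir:~/Maildir
info~user2:HASH_USER2_OLD:501:501:Info:/home/mail01/info::userdb_mail=maildir:~/Maildir
info~user3:HASH_USER3:501:501:Info:/home/mail01/info::userdb_mail=maildir:~/Maildir
user1:HASH_USER1:501:501:User1:/home/mail01/user1::
user2:HASH_USER2_NEW:501:501:User2:/home/mail01/user2::
"""

def parse_passwd_file(text):
    """Return {username: {"password": ..., "home": ...}} for each entry."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # skip blank and comment lines
            continue
        fields = line.split(":", 7)           # extra_fields may contain ':'
        fields += [""] * (8 - len(fields))    # tolerate short lines
        entries[fields[0]] = {"password": fields[1], "home": fields[5]}
    return entries

def audit_delegates(entries, sep="~"):
    """Return (mailbox, delegate, status) for every 'mailbox<sep>user' entry."""
    findings = []
    for name, entry in sorted(entries.items()):
        if sep not in name:
            continue
        mailbox, delegate = name.split(sep, 1)
        shared, owner = entries.get(mailbox), entries.get(delegate)
        if shared is None:
            status = "no-such-mailbox"   # delegate entry points at nothing
        elif owner is None:
            status = "orphaned"          # user removed, delegate login remains
        elif entry["password"] != owner["password"]:
            status = "stale-hash"        # an old password still opens the mailbox
        elif entry["home"] != shared["home"]:
            status = "home-mismatch"     # entry no longer maps to the shared mailbox
        else:
            status = "ok"
        findings.append((mailbox, delegate, status))
    return findings

if __name__ == "__main__":
    for mailbox, delegate, status in audit_delegates(parse_passwd_file(SAMPLE)):
        print(f"{mailbox:<8} {delegate:<8} {status}")
```

Comparing the password fields as strings is sufficient here because the scheme copies the hash verbatim, salt included.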