[Dovecot] permission problem when using public namespace and "subscription = yes"

Lars Uhlmann dovecot at lars-uhlmann.de
Wed Sep 4 17:20:39 EEST 2013

I have configured an public namespace "Test" for a group of users:

| namespace public {
|    separator = .
|    prefix = Test.
|    location = maildir:/mailroot/public/Test
|    hidden = no
|    list = yes
|    subscriptions = yes
| }

Using each users own subscription file for a public mailbox doesn't
make sense when the mailbox is heavily used. Every directory operation
(create/rename) needs to be synced between all subscribers
automatically and immediately. So I set "subscriptions = yes".

My ACLS look like this:

| user=mark lrwstiekx
| user=tim lrwstiekx
| user=max lr
| user=jenny lrwstiekx
| user=louis lr

Nevertheless _all_ my mail users still have access to the namespace's
directory tree.
It is my understanding that when a user doesn't has 'lookup' access, he
should not be able to subscribe to this mailbox.
In my opinion this is a security problem. ACLs must be processed
_before_ a shared subscrition file is parsed.


More information about the dovecot mailing list