ACL problems on shared folder

Thomas Robers robers at tutech.de
Mon Jun 26 11:47:50 EEST 2017


Hello,

I have a Dovecot server, version 2.2.30.2, running on CentOS 6.9,
and there is a problem with ACLs on shared folders. We have
some mailboxes which are shared and used as "group mailboxes",
and also some users who share their INBOX, and only the INBOX,
e.g. while they are on holiday.
When I set

	"acl_defaults_from_inbox = yes"

it is not possible to restrict the access to only the INBOX,
meaning that a user who wants to share only their INBOX ends up
sharing the whole mailbox, because the INBOX's ACL then becomes the
default for every other folder. On the other hand, when I set

	"acl_defaults_from_inbox = no"

it is not possible to create a folder directly under the INBOX
of a "group mailbox"; one gets a "permission denied" error.
Is this the normal behaviour? The user who wants to create the
folder has all rights on the shared mailbox, yet still gets
"permission denied" -- why? Am I missing something important?
Has anyone who uses shared mailboxes had the same problem and
solved it? Any suggestion or information I may have missed is welcome.

If needed, here is my Dovecot configuration (doveconf -n output; the private key is hidden):


> # 2.2.30.2 (c0c463e): /etc/dovecot/dovecot.conf
> # Pigeonhole version 0.4.18 (29cc74d)
> # OS: Linux 2.6.32-696.3.1.el6.x86_64 x86_64 CentOS release 6.9 (Final) ext4
> # Lines starting "NOTE(review)" are reviewer annotations on this dump, not part
> # of the original configuration.
> # NOTE(review): auth_debug, auth_verbose and mail_debug are all on. Useful while
> # chasing the ACL problem, but chatty; switch them off once it is resolved.
> # auth_debug alone should not log passwords (that is auth_debug_passwords) -- verify.
> auth_debug = yes
> # NOTE(review): master users log in as "<user>*<masteruser>" and can open any
> # account; keep /etc/dovecot/master-users (the master passdb below) readable
> # only by the dovecot auth process.
> auth_master_user_separator = *
> auth_mechanisms = plain login
> auth_verbose = yes
> # NOTE(review): plaintext auth is permitted, but "ssl = required" below should
> # force TLS on every IMAP/POP3 session, so this mainly affects non-TLS paths
> # (presumably the Postfix SASL socket). Confirm that is the intent.
> disable_plaintext_auth = no
> mail_debug = yes
> # NOTE(review): %Lu lowercases the login name for the mailbox path.
> mail_location = maildir:/export/home/imap/%Lu/Maildir
> mail_plugins = acl zlib mail_log notify
> mailbox_idle_check_interval = 10 secs
> mailbox_list_index = yes
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
> mbox_write_locks = fcntl
> # Shared namespace: other users' mailboxes appear under shared/<owner>/.
> namespace {
>   hidden = no
>   ignore_on_failure = no
>   inbox = no
>   list = children
>   # NOTE(review): %%h is the OWNER's home as returned by the userdb, %h the
>   # accessing user's. This assumes the LDAP userdb home resolves to
>   # /export/home/imap/<user> so that it matches mail_location, and note the
>   # owner part uses %%u (case preserved) while mail_location uses %Lu
>   # (lowercased) -- confirm both agree, otherwise shares resolve to the wrong
>   # directory. INDEXPVT keeps per-user private flags under the accessor's home.
>   location = maildir:%%h/Maildir:INDEXPVT=%h/shared/%%u
>   prefix = shared/%%u/
>   separator = /
>   subscriptions = yes
>   type = shared
> }
> # Private namespace; all folders live under INBOX/ with "/" as separator, so a
> # folder "directly under the inbox" is INBOX/<name>.
> namespace inbox {
>   hidden = no
>   inbox = yes
>   list = yes
>   location = 
>   mailbox Drafts {
>     special_use = \Drafts
>   }
>   mailbox Junk {
>     special_use = \Junk
>   }
>   mailbox Sent {
>     special_use = \Sent
>   }
>   mailbox "Sent Messages" {
>     special_use = \Sent
>   }
>   mailbox Trash {
>     special_use = \Trash
>   }
>   prefix = INBOX/
>   separator = /
>   type = private
> }
> # Master-user passdb is consulted first; see note on auth_master_user_separator.
> passdb {
>   args = /etc/dovecot/master-users
>   driver = passwd-file
>   master = yes
> }
> passdb {
>   args = /etc/dovecot/dovecot-ldap.conf.ext
>   driver = ldap
> }
> plugin {
>   # NOTE(review): global ACL file with a 5-minute cache; ACL edits made while
>   # testing may take up to cache_secs to become visible.
>   # acl_defaults_from_inbox is not present in this dump, so the default (no)
>   # is in effect here; the message text describes toggling it.
>   acl = vfile:/etc/dovecot/global-acls:cache_secs=300
>   # NOTE(review): dict recording which users have shared mailboxes with whom;
>   # it must be writable by the mail process user (presumably vmail) for the
>   # shared namespace to list anything.
>   acl_shared_dict = file:/export/home/shared-db/shared-mailboxes
>   mail_log_events = append delete undelete expunge copy mailbox_delete mailbox_rename flag_change
>   mail_log_fields = uid box msgid size from flags
>   sieve = ~/.dovecot.sieve
>   sieve_dir = ~/sieve
>   sieve_global = /var/lib/dovecot/sieve/global/
>   sieve_user_log = ~/.dovecot.sieve.log
>   zlib_save = gz
>   zlib_save_level = 6
> }
> protocols = imap pop3 lmtp sieve
> service auth {
>   # NOTE(review): 0666 is the stock Postfix SASL recipe; access control relies on
>   # the permissions of /var/spool/postfix/private itself -- confirm that
>   # directory is not world-accessible.
>   unix_listener /var/spool/postfix/private/auth {
>     mode = 0666
>   }
>   unix_listener auth-userdb {
>     group = vmail
>     mode = 0660
>     user = vmail
>   }
> }
> service imap-login {
>   process_limit = 500
>   process_min_avail = 20
> }
> # LMTP is bound to loopback only.
> service lmtp {
>   inet_listener lmtp {
>     address = 127.0.0.1
>     port = 24
>   }
> }
> service managesieve-login {
>   inet_listener sieve {
>     port = 4190
>   }
>   # NOTE(review): legacy ManageSieve port; drop this listener if no client
>   # still needs it.
>   inet_listener sieve_deprecated {
>     port = 2000
>   }
> }
> ssl = required
> ssl_cert = </etc/pki/dovecot/certs/mail.tutech.de.crt_chain
> # NOTE(review): this list only excludes LOW/EXPORT/anonymous suites, so RC4,
> # 3DES and MD5-MAC suites are still offered. Consider something like
> # "HIGH:!aNULL:!MD5:!RC4:!3DES" plus ssl_prefer_server_ciphers = yes, after
> # checking the clients in use.
> ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL:!EXPORT
> ssl_key =  # hidden, use -P to show it
> # NOTE(review): TLSv1.0 and TLSv1.1 remain enabled; add !TLSv1 !TLSv1.1 if the
> # client base allows it.
> ssl_protocols = !SSLv3 !SSLv2
> syslog_facility = local6
> userdb {
>   args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
>   driver = ldap
> }
> protocol lmtp {
>   mail_plugins = acl zlib mail_log notify sieve
> }
> protocol imap {
>   mail_max_userip_connections = 100
>   # imap_acl exposes the ACL extension (GETACL/SETACL) to IMAP clients.
>   mail_plugins = acl zlib mail_log notify imap_zlib imap_acl
> }


TIA & Regards,
Thomas


