ACL on shared folder
T.Robers at smtp.tutech.de
Mon Nov 13 17:01:51 EET 2017
Hello everybody,
we're using shared mailboxes as an archive to which
everyone has full rights, set with doveadm. The rights
look like this:
doveadm acl get -u bob at example.com shared/archive at example.com
ID Global Rights
user=bob at example.com admin create delete expunge insert lookup \
post read write write-deleted write-seen
Looking at this I would think I should be able to
move an existing folder to shared/archive at example.com. But I get
a "permission denied".
A rawlog session from trying to copy looks like this:
1 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY
THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT
CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES
WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE NOTIFY ACL RIGHTS=texk] Logged in
* ID ("name" "Dovecot")
2 OK ID completed (0.001 + 0.000 secs).
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] Flags permitted.
* 0 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 1510573115] UIDs valid
* OK [UIDNEXT 1] Predicted next UID
3 OK [READ-WRITE] Select completed (0.005 + 0.000 + 0.004 secs).
* MYRIGHTS shared/archive at example.com/IT-Sachen/blablub lrwstipekxacd
4 OK Myrights completed (0.001 + 0.000 secs).
+ idling
* OK Still here
5 OK Idle completed (4.007 + 4.006 + 4.006 secs).
6 OK NOOP completed (0.001 + 0.000 secs).
+ idling
7 OK Idle completed (42.014 + 42.013 + 42.013 secs).
8 OK List completed (0.015 + 0.000 + 0.014 secs).
9 OK Close completed (0.001 + 0.000 secs).
10 NO [NOPERM] Permission denied (0.005 + 0.000 + 0.004 secs).
I don't understand why there is a "permission denied" when doveadm reports something else.
The shared mailbox folder is the inbox of the account archive at example.com.
What has to be changed so that it is possible to save messages in, or to create folders
under, a shared inbox -- or is this not possible?
Any suggestion is welcome.
Tia
Thomas
My configuration:
# 2.2.33.2 (d6601f4ec): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.21 (92477967)
# OS: Linux 2.6.32-696.13.2.el6.x86_64 x86_64 CentOS release 6.9 (Final) ext4
#
# This is a doveconf -n dump as posted to the list. The "# NOTE(review)" and
# other comment lines were added afterwards and are not part of the original
# file; values printed as "# hidden, use -P to show it" are doveconf's own
# redaction of secrets, not settings.
#
# NOTE(review): auth_debug, auth_debug_passwords, auth_verbose and mail_debug
# are all switched on. auth_debug_passwords is documented by Dovecot as a
# debugging aid that writes the passwords it sees into the auth log, so treat
# this as a temporary troubleshooting profile: turn it back off, and rotate or
# purge any log that captured credentials, once the ACL question is settled.
auth_debug = yes
auth_debug_passwords = yes
# "*" is the master-user separator (login name "master*user"). Combined with
# the passwd-file passdb marked master = yes below, any account listed in
# /etc/dovecot/master-users can open any user's mailbox -- keep that file
# minimal and its permissions tight.
auth_master_user_separator = *
auth_mechanisms = plain login
auth_verbose = yes
# NOTE(review): plaintext mechanisms (plain, login) are allowed over any
# connection here. Because ssl = required is set further down, non-TLS
# IMAP/POP3 sessions should be refused anyway, so in effect this is
# "plaintext only inside TLS" -- confirm that is the intent.
disable_plaintext_auth = no
doveadm_password = # hidden, use -P to show it
# NOTE(review): doveadm_port plus the address-less inet_listener in
# "service doveadm" below exposes the doveadm protocol on every interface,
# guarded by doveadm_password alone. If the replica (mail_replica, further
# down) is the only intended client, bind the listener to a specific address
# or restrict the port with the host firewall.
doveadm_port = 12345
imap_max_line_length = 2 M
mail_debug = yes
# %Lu is the lowercased login name; the shared namespace below reuses this
# layout for the owning user via %%h.
mail_location = maildir:/export/home/imap/%Lu/Maildir
# Global plugin list; the "protocol lmtp" and "protocol imap" blocks at the end
# extend it (sieve for LMTP, imap_acl for IMAP).
mail_plugins = acl mail_log notify
mailbox_idle_check_interval = 10 secs
mailbox_list_index = yes
managesieve_notify_capability = mailto
# NOTE(review): the two lines after managesieve_sieve_capability are the
# continuation of that single value, wrapped by the mail client when it was
# posted. As pasted they would not parse; join them back onto one line before
# reusing this dump.
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress
comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify
environment mailbox date index ihave duplicate mime foreverypart extracttext
# Shared namespace: other users' mailboxes are reachable as shared/<user>/...,
# which is where "shared/archive at example.com" in the question comes from.
# In a shared namespace %%h and %%u refer to the *owning* user, while %h is
# the user who is accessing the mailbox; INDEXPVT therefore keeps the
# accessing user's private index (per-user flags) under their own home.
namespace {
hidden = no
ignore_on_failure = no
inbox = no
# list = children: the namespace is only listed to a user when something is
# actually shared with them (tracked via acl_shared_dict below).
list = children
location = maildir:%%h/Maildir:INDEXPVT=%h/shared/%%u
prefix = shared/%%u/
separator = /
subscriptions = yes
type = shared
}
# Private namespace with an "INBOX/" prefix: the user's own folders live under
# INBOX/... . location is empty, so mail_location above applies.
namespace inbox {
hidden = no
inbox = yes
list = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
# Two folders carry \Sent (Sent and "Sent Messages"); harmless, but clients
# that pick the first \Sent folder they see may end up using either.
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix = INBOX/
separator = /
type = private
}
# Master-user passdb (see auth_master_user_separator above). Lookups run in
# the order the passdb blocks appear, so this file is consulted before LDAP.
passdb {
args = /etc/dovecot/master-users
driver = passwd-file
master = yes
}
passdb {
args = /etc/dovecot/dovecot-ldap.conf.ext
driver = ldap
}
plugin {
# NOTE(review): ACLs are read from the vfile backend (per-mailbox dovecot-acl
# files plus this global file) and cached in a running process for
# cache_secs = 300 s. A right granted with doveadm acl can therefore take up
# to five minutes to become visible in an IMAP session that was already
# open -- one thing to rule out when "doveadm acl get" and the rawlog above
# disagree.
acl = vfile:/etc/dovecot/global-acls:cache_secs=300
# Records which mailboxes are shared with whom; required for list = children
# in the shared namespace to work.
acl_shared_dict = file:/export/home/shared-db/shared-mailboxes
# mail_log reports completed copy/delete/mailbox_* events with these fields.
# A NOPERM presumably stops the operation before any such event fires, so
# the denied command will not appear here; the imap process debug output
# (mail_debug = yes) is the place to look instead.
mail_log_events = append delete undelete expunge copy mailbox_delete mailbox_rename flag_change
mail_log_fields = uid box msgid size from flags
# NOTE(review): replication to mail2.example.com uses plain tcp:, so mailbox
# data crosses the network unencrypted unless the link itself is protected;
# Dovecot also accepts a tcps: replica for TLS.
mail_replica = tcp:mail2.example.com
sieve = ~/.dovecot.sieve
sieve_dir = ~/sieve
sieve_global = /var/lib/dovecot/sieve/global/
sieve_user_log = ~/.dovecot.sieve.log
}
protocols = imap pop3 lmtp sieve
# Replication plumbing: mail processes post change notifications into the
# aggregator, which forwards them to the replicator.
service aggregator {
# NOTE(review): mode 0666 makes the notification fifo/socket writable by
# every local account, not just vmail. If all mail processes run as vmail
# (the user set here), a 0660/0600 mode with matching owner is enough.
fifo_listener replication-notify-fifo {
mode = 0666
user = vmail
}
unix_listener replication-notify {
mode = 0666
user = vmail
}
}
service auth {
# SASL socket for the Postfix SMTP server. 0666 is the usual setting because
# the socket lives inside Postfix's private directory, whose own permissions
# are the real gate -- confirm that directory is not world-accessible.
unix_listener /var/spool/postfix/private/auth {
mode = 0666
}
# userdb lookups are limited to the vmail user/group, which is the tighter of
# the two auth sockets here.
unix_listener auth-userdb {
group = vmail
mode = 0660
user = vmail
}
}
service config {
unix_listener config {
user = vmail
}
}
# NOTE(review): no "address =" on this listener, so doveadm listens on all
# interfaces on port 12345 (see the doveadm_port note near the top).
service doveadm {
inet_listener {
port = 12345
}
user = vmail
}
# Only the implicit-TLS listener is shown; doveconf -n omits defaults, so the
# standard port-143 listener is presumably still active and, with
# ssl = required, accepts sessions only after STARTTLS.
service imap-login {
inet_listener imaps {
port = 993
ssl = yes
}
process_limit = 500
process_min_avail = 20
}
# Post-login hook: see "service postlogin" below (rawlog).
service imap {
executable = imap postlogin
}
# LMTP is bound to loopback only.
service lmtp {
inet_listener lmtp {
address = 127.0.0.1
port = 24
}
}
# The legacy ManageSieve port 2000 is still open alongside 4190; drop it if no
# client depends on it.
service managesieve-login {
inet_listener sieve {
port = 4190
}
inet_listener sieve_deprecated {
port = 2000
}
}
# NOTE(review): this closing brace has no matching opening block in the pasted
# text (every service above is already balanced); most likely a paste
# artefact, but it would be a syntax error if this dump were reused as-is.
}
service pop3-login {
inet_listener pop3s {
port = 995
ssl = yes
}
}
service pop3 {
executable = pop3 postlogin
}
# NOTE(review): rawlog writes the complete post-login IMAP/POP3 conversation,
# message bodies included, under rawlog_dir (/tmp/rawlog/%u, set in
# "protocol imap" below). Because the hook runs after authentication -- the
# rawlog excerpt above starts at "Logged in" -- credentials are not captured,
# but the directory still holds mail content in /tmp and should be removed
# once debugging is over.
service postlogin {
executable = script-login -d rawlog
}
# NOTE(review): 0666 lets any local account connect to the replicator control
# socket; restrict it to the users that actually run doveadm replicator.
service replicator {
unix_listener replicator-doveadm {
mode = 0666
}
}
# TLS is mandatory for remote clients; this is what makes
# disable_plaintext_auth = no above tolerable.
ssl = required
ssl_cert = </etc/pki/dovecot/certs/mail2.example.com.crt_chain
# NOTE(review): ALL:!LOW:!SSLv2:!EXP:!aNULL:!EXPORT still admits OpenSSL's
# MEDIUM-strength suites (RC4, 3DES) and MD5-based MACs, and does not prefer
# forward-secret suites. A stricter list (e.g. HIGH:!aNULL:!MD5) is worth
# testing against the client base.
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL:!EXPORT
ssl_key = # hidden, use -P to show it
# NOTE(review): only SSLv2/SSLv3 are excluded, so TLSv1.0 and TLSv1.1 remain
# enabled; tighten with !TLSv1 !TLSv1.1 once the clients allow it.
ssl_protocols = !SSLv3 !SSLv2
syslog_facility = local6
userdb {
args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
driver = ldap
}
# LMTP delivery additionally loads sieve.
protocol lmtp {
mail_plugins = acl mail_log notify sieve
}
# IMAP additionally loads imap_acl, which provides the ACL/MYRIGHTS commands
# (the "ACL RIGHTS=texk" capability) seen in the rawlog above.
protocol imap {
mail_max_userip_connections = 100
mail_plugins = acl mail_log notify imap_acl
# Per-user rawlog directory consumed by "service postlogin" above; see the
# note there about what it captures.
rawlog_dir = /tmp/rawlog/%u
}