ACLs, shared, public, virtual mailboxes not working

Aki Tuomi aki.tuomi at dovecot.fi
Thu Feb 15 19:58:31 EET 2018


Since you have obfuscated your data, it is hard to tell what's going on, especially as in your previous log you have 'user=user' and now you have user1 and user2.

You can try

doveadm rights -u victim folder

to see what sort of rights dovecot thinks it's seeing.

Aki
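As an added example (not from this thread or from Dovecot's own code), a small Python model of how the entries in the dovecot-acl and global-acls files quoted below resolve to rights for a given user: rights from every matching identifier are combined, and a '-identifier' entry removes rights afterwards. The merge model, the fnmatch approximation of global ACL patterns, and the acl_anyone handling are assumptions; the inputs are the ACL lines quoted in this thread.

```python
import fnmatch

# Dovecot's single-letter rights: lookup, read, write flags, seen, deleted, insert, post, expunge, create, delete, admin
ALL_RIGHTS = frozenset("lrwstipekxa")

def parse_acl(text, mailbox=None):
    """Parse dovecot-acl lines ('identifier [rights]'). With mailbox set, treat
    text as a global ACL file ('pattern identifier [rights]') and keep only entries
    whose pattern matches that mailbox (wildcards approximated with fnmatch)."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if mailbox is not None:
            pattern, fields = fields[0], fields[1:]
            if not fields or not fnmatch.fnmatchcase(mailbox, pattern):
                continue
        ident = fields[0]
        rights = fields[1] if len(fields) > 1 else ""   # e.g. '-user=user1' alone
        negative = ident.startswith("-")
        ident = ident[1:] if negative else ident
        unknown = set(rights) - ALL_RIGHTS
        if unknown:
            raise ValueError(f"unknown right(s) {sorted(unknown)} in {raw!r}")
        entries.append((negative, ident, frozenset(rights)))
    return entries

def matches(ident, user, groups=(), is_owner=False, acl_anyone=False):
    """'user=' must equal the full ACL username (the debug log shows user@example.com)."""
    if ident.startswith("user="):
        return ident[len("user="):] == user
    if ident.startswith(("group=", "group-override=")):
        return ident.split("=", 1)[1] in groups
    if ident == "owner":
        return is_owner
    if ident == "authenticated":
        return True
    if ident in ("anyone", "anonymous"):
        return acl_anyone            # assumed: honoured only with acl_anyone = allow
    raise ValueError(f"unknown identifier {ident!r}")

def effective_rights(text, user, mailbox=None, **ctx):
    """Union of rights from matching entries, minus rights from matching
    negative ('-identifier') entries, as a sorted string of right letters."""
    granted, denied = set(), set()
    for negative, ident, rights in parse_acl(text, mailbox):
        if matches(ident, user, **ctx):
            (denied if negative else granted).update(rights)
    return "".join(sorted(granted - denied))

def can_lookup(text, user, **kw):
    """Mirror of the 'No lookup right to mailbox' debug line: needs 'l'."""
    return "l" in effective_rights(text, user, **kw)

# Constructed inputs, copied from the ACL files quoted in this thread.
TESTFOLDER_ACL = "anyone lr\nuser=user1 akxeilprwts\n-user=user1\nuser=user2 lr\n"
TESTFOLDER1_ACL = "user=user1 lr\nuser=user2 lr\n"
GLOBAL_ACLS = "public/TestFolder user=user lrwstipekxa\n"
```

Running it with the logged-in ACL username from the debug output (user@example.com) against TestFolder1 yields no 'l' right, which is the condition behind the "No lookup right to mailbox" line.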

> On 15 February 2018 at 18:11 David Mehler <dave.mehler at gmail.com> wrote:
> 
> 
> Hello,
> 
> Thank you for your reply. Here's my acl files:
> 
> 
> public/TestFolder dovecot-acl
> anyone lr
> user=user1 akxeilprwts
> -user=user1
> user=user2 lr
> 
> public/TestFolder1 dovecot-acl
> user=user1 lr
> user=user2 lr
> 
> public/dovecot-acl
> user=user1 lr
> user=user2 lr
> 
> and I have another dovecot-acl file in shared/office folder:
> 
> user=user1 at domain.com lrwstipekxa
> user=user2 at domain.com lrwstipekxa
> 
> Thanks.
> Dave.
> 
> 
> On 2/15/18, Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
> > Hi!
> >
> > It seems you are running 2.2.33.2 =)
> >
> > Also,
> >
> > Feb 12 08:48:40 imap(user at example.com): Debug: Mailbox
> > 'public/TestFolder' matches global ACL pattern 'public/TestFolder'
> > Feb 12 08:48:40 imap(user at example.com): Debug: acl vfile: reading file
> > /home/vmail/public/TestFolder/dovecot-acl
> > Feb 12 08:48:40 imap(user at example.com): Debug: acl vfile: reading file
> > /home/vmail/public/dovecot-acl
> >
> > it seems there are some folder specific ACLs, can you check these?
> >
> > Aki
> >
> > On 15.02.2018 10:40, David Mehler wrote:
> >> Hello,
> >>
> >> I'm running Dovecot 2.2.3, and am having issues with my public
> >> folders, shared folders, and virtual/All folders; apparently ACLs are
> >> on that list as well.
> >>
> >> I was debugging an unrelated problem with my smtp server and got the
> >> following dovecot debug log output. Below is also a doveconf -n output
> >> as well as my shared-folder definition file and my global-acls file.
> >>
> >> What I'm trying to accomplish is:
> >>
> >> 1. Have a public folder that any user on the system can put messages
> >> into and respond to.
> >> 2. Have a shared folder in which user1 at example.com and
> >> user1 at example2.com can exchange messages.
> >> 3. For each user on the system give them a Virtual/All folder for *all
> >> of their messages.
> >>
> >> I'd appreciate any help. As an aside, if anyone sees an issue with my
> >> SSL cipher list I'd appreciate knowing that as well; in brief, I'm
> >> trying to get the most secure list, PFS, and not worrying about
> >> backward compatibility. If it's not TLS 1.2 I don't touch it.
> >>
> >> Thanks.
> >> Dave.
> >>
> >> Feb 12 08:48:40 imap(user at example.com): Debug: Module loaded:
> >> /usr/local/lib/dovecot/lib01_acl_plugin.so
> >> Feb 12 08:48:40 imap(user at example.com): Debug: Module loaded:
> >> /usr/local/lib/dovecot/lib02_imap_acl_plugin.so
> >> Feb 12 08:48:40 imap(user at example.com): Debug: Effective uid=999,
> >> gid=999, home=/home/vmail/example.com/user
> >> Feb 12 08:48:40 imap(user at example.com): Debug: Namespace inbox:
> >> type=private, prefix=, sep=/, inbox=yes, hidden=no, list=yes,
> >> subscriptions=yes location=maildir:~/mail/:LAYOUT=fs:INDEX=~/mail/
> >> Feb 12 08:48:40 imap(user at example.com): Debug: fs:
> >> root=/home/vmail/example.com/user/mail, index=, indexpvt=, control=,
> >> inbox=/home/vmail/example.com/user/mail, alt=
> >> Feb 12 08:48:40 imap(user at example.com): Debug: acl: initializing
> >> backend with data:
> >> vfile:/usr/local/etc/dovecot/global-acls:cache_secs=300
> >> Feb 12 08:48:40 imap(user at example.com): Debug: acl: acl username =
> >> user at example.com
> >> Feb 12 08:48:40 imap(user at example.com): Debug: acl: owner = 1
> >> Feb 12 08:48:40 imap(user at example.com): Debug: acl vfile: Global ACL
> >> file: /usr/local/etc/dovecot/global-acls
> >> Feb 12 08:48:40 imap(user at example.com): Debug: Namespace :
> >> type=public, prefix=public/, sep=/, inbox=no, hidden=no, list=yes,
> >> subscriptions=yes
> >> location=maildir:/home/vmail/public/:LAYOUT=fs:CONTROL=~/mail/public:INDEXPVT=~/mail/public:INDEX=~/mail/public
> >> Feb 12 08:48:40 imap(user at example.com): Debug: fs:
> >> root=/home/vmail/public,
> >> index=/home/vmail/example.com/user/mail/public,
> >> indexpvt=/home/vmail/example.com/user/mail/public,
> >> control=/home/vmail/example.com/user/mail/public, inbox=, alt=
> >> Feb 12 08:48:40 imap(user at example.com): Debug: acl: initializing
> >> backend with data:
> >> vfile:/usr/local/etc/dovecot/global-acls:cache_secs=300
> >> Feb 12 08:48:40 imap(user at example.com): Debug: acl: acl username =
> >> user at example.com
> >> Feb 12 08:48:40 imap(user at example.com): Debug: acl: owner = 0
> >> Feb 12 08:48:40 imap(user at example.com): Debug: acl vfile: Global ACL
> >> file: /usr/local/etc/dovecot/global-acls
> >> Feb 12 08:48:40 imap(user at example.com): Debug: Namespace :
> >> type=shared, prefix=shared/%u/, sep=/, inbox=no, hidden=no, list=yes,
> >> subscriptions=yes location=maildir:~/mail/:INDEX=~/mail/shared/%Ld/%Ln
> >> Feb 12 08:48:40 imap(user at example.com): Debug: shared:
> >> root=/var/run/dovecot, index=, indexpvt=, control=, inbox=, alt=
> >> Feb 12 08:48:40 imap(user at example.com): Debug: acl: initializing
> >> backend with data:
> >> vfile:/usr/local/etc/dovecot/global-acls:cache_secs=300
> >> Feb 12 08:48:40 imap(user at example.com): Debug: acl: acl username =
> >> user at example.com
> >> Feb 12 08:48:40 imap(user at example.com): Debug: acl: owner = 0
> >> Feb 12 08:48:40 imap(user at example.com): Debug: acl vfile: Global ACL
> >> file: /usr/local/etc/dovecot/global-acls
> >> Feb 12 08:48:40 imap(user at example.com): Debug: Namespace :
> >> type=private, prefix=virtual/, sep=/, inbox=no, hidden=no, list=yes,
> >> subscriptions=yes location=virtual:/usr/local/etc/dovecot/virtual
> >> Feb 12 08:48:40 imap(user at example.com): Debug: fs:
> >> root=/usr/local/etc/dovecot/virtual, index=, indexpvt=, control=,
> >> inbox=, alt=
> >> Feb 12 08:48:40 imap(user at example.com): Debug: acl: initializing
> >> backend with data:
> >> vfile:/usr/local/etc/dovecot/global-acls:cache_secs=300
> >> Feb 12 08:48:40 imap(user at example.com): Debug: acl: acl username =
> >> user at example.com
> >> Feb 12 08:48:40 imap(user at example.com): Debug: acl: owner = 1
> >> Feb 12 08:48:40 imap(user at example.com): Debug: acl vfile: Global ACL
> >> file: /usr/local/etc/dovecot/global-acls
> >> Feb 12 08:48:40 imap(user at example.com): Debug: quota: quota_over_flag
> >> check: quota_over_script unset - skipping
> >> Feb 12 08:48:40 imap(user at example.com): Debug: acl vfile: file
> >> /home/vmail/example.com/user/mail/dovecot-acl not found
> >> Feb 12 08:48:40 imap(user at example.com): Debug: acl vfile: file
> >> /home/vmail/example.com/user/mail/Drafts/dovecot-acl not found
> >> Feb 12 08:48:40 imap(user at example.com): Debug: acl vfile: file
> >> /home/vmail/example.com/user/mail/Spam/dovecot-acl not found
> >> Feb 12 08:48:40 imap(user at example.com): Debug: acl vfile: file
> >> /home/vmail/example.com/user/mail/Trash/dovecot-acl not found
> >> Feb 12 08:48:40 imap(user at example.com): Debug: acl vfile: file
> >> /home/vmail/example.com/user/mail/Sent/dovecot-acl not found
> >> Feb 12 08:48:40 imap(user at example.com): Debug: acl vfile: file
> >> /home/vmail/example.com/user/mail/Archives/dovecot-acl not found
> >> Feb 12 08:48:40 imap(user at example.com): Debug: acl vfile: file
> >> /home/vmail/example.com/user/mail/logcheck/dovecot-acl not found
> >> Feb 12 08:48:40 imap(user at example.com): Debug: acl vfile: file
> >> /home/vmail/example.com/user/mail/public/dovecot-acl not found
> >> Feb 12 08:48:40 imap(user at example.com): Debug: Mailbox
> >> 'public/TestFolder' matches global ACL pattern 'public/TestFolder'
> >> Feb 12 08:48:40 imap(user at example.com): Debug: acl vfile: file
> >> /home/vmail/example.com/user/mail/public/TestFolder/dovecot-acl not
> >> found
> >> Feb 12 08:48:40 imap(user at example.com): Debug: acl vfile: file
> >> /home/vmail/example.com/user/mail/virtual/dovecot-acl not found
> >> Feb 12 08:48:40 imap(user at example.com): Debug: acl vfile: file
> >> /home/vmail/example.com/user/mail/.Junk/dovecot-acl not found
> >> Feb 12 08:48:40 imap(user at example.com): Debug: acl vfile: file
> >> /home/vmail/example.com/user/mail/ham/dovecot-acl not found
> >> Feb 12 08:48:40 imap(user at example.com): Debug: acl vfile: file
> >> /home/vmail/example.com/user/mail/fail2ban/dovecot-acl not found
> >> Feb 12 08:48:40 imap(user at example.com): Debug: acl vfile: file
> >> /home/vmail/example.com/user/mail/.Sent/dovecot-acl not found
> >> Feb 12 08:48:40 imap(user at example.com): Debug: acl vfile: file
> >> /home/vmail/example.com/user/mail/.Trash/dovecot-acl not found
> >> Feb 12 08:48:40 imap(user at example.com): Debug: acl vfile: file
> >> /home/vmail/example.com/user/mail/Maildir/dovecot-acl not found
> >> Feb 12 08:48:40 imap(user at example.com): Debug: acl vfile: file
> >> /home/vmail/example.com/user/mail/Maildir/public/dovecot-acl not found
> >> Feb 12 08:48:40 imap(user at example.com): Debug: acl vfile: file
> >> /home/vmail/example.com/user/mail/Maildir/public/.TestFolder/dovecot-acl
> >> not found
> >> Feb 12 08:48:40 imap(user at example.com): Debug: acl vfile: file
> >> /home/vmail/example.com/user/mail/Deleted Items/dovecot-acl not found
> >> Feb 12 08:48:40 imap(user at example.com): Debug: acl vfile: file
> >> /home/vmail/example.com/user/mail/Archive/dovecot-acl not found
> >> Feb 12 08:48:40 imap(user at example.com): Debug: acl vfile: file
> >> /home/vmail/example.com/user/mail/Junk/dovecot-acl not found
> >> Feb 12 08:48:40 imap(user at example.com): Debug: Mailbox
> >> 'public/TestFolder' matches global ACL pattern 'public/TestFolder'
> >> Feb 12 08:48:40 imap(user at example.com): Debug: acl vfile: reading file
> >> /home/vmail/public/TestFolder/dovecot-acl
> >> Feb 12 08:48:40 imap(user at example.com): Debug: acl vfile: reading file
> >> /home/vmail/public/TestFolder1/dovecot-acl
> >> Feb 12 08:48:40 imap(user at example.com): Debug: acl vfile: reading file
> >> /home/vmail/public/dovecot-acl
> >> Feb 12 08:48:40 imap(user at example.com): Debug: acl: No lookup right to
> >> mailbox: public/TestFolder1
> >> Feb 12 08:48:40 imap(user at example.com): Debug: Namespace shared/:
> >> Using permissions from : mode=0700 gid=default
> >> Feb 12 08:48:40 imap(user at example.com): Debug: acl vfile: file
> >> /usr/local/etc/dovecot/virtual/dovecot-acl not found
> >> Feb 12 08:48:40 imap(user at example.com): Debug: acl vfile: file
> >> /usr/local/etc/dovecot/virtual/All/dovecot-acl not found
> >>
> >> doveconf -n
> >> # 2.2.33.2 (d6601f4ec): /usr/local/etc/dovecot/dovecot.conf
> >> # Pigeonhole version 0.4.21 (92477967)
> >> # OS: FreeBSD 11.1-RELEASE-p4 amd64
> >> auth_default_realm = example.com
> >> auth_mechanisms = plain login
> >> auth_realms = example.com example2.com
> >> dict {
> >>   acl = mysql:/usr/local/etc/dovecot/shared-folders.conf
> >>   sqlquota = mysql:/usr/local/etc/dovecot/quota.conf
> >> }
> >> first_valid_gid = 999
> >> first_valid_uid = 999
> >> hostname = mail.example.com
> >> imap_client_workarounds = delay-newmail tb-extra-mailbox-sep
> >> tb-lsub-flags
> >> last_valid_gid = 999
> >> last_valid_uid = 999
> >> lda_mailbox_autocreate = yes
> >> lda_mailbox_autosubscribe = yes
> >> listen = 127.0.0.1 xxx.xxx.xxx.xxx
> >> lmtp_rcpt_check_quota = yes
> >> mail_access_groups = vmail
> >> mail_fsync = never
> >> mail_gid = vmail
> >> mail_home = /home/vmail/%d/%n
> >> mail_location = maildir:~/mail/:LAYOUT=fs:INDEX=~/mail/
> >> mail_plugins = acl mail_log notify quota quota_clone trash virtual welcome
> >> zlib
> >> mail_server_admin = mailto:postmaster at example.com
> >> mail_uid = vmail
> >> mailbox_list_index = yes
> >> managesieve_notify_capability = mailto
> >> managesieve_sieve_capability = fileinto reject envelope
> >> encoded-character vacation subaddress comparator-i;ascii-numeric
> >> relational regex imap4flags copy include variables body enotify
> >> environment mailbox date index ihave duplicate mime foreverypart
> >> extracttext imapflags notify imapsieve vnd.dovecot.imapsieve
> >> namespace {
> >>   hidden = no
> >>   list = yes
> >>   location =
> >> maildir:/home/vmail/public/:LAYOUT=fs:CONTROL=~/mail/public:INDEXPVT=~/mail/public:INDEX=~/mail/public
> >>   mailbox TestFolder {
> >>     auto = subscribe
> >>     comment = Public Folder for message sharing
> >>   }
> >>   prefix = public/
> >>   separator = /
> >>   subscriptions = yes
> >>   type = public
> >> }
> >> namespace {
> >>   list = yes
> >>   location = maildir:~/mail/:INDEX=~/mail/shared/%%Ld/%%Ln
> >>   prefix = shared/%%u/
> >>   separator = /
> >>   subscriptions = yes
> >>   type = shared
> >> }
> >> namespace {
> >>   location = virtual:/usr/local/etc/dovecot/virtual
> >>   mailbox All {
> >>     auto = subscribe
> >>     comment = All my messages
> >>     special_use = \All
> >>   }
> >>   prefix = virtual/
> >>   separator = /
> >> }
> >> namespace inbox {
> >>   inbox = yes
> >>   location =
> >>   mailbox Archive {
> >>     auto = no
> >>     special_use = \Archive
> >>   }
> >>   mailbox Archives {
> >>     auto = subscribe
> >>     special_use = \Archive
> >>   }
> >>   mailbox "Deleted Messages" {
> >>     auto = no
> >>     autoexpunge = 30 days
> >>     special_use = \Trash
> >>   }
> >>   mailbox Drafts {
> >>     auto = subscribe
> >>     special_use = \Drafts
> >>   }
> >>   mailbox Junk {
> >>     auto = no
> >>     autoexpunge = 30 days
> >>     special_use = \Junk
> >>   }
> >>   mailbox "Junk E-mail" {
> >>     auto = no
> >>     autoexpunge = 30 days
> >>     special_use = \Junk
> >>   }
> >>   mailbox Sent {
> >>     auto = subscribe
> >>     special_use = \Sent
> >>   }
> >>   mailbox "Sent Items" {
> >>     auto = no
> >>     special_use = \Sent
> >>   }
> >>   mailbox "Sent Messages" {
> >>     auto = no
> >>     special_use = \Sent
> >>   }
> >>   mailbox Spam {
> >>     auto = subscribe
> >>     autoexpunge = 30 days
> >>     special_use = \Junk
> >>   }
> >>   mailbox Trash {
> >>     auto = subscribe
> >>     autoexpunge = 30 days
> >>     special_use = \Trash
> >>   }
> >>   prefix =
> >>   separator = /
> >>   type = private
> >> }
> >> passdb {
> >>   args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
> >>   driver = sql
> >> }
> >> plugin {
> >>   acl = vfile:/usr/local/etc/dovecot/global-acls:cache_secs=300
> >>   acl_anyone = allow
> >>   acl_shared_dict = proxy::acl
> >>   imapsieve_mailbox1_before =
> >> file:/usr/local/lib/dovecot/sieve/report-spam.sieve
> >>   imapsieve_mailbox1_causes = COPY
> >>   imapsieve_mailbox1_name = Spam
> >>   imapsieve_mailbox2_before =
> >> file:/usr/local/lib/dovecot/sieve/report-ham.sieve
> >>   imapsieve_mailbox2_causes = COPY
> >>   imapsieve_mailbox2_from = Spam
> >>   imapsieve_mailbox2_name = *
> >>   mail_log_events = delete undelete expunge copy mailbox_delete
> >> mailbox_rename
> >>   mail_log_fields = uid box msgid size
> >>   quota = count:User quota
> >>   quota_clone_dict = proxy::sqlquota
> >>   quota_exceeded_message = Storage quota for this account has been
> >> exceeded, please try again later.
> >>   quota_grace = 10%%
> >>   quota_status_nouser = DUNNO
> >>   quota_status_overquota = 552 5.2.2 Mailbox is full
> >>   quota_status_success = DUNNO
> >>   quota_vsizes = true
> >>   quota_warning = storage=100%% quota-exceeded 100 %u
> >>   quota_warning2 = storage=95%% quota-warning 95 %u
> >>   quota_warning3 = storage=90%% quota-warning 90 %u
> >>   quota_warning4 = storage=85%% quota-warning 85 %u
> >>   quota_warning5 = storage=75%% quota-warning 75 %u
> >>   sieve = ~/.dovecot.sieve
> >>   sieve_before = /home/vmail/sieve/before.d
> >>   sieve_default = /home/vmail/sieve/default.sieve
> >>   sieve_dir = ~/sieve
> >>   sieve_extensions = +notify +imapflags
> >>   sieve_global_dir = /home/vmail/sieve
> >>   sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.execute
> >>   sieve_max_redirects = 30
> >>   sieve_max_script_size = 1M
> >>   sieve_pipe_bin_dir = /usr/local/lib/dovecot/sieve
> >>   sieve_plugins = sieve_imapsieve sieve_extprograms
> >>   sieve_user_log = /home/vmail/sieve/sieve_error.log
> >>   trash = /usr/local/etc/dovecot/trash.conf
> >>   welcome_script = welcome %u
> >>   welcome_wait = yes
> >> }
> >> postmaster_address = postmaster at example.com
> >> protocols = imap lmtp sieve
> >> sendmail_path = /usr/local/sbin/sendmail
> >> service auth-worker {
> >>   user = $default_internal_user
> >> }
> >> service auth {
> >>   unix_listener /var/spool/postfix/private/auth {
> >>     group = postfix
> >>     mode = 0660
> >>     user = postfix
> >>   }
> >>   unix_listener auth-userdb {
> >>     group = vmail
> >>     mode = 0666
> >>     user = vmail
> >>   }
> >> }
> >> service dict {
> >>   unix_listener dict {
> >>     group = vmail
> >>     mode = 0660
> >>     user = vmail
> >>   }
> >> }
> >> service imap-login {
> >>   inet_listener imap {
> >>     address = 127.0.0.1
> >>     port = 143
> >>   }
> >>   inet_listener imaps {
> >>     address = xxx.xxx.xxx.xxx
> >>     port = 993
> >>     ssl = yes
> >>   }
> >> }
> >> service imap {
> >>   executable = imap
> >> }
> >> service lmtp {
> >>   unix_listener /var/spool/postfix/private/dovecot-lmtp {
> >>     group = postfix
> >>     mode = 0660
> >>     user = postfix
> >>   }
> >> }
> >> service managesieve-login {
> >>   inet_listener sieve {
> >>     address = 127.0.0.1
> >>     port = 4190
> >>   }
> >> }
> >> service quota-status {
> >>   client_limit = 1
> >>   executable = quota-status -p postfix
> >>   unix_listener /var/spool/postfix/private/dovecot-quota {
> >>     group = postfix
> >>     mode = 0660
> >>     user = postfix
> >>   }
> >> }
> >> service quota-warning {
> >>   executable = script /usr/local/etc/dovecot/quota-warning.sh
> >>   unix_listener quota-warning {
> >>     group = vmail
> >>     mode = 0660
> >>     user = vmail
> >>   }
> >>   user = vmail
> >> }
> >> service welcome {
> >>   executable = script /usr/local/etc/dovecot/welcome.sh
> >>   unix_listener welcome {
> >>     user = vmail
> >>   }
> >>   user = vmail
> >> }
> >> ssl = required
> >> ssl_cert = </usr/local/etc/ssl/acme/example.com/fullchain.pem
> >> ssl_cipher_list =
> >> ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 at STRENGTH
> >> ssl_dh_parameters_length = 2048
> >> ssl_key =  # hidden, use -P to show it
> >> ssl_options = no_compression
> >> ssl_prefer_server_ciphers = yes
> >> ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
> >> userdb {
> >>   args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
> >>   driver = sql
> >> }
> >> protocol lmtp {
> >>   mail_plugins = acl mail_log notify quota quota_clone trash virtual
> >> welcome zlib quota sieve
> >> }
> >> protocol lda {
> >>   mail_fsync = optimized
> >>   mail_plugins = acl mail_log notify quota quota_clone trash virtual
> >> welcome zlib sieve
> >> }
> >> protocol imap {
> >>   mail_plugins = acl mail_log notify quota quota_clone trash virtual
> >> welcome zlib imap_acl imap_quota imap_sieve imap_zlib last_login
> >> }
> >>
> >> shared-folders.conf
> >> connect = DatabaseConnectionParameters
> >> # For shared mailboxes
> >> map {
> >>   pattern = shared/shared-boxes/user/$to/$from
> >>   table = user_shares
> >>   value_field = dummy
> >>
> >>   fields {
> >>     from_user = $from
> >>     to_user = $to
> >>   }
> >> }
> >>
> >> # To share mailbox to anyone uncomment acl_anyone=allow in
> >> # 90-acl.conf
> >> map {
> >>   pattern = shared/shared-boxes/anyone/$from
> >>   table = anyone_shares
> >>   value_field = dummy
> >>
> >>   fields {
> >>     from_user = $from
> >>   }
> >> }
> >>
> >> global-acls
> >> public/TestFolder user=user lrwstipekxa
> >
> >

