I have noticed a difference in the behavior of ACLs. When used in a MUA the following global ACL works fine and has the desired effect - new mailboxes can be created by a user being part of the 'PublicMailboxAdmins' group:
[ global-acl: ]

    INBOX owner lrwstiekxap
    Public/* group=PublicMailboxAdmins lrwsipk
    Public/* anyone lr
    Public/* authenticated lrws

Creating the same mailbox via doveadm however fails with a permission problem:

    doveadm(t...@leuxner.net): Debug: acl vfile: Global ACL file: /var/vmail/conf.d/leuxner.net/global-acl
    doveadm(t...@leuxner.net): Debug: Namespace : type=public, prefix=Public/, sep=/, inbox=no, hidden=no, list=yes, subscriptions=no location=mdbox:/var/vmail/public:INDEXPVT=~/mdbox/public
    doveadm(t...@leuxner.net): Debug: fs: root=/var/vmail/public, index=, indexpvt=/var/vmail/domains/leuxner.net/tlx/mdbox/public, control=, inbox=, alt=
    doveadm(t...@leuxner.net): Debug: acl: initializing backend with data: vfile:/var/vmail/conf.d/leuxner.net/global-acl:cache_secs=300
    doveadm(t...@leuxner.net): Debug: acl: acl username = t...@leuxner.net
    doveadm(t...@leuxner.net): Debug: acl: owner = 0
    doveadm(t...@leuxner.net): Debug: acl vfile: Global ACL file: /var/vmail/conf.d/leuxner.net/global-acl
    doveadm(t...@leuxner.net): Debug: Namespace : type=private, prefix=Virtual/, sep=/, inbox=no, hidden=no, list=yes, subscriptions=yes location=virtual:~/mdbox/virtual
    doveadm(t...@leuxner.net): Debug: fs: root=/var/vmail/domains/leuxner.net/tlx/mdbox/virtual, index=, indexpvt=, control=, inbox=, alt=
    doveadm(t...@leuxner.net): Debug: acl: initializing backend with data: vfile:/var/vmail/conf.d/leuxner.net/global-acl:cache_secs=300
    doveadm(t...@leuxner.net): Debug: acl: acl username = t...@leuxner.net
    doveadm(t...@leuxner.net): Debug: acl: owner = 1
    doveadm(t...@leuxner.net): Debug: acl vfile: Global ACL file: /var/vmail/conf.d/leuxner.net/global-acl
    doveadm(t...@leuxner.net): Debug: acl vfile: file /var/vmail/public/mailboxes/dovecot-acl not found
    doveadm(t...@leuxner.net): Error: Can't create mailbox Public/Archive/Newsletters/heise-security/2014: Permission denied

Interestingly, doveadm succeeds when dovecot-acl is present in the namespace root - which of course is not desirable in the light of the global ACL:

[ dovecot-acl: ]

    group=PublicMailboxAdmins lrwsipk

    doveadm(t...@leuxner.net): Debug: acl vfile: Global ACL file: /var/vmail/conf.d/leuxner.net/global-acl
    doveadm(t...@leuxner.net): Debug: Namespace : type=public, prefix=Public/, sep=/, inbox=no, hidden=no, list=yes, subscriptions=no location=mdbox:/var/vmail/public:INDEXPVT=~/mdbox/public
    doveadm(t...@leuxner.net): Debug: fs: root=/var/vmail/public, index=, indexpvt=/var/vmail/domains/leuxner.net/tlx/mdbox/public, control=, inbox=, alt=
    doveadm(t...@leuxner.net): Debug: acl: initializing backend with data: vfile:/var/vmail/conf.d/leuxner.net/global-acl:cache_secs=300
    doveadm(t...@leuxner.net): Debug: acl: acl username = t...@leuxner.net
    doveadm(t...@leuxner.net): Debug: acl: owner = 0
    doveadm(t...@leuxner.net): Debug: acl vfile: Global ACL file: /var/vmail/conf.d/leuxner.net/global-acl
    doveadm(t...@leuxner.net): Debug: Namespace : type=private, prefix=Virtual/, sep=/, inbox=no, hidden=no, list=yes, subscriptions=yes location=virtual:~/mdbox/virtual
    doveadm(t...@leuxner.net): Debug: fs: root=/var/vmail/domains/leuxner.net/tlx/mdbox/virtual, index=, indexpvt=, control=, inbox=, alt=
    doveadm(t...@leuxner.net): Debug: acl: initializing backend with data: vfile:/var/vmail/conf.d/leuxner.net/global-acl:cache_secs=300
    doveadm(t...@leuxner.net): Debug: acl: acl username = t...@leuxner.net
    doveadm(t...@leuxner.net): Debug: acl: owner = 1
    doveadm(t...@leuxner.net): Debug: acl vfile: Global ACL file: /var/vmail/conf.d/leuxner.net/global-acl
    doveadm(t...@leuxner.net): Debug: acl vfile: reading file /var/vmail/public/mailboxes/dovecot-acl
    doveadm(t...@leuxner.net): Debug: Namespace Public/: /var/vmail/public/mailboxes/Archive/Newsletters/heise-security/2014 doesn't exist yet, using default permissions
    doveadm(t...@leuxner.net): Debug: Namespace Public/: Using permissions from /var/vmail/public: mode=0700 gid=default
    doveadm(t...@leuxner.net): Debug: acl vfile: file /var/vmail/public/mailboxes/Archive/Newsletters/heise-security/dbox-Mails/dovecot-acl not found
    doveadm(t...@leuxner.net): Debug: acl vfile: file /var/vmail/public/mailboxes/Archive/Newsletters/heise-security/2014/dbox-Mails/dovecot-acl not found
    doveadm(t...@leuxner.net): Debug: acl vfile: file /var/vmail/public/mailboxes/Archive/Newsletters/heise-security/2014/dbox-Mails/dovecot-acl not found
    doveadm(t...@leuxner.net): Debug: acl vfile: file /var/vmail/public/mailboxes/Archive/Newsletters/heise-security/2014/dbox-Mails/dovecot-acl not found

    # 2.2.15 (6078354e6238): /etc/dovecot/dovecot.conf

I know there have been some changes in Mercurial as to how global ACLs are interpreted. Is doveadm probably behind on them?

Regards,
Thomas
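As an added illustration (not part of Thomas's post and not Dovecot's own code), the script below models how the four global-acl entries quoted above merge for a given login, so an operator can check which identities end up with the 'k' (create) right on the Public/ hierarchy. It is a simplified model of the vfile backend; its docstring lists every assumed rule (wildcard, identifier and negative-right semantics, and that creating a mailbox needs 'k' on the parent).

```python
"""Evaluate a Dovecot-style global ACL for a principal (added example, not Dovecot's code).
Assumed, simplified rules: one '<pattern> <identifier> <rights>' entry per line, '#' comments,
shell-style '*'/'?' in the pattern with '*' spanning '/', identifiers owner / anyone /
authenticated / user=NAME / group=NAME, a leading '-' on the identifier marks a negative
right that is stripped after merging, and creating a mailbox needs 'k' on its parent."""
import fnmatch
from dataclasses import dataclass, field

# The four global-acl lines from the report (constructed copy of that file).
GLOBAL_ACL = """\
INBOX owner lrwstiekxap
Public/* group=PublicMailboxAdmins lrwsipk
Public/* anyone lr
Public/* authenticated lrws
"""

@dataclass
class Principal:
    user: str = ""                         # "" models an anonymous login
    groups: set = field(default_factory=set)
    owner: bool = False                    # 'acl: owner = 1' in the debug log

def parse_global_acl(text):
    """Return a list of (pattern, identifier, rights-set) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            pattern, ident, rights = line.split(None, 2)
            entries.append((pattern, ident, set(rights.replace(" ", ""))))
    return entries

def _ident_matches(ident, p):
    kind, _, name = ident.partition("=")   # "group=X" -> ("group", "X")
    return {"anyone": True, "authenticated": bool(p.user), "owner": p.owner,
            "user": name == p.user, "group": name in p.groups}[kind]

def effective_rights(entries, principal, mailbox):
    """Union of matching positive entries minus matching negative entries."""
    granted, denied = set(), set()
    for pattern, ident, rights in entries:
        if fnmatch.fnmatchcase(mailbox, pattern) and _ident_matches(ident.lstrip("-"), principal):
            (denied if ident.startswith("-") else granted).update(rights)
    return granted - denied

def can_create(entries, principal, mailbox):
    """Creating a mailbox requires the 'k' right on its parent (assumption above)."""
    parent = mailbox.rsplit("/", 1)[0] if "/" in mailbox else mailbox
    return "k" in effective_rights(entries, principal, parent)
```

With these rules a PublicMailboxAdmins member collects lrwsipk on Public/Archive/Newsletters/heise-security and may create the 2014 child, while a plain authenticated user only reaches lrws and may not.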