On Tue, Aug 23, 2011 at 11:11:31AM -0400, Wietse Venema wrote:
> Kasper Loopstra:
> > Dear list members,
> >
> > In our setup we have various mailboxes that have to be read (and edited) by groups of people. All these groups are defined in LDAP, as are the members (everything uses PAM, so all these accounts are on the system as well). The email is accessed by Dovecot, binding with the LDAP server as the user owning the mail. This means that all the mail for a certain user has to be accessible to that user on the system, otherwise Dovecot cannot read it. We use public namespaces in Dovecot to achieve this.
> >
> > Our problem is that postfix gives permissions 700 to all messages (overriding default ACLs). The messages may be owned by the correct group for a user, and be in the right folder, but still cannot be read by Dovecot (and our users). Hopefully, there is a more elegant solution than monitoring the filesystem for edits and changing the permissions when a mail folder is edited.
>
> In this case, the solution would be to deliver and read the mail with dovecot, and to configure the permissions with Dovecot if possible.
>
> Postfix implements only bare-bones email delivery and does not support access by multiple UIDs other than the owner and root.
Support for multi-user access is the job of the mail-store, not the MTA. IMAP servers like Cyrus, Dovecot, ... have appropriate mailbox access-control mechanisms that allow access by multiple (typically IMAP) users, and in some cases access to the underlying files via local clients running as the user. Work with the mail-store. Direct access to the underlying files is probably not a good idea.

-- 
Viktor.
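To make the advice in this thread concrete, the following is an added configuration sketch (not from the original posts, and not the poster's setup) of what "deliver and read the mail with Dovecot, and configure the permissions with Dovecot" looks like: Postfix hands local delivery to Dovecot over LMTP instead of writing Maildir files itself, and Dovecot's ACL plugin, rather than Unix file modes, decides which LDAP/PAM groups may read a public namespace. The socket path, the `/var/mail/public` location, the `mailshare` Unix group and the `staff` ACL group are assumptions chosen for illustration; the option names and the `dovecot-acl` rights letters are standard Dovecot 2.x.

```conf
# ---- Postfix main.cf (added example) ----
# Stop Postfix's local(8) agent from creating mode-0700 Maildir files;
# let Dovecot's LMTP server create them with the permissions it manages.
mailbox_transport = lmtp:unix:private/dovecot-lmtp

# ---- Dovecot dovecot.conf (added example) ----
protocols = imap lmtp

# Dovecot creates new mail files/dirs with modes derived from the mailbox
# root directory: a group-writable root yields group-readable messages.
# The supplementary group below lets mail processes reach shared trees.
mail_location = maildir:~/Maildir
mail_access_groups = mailshare      # assumed group name

# LMTP socket inside the Postfix chroot, reachable only by Postfix.
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
}

# Per-mailbox access control lives in Dovecot, not in file modes.
mail_plugins = acl
protocol imap {
  mail_plugins = $mail_plugins imap_acl   # expose ACLs to IMAP clients
}
protocol lmtp {
  mail_plugins = $mail_plugins
}
plugin {
  acl = vfile
}

# Each user's own mail (required whenever other namespaces are defined).
namespace inbox {
  type = private
  separator = /
  inbox = yes
}

# Group-readable mailboxes; per-user indexes keep \Seen flags private.
namespace public {
  type = public
  separator = /
  prefix = Public/
  location = maildir:/var/mail/public:INDEXPVT=~/Maildir/public-index  # assumed paths
  subscriptions = no
}

# ---- /var/mail/public/dovecot-acl (added example) ----
# Grant the "staff" group lookup, read, write, seen/deleted flags, insert,
# post, expunge, create, delete and admin rights on this shared mailbox.
# group=staff lrwstipekxa
```

With this in place, the only Unix-level requirement is that the Dovecot LMTP and IMAP processes can reach the shared tree (via the owning user plus `mail_access_groups`); which people may read or edit a given folder is then expressed in `dovecot-acl` entries keyed on the same groups that already exist in LDAP, and no filesystem monitoring or post-hoc `chmod` is needed.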