[Dovecot] Dovecot, Shared Mailboxes (via symlink), and ACLs

2009-10-27 Thread Dave

Hello!  I just joined the list and will be happy to help where I can in
my limited experience, but also come to the table with a question.  I
think there's something I'm missing regarding shared mailboxes and ACLs,
so I will describe my situation and see if I am understanding correctly
(running Dovecot 1.1.10).  I have read over the Dovecot Wiki many times
and have scoured many forums but still can't seem to find a solution.

I have an IMAP mailbox that is working fine (user imapuser), so the
maildir and related structure is in:  /home/imapuser/Maildir

I have another IMAP mailbox for another imap user, newuser1, also
working fine, with maildir and related structure in:  /home/newuser1/Maildir

I have created a symlink under newuser1's Maildir to imapuser's Maildir
so as to give newuser1 access to the things in imapuser's inbox.  I
have also symlinked inside the newuser1 Maildir to a folder under
imapuser's inbox, let's call it MailingList, basically setting up
something like:

/home/newuser1/Maildir:
cur/
.imapuserinbox -> /home/imapuser/Maildir
.imapusermailinglist -> /home/imapuser/Maildir/MailingList
new/
tmp/
(... and various other Dovecot-related files, nothing ACL related.)

Now, I have gotten the shared boxes to work IF I changed the permissions
to be rwx for user and group on /home/imapuser/Maildir/*, but this makes
procmail (and .procmailrc) unhappy and it starts sending things to mbox
files (old system) instead of sending them on to the Maildir.  So that
doesn't seem to work.  Which led me to ACLs.  Now, I've tried (after
enabling the two appropriate lines in dovecot.conf and restarting
dovecot, etc) both per-directory ACL files and global ACLs, and while I
can get some things to *change* as viewed by my mail client, I can't
seem to create consistent behavior.  I know that's fairly vague, but
it's like I'll change something in the global ACL and folders are
affected that I wouldn't anticipate, based on what I'm understanding of
ACLs.

So, in the example above, if I enable global ACLs, what names do I use
to refer to those shared boxes I'm trying to access?  Do I use the link
name I made, .imapuserinbox or .imapusermailinglist (without leading
periods), like /etc/dovecot/acls/imapuserinbox, or is it based off of
the original dir name?  Like do I need something like
/etc/dovecot/acls/MailingList ?  What about the inbox I'm sharing in
/home/imapuser/Maildir, how do I reference that?  Is there a way to do
it without affecting or changing permissions of other IMAP users and
inboxes on the same system?

One thing I am receiving consistently in the error logs is:
mail dovecot: IMAP(newuser1):
stat(/home/newuser1/Maildir/.imapuserinbox/tmp) failed: Permission
denied (euid=152(newuser1) egid=100(usergroup) UNIX perms seem ok, ACL
problem?)

So it seems if I get the ACL stuff right, I will be in business.  Any
ideas??  Thanks for any help anyone can give!!
Dave




Re: [Dovecot] Dovecot, Shared Mailboxes (via symlink), and ACLs

2009-10-27 Thread proton-sss

Hello!
I think if you keep maildirs under different uids then you must change file
permissions to permit access to the shared maildir.
I don't know about procmail delivery options, but with Dovecot's deliver,
if you create in the shared maildir a file called dovecot-shared, then
deliver will keep permissions like this file.


After long experiments I chose Dovecot's v1.2 shared maildir scheme with
IMAP ACLs.


Best Regards!
Michael


--

System administrator
ООО НПП СПЕЦСТРОЙ-СВЯЗЬ
Захаренко Михаил
tel. +78634 311562 ext. 478



Re: [Dovecot] Dovecot, Shared Mailboxes (via symlink), and ACLs

2009-10-27 Thread Timo Sirainen
On Tue, 2009-10-27 at 14:51 -0500, Dave wrote:
> Now, I have gotten the shared boxes to work IF I changed the permissions
> to be rwx for user and group on /home/imapuser/Maildir/*, but this makes
> procmail (and .procmailrc) unhappy and it starts sending things to mbox
> files (old system) instead of sending them on to the Maildir.  So that
> doesn't seem to work.

You'll need to set UNIX permissions in a way that it works.

> Which led me to ACLs.

Dovecot ACLs won't get you around UNIX permission problems.

> One thing I am receiving consistently in the error logs is:
> mail dovecot: IMAP(newuser1):
> stat(/home/newuser1/Maildir/.imapuserinbox/tmp) failed: Permission
> denied (euid=152(newuser1) egid=100(usergroup) UNIX perms seem ok, ACL
> problem?)
>
> So it seems if I get the ACL stuff right, I will be in business.

No. What that means is that there's probably a bug in the code that
tries to check what permission problem you have (hopefully fixed in
later version, v1.1.10 is getting a bit old). The ACL it mentions isn't
Dovecot ACLs, but filesystem ACLs or perhaps SELinux or something else.
I guess I should change the error message.




Re: [Dovecot] Dovecot, Shared Mailboxes (via symlink), and ACLs

2009-10-27 Thread Dave

>> Now, I have gotten the shared boxes to work IF I changed the permissions
>> to be rwx for user and group on /home/imapuser/Maildir/*, but this makes
>> procmail (and .procmailrc) unhappy
>
> You'll need to set UNIX permissions in a way that it works.

Thank you for the responses!  OK, it seems from some reading and 
experimentation that procmail will bail very quickly if it doesn't like 
permissions on its user directories and procmailrc files, so what I 
discovered was that I can give EVERYTHING user and group permissions 
under imapuser's Maildir (either rwx or rw depending on context) but 
that still won't let the shared folders work... although that's part of 
it.  Only when I change the permissions of the main imapuser folder 
(/home/imapuser in this example) to 770 will it work.  But, that breaks 
procmail.  As does 760 or apparently giving any write permissions to 
anyone besides the owner.  If I change the permissions to 750, 
everything automagically works.  I can move messages, delete, view, 
etc.  So, I guess that is that!


> later version, v1.1.10 is getting a bit old). The ACL it mentions isn't
> Dovecot ACLs, but filesystem ACLs or perhaps SELinux or something else.
> I guess I should change the error message.

Thanks for letting me know the difference in the ACLs mentioned in the 
error message, that was definitely part of my confusion!!  That put me 
on the path to figuring it out. :)

Dave
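A small check script for the permission layout Dave ended up with (owner's home 750, every directory under the shared Maildir group-accessible, the symlink in the sharing user's Maildir resolving to a reachable directory), added here as an example and not code from the thread or from Dovecot. It assumes GNU or busybox stat/find on Linux and does not verify that the sharing user is actually a member of the owner's group.

```shell
# Added example, not from the thread: verifies the UNIX permission layout
# that made the symlinked shared Maildir work. Assumes GNU/busybox stat and find.

# procmail bails if the owner's home is writable by group or others, and the
# sharing user still needs group r-x to traverse it, which leaves 750.
check_home_mode() {
    mode=$(stat -c '%a' "$1") || return 1
    if [ "$mode" = 750 ]; then
        return 0
    fi
    echo "$1: mode $mode, expected 750 (group r-x to traverse; group/other write breaks procmail)" >&2
    return 1
}

# Every directory below the shared Maildir needs group r-x, otherwise the
# sharing user's stat() on .../tmp fails with "Permission denied" as in the log.
# find -perm -050 matches directories with both group r and group x set.
check_maildir_group_access() {
    offenders=$(find "$1" -type d ! -perm -050)
    if [ -n "$offenders" ]; then
        printf 'directories the group cannot traverse:\n%s\n' "$offenders" >&2
        return 1
    fi
    return 0
}

# The entry in the sharing user's Maildir (e.g. .imapuserinbox) must be a
# symlink whose target is a directory the caller can reach.
check_link() {
    if [ ! -L "$1" ]; then
        echo "$1: not a symlink" >&2
        return 1
    fi
    if [ ! -d "$1" ]; then
        echo "$1: target missing or not traversable" >&2
        return 1
    fi
    return 0
}

# check_shared_maildir OWNER_HOME SHARED_MAILDIR [LINK...]; runs all checks,
# reports every problem, returns non-zero if any check failed.
check_shared_maildir() {
    owner_home=$1
    shared=$2
    shift 2
    rc=0
    check_home_mode "$owner_home" || rc=1
    check_maildir_group_access "$shared" || rc=1
    for link in "$@"; do
        check_link "$link" || rc=1
    done
    return $rc
}
```

Run it as `check_shared_maildir /home/imapuser /home/imapuser/Maildir /home/newuser1/Maildir/.imapuserinbox` after sourcing the file; each failing check names the path that the sharing user's IMAP session would trip over.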