Re: [Dovecot] Public Namespace and ACLs with pure virtual users

2007-06-26 Thread Adam McDougall
On Mon, Jun 04, 2007 at 05:50:01AM +0300, Timo Sirainen wrote:

  On Sun, 2007-06-03 at 22:26 -0400, Adam McDougall wrote:
   On Mon, Jun 04, 2007 at 04:28:56AM +0300, Timo Sirainen wrote:
   
     ACL plugin shouldn't have anything to do with that decision. The \Seen
     flag is stored privately if you have created dovecot-shared file to the
     maildir.
   
   Is it possible to have dovecot enforce the file mode and group owner of
   inserted mails without causing flags to be stored privately?  It's looking
   like I will have to use a cron job to fix file permissions on mails added
   to shared mail folders by imap clients.  I'd be willing to implement a 
   local permanent patch but I haven't looked into how easy it would be yet
   because I did not (until now) realize that this behavior was intended.
  
  src/lib-storage/index/maildir/maildir-storage.c around line 539:
  
  mbox->private_flags_mask = MAIL_SEEN;
  
  Set that to 0.
  
Thanks, finally got around to testing it in my environment and it seems to 
work fine.


Re: [Dovecot] Public Namespace and ACLs with pure virtual users

2007-06-05 Thread Timo Sirainen
On Mon, 2007-06-04 at 13:53 -0400, Charles Marcus wrote:
 On 6/3/2007 Timo Sirainen ([EMAIL PROTECTED]) wrote:
  ACL plugin shouldn't have anything to do with that decision. The
  \Seen flag is stored privately if you have created dovecot-shared
  file to the maildir. There isn't yet support for separate shared and
  private flags (and I'm not sure if there ever will be).
 
 Yikes!
 
 Or maybe I misunderstood...
 
 I have a real need to have (at least) one shared folder (inbound faxes) 
 with shared \Seen flags - so the 5 people assigned to monitor it will 
 know when someone else has seen/forwarded a new fax - and private \Seen 
 flags on other shared maildirs (like distribution lists, etc)...
 
 Are you saying this may never be possible?

No, not never. I'll probably add private_flags setting to dovecot-shared
file or something.

But if you use a single UID for all users you can already do this by not
adding dovecot-shared file for mailboxes where you don't want private
\Seen flags.
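
The two points in the message above (a dovecot-shared file makes \Seen private, leaving it out keeps \Seen shared), together with the cron-job concern raised elsewhere in the thread, as an added example that is not code from the thread or from the Dovecot project: a shell audit of a shared maildir tree. It assumes GNU stat and find, and that mails in a mailbox with a dovecot-shared file are expected to carry that file's mode and group; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a tree of shared maildirs (GNU stat/find assumed).
# For every maildir (a directory with a cur/ subdirectory) under ROOT print:
#   <dir> seen=<private|shared> drift=<n>
# seen=private -> a dovecot-shared file exists, so \Seen is kept per user
# seen=shared  -> no dovecot-shared file, so \Seen is common to all users
# drift        -> mails in cur/ and new/ whose mode or group differs from
#                 the dovecot-shared file (0 when that file is absent)
audit_shared_maildirs() {
    root=$1
    find "$root" -type d -name cur | sort | while IFS= read -r cur; do
        dir=${cur%/cur}
        marker=$dir/dovecot-shared
        if [ -f "$marker" ]; then
            want=$(stat -c '%a %g' "$marker")
            drift=0
            for f in "$dir"/cur/* "$dir"/new/*; do
                [ -f "$f" ] || continue   # skip unmatched globs
                [ "$(stat -c '%a %g' "$f")" = "$want" ] || drift=$((drift + 1))
            done
            printf '%s seen=private drift=%s\n' "$dir" "$drift"
        else
            printf '%s seen=shared drift=0\n' "$dir"
        fi
    done
}

# Constructed sample tree (not from the thread): .Faxes shares \Seen,
# .Support keeps it private and holds one mail whose mode has drifted.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/.Faxes/cur" "$t/.Faxes/new" "$t/.Support/cur" "$t/.Support/new"
    : > "$t/.Faxes/cur/1.msg"
    : > "$t/.Support/dovecot-shared"; chmod 660 "$t/.Support/dovecot-shared"
    : > "$t/.Support/cur/1.msg";      chmod 660 "$t/.Support/cur/1.msg"
    : > "$t/.Support/new/2.msg";      chmod 600 "$t/.Support/new/2.msg"
    printf '%s\n' "$t"
}

# Run against a real tree when a path is given on the command line.
if [ "$#" -gt 0 ]; then audit_shared_maildirs "$1"; fi
```

A non-zero drift count marks a mailbox where a periodic permission fix would still be needed.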





Re: [Dovecot] Public Namespace and ACLs with pure virtual users

2007-06-05 Thread Charles Marcus
  I have a real need to have (at least) one shared folder (inbound faxes)
  with shared \Seen flags - so the 5 people assigned to monitor it will
  know when someone else has seen/forwarded a new fax - and private \Seen
  flags on other shared maildirs (like distribution lists, etc)...

  Are you saying this may never be possible?

 No, not never. I'll probably add private_flags setting to dovecot-shared
 file or something.

Ak, ok, gotcha...

 But if you use a single UID for all users you can already do this by not
 adding dovecot-shared file for mailboxes where you don't want private
 \Seen flags.

Gak! I can't believe I missed that... thanks!

--

Best regards,

Charles


Re: [Dovecot] Public Namespace and ACLs with pure virtual users

2007-06-03 Thread Timo Sirainen
On Sun, 2007-06-03 at 22:26 -0400, Adam McDougall wrote:
 On Mon, Jun 04, 2007 at 04:28:56AM +0300, Timo Sirainen wrote:
 
   ACL plugin shouldn't have anything to do with that decision. The \Seen
   flag is stored privately if you have created dovecot-shared file to the
   maildir. 
 
 Is it possible to have dovecot enforce the file mode and group owner of
 inserted mails without causing flags to be stored privately?  It's looking
 like I will have to use a cron job to fix file permissions on mails added
 to shared mail folders by imap clients.  I'd be willing to implement a 
 local permanent patch but I haven't looked into how easy it would be yet
 because I did not (until now) realize that this behavior was intended.

src/lib-storage/index/maildir/maildir-storage.c around line 539:

mbox->private_flags_mask = MAIL_SEEN;

Set that to 0.





[Dovecot] Public Namespace and ACLs with pure virtual users

2007-05-23 Thread Marc Delling

hi!

i would appreciate to have some comments on my below scenario:

# from the config
userdb static {
args = uid=vmail gid=mail home=/vmail/%d/%n
}

namespace public {
  separator = /
  prefix = All/
  location = maildir:/vmail/%d/all/Maildir:CONTROL=~/Maildir/control/all:INDEX=~/Maildir/index/all
  inbox = no
  hidden = no
}

namespace private {
  separator = /
  prefix =
  location = maildir:~/Maildir
  inbox = yes
  hidden = no
}
# end config

the public namespace is also the maildir of the user [EMAIL PROTECTED].  
a sieve script is dropping mail for [EMAIL PROTECTED] to the appropriate  
maildir within this maildir/namespace (e.g. .Support/)


first of all: this works to some point but is such a configuration  
valid? can a public namespace be the maildir of a user?


if a new mail for [EMAIL PROTECTED] comes in, all subscribed users (of  
this domain) can view it and it is marked as /Seen individually.
the important feature to me: the /Seen flags are managed per user as  
configured in the public namespace


now the problem:
the whole mail system runs with one uid/gid and virtual users, which  
has the effect that some user can delete mails in the public  
namespace or drop mails into it, create folders etc. this is not  
wanted. i wanted a read-only public namespace. so i decided to use  
acls. as namespace prefixes are ignored i needed to create them  
globally. my first try was:


/etc/dovecot/acls/Support:

owner lrwstiekxa
authenticated lr

which led to the result that other users than [EMAIL PROTECTED] cannot  
manipulate the public namespace at all, including setting their /Seen  
flag. that was the first surprise to me as i thought this flag would  
be managed separately in the users homes.


after a (very short) thought i came to this (allow setting the /Seen  
flag for others):


owner lrwstiekxa
authenticated lrs

which led to another unexpected result: the /Seen flag is now set  
globally. if one user marks a mail /Seen, it is /Seen for all other  
users too.


where is the problem? except for the iso/osi layer 8 problem i am  
aware of...


marc