RE: I can't configure shared mailbox ACLs using LDAP information

2024-05-23 Thread Marc via dovecot



> I thought it was just a lack of skill on my part in finding/making the
> correct configuration.

I am curious about your results, so keep posting! :)


> But what do large email servers that use Dovecot do?
> 
> I thought it was an orchestration between OpenLDAP, Postfix and Dovecot
> because theoretically LDAP is the best place to store users, groups,
> passwords and permissions.

I agree, however I am currently configuring ldap users on the os, and have 
dovecot use the os. I think it is also a little more secure having the os 
manage users. I once tested dovecot in a container with direct ldap access but 
can't remember much from it.
Does dovecot take settings from ldap.conf so you can have redundant ldap 
servers configured?


> 
> b) with the query below in [ /etc/postfix/ldap-senders.cf ] users with
> permission to access shared mailboxes can send mail using the shared
> mailbox address; however, the mail is in the Sent folder of the user who
> sent it and not in the Sent folder of the shared mailbox (where I would
> like it to be); the idea is that if three people have access to a shared
> mailbox, the first one to read and respond to an email will leave it
> saved in the Sent folder of the shared mailbox so that the other two can
> see that the email has already been responded to.

Maybe a global sieve rule that checks this? Afaik you can enable in Outlook that 
sent messages should go to the active folder if you are not in the inbox, but 
it does not work on all folders. I can remember thinking about having a module 
made that would do this automatically.



___
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org


Re: I can't configure shared mailbox ACLs using LDAP information

2024-05-23 Thread moso.mosoleu--- via dovecot
Wow, hard to believe.

I thought it was just a lack of skill on my part in finding/making the correct 
configuration.

But what do large email servers that use Dovecot do?

I thought it was an orchestration between OpenLDAP, Postfix and Dovecot because 
theoretically LDAP is the best place to store users, groups, passwords and 
permissions.

Anyway, below is the bash script that I used to do a minimal automation of ACLs.

[ apply_ACLs_for_shared_mailboxes.sh ]

#!/bin/bash
set -euo pipefail

# LDAP base DN
BASE_DN="dc=mydomain,dc=com,dc=br"

# LDAP search filter for enabled shared mailboxes
LDAP_FILTER="(&(objectClass=groupOfUniqueNamesWithMail)(mailEnabled=TRUE))"

# LDAP server details
LDAP_SERVER="ldap://ldap"
LDAP_BIND_DN="cn=admin,dc=mydomain,dc=com,dc=br"
LDAP_PASSWORD="Secret-pwd"

# ACL rights granted to every member on INBOX and INBOX/Sent
RIGHTS="lookup read write write-seen write-deleted insert post expunge create delete"

# temporary file to store the results of the LDAP search
# (mktemp instead of a fixed /tmp name; removed on exit even if the script fails)
TEMP_FILE="$(mktemp)"
trap 'rm -f "$TEMP_FILE"' EXIT

# perform LDAP search to get shared mailboxes and their members
ldapsearch -x -H "$LDAP_SERVER" -D "$LDAP_BIND_DN" -w "$LDAP_PASSWORD" \
    -b "ou=shared-mailboxes,$BASE_DN" "$LDAP_FILTER" mail uniqueMember > "$TEMP_FILE"

# read the LDIF file and run the doveadm acl commands
SHARED_MAILBOX=""
while IFS= read -r line; do
    if [[ $line =~ ^mail: ]]; then
        SHARED_MAILBOX=$(echo "$line" | awk '{print $2}')
    fi
    if [[ $line =~ ^uniqueMember: ]] && [[ -n $SHARED_MAILBOX ]]; then
        # the member DN is mail=user@domain,ou=...: keep only the address
        USER=$(echo "$line" | awk '{print $2}' | cut -d ',' -f 1 | cut -d '=' -f 2)
        for FOLDER in INBOX INBOX/Sent; do
            # print the command for reference, then run it directly (no eval);
            # $RIGHTS is deliberately unquoted so it splits into separate words
            echo "doveadm acl set -u $SHARED_MAILBOX $FOLDER user=$USER $RIGHTS"
            doveadm acl set -u "$SHARED_MAILBOX" "$FOLDER" "user=$USER" $RIGHTS
        done
    fi
done < "$TEMP_FILE"


I would like to take this opportunity to ask two things:

a) what would be the most appropriate permissions so that users with access to 
shared mailboxes can only read emails (delete, only users "owners of shared 
boxes")

b) with the query below in [ /etc/postfix/ldap-senders.cf ] users with 
permission to access shared mailboxes can send mail using the shared mailbox 
address; however, the mail is in the Sent folder of the user who sent it and 
not in the Sent folder of the shared mailbox (where I would like it to be); the 
idea is that if three people have access to a shared mailbox, the first one to 
read and respond to an email will leave it saved in the Sent folder of the 
shared mailbox so that the other two can see that the email has already been 
responded to.
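Added example, not code from the thread: the same LDIF-to-doveadm step as the bash script above, written in Python so the LDIF output of ldapsearch is parsed properly (folded continuation lines, base64 "mail::" values, comment lines, members whose DN is not a mail= RDN, and a per-entry reset so nobody inherits the previous entry's mailbox). The sample LDIF is constructed, the commands are built as argv lists for subprocess instead of eval, and the read-only rights set for question (a) is a suggestion using the standard Dovecot ACL right names.

```python
import base64
import re
# Dovecot ACL rights: the thread's full set, and a read-only set for question (a)
FULL_RIGHTS = ("lookup", "read", "write", "write-seen", "write-deleted",
               "insert", "post", "expunge", "create", "delete")
READ_ONLY_RIGHTS = ("lookup", "read", "write-seen")

SAMPLE_LDIF = """\
# constructed sample of `ldapsearch ... mail uniqueMember` output
dn: cn=shared1,ou=shared-mailboxes,dc=mydomain,dc=com,dc=br
mail: shared1@mydomain.com.br
uniqueMember: mail=alice@mydomain.com.br,ou=person-accounts,dc=mydomain,dc=com,
 dc=br

dn: cn=shared2,ou=shared-mailboxes,dc=mydomain,dc=com,dc=br
mail:: c2hhcmVkMkBteWRvbWFpbi5jb20uYnI=
uniqueMember: cn=helpdesk,ou=groups,dc=mydomain,dc=com,dc=br
"""

def parse_ldif(text):
    """Yield one {attr: [values]} dict per entry, unfolding continuation
    lines (leading space), skipping comments and decoding "attr::" base64."""
    entry = {}
    for line in re.sub(r"\n ", "", text).splitlines() + [""]:  # "" flushes last
        if line.startswith("#"):
            continue
        if not line:                 # a blank line ends the current entry
            if entry:
                yield entry
            entry = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):    # "attr:: <base64 value>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        entry.setdefault(attr, []).append(value.strip())

def acl_commands(ldif_text, folders=("INBOX", "INBOX/Sent"), rights=FULL_RIGHTS):
    """doveadm argv lists (for subprocess.run, never eval) per member and folder."""
    cmds = []
    for entry in parse_ldif(ldif_text):
        if "mail" not in entry:      # e.g. the trailing "search:/result:" block
            continue
        for dn in entry.get("uniqueMember", []):
            attr, _, user = dn.split(",", 1)[0].partition("=")
            if attr.strip().lower() != "mail":   # only mail=<address> members
                continue
            for folder in folders:
                cmds.append(["doveadm", "acl", "set", "-u", entry["mail"][0],
                             folder, f"user={user.strip()}", *rights])
    return cmds
```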


Re: I can't configure shared mailbox ACLs using LDAP information

2024-05-22 Thread Aki Tuomi via dovecot


> On 23/05/2024 04:42 EEST moso.mosoleu--- via dovecot wrote:
> 
> It shouldn't be impossible, but I've tried countless ways and not even 
> ChatGPT 4o was able to help me! :D
> 
> I use three LDIF files to get OpenLDAP ready for testing. In the first LDIF I 
> just modify the schema to add the associatedDomain attributes (then I could 
> configure the server to serve more than one domain). The second LDIF is to 
> add 4 objects to the schema that I use to differentiate accounts that 
> actually receive/send emails and have a password; another thing done in it is 
> to add a "groupOfUniqueNamesWithMail" object that allows the "mail" and 
> "mailEnabled" attributes that are then necessary to use in the entries 
> created in the "shared-mailboxes" OU. Finally, the third LDIF populates the 
> LDAP by creating OUs, user accounts and creating entries in 
> "shared-mailboxes" that serve to say which user accounts have access to which 
> other user accounts.
> 
> When I start the email server, sending and receiving emails works perfectly.
> 
> And mailbox shares work as expected if I manually use, for each share, the 
> command:
> 
> doveadm acl set -u ad...@mydomain.com.br INBOX user=use...@mydomain.com.br lookup read write write-seen write-deleted insert post expunge create delete
> 
> But just as authentication works perfectly via LDAP, I believe there must be 
> a way to configure Dovecot to dynamically adjust ACLs via LDAP.
> 

Hi!

This has not yet been implemented in Dovecot.

Aki


I can't configure shared mailbox ACLs using LDAP information

2024-05-22 Thread moso.mosoleu--- via dovecot
It shouldn't be impossible, but I've tried countless ways and not even ChatGPT 
4o was able to help me! :D

I use three LDIF files to get OpenLDAP ready for testing. In the first LDIF I 
just modify the schema to add the associatedDomain attributes (then I could 
configure the server to serve more than one domain). The second LDIF is to add 
4 objects to the schema that I use to differentiate accounts that actually 
receive/send emails and have a password; another thing done in it is to add a 
"groupOfUniqueNamesWithMail" object that allows the "mail" and "mailEnabled" 
attributes that are then necessary to use in the entries created in the 
"shared-mailboxes" OU. Finally, the third LDIF populates the LDAP by creating 
OUs, user accounts and creating entries in "shared-mailboxes" that serve to say 
which user accounts have access to which other user accounts.

When I start the email server, sending and receiving emails works perfectly.

And mailbox shares work as expected if I manually use, for each share, the 
command:

doveadm acl set -u ad...@mydomain.com.br INBOX user=use...@mydomain.com.br lookup read write write-seen write-deleted insert post expunge create delete

But just as authentication works perfectly via LDAP, I believe there must be a 
way to configure Dovecot to dynamically adjust ACLs via LDAP.

The configuration in principle would be this:

acl_search_base = ou=shared-mailboxes,dc=mydomain,dc=com,dc=br

acl_search_filter = (&(objectClass=groupOfUniqueNamesWithMail)(|(uniqueMember=mail=%u,ou=system-accounts,dc=mydomain,dc=com,dc=br)(uniqueMember=mail=%u,ou=department-accounts,dc=mydomain,dc=com,dc=br)(uniqueMember=mail=%u,ou=mailing-accounts,dc=mydomain,dc=com,dc=br)(uniqueMember=mail=%u,ou=person-accounts,dc=mydomain,dc=com,dc=br)))

acl_user = %u

Testing this filter on the command line with "ldapsearch" the expected results 
are returned. I mean, I enter an email address from a user account and the 
result is all the other user account email addresses that the first one would 
have access to.

Any charitable soul who is willing to help and needs more information, just say 
what you need and I will try to respond as quickly as possible.

I will place the content of the three LDIFs below.

[ 01-modify_domain.ldif ]

dn: dc=mydomain,dc=com,dc=br
changetype: modify
add: objectClass
objectClass: domainRelatedObject
-
add: associatedDomain
associatedDomain: mydomain.com.br
-
add: associatedDomain
associatedDomain: anotherdomain.com.br


[ 02-add_my_object_classes_to_schema.ldif ]

# Object class for system user accounts
dn: cn=SystemAccount,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: SystemAccount
olcObjectClasses: ( 1.3.6.1.4.1.9.1.1 NAME 'SystemAccount' DESC 'Object class for system accounts' SUP top AUXILIARY )

# Object class for department user accounts
dn: cn=DepartmentAccount,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: DepartmentAccount
olcObjectClasses: ( 1.3.6.1.4.1.9.1.2 NAME 'DepartmentAccount' DESC 'Object class for department accounts' SUP top AUXILIARY )

# Object class for mailing user accounts
dn: cn=MailingAccount,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: MailingAccount
olcObjectClasses: ( 1.3.6.1.4.1.9.1.3 NAME 'MailingAccount' DESC 'Object class for mailing accounts' SUP top AUXILIARY )

# Object class for person user accounts
dn: cn=PersonAccount,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: PersonAccount
olcObjectClasses: ( 1.3.6.1.4.1.9.1.4 NAME 'PersonAccount' DESC 'Object class for person accounts' SUP top AUXILIARY )

# Object class that allows groupOfUniqueNames to have a mail attribute
dn: cn=groupOfUniqueNamesWithMail,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: groupOfUniqueNamesWithMail
olcObjectClasses: ( 1.3.6.1.4.1.9.1.5 NAME 'groupOfUniqueNamesWithMail' SUP groupOfUniqueNames STRUCTURAL MAY ( mail $ mailEnabled ) )


[ 03-initialize_mydomain.com.br.ldif ]

### Create organizational units

dn: ou=system-accounts,dc=mydomain,dc=com,dc=br
ou: system-accounts
objectClass: organizationalUnit
objectClass: top

dn: ou=department-accounts,dc=mydomain,dc=com,dc=br
ou: department-accounts
objectClass: organizationalUnit
objectClass: top

dn: ou=mailing-accounts,dc=mydomain,dc=com,dc=br
ou: mailing-accounts
objectClass: organizationalUnit
objectClass: top

dn: ou=person-accounts,dc=mydomain,dc=com,dc=br
ou: person-accounts
objectClass: organizationalUnit
objectClass: top

dn: ou=shared-mailboxes,dc=mydomain,dc=com,dc=br
ou: shared-mailboxes
objectClass: organizationalUnit
objectClass: top



## Create System User Accounts
#not related to a person
#can be accessed directly or indirectly by more than one person

dn: mail=ad...@mydomain.com.br,ou=system-accounts,dc=mydomain,dc=com,dc=br
uid: admin
userPassword: {SSHA}
displayName: My Domain - Admin
givenName: System
sn: Admin
cn: System Admin
mail: