RE: I can't configure shared mailbox ACLs using LDAP information
> I thought it was just a lack of skill on my part in finding/making the
> correct configuration.

I am curious about your results, so keep posting! :)

> But what do large email servers that use Dovecot do?
>
> I thought it was an orchestration between OpenLDAP, Postfix and Dovecot
> because theoretically LDAP is the best place to store users, groups,
> passwords and permissions.

I agree; however, I am currently configuring LDAP users on the OS and have Dovecot use the OS. I think it is also a little more secure having the OS manage users. I once tested Dovecot in a container with direct LDAP access but can't remember much from it. Does Dovecot take settings from ldap.conf so you can have redundant LDAP servers configured?

> b) with the query below in [ /etc/postfix/ldap-senders.cf ] users with
> permission to access shared mailboxes can send mail using the shared
> mailbox address; however, the mail is in the Sent folder of the user who
> sent it and not in the Sent folder of the shared mailbox (where I would
> like it to be); The idea is that if three people have access to a shared
> mailbox, the first one to read and respond to an email will leave it
> saved in the Sent folder of the shared mailbox so that the other two can
> see that the email has already been responded to

Maybe a global Sieve rule that checks this? AFAIK you can enable in Outlook that sent messages should go to the active folder if you are not in the inbox, but it does not work on all folders. I can remember thinking about having a module made that would do this automatically.

___
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org
Re: I can't configure shared mailbox ACLs using LDAP information
Wow, hard to believe. I thought it was just a lack of skill on my part in finding/making the correct configuration.

But what do large email servers that use Dovecot do?

I thought it was an orchestration between OpenLDAP, Postfix and Dovecot because theoretically LDAP is the best place to store users, groups, passwords and permissions.

Anyway, below is the bash script that I used to do a minimal automation of ACLs.

[ apply_ACLs_for_shared_mailboxes.sh ]

#!/bin/bash
set -euo pipefail

# LDAP base DN
BASE_DN="dc=mydomain,dc=com,dc=br"

# LDAP search filter for enabled shared mailboxes
LDAP_FILTER="(&(objectClass=groupOfUniqueNamesWithMail)(mailEnabled=TRUE))"

# LDAP server details
LDAP_SERVER="ldap://ldap"
LDAP_BIND_DN="cn=admin,dc=mydomain,dc=com,dc=br"
# a bind password inside the script is readable by anyone who can read the
# file; "ldapsearch -y /path/to/passfile" with a mode 0600 file is safer
LDAP_PASSWORD="Secret-pwd"

# rights granted to every member of a shared mailbox (full access)
ACL_RIGHTS="lookup read write write-seen write-deleted insert post expunge create delete"

# temporary file to store the results of the LDAP search;
# mktemp avoids a predictable /tmp name that another local user could pre-create
TEMP_FILE="$(mktemp)"
trap 'rm -f "$TEMP_FILE"' EXIT

# perform LDAP search to get shared mailboxes and their members;
# -o ldif-wrap=no keeps long DNs on one line so the line-based parsing below works
ldapsearch -x -LLL -o ldif-wrap=no -H "$LDAP_SERVER" -D "$LDAP_BIND_DN" -w "$LDAP_PASSWORD" \
    -b "ou=shared-mailboxes,$BASE_DN" "$LDAP_FILTER" mail uniqueMember > "$TEMP_FILE"

# read the LDIF file and run the doveadm acl commands
SHARED_MAILBOX=""
while IFS= read -r line; do
    if [[ $line =~ ^dn: ]]; then
        SHARED_MAILBOX=""          # new entry: forget the previous mailbox address
    elif [[ $line =~ ^mail:\ (.+)$ ]]; then
        SHARED_MAILBOX="${BASH_REMATCH[1]}"
    elif [[ $line =~ ^uniqueMember:\ (.+)$ ]]; then
        # member DN is "mail=user@domain,ou=...,dc=..."; keep only the mail value
        USER="${BASH_REMATCH[1]%%,*}"
        USER="${USER#*=}"
        if [[ -z $SHARED_MAILBOX ]]; then
            echo "skipping $USER: no mail attribute seen yet for this entry" >&2
            continue
        fi
        # apply the ACL to INBOX and to the Sent folder; no eval, and every
        # variable quoted, so a hostile LDAP value cannot inject a command
        for folder in INBOX INBOX/Sent; do
            echo "doveadm acl set -u $SHARED_MAILBOX $folder user=$USER $ACL_RIGHTS"
            # shellcheck disable=SC2086  # ACL_RIGHTS is meant to be word-split
            doveadm acl set -u "$SHARED_MAILBOX" "$folder" "user=$USER" $ACL_RIGHTS
        done
    fi
done < "$TEMP_FILE"

I would like to take this opportunity to ask two things:

a) what would be the most appropriate permissions so that users with access to shared mailboxes can only read emails (delete only by the users who are "owners" of the shared mailboxes)?

b) with the query below in [ /etc/postfix/ldap-senders.cf ], users with permission to access shared mailboxes can send mail using the shared mailbox address; however, the mail is in the Sent folder of the user who sent it and not in the Sent folder of the shared mailbox (where I would like it to be). The idea is that if three people have access to a shared mailbox, the first one to read and respond to an email will leave it saved in the Sent folder of the shared mailbox so that the other two can see that the email has already been responded to.
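The following is an added example and not code from this thread: it does the same job as the bash script above (turn the LDIF that ldapsearch prints for the shared-mailboxes OU into "doveadm acl set" commands) but parses whole LDIF entries, so it does not depend on "mail:" being listed before "uniqueMember:", and it copes with LDIF line folding and base64 ("attr::") values that ldapsearch emits for long or non-ASCII values. It also shows one answer to question a): members named in a standard "owner" attribute of the group (an assumption; the thread's schema does not use it) get the full right set, every other uniqueMember gets lookup/read/write-seen only, which lets them read mail and mark it seen but not flag, move, expunge or delete it. The LDIF sample is constructed for the example.

```python
"""Build "doveadm acl set" commands from the LDIF ldapsearch prints for the
shared-mailboxes OU.  Added example, not code from the thread."""
import base64
import shlex

# Right names as "doveadm acl set" expects them.
OWNER_RIGHTS = ["lookup", "read", "write", "write-seen", "write-deleted",
                "insert", "post", "expunge", "create", "delete"]
# Read-only access: see the folder, read messages and mark them seen, and
# nothing that alters or removes mail.
READER_RIGHTS = ["lookup", "read", "write-seen"]

# Constructed sample of "ldapsearch -x -LLL ... mail owner uniqueMember" output.
# It deliberately lists uniqueMember before mail, folds one long DN across two
# lines and base64-encodes one value (attr::), all of which real output can do.
# (The "owner" attribute marking who may delete is this example's assumption.)
SAMPLE_LDIF = """\
dn: cn=support,ou=shared-mailboxes,dc=mydomain,dc=com,dc=br
uniqueMember: mail=alice@mydomain.com.br,ou=person-accounts,dc=mydomain,dc=com,dc=br
uniqueMember: mail=bob@mydomain.com.br,ou=person-accounts,dc=mydomain,dc=com,dc=br
owner: mail=alice@mydomain.com.br,ou=person-accounts,dc=mydomain,dc=com,dc=br
mail:: c3VwcG9ydEBteWRvbWFpbi5jb20uYnI=

dn: cn=billing,ou=shared-mailboxes,dc=mydomain,dc=com,dc=br
mail: billing@mydomain.com.br
uniqueMember: mail=carol@mydomain.com.br,ou=person-accounts,dc=mydomain,dc=c
 om,dc=br
"""


def parse_ldif(text):
    """Return one {attribute: [values]} dict per entry.

    Handles LDIF line folding (a continuation line starts with one space)
    and base64 values ("attr:: ...").  Attribute names are kept as printed."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines:
        if line.startswith("#"):
            continue                      # comment
        if not line.strip():
            if current is not None:       # blank line ends an entry
                entries.append(current)
                current = None
            continue
        if line.startswith("dn:"):
            if current is not None:
                entries.append(current)
            current = {}
        if current is None:
            continue                      # e.g. "version: 1" before the first dn
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name, []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def rdn_value(dn, attr="mail"):
    """Value of the first RDN of dn if its type is attr, else None
    (mail=user@x,ou=...  ->  user@x)."""
    rdn_type, _, rdn_val = dn.split(",", 1)[0].partition("=")
    return rdn_val if rdn_type.strip().lower() == attr else None


def acl_commands(ldif_text, folders=("INBOX", "INBOX/Sent")):
    """Return doveadm argv lists: owners get OWNER_RIGHTS, every other member
    READER_RIGHTS.  Entries without a mail value are skipped."""
    cmds = []
    for entry in parse_ldif(ldif_text):
        shared = entry.get("mail", [None])[0]
        if not shared:
            continue
        owners = {rdn_value(dn) for dn in entry.get("owner", [])} - {None}
        members = {rdn_value(dn) for dn in entry.get("uniqueMember", [])} - {None}
        for folder in folders:
            for user in sorted(owners | members):
                rights = OWNER_RIGHTS if user in owners else READER_RIGHTS
                cmds.append(["doveadm", "acl", "set", "-u", shared, folder,
                             "user=" + user] + rights)
    return cmds


def render(cmds):
    """Shell-quoted command lines, safe to review or pipe into sh."""
    return [shlex.join(c) for c in cmds]


if __name__ == "__main__":
    print("\n".join(render(acl_commands(SAMPLE_LDIF))))
```

Pipe the real ldapsearch output in instead of SAMPLE_LDIF and review the rendered lines before running them. Note that "doveadm acl set" only adds or replaces the rights for the identifier it names: a user removed from the LDAP group keeps whatever was granted earlier until "doveadm acl delete" is run for that identifier, so a full sync has to compare the generated list against "doveadm acl get" output as well.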
Re: I can't configure shared mailbox ACLs using LDAP information
> On 23/05/2024 04:42 EEST moso.mosoleu--- via dovecot wrote:
>
> It shouldn't be impossible, but I've tried countless ways and not even
> ChatGPT 4o was able to help me! :D
>
> I use three LDIF files to get OpenLDAP ready for testing. In the first LDIF I
> just modify the schema to add the associatedDomain attributes (then I could
> configure the server to serve more than one domain). The second LDIF is to
> add 4 objects to the schema that I use to differentiate accounts that
> actually receive/send emails and have a password; another thing done in it is
> to add a "groupOfUniqueNamesWithMail" object that allows the "mail" and
> "mailEnabled" attributes that are then necessary to use in the entries
> created in the "shared-mailboxes" OU. Finally, the third LDIF populates the
> LDAP by creating OUs, user accounts and creating entries in
> "shared-mailboxes" that serve to say which user accounts have access to which
> other user accounts.
>
> When I start the email server, sending and receiving emails works perfectly.
>
> And mailbox shares work as expected if I manually use, for each share, the
> command:
>
> doveadm acl set -u ad...@mydomain.com.br INBOX user=use...@mydomain.com.br
> lookup read write write-seen write-deleted insert post expunge create delete
>
> But just as authentication works perfectly via LDAP, I believe there must be
> a way to configure Dovecot to dynamically adjust ACLs via LDAP.

Hi!

This has not yet been implemented in Dovecot.

Aki
I can't configure shared mailbox ACLs using LDAP information
It shouldn't be impossible, but I've tried countless ways and not even ChatGPT 4o was able to help me! :D

I use three LDIF files to get OpenLDAP ready for testing. In the first LDIF I just modify the schema to add the associatedDomain attributes (then I could configure the server to serve more than one domain). The second LDIF is to add 4 objects to the schema that I use to differentiate accounts that actually receive/send emails and have a password; another thing done in it is to add a "groupOfUniqueNamesWithMail" object that allows the "mail" and "mailEnabled" attributes that are then necessary to use in the entries created in the "shared-mailboxes" OU. Finally, the third LDIF populates the LDAP by creating OUs, user accounts and creating entries in "shared-mailboxes" that serve to say which user accounts have access to which other user accounts.

When I start the email server, sending and receiving emails works perfectly.

And mailbox shares work as expected if I manually use, for each share, the command:

doveadm acl set -u ad...@mydomain.com.br INBOX user=use...@mydomain.com.br lookup read write write-seen write-deleted insert post expunge create delete

But just as authentication works perfectly via LDAP, I believe there must be a way to configure Dovecot to dynamically adjust ACLs via LDAP. The configuration in principle would be this:

acl_search_base = ou=shared-mailboxes,dc=mydomain,dc=com,dc=br
acl_search_filter = (&(objectClass=groupOfUniqueNamesWithMail)(|(uniqueMember=mail=%u,ou=system-accounts,dc=mydomain,dc=com,dc=br)(uniqueMember=mail=%u,ou=department-accounts,dc=mydomain,dc=com,dc=br)(uniqueMember=mail=%u,ou=mailing-accounts,dc=mydomain,dc=com,dc=br)(uniqueMember=mail=%u,ou=person-accounts,dc=mydomain,dc=com,dc=br)))
acl_user = %u

Testing this filter on the command line with "ldapsearch", the expected results are returned. I mean, I enter an email address from a user account and the result is all the other user account email addresses that the first one would have access to.

Any charitable soul who is willing to help and needs more information, just say what you need and I will try to respond as quickly as possible.

I will place the content of the three LDIFs below.

[ 01-modify_domain.ldif ]

dn: dc=mydomain,dc=com,dc=br
changetype: modify
add: objectClass
objectClass: domainRelatedObject
-
add: associatedDomain
associatedDomain: mydomain.com.br
-
add: associatedDomain
associatedDomain: anotherdomain.com.br

[ 02-add_my_object_classes_to_schema.ldif ]

# Object classes are identified by OIDs; 1.3.6.1.4.1.9 is a registered vendor
# arc (Cisco's), so outside a local test use an arc assigned to your own
# organisation.

# Object class for system user accounts
dn: cn=SystemAccount,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: SystemAccount
olcObjectClasses: ( 1.3.6.1.4.1.9.1.1 NAME 'SystemAccount' DESC 'Object class for system accounts' SUP top AUXILIARY )

# Object class for department user accounts
dn: cn=DepartmentAccount,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: DepartmentAccount
olcObjectClasses: ( 1.3.6.1.4.1.9.1.2 NAME 'DepartmentAccount' DESC 'Object class for department accounts' SUP top AUXILIARY )

# Object class for mailing user accounts
dn: cn=MailingAccount,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: MailingAccount
olcObjectClasses: ( 1.3.6.1.4.1.9.1.3 NAME 'MailingAccount' DESC 'Object class for mailing accounts' SUP top AUXILIARY )

# Object class for person user accounts
dn: cn=PersonAccount,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: PersonAccount
olcObjectClasses: ( 1.3.6.1.4.1.9.1.4 NAME 'PersonAccount' DESC 'Object class for person accounts' SUP top AUXILIARY )

# Object class that allows groupOfUniqueNames to have a mail attribute.
# 'mailEnabled' is not in the OpenLDAP core schema: the schema that defines it
# must already be loaded, otherwise slapd rejects this entry.
dn: cn=groupOfUniqueNamesWithMail,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: groupOfUniqueNamesWithMail
olcObjectClasses: ( 1.3.6.1.4.1.9.1.5 NAME 'groupOfUniqueNamesWithMail' SUP groupOfUniqueNames STRUCTURAL MAY ( mail $ mailEnabled ) )

[ 03-initialize_mydomain.com.br.ldif ]

### Create organizational units

dn: ou=system-accounts,dc=mydomain,dc=com,dc=br
ou: system-accounts
objectClass: organizationalUnit
objectClass: top

dn: ou=department-accounts,dc=mydomain,dc=com,dc=br
ou: department-accounts
objectClass: organizationalUnit
objectClass: top

dn: ou=mailing-accounts,dc=mydomain,dc=com,dc=br
ou: mailing-accounts
objectClass: organizationalUnit
objectClass: top

dn: ou=person-accounts,dc=mydomain,dc=com,dc=br
ou: person-accounts
objectClass: organizationalUnit
objectClass: top

dn: ou=shared-mailboxes,dc=mydomain,dc=com,dc=br
ou: shared-mailboxes
objectClass: organizationalUnit
objectClass: top

## Create System User Accounts
# not related to a person
# can be accessed directly or indirectly by more than one person

dn: mail=ad...@mydomain.com.br,ou=system-accounts,dc=mydomain,dc=com,dc=br
uid: admin
userPassword: {SSHA}
displayName: My Domain - Admin
givenName: System
sn: Admin
cn: System Admin
mail: