[Dovecot] Dovecot public folders ACL

Fintec mailing_list at fintec.co.nz
Tue Aug 29 23:42:25 EEST 2006


Are you using "real" users as opposed to "virtual"? I've been trying to
implement ACL controlled shared folders but couldn't as our set-up
requires the use of virtual users.

Specifically our problems are:
1) dovecot-acl file within public namespace directory isn't found
2) global ACLs (vfile) partially work with virtual users but when used:
        a) non-ACL restricted public namespace directories stop working
        b) permitted users are unable to view or create sub-folders

See: http://dovecot.org/pipermail/dovecot/2006-August/015058.html and
rest of thread for more details.

If anyone has been successful with virtual users I'd love to hear about
it! If/when I can get ACLs working with virtual users we'll have a full
dovecot (imap) replacement for exchange server!

Gavin

On Mon, 2006-08-28 at 10:54 +0300, typus vulgaris wrote:
> Hi Jeff,
> 
> After I read this post from your namesake I made it work!
> http://dovecot.org/pipermail/dovecot/2006-August/015634.html
> 
> The main idea is that the dovecot-acl file in a public/shared folder is
> read only by its owner!
> 
> To make it readable by other users you have to define a global vfile
> folder in the ACL plugin section.
> 
> I have defined in dovecot.conf like this:
> 
> plugin {
>       acl = vfile:/usr/local/etc/dovecot-acls
> }
> 
> As my folder separator is /, I have to create, under
> /usr/local/etc/dovecot-acls, folders named like my public folders in the
> public folder location, like this:
> /usr/local/etc/dovecot-acls/share/ as I have a public folder in
> /home/user/public/.share/
> 
> In /home/user/public/.share/ I created a dovecot-share file, and in
> /usr/local/etc/dovecot-acls/share/ I created a .DEFAUL file which
> contains the real ACL:
> user=someuser lr
> 
> And it did the trick!
> 
> So I want to say that http://wiki.dovecot.org/ACL does not clearly
> explain the process :(
> 
> Hope my post will help someone...
> 
> PS. Thanks to Jeff Horner for making it clear to me...
> 
> 
> 2006/8/28, Jeff Turner <jeff at atlassian.com>:
> > After trying and failing to do the same thing, I'm also curious about
> > this. Do ACLs simply not work with shared folders? If so, what's the
> > point of ACLs? Only shared resources need access control in the first
> > place.
> >
> >
> > --Jeff
> >
> > On Thu, Aug 17, 2006 at 12:24:35PM +0300, typus vulgaris wrote:
> > > Hi, all!
> > >
> > > I'm new to dovecot but trying to setup read-only public folders for
> > > different user groups.
> > >
> > > My goal is to create several public folders such as sales, operation
> > > etc. with a per-user index.
> > >
> > > But I have a problem which I can't resolve with Google and Dovecot.Org.
> > >
> > > Now users can see and subscribe to the test folder "share", but I can't
> > > block the ability to delete messages via ACL.
> > >
> > > Here are the file system permissions:
> > >
> > > public/.share ]> ls -la
> > > total 12
> > > drwxrwx---  5 share  mail  512 17 авг 12:17 .
> > > drwxrwx---  6 root   mail  512 17 авг 11:04 ..
> > > drwxrwx---  2 share  mail  512 17 авг 11:18 cur
> > > -rwxrwx---  1 root   mail   21 17 авг 10:36 dovecot-acl
> > > -rwxrwx---  1 root   mail    0 16 авг 17:56 dovecot-shared
> > > drwxrwx---  2 share  mail  512 17 авг 11:17 new
> > > drwxrwx---  2 share  mail  512 17 авг 11:17 tmp
> > >
> > > my dovecot-acl file:
> > >
> > > public/.share ]> cat dovecot-acl
> > > owner lr
> > > user=typ lr
> > >
> > > But user typ can delete messages. The ACL seems to be working, though,
> > > because if I remove the letter 'l' from typ's setting he cannot see the folder.
> > >
> > > Here is my config:
> > > ----------8<------------
> > > protocols = imap
> > > ssl_disable = yes
> > > disable_plaintext_auth = no
> > > shutdown_clients = yes
> > > log_path = /var/log/dovecot/sys.log
> > > info_log_path = /var/log/dovecot/info.log
> > > login_process_size = 64
> > > verbose_proctitle = yes
> > > first_valid_gid = 0
> > > mail_extra_groups = mail
> > > default_mail_env = mbox:/var/mail/%u:INDEX=/home/user/%u:INBOX=/var/mail/%u
> > > namespace private {
> > >   separator = /
> > >   prefix =
> > >   location = maildir:/home/user/%u/.maildir
> > >   inbox = yes
> > > }
> > > namespace public {
> > >   separator = /
> > >   prefix = Public/
> > >   location = maildir:/home/user/public:CONTROL=/home/user/%u/public/control:INDEX=/home/user/%u/public/index
> > >   hidden = no
> > >   inbox = no
> > > }
> > > mbox_read_locks = fcntl
> > > mbox_write_locks = dotlock fcntl
> > > mbox_lock_timeout = 300
> > > mbox_very_dirty_syncs = yes
> > > umask = 0007
> > > protocol imap {
> > >   listen = 192.168.101.1:143
> > >   mail_plugins = acl
> > >   imap_client_workarounds = delay-newmail outlook-idle
> > > }
> > >
> > > protocol pop3 {
> > >   pop3_uidl_format = %08Xu%08Xv
> > >   pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
> > > }
> > > auth default {
> > >   mechanisms = plain
> > >   passdb pam {
> > >   }
> > >   userdb passwd {
> > >   }
> > >   user = root
> > > }
> > > plugin {
> > > }
> > > -----------------8<--------------
> > >
> > >
> > > --
> > > typus
> > > vulgaris
> >
> 
> 
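As an added example, not code from this thread or from Dovecot itself, here is a small Python evaluator for the dovecot-acl line format quoted above ("owner lr", "user=typ lr"). It assumes the identifier forms owner, anyone, authenticated, user=<name> and group=<name>, and the right letters as documented for Dovecot's ACL plugin (the thread only uses 'l' and 'r'; the rest of the table is an assumption from the documentation). Given the ACL lines from the thread, it reports what a user is granted on paper and whether the 't' (set \Deleted) and 'e' (expunge) rights needed to delete messages are present:

```python
"""Evaluator for the dovecot-acl line format quoted in this thread.

Assumed semantics (taken from the Dovecot ACL plugin documentation, not from
the thread itself): each line is "<identifier> <rights>", identifier is one of
owner, anyone, authenticated, user=<name>, group=<name>, and <rights> is a run
of single-letter rights. A user's effective rights are the union of the rights
on every line whose identifier matches that user.
"""
import re

# Right letters as documented for Dovecot's ACL plugin (assumption: the thread
# itself only uses 'l' and 'r'; the remaining letters come from the docs).
RIGHT_NAMES = {
    "l": "lookup: folder is visible in LIST/LSUB",
    "r": "read: folder can be opened and messages read",
    "w": "write: set flags other than \\Seen and \\Deleted",
    "s": "write-seen: set the \\Seen flag",
    "t": "write-deleted: set the \\Deleted flag",
    "i": "insert: APPEND/COPY messages into the folder",
    "e": "expunge: remove messages flagged \\Deleted",
    "k": "create: create child folders",
    "x": "delete: delete the folder itself",
    "a": "admin: change the folder's ACL",
}

LINE_RE = re.compile(r"^(owner|anyone|authenticated|user=\S+|group=\S+)\s+([a-z]+)$")


def parse_acl(text):
    """Parse dovecot-acl text into a list of (identifier, rights) tuples."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = LINE_RE.match(line)
        if not match:
            raise ValueError(f"line {lineno}: unrecognised ACL entry {raw!r}")
        ident, rights = match.groups()
        unknown = set(rights) - set(RIGHT_NAMES)
        if unknown:
            raise ValueError(f"line {lineno}: unknown right letters {sorted(unknown)}")
        entries.append((ident, frozenset(rights)))
    return entries


def effective_rights(entries, user, owner, groups=(), authenticated=True):
    """Union of the rights from every entry that applies to `user`."""
    rights = set()
    for ident, r in entries:
        if (ident == "anyone"
                or (ident == "authenticated" and authenticated)
                or (ident == "owner" and user == owner)
                or ident == f"user={user}"
                or (ident.startswith("group=") and ident[len("group="):] in groups)):
            rights |= r
    return rights


def can_delete_messages(rights):
    """Removing a message needs the \\Deleted flag ('t') and expunge ('e')."""
    return {"t", "e"} <= rights


def missing_for_delete(rights):
    """Rights a user would still need before they could delete messages."""
    return sorted({"t", "e"} - rights)


# Constructed sample: the dovecot-acl contents quoted in the thread, where the
# Maildir directory is owned by the "share" account (see the ls output above).
THREAD_ACL = "owner lr\nuser=typ lr\n"
THREAD_OWNER = "share"


def report(acl_text, user, owner, groups=()):
    """Human-readable summary of what the ACL grants to one user."""
    rights = effective_rights(parse_acl(acl_text), user, owner, groups)
    lines = [f"rights for {user!r}: {''.join(sorted(rights)) or '(none)'}"]
    for letter in sorted(rights):
        lines.append(f"  {letter}: {RIGHT_NAMES[letter]}")
    if can_delete_messages(rights):
        lines.append("  can delete messages")
    else:
        lines.append(f"  cannot delete messages (missing {missing_for_delete(rights)})")
    return "\n".join(lines)


if __name__ == "__main__":
    for who in ("typ", "share", "someone-else"):
        print(report(THREAD_ACL, who, THREAD_OWNER))
```

Run against the thread's two-line ACL, the evaluator shows that "lr" grants neither 't' nor 'e', so on paper typ cannot delete anything. That is the useful check here: when a client can still delete despite such an ACL, the file is not being applied at all rather than being too permissive, which matches the explanation later in the thread that the per-folder dovecot-acl in a public folder is only read by its owner and a global vfile directory has to be used instead.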
