[Dovecot] Help needed with plugin - Read Only access to IMAP mailbox

Chris Moules chris at gms.lu
Wed Aug 25 15:53:40 EEST 2010


Marcus Rueckert wrote:
> On 2010-08-25 14:13:53 +0200, Chris Moules wrote:
>>> you can specify default ACLs in /etc/dovecot/acls?
>> I did try this. Again, the issue being that they are not inherited to
>> sub-folders, so a ACL for the INBOX is not used for all folders. You
>> need a global ACL file named for each folder name. So if a client
>> creates a folder called "My banana photo collection" you would need a
>> file "/etc/dovecot/acls/My banana photo collection" with something
>> like "authenticated rl"
>>
>> It is not possible to have a global ACL for every possible folder name.
> 
> to quote http://wiki.dovecot.org/ACL :
> 
> [[[
> Every time you create a new mailbox, it gets its ACLs from the parent
> mailbox. If you're creating a root-level mailbox, it uses the
> namespace's default ACLs. There is no actual inheritance, however: If
> you modify parent's ACLs, the child's ACLs stay the same. There is
> currently no support for ACL inheritance. 
> 
> The default ACLs are read from "dovecot-acl" file in the namespace's
> mail root directory (e.g. /var/public/Maildir).
> ]]]
> 
>     darix
> 

Marcus / darix,

I read the wiki ACL thoroughly. I believe that you are missing the point.

source server  -rsync->  destination server
(Read/Write)               (Read Only)

  - I am _not_ doing everything through dovecot.
  - Maildirs are being synced from one server to another (source -> destination).
  - The 'new' mailbox (or folder as I have referred to them up until now) is created on the 'source' server (where ACLs are not enabled).
  - The 'destination' dovecot system has the Maildir changed underneath it, direct disk access (rsync). The ACL plugin has no influence on its creation, so no auto-created "dovecot-acl" file like the parent (or not).
  - Global ACLs do not get inherited to the child mailboxes (I have not seen this written in black & white, my testing confirms this however). In the wiki Global ACLs have a different write-up to their 'standard' counterpart and need the full name / hierarchy.

The fact that my ACL/read-only dovecot server does not have any control over the creation of the maildirs means that the sync system would need to create a "dovecot-acl" file for all maildirs. This complicates the matter and leaves room for mistakes.

Through my research and testing I had the idea that using a dovecot plugin I could just tell the client that they only had read access to the server. This would avoid the need to have over-complex ACLs that looked like they would not, elegantly, solve my problem. The plugins did not seem over complex and I have been able to realize most of my need with very little code.

Regards

Chris
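The per-folder workaround Chris describes above (the sync job writing a "dovecot-acl" file into every maildir on the read-only destination) as an added example; it is not part of the thread or of Chris's plugin. It assumes a Maildir++ layout (subfolders are ".Name" directories beside cur/new/tmp) and uses the "authenticated rl" rights line quoted earlier in the thread; the ACL_LINE and FORCE variables are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: run after each rsync on the read-only
# destination so every Maildir++ folder under a mail root carries an explicit
# "dovecot-acl" file that the ACL plugin can read. Rsync'd folders never pass
# through Dovecot, so nothing else would create these files.
# Assumptions: Maildir++ layout, rights line "authenticated rl" (from the
# thread). Existing dovecot-acl files are kept unless FORCE=1.

ACL_LINE="${ACL_LINE:-authenticated rl}"

# write_acl DIR: create DIR/dovecot-acl unless it already exists (or FORCE=1).
write_acl() {
    dir="$1"
    if [ -f "$dir/dovecot-acl" ] && [ "${FORCE:-0}" != "1" ]; then
        return 0
    fi
    printf '%s\n' "$ACL_LINE" > "$dir/dovecot-acl"
}

# stamp_maildir ROOT: apply write_acl to ROOT (the INBOX) and to every
# Maildir++ subfolder directly below it. Prints the number of folders handled;
# returns 1 if ROOT is not a Maildir.
stamp_maildir() {
    root="$1"
    count=0
    [ -d "$root/cur" ] || return 1
    write_acl "$root"
    count=$((count + 1))
    for sub in "$root"/.*; do
        # skip the . and .. entries the glob may return
        case "$sub" in "$root/." | "$root/..") continue ;; esac
        # only real folders have a cur/ directory; skips files like .uidvalidity
        [ -d "$sub/cur" ] || continue
        write_acl "$sub"
        count=$((count + 1))
    done
    echo "$count"
}

# Usage: stamp_maildir /path/to/user/Maildir   (path is a placeholder)
```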
