dovecot - Aug 2010 - Help needed with plugin - Read Only access to IMAP mailbox

System info:
# 1.2.13: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-5-686-bigmem i686 Debian squeeze/sid
..
mail_plugins: readonly
..

I have a requirement to have read-only to a mailbox. I have been researching
through the wiki, the mailing list archives and
good old Google. There was a number of similar questions with no real definitive
answer.

Option 1: ACL
This can work, but not if the mailbox(s) can change without you knowing how.
I.E. a online read-only archive of someone else's
mailbox. There is no wild-card or recursive ACL options. Rsync style backups
don't allow for easy creation of custom ACL files
per mailbox.

Option 2: Read-only filesystem (Linux)
This seems easy, but it's not.
  1) how do you update your archive?
I tried with a bind mount, this does not let you set the 'ro' option
*directly*. You must then use "-o remount,ro" to get your
read-only bind mount. This is a little messy (needs custom init scripts for
mounting on boot), but do-able.

  2) Dovecot needs write access to CONTROL and INDEX files.
This lead me to using the "CONTROL" and "INDEX" options on
the mail_locaiton. Setting these to the original 'rw' mount and the
rest to my 'ro' bind mount. Again, messy but do-able.

  3) Clients try to move messages from 'new' to 'cur' for
Maildir.
Every time I opened a maildir I got an error per mail (dovecot log) about
read-only filesysem as the client was trying to set
the Seen flag and dovecot was trying to move the 'new' mail to the
'cur' folder.
My test client, mutt, has a 'read_only' option when connecting. This
eliminates this issue, but I cannot get everyone to use
this archive with a correctly configured mutt.

This sent me looking for 'read only' options in other clients. I could
hardly find any.
I noted that mutt send an EXAMINE and not a SELECT to open the mailbox when in
read_only mode and this set me thinking about
doing this in another way.

Option 3: Dovecot Plugin
I started looking into the dovecot plugins. Being more a systems administrator
than developer I have cobbled together a working
plugin. It nearly does what I want, but not quite, and I don't know why.
NOTE: I no longer use the setup that I had to test Options 1 and 2.

I thought that this plugin can either be used server-wide or with the
'mail_plugins' userdb option.

The plugin forces the MAILBOX_OPEN_READONLY flag in a mailbox_open() call.
The plugin returns an error for all mailbox_create() calls.

Testing in mutt:
  - I am unable to delete a mail
  - I am unable to create a new folder
So far so good. However:
  - I am able to move/copy a mail to an *existing* mailbox
    (note, the move operation makes the copy but fails to set the
'delete' flag)

I do not understand why this works. I have been grep-ing through the source of
dovecot and the plugins to find some answer, but
without luck.

Attached is the full source to my plugin and the Makefile (adapted from Johannes
Berg's antispam plugin Makefile)

When finished, I will be happy to release this to the dovecot community under
the GPL/LGPL or whatever.

Regards

Chris
-------------- next part --------------
A non-text attachment was scrubbed...
Name: readonly_plugin.tgz
Type: application/x-gtar
Size: 1815 bytes
Desc: not available
URL:
<http://dovecot.org/pipermail/dovecot/attachments/20100825/d1bcddad/attachment-0002.gtar>

On 2010-08-25 11:59:06 +0200, Chris Moules wrote:
> System info:
> # 1.2.13: /etc/dovecot/dovecot.conf
> # OS: Linux 2.6.32-5-686-bigmem i686 Debian squeeze/sid
> ..
> mail_plugins: readonly
> ..
> 
> I have a requirement to have read-only to a mailbox. I have been
> researching through the wiki, the mailing list archives and good old
> Google. There was a number of similar questions with no real
> definitive answer.
> 
> Option 1: ACL
> This can work, but not if the mailbox(s) can change without you
> knowing how. I.E. a online read-only archive of someone else's
> mailbox. There is no wild-card or recursive ACL options. Rsync style
> backups don't allow for easy creation of custom ACL files per
> mailbox.
acls are stored in dovecot-acls files either inside the mailbox or in
/etc/dovecot. so you can preserve them easily with rsync style backup.
>  2) Dovecot needs write access to CONTROL and INDEX files.
> This lead me to using the "CONTROL" and "INDEX" options
on the
> mail_locaiton. Setting these to the original 'rw' mount and the
rest
> to my 'ro' bind mount. Again, messy but do-able.
Just for the record: you can configure CONTROL and INDEX seperately. see below.

my solution for a similar problem:

[[[
namespace public {
   separator = /

   # Mailboxes are visible under "shared/user at domain/"
   # %%n, %%d and %%u are expanded to the destination user.
   prefix = archive/

   # Mail location for other users' mailboxes. Note that %variables and ~/
   # expands to the logged in user's data. %%n, %%d, %%u and %%h expand to
the
   # destination user's data.
   location =
maildir:/srv/mail/archive:INDEX=/srv/mail/%u/shared/%%u:CONTROL=/srv/mail/%u/shared

   # Use the default namespace for saving subscriptions.
   subscriptions = yes

   # List the shared/ namespace only if there are visible shared mailboxes.
   list = children
}
]]]

only my mail archive user can deliver mails into that namespace (via ACL (p)).
all other users only have read permissions, as index/control are per user, each
user can have their own
flags (like seen).

shouldnt this give you exactly what you want?

-- 
           openSUSE - SUSE Linux is my linux
               openSUSE is good for you
                   www.opensuse.org

On Wed, 2010-08-25 at 11:59 +0200, Chris Moules wrote:
> Option 1: ACL
> This can work, but not if the mailbox(s) can change without you knowing
how. I.E. a online read-only archive of someone else's
> mailbox. There is no wild-card or recursive ACL options. Rsync style
backups don't allow for easy creation of custom ACL files
> per mailbox.
I think you could pretty easily add support for "default ACL file"
that
is used instead of the internal ACL defaults. I've been planning on
doing that at some point anyway. Maybe ~/Maildir/dovecot-acl-default or
something.
> The plugin forces the MAILBOX_OPEN_READONLY flag in a mailbox_open() call.
Yeah .. this flag isn't enforced much really.. I think I should just
remove it.