On Tue, 2006-05-30 at 11:28 +1200, Fintec wrote:> Our implementation of dovecot (v1.0b7) uses many virtual users and
> domains and 1 actual user (vmail), all using maildir. So far I have
> successfully created the public namespace (Public_Folders) which every
> user can access but I'm having difficulty restricting access using
ACls.
> 
> When trying to implement the dovecot ACL plug-in I followed the wiki
> instructions and created a "dovecot-acl" file within
Public_Folders
> containing:
> owner lrwstiekxa
> user=user1 at domain.com lrwstiek
> 
> However this doesn't appear to do anything. All users can still access
> Public_Folders so I have a couple of questions that hopefully someone
> can help me with...
The problem here is that Dovecot assumes the logged in user owns the
mailbox. The ACLs were currently meant mostly to work with master user
logins, so the only case when owner doesn't match the logged in user is
when a master user logs in as someone else.
How do you define mailbox's owner anyway in cases like this? If the
mailbox exists in a public namespace, is anyone its owner? Well I guess
I'll try to figure out this when I'm really implementing the proper
shared mailbox support for Dovecot..
Anyway, this would work for you:
owner
user=real-owner-user lrwstiekxa
user=user1 at domain.com lrwstiek
Although after I tried it now, I found a bug which causes it to crash
with the empty owner list. Or actually that same bug could cause it to
break in other ways too, fix here:
http://dovecot.org/list/dovecot-cvs/2006-May/005609.html
> 2) Is it possible to create dovecot-acl files with virtual usernames,
> i.e. user1 at domain.com or does it have to be actual users, i.e. vmail?
They must be virtual usernames.
> 3) Is it possible to restrict access within the namespace definition,
> i.e. set up another public namespace restricted to manager at domain.com?
This sounds more like user-specific configuration, which is possible
with a kludgy imap-wrapper script which sets up proper namespace
environment variables before calling imap binary itself.
> 4) Is ACL accepts & denies logged somewhere other than /var/log/maillog
> (my default)?
They're not logged anywhere currently. Is it really useful? Seems like
it'd only fill up the logs. Optionally perhaps..
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL:
<http://dovecot.org/pipermail/dovecot/attachments/20060530/0315470d/attachment.bin>