I'm using dovecot RC6. I have a group named "cmpymail" with 2 users "jdoe at arinbe.com" and "jsmith at arinbe.com". I set up mail folders like:

    drwxrwx--- 4 cmpymail cmpymail 4096 2006-08-13 02:21 cmpymail
    drwxrwx--- 3 jdoe     users    4096 2005-11-21 13:34 jdoe
    drwxrwx--- 3 jsmith   users    4096 2006-08-13 02:27 jsmith
    drwxrwx--- 3 fred     users    4096 2006-08-13 02:27 fred
    drwxrwx--- 3 wilma    users    4096 2006-08-13 02:27 wilma

In dovecot.conf:

    namespace public {
      separator = .
      prefix = COMPANY.
      location = maildir:/home/services/mail/arinbe.com/company/Maildir:CONTROL=%h/shared-settings/company/control:INDEX=%h/shared-settings/rootmail/index
      hidden = no
    }

I have a dovecot-shared file:

    -rw-rw---- 1 cmpymail cmpymail 0 2006-08-13 13:24 dovecot-shared

What I cannot do is restrict access to cmpymail to -just- jdoe and jsmith. I've looked at http://www.dovecot.org/list/dovecot/2006-June/013683.html

I've tried adding

    mail_plugin_dir = /usr/local/lib/dovecot/imap
    mail_plugins = acl

and a dovecot-acl file

    owner
    user=jdoe at arinbe.com lrwstiekxa
    user=jsmith at arinbe.com lrwstiekxa
    user=jdoe rwstiekxa
    user=jsmith lrwstiekxa

I am not exactly sure what username to use. All users are in LDAP. The "cmpymail" group shows

    # getent group
    cmpymail:*:5555:jdoe,jsmith

Nothing I do seems to work. I either get errors that wilma and fred can't access cmpymail, for instance when wilma/fred try to subscribe to folders, or wilma and fred have complete access to cmpymail (if I change cmpymail's group to users instead of cmpymail).

Is there a way to restrict access like I want?

Thanks,
Jim
On Tue, 2006-08-15 at 00:12 -0400, Jim Horner wrote:
> and a dovecot-acl file
>
> owner
> user=jdoe at arinbe.com lrwstiekxa
> user=jsmith at arinbe.com lrwstiekxa
> user=jdoe rwstiekxa
> user=jsmith lrwstiekxa
>
> I am not exactly sure what username to use. All users are in LDAP.

Most likely jdoe at arinbe.com, assuming the username doesn't get changed somewhere.

> The "cmpymail" group shows
>
> # getent group
> cmpymail:*:5555:jdoe,jsmith

This is the problem. Since your users come from LDAP, Dovecot never even reads the /etc/group. There are a couple of ways to handle this:

1) Make LDAP return jdoe's and jsmith's default GID as cmpymail instead of whatever they now return (users?).

2) Make LDAP return system_user. That makes Dovecot get the groups for that user. So something like:

    pass_attrs = uid=user,uid=system_user,userPassword=password

Although if your uid is in user at domain format, then you'll need to use the user at domain format in /etc/group also. Or alternatively use some other field from LDAP which has only the user.

Some day in future I might get rid of the system_user though and instead make it possible to return multiple GIDs from LDAP (and SQL and others).
Thanks for the reply.

> 2) Make LDAP return system_user. That makes Dovecot get the groups for
> that user. So something like:
>
> pass_attrs = uid=user,uid=system_user,userPassword=password

Sorry I didn't mention this. I am doing exactly as you state (I think).

    user_attrs = mail=user,mailbox=home,uid=system_user,uidNumber=uid,gidNumber=gid
    pass_attrs = mail=user,userPassword=password,uid=userdb_user,uid=userdb_system_user,mailbox=userdb_home,uidNumber=userdb_uid,gidNumber=userdb_gid

The problem is not so much that jdoe and jsmith cannot see the company mail folder as that so can everyone else. I would like it so only jdoe and jsmith see the "COMPANY" namespace. However, if I lock down the folder using unix permissions:

    drwxrwx--- 4 cmpymail cmpymail 4096 2006-08-13 02:21 cmpymail
    drwxrwx--- 3 jdoe     users    4096 2005-11-21 13:34 jdoe
    drwxrwx--- 3 jsmith   users    4096 2006-08-13 02:27 jsmith
    drwxrwx--- 3 fred     users    4096 2006-08-13 02:27 fred
    drwxrwx--- 3 wilma    users    4096 2006-08-13 02:27 wilma

then fred and wilma get error messages like:

    IMAP(wilma at arinbe.com): opendir(/home/services/mail/arinbe.com/cmpymail/Maildir) failed: Permission denied

I'm fine with the error. It makes sense. I just don't know how to configure dovecot so the users (fred, wilma) don't see the error.

As I understand it, the dovecot-shared file is for deliver (dovecot lda) so it knows what permissions to give mail files. What dovecot-acl provides, I am not sure. Can it override unix permissions? Doesn't appear so. If the logged-in user doesn't have unix permission to access the folder, then how can dovecot-acl be accessed? It also appears that if I set the unix permissions on the folder to cmpymail.users then dovecot-acl doesn't do anything to stop fred and wilma from accessing the folder, since they have unix permission access to that folder (they (everyone) are in the users group).

Should I make everyone a static uid like

    userdb static {
      args = uid=1500 gid=1500 home=/home/services/mail/%d/%n
    }

remove unix permissions, chown vuser.vuser for all mail folders and put a dovecot-acl in the folders/namespace I want to protect? Does it have to be that way? I kind of like seeing the login process and who it belongs to... though this is a "black" box and no one can log into it.

I guess my example is pretty lame compared to what ACLs are supposed to be able to do in IMAP, but I imagine something similar to what samba does for shares, like a "users" parameter:

    namespace public {
      separator = .
      prefix = COMPANY.
      users = someuser @somegroup
      location = maildir:/home/services/mail/arinbe.com/company/Maildir:CONTROL=%h/shared-settings/company/control:INDEX=%h/shared-settings/rootmail/index
      hidden = no
    }

Thanks,
Jim
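As an added illustration (not code from the thread or from Dovecot itself), a small Python model of the two gates discussed above: Dovecot only knows the gid the LDAP userdb returned, plus the /etc/group membership of system_user when that attribute is returned, and the dovecot-acl rights only matter once the UNIX permission check on the Maildir has passed. The ACL semantics are a simplified reading of the file format shown in the thread and assume the acl plugin is actually loaded; all users, gids and file modes are constructed sample data.

```python
"""Simplified model (constructed, not Dovecot's code) of the two gates a user
passes before seeing a shared Maildir: the UNIX check with the uid/gids Dovecot
actually knows, then the dovecot-acl rights. All data is constructed sample data."""
# Constructed /etc/group, matching the thread's getent output.
ETC_GROUP = "users:x:100:jdoe,jsmith,fred,wilma\ncmpymail:*:5555:jdoe,jsmith\n"
# Constructed LDAP userdb results: gid is what gidNumber returned; system_user
# is only set when the userdb actually returns that attribute.
LDAP_USERS = {
    "wilma@arinbe.com": {"uid": 1004, "gid": 100, "system_user": None},
    "jdoe@arinbe.com": {"uid": 1001, "gid": 100, "system_user": "jdoe"},
}
# Constructed dovecot-acl in the thread's format (the owner line carries no rights).
DOVECOT_ACL = "owner\nuser=jdoe@arinbe.com lrwstiekxa\nuser=jsmith@arinbe.com lrwstiekxa\n"

def parse_group(text):
    """Return {name: (gid, [members])} from /etc/group style text."""
    groups = {}
    for line in text.splitlines():
        name, _, gid, members = line.split(":")
        groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups

def effective_gids(rec, groups):
    """The gid LDAP returned, plus /etc/group membership of system_user when one
    was returned; without system_user, /etc/group is never consulted."""
    gids = {rec["gid"]}
    if rec["system_user"]:
        gids.update(g for g, members in groups.values() if rec["system_user"] in members)
    return gids

def unix_can_open(rec, groups, d_uid, d_gid, mode):
    """opendir() needs read+execute through the owner, group or other bits."""
    shift = 6 if rec["uid"] == d_uid else (3 if d_gid in effective_gids(rec, groups) else 0)
    return ((mode >> shift) & 0o5) == 0o5

def acl_rights(acl_text, user, owner=None):
    """Union of rights from dovecot-acl lines '<id> [rights]' matching the user
    (id = owner, user=<name> or anyone); no matching line means no rights."""
    rights = set()
    for line in acl_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        ident, letters = parts[0], (parts[1] if len(parts) > 1 else "")
        if ident == "anyone" or ident == f"user={user}" or (ident == "owner" and user == owner):
            rights.update(letters)
    return "".join(sorted(rights))

def can_list(user, d_uid, d_gid, mode, owner=None):
    """Both gates: UNIX access first, then the 'l' (lookup) right in the ACL."""
    rec, groups = LDAP_USERS[user], parse_group(ETC_GROUP)
    return unix_can_open(rec, groups, d_uid, d_gid, mode) and "l" in acl_rights(DOVECOT_ACL, user, owner)
```

With the Maildir owned by cmpymail:cmpymail and mode 0770, wilma fails at the UNIX gate (the opendir error in the thread) while jdoe passes via the system_user group lookup; relaxing the group to users lets wilma past the UNIX gate, and only then does the empty ACL entry for her decide.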