Marc Delling
2007-May-23 15:30 UTC
[Dovecot] Public Namespace and ACLs with pure virtual users
Hi! I would appreciate some comments on my scenario below:

    # from the config
    userdb static {
      args = uid=vmail gid=mail home=/vmail/%d/%n
    }

    namespace public {
      separator = /
      prefix = All/
      location = maildir:/vmail/%d/all/Maildir:CONTROL=~/Maildir/control/all:INDEX=~/Maildir/index/all
      inbox = no
      hidden = no
    }

    namespace private {
      separator = /
      prefix =
      location = maildir:~/Maildir
      inbox = yes
      hidden = no
    }
    # end config

The public namespace is also the maildir of the user "all at mydomain". A sieve script drops mail for all at mydomain into the appropriate maildir within this maildir/namespace (e.g. .Support/).

First of all: this works to some point, but is such a configuration valid? Can a public namespace be the maildir of a user?

If a new mail for all at mydomain comes in, all subscribed users (of this domain) can view it and it is marked as /Seen individually. The important feature to me: the /Seen flags are managed per user, as configured in the public namespace.

Now the problem: the whole mail system runs with one uid/gid and virtual users, which has the effect that some user can delete mails in the public namespace or drop mails into it, create folders etc. This is not wanted. I wanted a read-only public namespace, so I decided to use ACLs. As namespace prefixes are ignored, I needed to create them globally. My first try was:

    /etc/dovecot/acls/Support:

    owner lrwstiekxa
    authenticated lr

which led to the result that users other than all at mydomain cannot manipulate the public namespace at all, including setting their /Seen flag. That was the first surprise to me, as I thought this flag would be managed separately in the users' homes. After a (very short) thought I came to this (allow setting the /Seen flag for others):

    owner lrwstiekxa
    authenticated lrs

which led to another unexpected result: the /Seen flag is now set globally. If one user marks a mail /Seen, it is /Seen for all other users too. Where is the problem?
Except for the ISO/OSI layer 8 problem I am aware of... Marc
Timo Sirainen
2007-Jun-04 01:28 UTC
[Dovecot] Public Namespace and ACLs with pure virtual users
On Wed, 2007-05-23 at 17:30 +0200, Marc Delling wrote:
> first of all: this works to some point but is such a configuration
> valid? can a public namespace be the maildir of a user?

Yes.

> now the problem:
> the whole mail system runs with one uid/gid and virtual users, which
> has the effect that some user can delete mails in the public
> namespace or drop mails into it, create folders etc. this is not
> wanted. i wanted a read-only public namespace. so i decided to use
> acls. as namespace prefixes are ignored i needed to create them
> globally.

That's exactly the reason why I think you shouldn't use global ACLs. You could instead create a dovecot-acl file in the maildir itself.

> /etc/dovecot/acls/Support:
>
> owner lrwstiekxa
> authenticated lr
>
> which lead to the result that other users than all at mydomain cannot
> manipulate the public namespace at all, including setting their /Seen
> flag. that was the first surprise to me as i thought this flag would
> be managed seperately in the users homes.

Well, yes, but you're explicitly telling the ACL plugin to prevent even that.

> after a (very short) thought i came to this (allow setting the /Seen
> flag for others):
>
> owner lrwstiekxa
> authenticated lrs
>
> which lead to another unexpected result: the /Seen flag is now set
> globally. if one user marks a mail /Seen, it is /Seen for all other
> users too.

ACL plugin shouldn't have anything to do with that decision. The \Seen flag is stored privately if you have created a dovecot-shared file in the maildir. There isn't yet support for separate shared and private flags (and I'm not sure if there ever will be).
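The following is an added example, not code from this thread or from Dovecot. It puts together what Marc's config and ACL attempts describe and what Timo recommends: a per-folder dovecot-acl file in the public maildir instead of a global ACL under /etc/dovecot/acls, and a dovecot-shared marker so that \Seen is kept in each user's own index rather than in the shared filenames. The ACL content is Marc's second attempt (owner gets everything, authenticated users get lrs). Assumptions: Dovecot 1.x conventions, where dovecot-acl lines are "<identifier> <rights>" and each folder (the root maildir and .Support) is its own maildir needing its own files; the maildir path /vmail/example.com/all/Maildir follows the /vmail/%d/%n layout from Marc's userdb and is only a placeholder (the script defaults to a temporary directory); and that the mode of dovecot-shared is the one applied to mails written into that maildir.

```shell
#!/bin/sh
# Added example, not code from the thread or from Dovecot: lay out a public
# maildir with a per-folder dovecot-acl file (instead of a global ACL) and a
# dovecot-shared marker so \Seen is stored per user.
# Assumptions (Dovecot 1.x conventions): dovecot-acl lines are
# "<identifier> <rights>"; each folder is its own maildir and needs its own
# files; the mode of dovecot-shared is applied to mails written into it.
set -eu

# Assumed path, following the /vmail/%d/%n layout from Marc's config. Set
# PUBLIC_MAILDIR to the real location on an actual server; the default is a
# scratch directory so the script is safe to run anywhere.
PUBLIC_MAILDIR="${PUBLIC_MAILDIR:-$(mktemp -d)/example.com/all/Maildir}"

# Rights: the owner (the "all" user that sieve delivers as) keeps everything;
# everyone else may list, read and keep their own \Seen state ("s"), but not
# write flags, insert, delete, expunge or create folders.
write_acl() {
    printf 'owner lrwstiekxa\nauthenticated lrs\n' > "$1/dovecot-acl"
}

# Mark one maildir as shared. With this file present, flag changes go to the
# per-user index (the INDEX=~/Maildir/index/all part of Marc's namespace)
# instead of the shared maildir filenames. Its mode (0660 here) is assumed to
# be the mode new mails get, which is why it is set explicitly.
mark_shared() {
    touch "$1/dovecot-shared"
    chmod 0660 "$1/dovecot-shared"
}

# Create the root maildir plus the .Support folder the sieve script delivers
# to; each folder gets its own ACL and shared marker.
setup_public_maildir() {
    root="$1"
    for folder in "$root" "$root/.Support"; do
        mkdir -p "$folder/cur" "$folder/new" "$folder/tmp"
        write_acl "$folder"
        mark_shared "$folder"
    done
}

# Print the rights granted to an identifier in a folder's dovecot-acl.
acl_rights_for() {
    awk -v id="$1" '$1 == id { print $2 }' "$2/dovecot-acl"
}

# Check that a folder is read-only for authenticated users but still lets
# them keep \Seen privately; returns non-zero if anything is off.
verify_folder() {
    folder="$1"
    [ -f "$folder/dovecot-shared" ] || return 1
    rights=$(acl_rights_for authenticated "$folder")
    # Must not be able to modify the shared folder in any way.
    case "$rights" in *[wiekxa]*) return 1 ;; esac
    # Must be able to keep \Seen, otherwise clients cannot mark mail read.
    case "$rights" in *s*) ;; *) return 1 ;; esac
    return 0
}

setup_public_maildir "$PUBLIC_MAILDIR"
verify_folder "$PUBLIC_MAILDIR"
verify_folder "$PUBLIC_MAILDIR/.Support"
echo "public maildir prepared at $PUBLIC_MAILDIR"
```

Run it as the vmail user with PUBLIC_MAILDIR pointing at the real maildir so the files are created with the uid/gid Dovecot runs under. The script does not remove its scratch directory, so the result can be inspected afterwards. Note the trade-off Timo states and Adam asks about right below: the dovecot-shared marker that makes \Seen private is the same mechanism that controls the permissions of inserted mails, and the two cannot be chosen independently in this version.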
Adam McDougall
2007-Jun-04 02:26 UTC
[Dovecot] Public Namespace and ACLs with pure virtual users
On Mon, Jun 04, 2007 at 04:28:56AM +0300, Timo Sirainen wrote:
> ACL plugin shouldn't have anything to do with that decision. The \Seen
> flag is stored privately if you have created a dovecot-shared file in
> the maildir.

Is it possible to have Dovecot enforce the file mode and group owner of inserted mails without causing flags to be stored privately? It's looking like I will have to use a cron job to fix file permissions on mails added to shared mail folders by IMAP clients. I'd be willing to implement a local permanent patch, but I haven't looked into how easy it would be yet, because I did not (until now) realize that this behavior was intended.
Charles Marcus
2007-Jun-04 17:53 UTC
[Dovecot] Public Namespace and ACLs with pure virtual users
On 6/3/2007 Timo Sirainen (tss at iki.fi) wrote:
> ACL plugin shouldn't have anything to do with that decision. The
> \Seen flag is stored privately if you have created a dovecot-shared
> file in the maildir. There isn't yet support for separate shared and
> private flags (and I'm not sure if there ever will be).

Yikes! Or maybe I misunderstood... I have a real need to have (at least) one shared folder (inbound faxes) with shared \Seen flags, so the 5 people assigned to monitor it will know when someone else has seen/forwarded a new fax, and private \Seen flags on other shared maildirs (like distribution lists, etc.)... Are you saying this may never be possible?

-- 
Best regards,
Charles