Benjamin R. Haskell
2007-Aug-02 14:12 UTC
[Dovecot] Shared folder hierarchies, multiple groups
Hi,

I'm trying to set up two shared folder hierarchies on my Dovecot installation for two groups of employees, all of whom should only have access to their own hierarchy. Any employee should be able to create sub-folders and generally have full access to the hierarchy.

My initial setup was to create two public namespaces, Shared-One and Shared-Two. Each is a Maildir under /var/mail.

The actual shared folders seem to be working fine in terms of adding and accessing folders and messages, and there are no problems at all for the 'admin' user, who belongs to both the shared1 and shared2 Unix groups.

The problem is for other users, where trying to (IMAP-) LIST folders fails.

(sanitized) IMAP session log: ('user2' is in group shared2)

    * OK Dovecot ready.
    A LOGIN user2 pass
    A OK Logged in.
    B LIST "" "%"
    * LIST (\Noselect \HasChildren) "/" "Shared-One"
    B NO Internal error occurred. Refer to server log for more information. [2007-08-02 09:01:23]

In the mail logs I find:

    dovecot: IMAP(user2): stat(/var/mail/Shared-One/cur) failed: Permission denied

Relevant permissions:

    2770/drwxrws--- shared1 shared1 /var/mail/Shared-One
    2770/drwxrws--- shared1 shared1 /var/mail/Shared-One/cur
    0660/-rw-rw---- shared1 shared1 /var/mail/Shared-One/dovecot-shared

And similarly for Shared-Two. (replace shared1 with shared2 everywhere)

Among other things, I've read:

    http://wiki.dovecot.org/SharedMailboxes
    http://wiki.dovecot.org/ACL
    http://wiki.dovecot.org/MainConfig
    http://wiki.dovecot.org/Namespaces

I don't want to use vfile ACLs (I think) because I want users to be able to create subfolders at will, and I don't want to have to add a dovecot-acl file per-folder. (Is there a way to set global defaults on a global basis? [not per-folder]) I also think there would be a problem with the hierarchies being similar. (e.g. both have a 'Projects' sub-folder, but there's a pretty clear WARNING on the wiki about mailbox name conflicts.)

I can't use symlinked Maildirs, because new subfolders get created under ~user/Maildir/. (Want them under /var/mail/Shared-X/)

I can't use hidden namespaces, because employees use Outlook (uggh), and I couldn't figure out how to "find" the namespace when it was hidden. (That seemed like the closest thing to a solution - it solved the LIST problem.)

Ideally, Shared-Two wouldn't even be visible to members of Shared-One, and vice versa. But, that's at least an acceptable "problem" I could live with.

Any suggestions?

Thanks,
Ben

On Thu, 2007-08-02 at 10:12 -0400, Benjamin R. Haskell wrote:
> I'm trying to set up two shared folder hierarchies on my Dovecot
> installation for two groups of employees, all of whom should only have
> access to their own hierarchy. Any employee should be able to create
> sub-folders and generally have full access to the hierarchy.
>
> My initial setup was to create two public namespaces, Shared-One and
> Shared-Two. Each is a Maildir under /var/mail.

One possibility would be to have the namespaces set up separately for your user groups. If you use a flexible enough userdb (or you can play with post-login scripts), you could return the namespace settings from there:

    namespace_2=maildir:/var/mail/shared1
    namespace_2_prefix=shared1/
    namespace_2_type=public

http://wiki.dovecot.org/UserDatabase/ExtraFields
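
Added example, not written by either poster and not Dovecot code: it models the Unix permission check behind the stat() failure in the first message and builds per-user namespace extra fields in the style of the reply, so a user is only handed namespaces whose Maildir they can enter. The function names, the sample user/group data, and the numbering of a second public namespace as namespace_3 are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SharedDir:
    path: str
    owner: str
    group: str
    mode: int

# Constructed sample data mirroring the thread's permissions and group memberships.
HIERARCHIES = {
    "Shared-One": SharedDir("/var/mail/Shared-One", "shared1", "shared1", 0o2770),
    "Shared-Two": SharedDir("/var/mail/Shared-Two", "shared2", "shared2", 0o2770),
}
USERS = {"admin": {"shared1", "shared2"}, "user2": {"shared2"}}

def can_stat_child(user, groups, d):
    """True if stat(d.path + '/cur') would pass the search (x) check on d.

    POSIX picks exactly one permission class: owner, else group, else other.
    """
    if user == d.owner:
        bits = (d.mode >> 6) & 0o7
    elif d.group in groups:
        bits = (d.mode >> 3) & 0o7
    else:
        bits = d.mode & 0o7
    return bool(bits & 0o1)

def userdb_fields(user, first_index=2):
    """Namespace extra fields for the hierarchies this user can actually enter.

    Assumption: slot 1 is the user's private namespace, and further public
    namespaces continue the numbering (namespace_3, ...).
    """
    fields = {}
    index = first_index
    for name in sorted(HIERARCHIES):
        d = HIERARCHIES[name]
        if not can_stat_child(user, USERS[user], d):
            continue  # never advertise a namespace the process cannot stat
        fields[f"namespace_{index}"] = f"maildir:{d.path}"
        fields[f"namespace_{index}_prefix"] = f"{name}/"
        fields[f"namespace_{index}_type"] = "public"
        index += 1
    return fields

if __name__ == "__main__":
    for user in sorted(USERS):
        print(user, userdb_fields(user))
```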