Steffen Kaiser
2009-Jun-17 14:38 UTC
[Dovecot] Dovecot v1.2 share user Maildir problems with %%h
Hello,

I'm using Dovecot v1.2 9133:f65112bd90b3 with attached config and try to share user Maildirs. The ACLs are working. However, the %%h gives me headaches, well, the location in general:

I've copied the default mail_location and changed its CONTROL and INDEX settings:

namespace shared {
  ...
  location = maildir:%%h/Maildir:CONTROL=/var/cache/dovecot/%i/control/shared/%%u:INDEX=/var/cache/dovecot/%i/index/shared/%%u
}

Now the first woes are that:

a) IMAP insists on connecting to $install_prefix/var/run/dovecot/auth-master instead of /var/run/dovecot/auth-master used by deliver. My workaround was to symlink /var/run/dovecot/ to $install_prefix/var/run/dovecot/

b) This socket needs to be r/w for every user, which is a security risk as mentioned in the conf, and the default permission is 0600. For deliver I changed the socket attr to permission 0660 and group=mail; for making %%h work I added mail_access_groups=mail

c) The user's mailbox is still not found, because:

2009-06-17 15:04:57 auth(default): Info: master in: USER 1 testusr/INBOX service=internal
2009-06-17 15:04:57 auth(default): Info: auth(?): Invalid username: testusr/INBOX
2009-06-17 15:04:57 auth(default): Info: userdb(?): Username contains disallowed character: 0x2f
2009-06-17 15:04:57 auth(default): Info: master out: NOTFOUND 1

The imap process passes the mailbox to the authenticator, too. Also, it changes the '.' to '/', although rawlog has:

select "shared.testusr.INBOX"

If I allow "/" as userchar, I get:

2009-06-17 15:43:00 auth(default): Info: ldap(testusr/INBOX): Unknown user
2009-06-17 15:43:00 auth(default): Info: master out: NOTFOUND 1

It really requests the data of user "testusr/INBOX".

d) If I use location = maildir:/home/%%u/Maildir: instead of %%h/Maildir, things work _except_ that some users' %%h != /home/%%u .
=============

Basically I have yet another problem with location in the user-share namespace: Because one can override the default mail_location for each user, I did so for some users. Some of them even do not have the Maildir. That leads to the problem that I need one shared namespace for each location template.

There had been a suggestion of a special user-shared namespace a while back. How about adding the base location in the shared-mailboxes.db? So instead of "1" the value is the base of the shared location, e.g. maildir:/local/testuser or maildir:/home/user/Maildir..., and some %%? token takes the string from there. Because the path is known from the db now, the other problems mentioned above no longer apply.

Bye,
-- Steffen Kaiser

Attachment: dv.conf.gz (dv v1.2 conf), <http://dovecot.org/pipermail/dovecot/attachments/20090617/fee6e5d7/attachment-0002.obj>
Steffen Kaiser
2009-Jun-17 14:45 UTC
[Dovecot] Dovecot v1.2 share user Maildir problems with %%h
On Wed, 17 Jun 2009, Steffen Kaiser wrote:

> I'm using Dovecot v1.2 9133:f65112bd90b3 with attached config and try to

The correct changeset is:

changeset:   9127:01fae3737994
branch:      HEAD
tag:         tip
user:        Timo Sirainen <tss at iki.fi>
date:        Mon Jun 15 19:38:30 2009 -0400
summary:     acl: Don't assert-crash if removing all rights.

-- Steffen Kaiser
Timo Sirainen
2009-Jun-17 16:32 UTC
[Dovecot] Dovecot v1.2 share user Maildir problems with %%h
On Wed, 2009-06-17 at 16:38 +0200, Steffen Kaiser wrote:

> I've copied the default mail_location and changed its CONTROL and INDEX
> settings:
>
> namespace shared {
> ...

What does this "..." contain? :) Like prefix, separator?

> a) IMAP insists on connecting to $install_prefix/var/run/dovecot/auth-master
> instead of /var/run/dovecot/auth-master used by deliver.

It connects to base_dir/var/run/dovecot/ where base_dir is the setting in dovecot.conf.

> b) This socket needs to be r/w for every user, which is a security risk as
> mentioned in the conf and the default permission is 0600.

It allows looking up userdb data, which is pretty similar to being able to do cat /etc/passwd. So not a huge security risk, but..

> For deliver I changed the socket attr to permission 0660 and group=mail;
> for making %%h work I added mail_access_groups=mail

I would have used a different group than "mail", since it's often used by the system for other things too.

> There had been a suggestion of a special user-shared namespace a while
> back. How about to add the base location in the shared-mailboxes.db? So
> instead of "1" the value is the base of the shared location, e.g.
> maildir:/local/testuser or maildir:/home/user/Maildir..., and some %%?
> token takes the string from there. Because the path is known from the db
> now, the other problems mentioned above do no longer apply.

And when the path is changed in userdb, it points to a wrong location.
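Timo's two points above (whoever can connect to auth-master can look up userdb data, so the socket defaults to 0600; and a shared system group like "mail" should not be the one opened up) as a small permission check. This is an added example, not code from the thread or from Dovecot. On Linux, connecting to an AF_UNIX socket needs write permission on the socket file, so the write bits are what the check looks at. The path /var/run/dovecot/auth-master is the one used in the thread; the dedicated group name "dovecot-auth" is an assumption.

```python
"""Audit the permissions of Dovecot's auth-master socket.

Added example for this thread, not Dovecot's own code.  Rule encoded here:
the socket should be mode 0600, or at most 0660 owned by a dedicated group,
never writable by "other" and not group-writable by a group other daemons
already use (Timo's objection to "mail").  The group name "dovecot-auth" and
the default path are assumptions.
"""
import grp
import os
import stat

DEFAULT_SOCKET = "/var/run/dovecot/auth-master"   # path from the thread
SHARED_SYSTEM_GROUPS = {"mail"}                   # extend with other shared groups


def audit_auth_socket(path, expected_group=None):
    """Return a list of (code, detail) findings; an empty list is acceptable.

    expected_group: name of the dedicated group that may connect, if any.
    """
    findings = []
    try:
        st = os.stat(path)   # follows symlinks, as in the poster's workaround
    except FileNotFoundError:
        return [("missing", f"{path} does not exist; compare base_dir and the socket path")]

    if not stat.S_ISSOCK(st.st_mode):
        findings.append(("not-socket", f"{path} is not a socket"))

    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IWOTH:
        findings.append(("world-writable",
                         f"mode {mode:04o}: every local user can query userdb"))

    if mode & stat.S_IWGRP:
        try:
            gname = grp.getgrgid(st.st_gid).gr_name
        except KeyError:
            gname = str(st.st_gid)
        if gname in SHARED_SYSTEM_GROUPS:
            findings.append(("shared-group",
                             f"group-writable by '{gname}', which other services use too"))
        if expected_group is not None and gname != expected_group:
            findings.append(("wrong-group",
                             f"group is '{gname}', expected '{expected_group}'"))
    return findings


def demo():
    """Constructed scenario (no Dovecot needed): bind a throwaway AF_UNIX socket
    in a temp dir, audit it at several modes, return {label: [finding codes]}."""
    import socket
    import tempfile

    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "auth-master")
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        sock.bind(path)
        try:
            gid = os.stat(path).st_gid
            try:
                own_group = grp.getgrgid(gid).gr_name
            except KeyError:
                own_group = str(gid)
            for mode in (0o666, 0o660, 0o600):
                os.chmod(path, mode)
                results[f"{mode:04o}-dovecot-auth"] = [
                    c for c, _ in audit_auth_socket(path, "dovecot-auth")]
            # 0660 owned by the group that may connect: the intended layout
            os.chmod(path, 0o660)
            results["0660-own-group"] = [
                c for c, _ in audit_auth_socket(path, own_group)]
        finally:
            sock.close()
    return results


if __name__ == "__main__":
    for label, codes in demo().items():
        print(label, codes or "ok")
    for code, detail in audit_auth_socket(DEFAULT_SOCKET, "dovecot-auth"):
        print(f"{code}: {detail}")
```

Run it on a live server and an empty result means the socket is 0600 or 0660 with the expected group; a "missing" finding points at the base_dir versus socket-path mismatch from point a) of the original mail.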
Steffen Kaiser
2009-Jun-18 07:44 UTC
[Dovecot] Dovecot v1.2 share user Maildir problems with %%h
On Wed, 17 Jun 2009, Timo Sirainen wrote:

>> I've copied the default mail_location and changed its CONTROL and INDEX
>> settings:
>>
>> namespace shared {
>> ...
>
> What does this "..." contain? :) Like prefix, separator?

My complete conf is attached to the original mail.

>> a) IMAP insists on connecting to $install_prefix/var/run/dovecot/auth-master
>> instead of /var/run/dovecot/auth-master used by deliver.
>
> It connects to base_dir/var/run/dovecot/ where base_dir is the setting
> in dovecot.conf.

It's install_prefix. The log says:

IMAP(user) [10363]: Error: userdb lookup: connect(/usr/local/dovecot-1.2.rc5unpatched/var/run/dovecot/auth-master) failed: Permission denied

But the conf has:

base_dir: /var/run/dovecot/

Also, auth default | socket | master contains the setting:

path: /var/run/dovecot/auth-master

Deliver works with this conf without the symlink.

> I would have used a different group than "mail", since it's often used
> by the system for other things too.

Hmm, I'll investigate where the group "mail" comes from.

>> There had been a suggestion of a special user-shared namespace a while
>> back. How about to add the base location in the shared-mailboxes.db? So
>> instead of "1" the value is the base of the shared location, e.g.
>> maildir:/local/testuser or maildir:/home/user/Maildir..., and some %%?
>> token takes the string from there. Because the path is known from the db
>> now, the other problems mentioned above do no longer apply.
>
> And when the path is changed in userdb, it points to a wrong location.

Well, a) as there is no way to return/use the mail_location of the sharing user, the location is possibly wrong anyway, because mail_location is not necessarily derived from the user's home in the same way always. b) I considered mail_location stable after setup. But you are right that this is not necessarily so. One would need some sort of bookkeeping to keep the redundant data in shared-mailboxes.db in sync.

Bye,
-- Steffen Kaiser