Hello! I just joined the list and will be happy to help where I can in my limited experience, but also come to the table with a question. I think there's something I'm missing regarding shared mailboxes and ACLs, so I will describe my situation and see if I am understanding correctly (running Dovecot 1.1.10). I have read over the Dovecot Wiki many times and have scoured many forums but still can't seem to find a solution.

I have an IMAP mailbox that is working fine (user imapuser), so the maildir and related structure is in: /home/imapuser/Maildir

I have another IMAP mailbox for another imap user, newuser1, also working fine, with maildir and related structure in: /home/newuser1/Maildir

I have created a symlink under newuser1's Maildir to imapuser's Maildir so as to give newuser1 access to the things in imapuser's inbox. I have also symlinked inside the newuser1 Maildir to a folder under imapuser's inbox, let's call it "MailingList", basically setting up something like:

/home/newuser1/Maildir:
  cur/
  .imapuserinbox -> /home/imapuser/Maildir
  .imapusermailinglist -> /home/imapuser/Maildir/MailingList
  new/
  tmp/
  (... and various other Dovecot-related files, nothing ACL related.)

Now, I have gotten the shared boxes to work IF I changed the permissions to be rwx for user and group on /home/imapuser/Maildir/*, but this makes procmail (and .procmailrc) unhappy and it starts sending things to mbox files (old system) instead of sending them on to the Maildir. So that doesn't seem to work. Which led me to ACLs.

Now, I've tried (after enabling the two appropriate lines in dovecot.conf and restarting dovecot, etc) both per-directory ACL files and global ACLs, and while I can get some things to *change* as viewed by my mail client, I can't seem to create consistent behavior. I know that's fairly vague, but it's like I'll change something in the global ACL and folders are affected that I wouldn't anticipate, based on what I'm understanding of ACLs.

So, in the example above, if I enable global ACLs, what names do I use to refer to those shared boxes I'm trying to access? Do I use the link name I made, .imapuserinbox or .imapusermailinglist (without leading periods), like /etc/dovecot/acls/imapuserinbox, or is it based off of the original dir name? Like do I need something like /etc/dovecot/acls/MailingList ? What about the "inbox" I'm sharing in /home/imapuser/Maildir, how do I reference that? Is there a way to do it without affecting or changing permissions of other IMAP users and inboxes on the same system?

One thing I am receiving consistently in the error logs is:

mail dovecot: IMAP(newuser1): stat(/home/newuser1/Maildir/.imapuserinbox/tmp) failed: Permission denied (euid=152(newuser1) egid=100(usergroup) UNIX perms seem ok, ACL problem?)

So it seems if I get the ACL stuff right, I will be in business. Any ideas?? Thanks for any help anyone can give!!

Dave
proton-sss
2009-Oct-27 21:25 UTC
[Dovecot] Dovecot, Shared Mailboxes (via symlink), and ACLs
Hello! I think if you keep maildirs under different uids then you must change file permissions to permit access to the shared maildir. I don't know about procmail delivery options, but in Dovecot's "deliver", if you create a file called "dovecot-shared" in the shared maildir, then deliver will keep permissions like those of this file. After long experiments I chose Dovecot's v1.2 shared maildir scheme with IMAP ACLs.

Best Regards!
Michael
Timo Sirainen
2009-Oct-27 21:31 UTC
[Dovecot] Dovecot, Shared Mailboxes (via symlink), and ACLs
On Tue, 2009-10-27 at 14:51 -0500, Dave wrote:
> Now, I have gotten the shared boxes to work IF I changed the permissions
> to be rwx for user and group on /home/imapuser/Maildir/*, but this makes
> procmail (and .procmailrc) unhappy and it starts sending things to mbox
> files (old system) instead of sending them on to the Maildir. So that
> doesn't seem to work.

You'll need to set UNIX permissions in a way that it works.

> Which led me to ACLs.

Dovecot ACLs won't get you around UNIX permission problems.

> One thing I am receiving consistently in the error logs is:
> mail dovecot: IMAP(newuser1):
> stat(/home/newuser1/Maildir/.imapuserinbox/tmp) failed: Permission
> denied (euid=152(newuser1) egid=100(usergroup) UNIX perms seem ok, ACL
> problem?)
>
> So it seems if I get the ACL stuff right, I will be in business.

No. What that means is that there's probably a bug in the code that tries to check what permission problem you have (hopefully fixed in later version, v1.1.10 is getting a bit old). The ACL it mentions isn't Dovecot ACLs, but filesystem ACLs or perhaps SELinux or something else. I guess I should change the error message.
>> Now, I have gotten the shared boxes to work IF I changed the permissions
>> to be rwx for user and group on /home/imapuser/Maildir/*, but this makes
>> procmail (and .procmailrc) unhappy
>
> You'll need to set UNIX permissions in a way that it works.

Thank you for the responses! OK, it seems from some reading and experimentation that procmail will bail very quickly if it doesn't like permissions on its user directories and procmailrc files, so what I discovered was that I can give EVERYTHING user and group permissions under imapuser's Maildir (either rwx or rw depending on context) but that still won't let the shared folders work... although that's part of it. Only when I change the permissions of the main imapuser folder (/home/imapuser in this example) to 770 will it work. But, that breaks procmail. As does 760 or apparently giving any write permissions to anyone besides the owner. If I change the permissions to 750, everything automagically works. I can move messages, delete, view, etc. So, I guess that is that!

> later version, v1.1.10 is getting a bit old). The ACL it mentions isn't
> Dovecot ACLs, but filesystem ACLs or perhaps SELinux or something else.
> I guess I should change the error message.

Thanks for letting me know the difference in the ACLs mentioned in the error message, that was definitely part of my confusion!! That put me on the path to figuring it out. :)

Dave
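The permission scheme Dave ends up with (home directory 750, everything under the shared Maildir group rwx/rw) as an added audit script; this is not code from the thread's participants or from Dovecot, and it assumes the subscribing user is in the sharing user's group. It builds a constructed imapuser-style layout in a temporary directory and reports which mode bits would break procmail or the symlinked share.

```python
import os
import stat
import tempfile

# Constructed illustration of the modes this thread converged on, assuming the
# subscribing user (newuser1) is in the sharing user's group:
#   home dir       0750  group may traverse, only the owner may write
#                        (a group-writable home makes procmail fall back to mbox)
#   Maildir dirs   0770  group needs rwx to add, rename and unlink messages
#   message files  0660  group needs rw to read and flag messages

def audit_shared_maildir(home, maildir="Maildir"):
    """Return a list of problems for a Maildir shared with a group via symlink."""
    problems = []
    hm = os.stat(home).st_mode
    if hm & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"{home}: writable by group/other, procmail will refuse it")
    if not hm & stat.S_IXGRP:
        problems.append(f"{home}: group cannot traverse, symlinked share unreachable")
    for root, _dirs, files in os.walk(os.path.join(home, maildir)):
        if os.stat(root).st_mode & 0o070 != 0o070:
            problems.append(f"{root}: group needs rwx")
        for name in files:
            path = os.path.join(root, name)
            if os.stat(path).st_mode & 0o060 != 0o060:
                problems.append(f"{path}: group needs rw")
    return problems

def build_layout(base, home_mode):
    """Create a constructed imapuser home with an INBOX and a MailingList folder."""
    home = os.path.join(base, "imapuser")
    for folder in ("", ".MailingList"):
        for sub in ("cur", "new", "tmp"):
            os.makedirs(os.path.join(home, "Maildir", folder, sub))
    msg = os.path.join(home, "Maildir", "cur", "1256678901.M1P2.mail:2,S")
    with open(msg, "w") as fh:
        fh.write("Subject: constructed sample\n\n")
    for root, _dirs, files in os.walk(os.path.join(home, "Maildir")):
        os.chmod(root, 0o770)  # explicit chmod: makedirs() is subject to umask
        for name in files:
            os.chmod(os.path.join(root, name), 0o660)
    os.chmod(home, home_mode)
    return home

def demo():
    """Audit the 0770 home that broke procmail and the 0750 one that worked."""
    with tempfile.TemporaryDirectory() as base:
        broken = audit_shared_maildir(build_layout(os.path.join(base, "a"), 0o770))
        fixed = audit_shared_maildir(build_layout(os.path.join(base, "b"), 0o750))
    return broken, fixed
```

Point audit_shared_maildir() at the realpath of a symlink such as .imapuserinbox to check a live share; a non-empty result is the UNIX-level cause the Dovecot error message mislabels as an ACL problem.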