Hi,

On my mail server I want to implement shared folders for each workgroup where there are many workgroups.

One way would be to create a separate namespace for each workgroup. However, this does not scale well so I decided to use a single Shared mailbox and use ACLs:

namespace public {
  separator = .
  prefix = Shared.
  location = maildir:/var/mail/shared:CONTROL=~/Maildir/shared
}

Each workgroup should get a subfolder in "Shared". Until now, this works, I create .Group1, .Group2 and assign correct group permissions and ACL files.

However, now a user from group1 wants to create a subfolder in his IMAP folder. Since the permissions for /var/mail/shared/.Group1 are correct (writeable to group1 and the user is member of group1 and 'k' ACL permissions are active) I would expect it to work.

However, for obvious reasons, the *sub*folder is created as

/var/mail/shared/.Group1.Subfolder

so it is actually not a subfolder in sense of the filesystem but rather a folder inside /var/mail/shared

However, the user does (and should) not have write permissions to /var/mail/shared (only to /var/mail/shared/.Group1).

Is there a way to overcome this problem? Why can't dovecot just use /var/mail/shared/.Group1/.Subfolder? Is there an option to do so? It would make everything a lot easier.

The one option is to make /var/mail/shared world-writeable - which is not really a good option.

A second option might be to use ACLs and give each group write permissions to /var/mail/shared. However, not even this seems very "clean" to me.

What is the best way to handle this?

Best regards,
Luke
Lukas Haase
2011-Feb-08 15:54 UTC
[Dovecot] Effect of separators (was: Re: Permissions in shared folders)
Dear list,

A dumb question: What exactly is the effect of the separator? Is it also used to separate in the underlying file system?

I.e. when I have the separator '/', the IMAP folder Sent/Jan is physically stored as /home/lukas/Maildir/.Send/Jan/cur ?

If this is true this would greatly solve my problem described at the bottom.

I have tried it myself, however, dovecot 1.2 does not allow to create a namespace with a separator different than my default namespace...

If this works, is there a convenient migration procedure possible to migrate from . to /? The Wiki just mentions the other way (/ --> .).

Best regards,
Luke

On 08.02.2011 11:33, Lukas Haase wrote:
> Hi,
>
> On my mail server I want to implement shared folders for each workgroup
> where there are many workgroups.
>
> One way would be to create a separate namespace for each workgroup.
> However, this does not scale well so I decided to use a single Shared
> mailbox and use ACLs:
>
> namespace public {
> separator = .
> prefix = Shared.
> location = maildir:/var/mail/shared:CONTROL=~/Maildir/shared
> }
>
> Each workgroup should get a subfolder in "Shared". Until now, this
> works, I create .Group1, .Group2 and assign correct group permissions
> and ACL files.
>
> However, now a user from group1 wants to create a subfolder in his IMAP
> folder. Since the permissions for /var/mail/shared/.Group1 are correct
> (writeable to group1 and the user is member of group1 and 'k' ACL
> permissions are active) I would expect it to work.
>
> However, for obvious reasons, the *sub*folder is created as
>
> /var/mail/shared/.Group1.Subfolder
>
> so it is actually not a subfolder in sense of the filesystem but rather
> a folder inside /var/mail/shared
>
> However, the user does (and should) not have write permissions to
> /var/mail/shared (only to /var/mail/shared/.Group1).
>
> Is there a way to overcome this problem? Why can't dovecot just use
> /var/mail/shared/.Group1/.Subfolder? Is there an option to do so? It
> would make everything a lot easier.
>
> The one option is to make /var/mail/shared world-writeable - which is
> not really a good option.
>
> A second option might be to use ACLs and give each group write
> permissions to /var/mail/shared. However, not even this seems very
> "clean" to me.
>
> What is the best way to handle this?
>
> Best regards,
> Luke
On 02/08/2011 03:33 AM, Lukas Haase wrote:
> Hi,
>
> On my mail server I want to implement shared folders for each workgroup
> where there are many workgroups.

I did something similar with my small set up. A shared location for each work group. I set things up a little differently though. Instead of a public namespace, I made a shared namespace. However, this entailed making a "user" for each work group which would share its folders with the appropriate group. Then I could set the ACLs to allow them to create folders, etc. and on the file system, they are stored in separate places.
On 8.2.2011, at 12.33, Lukas Haase wrote:
> namespace public {
> separator = .
> prefix = Shared.
> location = maildir:/var/mail/shared:CONTROL=~/Maildir/shared

location = maildir:/var/mail/shared:INDEX=~/Maildir/shared

> }
>
> Each workgroup should get a subfolder in "Shared". Until now, this works, I create .Group1, .Group2 and assign correct group permissions and ACL files.
>
> However, now a user from group1 wants to create a subfolder in his IMAP folder. Since the permissions for /var/mail/shared/.Group1 are correct (writeable to group1 and the user is member of group1 and 'k' ACL permissions are active) I would expect it to work.
>
> However, for obvious reasons, the *sub*folder is created as
>
> /var/mail/shared/.Group1.Subfolder
>
> so it is actually not a subfolder in sense of the filesystem but rather a folder inside /var/mail/shared

Yep.

> However, the user does (and should) not have write permissions to /var/mail/shared (only to /var/mail/shared/.Group1).
>
> Is there a way to overcome this problem? Why can't dovecot just use /var/mail/shared/.Group1/.Subfolder? Is there an option to do so? It would make everything a lot easier.

location = maildir:/var/mail/shared:INDEX=~/Maildir/shared:LAYOUT=fs
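
Added example, not part of the thread and not Dovecot's own code: a simplified model of how the default Maildir++ layout and LAYOUT=fs map a mailbox hierarchy to a directory, and which directory a user must be able to write to in order to create it. The group names and folder requests are constructed, and Dovecot's name escaping and ACL checks are not modelled.

```python
import posixpath

ROOT = "/var/mail/shared"  # mail root from the namespace location in the thread


def mailbox_dir(root, parts, layout):
    """Directory that holds cur/new/tmp for a mailbox given as hierarchy parts."""
    if layout == "maildir++":
        # Maildir++: all hierarchy levels are flattened into one dot-joined
        # directory name that sits directly under the mail root.
        return posixpath.join(root, "." + ".".join(parts))
    if layout == "fs":
        # LAYOUT=fs: every hierarchy level is a real directory.
        return posixpath.join(root, *parts)
    raise ValueError("unknown layout: %r" % layout)


def dir_needing_write(root, parts, layout):
    """Directory in which the new entry is created (write permission needed)."""
    return posixpath.dirname(mailbox_dir(root, parts, layout))


def write_exposure(root, requests, layout):
    """Map each directory to the set of groups that must be able to write to it."""
    exposure = {}
    for group, parts in requests:
        target = dir_needing_write(root, parts, layout)
        exposure.setdefault(target, set()).add(group)
    return exposure


# Constructed sample: two workgroups each creating one subfolder.
REQUESTS = [
    ("group1", ["Group1", "Subfolder"]),
    ("group2", ["Group2", "Reports"]),
]

if __name__ == "__main__":
    for layout in ("maildir++", "fs"):
        print(layout)
        for group, parts in REQUESTS:
            print("  %s creates %s" % (group, mailbox_dir(ROOT, parts, layout)))
        for directory, groups in sorted(write_exposure(ROOT, REQUESTS, layout).items()):
            print("  writable by %s: %s" % (sorted(groups), directory))
```

With Maildir++ every group ends up needing write access to the shared root, where it could also rename or remove the other groups' folders; with LAYOUT=fs the write permission stays confined to each group's own directory.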