Lukas Haase
2011-Feb-09 11:51 UTC
[Dovecot] Questions about dovecot-shared in 1.2 and inherit group membership from parent mailbox
Hi,

I read the Wiki about dovecot-shared a few times but it is not 100% clear to me (at least for 1.2).

First, if I want shared keywords I *must* have a dovecot-shared. In this case, the permissions are not taken any longer from the parent folder (what is exactly this parent folder?) but from the dovecot-shared file. So in some sense dovecot-shared is always required (since everyone would like to share keywords). True?

Second, is there only *one* dovecot-shared per namespace or per mailbox *under* a specific namespace? Or an arbitrary number (where the "last" is taken)? Where does dovecot-shared need to be placed?

For example, if the location of the namespace points to /var/mail/shared and I have two mailboxes "group1" and "group2" inside. Does the dovecot-shared need to reside in /var/mail/shared or /var/mail/shared/group1 and /var/mail/shared/group2 (with LAYOUT=fs)? Is it possible?

Third (and main) question: In /var/mail/shared I want to have a mailbox for each group. Each user is member of his respective groups (in terms of UNIX permissions *and* ACLs). The mailboxes are owned by their respective groups and if a user creates a subfolder inside it should surely have the same group assigned as the parent mailbox (not the namespace!).

namespace public {
  separator = .
  prefix = Shared.
  location = maildir:/var/mail/shared:INDEX=~/Maildir/shared:LAYOUT=fs
  subscriptions = no
}

mail:~# ls -l -R /var/mail/shared/
/var/mail/shared/:
total 12
drwxrwx--- 5 root group1 4096 Feb 9 11:53 Group1
drwxrwx--- 5 root group2 4096 Feb 9 12:27 Group2
-rw-r--r-- 1 root root 23 Feb 9 11:52 dovecot-acl
-rw-rw-r-- 1 root root 0 Dec 15 2009 dovecot-shared

/var/mail/shared/Group1:
total 16
drwxrwx--- 2 root group1 4096 Feb 8 10:35 cur
-rw-r--r-- 1 root group1 28 Feb 9 11:52 dovecot-acl
-rw-rw-r-- 1 root group1 0 Dec 15 2009 dovecot-shared
drwxrwx--- 2 root group1 4096 Dec 15 2009 new
drwxrwx--- 2 root group1 4096 Feb 8 10:34 tmp

/var/mail/shared/Group1/cur:
total 0

/var/mail/shared/Group1/new:
total 0

/var/mail/shared/Group1/tmp:
total 0

/var/mail/shared/Group2:
total 16
drwxrwx--- 2 root group2 4096 Feb 8 10:35 cur
-rw-r--r-- 1 root group2 27 Feb 9 11:52 dovecot-acl
-rw-rwS--- 1 root group2 0 Dec 15 2009 dovecot-shared
drwxrwx--- 2 root group2 4096 Dec 15 2009 new
drwxrwx--- 2 root group2 4096 Feb 8 10:34 tmp

/var/mail/shared/Group2/cur:
total 0

/var/mail/shared/Group2/new:
total 0

/var/mail/shared/Group2/tmp:
total 0

Again: *Inside* /var/mail/shared I want to create mailboxes for each group (Group1, Group2, ...). This is done only by the administrator. Therefore /var/mail/shared is owned by root. Each Group1, Group2, ... in turn is owned by group1, group2, ...

I tried all combinations using dovecot-shared which came into my mind such that a subfolder of Group1 is owned by group1. However, either

1.) the subfolder is owned by the primary group of the creating user (group "users") or
2.) the group of /var/mail/shared/dovecot-shared or
3.) creation of the subfolder fails with

dovecot: IMAP(user1): chown(/var/mail/shared/Group2/Test1, -1, 0(root)) failed: Operation not permitted (egid=100(users), group based on /var/mail/shared/dovecot-shared)
dovecot: IMAP(user1): mkdir(/var/mail/shared/Group2/Test1/cur) failed: Operation not permitted

Is this just not possible or do I get something wrong here?

Regards,
Luke
Timo Sirainen
2011-Feb-09 22:55 UTC
[Dovecot] Questions about dovecot-shared in 1.2 and inherit group membership from parent mailbox
On Wed, 2011-02-09 at 12:51 +0100, Lukas Haase wrote:
> First, if I want shared keywords I *must* have a dovecot-shared. In this
> case, the permissions are not taken any longer from the parent folder
> (what is exactly this parent folder?)

If you have ~/Maildir/.foo/, then the permissions are based on the .foo directory when ~/Maildir/.foo/dovecot-shared doesn't exist.

> but from the dovecot-shared file.
> So in some sense dovecot-shared is always required (since everyone would
> like to share keywords). True?

dovecot-shared is needed only if you want private \Seen flags.

> Second, is there only *one* dovecot-shared per namespace or per mailbox
> *under* a specific namespace? Or an arbitrary number (where the "last"
> is taken)? Where does dovecot-shared need to be placed?

For each mailbox.

> For example, if the location of the namespace points to /var/mail/shared
> and I have two mailboxes "group1" and "group2" inside.
> Does the dovecot-shared need to reside in /var/mail/shared or
> /var/mail/shared/group1 and /var/mail/shared/group2 (with LAYOUT=fs)? Is
> it possible?

group1 & group2

> Third (and main) question: In /var/mail/shared I want to have a mailbox
> for each group. Each user is member of his respective groups (in terms
> of UNIX permissions *and* ACLs).
> The mailboxes are owned by their respective groups and if a user creates
> a subfolder inside it should surely have the same group assigned as the
> parent mailbox (not the namespace!).

Well, now you're going into something that's a new feature :) But you can probably do:

/var/mail/shared = root:root, 02770
/var/mail/shared/group1 = root:group1, 02770

Now filesystem should preserve group1 and Dovecot should preserve 02770 permissions.
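
Added example, not part of either message above: a shell check for the setgid bit and group consistency in a shared mailbox tree, which is what the 02770 suggestion relies on for new subfolders to keep the mailbox's group. The function names and the temporary sample tree are constructed for illustration, and a Linux host with GNU or busybox find and stat is assumed.

```shell
#!/bin/sh
# Added example: audit a shared Maildir tree for directories that will not
# pass their group on to newly created subfolders.

# Print directories under $1 (inclusive) that lack the setgid bit. Folders
# created inside them get the creating user's primary group instead.
missing_setgid() {
    find "$1" -type d ! -perm -2000 -print
}

# Print directories below mailbox $1 whose group differs from the mailbox's.
group_mismatch() {
    want=$(stat -c %g "$1")    # assumption: stat supports -c (GNU/busybox)
    find "$1" -mindepth 1 -type d -print | while IFS= read -r d; do
        [ "$(stat -c %g "$d")" = "$want" ] || printf '%s\n' "$d"
    done
}

# Constructed sample tree: Group1 uses mode 02770, Group2 stays at 0770 like
# the directories in the listing from the question. Prints the tree root.
build_demo_tree() {
    root=$(mktemp -d) || return 1
    mkdir "$root/Group1" "$root/Group2"
    chmod 2770 "$root/Group1"
    # A numeric mode may keep an existing setgid bit on a directory, so it is
    # cleared explicitly here.
    chmod 770 "$root/Group2"; chmod g-s "$root/Group2"
    # Subfolders created afterwards, as an IMAP client would create them.
    mkdir "$root/Group1/Test1" "$root/Group2/Test1"
    printf '%s\n' "$root"
}

demo_root=$(build_demo_tree)
echo "Group1 directories missing setgid:"; missing_setgid "$demo_root/Group1"
echo "Group2 directories missing setgid:"; missing_setgid "$demo_root/Group2"
echo "Group1 group mismatches:";           group_mismatch "$demo_root/Group1"
rm -rf "$demo_root"
```

Against a real tree, run `missing_setgid /var/mail/shared/Group1` and `group_mismatch /var/mail/shared/Group1` per mailbox; any path printed is a directory where new subfolders can end up with the wrong group.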