dovecot - Aug 2011 - Sharing all mailboxes and userdb LDAP attrs

Hello all,

I'm setting up a Dovecot environment here, version 1.2.15 on Debian 6.0.2
"squeeze". This is actually a complete revamp of the previous setup we
have
in-place here, built from the ground up with updated versions of all
involved software.

The operators have told me that they use some scripts hacked up by a
previous sysadmin to give a single "admin" account full access to all
user
mail. That is, if any user runs into problems, they: 1. Call in; 2. The
operator logs in as the admin user; 3. Operator performs maintenance duties
on user email.

I've been researching the possibility of using Dovecot shared namespaces to
perform that very same task in a better fashion in this new server. So far,
I've been able to globally share users' INBOXes and view them from a
single
admin account (through user= entries on global acl's). My ultimate goal,
however, is to have access to all user mailboxes with any user that's a
member of a particular group, adding all operators to that group as needed.

- - - - -

First question, then, is this one: how can I give global access to all user
mailboxes? I've read that it's possible to give access to all subfolders
of
a particular folder throught the use of a .DEFAUL acl. That didn't seem to
work with the uppermost directory, however. Here's what I tried:

root at mail:/etc/dovecot# dovecot -a | grep acl:
  acl: vfile:/etc/dovecot/acl:cache_secs=300
root at mail:/etc/dovecot# cat acl/.DEFAULT
owner lrwstipekxa
user=admin lrwstipekxa

Renaming .DEFAULT to INBOX does achieve the intended goal, but only for the
INBOX folder evidently.

- - - - -

Second question is somewhat simpler. So far I've been using a single admin
user, but I'd like to switch to using an admin group in the future. I've
read that the best way to do that would be to use the user_attrs entry in my
dovecot-ldap.conf file, while using a userdb ldap. The groups should be
strings separated by commas in the appropriate attribute, from what I
understand.

Is there any readily-available or recommended schema I can use to fill up
that attribute? I'm using the default ones (plus samba.schema) but I've
seen
mostly space to fit GID's, not group names.

Thanks in advance,
fbscarel

PS: Here's my dovecot -a output, should it be needed.

- - - - -

root at mailaluno:~# dovecot -a
# 1.2.15: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-5-amd64 x86_64 Debian 6.0.2
base_dir: /var/run/dovecot
log_path: /var/log/dovecot/error.log
info_log_path: /var/log/dovecot/info.log
log_timestamp: %Y-%m-%d %H:%M:%S
syslog_facility: mail
protocols: imap pop3 pop3s managesieve
listen(default): *
listen(imap): *
listen(pop3): *
listen(managesieve): localhost:2000
ssl_listen: 127.0.0.1
ssl: yes
ssl_ca_file:
ssl_cert_file: /etc/ssl/certs/dovecot.pem
ssl_key_file: /etc/ssl/private/dovecot.pem
ssl_key_password:
ssl_parameters_regenerate: 168
ssl_cipher_list:
ssl_cert_username_field: commonName
ssl_verify_client_cert: no
disable_plaintext_auth: no
verbose_ssl: yes
shutdown_clients: yes
nfs_check: yes
version_ignore: no
login_dir: /var/run/dovecot/login
login_executable(default): /usr/lib/dovecot/imap-login
login_executable(imap): /usr/lib/dovecot/imap-login
login_executable(pop3): /usr/lib/dovecot/pop3-login
login_executable(managesieve): /usr/lib/dovecot/managesieve-login
login_user: dovecot
login_greeting: Server ready.
login_log_format_elements: user=<%u> method=%m rip=%r lip=%l %c
login_log_format: %$: %s
login_process_per_connection: no
login_chroot: yes
login_trusted_networks:
login_process_size: 64
login_processes_count: 5
login_max_processes_count: 128
login_max_connections: 256
valid_chroot_dirs:
mail_chroot:
max_mail_processes: 512
mail_max_userip_connections: 10
verbose_proctitle: no
first_valid_uid: 108
last_valid_uid: 0
first_valid_gid: 112
last_valid_gid: 0
mail_access_groups:
mail_privileged_group: mail
mail_uid:
mail_gid:
mail_location:
mail_cache_fields:
mail_never_cache_fields: imap.envelope
mail_cache_min_mail_count: 0
mailbox_idle_check_interval: 30
mail_debug: yes
mail_full_filesystem_access: no
mail_max_keyword_length: 50
mail_save_crlf: no
mmap_disable: no
dotlock_use_excl: yes
fsync_disable: no
mail_nfs_storage: no
mail_nfs_index: no
mailbox_list_index_disable: yes
lock_method: fcntl
maildir_stat_dirs: no
maildir_copy_with_hardlinks: yes
maildir_copy_preserve_filename: no
maildir_very_dirty_syncs: no
mbox_read_locks: fcntl
mbox_write_locks: fcntl dotlock
mbox_lock_timeout: 300
mbox_dotlock_change_timeout: 120
mbox_min_index_size: 0
mbox_dirty_syncs: yes
mbox_very_dirty_syncs: no
mbox_lazy_writes: yes
dbox_rotate_size: 2048
dbox_rotate_min_size: 16
dbox_rotate_days: 1
mail_drop_priv_before_exec: no
mail_executable(default): /usr/lib/dovecot/imap
mail_executable(imap): /usr/lib/dovecot/imap
mail_executable(pop3): /usr/lib/dovecot/pop3
mail_executable(managesieve): /usr/lib/dovecot/managesieve
mail_process_size: 256
mail_plugins(default): quota imap_quota trash mail_log acl imap_acl
mail_plugins(imap): quota imap_quota trash mail_log acl imap_acl
mail_plugins(pop3): quota mail_log
mail_plugins(managesieve):
mail_plugin_dir(default): /usr/lib/dovecot/modules/imap
mail_plugin_dir(imap): /usr/lib/dovecot/modules/imap
mail_plugin_dir(pop3): /usr/lib/dovecot/modules/pop3
mail_plugin_dir(managesieve): /usr/lib/dovecot/modules/managesieve
mail_log_prefix: %Us(%u):
mail_log_max_lines_per_sec: 0
imap_max_line_length: 65536
imap_capability:
imap_client_workarounds:
imap_logout_format: bytes=%i/%o
imap_id_send:
imap_id_log:
imap_idle_notify_interval: 120
pop3_no_flag_updates: no
pop3_enable_last: no
pop3_reuse_xuidl: no
pop3_save_uidl: no
pop3_lock_session: no
pop3_uidl_format: %08Xu%08Xv
pop3_client_workarounds:
pop3_logout_format: top=%t/%p, retr=%r/%b, del=%d/%m, size=%s
dict_db_config:
dict_process_count: 1
managesieve_max_line_length: 65536
managesieve_logout_format: bytes=%i/%o
managesieve_implementation_string: dovecot
namespace:
  type: private
  separator: /
  prefix:
  location: maildir:/vmail/%Ln/Maildir
  alias_for:
  inbox: yes
  hidden: no
  list: yes
  subscriptions: yes
namespace:
  type: shared
  separator: /
  prefix: shared/%%n/
  location: maildir:/vmail/%%n/Maildir:INDEX=/vmail/%n/Maildir/shared/%%n
  alias_for:
  inbox: no
  hidden: no
  list: yes
  subscriptions: no
lda:
  postmaster_address: xxx at xxx
  mail_plugins: quota sieve trash acl
auth default:
  mechanisms: plain login
  realms:
  default_realm:
  cache_size: 0
  cache_ttl: 3600
  cache_negative_ttl: 3600
  executable: /usr/lib/dovecot/dovecot-auth
  user: vmail
  chroot:
  username_chars:
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
  username_translation:
  username_format: %Lu
  master_user_separator: *
  anonymous_username: anonymous
  krb5_keytab:
  gssapi_hostname:
  winbind_helper_path: /usr/bin/ntlm_auth
  failure_delay: 2
  verbose: no
  debug: no
  debug_passwords: no
  ssl_require_client_cert: no
  ssl_username_from_cert: no
  use_winbind: no
  count: 1
  worker_max_count: 30
  process_size: 256
  passdb:
    driver: passwd-file
    args: /etc/dovecot/passwd.masterusers
    deny: no
    pass: no
    master: yes
  passdb:
    driver: shadow
    args:
    deny: no
    pass: no
    master: no
  passdb:
    driver: ldap
    args: /etc/dovecot/dovecot-ldap.conf
    deny: no
    pass: no
    master: no
  userdb:
    driver: passwd
    args:
  userdb:
    driver: static
    args: uid=vmail gid=vmail home=/vmail/%Ln allow_all_users=yes
  socket:
    type: listen
    master:
      path: /var/run/dovecot/auth-master
      mode: 384
      user: vmail
      group: vmail
plugin:
  quota: maildir:User quota
  quota_rule: *:storage=1G
  quota_rule2: Trash:storage=100M
  acl: vfile:/etc/dovecot/acl:cache_secs=300
  acl_shared_dict: file:/vmail/shared_mboxes
  trash: /etc/dovecot/dovecot-trash.conf
  mail_log_events: delete mailbox_delete
  mail_log_fields: uid box msgid size
  sieve: ~/.dovecot.sieve
  sieve_dir: ~/sieve
  sieve_before: /vmail/default.sieve

On 2011-08-19 12:14 PM, Felipe Scarel <fbscarel at gmail.com>
wrote:
> I'm setting up a Dovecot environment here, version 1.2.15 on Debian
6.0.2
> "squeeze". This is actually a complete revamp of the previous
setup we have
> in-place here, built from the ground up with updated versions of all
> involved software.
> 
> The operators have told me that they use some scripts hacked up by a
> previous sysadmin to give a single "admin" account full access to
all user
> mail. That is, if any user runs into problems, they: 1. Call in; 2. The
> operator logs in as the admin user; 3. Operator performs maintenance duties
> on user email.
Isn't this what master users are for?

http://wiki2.dovecot.org/Authentication/MasterUsers

-- 

Best regards,

Charles