Stephan von Krawczynski
2013-Apr-11 12:07 UTC
[Dovecot] Easy way to make all mailboxes of a user read-only
Hello all,

I try to configure dovecot to make all imap accesses read-only for a certain user. I thought this would be possible by creating a global acl file (here "global-acl") like:

user=<username> lr

and

plugin {
  acl = vfile:/etc/dovecot/global-acls:cache_secs=300
}

But that seems to be ignored. What is wrong with this idea, the docs are not really clear about a single acl file with global settings.

--
Regards,
Stephan
Timo Sirainen
2013-Apr-11 13:00 UTC
[Dovecot] Easy way to make all mailboxes of a user read-only
On 11.4.2013, at 15.07, Stephan von Krawczynski <skraw at ithnet.com> wrote:

> I try to configure dovecot to make all imap accesses read-only for a certain
> user. I thought this would be possible by creating a global acl file (here
> "global-acl") like:

Sorry, there is still no "default ACLs" feature in Dovecot. The only semi-easy way to do what you want is using filesystem permissions.

This is something that really should be developed though.. But probably not until v2.3.
Stephan von Krawczynski
2013-Apr-11 13:05 UTC
[Dovecot] Easy way to make all mailboxes of a user read-only
Let me explain some more details, that seem important to understand:

I cannot use acl files per folder/mailbox because the MTA creates folders dynamically (re-orders mails in folders). So I really would need some idea to tell dovecot to let a certain user access his mailbox/folders read-only, no matter how many. A global acl _file_ would do that, or an acl-file that works for a whole tree of folders. A global acl directory does not help, because I would have to know the names of every single folder/mailbox to create the correct acl-file in the global directory.

--
Regards,
Stephan
Stephan von Krawczynski
2013-Apr-11 13:07 UTC
[Dovecot] Easy way to make all mailboxes of a user read-only
On Thu, 11 Apr 2013 16:00:22 +0300 Timo Sirainen <tss at iki.fi> wrote:

> On 11.4.2013, at 15.07, Stephan von Krawczynski <skraw at ithnet.com> wrote:
>
> > I try to configure dovecot to make all imap accesses read-only for a certain
> > user. I thought this would be possible by creating a global acl file (here
> > "global-acl") like:
>
> Sorry, there is still no "default ACLs" feature in Dovecot. The only semi-easy way to do what you want is using filesystem permissions.
>
> This is something that really should be developed though.. But probably not until v2.3.

Oh, that is _bad_. I cannot use fs permissions because the MTA (postfix) must have write permissions (to the directories) to create the mail files...

--
Regards,
Stephan
Reindl Harald
2013-Apr-11 13:08 UTC
[Dovecot] Easy way to make all mailboxes of a user read-only
On 11.04.2013 15:05, Stephan von Krawczynski wrote:

> Let me explain some more details, that seem important to understand:
>
> I cannot use acl files per folder/mailbox because the MTA creates folders
> dynamically (re-orders mails in folders)

why does the MTA that?

normally the MTA should only decide reject or accept a message
and deliver it via LMTP to the LDA which can then filter via
Sieve or whatever and from this moment on any dynamically
created folder would be created in the dovecot world
Stephan von Krawczynski
2013-Apr-11 13:13 UTC
[Dovecot] Easy way to make all mailboxes of a user read-only
On Thu, 11 Apr 2013 15:08:31 +0200 Reindl Harald <h.reindl at thelounge.net> wrote:

> On 11.04.2013 15:05, Stephan von Krawczynski wrote:
> > Let me explain some more details, that seem important to understand:
> >
> > I cannot use acl files per folder/mailbox because the MTA creates folders
> > dynamically (re-orders mails in folders)
>
> why does the MTA that?
>
> normally the MTA should only decide reject or accept a message
> and deliver it via LMTP to the LDA which can then filter via
> Sieve or whatever and from this moment on any dynamically
> created folder would be created in the dovecot world

I cannot further explain the background, you have to believe that there is a good reason for this implementation. It is no standard mail service.

--
Regards,
Stephan
Stephan von Krawczynski
2013-Apr-11 13:16 UTC
[Dovecot] Easy way to make all mailboxes of a user read-only
On Thu, 11 Apr 2013 16:00:22 +0300 Timo Sirainen <tss at iki.fi> wrote:

> On 11.4.2013, at 15.07, Stephan von Krawczynski <skraw at ithnet.com> wrote:
>
> > I try to configure dovecot to make all imap accesses read-only for a certain
> > user. I thought this would be possible by creating a global acl file (here
> > "global-acl") like:
>
> Sorry, there is still no "default ACLs" feature in Dovecot. The only semi-easy way to do what you want is using filesystem permissions.
>
> This is something that really should be developed though.. But probably not until v2.3.

And I just checked another thing: Though setting permissions to 400 the owner still can move mails to trash (seems to be a rename?). That is definitely not read-only.

--
Regards,
Stephan
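
The behaviour reported in the message above, as an added example that is not part of the original thread: on a POSIX filesystem a rename is authorised by write permission on the containing directories, not by the mode of the file itself, so mode 400 on a message file does not stop a move to Trash. The Maildir-style paths, the message file name and the function names `try_move` and `report` are constructed for illustration.

```shell
#!/bin/sh
# Constructed demo: mimic moving a Maildir message from the inbox to Trash
# and see which permission bits actually decide whether the move works.
# try_move FILE_MODE DIR_MODE -> exit status 0 if the move succeeded.
try_move() {
    file_mode=$1
    dir_mode=$2
    root=$(mktemp -d) || return 2
    mkdir -p "$root/cur" "$root/.Trash/cur"
    msg="$root/cur/1365682020.M1P1.host:2,S"   # constructed message name
    printf 'Subject: test\n\nbody\n' > "$msg"
    chmod "$file_mode" "$msg"
    chmod "$dir_mode" "$root/cur" "$root/.Trash/cur"

    # Same filesystem, so mv is a plain rename(2) of the directory entry.
    mv "$msg" "$root/.Trash/cur/" 2>/dev/null
    status=$?

    # Restore write access so the temporary tree can be removed.
    chmod -R u+rwx "$root"
    rm -rf "$root"
    return $status
}

report() {
    if try_move "$1" "$2"; then result="moved"; else result="refused"; fi
    echo "file mode $1, directory mode $2: $result"
}

report 400 700   # read-only file, writable directories: moved
report 400 500   # directories not writable: refused (root bypasses this check)
```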
Robert Schetterer
2013-Apr-11 15:05 UTC
[Dovecot] Easy way to make all mailboxes of a user read-only
On 11.04.2013 15:00, Timo Sirainen wrote:

> On 11.4.2013, at 15.07, Stephan von Krawczynski <skraw at ithnet.com> wrote:
>
>> I try to configure dovecot to make all imap accesses read-only for a certain
>> user. I thought this would be possible by creating a global acl file (here
>> "global-acl") like:
>
> Sorry, there is still no "default ACLs" feature in Dovecot. The only semi-easy way to do what you want is using filesystem permissions.
>
> This is something that really should be developed though.. But probably not until v2.3.
>

i tested something "alike" setting acl by using sieve external prog but at last it got too complex, so i did another solution layout but you may try by your own

Best Regards
Robert Schetterer

--
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Registered office: München, District Court München: HRB 199263
Executive board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Joerg Heidrich