On May 25, 2015, at 15:55 , andy at thecsillags.com wrote:
> I'll assume you've seen these:
> http://wiki2.dovecot.org/SharedMailboxes/Shared and http://wiki2.dovecot.org/ACL

Yup, I'd looked at those, but still left not understanding all of the options. And you gave a doveadm command, which I appreciate very much, but surprises me since the materials in the ACL wiki page are all about file contents. But I'll try your command.

> When I set them up that way, I shared the target inbox (we'll call it foo at example.com) to be accessible by user bar at example.com. When I go into my email client, I'll see something like: shared/foo at example.com/INBOX as a folder.

When you say "set them up that way", do you mean following the example config at SharedMailboxes/Shared ? In that example, a mail_location is set at the outer level, which I think I don't want to do, and overridden in the shared namespace. I'm assuming I don't want either of those, or at least that's what I'm going to try first.

A question I have given your example above, is, did you set mail_shared_explicit_inbox ? It's only briefly described what that affects, so I'm not sure which setting (on or off) will cause the shared/foo at example.com/INBOX you describe seeing. I assume on, so I've turned it on.

> To give bar@ access to foo@'s INBOX, I ran something like this:
>
> doveadm acl add \
>   -u foo at example.com \
>   INBOX user=bar at example.com \
>   lookup read write write-seen write-deleted insert \
>   post expunge create delete admin
>
> http://wiki2.dovecot.org/Tools/Doveadm/ACL covers the details of what all of the "lookup read..." bits and more do.
>
> The boxes don't have to be shared publicly if you use the "private" namespace.

By "use the "private" namespace", do you mean specifying a separate namespace block in the config, like the one declared in the example at http://wiki2.dovecot.org/SharedMailboxes/Shared ? If so, that's what I've done. If there is a way to have a single namespace declared that's both private and shared, I don't see that, so I have two as presented on that wiki page.

And did/do you have "subscriptions=no" and "list=children" defined? Again, as they're only briefly described, I'm not 100% sure I understand the difference in behavior I'll see with different settings.

And I'm pretty sure I read that there are ways to have mailboxes shared such that who has or hasn't read contents of the mailboxes is stored within the mailbox, and also ways to have it stored per reading user. I'm not sure which I'll be seeing/using here.

Thanks. I'll ask more questions if I have more questions after a little trial and error on my own server. :-)

Thanks for your help!

- Chris
On May 27, 2015, at 22:57 , Chris Ross <cross+dovecot at distal.com> wrote:
> On May 25, 2015, at 15:55 , andy at thecsillags.com wrote:
>> When I set them up that way, I shared the target inbox (we'll call it foo at example.com) to be accessible by user bar at example.com. When I go into my email client, I'll see something like: shared/foo at example.com/INBOX as a folder.
>
> When you say "set them up that way", do you mean following the example config at SharedMailboxes/Shared ? In that example, a mail_location is set at the outer level, which I think I don't want to do, and overridden in the shared namespace. I'm assuming I don't want either of those, or at least that's what I'm going to try first.
>
> A question I have given your example above, is, did you set mail_shared_explicit_inbox ? It's only briefly described what that affects, so I'm not sure which setting (on or off) will cause the shared/foo at example.com/INBOX you describe seeing. I assume on, so I've turned it on.
>
>> The boxes don't have to be shared publicly if you use the "private" namespace.
>
> By "use the "private" namespace", do you mean specifying a separate namespace block in the config, like the one declared in the example at http://wiki2.dovecot.org/SharedMailboxes/Shared ? If so, that's what I've done. If there is a way to have a single namespace declared that's both private and shared, I don't see that, so I have two as presented on that wiki page.

Okay. Lots of trial and error and error, and I at least have some configuration that I think includes pieces about shared mailboxes and ACLs, and it's actually up and running. But, I'm not seeing the shared folder.

I was getting a lot of errors about separators (namespace configuration error: All list=yes namespaces must use the same separator) and prefixes (namespace configuration error: list=yes requires prefix=/ not to start with separator), but have it working now. The namespace private block from the example at http://wiki2.dovecot.org/SharedMailboxes/Public caused many of those problems, and I didn't have a separator configured at all (ie, was still commented out) in my main namespace, so that apparently conflicted with the "separator = /" in the shared namespace. But, all that resolved.

The config file I've added into conf.d/15-shared.conf is:

namespace {
  type = shared
  separator = /
  prefix = shared/%%u/
  location = maildir:/home/%%n/Maildir:INDEX=~/Maildir/shared/%%u:INDEXPVT=~/Maildir/shared/%%u
  subscriptions = no
  list = children
}
mail_shared_explicit_inbox = yes
protocol imap {
  mail_plugins = $mail_plugins acl imap_acl
}
plugin {
  acl = vfile
}

This comes from the aforementioned wiki page. I ran the doveadm acl command you suggested (though my usernames have no domain part, like your example did have domain parts).

Now, while dovecot is back to working, I don't see a shared folder anywhere. "doveadm mailbox list" lists the mailboxes for users, including the INBOX I've tried to configure an ACL to let me share.

Clearly I'm missing a piece. Andy, or anyone else, if you see what I've missed, please let me know. I'm not seeing anything back from the server with my mail client under "Subscription List", so I can't choose to subscribe. Maybe I've turned off subscriptions somehow, and it's not auto-subscribing me? Or, maybe having "list=children", and I haven't set up the ACL correctly?

I ran:

sudo doveadm acl add -u childuser INBOX user=cross lookup read write write-seen write-deleted insert post expunge create delete admin

After removing the domains from your example, that's about what you had. I can see the INBOX for childuser with "doveadm mailbox list -u childuser".

Ahh. I think I may be on to something. I tried the "doveadm acl add" again, which seems to succeed, but "doveadm acl debug" then doesn't mention anything about me, or my access to childuser's INBOX. Running the "acl add" with "doveadm -D" shows:

doveadm(childuser): Debug: acl: No acl_shared_dict setting - shared mailbox listing is disabled

and later:

doveadm(childuser): Debug: acl vfile: Global ACLs disabled

The first of those looks like it might be a problem. Do you have an "acl_shared_dict" set up in your config anywhere, Andy?

Thanks. Any help appreciated.

- Chris
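Added example, not from this thread and not Dovecot's own code: a small POSIX shell audit of a vfile-style ACL file of the kind the "plugin { acl = vfile }" setting above reads. It expands the single-letter rights Dovecot takes from RFC 4314 (l lookup, r read, w write, s write-seen, t write-deleted, i insert, p post, e expunge, k create, x delete, a admin) into the named rights passed to the "doveadm acl add" command in the message, then flags entries that hand admin or delete to a non-owner, or any right at all to the anonymous "anyone" identifier. The sample file content is constructed, and the accepted "<identifier> <rights>" line format (letters or named rights) is assumed from the Dovecot ACL wiki page linked earlier in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: audit a Dovecot vfile-style ACL file.
# Assumed entry format (from the Dovecot ACL wiki): "<identifier> <rights>",
# where <rights> is either RFC 4314 letters ("lrw") or named rights
# ("lookup read write") as passed to "doveadm acl add".

# Constructed sample dovecot-acl content (not from a real server).
SAMPLE_ACL='# comment line
owner lrwstipekxa
user=cross lrwstipekxa
user=bob lookup read
anyone lr
authenticated l'

# Expand one rights field into space-separated named rights.
# Letter meanings: l lookup, r read, w write, s write-seen, t write-deleted,
# i insert, p post, e expunge, k create, x delete, a admin.
expand_rights() {
  out=""
  for tok in $1; do
    case $tok in
      lookup|read|write|write-seen|write-deleted|insert|post|expunge|create|delete|admin)
        out="$out${out:+ }$tok" ;;
      *)
        # Treat the token as a string of single-letter rights.
        for c in $(printf '%s' "$tok" | sed 's/./& /g'); do
          case $c in
            l) n=lookup ;;        r) n=read ;;           w) n=write ;;
            s) n=write-seen ;;    t) n=write-deleted ;;  i) n=insert ;;
            p) n=post ;;          e) n=expunge ;;        k) n=create ;;
            x) n=delete ;;        a) n=admin ;;
            *) n="unknown($c)" ;;
          esac
          out="$out${out:+ }$n"
        done ;;
    esac
  done
  printf '%s' "$out"
}

# Read ACL lines on stdin; print "identifier<TAB>named rights" per entry.
list_acl() {
  while read -r ident rights; do
    case $ident in ""|"#"*) continue ;; esac
    printf '%s\t%s\n' "$ident" "$(expand_rights "$rights")"
  done
}

# Read ACL lines on stdin; return 0 when nothing risky is granted, 1 otherwise.
# Risky here: admin or delete to anyone but the owner, or any right to the
# anonymous "anyone" identifier. Warnings go to stdout for a report.
audit_acl() {
  rc=0
  while read -r ident rights; do
    case $ident in ""|"#"*) continue ;; esac
    named=$(expand_rights "$rights")
    case $ident in
      owner) ;;
      anyone)
        echo "WARN: anyone (anonymous) granted: $named"; rc=1 ;;
      *)
        case " $named " in
          *" admin "*|*" delete "*)
            echo "WARN: $ident granted admin/delete: $named"; rc=1 ;;
        esac ;;
    esac
  done
  return $rc
}

printf '%s\n' "$SAMPLE_ACL" | list_acl
printf '%s\n' "$SAMPLE_ACL" | audit_acl || echo "audit: risky grants found"
```

Running it against a real file would be "list_acl < /home/childuser/Maildir/dovecot-acl" as a user that can read it; the thread's own "doveadm acl debug" remains the authoritative view of what Dovecot actually resolves, since this script only reads the file, not global ACLs or the acl_shared_dict.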
Chris,

I do indeed have an acl_shared_dict set up. That may be the ticket. That makes it so that the IMAP server knows that you have acls on the other mailbox, so it can know to then look in that mailbox to find out precisely what the ACLs are.

Cheers,
Andy

May 28 2015 12:49 AM, "Chris Ross" <cross+dovecot at distal.com> wrote:
> On May 27, 2015, at 22:57 , Chris Ross <cross+dovecot at distal.com> wrote:
>
>> On May 25, 2015, at 15:55 , andy at thecsillags.com wrote:
>>> When I set them up that way, I shared the target inbox (we'll call it foo at example.com) to be accessible by user bar at example.com. When I go into my email client, I'll see something like: shared/foo at example.com/INBOX as a folder.
>>
>> When you say "set them up that way", do you mean following the example config at SharedMailboxes/Shared ? In that example, a mail_location is set at the outer level, which I think I don't want to do, and overridden in the shared namespace. I'm assuming I don't want either of those, or at least that's what I'm going to try first.
>>
>> A question I have given your example above, is, did you set mail_shared_explicit_inbox ? It's only briefly described what that affects, so I'm not sure which setting (on or off) will cause the shared/foo at example.com/INBOX you describe seeing. I assume on, so I've turned it on.
>>
>>> The boxes don't have to be shared publicly if you use the "private" namespace.
>>
>> By "use the "private" namespace", do you mean specifying a separate namespace block in the config, like the one declared in the example at http://wiki2.dovecot.org/SharedMailboxes/Shared ? If so, that's what I've done. If there is a way to have a single namespace declared that's both private and shared, I don't see that, so I have two as presented on that wiki page.
>
> Okay. Lots of trial and error and error, and I at least have some configuration that I think includes pieces about shared mailboxes and ACLs, and it's actually up and running. But, I'm not seeing the shared folder.
>
> I was getting a lot of errors about separators (namespace configuration error: All list=yes namespaces must use the same separator) and prefixes (namespace configuration error: list=yes requires prefix=/ not to start with separator), but have it working now. The namespace private block from the example at http://wiki2.dovecot.org/SharedMailboxes/Public caused many of those problems, and I didn't have a separator configured at all (ie, was still commented out) in my main namespace, so that apparently conflicted with the "separator = /" in the shared namespace. But, all that resolved.
>
> The config file I've added into conf.d/15-shared.conf is:
>
> namespace {
>   type = shared
>   separator = /
>   prefix = shared/%%u/
>   location = maildir:/home/%%n/Maildir:INDEX=~/Maildir/shared/%%u:INDEXPVT=~/Maildir/shared/%%u
>   subscriptions = no
>   list = children
> }
> mail_shared_explicit_inbox = yes
> protocol imap {
>   mail_plugins = $mail_plugins acl imap_acl
> }
> plugin {
>   acl = vfile
> }
>
> This comes from the aforementioned wiki page. I ran the doveadm acl command you suggested (though my usernames have no domain part, like your example did have domain parts).
>
> Now, while dovecot is back to working, I don't see a shared folder anywhere. "doveadm mailbox list" lists the mailboxes for users, including the INBOX I've tried to configure an ACL to let me share.
>
> Clearly I'm missing a piece. Andy, or anyone else, if you see what I've missed, please let me know. I'm not seeing anything back from the server with my mail client under "Subscription List", so I can't choose to subscribe. Maybe I've turned off subscriptions somehow, and it's not auto-subscribing me? Or, maybe having "list=children", and I haven't set up the ACL correctly?
>
> I ran:
>
> sudo doveadm acl add -u childuser INBOX user=cross lookup read write write-seen write-deleted insert post expunge create delete admin
>
> After removing the domains from your example, that's about what you had. I can see the INBOX for childuser with "doveadm mailbox list -u childuser".
>
> Ahh. I think I may be on to something. I tried the "doveadm acl add" again, which seems to succeed, but "doveadm acl debug" then doesn't mention anything about me, or my access to childuser's INBOX. Running the "acl add" with "doveadm -D" shows:
>
> doveadm(childuser): Debug: acl: No acl_shared_dict setting - shared mailbox listing is disabled
>
> and later:
>
> doveadm(childuser): Debug: acl vfile: Global ACLs disabled
>
> The first of those looks like it might be a problem. Do you have an "acl_shared_dict" set up in your config anywhere, Andy?
>
> Thanks. Any help appreciated.
>
> - Chris
> On May 28, 2015, at 09:08, andy at thecsillags.com wrote:
>
> Chris,
>
> I do indeed have an acl_shared_dict set up. That may be the ticket. That makes it so that the IMAP server knows that you have acls on the other mailbox, so it can know to then look in that mailbox to find out precisely what the ACLs are.

Okay. I did set up an acl_shared_dict, but I'm not sure the file ownership/permissions aren't somewhat in the way. It appears dovecot, and doveadm, operate as the user in question, and I think the permission problems may be getting in my way. I eventually made ~childuser/Maildir group readable (to a group I'm in), and then was seeing permission denied issues when I tried:

% sudo doveadm acl debug -u cross shared/childuser/INBOX
[...]
doveadm(cross): Error: open(/home/childuser/Maildir/dovecot-acl-list) failed: Permission denied

So, I made that file readable to a group I'm in, and that went away, but acl debug still shows no access. I think UNIX permissions are what is impeding my progress at the moment. Is that normal? Any idea how you're avoiding this problem, Andy?

> On May 28, 2015, at 23:57, G H <uothrawn at yahoo.com> wrote:
>
> Look in to dovecot's master user feature as well.

Okay. This looks like it may help with my above problem. I haven't looked into it yet, but will check on that as it sounds valuable. Thanks!

- Chris