dovecot - Apr 2016 - push-notification plugin and imap-metadata permissions

Ultra short version:

Why cant I set the following mailbox metadata key?
/private/vendor/vendor.dovecot/pvt/server/vendor/vendor.dovecot/http-notify

Let me explain the context:

I'm using the Dovecot version 2.23.1, but the same happens for the 2.2.22

The push-notification plugin is supposed to send out a notification whenever
a mailbox get a new email message.

In order to tell if a mailbox is enabled to send out the notification, the
plugin
looks out for the following mailbox metadata key:
/private/vendor/vendor.dovecot/pvt/server/vendor/vendor.dovecot/http-notify

If the key is set then everything is OK and the notification is sent, otherwise
the
action is skipped.

If I try to setup the metadata key by hand (telnet as the user over the imap
port):
setmetadata INBOX
(/private/vendor/vendor.dovecot/pvt/server/vendor/vendor.dovecot/http-notify
"user=myuser at mydomain.com")

I get the error message: "Internal mailbox attributes cannot be
accessed"

Digging in the Dovecot 2.2.22 sources i found that:

This string is from lib-imap-storage/imap-metadata.c - line 36 - Dovecot 2.2.22
The message is triggered by the following condition - same file - line 125  -
Dovecot 2.2.22

if (strncmp(*key_r, MAILBOX_ATTRIBUTE_PREFIX_DOVECOT_PVT,
                     strlen(MAILBOX_ATTRIBUTE_PREFIX_DOVECOT_PVT)) == 0) {

So the path pvt/server appears to be forbidden.

But, in the file lib-storage/mailbox-attribute.h we can read the following
comment:

/* User can get/set all non-pvt/ attributes and also pvt/server/
    (but not pvt/server/pvt/) attributes. */

And, after said comment there is the definition of the macro 
MAILBOX_ATTRIBUTE_KEY_IS_USER_ACCESSIBLE(key)
which has the same basic function of the condition in imap-metadata.c , but in
this case
the same imap key is seen as accessible.

Now my questions:

Can we use a negated version of MAILBOX_ATTRIBUTE_KEY_IS_USER_ACCESSIBLE(key) in
imap-metadata?
How can the push-notification plugin work out-of-the-box without changes and
recompilation?

Thank you for your valuable time and forgive me if I'm posing a dumb
question.

Best wishes,
Giovanni S. Fois

On 22.04.2016 15:17, Giovanni S. Fois wrote:
> Ultra short version:
> 
> Why cant I set the following mailbox metadata key?
> /private/vendor/vendor.dovecot/pvt/server/vendor/vendor.dovecot/http-notify
Why do you want to set it there? Have you tried setting it on some mailbox path?
> 
> Let me explain the context:
> 
> I'm using the Dovecot version 2.23.1, but the same happens for the
2.2.22
> 
> The push-notification plugin is supposed to send out a notification
whenever
> a mailbox get a new email message.
> 
> In order to tell if a mailbox is enabled to send out the notification, the
plugin
> looks out for the following mailbox metadata key:
> /private/vendor/vendor.dovecot/pvt/server/vendor/vendor.dovecot/http-notify
> 
> If the key is set then everything is OK and the notification is sent,
otherwise the
> action is skipped.
> 
> If I try to setup the metadata key by hand (telnet as the user over the
imap port):
> setmetadata INBOX
(/private/vendor/vendor.dovecot/pvt/server/vendor/vendor.dovecot/http-notify
"user=myuser at mydomain.com")
> 
> I get the error message: "Internal mailbox attributes cannot be
accessed"
> 
> Digging in the Dovecot 2.2.22 sources i found that:
> 
> This string is from lib-imap-storage/imap-metadata.c - line 36 - Dovecot
2.2.22
> The message is triggered by the following condition - same file - line 125 
- Dovecot 2.2.22
> 
> if (strncmp(*key_r, MAILBOX_ATTRIBUTE_PREFIX_DOVECOT_PVT,
>                     strlen(MAILBOX_ATTRIBUTE_PREFIX_DOVECOT_PVT)) == 0) {
> 
> So the path pvt/server appears to be forbidden.
> 
> But, in the file lib-storage/mailbox-attribute.h we can read the following
comment:
> 
> /* User can get/set all non-pvt/ attributes and also pvt/server/
>    (but not pvt/server/pvt/) attributes. */
> 
> And, after said comment there is the definition of the macro
MAILBOX_ATTRIBUTE_KEY_IS_USER_ACCESSIBLE(key)
> which has the same basic function of the condition in imap-metadata.c , but
in this case
> the same imap key is seen as accessible.
> 
> Now my questions:
> 
> Can we use a negated version of
MAILBOX_ATTRIBUTE_KEY_IS_USER_ACCESSIBLE(key) in imap-metadata?
> How can the push-notification plugin work out-of-the-box without changes
and recompilation?
> 
> Thank you for your valuable time and forgive me if I'm posing a dumb
question.
Please see instructions at
http://oxpedia.org/wiki/index.php?title=AppSuite:OX_Mail#Setup_of_the_Dovecot_Push
In case the problem is not resolved, do attach your doveconf -n output to the
next mail.

br,
Teemu
> 
> Best wishes,
> Giovanni S. Fois

[cut]

On 04/22/2016 02:57 PM, Teemu Huovila wrote:
> Why cant I set the following mailbox metadata key?
> /private/vendor/vendor.dovecot/pvt/server/vendor/vendor.dovecot/http-notify
> Why do you want to set it there? Have you tried setting it on some mailbox
path?
Do you mean by editing directly the metadata file instead of accessing it with
an Imap command?
The answer to this question is that I don't have the direct access to the
physical mailboxes.
>> Let me explain the context:
>>
>> I'm using the Dovecot version 2.23.1, but the same happens for the
2.2.22
>>
>> The push-notification plugin is supposed to send out a notification
whenever
>> a mailbox get a new email message.
>>
>> In order to tell if a mailbox is enabled to send out the notification,
the plugin
>> looks out for the following mailbox metadata key:
>>
/private/vendor/vendor.dovecot/pvt/server/vendor/vendor.dovecot/http-notify
>>
>> If the key is set then everything is OK and the notification is sent,
otherwise the
>> action is skipped.
>>
>> If I try to setup the metadata key by hand (telnet as the user over the
imap port):
>> setmetadata INBOX
(/private/vendor/vendor.dovecot/pvt/server/vendor/vendor.dovecot/http-notify
"user=myuser at mydomain.com")
>>
>> I get the error message: "Internal mailbox attributes cannot be
accessed"
>>
>> Digging in the Dovecot 2.2.22 sources i found that:
>>
>> This string is from lib-imap-storage/imap-metadata.c - line 36 -
Dovecot 2.2.22
>> The message is triggered by the following condition - same file - line
125  - Dovecot 2.2.22
>>
>> if (strncmp(*key_r, MAILBOX_ATTRIBUTE_PREFIX_DOVECOT_PVT,
>>                      strlen(MAILBOX_ATTRIBUTE_PREFIX_DOVECOT_PVT)) ==
0) {
>>
>> So the path pvt/server appears to be forbidden.
>>
>> But, in the file lib-storage/mailbox-attribute.h we can read the
following comment:
>>
>> /* User can get/set all non-pvt/ attributes and also pvt/server/
>>     (but not pvt/server/pvt/) attributes. */
>>
>> And, after said comment there is the definition of the macro
MAILBOX_ATTRIBUTE_KEY_IS_USER_ACCESSIBLE(key)
>> which has the same basic function of the condition in imap-metadata.c ,
but in this case
>> the same imap key is seen as accessible.
>>
>> Now my questions:
>>
>> Can we use a negated version of
MAILBOX_ATTRIBUTE_KEY_IS_USER_ACCESSIBLE(key) in imap-metadata?
>> How can the push-notification plugin work out-of-the-box without
changes and recompilation?
>>
>> Thank you for your valuable time and forgive me if I'm posing a
dumb question.
> Please see instructions at
http://oxpedia.org/wiki/index.php?title=AppSuite:OX_Mail#Setup_of_the_Dovecot_Push
> In case the problem is not resolved, do attach your doveconf -n output to
the next mail.
I have read the instructions, and enabled the metadata options and enabled the
lmtp and lda parts as
stated in the instructions.
I understand that the instructions talk about the Dovecot
"http-notify" plugin, which I suppose is
the old name of the push_notification plugin.
I understand that the Ox Appsuite Mail uses the following imap key 
"/private/vendor/vendor.dovecot/http-notify" instead of the one
declared by
the plugin.

I'm not using the OX Appsuite Mail, I just need to get out the notifications
out of the plugin
towards some url of mine which will take care of the message.
In order to get there I need to write said metadata key in the INBOX folders
metadata .

I know I could write my own plugin or I could recompile the push_notification
plugin after changing
the key.
The problem with this is that my sysadmin wants to install and keep everything
updated using only
original packages.

Attached to this email you will find the output of the dovecot -n command.

I'll be grateful for any hint and suggestion.

Thank you for your time and patience.

Giovanni










-------------- next part --------------
# 2.2.23.1 (b1f5a4f): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.13 (93c6eee)
# OS: Linux 3.2.0-4-amd64 x86_64 Debian 7.10 
auth_debug = yes
auth_default_realm = mydomain.it
auth_master_user_separator = *
auth_mechanisms = cram-md5 digest-md5 plain
auth_realms = mydomain.it
auth_username_format = %Ln at mydomain.it
auth_verbose = yes
base_dir = /var/run/dovecot/
disable_plaintext_auth = no
dotlock_use_excl = no
imap_capability = IMAP4rev1 UIDPLUS NAMESPACE QUOTA CHILDREN SORT ID
imap_client_workarounds = delay-newmail tb-extra-mailbox-sep tb-lsub-flags
imap_id_log = *
listen = *
mail_attribute_dict = file:%h/Maildir/dovecot-attributes
mail_debug = yes
mail_fsync = always
mail_gid = 9999
mail_location = sdbox:~/dbox:ALT=/mbx_alt/%5.2h_t2/%12.6h%u
mail_plugins = quota stats notify
mail_uid = 9999
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character
vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy
include variables body enotify environment mailbox date index ihave duplicate
mime foreverypart extracttext vacation-seconds editheader
mmap_disable = yes
namespace inbox {
  inbox = yes
  location = 
  mailbox Draft {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox Spam {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Trashcan {
    auto = subscribe
    special_use = \Trash
  }
  prefix = 
  separator = /
}
passdb {
  args = /etc/dovecot/master-users
  driver = passwd-file
  master = yes
  pass = yes
}
passdb {
  args = nopassword=y
  driver = static
}
plugin {
  push_notification_driver = ox:url=http://mydomain.it/push_notify.php
  quota = dict:User quota::redis:host=10.39.117.15:port=6400
  quota_grace = 10M
  quota_rule = *:storage=10G
  quota_rule2 = Trash:storage=+100M
  quota_warning = storage=95%% quota-warning 95 %u
  quota_warning2 = storage=80%% quota-warning 80 %u
  sieve = file:~/sieve;active=~/.dovecot.sieve
  sieve_before = file:~/sieve/sender_blacklist.sieve
  sieve_before2 = file:~/sieve/interceptor.sieve
  sieve_before3 = file:~/sieve/forward_vacation.sieve
  sieve_extensions = +vacation +vacation-seconds +editheader
  sieve_vacation_default_period = 1h
  sieve_vacation_max_period = 30d
  sieve_vacation_min_period = 60s
  stats_refresh = 30 secs
  stats_track_cmds = yes
}
protocols = imap pop3 lmtp sieve
service imap-login {
  inet_listener imap {
    address = 10.39.117.15
    port = 143
  }
  service_count = 0
}
service imap-postlogin {
  executable = script-login -d /etc/dovecot/postlogin.sh imap
  user = $default_internal_user
}
service imap {
  executable = imap imap-postlogin
}
service lmtp {
  inet_listener lmtp {
    address = 10.39.117.15
    port = 24
  }
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
  service_count = 1
  vsz_limit = 64 M
}
service pop-postlogin {
  executable = script-login -d /etc/dovecot/postlogin.sh pop3
  user = $default_internal_user
}
service pop3-login {
  inet_listener pop3 {
    address = 10.39.117.15
    port = 110
  }
}
service pop3 {
  executable = pop3 pop-postlogin
}
service stats {
  fifo_listener stats-mail {
    mode = 0600
    user = doveuser
  }
}
ssl = no
stats_memory_limit = 64 M
submission_host = director-1.mydomain.it
userdb {
  args = /etc/dovecot/conf.d/dovecot-dict-auth.conf.ext
  driver = dict
}
protocol lmtp {
  mail_plugins = quota stats notify sieve  notify push_notification
}
protocol lda {
  mail_plugins = quota stats notify notify push_notification
}
protocol imap {
  imap_metadata = yes
  mail_plugins = quota stats notify imap_quota imap_stats
}
protocol sieve {
  mail_max_userip_connections = 100
}

On 22 Apr 2016, at 15:17, Giovanni S. Fois <giovanni at giovannisfois.net>
wrote:
> 
> In order to tell if a mailbox is enabled to send out the notification, the
plugin
> looks out for the following mailbox metadata key:
> /private/vendor/vendor.dovecot/pvt/server/vendor/vendor.dovecot/http-notify
> 
> If the key is set then everything is OK and the notification is sent,
otherwise the
> action is skipped.
> 
> If I try to setup the metadata key by hand (telnet as the user over the
imap port):
> setmetadata INBOX
(/private/vendor/vendor.dovecot/pvt/server/vendor/vendor.dovecot/http-notify
"user=myuser at mydomain.com")
> 
> I get the error message: "Internal mailbox attributes cannot be
accessed"
Server metadata is set with:

a SETMETADATA "" (/private/vendor/vendor.dovecot/http-notify
"user=myuser at mydomain.com")

Which should internally map into the INBOX's
/private/vendor/vendor.dovecot/pvt/server/vendor/vendor.dovecot/http-notify.

On 2016-04-22 09:07 PM, Timo Sirainen wrote:
> On 22 Apr 2016, at 15:17, Giovanni S. Fois <giovanni at
giovannisfois.net> wrote:
>> In order to tell if a mailbox is enabled to send out the notification,
the plugin
>> looks out for the following mailbox metadata key:
>>
/private/vendor/vendor.dovecot/pvt/server/vendor/vendor.dovecot/http-notify
>>
>> If the key is set then everything is OK and the notification is sent,
otherwise the
>> action is skipped.
>>
>> If I try to setup the metadata key by hand (telnet as the user over the
imap port):
>> setmetadata INBOX
(/private/vendor/vendor.dovecot/pvt/server/vendor/vendor.dovecot/http-notify
"user=myuser at mydomain.com")
>>
>> I get the error message: "Internal mailbox attributes cannot be
accessed"
> Server metadata is set with:
>
> a SETMETADATA "" (/private/vendor/vendor.dovecot/http-notify
"user=myuser at mydomain.com")
>
> Which should internally map into the INBOX's
/private/vendor/vendor.dovecot/pvt/server/vendor/vendor.dovecot/http-notify.
>
I am sorry, but this is not working.
As you suggested I have launched the imap commands:

a setmetadata ""  (/private/vendor/vendor.dovecot/http-notify 
"user=myuser at mydomain.com")
b getmetadata ""
"/private/vendor/vendor.dovecot/http-notify"
c getmetadata "INBOX" 
"/private/vendor/vendor.dovecot/pvt/server/vendor/vendor.dovecot/http-notify"

the 'b' command returns a sort of json with the correct result
the 'c' command returns NIL

By the way,  hardcoding the key as 
"/private/vendor/vendor.dovecot/http-notify" and recompiling the
plugin
has the effect to bring the system on the expected course.

Thank you again for your time and kind support.

Have a good weekend,
Giovanni