Hello

Is it possible to limit the ability of sharing its own mailboxes to only a few users? We have a few sensitive mailboxes of users where the ability to share via IMAP SETACL should be prevented.

I tried the following so far:

  doveadm acl remove -u test@onnet.ch INBOX user=test@onnet.ch admin

but when doing this the admin rights are still there:

  doveadm acl rights -u test@onnet.ch INBOX

  vmail@buserver:~$ doveadm acl rights -u test@onnet.ch INBOX
  Rights
  lookup read write write-seen write-deleted insert post expunge create delete admin

Thanks in advance for your help
Simeon
You could do

userdb {
  driver = username_format=%Lu passwd-file
  args = /etc/dovecot/share.passwd
}

# /etc/dovecot/share.passwd
test@onnet.ch::::::: userdb_acl=vfile:/etc/dovecot/dovecot-acl userdb_acl_globals_only = yes

should prevent the user from modifying any ACL files.

Aki

On 05.08.2018 17:04, Simeon Ott wrote:
> Hello
>
> Is it possible to limit the ability of sharing its own mailboxes to
> only a few users?
> We have a few sensitive mailboxes of users where the ability to share
> via IMAP SETACL should be prevented.
>
> I tried the following so far:
>   doveadm acl remove -u test@onnet.ch INBOX user=test@onnet.ch admin
>
> but when doing this the admin rights are still there
>   doveadm acl rights -u test@onnet.ch INBOX
>   vmail@buserver:~$ doveadm acl rights -u test@onnet.ch INBOX
>   Rights
>   lookup read write write-seen write-deleted insert post expunge
>   create delete admin
>
> Thanks in advance for your help
> Simeon
On 06.08.2018 08:26, Aki Tuomi wrote:
> You could do
>
> userdb {
>   driver = username_format=%Lu passwd-file
>   args = /etc/dovecot/share.passwd
> }
>
> # /etc/dovecot/share.passwd
> test@onnet.ch::::::: userdb_acl=vfile:/etc/dovecot/dovecot-acl userdb_acl_globals_only = yes
>
> should prevent the user from modifying any ACL files.
>
> Aki

userdb_acl_globals_only=yes should be written without spaces...

Aki

> On 05.08.2018 17:04, Simeon Ott wrote:
>> Hello
>>
>> Is it possible to limit the ability of sharing its own mailboxes to
>> only a few users?
>> We have a few sensitive mailboxes of users where the ability to share
>> via IMAP SETACL should be prevented.
>>
>> I tried the following so far:
>>   doveadm acl remove -u test@onnet.ch INBOX user=test@onnet.ch admin
>>
>> but when doing this the admin rights are still there
>>   doveadm acl rights -u test@onnet.ch INBOX
>>   vmail@buserver:~$ doveadm acl rights -u test@onnet.ch INBOX
>>   Rights
>>   lookup read write write-seen write-deleted insert post expunge
>>   create delete admin
>>
>> Thanks in advance for your help
>> Simeon
> On 6 Aug 2018, at 8.26, Aki Tuomi <aki.tuomi@dovecot.fi> wrote:
>
> You could do
>
> userdb {
>   driver = username_format=%Lu passwd-file
>   args = /etc/dovecot/share.passwd
> }
>
> # /etc/dovecot/share.passwd
> test@onnet.ch::::::: userdb_acl=vfile:/etc/dovecot/dovecot-acl userdb_acl_globals_only = yes
>
> should prevent the user from modifying any ACL files.

Close, but a few typos. userdb should be:

userdb {
  driver = passwd-file
  args = username_format=%Lu /etc/dovecot/share.passwd
}

Sami
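The two corrections in this thread (no spaces around "=" in the passwd-file extra fields, and a bare driver name with username_format moved into args) are easy to get wrong and fail silently, so they are worth checking mechanically. The script below is an added example, not code from the thread or from Dovecot: it parses the passwd-file format (user:password:uid:gid:gecos:home:shell:extra, with space-separated key=value extra fields), reports which users carry the userdb_acl=... plus userdb_acl_globals_only=yes lock-down, flags the "key = value" spacing mistake Aki pointed out, and checks that a userdb { } block uses a real driver name as Sami described. The sample file contents, the example.invalid users and the list of driver names are constructed for the example.

```python
"""Audit a Dovecot passwd-file userdb and userdb block for the ACL lock-down
fields discussed in the thread.  Added example; not Dovecot code."""
import re

# Constructed sample of /etc/dovecot/share.passwd (hypothetical content):
#  - test@onnet.ch: the entry as Aki intended, written without spaces
#  - ceo@example.invalid: the "userdb_acl_globals_only = yes" spacing mistake
#  - alice@example.invalid: an ordinary user with no lock-down fields
SAMPLE_SHARE_PASSWD = """\
# users that must not be able to SETACL their own mailboxes
test@onnet.ch::::::: userdb_acl=vfile:/etc/dovecot/dovecot-acl userdb_acl_globals_only=yes
ceo@example.invalid:::::::userdb_acl=vfile:/etc/dovecot/dovecot-acl userdb_acl_globals_only = yes
alice@example.invalid:::::::
"""

# Constructed userdb blocks: the driver/args mix-up from the thread and Sami's fix.
SAMPLE_USERDB_BAD = """\
userdb {
  driver = username_format=%Lu passwd-file
  args = /etc/dovecot/share.passwd
}
"""
SAMPLE_USERDB_GOOD = """\
userdb {
  driver = passwd-file
  args = username_format=%Lu /etc/dovecot/share.passwd
}
"""

# Partial list of Dovecot userdb driver names (assumption: enough for this check).
KNOWN_USERDB_DRIVERS = {"passwd-file", "passwd", "static", "ldap", "sql", "prefetch", "dict"}


def parse_passwd_file(text):
    """Parse passwd-file lines user:password:uid:gid:gecos:home:shell:extra.
    Returns {user: {"extra": {key: value}, "problems": [str]}}."""
    result = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 7)          # colons inside the extra field are kept
        user = fields[0]
        extra_raw = fields[7].strip() if len(fields) == 8 else ""
        extra, problems = {}, []
        for token in extra_raw.split():
            key, sep, value = token.partition("=")
            if not sep or not key:
                # "key = value" splits into three tokens; none of them is a
                # proper key=value pair, so the setting is not applied as intended.
                problems.append(f"line {lineno}: malformed extra field token {token!r}")
                continue
            extra[key] = value
        result[user] = {"extra": extra, "problems": problems}
    return result


def acl_lockdown_status(entries):
    """'locked' when userdb_acl is set and userdb_acl_globals_only=yes,
    'malformed' when the extra field did not parse cleanly, else 'unrestricted'."""
    status = {}
    for user, info in entries.items():
        extra = info["extra"]
        if info["problems"]:
            status[user] = "malformed"
        elif "userdb_acl" in extra and extra.get("userdb_acl_globals_only") == "yes":
            status[user] = "locked"
        else:
            status[user] = "unrestricted"
    return status


_SETTING = re.compile(r"^\s*(driver|args)\s*=\s*(.*?)\s*$", re.M)


def check_userdb_block(conf):
    """Return problems with a userdb { } block: the driver setting must be a
    bare driver name (options such as username_format belong in args)."""
    settings = dict(_SETTING.findall(conf))
    problems = []
    driver = settings.get("driver", "")
    if driver not in KNOWN_USERDB_DRIVERS:
        problems.append(f"driver {driver!r} is not a driver name; move extra options to args")
    if "args" not in settings:
        problems.append("userdb block has no args setting")
    return problems


if __name__ == "__main__":
    entries = parse_passwd_file(SAMPLE_SHARE_PASSWD)
    for user, state in acl_lockdown_status(entries).items():
        print(f"{user}: {state}")
        for problem in entries[user]["problems"]:
            print("   ", problem)
    for name, conf in (("bad", SAMPLE_USERDB_BAD), ("good", SAMPLE_USERDB_GOOD)):
        print(name, check_userdb_block(conf) or "ok")
```

After changing the server configuration, the same `doveadm acl rights -u test@onnet.ch INBOX` command from the first message shows the rights Dovecot now computes for that user.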
Thanks for the advice Aki

> On 6 Aug 2018, at 07:26, Aki Tuomi <aki.tuomi@dovecot.fi> wrote:
>
> userdb {
>   driver = username_format=%Lu passwd-file
>   args = /etc/dovecot/share.passwd
> }

Something is wrong with the suggested driver configuration: it leads to a fatal. I think a driver name is missing. Any chance of doing this via LDAP attribute?

Here is my working config (without your suggestion):

# 2.2.13: /etc/dovecot/dovecot.conf
# OS: Linux 3.16.0-6-amd64 x86_64 Debian 8.11
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = plain
debug_log_path = syslog
disable_plaintext_auth = no
info_log_path = syslog
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c
mail_debug = yes
mail_gid = 5000
mail_location = maildir:~/Maildir
mail_plugins = zlib quota acl
mail_uid = 5000
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace {
  hidden = no
  ignore_on_failure = no
  inbox = no
  list = children
  location = maildir:%%h/Maildir:INDEX=%h/shared/%%u:CONTROL=%h/shared/%%u
  prefix = shared/%%u/
  separator = /
  subscriptions = yes
  type = shared
}
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Spam {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix =
  separator = /
  type = private
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf
  driver = ldap
}
plugin {
  acl = vfile
  acl_shared_dict = file:/var/spool/postfix/virtual/shared-mailboxes
  quota = maildir:User quota
  quota_exceeded_message = 4.2.2 Mailbox full
  quota_rule = *:storage=1G
  quota_rule2 = INBOX.Trash:storage=+100M
  quota_rule3 = INBOX.Spam:ignore
  quota_warning = storage=95%% quota-warning 95 %u
  sieve = ~/.dovecot.sieve
  sieve_before = /var/lib/dovecot/sieve/default.sieve
  sieve_dir = ~/sieve
  sieve_max_actions = 32
  sieve_max_redirects = 4
  sieve_max_script_size = 1M
  sieve_quota_max_scripts = 0
  sieve_quota_max_storage = 0
}
protocols = " imap lmtp sieve pop3"
service auth {
  group = dovecot
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-master {
    group = vmail
    mode = 0666
    user = vmail
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0666
    user = vmail
  }
  user = dovecot
}
service lmtp {
  unix_listener lmtp {
    mode = 0666
  }
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
  inet_listener sieve_deprecated {
    port = 2000
  }
  process_min_avail = 0
  service_count = 1
  vsz_limit = 64 M
}
ssl = no
userdb {
  args = /etc/dovecot/dovecot-ldap.conf
  driver = ldap
}
protocol lmtp {
  mail_plugins = zlib quota acl sieve
}
protocol lda {
  auth_socket_path = /var/run/dovecot/auth-master
  deliver_log_format = msgid=%m: %$
  mail_plugins = zlib quota acl sieve
  postmaster_address = postmaster@onnet.ch
}
protocol imap {
  mail_plugins = zlib quota acl imap_quota imap_acl
}
protocol sieve {
  info_log_path = /var/log/sieve.log
  log_path = /var/log/sieve.log
  mail_max_userip_connections = 10
  managesieve_implementation_string = Dovecot Pigeonhole
  managesieve_logout_format = bytes=%i/%o
  managesieve_max_compile_errors = 5
  managesieve_max_line_length = 65536
}

Thanks in advance for your help