dovecot - Feb 2020 - shared folder name or public folder with mail address

On 2/14/20 11:44 AM, Tobias Kirchhofer wrote:
> On 14 Feb 2020, at 11:06, Armin Schindler wrote:
> 
>     Hello!
> 
>     we are about to move from cyrus to dovecot and have one open issue
>     for that migration.
>     With cyrus we have "shared/" folders with a name that is self
defined like
>     shared/project-xyz
>     but the email address for direct delivery to that folder my be
different
>     (not project-xyz at domain.com <mailto:project-xyz at
domain.com>).
> 
>     With dovecot we try to have it similar (at least how the user sees it
in the client)
>     like it is now.
> 
>     When configuring a namespace of type=shared, I see in the docs the the
prefix
>     can be configured with %%u , %%n or %%d. But is it possible to
configure
>     the name different to the email address? E.g. to hide the email address
of
>     that folder and show a nice name instead?
> 
>     I also thought about using public namespace instead. Does this make
sense here?
>     With public (maybe configured with prefix=shared/) folder I can set any
name
>     as subdir in prefix, right?
>     So would this be more like what we have with cyrus shared folder?
> 
>     If so, how could these public folders have an email address for direct
mail delivery into?
>     Can something like a global sieve rule do that? Or can a public folder
have an email address?
> 
>     Thanks in advance.
>     Armin
> 
> Hi, we went through this some years ago. It is a bit tricky in the details.
Involved is postfix,
> public namespace, subscriptions, acl, sieve.
> 
> We found a quite comprehensive solution so far. It is working similar to
Cyrus shared folder. Do not
> mix the names. Cyrus ?shared? folders are ?public? folders in Dovecot.
Dovecot ?shared? folders are
> personally shared folders from one user to another.
> 
> For our new setup (planned with CentOS 8, waiting for the official repo for
the latest dovecot
> version?) we have a prototype on Debian base with the latest version of
Dovecot. In opposite to our
> current solution we will implement global acls with user and groups from
LDAP. This is very nice.
Wow, thanks. This seem to be exactly what I need to go on.
Our base system is a Univention UCS, so LDAP users and groups is what we already
have working :-)

With your elements I think we really could have the cyrus shared folders with
dovecot by
using a namespace of
 type=public
but with
 prefix=shared/
(we might use type=shared with prefix=usershared/ later).

Or is the idea of just *one* public folder with name "shared" and with
subdirs for different "projects/departments/topics" not working as
expected?

ACL is something I didn't look at yet. Is it possible to set different
permissions
for the folders in the public prefix like /shared/dir1 , /shared/dir2 , etc.
or even for sub-subfolders?
Global ACLs aren't neccessary when using folder acls, right?

Armin

> Some elements:
> 
> Global ACL:
> |
> [..]
> Newsletter group=administrator lrwstipekxa
> Newsletter/* group=team lrwstipe
> Newsletter/* user=name at domain.tld lrwstipe
> [?]
> |
> 
> Public folder:
> |
> namespace {
> type = public
> prefix = Newsletter/
> separator = /
> location =
maildir:/var/vmail/public/$DOMAIN/newsletter:LAYOUT=fs:INDEXPVT=~/public/$DOMAIN/newsletter
> subscriptions = no
> hidden = no
> list = children
> }
> |
> 
> Subscriptions (! This one was tricky)
> ```
> namespace subscriptions {
> subscriptions = yes
> prefix > separator = /
> list = no
> hidden = yes
> }
> 
> namespace inbox {
> inbox = yes
> separator = /
> prefix = INBOX/
> subscriptions = no
> [?]
> ```
> 
> ?Dovecot? Shared folder (optional):
> |
> namespace shared {
> type = shared
> separator = /
> prefix = Shared/%%u/
> location = maildir:%%h/:INDEXPVT=~/shared/%%u
> list = children
> subscriptions = no
> }
> |
> 
> The sorting in the according public folder happens in a global sieve script
before user scripts are
> fireing. It is combined with the ?+? notation in postfix for sub addresses
and an special ?listadm? user
> 
> postfix:
> |
> listadm+Verteiler/info@$DOMAIN
> |
> 
> The sieve script is then reading the generated address and delivers it into
the according public
> folder. We learned a lot about sieve scripting with this task :-)
> 
> |sieve_before = /var/vmail/sieve/global/global-before.sieve [?] |
> 
> More details would be to much here.
> 
> To be honest, we needed some time to get it done properly. It is a
combination of features and A LOT
> OF testing and analysing the behaviour of
postfix/dovecot/public-folder/sieve/acl. For now we have a
> Public folder setup which is as nice like it is with Cyrus. With Cyrus this
issue is less complex to
> implement.
> 
> Maybe this helps a bit. Take exclusivly one to two weeks for this task and
read and test a lot! :-)
> 
> Tobias
> 
> -- 
> collect at shift.agency <mailto:collect at shift.agency>
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2900 bytes
Desc: S/MIME Cryptographic Signature
URL:
<https://dovecot.org/pipermail/dovecot/attachments/20200214/5873cbf2/attachment.p7s>

On 14 Feb 2020, at 14:05, Armin Schindler wrote:
> On 2/14/20 11:44 AM, Tobias Kirchhofer wrote:
>> On 14 Feb 2020, at 11:06, Armin Schindler wrote:
>>
>>     Hello!
[?]
>> For our new setup (planned with CentOS 8, waiting for the official 
>> repo for the latest dovecot
>> version?) we have a prototype on Debian base with the latest 
>> version of Dovecot. In opposite to our
>> current solution we will implement global acls with user and groups 
>> from LDAP. This is very nice.
>
> Wow, thanks. This seem to be exactly what I need to go on.
> Our base system is a Univention UCS, so LDAP users and groups is what 
> we already have working :-)
>
> With your elements I think we really could have the cyrus shared 
> folders with dovecot by
> using a namespace of
>  type=public
> but with
>  prefix=shared/
> (we might use type=shared with prefix=usershared/ later).
There is not something like one way do to this. You could also make your 
life easier and choose to create a ?Share user? which is only there 
to share folders. This will then be Dovecot ?Shared folders? shared 
by this pseudo user to other users. You then could use Roundcube or such 
to maintain acl with this pseudo user. But we did not follow this path 
then for reasons i cannot remember anymore :)

For each Public folder we have a defined namespace. ?Newsletter?, 
?Client1?, ?Client2? etc. We have many, around 30 or so. ACL 
goes on this namespace (namespace/*). I guess ACL are first match. Each 
namespace has its own prefix. (eq. prefix = Newsletter/, prefix = 
Client1 etc.) User can subscribe namespace by namespace acl assumed.

But as i sad - by writing this i get nervous, cause i now that you must 
immerse deeply with this topic. Otherwise you will not get happy :)

Tobias
> Or is the idea of just *one* public folder with name "shared" and
with
> subdirs for different "projects/departments/topics" not working
as
> expected?
>
> ACL is something I didn't look at yet. Is it possible to set different 
> permissions
> for the folders in the public prefix like /shared/dir1 , /shared/dir2 
> , etc.
> or even for sub-subfolders?
> Global ACLs aren't neccessary when using folder acls, right?
>
> Armin
[?]


-- 
collect at shift.agency

On 2/14/20 2:23 PM, Tobias Kirchhofer wrote:
> On 14 Feb 2020, at 14:05, Armin Schindler wrote:
> 
>> On 2/14/20 11:44 AM, Tobias Kirchhofer wrote:
>>> On 14 Feb 2020, at 11:06, Armin Schindler wrote:
>>>
>>> ??? Hello!
> 
> [?]
> 
>>> For our new setup (planned with CentOS 8, waiting for the official
repo for the latest dovecot
>>> version?) we have a prototype on Debian base with the latest
version of Dovecot. In opposite to our
>>> current solution we will implement global acls with user and groups
from LDAP. This is very nice.
>>
>> Wow, thanks. This seem to be exactly what I need to go on.
>> Our base system is a Univention UCS, so LDAP users and groups is what
we already have working :-)
>>
>> With your elements I think we really could have the cyrus shared
folders with dovecot by
>> using a namespace of
>> ?type=public
>> but with
>> ?prefix=shared/
>> (we might use type=shared with prefix=usershared/ later).
> 
> There is not something like one way do to this. You could also make your
life easier and choose to
> create a ?Share user? which is only there to share folders. This will then
be Dovecot ?Shared
> folders? shared by this pseudo user to other users. You then could use
Roundcube or such to maintain
> acl with this pseudo user. But we did not follow this path then for reasons
i cannot remember
> anymore :)
> 
> For each Public folder we have a defined namespace. ?Newsletter?,
?Client1?, ?Client2? etc. We have
> many, around 30 or so. ACL goes on this namespace (namespace/*). I guess
ACL are first match. Each
> namespace has its own prefix. (eq. prefix = Newsletter/, prefix = Client1
etc.) User can subscribe
> namespace by namespace acl assumed.
What is the benefit using own namespace for each public folder?
If the config is equal for all folders, wouldn't one namespace with
subfolders
be the same?
One public namespace would look like it is with cyrus in the client: one
"shared/"
folder to open/close.

Armin


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2900 bytes
Desc: S/MIME Cryptographic Signature
URL:
<https://dovecot.org/pipermail/dovecot/attachments/20200214/2324d8d9/attachment.p7s>