Andreas T (DC)
2020-Jul-22 12:42 UTC
Mailbox sharing, user to user in same domain, OK! User to user sharing in separate domains, problem. ( ... and more oh boy!)
Dovecot -n and version present at the bottom of the email for legibility.
System is a Debian 10 + Virtualmin hosting setup for my domains
-------------------------------------------------------------------

Hello everyone, my first post. Sorry for the long and confusing post, I'm pretty new to dovecot other than basic functionality.

I recently in the last week went through the documentation for both shared (user to user) and public mailboxes and got them both working. Took me a bit but eventually I figured it out, but I am still encountering some stubborn scenarios.

I am having some issues with 2 types of sharing. (I believe problems A + B are related, as the error is a similar permission-based error.)

For inconsistencies in the user account names, user at domain.com vs user-domain.com, please see issue C, for which my workaround is functional.

A.)

Sharing user to user within the same domain works fine.
Sharing user to user in different domains gives me some permission errors.
Permissions have been granted (using Linux ACLs for more fine-grained permissions) as far as I can tell.

Trying to share the info "INBOX" (fullshare, same issue for single boxes as well) from info at primarydomain.com to user at externaldomain.com

from info at primarydomain.com Maildir

cat dovecot-acl
user=user-externaldomain.com akxeilprwts

getfacl dovecot-acl
# file: dovecot-acl
# owner: info at primarydomain.com
# group: primarydomain.com
user::rw-
user:user at externaldomain.com:rwx    #effective:rw-
user:info at primarydomain.com:rwx     #effective:rw-
group::---
mask::rw-
other::---

doveadm acl debug -u user-externaldomain.com "@/info at primarydomain.com/INBOX"

doveadm(user-externaldomain.com): Error: stat(/home/primarydomain.com/homes/info/Maildir/tmp) failed: Permission denied (euid=1121(user at externaldomain.com) egid=1091(holanow.com) missing +x perm: /home/primarydomain.com, we're not in group 1092(primarydomain.com), dir owned by 1126:1092 mode=0750)
doveadm(user-externaldomain.com): Error: Can't open mailbox @/info at primarydomain.com/INBOX: stat(/home/primarydomain.com/homes/info/Maildir/tmp) failed: Permission denied (euid=1121(user at externaldomain.com) egid=1091(holanow.com) missing +x perm: /home/primarydomain.com, we're not in group 1092(primarydomain.com), dir owned by 1126:1092 mode=0750)

getfacl /home/primarydomain.com/homes/info/Maildir/tmp
# file: home/primarydomain.com/homes/info/Maildir/tmp
# owner: info at primarydomain.com
# group: primarydomain.com
user::rwx
user:user at externaldomain.com:rwx
user:info at primarydomain.com:rwx
group::---
mask::rwx
other::---
default:user::rwx
default:user:user at externaldomain.com:rwx
default:user:info at primarydomain.com:rwx
default:group::---
default:mask::rwx
default:other::---

getfacl /home/primarydomain.com/homes/info/Maildir
# file: home/primarydomain.com/homes/info/Maildir/
# owner: info at primarydomain.com
# group: primarydomain.com
user::rwx
user:user at externaldomain.com:rwx
user:info at primarydomain.com:rwx
group::---
mask::rwx
other::---
default:user::rwx
default:user:user at externaldomain.com:rwx
default:user:info at primarydomain.com:rwx
default:group::---
default:mask::rwx
default:other::---

B.)

Public mailbox, mailboxes that are physically present on the public mail dir, work fine.
Public boxes which are symlinks to mailboxes of other users, with correct permissions and ACL, always give me permission errors and do not show up publicly.
These types of mailboxes do show up if the person already has a user to user share set up with those boxes, which due to problem A means only within the same domain.

Similar errors as in the A scenario; even if giving complete rwx access to all (user/group/other) I still get permission denied issues.
It just feels like dovecot isn't even trying to access the files.

C. Tiny "other" problem I have worked around already.

dovecot-acl, when using users via their user at domain.com account, doesn't look up the user correctly.
I already have set
auth_username_translation = @-
which works for when users log in, but it doesn't seem to work with dovecot-acl files.
I have helper account pointers replacing the @ with - and then the ACL file works fine.

Would prefer acl files to contain:

user=user1 at primarydomain.com akxeilprwts
user=user2 at primarydomain.com akxeilprwts

But this works and is not a show stopper.

user=user1-primarydomain.com akxeilprwts
user=user2-primarydomain.com akxeilprwts

--------------------------------------------

dovecot --version
2.3.4.1 (f79e8e7e4)

# 2.3.4.1 (f79e8e7e4): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.4 ()
# OS: Linux 5.4.44-2-pve x86_64 Debian 10.4
# Hostname: vps1.abclution.com
doveconf: Warning: please set ssl_dh=</etc/dovecot/dh.pem
doveconf: Warning: You can generate it with: dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dhparam -inform der > /etc/dovecot/dh.pem
auth_mechanisms = plain login
auth_username_translation = @-
mail_debug = yes
mail_location = maildir:~/Maildir
mail_plugins = acl
namespace inbox {
  inbox = yes
  location
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix
  separator = /
}
namespace public_ns1 {
  location = maildir:/home/.Public_Mailboxes:INDEX=~/Maildir/public_ns1:INDEXPVT=~/Maildir/public_ns1
  prefix = Public/
  separator = /
  subscriptions = no
  type = public
}
namespace shared_ns1 {
  list = yes
  location = maildir:%%h/Maildir:INDEX=~/Maildir/shared_ns1/%%u:INDEXPVT=~/Maildir/shared_ns1/%%u
  prefix = @/%%u/
  separator = /
  subscriptions = no
  type = shared
}
passdb {
  driver = pam
}
plugin {
  acl = vfile
  acl_anyone = allow
  acl_defaults_from_inbox = yes
  acl_shared_dict = file:%h/Maildir/shared-mailboxes
}
protocols = " imap pop3"
service auth {
  unix_listener auth-userdb {
    mode = 0777
  }
}
ssl_cert = </etc/dovecot/dovecot.cert.pem
ssl_cipher_list = ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:RC4:HIGH:MEDIUM:+TLSv1:+TLSv1.1:+TLSv1.2:!MD5:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_prefer_server_ciphers = yes
userdb {
  driver = passwd
}
protocol imap {
  mail_plugins = acl imap_acl
}
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://dovecot.org/pipermail/dovecot/attachments/20200722/ea5c48d0/attachment.html>
Andreas T (DC)
2020-Jul-22 18:54 UTC
Mailbox sharing, user to user in same domain, OK! User to user sharing in separate domains, problem. ( ... and more oh boy!)
Ok, to answer my own mail: I realized I was reading some of the error messages wrongly; it turns out that I was missing +x on a directory or two in the path for one of my groups. So I have made a bit of progress but am currently stuck here.

doveadm(user-externaldomain.com): Debug: acl vfile: Global ACLs disabled
doveadm(user-externaldomain.com): Error: fchown(/home/externaldomain.com/homes/user/Maildir/shared_ns1/info at primarydomain.com, group=1092(primarydomain.com)) failed: Operation not permitted (egid=1091(externaldomain.com), group based on /home/primarydomain.com/homes/info/Maildir - see http://wiki2.dovecot.org/Errors/ChgrpNoPerm)
doveadm(user-externaldomain.com): Error: Mailbox @/info at primarydomain.com/INBOX: mkdir_parents(/home/externaldomain.com/homes/user/Maildir/shared_ns1/info at primarydomain.com/.INBOX) failed: Operation not permitted
doveadm(user-externaldomain.com): Error: Can't open mailbox @/info at primarydomain.eu/INBOX: Mailbox @/info at primarydomain.com/INBOX: mkdir_parents(/home/externaldomain.com/homes/user/Maildir/shared_ns1/info at primarydomain.com/.INBOX) failed: Operation not permitted

I did go through the http://wiki2.dovecot.org/Errors/ChgrpNoPerm page and followed the recommended changes to the /var/mail directory, but it did not seem to make a difference.

Anyhow, I have pretty much resigned myself that it will not be possible to have shared mailboxes between domains on this system, at least with the namespaces running under each individual domain. For some reason, it's bending my brain what exactly is needed.

------ Original Message ------
From: "Andreas T (DC)" <andreas.tyrosvoutis at gmail.com>
To: "dovecot at dovecot.org" <dovecot at dovecot.org>
Sent: 2020-07-22 3:42:53 PM
Subject: Mailbox sharing, user to user in same domain, OK! User to user sharing in separate domains, problem. ( ... and more oh boy!)

>Dovecot -n and version present at the bottom of the email for legibility.
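As an added example, not code from this thread or from Dovecot, the following Python script models the two kernel-side checks behind the errors in both posts: the acl(5) access decision that produced "missing +x perm: /home/primarydomain.com" in the first post (including why getfacl printed "#effective:rw-" next to an rwx entry under a rw- mask), and the unprivileged chgrp rule behind the fchown(..., group=1092) / ChgrpNoPerm failure in the second. Every uid, gid, path and getfacl line in it is constructed to mirror the thread rather than taken from a real system, and the helper names (parse_getfacl, has_access, first_denied_component, can_chgrp) are this example's own.

```python
"""Constructed example, not code from this thread or from Dovecot: it models the
acl(5) access decision and the unprivileged chgrp rule behind the thread's two
errors. Every uid, gid, path and getfacl line below is made up."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

PERM_BITS = {"r", "w", "x"}

@dataclass
class Acl:
    owner_uid: int
    owner_gid: int
    user_obj: Set[str]                # user::  (owner)
    group_obj: Set[str]               # group:: (owning group)
    other: Set[str]                   # other::
    named_users: Dict[int, Set[str]] = field(default_factory=dict)
    named_groups: Dict[int, Set[str]] = field(default_factory=dict)
    mask: Optional[Set[str]] = None   # mask::, present once named entries exist

def parse_getfacl(text):
    """Parse one `getfacl -n` (numeric ids) block. default: entries are skipped
    (they shape new children, not access to this object); '#effective:' notes
    are dropped because has_access() applies the mask itself."""
    acl = Acl(0, 0, set(), set(), set())
    for raw in text.strip().splitlines():
        line = raw.split("#effective")[0].strip()
        if line.startswith("# owner:"):
            acl.owner_uid = int(line.split(":")[1])
        elif line.startswith("# group:"):
            acl.owner_gid = int(line.split(":")[1])
        elif not line or line[0] == "#" or line.startswith("default:"):
            continue
        else:
            tag, qual, perms = line.split(":")
            perms = {c for c in perms if c in PERM_BITS}
            if tag in ("user", "group") and qual:      # named user/group entry
                (acl.named_users if tag == "user" else acl.named_groups)[int(qual)] = perms
            else:                                      # user::, group::, mask::, other::
                setattr(acl, {"user": "user_obj", "group": "group_obj",
                              "mask": "mask", "other": "other"}[tag], perms)
    return acl

def has_access(acl, uid, gids, wanted):
    """acl(5): owner entry, else named user (masked), else any matching group
    entry (masked) holding all wanted bits, else other::. A matching group entry
    that lacks a bit denies outright; it never falls through to other::."""
    wanted = set(wanted)
    masked = (lambda p: p) if acl.mask is None else (lambda p: p & acl.mask)
    if uid == acl.owner_uid:
        return wanted <= acl.user_obj
    if uid in acl.named_users:
        return wanted <= masked(acl.named_users[uid])
    groups = [acl.group_obj] if acl.owner_gid in gids else []
    groups += [p for g, p in acl.named_groups.items() if g in gids]
    if groups:
        return any(wanted <= masked(p) for p in groups)
    return wanted <= acl.other

def first_denied_component(path, acls, uid, gids, leaf_wanted="rx"):
    """Walk `path` as stat()/open() do: every ancestor needs search (+x), the
    leaf needs `leaf_wanted`. Returns the first denying component, else None."""
    parts = path.strip("/").split("/")
    prefixes = ["/" + "/".join(parts[:i + 1]) for i in range(len(parts))]
    for p in prefixes[:-1]:
        if not has_access(acls[p], uid, gids, "x"):
            return p
    return None if has_access(acls[prefixes[-1]], uid, gids, leaf_wanted) else prefixes[-1]

def can_chgrp(acl, euid, egid, supp_gids, new_gid):
    """Unprivileged chgrp on Linux: the caller must own the object and the new
    group must be its egid or a supplementary group (CAP_CHOWN not modelled)."""
    return euid == acl.owner_uid and new_gid in ({egid} | set(supp_gids))

# Constructed identities mirroring the thread: the primary domain's tree is owned
# by uid 1126 / gid 1092; the external user runs as uid 1121 / gid 1091.
UID_EXT, GID_EXT, GID_PRIMARY = 1121, 1091, 1092
MAILDIR_TMP = "/home/primarydomain.com/homes/info/Maildir/tmp"
DOMAIN_HOME = "# owner: 1126\n# group: 1092\nuser::rwx\ngroup::r-x\nother::---"  # 0750, no ACL
# A search-only named entry for 1121 on the domain home is enough to traverse it.
FIXED_DOMAIN_HOME = DOMAIN_HOME.replace("group::r-x", "user:1121:--x\ngroup::r-x\nmask::r-x")
_SHARED = "# owner: 1126\n# group: 1092\nuser::rwx\nuser:1121:rwx\ngroup::---\nmask::rwx\nother::---"
ACLS = {"/home": parse_getfacl("# owner: 0\n# group: 0\nuser::rwx\ngroup::r-x\nother::r-x")}
for _p in ("/home/primarydomain.com/homes", "/home/primarydomain.com/homes/info",
           "/home/primarydomain.com/homes/info/Maildir", MAILDIR_TMP):
    ACLS[_p] = parse_getfacl(_SHARED)
# dovecot-acl as in the first post: named user rwx under mask rw- is effectively rw-.
DOVECOT_ACL_FILE = parse_getfacl("# owner: 1126\n# group: 1092\nuser::rw-\n"
                                 "user:1121:rwx\t#effective:rw-\ngroup::---\nmask::rw-\nother::---")
# Index directory Dovecot creates under the external user's own home (second post).
INDEX_DIR = parse_getfacl("# owner: 1121\n# group: 1091\nuser::rwx\ngroup::---\nother::---")

def diagnose_share(domain_home=DOMAIN_HOME):
    """First component stopping uid 1121 from reaching the shared Maildir/tmp, or
    None; pass FIXED_DOMAIN_HOME to check the repaired /home/primarydomain.com."""
    acls = {**ACLS, "/home/primarydomain.com": parse_getfacl(domain_home)}
    return first_denied_component(MAILDIR_TMP, acls, UID_EXT, {GID_EXT})

def index_chgrp_allowed(supp_gids=()):
    """Can the external user's Dovecot process chgrp its index dir to gid 1092?"""
    return can_chgrp(INDEX_DIR, UID_EXT, GID_EXT, supp_gids, GID_PRIMARY)
```

With the constructed data, diagnose_share() returns "/home/primarydomain.com" (the 0750 directory with no ACL entry for the external uid), and diagnose_share(FIXED_DOMAIN_HOME) returns None once that directory grants search permission to the external user, which is the same repair the second post describes. index_chgrp_allowed() is False until gid 1092 is a supplementary group of the external user's process, matching the ChgrpNoPerm condition; the mask also explains why the named rwx entry on dovecot-acl reads as rw-, which is harmless for a file that only needs to be read.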