Hello,

I am relatively new to the world of MTAs and MDAs, and I try to set up shared mailboxes.

So far I have somehow succeeded - I have defined a shared namespace and I have managed to create per-mailbox ACL files thanks to the doveadm command.

However, I have been following these resources and there were bits that have puzzled me:

When learning about how ACLs work in e.g. https://doc.dovecot.org/settings/plugin/acl/ - when one wishes to use the Global ACL file, how does one link it to a particular user's mailboxes? Examples that are listed in the documentation are far too generic. For example does "* user=foo lrw" imply that all mailboxes of all accounts are shared to the user foo? The doveadm command works only if dovecot is set up with per-mailbox ACL files, so I can't use it to reverse-engineer the correct syntax.

An interesting aspect of ACLs is dictionaries. I understood it as some kind of cache - if there is no dictionary or it is empty, then shared mailboxes don't work. Conversely, the dictionary itself is not enough, one needs actual ACLs set up correctly. Is this a correct understanding?

Next, what https://wiki.dovecot.org/SharedMailboxes/Shared and https://wiki.dovecot.org/Dictionary describe is a possibility to reference LDAP data to define an ACL dictionary. Do I understand it correctly that if an LDAP database is the single source of truth, then I don't have to worry about updating dictionaries as long as LDAP itself is up-to-date, but I have to keep ACLs and LDAP in sync manually (or using an application)?

Thanks,
Matej
On 9/14/2020 1:19 PM, Matej Tyc wrote:
> Hello,
>
> I am relatively new to the world of MTAs and MDAs, and I try to set up
> shared mailboxes.
>
> So far I have somehow succeeded - I have defined a shared namespace and
> I have managed to create per-mailbox ACL files thanks to the doveadm
> command.
>
> However, I have been following these resources and there were bits that
> have puzzled me:
>
> When learning about how ACLs work in e.g.
> https://doc.dovecot.org/settings/plugin/acl/ - when one wishes to use
> the Global ACL file, how does one link it to a particular user's
> mailboxes? Examples that are listed in the documentation are far too
> generic. For example does "* user=foo lrw" imply that all mailboxes of
> all accounts are shared to the user foo? The doveadm command works only
> if dovecot is set up with per-mailbox ACL files, so I can't use it to
> reverse-engineer the correct syntax.
>

The global ACLs are...global. They apply to all matching mailboxes system-wide. So to answer your question, yes "* user=foo lrw" means all mailboxes of all accounts are shared to the user foo. But...

> An interesting aspect of ACLs is dictionaries. I understood it as some
> kind of cache - if there is no dictionary or it is empty, then shared
> mailboxes don't work. Conversely, the dictionary itself is not enough, one
> needs actual ACLs set up correctly. Is this a correct understanding?

The ACLs grant/deny access to a specific mailbox - when that mailbox is known to the client. But ACLs are never scanned or iterated over to generate a list of available mailboxes - that's where the dictionary comes in. The dictionary is a list of shared mailboxes - but that's all it is. So when a client queries the server for a list of available mailboxes the dictionary is consulted. The ACLs are then applied for each transaction whenever a client tries to read/write/access/whatever a specific mailbox. So theoretically, if you can manually specify the shared mailbox correctly, no dictionary is required for access.

> Next, what https://wiki.dovecot.org/SharedMailboxes/Shared and
> https://wiki.dovecot.org/Dictionary describe is a possibility to
> reference LDAP data to define an ACL dictionary. Do I understand it
> correctly that if an LDAP database is the single source of truth, then I
> don't have to worry about updating dictionaries as long as LDAP itself
> is up-to-date, but I have to keep ACLs and LDAP in sync manually (or
> using an application)?

Again, a dictionary is a list of shared mailboxes - not ACLs. You can use any dictionary source Dovecot can read from - but if the dictionary also supports writing then any manipulation of ACLs will automatically update the dictionary.

What the above implies, and I will now state explicitly, is that while global ACLs provide *access* they do not *publish* that access. A dictionary must be manually updated to list those mailboxes.

-- 
Daniel
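The access-versus-publish distinction Daniel draws above, modelled in Python as an added example (not Dovecot's code, nor anything posted in this thread): a toy evaluator for global ACL lines in the `<mailbox pattern> <identifier> <rights>` form, next to a LIST that consults only the shared dictionary. The union-of-matching-entries merge and the handling of the `owner`, `anyone` and `user=` identifiers are simplifying assumptions; Dovecot's real precedence rules and negative rights are not modelled.

```python
import fnmatch

# Constructed global ACL file in the "<mailbox pattern> <identifier> <rights>"
# form quoted in the thread; rights letters are Dovecot's (l=lookup, r=read,
# w=write flags, ...). "* user=foo lrw" is the entry Matej asked about.
GLOBAL_ACL = """\
* owner lrwstipekxa
* user=foo lrw
Public/* anyone lr
"""

# Constructed shared dictionary: owner -> users to whom the share is published.
SHARED_DICT = {"alice": {"foo"}}


def parse_acl(text):
    """Parse global ACL lines into (mailbox pattern, identifier, rights set)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            pattern, ident, rights = line.split()
            entries.append((pattern, ident, set(rights)))
    return entries


def rights_for(entries, user, owner, mailbox):
    """Rights `user` holds on `owner`'s `mailbox` (simplifying assumption:
    the union of all matching entries; negative rights are not modelled)."""
    granted = set()
    for pattern, ident, rights in entries:
        if not fnmatch.fnmatchcase(mailbox, pattern):
            continue
        if ident == "anyone" or ident == "user=" + user \
                or (ident == "owner" and user == owner):
            granted |= rights
    return "".join(sorted(granted))


def can_open(entries, user, owner, mailbox):
    """Access (SELECT): needs the 'r' right; the dictionary is not consulted."""
    return "r" in rights_for(entries, user, owner, mailbox)


def list_shared_owners(shared_dict, user):
    """Publishing (LIST): only the dictionary is consulted, ACLs are never scanned."""
    return sorted(o for o, users in shared_dict.items() if user in users)
```

With this data, foo can open bob's INBOX because of the global `* user=foo lrw` line, yet a LIST for foo returns only alice, the sole owner present in the dictionary.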
On 14. 09. 20 22:46, Daniel Miller wrote:
> On 9/14/2020 1:19 PM, Matej Tyc wrote:
>> ...
>>
>> When learning about how ACLs work in e.g.
>> https://doc.dovecot.org/settings/plugin/acl/ - when one wishes to use
>> the Global ACL file, how does one link it to a particular user's
>> mailboxes? Examples that are listed in the documentation are far too
>> generic. For example does "* user=foo lrw" imply that all mailboxes
>> of all accounts are shared to the user foo? The doveadm command works
>> only if dovecot is set up with per-mailbox ACL files, so I can't use
>> it to reverse-engineer the correct syntax.
>>
>
> The global ACLs are...global. They apply to all matching mailboxes
> system-wide. So to answer your question, yes "* user=foo lrw" means
> all mailboxes of all accounts are shared to the user foo. But...

Great, what about the format itself? Is it <namespace>/<account>/<mailbox>? The documentation brings up, i.e. /john@example.com/* shares all mailboxes of John from the example.com domain? Or have I overlooked a documentation page where the syntax is introduced?

>> ...
>
> The ACLs grant/deny access to a specific mailbox - when that mailbox
> is known to the client. But ACLs are never scanned or iterated over to
> generate a list of available mailboxes - that's where the dictionary
> comes in. The dictionary is a list of shared mailboxes - but that's
> all it is. So when a client queries the server for a list of available
> mailboxes the dictionary is consulted. The ACLs are then applied for
> each transaction whenever a client tries to read/write/access/whatever
> a specific mailbox. So theoretically, if you can manually specify the
> shared mailbox correctly, no dictionary is required for access.

Thanks, that's a great explanation!

>> Next, what https://wiki.dovecot.org/SharedMailboxes/Shared and
>> https://wiki.dovecot.org/Dictionary describe is a possibility to
>> reference LDAP data to define an ACL dictionary. Do I understand it
>> correctly that if an LDAP database is the single source of truth, then
>> I don't have to worry about updating dictionaries as long as LDAP
>> itself is up-to-date, but I have to keep ACLs and LDAP in sync
>> manually (or using an application)?
>
> Again, a dictionary is a list of shared mailboxes - not ACLs. You can
> use any dictionary source Dovecot can read from - but if the
> dictionary also supports writing then any manipulation of ACLs will
> automatically update the dictionary.
>
> What the above implies, and I will now state explicitly, is that while
> global ACLs provide *access* they do not *publish* that access. A
> dictionary must be manually updated to list those mailboxes.

What I understand is that ACLs are purely filesystem-based, i.e. no LDAP backend, and one has to sync LDAP to the respective ACLs "manually". If I follow what you have said, one could have an equal result with a database, syncing ACLs "manually" from LDAP, and doveadm will make sure that the database backend will be up-to-date.

>
> -- 
> Daniel
>

Thank you very much for your explanations, I will propose a documentation PR once I figure out all of the missing bits.