Vincent Brillault
2021-Jun-08 11:46 UTC
Shared Mailboxes in Dovecot Cluster & director configuration
Hi!

I've been trying to set up a shared namespace on a test Dovecot cluster and I've had some weird issues. I'm not sure if this is a feature or a bug, so please advise.

As some features (like acl_ignore_namespace) are only in the upcoming 2.3.15, after some initial debugging I've updated the system I'm using to the master branches (df1b4b8750fdb87d38ac9accb8a1dea02ac3ce2e for core and 7090e62564bcb7bff7efc89bd2a42b1d32d9e475 for pigeonhole), but it didn't change the initial issues I was having.

I've been following https://doc.dovecot.org/configuration_manual/shared_mailboxes/cluster_setup/ and the linked documentation to set up the cluster. You'll find at the end of the mail the parts of the configuration that seem to be relevant.

The issues I've had were with the "You'll need to setup master user logins to work for all the users." part and with `imapc_master_user` (for which the bullet points recommend using `%{userdb:sharing_user}`, but it is then set to `%u` in the example).

For the sake of the tests, I'm using one director and one backend. On this installation:
- user1 shared the folder 'Junk' with user2
- after logging in as user2, I run `a2 SELECT shared/user1/Junk`

Initially on the director, I had (excluding other, unrelated configuration):
```
# Connection back from backends for shared mailbox access
passdb {
  args = password=XXXX allow_nets=${IPs of backend}
  driver = static
  master = yes
  mechanisms = plain
  result_success = continue
}
```

However, this led to login failures on the director, as the backend was logging in directly as user1, without a master user set!

After further debugging, I now have on the director:
```
# Connection back from backends for shared mailbox access
passdb {
  args = password=XXXX allow_nets=${IPs of backend}
  driver = static
  master = yes
  mechanisms = plain
  result_success = continue
}
passdb {
  args = password=XXXX allow_nets=${IPs of backend}
  driver = static
  mechanisms = plain
  result_success = continue
}
```

And this works!

Looking at the log, it's not that my `imapc_master_user` is not recognized, just that there are two imapc connections from the backend to the frontend.
- The first one logs in as user1 directly, with no master user set:
```
${backend} dovecot[29900]: imap(user2)<29917><Mi/7WD/EgYi8uE1E>: Debug: imapc(${director}:993): Authenticating as user1
```
- The second connection logs in as expected, as user1 with user2 set as the master user:
```
${backend} dovecot[29900]: imap(user2)<29917><Mi/7WD/EgYi8uE1E>: Debug: imapc(${director}:993): Authenticating as user2 for user user1
```

Is it normal to have these two connections back to the director? From the documentation, I would have only expected the 2nd one.

Going further, if I add a static part to imapc_master_user, for example `imapc_master_user = X%{userdb:sharing_user}`, the logged authentications become:
```
${backend} dovecot: imap(user2)<31073><xu94pz/EqYi8uE1E>: Debug: imapc(${director}:993): Authenticating as X for user user1
[...]
${backend} dovecot: imap(user2)<31073><xu94pz/EqYi8uE1E>: Debug: imapc(${director}:993): Authenticating as Xuser2 for user user1
```

It looks to me that for the first connection, imapc_master_user is resolved in the wrong context, without `userdb:sharing_user` resolving to anything?

Thanks in advance, let me know if you need more details.

Vincent Brillault

PS configuration details (relevant parts of doveconf -n):

- Backend:
```
auth_master_user_separator = *
imapc_features = fetch-bodystructure fetch-headers rfc822.size search modseq
imapc_host = ${director}
imapc_master_user = %{userdb:sharing_user}
imapc_password = # hidden, use -P to show it
imapc_port = 993
imapc_sasl_mechanisms = plain
imapc_ssl = imaps
imapc_ssl_verify = no
mail_plugins = acl zlib virtual fts fts_solr
namespace {
  list = children
  location = imapc:~/shared/%%u
  prefix = shared/%%u/
  type = shared
}
namespace Virtual {
  hidden = yes
  list = no
  location = virtual:/etc/dovecot/virtual:INDEX=~/virtual
  prefix = Virtual/
  separator = /
  subscriptions = no
}
namespace inbox {
  inbox = yes
  location =
  mailbox "Deleted Items" {
    auto = subscribe
    special_use = \Trash
  }
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox "Sent Items" {
    auto = subscribe
    special_use = \Sent
  }
  mailbox Spam {
    auto = create
    special_use = \Junk
  }
  prefix =
}
passdb {
  args = password=#hidden_use-P_to_show# allow_nets=${IPs of director} userdb_namespace/shared/disabled=yes
  driver = static
  master = yes
}
passdb {
  args = password=#hidden_use-P_to_show# allow_nets=${IPs of director} userdb_sharing_user=%u
  driver = static
}
plugin {
  acl = vfile:/etc/dovecot/dovecot-acl
  acl_ignore_namespace = Virtual/
  acl_ignore_namespace2 = shared/*
  acl_shared_dict = file:/mail/sharing/shared-mailboxes
  [...]
}
```

- Director (final & working version):
```
auth_master_user_separator = *
auth_mechanisms = plain login xoauth2 oauthbearer gssapi
auth_socket_path = director-userdb
passdb {
  args = /etc/dovecot/passdb-masterusers.conf.ext
  driver = ldap
  master = yes
  mechanisms = plain login
  result_success = continue
}
passdb {
  args = password=#hidden_use-P_to_show# allow_nets=${IPs of backend}
  driver = static
  master = yes
  mechanisms = plain
  result_success = continue
}
passdb {
  args = password=#hidden_use-P_to_show# allow_nets=${IPs of backend}
  driver = static
  mechanisms = plain
  result_success = continue
}
passdb {
  args = /etc/dovecot/passdb-oauth2.conf.ext
  driver = oauth2
  mechanisms = xoauth2 oauthbearer
  result_failure = return-fail
  result_internalfail = return-fail
  result_success = continue
}
passdb {
  args = /etc/dovecot/passdb-cerndc.conf.ext
  driver = ldap
}
```
Markus Valentin
2021-Jun-10 06:34 UTC
Shared Mailboxes in Dovecot Cluster & director configuration
> On 08/06/2021 13:46 Vincent Brillault <vincent.brillault at cern.ch> wrote:
> [...]
> Is it normal to have these two connections back to the director? From
> the documentation, I would have only expected the 2nd one.
>
> Going further, if I add a static part to imapc_master_user, for
> example `imapc_master_user = X%{userdb:sharing_user}`, the logged
> authentications become:
> ```
> ${backend} dovecot: imap(user2)<31073><xu94pz/EqYi8uE1E>: Debug: imapc(${director}:993): Authenticating as X for user user1
> [...]
> ${backend} dovecot: imap(user2)<31073><xu94pz/EqYi8uE1E>: Debug: imapc(${director}:993): Authenticating as Xuser2 for user user1
> ```
>
> It looks to me that for the first connection, imapc_master_user is
> resolved in the wrong context, without `userdb:sharing_user` resolving
> to anything?

Hi,

thank you very much for the details and for sending feedback. I am sorry there have been bugs in the documentation.

The two connections are expected, but the missing master_user for the first connection is a problem.

The documentation suggested a not-so-well working way of doing it. It works better if the backend userdb or passdb sets imapc_master_user=%{user} or userdb_imapc_master_user=%{user}. The userdb_sharing_user was meant to make it easier and more readable, but made it more complicated and nonfunctional, sorry.

The documentation will be updated soon. There will also be some example configuration snippets to make it easier to configure.

Markus

> [...]
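As an added illustration (not from the thread or the Dovecot documentation), the backend passdb pair from Vincent's setup rewritten the way Markus suggests, with `userdb_imapc_master_user=%{user}` in place of `userdb_sharing_user=%u`; `SECRET` and `DIRECTOR_NET` are placeholders for the shared password and the director's address range.

```conf
# Backend-side passdbs for connections that arrive from the director.
# Both entries are restricted with allow_nets so that only the director can
# use the shared static password. SECRET and DIRECTOR_NET are placeholders.

# 1) Master-user login (user2*user1): this is the imapc hop that the backend
#    opened towards the director, which the director then proxied back here.
#    The shared namespace is disabled for this session so that user1's
#    mailbox does not open yet another imapc hop for its own shared folders.
passdb {
  driver = static
  master = yes
  args = password=SECRET allow_nets=DIRECTOR_NET userdb_namespace/shared/disabled=yes
}

# 2) Regular proxied login of the client (user2). Instead of exporting a
#    sharing_user field and expanding it in the global imapc_master_user
#    setting, the userdb field overrides imapc_master_user for this session,
#    so the hop to the director authenticates as "user2 for user user1".
passdb {
  driver = static
  args = password=SECRET allow_nets=DIRECTOR_NET userdb_imapc_master_user=%{user}
}
```

The test setup in the thread has `imapc_ssl_verify = no`; on the backend-to-director hop that means the static password would be presented to whatever answers on port 993, so certificate verification belongs back on before this leaves a test environment.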