Hello,

We're trying to configure the shared mailbox feature\namespace on a dovecot 2.3 installation.

OS : Ubuntu 22.04 x64
Dovecot : 2:2.3.19.1-2+ubuntu20.04

Our test environment is based on a dovecot frontend ( director + proxy ) and a dovecot backend ( auth and storage ), later we will think about increasing the number of backends and frontends ( if we got it right, as we plan to use multiple backends, we should use imapc in order to bind the sharer and the accessing user to the same backend ).

On dovecot backend we've configured the new shared namespace, as stated in the documentation ( https://doc.dovecot.org/configuration_manual/shared_mailboxes/shared_mailboxes/#user-shared-mailboxes ) :

-- Dovecot conf --------------------

# Maildir's location is under home dir, which is returned by userdb.
mail_location = maildir:~/Maildir:VOLATILEDIR=/tmp_lock/%2.256Nu/%u

# Quota, mail_log plugins enabled everywhere
mail_plugins = quota notify acl fts fts_lucene mail_log mailbox_alias virtual

# Default namespace
namespace {
  hidden = no
  inbox = yes
  location =
  prefix =
  separator = /
  type = private
  mailbox Sent {
    special_use = \Sent
    auto = create
  }
  mailbox Trash {
    special_use = \Trash
    auto = create
  }
  mailbox Drafts {
    special_use = \Drafts
    auto = create
  }
  mailbox SPAM {
    special_use = \Junk
    auto = create
  }
}

# namespace used by virtual search
namespace {
  prefix = VrtSearch.
  separator = /
  location = virtual:/etc/dovecot-common-backend/virtual:INDEX=~/virtual
  hidden = yes
  subscriptions = no
  inbox = no
  list = no
}

# IMAP SHARING FEATURE
service dict {
  unix_listener dict {
    mode = 0600
    user = vpopmail
    group = vchkpw
  }
}

plugin {
  acl = vfile
  acl_ignore_namespace = shared/*
  acl_shared_dict = proxy::acl-mysql
}

dict {
  acl-mysql = mysql:/etc/dovecot-common-backend/dovecot-dict-sql.conf.ext
}

# namespace used for IMAP sharing feature
namespace {
  type = shared
  separator = /
  prefix = shared/%%u/
  location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u
  list = children
  subscriptions = no
}

-- Dovecot dict sql --------------------

# IMAP SHARING FEATURE
connect = host=x.x.x.x dbname=xxxxxx user=xxxxxx password=xxxxxx

map {
  pattern = shared/shared-boxes/user/$to/$from
  table = imap_user_shares
  value_field = dummy
  fields {
    from_user = $from
    to_user = $to
  }
}

map {
  pattern = shared/shared-boxes/anyone/$from
  table = imap_anyone_shares
  value_field = dummy
  fields {
    from_user = $from
  }
}

-- Dict DB contents --------------------

mysql> select * from imap_user_shares;
+--------------------------------------+------------------------------------+-------+
| from_user                            | to_user                            | dummy |
+--------------------------------------+------------------------------------+-------+
| test.imapsharer01@td01.testdomain.it | test.imapuser01@td01.testdomain.it |     1 |
+--------------------------------------+------------------------------------+-------+

For our tests, we've :

- created two users
    test.imapsharer01@td01.testdomain.it
    test.imapuser01@td01.testdomain.it
- Created two INBOX subfolders on the sharer01 user, giving user01 those permissions :
    subfolder01 giving to user01 Full control
    subfolder02ro giving to user01 list and read
- logging as user01 with thunderbird, we see the shared namespace tree :
    shared
      test.imapsharer01@td01.testdomain.it
        subfolder01
        subfolder02
  we're able to see the contents of each folder, even the INBOX.

Checking the folder properties, thunderbird reports that the user01 has full control on the INBOX of shared01.

If we try to check the ACL via python script ( imaplib.gestacl ) or via doveadm, we can see that the sharer01 INBOX has no rights for user01. But via thunderbird ( or other email clients ) we can delete emails.

ACL - sharer01 accessing its folder

('OK', [b'INBOX test.imapsharer01@td01.testdomain.it lrwstipekxacd'])
('OK', [b'subfolder01 test.imapuser01@td01.testdomain.it akxeilprwtscd test.imapsharer01@td01.testdomain.it lrwstipekxacd'])
('OK', [b'subfolder02ro test.imapuser01@td01.testdomain.it lr test.imapsharer01@td01.testdomain.it lrwstipekxacd'])

ACL - user01 accessing sharer01 folders

('OK', [b'shared/test.imapsharer01@td01.testdomain.it/INBOX'])
('OK', [b'shared/test.imapsharer01@td01.testdomain.it/subfolder01 test.imapuser01@td01.testdomain.it akxeilprwtscd'])
('OK', [b'shared/test.imapsharer01@td01.testdomain.it/subfolder02ro test.imapuser01@td01.testdomain.it lr'])

Testing with doveadm shows the correct ACL :

# doveadm -c /etc/dovecot-backend01/dovecot.conf acl debug -u test.imapuser01@td01.testdomain.it shared/test.imapsharer01@td01.testdomain.it/INBOX
doveadm(test.imapuser01@td01.testdomain.it): Info: Mailbox 'INBOX' is in namespace 'shared/test.imapsharer01@td01.testdomain.it/'
doveadm(test.imapuser01@td01.testdomain.it): Info: Mailbox path: /home/vpopmail/domains/td01.testdomain.it/dccm4584.imapsharer01/Maildir
doveadm(test.imapuser01@td01.testdomain.it): Info: All message flags are shared across users in mailbox
doveadm(test.imapuser01@td01.testdomain.it): Info: User test.imapuser01@td01.testdomain.it has no rights for mailbox
doveadm(test.imapuser01@td01.testdomain.it): Error: User test.imapuser01@td01.testdomain.it is missing 'lookup' right
doveadm(test.imapuser01@td01.testdomain.it): Info: Mailbox shared/test.imapsharer01@td01.testdomain.it/INBOX is NOT visible in LIST

# doveadm -c /etc/dovecot-backend01/dovecot.conf acl debug -u test.imapuser01@td01.testdomain.it shared/test.imapsharer01@td01.testdomain.it/subfolder01
doveadm(test.imapuser01@td01.testdomain.it): Info: Mailbox 'subfolder01' is in namespace 'shared/test.imapsharer01@td01.testdomain.it/'
doveadm(test.imapuser01@td01.testdomain.it): Info: Mailbox path: /home/vpopmail/domains/td01.testdomain.it/dccm4584.imapsharer01/Maildir/.subfolder01
doveadm(test.imapuser01@td01.testdomain.it): Info: All message flags are shared across users in mailbox
doveadm(test.imapuser01@td01.testdomain.it): Info: User test.imapuser01@td01.testdomain.it has rights: lookup read write write-seen write-deleted insert post expunge create delete admin
doveadm(test.imapuser01@td01.testdomain.it): Info: Mailbox found from dovecot-acl-list
doveadm(test.imapuser01@td01.testdomain.it): Info: User test.imapsharer01@td01.testdomain.it found from ACL shared dict
doveadm(test.imapuser01@td01.testdomain.it): Info: Mailbox shared/test.imapsharer01@td01.testdomain.it/subfolder01 is visible in LIST

# doveadm -c /etc/dovecot-backend01/dovecot.conf acl debug -u test.imapuser01@td01.testdomain.it shared/test.imapsharer01@td01.testdomain.it/subfolder02ro
doveadm(test.imapuser01@td01.testdomain.it): Info: Mailbox 'subfolder02ro' is in namespace 'shared/test.imapsharer01@td01.testdomain.it/'
doveadm(test.imapuser01@td01.testdomain.it): Info: Mailbox path: /home/vpopmail/domains/td01.testdomain.it/dccm4584.imapsharer01/Maildir/.subfolder02ro
doveadm(test.imapuser01@td01.testdomain.it): Info: All message flags are shared across users in mailbox
doveadm(test.imapuser01@td01.testdomain.it): Info: User test.imapuser01@td01.testdomain.it has rights: lookup read
doveadm(test.imapuser01@td01.testdomain.it): Info: Mailbox found from dovecot-acl-list
doveadm(test.imapuser01@td01.testdomain.it): Info: User test.imapsharer01@td01.testdomain.it found from ACL shared dict
doveadm(test.imapuser01@td01.testdomain.it): Info: Mailbox shared/test.imapsharer01@td01.testdomain.it/subfolder02ro is visible in LIST

in the debug log we can see the delete operation :

Nov 15 10:53:25 imap(357716 test.imapuser01@td01.testdomain.it):Debug: Mailbox Trash: Mailbox opened
Nov 15 10:53:25 imap(357716 test.imapuser01@td01.testdomain.it):Debug: acl vfile: file /home/vpopmail/domains/td01.testdomain.it/dccm4584.imapuser01/Maildir/.Trash/dovecot-acl not found
Nov 15 10:53:25 imap(357716 test.imapuser01@td01.testdomain.it):Debug: Mailbox shared/test.imapsharer01@td01.testdomain.it: Mailbox opened
Nov 15 10:53:25 imap(357716 test.imapuser01@td01.testdomain.it):Debug: Mailbox Trash: Adding field flags to cache for the first time (uid=0)
Nov 15 10:53:25 imap(357716 test.imapuser01@td01.testdomain.it):Debug: Mailbox Trash: saving UID 0: Opened mail because: header Message-ID (Cache file is unusable)
Nov 15 10:53:25 imap(357716 test.imapuser01@td01.testdomain.it):Debug: Mailbox Trash: Adding field hdr.Message-ID to cache for the first time (uid=0)
Nov 15 10:53:25 imap(357716 test.imapuser01@td01.testdomain.it):Debug: Mailbox shared/test.imapsharer01@td01.testdomain.it: UID 1: Expunge requested
Nov 15 10:53:25 imap(357716 test.imapuser01@td01.testdomain.it):Debug: Mailbox Trash: Purging (new file_seq=1668506005): creating cache
Nov 15 10:53:25 imap(357716 test.imapuser01@td01.testdomain.it):Debug: Mailbox Trash: Purging finished, file_seq changed 0 -> 1668506005, size=0 -> 412, max_uid=0
Nov 15 10:53:25 imap(357716 test.imapuser01@td01.testdomain.it):Info: copy from shared/test.imapsharer01@td01.testdomain.it: box=Trash, uid=1, msgid=<mnid2m.1.24789225.57389.0.1127444.c495198613._@nl.aruba.it>
Nov 15 10:53:25 imap(357716 test.imapuser01@td01.testdomain.it):Info: expunge: box=shared/test.imapsharer01@td01.testdomain.it, uid=1, msgid=<mnid2m.1.24789225.57389.0.1127444.c495198613._@nl.aruba.it>
Nov 15 10:53:26 imap(357716 test.imapuser01@td01.testdomain.it):Debug: Mailbox shared/test.imapsharer01@td01.testdomain.it: UID 1: Mail expunged

After we delete a message, we cannot find it on the Trash folders ( user01 or sharer01 ).

Are we missing something ?

Thanks
Stefano
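
The cross-check the post does by hand, as an added example that is not part of the original message: it compares GETACL payloads with mail_log lines and flags changes in shared mailboxes that the known ACLs do not allow. The sample data is constructed in the formats shown above; the event-to-right mapping follows RFC 4314, and only direct user identifiers and mailbox names without spaces are handled (assumptions of this sketch).

```python
import re

# Constructed GETACL payloads in the shape imaplib returns (names taken from the post).
SHARER = "shared/test.imapsharer01@td01.testdomain.it"
USER = "test.imapuser01@td01.testdomain.it"
GETACL = [
    f"{SHARER}/INBOX".encode(),
    f"{SHARER}/subfolder01 {USER} akxeilprwtscd".encode(),
    f"{SHARER}/subfolder02ro {USER} lr".encode(),
]
# Constructed mail_log lines in the format shown in the post.
PFX = f"Nov 15 10:53:25 imap(357716 {USER}):Info: "
LOG = [
    PFX + f"expunge: box={SHARER}, uid=1, msgid=<constructed-1@example.invalid>",
    PFX + f"expunge: box={SHARER}/subfolder01, uid=4, msgid=<constructed-2@example.invalid>",
    PFX + f"expunge: box={SHARER}/subfolder02ro, uid=2, msgid=<constructed-3@example.invalid>",
    PFX + "expunge: box=Trash, uid=7, msgid=<constructed-4@example.invalid>",
]
# RFC 4314 right each logged event requires (assumed mapping for this sketch).
NEEDS = {"expunge": "e", "delete": "t", "undelete": "t"}
EVENT = re.compile(r"imap\(\d+ (?P<user>[^)]+)\):Info: (?P<event>\w+): "
                   r"box=(?P<box>[^,]+), uid=(?P<uid>\d+)")

def parse_getacl(payload):
    """Return (mailbox, {identifier: rights}); assumes names contain no spaces."""
    tokens = payload.decode().split()
    return tokens[0], dict(zip(tokens[1::2], tokens[2::2]))

def audit(log_lines, getacl_payloads, prefix="shared/"):
    """Flag logged changes in shared mailboxes that the known ACLs do not allow."""
    acl = dict(parse_getacl(p) for p in getacl_payloads)
    findings = []
    for line in log_lines:
        m = EVENT.search(line)
        if not m or m["event"] not in NEEDS or not m["box"].startswith(prefix):
            continue
        right = NEEDS[m["event"]]
        if m["box"] not in acl:
            reason = "no GETACL data for this mailbox name"
        elif right in acl[m["box"]].get(m["user"], ""):
            continue
        else:
            reason = f"user lacks '{right}' right"
        findings.append((m["user"], m["event"], m["box"], int(m["uid"]), reason))
    return findings

if __name__ == "__main__":
    for finding in audit(LOG, GETACL):
        print(finding)
```

The first finding is for the mailbox name the log in the post actually records, `shared/test.imapsharer01@td01.testdomain.it` without a folder suffix, which is not one of the names queried with GETACL or `doveadm acl debug`.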