[Dovecot] Permissions in shared folders
Lukas Haase
2011-02-08 10:33:03 UTC
Hi,

On my mail server I want to implement shared folders for each workgroup
where there are many workgroups.

One way would be to create a separate namespace for each workgroup.
However, this does not scale well so I decided to use a single Shared
mailbox and use ACLs:

namespace public {
separator = .
prefix = Shared.
location = maildir:/var/mail/shared:CONTROL=~/Maildir/shared
}

Each workgroup should get a subfolder in "Shared". Until now, this
works, I create .Group1, .Group2 and assign correct group permissions
and ACL files.

However, now a user from group1 wants to create a subfolder in his IMAP
folder. Since the permissions for /var/mail/shared/.Group1 are correct
(writeable to group1 and the user is member of group1 and 'k' ACL
permissions are active) I would expect it to work.

However, for obvious reasons, the *sub*folder is created as

/var/mail/shared/.Group1.Subfolder

so it is actually not a subfolder in sense of the filesystem but rather
a folder inside /var/mail/shared

However, the user does (and should) not have write permissions to
/var/mail/shared (only to /var/mail/shared/.Group1).

Is there a way to overcome this problem? Why can't dovecot just use
/var/mail/shared/.Group1/.Subfolder? Is there an option to do so? It
would make everything a lot easier.

One option is to make /var/mail/shared world-writeable - which is
not really a good option.

A second option might be to use ACLs and give each group write
permissions to /var/mail/shared. However, not even this seems very
"clean" to me.

What is the best way to handle this?

Best regards,
Luke
Lukas Haase
2011-02-08 15:54:33 UTC
Dear list,

A dumb question: What exactly is the effect of the separator?

Is it also used to separate in the underlying file system? I.e. when I
have the separator '/', the IMAP folder Sent/Jan is physically stored as

/home/lukas/Maildir/.Sent/Jan/cur

? If this is true this would greatly solve my problem described at the
bottom.

I have tried it myself, however, dovecot 1.2 does not allow creating a
namespace with a separator different from that of my default namespace...

If this works, is there a convenient migration procedure possible to
migrate from . to /?
The Wiki just mentions the other way (/ --> .).

Best regards,
Luke
Post by Lukas Haase
Hi,
On my mail server I want to implement shared folders for each workgroup
where there are many workgroups.
One way would be to create a separate namespace for each workgroup.
However, this does not scale well so I decided to use a single Shared
namespace public {
separator = .
prefix = Shared.
location = maildir:/var/mail/shared:CONTROL=~/Maildir/shared
}
Each workgroup should get a subfolder in "Shared". Until now, this
works, I create .Group1, .Group2 and assign correct group permissions
and ACL files.
However, now a user from group1 wants to create a subfolder in his IMAP
folder. Since the permissions for /var/mail/shared/.Group1 are correct
(writeable to group1 and the user is member of group1 and 'k' ACL
permissions are active) I would expect it to work.
However, for obvious reasons, the *sub*folder is created as
/var/mail/shared/.Group1.Subfolder
so it is actually not a subfolder in sense of the filesystem but rather
a folder inside /var/mail/shared
However, the user does (and should) not have write permissions to
/var/mail/shared (only to /var/mail/shared/.Group1).
Is there a way to overcome this problem? Why can't dovecot just use
/var/mail/shared/.Group1/.Subfolder? Is there an option to do so? It
would make everything a lot easier.
The one option is to make /var/mail/shared world-writeable - which is
not really a good option.
A second option might be to use ACLs and give each group write
permissions to /var/mail/shared. However, not even this seems very
"clean" to me.
What is the best way to handle this?
Best regards,
Luke
Willie Gillespie
2011-02-08 17:14:54 UTC
Post by Lukas Haase
Dear list,
A dumb question: What exactly is the effect of the separator?
Is it also used to separate in the underlying file system? I.e. when I
have the separator '/', the IMAP folder Sent/Jan is physically stored as
As far as I understand, the separator is used in the context of IMAP
only, and not the file system.

So a client using IMAP will open Folder1/subfolder or Folder1.subfolder
depending on the separator.

Somebody can correct me if I'm wrong, but I don't believe it has an
effect on the backend (besides disallowing the use of that character in
a folder name).
Lukas Haase
2011-02-08 22:13:46 UTC
Post by Willie Gillespie
Post by Lukas Haase
Dear list,
A dumb question: What exactly is the effect of the separator?
Is it also used to separate in the underlying file system? I.e. when I
have the separator '/', the IMAP folder Sent/Jan is physically stored as
As far as I understand, the separator is used in the context of IMAP
only, and not the file system.
Dear Willie,

So if I understand correctly, if I set '/' as separator, the Maildir
layout will still be

.Folder1.subfolder

?

Thank you for this hint, I think this is clear now.
Post by Willie Gillespie
[...]
Somebody can correct me if I'm wrong, but I don't believe it has an
effect on the backend (besides disallowing the use of that character in
a folder name).
Thank you for your reply!

Regards,
Luke
Willie Gillespie
2011-02-08 17:06:28 UTC
Post by Lukas Haase
Hi,
On my mail server I want to implement shared folders for each workgroup
where there are many workgroups.
I did something similar with my small set up. A shared location for
each work group. I set things up a little differently though. Instead
of a public namespace, I made a shared namespace.

However, this entailed making a "user" for each work group which would
share its folders with the appropriate group. Then I could set the ACLs
to allow them to create folders, etc. and on the file system, they are
stored in separate places.

Timo Sirainen
2011-02-08 17:39:30 UTC
Post by Lukas Haase
namespace public {
separator = .
prefix = Shared.
location = maildir:/var/mail/shared:CONTROL=~/Maildir/shared
location = maildir:/var/mail/shared:INDEX=~/Maildir/shared
Post by Lukas Haase
}
Each workgroup should get a subfolder in "Shared". Until now, this works, I create .Group1, .Group2 and assign correct group permissions and ACL files.
However, now a user from group1 wants to create a subfolder in his IMAP folder. Since the permissions for /var/mail/shared/.Group1 are correct (writeable to group1 and the user is member of group1 and 'k' ACL permissions are active) I would expect it to work.
However, for obvious reasons, the *sub*folder is created as
/var/mail/shared/.Group1.Subfolder
so it is actually not a subfolder in sense of the filesystem but rather a folder inside /var/mail/shared
Yep.
Post by Lukas Haase
However, the user does (and should) not have write permissions to /var/mail/shared (only to /var/mail/shared/.Group1).
Is there a way to overcome this problem? Why can't dovecot just use /var/mail/shared/.Group1/.Subfolder? Is there an option to do so? It would make everything a lot easier.
location = maildir:/var/mail/shared:INDEX=~/Maildir/shared:LAYOUT=fs
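To make the two answers above concrete, here is an added example (not from the thread and not Dovecot's own code): a small model of where Dovecot places an IMAP folder on disk under the default Maildir++ layout and under LAYOUT=fs, and which directory's write permission gates the creation of a new folder. The paths, prefix and folder names are the ones from the thread; the sets of writable directories are constructed for the demonstration and stand in for the kernel's uid/gid/mode check.

```python
"""Model of Dovecot Maildir++ vs LAYOUT=fs folder placement (added example,
not code from the thread or from Dovecot)."""
import posixpath


def mailbox_to_dir(root, prefix, separator, mailbox, layout="maildir++"):
    """Return the directory (holding cur/, new/, tmp/) for an IMAP mailbox.

    root      - path from the maildir: location, e.g. /var/mail/shared
    prefix    - namespace prefix, e.g. 'Shared.', stripped from the name
    separator - namespace separator; only used to split the IMAP name
    layout    - 'maildir++' (Dovecot's default) or 'fs' (LAYOUT=fs)
    """
    if not mailbox.startswith(prefix):
        raise ValueError("%r is not inside namespace %r" % (mailbox, prefix))
    parts = mailbox[len(prefix):].split(separator)
    if any(p in ("", ".", "..") for p in parts):
        raise ValueError("empty or dot-only component in %r" % mailbox)
    if layout == "maildir++":
        # Maildir++: every folder is a flat directory directly under the
        # root, named '.' + the hierarchy levels joined by '.', no matter
        # which IMAP separator the namespace uses.  (This model rejects '.'
        # inside a level so the on-disk name stays unambiguous.)
        if any("." in p for p in parts):
            raise ValueError("'.' inside a folder name is ambiguous in Maildir++")
        return posixpath.join(root, "." + ".".join(parts))
    if layout == "fs":
        # LAYOUT=fs: real nested directories, one per hierarchy level.
        return posixpath.join(root, *parts)
    raise ValueError("unknown layout %r" % layout)


def creation_gate(root, prefix, separator, mailbox, layout="maildir++"):
    """Directory that must be writable to create the mailbox: mkdir() needs
    write (and search) permission on the parent of the new directory."""
    return posixpath.dirname(mailbox_to_dir(root, prefix, separator, mailbox, layout))


def can_create(root, prefix, separator, mailbox, layout, writable_dirs):
    """Model of the permission check: creation succeeds iff the gate
    directory is one the user may write to.  writable_dirs is a constructed
    set standing in for the kernel's uid/gid/mode evaluation."""
    return creation_gate(root, prefix, separator, mailbox, layout) in set(writable_dirs)


def thread_scenario():
    """The situation from the thread: a group1 member may write the
    Group1 folder directory but not the namespace root /var/mail/shared."""
    root, prefix, sep = "/var/mail/shared", "Shared.", "."
    new_folder = "Shared.Group1.Subfolder"
    writable = {                      # constructed: what group1 may write
        "maildir++": {"/var/mail/shared/.Group1"},
        "fs": {"/var/mail/shared/Group1"},
    }
    return {
        layout: {
            "dir": mailbox_to_dir(root, prefix, sep, new_folder, layout),
            "gate": creation_gate(root, prefix, sep, new_folder, layout),
            "ok": can_create(root, prefix, sep, new_folder, layout, writable[layout]),
        }
        for layout in ("maildir++", "fs")
    }


if __name__ == "__main__":
    for layout, r in thread_scenario().items():
        print("%-9s dir=%s  gate=%s  group1 member can create: %s"
              % (layout, r["dir"], r["gate"], r["ok"]))
    # Willie's point: with separator '/' the Maildir++ name is still dotted
    print(mailbox_to_dir("/home/lukas/Maildir", "", "/", "Sent/Jan"))
```

Run it and the Maildir++ row reports the gate as /var/mail/shared (creation denied for the group member), while the LAYOUT=fs row reports /var/mail/shared/Group1 (creation allowed); the last line prints /home/lukas/Maildir/.Sent.Jan, i.e. the IMAP separator does not change the on-disk name.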
Willie Gillespie
2011-02-08 17:52:07 UTC
Post by Timo Sirainen
Post by Lukas Haase
Is there a way to overcome this problem? Why can't dovecot just use /var/mail/shared/.Group1/.Subfolder? Is there an option to do so? It would make everything a lot easier.
location = maildir:/var/mail/shared:INDEX=~/Maildir/shared:LAYOUT=fs
Ah, didn't know about LAYOUT. That's good to know.
Lukas Haase
2011-02-08 22:20:14 UTC
Dear Timo,

Thank you for your advice!
Post by Timo Sirainen
Post by Lukas Haase
namespace public {
separator = .
prefix = Shared.
location = maildir:/var/mail/shared:CONTROL=~/Maildir/shared
location = maildir:/var/mail/shared:INDEX=~/Maildir/shared
Why? According to the Wiki, CONTROL is used for example for the
subscriptions (I cannot use "subscriptions=no" because my private
namespace is "INDEX." and not empty) and therefore I use it.

Furthermore, according to the Wiki, INDEX can be omitted if all users
have write permissions because this way the index file is shared among
all users.

However, I can also set CONTROL *and* INDEX. I think there is nothing
wrong with that, is there?
Post by Timo Sirainen
[...]
location = maildir:/var/mail/shared:INDEX=~/Maildir/shared:LAYOUT=fs
Wooow, great! Thank you very much!
I found very little documentation on it (although it is mentioned in the
Wiki), so I think that is the reason why I did not know about it.

Thank you very much!

Regards,
Luke
Timo Sirainen
2011-02-08 22:48:26 UTC
Post by Timo Sirainen
Post by Lukas Haase
namespace public {
separator = .
prefix = Shared.
location = maildir:/var/mail/shared:CONTROL=~/Maildir/shared
location = maildir:/var/mail/shared:INDEX=~/Maildir/shared
Why? According to the Wiki, CONTROL is used for example for the subscriptions (I cannot use "subscriptions=no" because my private namespace is "INDEX." and not empty) and therefore I use it.
You can create a prefix="" namespace with list=no hidden=yes where the subscriptions will be saved.
Furthermore, according to the Wiki, INDEX can be omitted if all users have write permissions because this way the index file is shared among all users.
You can't share index files without sharing control files, otherwise they'll be out of sync (IMAP UID <-> maildir filename mapping is only in dovecot-uidlist control file).
However, I can also set CONTROL *and* INDEX. I think there is nothing wrong about it, isn't it?
Yes, but then if any keywords (= custom flags = labels = ..) are used, they're not shared between users. Other users instead will see keywords like "Unknown-1".
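The "out of sync" remark above is easy to reproduce on paper. The following is an added example, not code from the thread or from Dovecot: a small model of the Maildir dovecot-uidlist control file. Its layout follows the version-3 header ("3 V<uidvalidity> N<next uid> G<guid>") and record lines ("<uid> [<ext>...] :<filename>") as described in Dovecot's Maildir format documentation; the message file names and file contents are constructed for the demonstration, and the sync routine is a simplification of what Dovecot does when it assigns UIDs to files it has not seen before.

```python
"""Model of dovecot-uidlist to show why two users with separate CONTROL
directories end up with different UID <-> filename mappings (added
example, not Dovecot code; file contents are constructed)."""


def parse_uidlist(text):
    """Return (header, {uid: filename}) for a version-3 dovecot-uidlist."""
    lines = text.splitlines()
    head = lines[0].split()
    if head[0] != "3":
        raise ValueError("only version 3 uidlists are modelled here")
    header = {"version": 3}
    for field in head[1:]:
        if field[0] == "V":
            header["uidvalidity"] = int(field[1:])
        elif field[0] == "N":
            header["next_uid"] = int(field[1:])
        elif field[0] == "G":
            header["guid"] = field[1:]
    mapping = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        uid_s, rest = line.split(" ", 1)
        # extension fields (W=virtual size, G=guid, ...) never contain ':',
        # so the filename is everything after the first ':'
        _ext, filename = rest.split(":", 1)
        mapping[int(uid_s)] = filename
    return header, mapping


def base_name(filename):
    """Maildir base name: the part before ':'.  The part after it carries
    the flags and is rewritten every time a flag changes."""
    return filename.split(":", 1)[0]


def assign_uids(header, mapping, files_in_cur):
    """Simplified sync: every file in cur/ without a UID gets the next UID,
    in directory-scan order, and N is bumped.  Returns the new next UID."""
    known = {base_name(f) for f in mapping.values()}
    next_uid = header["next_uid"]
    for f in files_in_cur:
        if base_name(f) not in known:
            mapping[next_uid] = f
            known.add(base_name(f))
            next_uid += 1
    header["next_uid"] = next_uid
    return next_uid


def format_uidlist(header, mapping):
    """Render header and records back into the file format (no ext fields)."""
    out = ["3 V%d N%d G%s" % (header["uidvalidity"], header["next_uid"], header["guid"])]
    for uid in sorted(mapping):
        out.append("%d :%s" % (uid, mapping[uid]))
    return "\n".join(out) + "\n"


def divergent_uids(map_a, map_b):
    """UIDs that name different messages in two uidlists."""
    return sorted(uid for uid in set(map_a) | set(map_b)
                  if base_name(map_a.get(uid, "")) != base_name(map_b.get(uid, "")))


# Constructed: user A's private control file, written when the shared
# folder held one message.
UIDLIST_A = """3 V1297166400 N2 G0123456789abcdef0123456789abcdef
1 :1297166401.M1P100.mx,S=1000:2,S
"""
# Constructed: user B's private control file; B has not synced yet.
UIDLIST_B = """3 V1297166400 N1 G0123456789abcdef0123456789abcdef
"""
# Constructed: the files now in the shared cur/.  readdir() order is not
# sorted, so the two users can meet the new files in different orders.
CUR_SEEN_BY_A = ["1297166401.M1P100.mx,S=1000:2,S",
                 "1297166402.M2P100.mx,S=2000:2,",
                 "1297166403.M3P100.mx,S=3000:2,"]
CUR_SEEN_BY_B = ["1297166401.M1P100.mx,S=1000:2,S",
                 "1297166403.M3P100.mx,S=3000:2,",
                 "1297166402.M2P100.mx,S=2000:2,"]


def demo():
    """Sync both users against the same cur/ and compare their mappings."""
    hdr_a, map_a = parse_uidlist(UIDLIST_A)
    hdr_b, map_b = parse_uidlist(UIDLIST_B)
    assign_uids(hdr_a, map_a, CUR_SEEN_BY_A)
    assign_uids(hdr_b, map_b, CUR_SEEN_BY_B)
    return map_a, map_b, divergent_uids(map_a, map_b)


if __name__ == "__main__":
    map_a, map_b, bad = demo()
    for uid in sorted(map_a):
        print(uid, base_name(map_a[uid]), base_name(map_b[uid]))
    print("UIDs whose meaning differs between the two users:", bad)
```

With per-user CONTROL, UID 2 is message M2 for user A and message M3 for user B; a shared index (or anything else keyed by UID, such as a client's cache) then attaches flags to the wrong message for one of them. Keeping one dovecot-uidlist in the shared folder, i.e. not setting CONTROL, is what keeps the mapping identical for everyone.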
Lukas Haase
2011-02-09 11:58:20 UTC
Dear Timo,
Post by Timo Sirainen
Post by Lukas Haase
Post by Timo Sirainen
namespace public {
separator = .
prefix = Shared.
location = maildir:/var/mail/shared:CONTROL=~/Maildir/shared
location = maildir:/var/mail/shared:INDEX=~/Maildir/shared
Why? According to the Wiki, CONTROL is used for example for the
subscriptions (I can not use "subscriptions=no" because my private
namespace is "INDEX." and not empty) and therefore I use it.
[...]
You can create a prefix="" namespace with list=no hidden=yes where
the subscriptions will be saved.
Great hint! This works!

For the archive:

namespace private {
separator = .
prefix = .
inbox = no
list = no
hidden = yes
location = maildir:~/Maildir-root
subscriptions = yes
}

The subscriptions file for the public namespaces are not saved in
~/Maildir-root.
Post by Timo Sirainen
[...]
Yes, but then if any keywords (= custom flags = labels = ..) are
used, they're not shared between users. Other users instead will see
keywords like "Unknown-1".
I re-read the Wiki again and now I understand it.

The usual option will be using dovecot-shared and INDEX=~/Maildir/...
for private Seen flags and index, no CONTROL for shared keywords and
subscriptions = no for private subscriptions in the private parent
namespace.


Thank you very much for these tips!

Regards,
Luke
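For the archive, the three points from this thread put together in one configuration. This is an added example, not a config from the thread or from the Dovecot documentation; it uses the thread's paths and the 1.2-era syntax seen above, assumes the existing private namespace with its non-empty prefix stays as it is, and uses an empty prefix for the hidden namespace as Timo suggested (the thread's own version used "prefix = ." and also worked).

```conf
# Added example: public workgroup namespace with the fixes from the thread.
namespace public {
  separator = .
  prefix = Shared.
  # LAYOUT=fs: Shared.Group1.Subfolder lives at /var/mail/shared/Group1/Subfolder,
  #   so creating it needs write access to .../Group1, not to /var/mail/shared.
  # INDEX=~/...: per-user index; with a dovecot-shared file in the folder this
  #   is where each user's private \Seen flag is kept.
  # No CONTROL=: dovecot-uidlist and dovecot-keywords stay in the shared
  #   folder, so UIDs and keywords mean the same thing for every user.
  location = maildir:/var/mail/shared:INDEX=~/Maildir/shared:LAYOUT=fs
  # subscriptions are stored by the parent namespace, i.e. the prefix="" one
  subscriptions = no
}

# Hidden, unlisted namespace whose only job is to own the subscriptions
# file for the public namespace; no mail is stored here.
namespace private {
  separator = .
  prefix =
  inbox = no
  list = no
  hidden = yes
  location = maildir:~/Maildir-root
  subscriptions = yes
}
```

On the filesystem side the thread's group scheme stays the same: /var/mail/shared owned by the mail user and not group-writable, each /var/mail/shared/Group1 group-owned by group1 and group-writable, plus a dovecot-shared file inside it. Giving the group directory the setgid bit (mode 2770) makes subfolders that Dovecot creates under it inherit group1 rather than the creating user's primary group, which is the usual way to keep later folder creation working for the whole workgroup.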
