Shared folders in dovecot (aka how to hide useful information)

Along with the installation of squirrelmail in the office, it became inconvenient for people to monitor the public e-mail addresses of the business (you know, info@companyname.com and support@companyname.com) through the web interface. The user would have to log out and then log back in with the shared account, which is annoying.

Most IMAP servers have a way to implement shared folders so users can store documents or monitor public e-mail accounts. For example, you have a public support or sales account and you’d like the entire team or company to have access to those e-mails.

I use the dovecot IMAP server v1.2.9, which came with Ubuntu 10.04. The latest version is 2.0, but Ubuntu 10.04 is not using it yet. These instructions may apply to 1.2+, but you’d be best going to the dovecot wiki instead. I also tried the shared folders setup, but I had all sorts of permissions issues and one issue with the shared dict file which I could not resolve, so I gave up. I assume it is a bug.

Note that I am sharing an existing user account’s mailbox through a public namespace rather than through the shared namespace feature mentioned above. The shared namespace would have been the right way to do this, but I could not get it to work.

First, make a backup of the dovecot.conf file:

cd /etc/dovecot
cp dovecot.conf dovecot.conf.bak

Then open dovecot.conf in your favorite editor and scroll down to find the following section:

# REMEMBER: If you add any namespaces, the default namespace must be added
# explicitly, ie. mail_location does nothing unless you have a namespace
# without a location setting. Default namespace is simply done by having a
# namespace with empty prefix.
#namespace private {
# Hierarchy separator to use. You should use the same separator for all
# namespaces or some clients get confused. '/' is usually a good one.
# The default however depends on the underlying mail storage format.
#separator =

This is the default in dovecot: no namespaces are defined at all. To implement a public (or shared) namespace, you will NEED to define the private namespace explicitly. To do this, uncomment the appropriate lines so that the following are set:

namespace private {
separator = /
prefix =
inbox = yes
subscriptions = yes
}

Don’t worry about the commented lines; leave them in there. These are the only lines you need to change.

Now you need to add the public namespace for the public folders to sit underneath. Note that I couldn’t get this to work by pointing the location directly at an e-mail account’s maildir. I’ll get into what I did below, along with the messy filesystem permissions and ACLs.

namespace public {
separator = /
prefix = Public/
location = maildir:/var/mail/Public
subscriptions = no
hidden = no
list = children
}

So this is a public namespace; the choices are private, shared and public. The separator, for subscriptions and e-mail clients, is ‘/’, which is the most common. In the subscriptions list the prefix for these mailboxes is ‘Public’. The public folder is located at /var/mail/Public. With subscriptions = no, subscriptions are handled by the ‘parent’ namespace, i.e. the user’s own subscription list, which is probably what you want. With list = children, the Public folder is only listed if there are folders underneath being shared. Note that the actual path /var/mail/Public is just a container for the maildir folders underneath. The dovecot wiki gives more information on your choices here.

Then you’ll need to add two more lines to enable the ACL plugin, which lets you restrict or grant access to the shared mailboxes for the specific users you want:

protocol imap {
...
mail_plugins = acl imap_acl
}
...
plugin {
...
acl = vfile
}

Now things are set up in the IMAP server, but don’t restart it yet! Next we need to get the filesystem and ACL files right.

I then create the Public folder that the shared subfolders will sit in:

cd /var/mail
mkdir Public
chgrp mail Public
touch Public/dovecot-acl   # ACL file for the namespace root, edited below

I then symlink in the maildir folder I want users to have access to. I did this because the account already existed and I didn’t want to affect any symlinks in the system pointing to (and delivering e-mail into) this folder.

# use an absolute target: a relative one is resolved from inside Public/ and would dangle
ln -s /var/mail/infobox /var/mail/Public/.info

Now I need to give users access to the Public folder, but not yet to the subfolders. The wiki misses some important points here. First you need to allow users to look up and read the public folder. I do this by editing the dovecot-acl file and giving anyone lookup and read access:

cd Public
nano dovecot-acl

and add the following line:

anyone lr

You need to put the same file in the maildir folders (not in the cur/new/tmp folders) and in any subfolders you want users to access. The wiki gives a good explanation of what goes in the ACL; mine looked like this:

user=me keilrswtx
owner akxeilprwts

I could not get the group option working, though I think setting mail_access_groups may fix it. I haven’t tried it.
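As an added check (example code written for this post, not part of it and not dovecot’s own code), here is a small evaluator for dovecot-acl files like the two above (the ‘anyone lr’ root file and the user/owner mailbox file) that reports which rights a given user ends up with, so you can confirm the shared mailbox really is hidden from everyone else. It assumes the simple rule that matching positive entries are unioned and matching ‘-identifier’ entries subtracted, and it does not model group-override.

```python
# Evaluate dovecot-acl files the way this post uses them. Assumption (my
# simplification, not dovecot's code): rights from every matching positive
# entry are unioned, then rights from matching "-identifier" entries are
# removed; group-override= is not modelled.
RIGHTS = set("lrwstipekxa")          # dovecot 1.2 right letters

# Constructed sample ACL files mirroring the post's two files.
ROOT_ACL = "anyone lr\n"                                # Public/dovecot-acl
INFO_ACL = "user=me keilrswtx\nowner akxeilprwts\n"     # Public/.info/dovecot-acl

def parse_acl(text):
    """Yield (negative, identifier, rights) tuples from dovecot-acl text."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ident, _, rights = line.partition(" ")
        rights = set(rights.replace(" ", "")) & RIGHTS
        yield ident.startswith("-"), ident.lstrip("-"), rights

def matches(ident, user, groups, owner):
    """Does an ACL identifier apply to this user (None = anonymous)?"""
    if ident == "anyone":
        return True
    if ident == "authenticated":
        return user is not None
    if ident == "owner":
        return owner is not None and user == owner
    if ident.startswith("user="):
        return ident[len("user="):] == user
    if ident.startswith("group="):
        return ident[len("group="):] in groups
    return False

def effective_rights(text, user, groups=(), owner=None):
    """Union of matching positive rights minus matching negative rights."""
    granted, denied = set(), set()
    for negative, ident, rights in parse_acl(text):
        if matches(ident, user, groups, owner):
            (denied if negative else granted).update(rights)
    return granted - denied

def can_read(text, user, groups=(), owner=None):
    """Seeing and opening a mailbox needs both lookup (l) and read (r)."""
    return {"l", "r"} <= effective_rights(text, user, groups, owner)

def anyone_can_write(text):
    """Audit: does the world get anything beyond lookup and read?"""
    return bool(effective_rights(text, None) - {"l", "r"})
```

Run it against your own dovecot-acl files before restarting dovecot; a user who is not ‘me’ and not the owner should get an empty set for the .info mailbox.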

The last bit is to give the correct file permissions for access. I did this with filesystem ACLs (using setfacl and getfacl). I won’t get into the details here, as they are well documented in many places.

This is what I did (GRP stands for the group that should have access):

cd /var/mail/Public
chmod o+rx .                        # anyone may list and traverse the namespace root
# -d sets the default ACL, which is inherited only by files created later
# (newly delivered mail); existing files and the directories are handled with -m
setfacl -dm g:GRP:rwx .info
cd .info
setfacl -dm g:GRP:rwx cur
setfacl -dm g:GRP:rwx new
setfacl -dm g:GRP:rwx tmp
setfacl -m g:GRP:rwx . cur new tmp  # access ACL so the group can traverse the maildir now
setfacl -m g:GRP:rw cur/*
setfacl -m g:GRP:rw new/*
setfacl -m g:GRP:rw tmp/*

Now I can restart the dovecot server:

service dovecot restart

Using my e-mail client I can see and subscribe to the public folders and read the e-mails.

Job done!