Ok, to answer my own mail, I realized I was reading some of the error
messages wrongly; it turns out that I was missing +x on a directory or
two in the path for one of my groups.
So I have made a bit of progress but am currently stuck here.
doveadm(user-externaldomain.com): Debug: acl vfile: Global ACLs disabled
doveadm(user-externaldomain.com): Error:
fchown(/home/externaldomain.com/homes/user/Maildir/shared_ns1/i...@primarydomain.com,
group=1092(primarydomain.com)) failed: Operation not permitted
(egid=1091(externaldomain.com), group based on
/home/primarydomain.com/homes/info/Maildir - see
http://wiki2.dovecot.org/Errors/ChgrpNoPerm)
doveadm(user-externaldomain.com): Error: Mailbox
@/i...@primarydomain.com/INBOX:
mkdir_parents(/home/externaldomain.com/homes/user/Maildir/shared_ns1/i...@primarydomain.com/.INBOX)
failed: Operation not permitted
doveadm(user-externaldomain.com): Error: Can't open mailbox
@/i...@primarydomain.eu/INBOX: Mailbox @/i...@primarydomain.com/INBOX:
mkdir_parents(/home/externaldomain.com/homes/user/Maildir/shared_ns1/i...@primarydomain.com/.INBOX)
failed: Operation not permitted
I did go through the http://wiki2.dovecot.org/Errors/ChgrpNoPerm page,
and followed the recommended changes to the /var/mail directory, but, it
did not seem to make a difference.
Anyhow, I have pretty much resigned myself to it not being possible
to have shared mailboxes between domains on this system, at least with
the namespaces running under each individual domain. For some reason,
it's bending my brain what exactly is needed.
------ Original Message ------
From: "Andreas T (DC)" <andreas.tyrosvou...@gmail.com>
To: "dovecot@dovecot.org" <dovecot@dovecot.org>
Sent: 2020-07-22 3:42:53 PM
Subject: Mailbox sharing, user to user in same domain, OK! User to user
sharing in separate domains, problem. ( ... and more oh boy!)
Dovecot -n and version present at the bottom of the email for
legibility.
System is a Debian 10 + Virtualmin hosting setup for my domains
-------------------------------------------------------------------
Hello everyone, my first post. Sorry for the long and confusing post,
I'm pretty new to dovecot other than basic functionality.
In the last week I went through the documentation for both
shared (user to user) and public mailboxes and got them both working.
It took me a bit, but eventually I figured it out; I am still
encountering some stubborn scenarios.
I am having some issues with 2 types of sharing. (I believe problems A
and B are related, as the errors are similar permission-based errors.)
For inconsistencies in the user account names, u...@domain.com vs
user-domain.com, please see issue C, for which my workaround is functional.
A.)
Sharing user to user within the same domain works fine.
Sharing user to user in different domains gives me some permission
errors.
Permissions have been granted (using Linux ACLs for more fine-grained
permissions) as far as I can tell.
Trying to share the info "INBOX" (fullshare, same issue for single
boxes as well) from the i...@primarydomain.com to
u...@externaldomain.com
from i...@primarydomain.com Maildir
cat dovecot-acl
user=user-externaldomain.com akxeilprwts
getfacl dovecot-acl
# file: dovecot-acl
# owner: i...@primarydomain.com
# group: primarydomain.com
user::rw-
user:u...@externaldomain.com:rwx #effective:rw-
user:i...@primarydomain.com:rwx #effective:rw-
group::---
mask::rw-
other::---
doveadm acl debug -u user-externaldomain.com
"@/i...@primarydomain.com/INBOX"
doveadm(user-externaldomain.com): Error:
stat(/home/primarydomain.com/homes/info/Maildir/tmp) failed: Permission
denied (euid=1121(u...@externaldomain.com) egid=1091(holanow.com)
missing +x perm: /home/primarydomain.com, we're not in group
1092(primarydomain.com), dir owned by 1126:1092 mode=0750)
doveadm(user-externaldomain.com): Error: Can't open mailbox
@/i...@primarydomain.com/INBOX:
stat(/home/primarydomain.com/homes/info/Maildir/tmp) failed: Permission
denied (euid=1121(u...@externaldomain.com) egid=1091(holanow.com)
missing +x perm: /home/primarydomain.com, we're not in group
1092(primarydomain.com), dir owned by 1126:1092 mode=0750)
getfacl /home/primarydomain.com/homes/info/Maildir/tmp
# file: home/primarydomain.com/homes/info/Maildir/tmp
# owner: i...@primarydomain.com
# group: primarydomain.com
user::rwx
user:u...@externaldomain.com:rwx
user:i...@primarydomain.com:rwx
group::---
mask::rwx
other::---
default:user::rwx
default:user:u...@externaldomain.com:rwx
default:user:i...@primarydomain.com:rwx
default:group::---
default:mask::rwx
default:other::---
getfacl /home/primarydomain.com/homes/info/Maildir
# file: home/primarydomain.com/homes/info/Maildir/
# owner: i...@primarydomain.com
# group: primarydomain.com
user::rwx
user:u...@externaldomain.com:rwx
user:i...@primarydomain.com:rwx
group::---
mask::rwx
other::---
default:user::rwx
default:user:u...@externaldomain.com:rwx
default:user:i...@primarydomain.com:rwx
default:group::---
default:mask::rwx
default:other::---
B.)
Public mailboxes, i.e. mailboxes that are physically present in the public
mail dir, work fine.
Public boxes which are symlinks to mailboxes of other users, with
correct permissions and ACLs, always give me permission errors and do not
show up publicly.
These types of mailboxes do show up if the person already has a user to
user share set up with those boxes, which due to problem A means only
within the same domain.
Similar errors as to the A scenario, even if giving complete rwx access
to all (user/group/other) I still get permission denied issues.
It just feels like dovecot isn't even trying to access the files.
C. Tiny "other" problem I have worked around already.
dovecot-acl, when using users via their u...@domain.com account, doesn't
look up the user correctly.
I already have set,
auth_username_translation = @-
which works when users log in, but it doesn't seem to work with
dovecot-acl files.
I have helper account pointers replacing the @ with - and then the ACL
file works fine.
Would prefer acl files contain,
user=us...@primarydomain.com akxeilprwts
user=us...@primarydomain.com akxeilprwts
But this works and is not a show stopper.
user=user1-primarydomain.com akxeilprwts
user=user2-primarydomain.com akxeilprwts
--------------------------------------------
dovecot --version
2.3.4.1 (f79e8e7e4)
# 2.3.4.1 (f79e8e7e4): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.4 ()
# OS: Linux 5.4.44-2-pve x86_64 Debian 10.4
# Hostname: vps1.abclution.com
doveconf: Warning: please set ssl_dh=</etc/dovecot/dh.pem
doveconf: Warning: You can generate it with: dd
if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dhparam
-inform der > /etc/dovecot/dh.pem
auth_mechanisms = plain login
auth_username_translation = @-
mail_debug = yes
mail_location = maildir:~/Maildir
mail_plugins = acl
namespace inbox {
inbox = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix =
separator = /
}
namespace public_ns1 {
location =
maildir:/home/.Public_Mailboxes:INDEX=~/Maildir/public_ns1:INDEXPVT=~/Maildir/public_ns1
prefix = Public/
separator = /
subscriptions = no
type = public
}
namespace shared_ns1 {
list = yes
location =
maildir:%%h/Maildir:INDEX=~/Maildir/shared_ns1/%%u:INDEXPVT=~/Maildir/shared_ns1/%%u
prefix = @/%%u/
separator = /
subscriptions = no
type = shared
}
passdb {
driver = pam
}
plugin {
acl = vfile
acl_anyone = allow
acl_defaults_from_inbox = yes
acl_shared_dict = file:%h/Maildir/shared-mailboxes
}
protocols = " imap pop3"
service auth {
unix_listener auth-userdb {
mode = 0777
}
}
ssl_cert = </etc/dovecot/dovecot.cert.pem
ssl_cipher_list =
ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:RC4:HIGH:MEDIUM:+TLSv1:+TLSv1.1:+TLSv1.2:!MD5:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_prefer_server_ciphers = yes
userdb {
driver = passwd
}
protocol imap {
mail_plugins = acl imap_acl
}
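As an added example (not code from either message in this thread, nor from Dovecot), the following Python models the two checks behind the quoted errors: the per-component +x traverse test behind the stat() "missing +x perm" error in the original post, and the group-membership rule behind the fchown() "Operation not permitted" error in the reply. The uid/gid/mode values in SAMPLE_STATS are constructed from the error text (dir owned by 1126:1092 mode 0750, user euid 1121 egid 1091); plain mode bits only are modelled, not the POSIX ACLs the poster set with setfacl, which matches the 0750 case Dovecot reported for /home/primarydomain.com.

```python
import os
import stat
from typing import Dict, Iterable, List, Optional, Tuple

# (owner uid, group gid, mode bits) of one directory; POSIX ACLs are not modelled.
DirStat = Tuple[int, int, int]
# Constructed from the thread's errors: /home/primarydomain.com is 1126:1092 mode 0750.
SAMPLE_STATS: Dict[str, DirStat] = {
    "/": (0, 0, 0o755),
    "/home": (0, 0, 0o755),
    "/home/primarydomain.com": (1126, 1092, 0o750),
}

def ancestors(path: str) -> List[str]:
    """'/a/b/c' -> ['/', '/a', '/a/b', '/a/b/c']: every directory to be entered."""
    parts = path.strip("/").split("/")
    return ["/" + "/".join(parts[:i]) for i in range(len(parts) + 1)]

def can_traverse(st: DirStat, uid: int, gids: Iterable[int]) -> bool:
    """Unix +x check: owner bit if we own it, group bit if we are in its group,
    otherwise the 'other' bit; root bypasses the check entirely."""
    owner, group, mode = st
    if uid == 0:
        return True
    if uid == owner:
        return bool(mode & stat.S_IXUSR)
    if group in set(gids):
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)

def first_missing_x(path: str, stats: Dict[str, DirStat], uid: int,
                    gids: Iterable[int]) -> Optional[str]:
    """Return the first ancestor of path this identity cannot enter, as Dovecot's
    'missing +x perm' diagnostic does, or None; dirs absent from `stats` pass."""
    gids = set(gids)
    for a in ancestors(path):
        if a in stats and not can_traverse(stats[a], uid, gids):
            return a
    return None

def can_chgrp(target_gid: int, uid: int, gids: Iterable[int]) -> bool:
    """Unprivileged chgrp (the fchown() in the reply) only succeeds for a group
    the process is a member of; root (CAP_CHOWN) is exempt."""
    return uid == 0 or target_gid in set(gids)

def stats_from_fs(path: str) -> Dict[str, DirStat]:
    """Build the same table for a real path with os.stat() on every ancestor."""
    return {a: (s.st_uid, s.st_gid, stat.S_IMODE(s.st_mode))
            for a in ancestors(os.path.abspath(path)) for s in [os.stat(a)]}
```

On a live host, `first_missing_x(p, stats_from_fs(p), uid, gids)` with the sharing user's uid and full group list reproduces the same diagnosis Dovecot prints, and `can_chgrp` with the mail root's group tells you whether the user needs to be added to that group (or the root's group changed) before the shared_ns1 index directory can be created.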