Re: Group-readable email and overridden ACLs

  • Victor Duchovni
    Message 1 of 3 , Aug 23, 2011
      On Tue, Aug 23, 2011 at 11:11:31AM -0400, Wietse Venema wrote:

      > Kasper Loopstra:
      > > Dear list members,
      > >
      > > In our setup we have various mailboxes that have to be read (and edited)
      > > by groups of people. All these groups are defined in LDAP, as are the
      > > members (everything uses PAM, so all these accounts are on the system as
      > > well). The email is accessed by Dovecot, binding with the LDAP server as
      > > the user owning the mail. This means that all the mail for a certain
      > > user has to be accessible to that user on the system, otherwise Dovecot
      > > cannot read it. We use public namespaces in Dovecot to achieve this.
      > >
      > > Our problem is that postfix gives permissions 700 to all messages
      > > (overriding default ACL's). The messages may be owned by the correct
      > > group for a user, and be in the right folder, but still cannot be read
      > > by Dovecot (and our users). Hopefully, there is a more elegant solution
      > > than monitoring the filesystem for edits and changing the permissions
      > > when a mail folder is edited.
      >
      > In this case, the solution would be to deliver and read the mail
      > with dovecot, and to configure the permissions with Dovecot if
      > possible.
      >
      > Postfix implements only bare-bones email delivery and does not
      > support access by multiple UIDs other than the owner and root.

      Support for multi-user access is the job of the mail-store, not the MTA.
      IMAP servers like Cyrus, Dovecot, ... have appropriate mailbox access-control
      mechanisms that allow access by multiple (typically IMAP) users, and in some
      cases access to the underlying files via local clients running as the user.

      Work with the mail-store. Direct access to the underlying files is probably
      not a good idea.

      --
      Viktor.
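    The configuration below is an added example of the approach recommended in this thread (let Dovecot do the delivery, and let Dovecot's own public namespace and ACLs govern who may read the shared folders); it is not taken from the original messages or from the Postfix or Dovecot documentation shipped with either project. The group name mail-shared, the paths /var/mail/public and /usr/libexec/dovecot/dovecot-lda, and the folder name Public/Support are assumptions chosen for illustration. Delivering through dovecot-lda instead of Postfix's local(8) mailbox writer matters because Dovecot derives the mode of new mail files from the mail root directory, so a setgid, group-writable root yields group-readable messages without any post-delivery chmod.

```ini
# --- Postfix: /etc/postfix/main.cf (path to dovecot-lda is an assumption) ---
# Hand every local mailbox to Dovecot's LDA instead of writing the Maildir
# ourselves; Postfix runs this as the recipient user, and Dovecot creates the
# files with permissions taken from the mail root directory.
mailbox_command = /usr/libexec/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT"

# --- Dovecot: /etc/dovecot/conf.d/10-mail.conf (group name is hypothetical) ---
# Supplementary group added to every mail process, so any IMAP user or LDA
# run can open files owned by the shared group without being root.
mail_access_groups = mail-shared

# Shared folders live outside any single user's home; INDEX keeps per-user
# index files private so users do not clobber each other's caches.
# The root /var/mail/public must be owned by group mail-shared with mode 2770
# (setgid + group rw) so new folders and files inherit group access.
namespace public {
  type = public
  separator = /
  prefix = Public/
  location = maildir:/var/mail/public:INDEX=~/Maildir/public-index
  subscriptions = no
  list = yes
}

# --- Dovecot: /etc/dovecot/conf.d/90-acl.conf ---
# Enable the ACL plugin for IMAP and LDA so per-folder access is decided by
# Dovecot, not by whoever happens to own the underlying files.
mail_plugins = $mail_plugins acl
protocol lda {
  mail_plugins = $mail_plugins acl
}
plugin {
  acl = vfile
}

# --- Per-folder ACL: /var/mail/public/.Support/dovecot-acl (folder name assumed) ---
# Members of the group get lookup, read, write flags, seen, deleted, insert,
# post, expunge, create, delete; nobody gets the admin right ("a"), so the
# ACL itself can only be changed on the filesystem by an administrator.
group=mail-shared lrwstipekx
```

    Check the result rather than trusting the config: deliver one test message to the shared folder, then `ls -l /var/mail/public/.Support/new/` should show the file as group mail-shared with group read permission, and `doveadm acl get -u someuser Public/Support` should list the group's rights. If the file still lands as 0600, the mail root directory was not setgid and group-writable, or Postfix is still writing the Maildir itself and mailbox_command is not in effect (check `postconf mailbox_command`).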