Search K
Appearance
Shared Mailboxes in Dovecot Pro
As mentioned in Palomar Architecture, you can't have multiple servers accessing the same user at the same time or it will lead into trouble. This can become problematic with shared mailboxes, because two users who are sharing a folder may run in different servers.
The solution is to access the shared folders via IMAP protocol, which passes through the Dovecot proxies so the actual filesystem access is done only on a single server.
There are some limitations for this kind of use case:
imapc_*settings are global. You can't have two different namespaces with different imapc settings yet.- The imapc code doesn't support some IMAP features. Most importantly SORT isn't supported, which may result in lower performance.
Configuring User-shared Folders
You'll need to setup master user logins to work for all the users. The logged in user becomes the master user. The master user doesn't actually have any special privileges. It's just used to get ACLs applied correctly using permissions of the master user (the logged in user). It is supported to access shared mailboxes of users which live on other backends via the IMAP protocol. For this purpose shared mailboxes in a cluster must be accessed via another namespace which has mail_driver configured to use imapc.
It is recommended to disable shared namespaces for master users so you should add userdb_namespace/shared/disabled=yes to your master passdb as a passdb: Extra Fields.
Depending on the authentication configuration, it may be necessary to also override the acl_user via userdb: Extra Fields like: userdb_acl_user=%{auth_user}.
Mailboxes in the shared namespace can be accessed using the given namespace prefix. For example the user someone1 could have access to a mailbox(shared_mailbox) owned by the user someone2. To access mails in this mailbox someone1 would access a mailbox with the name shared/someone2/shared_mailbox. The permissions which are given to someone1 on this mailbox are determined by ACLs.
Example:
namespace shared {
type = shared
prefix = shared/$user/
list = children
subscriptions = no
mail_driver = imapc
mail_path = ~/shared/%{owner_user}
# Use private indexes to enable per-user \Seen flags:
mail_index_private_path = ~/shared-pvt/%{owner_user}
}INFO
Obox relies on having the mail_index_private_path configured to ~/shared-pvt. Otherwise the private indexes are not tracked by metacache and can get lost if user changes backends.
INFO
See shared mailbox expansion documentation for an explanation more details on the used variables.
Additionally imapc must be configured accordingly on the backends:
- On backends either passdb or userdb for non-master users must return
userdb_imapc_master_user=%{user}orimapc_master_user=%{user} imapc_master_userbecomes set using userdb. In case of a simple setupimapc_master_usercan also be just set to%{user}(the logged in user).imapc_passwordmust be set to the master password which is configured on all backends and proxiesimapc_hostmust point to a load balancer's address that connects to Dovecot Proxy
imapc_host = proxy-load-balancer
imapc_ssl = imaps
# This %variable will be automatically filled with the destination username.
#imapc_user = %{owner_user}
imapc_password = master-secretThe acl plugin must be loaded and configured:
mail_plugins {
acl = yes
}
acl_driver = vfile
acl_sharing_map {
#dict ... {
#}
}
namespace shared {
acl_ignore = yes
}
# In order to be able to issue ACL commands over imap, imap_acl must be loaded
protocol imap {
mail_plugins {
imap_acl = yes
}
}The ACL plugin must be told to ignore the shared namespace and all its children using the acl_ignore = yes setting.
The shared dictionary needs to be accessible from all the backends. The possibilities are:
| Dictionary Type | Description |
|---|---|
file | A single shared file in filesystem. This becomes a performance bottleneck easily if there are many in a shared filesystem. |
fs posix | Shared directory in filesystem. This will create many small files in a shared filesystem. |
sql | Shared SQL server |
| Other shared dictionaries] | See shared mailbox listing |
Shared Folders and Quota
Quota is automatically handled for shared namespaces without any explicit configuration.
See quota plugin for more details.
Example Configuration
The following snippets show important configuration parts for configuring cluster wide sharing of mailboxes. The following snippets are not complete configuration.
Dovecot Proxy Configuration
passdb {
driver = static
master = yes
fields {
proxy = y
}
args = password=imapcpass
}
passdb {
driver = static
args = proxy=y password=masterpass
}Dovecot Backend Configuration
mail_plugins {
acl = yes
}
imapc_host = <proxy-load-balancer>
imapc_password = imapcpass
mail_shared_explicit_inbox = yes
imapc_user = %{owner_user}
namespace shared {
type = shared
prefix = shared/$user/
separator = /
list = children
subscriptions = no
mail_driver = imapc
mail_path = ~/shared/$user
mail_index_private_path = ~/shared-pvt/%{owner_user}
}
namespace inbox {
inbox = yes
}
passdb {
# masterpass is the normal users master password
args = password=masterpass userdb_imapc_master_user=%{user}
driver = static
}
passdb {
driver = static
master = yes
# imapcpass is the master password used for master logins (via imapc)
args = password=imapcpass userdb_namespace/shared/disabled=yes userdb_acl_user=%{auth_user}
}
dict_server {
# Any shared dictionary is suitable, this is just an example using mysql
dict acl-mysql {
driver = sql
sql_driver = mysql
dict_map shared/shared-boxes/user/$to/$from {
sql_table = user_shares
value_field dummy {
}
key_field from_user {
value = $from
}
key_field to_user {
value = $to
}
}
dict_map shared/shared-boxes/anyone/$from {
sql_table = anyone_shares
value_field dummy {
}
key_field from_user {
value = $from
}
}
}
}
acl_driver = vfile
namespace shared {
acl_ignore = yes
}
acl_sharing_map {
dict proxy {
name = acl-mysql
}
}
protocol imap {
mail_plugins {
imap_acl = yes
}
}
#mail_plugins {
# quota = yes
#}
#quota "User storage" {
# quota_storage_size = 1G
#}