Initial Status
I receive a considerable number of system and customer emails: mailman mailing lists, OTRS communications, git commit messages and the results of self-check procedures.
All of them were distributed by email not only to me, but also to every sysadmin in our group, so that each of us could filter and search them with his usual email client.
To reduce the amount of distributed and duplicated emails I have set up a shared read-only IMAP mailbox with Dovecot on an Ubuntu 14.04 LTS system.
The advantages of such a mailbox are:
- reduced filesystem overhead
- each user has his own access credentials (from files or LDAP)
- shared emails can't be deleted, so the mailbox serves as an easily searchable archive
- seen flags on shared emails are kept per user
- folder subscription works
Dovecot Configuration
Installation
Installation of stock Ubuntu Trusty 14.04 dovecot:
apt-get install dovecot-core
apt-get install dovecot-imapd
Check Version
root@sharedmails:/etc/dovecot/conf.d # dovecot --version
2.2.9
Overload default configuration
I override the default Dovecot configuration from Ubuntu with the config snippet below.
The most tricky and important configuration option is:
location = maildir:/var/imap/shruser:CONTROL=/var/imap/%u/shruser:INDEXPVT=/var/imap/%u/shruser:INDEX=/var/imap/%u/shruser
- maildir as mail storage format
- CONTROL, INDEXPVT and INDEX are stored per user and managed inside his own mailbox directory, so the shared Maildir itself is never written to by users
cat /etc/dovecot/conf.d/99-mydomain-shared-mailbox.conf
99-mydomain-shared-mailbox.conf
# we use Maildir
mail_location = maildir:/var/imap/%u

## each user gets a private inbox and a shared inbox
namespace inbox {
  type = private
  separator = /
  prefix =
  inbox = yes
}
namespace {
  type = public
  separator = /
  prefix = shared/
  location = maildir:/var/imap/shruser:CONTROL=/var/imap/%u/shruser:INDEXPVT=/var/imap/%u/shruser:INDEX=/var/imap/%u/shruser
  subscriptions = no
  list = children
}

## IMAP with TLS, and force TLS
ssl = required
ssl_cert = </etc/ssl/certs/SSL_wildcard.mydomain.com.pem
ssl_key = </etc/ssl/private/SSL_wildcard.mydomain.com.key
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = ...
ssl_prefer_server_ciphers = yes

## disable plaintext passwords without TLS
disable_plaintext_auth = yes

## improve logging
mail_plugins = $mail_plugins zlib mail_log notify
login_log_format_elements = "user=<%u> method=%m rip=%r lip=%l mpid=%e %c %k"

## activate ACLs for read-only mailboxes
# append to the list; a bare "mail_plugins = acl" would replace the plugins set above
mail_plugins = $mail_plugins acl
protocol imap {
  mail_plugins = $mail_plugins imap_acl
}
plugin {
  # Without global ACLs:
  acl = vfile
}

## enable debugging until the setup is in production
mail_debug = yes
So that each user can see but not delete emails, ACLs must be set on the shared mailbox. The Dovecot 2.2.x documentation is (or was) not really clear on this point: anyone needs the right to set the per-user seen flag (right: s), otherwise clients cannot mark shared mails as read.
cat /var/imap/shruser/dovecot-acl
dovecot-acl
owner lrwstipekxa
anyone lrs
Sharing of the emails is activated by an empty file in the filesystem:
cat /var/imap/shruser/dovecot-shared
dovecot-shared
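As an added example (not part of the original post), a small Python checker for the dovecot-acl format shown above: it parses the identifier/rights lines and reports any non-owner identifier that has been granted more than lookup, read and write-seen (lrs), i.e. anything that would let users modify or delete the shared archive, and also flags a readable identifier that lacks the s right discussed above. The check logic and the two sample ACL files are mine; the rights letters and names are Dovecot's.

```python
import re
from typing import List, Tuple

# Dovecot ACL rights letters and their long names (as in the post's 'lrwstipekxa')
RIGHT_NAMES = {
    "l": "lookup", "r": "read", "w": "write", "s": "write-seen",
    "t": "write-deleted", "i": "insert", "p": "post", "e": "expunge",
    "k": "create", "x": "delete", "a": "admin",
}
NAME_TO_LETTER = {name: letter for letter, name in RIGHT_NAMES.items()}
# All a read-only archive needs to grant non-owners: list, read, per-user \Seen flag
READ_ONLY_ALLOWED = frozenset("lrs")


def parse_dovecot_acl(text: str) -> List[Tuple[str, frozenset]]:
    """Parse 'identifier rights...' lines into (identifier, set of letters).
    Rights may be letters (lrs) or names (lookup read); '#' lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ident, *tokens = line.split()
        letters = set()
        for tok in tokens:
            if tok in NAME_TO_LETTER:
                letters.add(NAME_TO_LETTER[tok])
            elif re.fullmatch(r"[lrwstipekxa]+", tok):
                letters.update(tok)
            else:
                raise ValueError(f"line {lineno}: unknown right {tok!r}")
        entries.append((ident, frozenset(letters)))
    return entries


def check_read_only(text: str) -> List[str]:
    """Return findings for identifiers that break the read-only archive intent."""
    findings = []
    for ident, rights in parse_dovecot_acl(text):
        if ident == "owner" or ident.startswith("-"):
            continue  # owner manages the archive; '-id' lines only take rights away
        extra = rights - READ_ONLY_ALLOWED
        if extra:
            names = ", ".join(RIGHT_NAMES[c] for c in sorted(extra))
            findings.append(f"{ident}: has {''.join(sorted(extra))} ({names})")
        if "r" in rights and "s" not in rights:
            findings.append(f"{ident}: lacks s, users cannot keep their own seen flags")
    return findings


# Constructed samples: the post's ACL and a variant that would let anyone modify mail
GOOD_ACL = "owner lrwstipekxa\nanyone lrs\n"
BAD_ACL = "owner lrwstipekxa\nanyone lrswt\nauthenticated lookup read\n"
```

Run `check_read_only(open('/var/imap/shruser/dovecot-acl').read())` on the server; an empty list means the shared mailbox grants nothing beyond lrs to non-owners.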
Setup with Puppet
I have set up the configuration with Puppet (version 3.x). My recipe for the setup is:
# == Node: sharedmails
node sharedmails inherits default {
  # install wildcard cert for TLS
  include c_mydomain::wildcard_cert

  # packages for mail delivery and filtering
  ensure_packages([ 'dovecot-core', 'dovecot-imapd', 'procmail' ])

  # IMAP mailbox locations
  file { '/var/imap':
    ensure => directory,
    owner  => 'dovecot',
    group  => 'dovecot',
    mode   => '1777';
  }

  # extra user owning the content of the shared mailbox
  user { 'shruser':
    ensure     => present,
    shell      => '/bin/bash',
    managehome => true,
    gid        => '1000';
  }

  # dovecot read-only mailbox environment
  file { '/var/imap/shruser':
    ensure => directory,
    owner  => 'shruser',
    group  => 'mydomain',
    mode   => '2770';
  }

  ### shared mailbox environment
  file { '/var/imap/shruser/dovecot-acl':
    ensure => present,
    owner  => 'shruser',
    group  => 'mydomain',
    mode   => '0644',
    source => 'puppet:///modules/c_mydomain/sharedmails/dovecot-acl';
  }
  file { '/var/imap/shruser/dovecot-shared':
    ensure => present,
    owner  => 'shruser',
    group  => 'mydomain',
    mode   => '0644',
    source => 'puppet:///modules/c_mydomain/sharedmails/dovecot-shared';
  }

  ### configure dovecot environment
  file { '/etc/dovecot/conf.d/99-mydomain-shared-mailbox.conf':
    ensure => 'present',
    source => 'puppet:///modules/c_mydomain/sharedmails/99-mydomain-shared-mailbox.conf',
  }

  ### mail filter with procmail
  file { '/home/shruser/.procmailrc':
    ensure => 'present',
    owner  => 'shruser',
    group  => 'mydomain',
    mode   => '0644',
    source => 'puppet:///modules/c_mydomain/sharedmails/procmailrc_shruser',
  }
Enjoy!