dovecot shared read-only mailbox on Ubuntu 14.04

By Roman Plessl

Initial Status

I have a considerable number of emails for system and customer messages: mailman mailing lists, OTRS communications, git commit messages and results of self-checking procedures.

All of them have been distributed not only to me by email, but also to each sysadmin in our group, so that every one of them has been able to filter and search them with his own preferred email client.

To reduce the amount of distributed and duplicated emails I have set up a shared read-only IMAP mailbox with Dovecot on an Ubuntu 14.04 LTS system.

The advantages of such a mailbox are:

  • reduced filesystem overhead
  • each user has his own access credentials (from files or LDAP)
  • shared emails can't be deleted (so it can be used as an easily searchable archive)
  • shared emails have per-user seen flags
  • directory subscription works

Dovecot Configuration


Installation of the stock Ubuntu Trusty 14.04 Dovecot packages:

apt-get install dovecot-core
apt-get install dovecot-imapd

Check Version

root@sharedmails:/etc/dovecot/conf.d # dovecot --version

Override default configuration

I override the default Dovecot configuration from Ubuntu with the config snippet below.

The most tricky and important configuration option is the location of the public namespace:

location = maildir:/var/imap/shruser:CONTROL=/var/imap/%u/shruser:INDEXPVT=/var/imap/%u/shruser:INDEX=/var/imap/%u/shruser

  • maildir as mail storage format, with the messages read from the shared directory /var/imap/shruser
  • CONTROL, INDEXPVT and INDEX are stored and managed per user (%u) inside his own mailbox tree, so Dovecot never has to write index or control files into the shared Maildir; INDEXPVT is what gives every user his own private \Seen flags without renaming the shared message files
cat /etc/dovecot/conf.d/99-mydomain-shared-mailbox.conf


# we use Maildir
mail_location = maildir:/var/imap/%u

## each user gets a private inbox and a shared inbox
namespace inbox {
  type = private
  separator = /
  prefix =
  inbox = yes
}

namespace {
  type = public
  separator = /
  prefix = shared/
  # messages come from the shared Maildir; control files, the private index
  # (per-user \Seen flags) and the index live in the user's own tree
  location = maildir:/var/imap/shruser:CONTROL=/var/imap/%u/shruser:INDEXPVT=/var/imap/%u/shruser:INDEX=/var/imap/%u/shruser
  subscriptions = no
  list = children
}

## IMAP with TLS and force TLS
ssl = required
ssl_cert = </etc/ssl/certs/
ssl_key = </etc/ssl/private/
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = ...
ssl_prefer_server_ciphers = yes

## disable plaintext passwords without TLS
disable_plaintext_auth = yes

## improve logging
mail_plugins = $mail_plugins zlib mail_log notify
login_log_format_elements = "user=<%u> method=%m rip=%r lip=%l mpid=%e %c %k"

## activate ACLs for read-only mailboxes
# keep $mail_plugins here: a bare "mail_plugins = acl" would replace the list
# set above and silently drop zlib, mail_log and notify
mail_plugins = $mail_plugins acl
protocol imap {
  mail_plugins = $mail_plugins imap_acl
}
plugin {
  # Without global ACLs:
  acl = vfile
}

## enable debugging until production
mail_debug = yes
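
To see whether the CONTROL/INDEXPVT/INDEX overrides are actually in effect, here is a small POSIX shell check (an added example, not code from the original post) that treats the shared Maildir as a pure message store: it expects cur/, new/, tmp/, the dovecot-acl and dovecot-shared files, and flags any of Dovecot's index or control files (dovecot.index*, dovecot.list.index*, dovecot-uidlist*, dovecot-keywords) found outside cur/new/tmp, because those only show up in the shared tree when a session opened it with the default in-place index and control paths. The paths follow the settings above; the root directory and the shared user are parameters (assumed defaults /var/imap and shruser), so the check can also be run against a scratch tree.

```shell
#!/bin/sh
# Added example (not from the original post): check on disk that the shared
# Maildir is a pure message store. With CONTROL, INDEXPVT and INDEX pointed at
# /var/imap/%u/shruser, Dovecot must never write its bookkeeping files into
# /var/imap/shruser itself; if it did, some session opened the directory with
# the default in-place index/control paths. Root and shared user are
# parameters (assumed defaults: /var/imap and shruser).

# Files Dovecot keeps in a mailbox's INDEX directory (dovecot.index*,
# dovecot.list.index*) and CONTROL directory (dovecot-uidlist*, dovecot-keywords).
# cur/, new/ and tmp/ only ever contain messages, so they are pruned.
stray_bookkeeping() {   # usage: stray_bookkeeping <shared maildir>
    find "$1" \( -name cur -o -name new -o -name tmp \) -prune -o -type f \
        \( -name 'dovecot.index*' -o -name 'dovecot.list.index*' \
           -o -name 'dovecot-uidlist*' -o -name 'dovecot-keywords' \) -print
}

# Returns 0 when the shared Maildir looks as intended, 1 otherwise, and
# prints every problem found.
check_shared_maildir() {   # usage: check_shared_maildir <root> [<shared user>]
    root=$1; shared=${2:-shruser}
    maildir="$root/$shared"
    status=0
    for d in cur new tmp; do
        [ -d "$maildir/$d" ] || { echo "missing $maildir/$d"; status=1; }
    done
    # Dovecot takes the permissions for files it creates from dovecot-shared
    [ -f "$maildir/dovecot-shared" ] || { echo "missing $maildir/dovecot-shared"; status=1; }
    # without dovecot-acl there is no read-only rule at all
    [ -f "$maildir/dovecot-acl" ] || { echo "missing $maildir/dovecot-acl"; status=1; }
    strays=$(stray_bookkeeping "$maildir")
    if [ -n "$strays" ]; then
        echo "index/control files inside the shared Maildir (per-user paths not in effect?):"
        echo "$strays"
        status=1
    fi
    return $status
}

# run as a script: check_shared_maildir.sh /var/imap [shruser]
if [ $# -ge 1 ]; then
    check_shared_maildir "$@"
fi
```

Run it on the server as `sh check_shared_maildir.sh /var/imap` after a few users have logged in and read the shared folders; a clean run means all index and control data ended up under /var/imap/<user>/shruser as intended.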

So that each user can see but not delete emails, ACLs must be set. The documentation of Dovecot 2.2.x is / was not really clear on this point: anyone needs the right to set his own seen flag (option: s), otherwise a user could read the messages but his \Seen flag changes would not be stored. The letters in the file below mean l = lookup (the mailbox is listed), r = read and s = write the \Seen flag; the owner (shruser, who delivers the mail) keeps every right. Note that "anyone" also matches anonymous logins; if anonymous IMAP is ever enabled, "authenticated" is the identifier to use instead.

cat /var/imap/shruser/dovecot-acl


owner lrwstipekxa
anyone lrs
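
As a quick check that the ACL really is read-only for everyone except the owner, here is a small POSIX shell script (an added example, not code from the original post) that lints a dovecot-acl file for exactly the property needed here: every identifier other than owner gets l, r and s and nothing else. It understands both the letter form used in the file and the long names (lookup, read, write-seen, ...) that doveadm prints, so the same check can be run against the rights Dovecot actually computes for a user with `doveadm acl rights` (Dovecot 2.2). The ACL embedded in the script is a constructed copy of the file above; the mailbox name passed to the live check is an assumption, since it depends on which folder procmail delivers into under the shared/ prefix.

```shell
#!/bin/sh
# Added example (not from the original post): lint a Dovecot 2.2 dovecot-acl
# file for the "list, read and mark seen, but never modify" property of a
# shared read-only mailbox, and optionally compare with the live rights
# Dovecot computes for a user via `doveadm acl rights`.
#
# Dovecot ACL rights, letter / long form:
#   l lookup  r read  w write  s write-seen  t write-deleted
#   i insert  p post  e expunge  k create  x delete  a admin

# Normalise a rights spec to letters: accepts the letter form used in
# dovecot-acl ("lrs") and the long names doveadm prints ("lookup read write-seen").
acl_to_letters() {
    out=""
    for tok in $1; do
        case "$tok" in
            lookup)        out="${out}l" ;;
            read)          out="${out}r" ;;
            write)         out="${out}w" ;;
            write-seen)    out="${out}s" ;;
            write-deleted) out="${out}t" ;;
            insert)        out="${out}i" ;;
            post)          out="${out}p" ;;
            expunge)       out="${out}e" ;;
            create)        out="${out}k" ;;
            delete)        out="${out}x" ;;
            admin)         out="${out}a" ;;
            *)             out="${out}${tok}" ;;   # already a letter string
        esac
    done
    printf '%s' "$out"
}

# A read-only archive with a private \Seen flag means: l, r and s present,
# none of w t i p e k x a. Prints "ok" or the first violation; returns 1 on violation.
acl_readonly_check() {
    letters=$(acl_to_letters "$1")
    for need in l r s; do
        case "$letters" in
            *"$need"*) ;;
            *) echo "missing right '$need': users could not list, read or mark seen"; return 1 ;;
        esac
    done
    for bad in w t i p e k x a; do
        case "$letters" in
            *"$bad"*) echo "forbidden right '$bad': the archive would be modifiable"; return 1 ;;
        esac
    done
    echo ok
}

# Lint the content of a dovecot-acl file passed as one string. Every identifier
# except "owner" (shruser, who delivers via procmail) must pass the check.
# "anyone" also matches anonymous logins, "authenticated" does not.
lint_dovecot_acl() {
    status=0
    while read -r ident rights; do
        case "$ident" in
            ''|'#'*|owner) continue ;;
        esac
        msg=$(acl_readonly_check "$rights") || status=1
        echo "$ident: $msg"
        if [ "$ident" = anyone ]; then
            echo "$ident: note: 'anyone' includes anonymous logins, 'authenticated' is tighter"
        fi
    done <<EOF
$1
EOF
    return $status
}

# Live check on the Dovecot host. Only the long right names are kept from
# doveadm's output, so its table header and formatting do not matter.
live_check() {   # usage: live_check <imap user> <mailbox under shared/> (mailbox name is an assumption)
    user=$1; mailbox=$2
    command -v doveadm >/dev/null 2>&1 || { echo "doveadm not found, skipping live check"; return 0; }
    rights=$(doveadm acl rights -u "$user" "$mailbox" 2>/dev/null \
        | tr ' =\n' '\n\n\n' \
        | grep -Ex 'lookup|read|write|write-seen|write-deleted|insert|post|expunge|create|delete|admin' \
        | tr '\n' ' ')
    acl_readonly_check "$rights"
}

# Constructed sample: the dovecot-acl from the post.
SAMPLE_ACL='owner lrwstipekxa
anyone lrs'

# usage: acl_check.sh [acl file] [imap user] [mailbox]
if [ $# -ge 1 ]; then
    lint_dovecot_acl "$(cat "$1")"
else
    lint_dovecot_acl "$SAMPLE_ACL"
fi
if [ $# -ge 3 ]; then
    live_check "$2" "$3"
fi
```

With no arguments the script lints the embedded sample; `sh acl_check.sh /var/imap/shruser/dovecot-acl alice shared/<folder>` lints the real file and then asks Dovecot which rights alice ends up with on that folder, which is the check that matters after a change to the ACL or to the plugin settings.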

That the Maildir is shared is signalled with an empty dovecot-shared file in the file system; Dovecot also takes the permissions (group and mode) for files it creates in the Maildir from this file. Keep in mind that the read-only rule itself is enforced by Dovecot's ACL plugin, not by the file system: with the directory mode 2770 used in the Puppet manifest below, every member of group mydomain can still write to the Maildir directly, so the archive is only tamper-proof for users who reach it through IMAP.

cat /var/imap/shruser/dovecot-shared


Setup with Puppet

I have set up the configuration with Puppet (version 3.x). My recipe for the setup is:

# == Node: sharedmails
node sharedmails inherits default {
  # install wildcard cert for security
  include c_mydomain::wildcard_cert

  # packages for mail delivery and filtering
  ensure_packages([ 'dovecot-core', 'dovecot-imapd', 'procmail' ])

  # IMAP Mailbox locations
  # 1777: world-writable with sticky bit, so any user can get his own
  # /var/imap/%u created, but only the owner can remove a tree
  file { '/var/imap':
    ensure => directory,
    owner  => 'dovecot',
    group  => 'dovecot',
    mode   => '1777';
  }

  # add extra user owning the content of the shared mailbox
  user { 'shruser':
    ensure     => present,
    shell      => '/bin/bash',
    managehome => true,
    gid        => '1000';
  }

  # dovecot read only mailbox environment
  # 2770: group mydomain can read the Maildir (and, at the file system level,
  # also write to it); the read-only rule is enforced by the Dovecot ACL
  file { '/var/imap/shruser':
    ensure => directory,
    owner  => 'shruser',
    group  => 'mydomain',
    mode   => '2770';
  }

  ### shared mailbox environment
  file { '/var/imap/shruser/dovecot-acl':
    ensure => present,
    owner  => 'shruser',
    group  => 'mydomain',
    mode   => '0644',
    source => 'puppet:///modules/c_mydomain/sharedmails/dovecot-acl';
  }
  file { '/var/imap/shruser/dovecot-shared':
    ensure => present,
    owner  => 'shruser',
    group  => 'mydomain',
    mode   => '0644',
    source => 'puppet:///modules/c_mydomain/sharedmails/dovecot-shared';
  }

  ### configure dovecot environment
  file { '/etc/dovecot/conf.d/99-mydomain-shared-mailbox.conf':
    ensure => 'present',
    source => 'puppet:///modules/c_mydomain/sharedmails/99-mydomain-shared-mailbox.conf';
  }

  ### mail filter with procmail
  file { '/home/shruser/.procmailrc':
    ensure => 'present',
    owner  => 'shruser',
    group  => 'mydomain',
    mode   => '0644',
    source => 'puppet:///modules/c_mydomain/sharedmails/procmailrc_shruser';
  }
}