Website of Roman Plessl
Jekyll
2015-06-18T21:58:53+02:00
Roman Plessl
roman@plessl.info
/articles/dovecot-shared-read-only-mailbox
2015-06-18 21:42:24 +0200
2015-06-17T22:03:12+02:00
Roman Plessl
roman@plessl.info
<h1 id="initial-status">Initial Status</h1>
<p>I receive a considerable amount of email for system and customer messages: mailman mailing lists, OTRS communications, git commit messages and the results of self-checking procedures.</p>
<p>All of them have been distributed by email not only to me, but also to each sysadmin in our group, so that each of us has been able to filter and search them with his normal and preferred email client.</p>
<p>To reduce the amount of distributed and duplicated emails I have set up a shared read-only IMAP mailbox with Dovecot on an Ubuntu 14.04 LTS system.</p>
<p>The advantages of such a mailbox are:</p>
<ul>
<li>reduced filesystem overhead</li>
<li>each user has his own access / credentials (given by files or LDAP)</li>
<li>shared emails can’t be deleted (so it can be used like an easily searchable archive)</li>
<li>shared emails have seen flags per user</li>
<li>directory subscription works</li>
</ul>
<h1 id="dovecot-configuration">Dovecot Configuration</h1>
<h2 id="installation">Installation</h2>
<p>Installation of stock Ubuntu Trusty 14.04 dovecot:</p>
<div class="highlight"><pre><code class="language-bash" data-lang="bash">apt-get install dovecot-core
apt-get install dovecot-imapd</code></pre></div>
<p>Check the version:</p>
<div class="highlight"><pre><code class="language-bash" data-lang="bash">root@sharedmails:/etc/dovecot/conf.d <span class="c"># dovecot --version</span>
2.2.9</code></pre></div>
<h2 id="overload-default-configuration">Overload default configuration</h2>
<p>I overload the default dovecot configuration from Ubuntu with the config snippet below.</p>
<p>The most tricky and important configuration option is:</p>
<div class="highlight"><pre><code class="language-cfg" data-lang="cfg"><span class="na">location</span> <span class="o">=</span> <span class="s">maildir:/var/imap/shruser:CONTROL=/var/imap/%u/shruser:INDEXPVT=/var/imap/%u/shruser:INDEX=/var/imap/%u/shruser</span></code></pre></div>
<ul>
<li>maildir as mail storage format</li>
<li>CONTROL, INDEXPVT <em>and</em> INDEX are kept per user in his own mailbox directory (INDEXPVT is what gives each user his own seen flags on the shared messages)</li>
</ul>
<div class="highlight"><pre><code class="language-bash" data-lang="bash">cat /etc/dovecot/conf.d/99-mydomain-shared-mailbox.conf</code></pre></div>
<h3 id="mydomain-shared-mailboxconf">99-mydomain-shared-mailbox.conf</h3>
<div class="highlight"><pre><code class="language-cfg" data-lang="cfg"><span class="c1"># we use Maildir</span>
<span class="na">mail_location</span> <span class="o">=</span> <span class="s">maildir:/var/imap/%u</span>
<span class="c1">## user get private inbox and a shared inbox</span>
<span class="err">namespace</span> <span class="err">inbox</span> <span class="err">{</span>
<span class="na">type</span> <span class="o">=</span> <span class="s">private</span>
<span class="s"> separator = /</span>
<span class="s"> prefix =</span>
<span class="s"> inbox = yes</span>
<span class="err">}</span>
<span class="err">namespace</span> <span class="err">{</span>
<span class="na">type</span> <span class="o">=</span> <span class="s">public</span>
<span class="s"> separator = /</span>
<span class="s"> prefix = shared/</span>
<span class="s"> location = maildir:/var/imap/shruser:CONTROL=/var/imap/%u/shruser:INDEXPVT=/var/imap/%u/shruser:INDEX=/var/imap/%u/shruser</span>
<span class="s"> subscriptions = no</span>
<span class="s"> list = children</span>
<span class="err">}</span>
<span class="c1">## IMAP with TLS and force TLS</span>
<span class="na">ssl</span> <span class="o">=</span> <span class="s">required</span>
<span class="na">ssl_cert</span> <span class="o">=</span> <span class="s"></etc/ssl/certs/SSL_wildcard.mydomain.com.pem</span>
<span class="na">ssl_key</span> <span class="o">=</span> <span class="s"></etc/ssl/private/SSL_wildcard.mydomain.com.key</span>
<span class="na">ssl_protocols</span> <span class="o">=</span> <span class="s">!SSLv2 !SSLv3 </span>
<span class="na">ssl_cipher_list</span> <span class="o">=</span> <span class="s">... </span>
<span class="na">ssl_prefer_server_ciphers</span> <span class="o">=</span> <span class="s">yes</span>
<span class="c1">## disable plaintext passwords without TLS</span>
<span class="na">disable_plaintext_auth</span> <span class="o">=</span> <span class="s">yes</span>
<span class="c1">## improve logging</span>
<span class="na">mail_plugins</span> <span class="o">=</span> <span class="s">$mail_plugins zlib mail_log notify</span>
<span class="na">login_log_format_elements</span> <span class="o">=</span> <span class="s">"user=<%u> method=%m rip=%r lip=%l mpid=%e %c %k"</span>
<span class="c1">## active acls for read only mailboxes</span>
<span class="na">mail_plugins</span> <span class="o">=</span> <span class="s">acl</span>
<span class="err">protocol</span> <span class="err">imap</span> <span class="err">{</span>
<span class="na">mail_plugins</span> <span class="o">=</span> <span class="s">$mail_plugins imap_acl</span>
<span class="err">}</span>
<span class="err">plugin</span> <span class="err">{</span>
<span class="c1"># Without global ACLs:</span>
<span class="na">acl</span> <span class="o">=</span> <span class="s">vfile</span>
<span class="err">}</span>
<span class="c1">## enable debugging till productive</span>
<span class="na">mail_debug</span> <span class="o">=</span> <span class="s">yes</span></code></pre></div>
<p>So that each user can <em>see</em> but <em>not</em> <em>delete</em> emails, the ACLs must be set accordingly. The documentation of dovecot 2.2.x is / was not really clear on that point: <code>anyone</code> <em>needs</em> the right to set the per-user seen flag (option: <code>s</code>). In the file below, <code>owner</code> keeps all rights, while <code>anyone</code> gets only lookup (<code>l</code>), read (<code>r</code>) and write-seen (<code>s</code>); since nobody else has the write-deleted (<code>t</code>), expunge (<code>e</code>) or delete-mailbox (<code>x</code>) rights, shared messages cannot be removed through IMAP.</p>
<div class="highlight"><pre><code class="language-bash" data-lang="bash">cat /var/imap/shruser/dovecot-acl</code></pre></div>
<h3 id="dovecot-acl">dovecot-acl</h3>
<div class="highlight"><pre><code class="language-apacheconf" data-lang="apacheconf"><span class="nb">owner</span> lrwstipekxa
<span class="nb">anyone</span> lrs</code></pre></div>
<p>Sharing of the mailbox is activated by an empty <code>dovecot-shared</code> file in the root of the maildir.</p>
<div class="highlight"><pre><code class="language-bash" data-lang="bash">cat /var/imap/shruser/dovecot-shared</code></pre></div>
<h3 id="dovecot-shared">dovecot-shared</h3>
<h1 id="setup-with-puppet">Setup with Puppet</h1>
<p>I have set up the configuration with Puppet (version 3.x). My recipe for the setup is:</p>
<div class="highlight"><pre><code class="language-puppet" data-lang="puppet"><span class="c"># == Node: sharedmails</span>
<span class="k">node</span> <span class="na">sharedmails</span> <span class="k">inherits</span> <span class="k">default</span> <span class="p">{</span><span class="c"></span>
<span class="c"> # install wildcard cert for security</span>
<span class="k">include</span> <span class="na">c_mydomain</span><span class="p">::</span><span class="na">wildcard_cert</span><span class="c"></span>
<span class="c"> # packages for mail delivery and filtering</span>
<span class="na">ensure_packages</span><span class="p">([</span> <span class="s">'dovecot-core'</span><span class="p">,</span><span class="s">'dovecot-imapd'</span><span class="p">,</span> <span class="s">'procmail'</span> <span class="p">])</span><span class="c"></span>
<span class="c"> # IMAP Mailbox locations</span>
<span class="k">file</span> <span class="p">{</span> <span class="s">'/var/imap'</span><span class="p">:</span>
<span class="na">ensure</span> <span class="o">=></span> <span class="k">directory</span><span class="p">,</span>
<span class="na">owner</span> <span class="o">=></span> <span class="s">'dovecot'</span><span class="p">,</span>
<span class="na">group</span> <span class="o">=></span> <span class="s">'dovecot'</span><span class="p">,</span>
<span class="na">mode</span> <span class="o">=></span> <span class="s">'1777'</span><span class="p">;</span>
<span class="p">}</span><span class="c"></span>
<span class="c"> # add extra users with content of shared mailbox</span>
<span class="k">user</span> <span class="p">{</span><span class="s">'shruser'</span><span class="p">:</span>
<span class="na">ensure</span> <span class="o">=></span> <span class="k">present</span><span class="p">,</span>
<span class="na">shell</span> <span class="o">=></span> <span class="s">'/bin/bash'</span><span class="p">,</span>
<span class="na">managehome</span> <span class="o">=></span> <span class="k">true</span><span class="p">,</span>
<span class="na">gid</span> <span class="o">=></span> <span class="s">'1000'</span><span class="p">;</span>
<span class="p">}</span><span class="c"></span>
<span class="c"> # dovecot read only mailbox environment</span>
<span class="k">file</span> <span class="p">{</span> <span class="s">'/var/imap/shruser'</span><span class="p">:</span>
<span class="na">ensure</span> <span class="o">=></span> <span class="k">directory</span><span class="p">,</span>
<span class="na">owner</span> <span class="o">=></span> <span class="s">'shruser'</span><span class="p">,</span>
<span class="na">group</span> <span class="o">=></span> <span class="s">'mydomain'</span><span class="p">,</span>
<span class="na">mode</span> <span class="o">=></span> <span class="s">'2770'</span><span class="p">;</span>
<span class="p">}</span><span class="c"></span>
<span class="c"> ### shared mailbox environment</span>
<span class="k">file</span> <span class="p">{</span> <span class="s">'/var/imap/shruser/dovecot-acl'</span><span class="p">:</span>
<span class="na">ensure</span> <span class="o">=></span> <span class="k">present</span><span class="p">,</span>
<span class="na">owner</span> <span class="o">=></span> <span class="s">'shruser'</span><span class="p">,</span>
<span class="na">group</span> <span class="o">=></span> <span class="s">'mydomain'</span><span class="p">,</span>
<span class="na">mode</span> <span class="o">=></span> <span class="s">'0644'</span><span class="p">,</span>
<span class="na">source</span> <span class="o">=></span> <span class="s">'puppet:///modules/c_mydomain/sharedmails/dovecot-acl'</span><span class="p">;</span>
<span class="p">}</span>
<span class="k">file</span> <span class="p">{</span> <span class="s">'/var/imap/shruser/dovecot-shared'</span><span class="p">:</span>
<span class="na">ensure</span> <span class="o">=></span> <span class="k">present</span><span class="p">,</span>
<span class="na">owner</span> <span class="o">=></span> <span class="s">'shruser'</span><span class="p">,</span>
<span class="na">group</span> <span class="o">=></span> <span class="s">'mydomain'</span><span class="p">,</span>
<span class="na">mode</span> <span class="o">=></span> <span class="s">'0644'</span><span class="p">,</span>
<span class="na">source</span> <span class="o">=></span> <span class="s">'puppet:///modules/c_mydomain/sharedmails/dovecot-shared'</span><span class="p">;</span>
<span class="p">}</span><span class="c"></span>
<span class="c"> ### configure dovecot environment</span>
<span class="k">file</span> <span class="p">{</span> <span class="s">'/etc/dovecot/conf.d/99-mydomain-shared-mailbox.conf'</span><span class="p">:</span>
<span class="na">ensure</span> <span class="o">=></span> <span class="s">'present'</span><span class="p">,</span>
<span class="na">source</span> <span class="o">=></span> <span class="s">'puppet:///modules/c_mydomain/sharedmails/99-mydomain-shared-mailbox.conf'</span><span class="p">,</span>
<span class="p">}</span><span class="c"></span>
<span class="c"> ### mail filter with procmail</span>
<span class="k">file</span> <span class="p">{</span> <span class="s">'/home/shruser/.procmailrc'</span><span class="p">:</span>
<span class="na">ensure</span> <span class="o">=></span> <span class="s">'present'</span><span class="p">,</span>
<span class="na">owner</span> <span class="o">=></span> <span class="s">'shruser'</span><span class="p">,</span>
<span class="na">group</span> <span class="o">=></span> <span class="s">'mydomain'</span><span class="p">,</span>
<span class="na">mode</span> <span class="o">=></span> <span class="s">'0644'</span><span class="p">,</span>
<span class="na">source</span> <span class="o">=></span> <span class="s">'puppet:///modules/c_mydomain/sharedmails/procmailrc_shruser'</span><span class="p">,</span>
<span class="p">}</span></code></pre></div>
<p>Enjoy!</p>
<p><a href="/articles/dovecot-shared-read-only-mailbox/">dovecot shared read-only mailbox on Ubuntu 14.04</a> was originally published by Roman Plessl at <a href="">Website of Roman Plessl</a> on June 17, 2015.</p>
/blog/refactoring-homepage
2015-01-03 00:15:31 +0100
2014-12-30T00:39:55+01:00
Roman Plessl
roman@plessl.info
<p>After using the same theme and website building technology (handcrafted) for about 14 years, it was now time to change it :-)</p>
<p>This site uses:</p>
<ul>
<li><a href="http://yekyllrb.com">jekyll</a></li>
<li><a href="https://mademistakes.com/work/jekyll-themes/">responsive design</a></li>
<li><a href="https://guides.github.com/features/mastering-markdown/">markdown</a></li>
<li><a href="https://www.sublimetext.com/">sublime</a></li>
<li><a href="https://github.com/23maverick23/sublime-jekyll">jekyll for sublime</a></li>
</ul>
<p><a href="/blog/refactoring-homepage/">refactoring homepage</a> was originally published by Roman Plessl at <a href="">Website of Roman Plessl</a> on December 30, 2014.</p>