Hi,

On Wed, 25 Oct 2017, Heiko Schlittermann wrote:

> given a small organization. There are *personal* mailboxes (mailbox per
> user, incl. subfolders et cetera). The users can share specific folders
> via the ACL (we call it "other users/", Dovecot calls it "shared"
> folder). Additionally there are mailboxes Dovecot calls "public" (we use
> the term "groups/"). They are not associated with a specific account,
> but accessible via ACL only. (A good example for the latter is
> "[email protected]")
>
> But now they're seeking a way to implement "role" accounts.
>
> We could create new "role" users, share the password and create an
> additional account within the mail client (Thunderbird) they use. From
> the users' perspective it is exactly what they want. But I dislike the idea
> of sharing the password.
>
> Question: Is there any way to split the authentication from the
> authorization within common mail clients (such as Thunderbird) in combination
> with Dovecot? That is, doing something like logging in to the account
> [email protected], using the credentials of the very own account (say
> [email protected])?

We faced the same problem and solved it with a PAM module:

https://gitlab.kfki.hu/kadlec/pam-groupuser

Any kind of MUA is supported with whatever background authentication you
have. Here follows the README:

This tiny PAM module makes it possible to authenticate to group user
accounts, where

- the group user has got an own group with the same name as its username
- the group members are real users, who want to access the resources
  (email, files) of the group user

The pam_groupuser.so module must be referred to two times in the PAM
configuration for the given service/resources, i.e.

    auth required pam_groupuser.so
    <all normal auth modules>
    auth required pam_groupuser.so second-pass

The users must use the username "groupusername*realusername" and the
password belonging to "realusername".

The first call to pam_groupuser.so sets the username for PAM to
"realusername", so the authentication modules will use the real username
for authentication. The second call to pam_groupuser.so sets the
username for PAM to "groupusername", so the account and session
environment is set up according to groupusername.

The applications which support this kind of setup:

- dovecot POP/IMAP server
- vsftpd FTP server

Addendum: for dovecot, add "*" to the allowed username chars in
auth_username_chars in /etc/dovecot/conf.d/10-auth.conf.

Best regards,
Jozsef
--
E-mail : [email protected]
PGP key: http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address: Wigner Research Centre for Physics, Hungarian Academy of Sciences
         H-1525 Budapest 114, POB. 49, Hungary
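The two-pass idea in the README (authenticate as the real user, then authorize and set up the session as the group user) is easy to get wrong if the membership check is skipped, so here is an added example that models it outside PAM. This is not pam_groupuser's code; the credential store, group table, user names and passwords are all constructed for the example, and only the "groupusername*realusername" login form and the "*" separator come from the message. Note that the group user never needs a password of its own, which is exactly what removes the password-sharing problem from the original question.

```python
"""Model of the 'groupuser*realuser' login split (added example, not pam_groupuser)."""
import hashlib
import hmac
from typing import Optional, Tuple

# Separator from the page; Dovecot must permit it via auth_username_chars.
SEPARATOR = "*"

# Constructed credential store: salted PBKDF2 hashes for the *real* users only.
_SALT = b"constructed-static-salt-for-demo"


def _hash(password: str, salt: bytes = _SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS = {
    "alice": _hash("alice-secret"),
    "bob": _hash("bob-secret"),
}

# Constructed group table: a group user has a group of the same name,
# whose members are the real users allowed to act as that group user.
GROUPS = {
    "support": {"alice"},
    "sales": {"bob"},
}
# Group user accounts exist as session targets but hold no password.
GROUP_USERS = {"support", "sales"}


def split_login(login_name: str) -> Tuple[Optional[str], str]:
    """Return (group_user, real_user); a plain login has no group part.

    Rejects empty halves and a second separator so that 'a**b' or '*b'
    cannot be smuggled past the later checks.
    """
    if SEPARATOR not in login_name:
        return None, login_name
    group_user, _, real_user = login_name.partition(SEPARATOR)
    if not group_user or not real_user or SEPARATOR in real_user:
        raise ValueError("malformed login name")
    return group_user, real_user


def authenticate(real_user: str, password: str) -> bool:
    """First pass: verify the password of the *real* user only."""
    stored = USERS.get(real_user)
    if stored is None:
        _hash(password)  # keep timing similar for unknown users
        return False
    return hmac.compare_digest(stored, _hash(password))


def authorize(group_user: Optional[str], real_user: str) -> bool:
    """Second pass: the real user may act as group_user only if it is a
    member of the group that carries the group user's name."""
    if group_user is None:
        return True
    return group_user in GROUP_USERS and real_user in GROUPS.get(group_user, set())


def login(login_name: str, password: str) -> Optional[str]:
    """Return the account the session should run as, or None when refused."""
    try:
        group_user, real_user = split_login(login_name)
    except ValueError:
        return None
    if not authenticate(real_user, password):
        return None
    if not authorize(group_user, real_user):
        return None
    # Session identity is the group user when one was requested.
    return group_user or real_user


if __name__ == "__main__":
    for name, pw in [("alice", "alice-secret"), ("support*alice", "alice-secret"),
                     ("support*bob", "bob-secret"), ("support", "anything")]:
        print(f"{name!r:20} -> {login(name, pw)!r}")
```

The order of the two checks matters in the same way as the two PAM calls: a bad password is refused before any group lookup happens, and a correct password for a user who is not in the group still yields a refusal, so nothing about group membership leaks to someone who only guessed a login name.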
