Command "doveadm director kick ...." doesn't work
Hi, I have a Dovecot installation (version 2.3.16) with 3 directors and 4 backend servers. Three backend servers have the director_tag 'new', one has the director_tag 'old'. The users are on the DB, the director_tag is a table field. I want to migrate mailboxes from the old backend (Maildir format) to the new (mdbox format). For the migration I use the "doveadm backup" command and everything works fine. The problem I'm having is that I can't kick the user (if logged in). Once the migration is done (as indicated https://doc.dovecot.org/3.0/man/doveadm-sync.1/), I modify the user's home, mail_location and director_tag and then execute the command "doveadm director kick ..." but the connection on the directors is not killed. Why does this problem occur? Could it be due to the use of the director_tag and the fact that for the command "doveadm director kick ..." it is not possible to specify it? Even if I run the command "doveadm director move mailbox_account new_backend_server", the director adds a new connection but does not kill the previous one, with the result that there are two connections for the same user, one on the new backend and one on the old one. I also tried to configure the director_tag only for the 3 new servers, but the "director kick" still doesn't work. ___ dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-le...@dovecot.org
Re: I can't configure shared mailbox ACLs using LDAP information
Wow, hard to believe.
I thought it was just a lack of skill on my part in finding/making the correct
configuration.
But what do large email servers that use Dovecot do?
I thought it was an orchestration between OpenLDAP, Postfix and Dovecot because
theoretically LDAP is the best place to store users, groups, passwords and
permissions.
Anyway, below is the bash script that I used to do a minimal automation of ACLs.
[ apply_ACLs_for_shared_mailboxes.sh ]
#!/bin/bash
# LDAP base DN
BASE_DN="dc=mydomain,dc=com,dc=br"
# LDAP search filter for enabled shared mailboxes
LDAP_FILTER="(&(objectClass=groupOfUniqueNamesWithMail)(mailEnabled=TRUE))"
# LDAP server details
LDAP_SERVER="ldap://ldap";
LDAP_BIND_DN="cn=admin,dc=mydomain,dc=com,dc=br"
LDAP_PASSWORD="Secret-pwd"
# temporary file to store the results of the LDAP search
TEMP_FILE="/tmp/shared_mailboxes.ldif"
# perform LDAP search to get shared mailboxes and their members
ldapsearch -x -H $LDAP_SERVER -D $LDAP_BIND_DN -w $LDAP_PASSWORD -b
"ou=shared-mailboxes,$BASE_DN" "$LDAP_FILTER" mail uniqueMember > $TEMP_FILE
# read the LDIF file and generate the doveadm acl commands
while IFS= read -r line; do
if [[ $line =~ ^mail: ]]; then
SHARED_MAILBOX=$(echo $line | awk '{print $2}')
fi
if [[ $line =~ ^uniqueMember: ]]; then
USER=$(echo $line | awk '{print $2}' | cut -d ',' -f 1 | cut -d '=' -f
2)
# generate the doveadm acl command for INBOX
COMMAND_INBOX="doveadm acl set -u $SHARED_MAILBOX INBOX user=$USER
lookup read write write-seen write-deleted insert post expunge create delete"
echo $COMMAND_INBOX
# execute the command for INBOX
eval $COMMAND_INBOX
# generate the doveadm acl command for Sent folder
COMMAND_SENT="doveadm acl set -u $SHARED_MAILBOX INBOX/Sent user=$USER
lookup read write write-seen write-deleted insert post expunge create delete"
echo $COMMAND_SENT
# execute the command for Sent folder
eval $COMMAND_SENT
fi
done < $TEMP_FILE
# clean up temporary file
rm $TEMP_FILE
I would like to take this opportunity to ask two things:
a) what would be the most appropriate permissions so that users with access to
shared mailboxes can only read emails (delete, only users "owners of shared
boxes")
b) with the query below in [ /etc/postfix/ldap-senders.cf ] users with
permission to access shared mailboxes can send mail using the shared mailbox
address; however, the mail is in the Sent folder of the user who sent it and
not in the Sent folder of the shared mailbox (where I would like it to be); The
idea is that if three people have access to a shared mailbox, the first one to
read and respond to an email will leave it saved in the Sent folder of the
shared mailbox so that the other two can see that the email has already been
responded to
___
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org
RE: I can't configure shared mailbox ACLs using LDAP information
> I thought it was just a lack of skill on my part in finding/making the > correct configuration. I am curious about your results, so keep posting! :) > But what do large email servers that use Dovecot do? > > I thought it was an orchestration between OpenLDAP, Postfix and Dovecot > because theoretically LDAP is the best place to store users, groups, > passwords and permissions. I agree, however I am currently configuring ldap users on the os, and have dovecot use the os. I think it is also a little more secure having the os manage users. I once tested dovecot in a container with direct ldap access but can't remember much from it. Does dovecot take settings from ldap.conf so you can have redundant ldap servers configured? > > b) with the query below in [ /etc/postfix/ldap-senders.cf ] users with > permission to access shared mailboxes can send mail using the shared > mailbox address; however, the mail is in the Sent folder of the user who > sent it and not in the Sent folder of the shared mailbox (where I would > like it to be); The idea is that if three people have access to a shared > mailbox, the first one to read and respond to an email will leave it > saved in the Sent folder of the shared mailbox so that the other two can > see that the email has already been responded to Maybe global sieve rule that check this? Afaik you can enable in outlook that send messages should go to the active folder if you are not on the inbox, but it does not work on all folders. I can remember thinking about having a module made that would do this automatically. ___ dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-le...@dovecot.org
