Re: lazy_expunge mangles dovecot-acl-list

2014-06-12 Thread Christoph Bußenius

On 06/12/2014 03:06 PM, Florian Tischler wrote:

> On Thursday, 12 June 2014, 11:53:26, Christoph Bußenius wrote:
> Interestingly a doveadm acl debug recreates dovecot-acl-list:
> doveadm acl debug -u user2 user/user1/Folder


A quick fix is to just delete all empty "dovecot-acl-list" files in a 
cron job.  They will get recreated as soon as they are needed.



> A question because you mention 2.2.13, is acl + lazy_expunge working for you
> with 2.2.13???


Actually we are not using 2.2 on our main mail servers. Before I 
reported this bug, I reproduced it with the current 2.1 and 2.2 
dovecots, but I did not do much testing in these setups.



> 2.2.13 fails for me completely with unknown namespace .EXPUNGED as soon as a
> user shares a folder. (as long as nothing is shared everything is fine)
> Reproducible with: doveadm acl set -u user1 Folder user=user2 rights...
> 2.1.17: doveadm acl debug -u user2 user/user1/Folder everything is fine.
> 2.2.13: unknown namespace .EXPUNGED, user2 cannot login anymore.


I just checked. I get the same error. As soon as user2 issues the "LIST" 
imap command, the imap connection is dropped and the log shows


dovecot: imap(user2): Fatal: lazy_expunge: Unknown namespace: '_EXPUNGED.'


Thanks for the warning.. At some point we would like to upgrade to 2.2 
too, but we are going to need ACLs and lazy_expunge.




> > protocol imap {
> >   imap_client_workarounds = tb-extra-mailbox-sep
> >   mail_max_userip_connections = 20
> >   mail_plugins = acl imap_acl acl
> > }


Btw, to reproduce your bug, I had to add "lazy_expunge" to the imap section.

Cheers,
Christoph

--
Christoph Bußenius
Rechnerbetriebsgruppe Informatik und Mathematik
Technische Universität München
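
The cron workaround suggested in the reply above, as an added example that is not part of the original post or of Dovecot: it flags only empty `dovecot-acl-list` files whose mail directory still contains a non-empty per-folder `dovecot-acl` (the state shown in the report) and removes them on request. The directory layout, function names and script name are assumptions based on the paths quoted in the thread.

```shell
#!/bin/sh
# Added example; layout assumed from the paths quoted in the thread:
#   <root>/<user>/mail/dovecot-acl-list
#   <root>/<user>/mail/mailboxes/<folder>/dbox-Mails/dovecot-acl

# Print every zero-length dovecot-acl-list whose directory tree still holds
# a non-empty per-folder dovecot-acl, i.e. ACLs exist but the list was emptied.
find_mangled_acl_lists() {
    find "$1" -type f -name dovecot-acl-list -size 0 2>/dev/null |
    while IFS= read -r list; do
        maildir=$(dirname "$list")
        hit=$(find "$maildir" -type f -name dovecot-acl ! -size 0 2>/dev/null | head -n 1)
        if [ -n "$hit" ]; then
            printf '%s\n' "$list"
        fi
    done
}

# Delete the flagged files so they are rebuilt on next use (the workaround
# described in the thread). Prints how many files were removed.
repair_acl_lists() {
    find_mangled_acl_lists "$1" | {
        count=0
        while IFS= read -r list; do
            # Re-check right before unlinking: the file may have been rebuilt.
            if [ ! -s "$list" ] && rm -f -- "$list"; then
                count=$((count + 1))
            fi
        done
        echo "$count"
    }
}

# Usage: acl-list-check.sh MAIL_ROOT [--repair]   (script name is hypothetical)
if [ -n "${1:-}" ]; then
    if [ "${2:-}" = "--repair" ]; then
        repair_acl_lists "$1"
    else
        find_mangled_acl_lists "$1"
    fi
fi
```

Run without `--repair` first to see which users are affected; the listing doubles as a record of how often the condition recurs.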


Re: lazy_expunge mangles dovecot-acl-list

2014-06-12 Thread Florian Tischler
On Thursday, 12 June 2014, 11:53:26, Christoph Bußenius wrote:
> Hi,
> 
> I think I found a bug in Dovecot 2.1.17 and 2.2.13.
> 
> In our setup, sometimes ACLs stop working because "dovecot-acl-list" is
> replaced by an empty file.  We found that lazy_expunge is connected to
> this.
> 
> To reproduce, create ACLs for "user1" in a folder.  Put a mail in that
> folder and expunge it, so that the folder will be created in the
> "expunged" namespace.
> 
> For instance,
> 
> # cat user1/mail/mailboxes/folder/dbox-Mails/dovecot-acl
> user=user2 keilrwts
> 
> # cat user1/mail/dovecot-acl-list
> 1350914868 folder
> 
> # doveadm -f flow fetch -u "user1" 'guid' mailbox _EXPUNGED.\*
> 
> # ls -l user1/mail/dovecot-acl-list
> -rw--- 1 vmail vmail 0 2014-06-12 11:40 user1/mail/dovecot-acl-list
> 
> You see that we have used doveadm to list the expunged namespace, which
> has emptied the "dovecot-acl-list" file.

Hi,

tried it with dovecot-ee-2.1.17.7-1.el6 and can confirm exactly the 
behaviour!

Interestingly a doveadm acl debug recreates dovecot-acl-list:
doveadm acl debug -u user2 user/user1/Folder
...
doveadm(user2): Info: User user2 has rights: ...
doveadm(user2): Error: Mailbox not found from dovecot-acl-list, rebuilding
doveadm(user2): Info: User user1 found from ACL shared dict
doveadm(user2): Info: Retrying after rebuilds:
...

A question because you mention 2.2.13, is acl + lazy_expunge working for you 
with 2.2.13???

2.2.13 fails for me completely with unknown namespace .EXPUNGED as soon as a 
user shares a folder. (as long as nothing is shared everything is fine)
Reproducible with: doveadm acl set -u user1 Folder user=user2 rights...
2.1.17: doveadm acl debug -u user2 user/user1/Folder everything is fine.
2.2.13: unknown namespace .EXPUNGED, user2 cannot login anymore.

Unfortunately I never got any feedback to this issue and therefore stick 
with 2.1.17 :-(

Florian

> Cheers,
> Christoph
> 
> 
> 
> 
> # 2.2.13: /usr/local/dovecot/etc/dovecot/dovecot.conf
> # OS: Linux 2.6.32-57-server x86_64 Ubuntu 10.04.4 LTS
> disable_plaintext_auth = no
> mail_gid = vmail
> mail_location = mdbox:~/mail
> mail_plugins = acl
> mail_uid = vmail
> namespace {
>   inbox = no
>   list = children
>   location = mdbox:%%h/mail
>   prefix = INBOX.shared.%%u.
>   separator = .
>   subscriptions = no
>   type = shared
> }
> namespace default {
>   inbox = yes
>   location =
>   prefix = INBOX.
>   separator = .
>   type = private
> }
> namespace expunged {
>   hidden = yes
>   list = no
>   location = mdbox:~/mail:MAILBOXDIR=expunged:SUBSCRIPTIONS=expunged-subscriptions
>   prefix = _EXPUNGED.
>   separator = .
>   subscriptions = yes
> }
> passdb {
>   args = scheme=CRYPT username_format=%u /usr/local/dovecot/etc/dovecot/users
>   driver = passwd-file
> }
> plugin {
>   acl = vfile
>   acl_shared_dict = file:/mail/shared-mailboxes
>   lazy_expunge = _EXPUNGED.
> }
> protocols = imap pop3
> service auth {
>   unix_listener auth-userdb {
>     group = vmail
>     mode = 0660
>   }
> }
> ssl_cert =
> ssl_key =
> userdb {
>   args = /usr/local/dovecot/etc/dovecot/users
>   driver = passwd-file
> }
> protocol imap {
>   imap_client_workarounds = tb-extra-mailbox-sep
>   mail_max_userip_connections = 20
>   mail_plugins = acl imap_acl acl
> }
-- 
Florian Tischler
System Administrator
*Johann Radon Institute for Computational and Applied Mathematics (RICAM)
http://www.ricam.oeaw.ac.at/
florian.tisch...@oeaw.ac.at
*Industrial Mathematics Institute
http://www.indmath.uni-linz.ac.at/
tisch...@indmath.uni-linz.ac.at
http://www.ricam.oeaw.ac.at/people/page.cgi?firstn=Florian;lastn=Tischler
GPG-Key: http://www.ricam.oeaw.ac.at/gpg/florian_tischler.asc
tel: +43 732 2468 5250
fax: +43 732 2468 5212


lazy_expunge mangles dovecot-acl-list

2014-06-12 Thread Christoph Bußenius

Hi,

I think I found a bug in Dovecot 2.1.17 and 2.2.13.

In our setup, sometimes ACLs stop working because "dovecot-acl-list" is 
replaced by an empty file.  We found that lazy_expunge is connected to this.


To reproduce, create ACLs for "user1" in a folder.  Put a mail in that 
folder and expunge it, so that the folder will be created in the 
"expunged" namespace.

For instance,

# cat user1/mail/mailboxes/folder/dbox-Mails/dovecot-acl
user=user2 keilrwts

# cat user1/mail/dovecot-acl-list
1350914868 folder

# doveadm -f flow fetch -u "user1" 'guid' mailbox _EXPUNGED.\*

# ls -l user1/mail/dovecot-acl-list
-rw--- 1 vmail vmail 0 2014-06-12 11:40 user1/mail/dovecot-acl-list

You see that we have used doveadm to list the expunged namespace, which 
has emptied the "dovecot-acl-list" file.


Cheers,
Christoph




# 2.2.13: /usr/local/dovecot/etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-57-server x86_64 Ubuntu 10.04.4 LTS
disable_plaintext_auth = no
mail_gid = vmail
mail_location = mdbox:~/mail
mail_plugins = acl
mail_uid = vmail
namespace {
  inbox = no
  list = children
  location = mdbox:%%h/mail
  prefix = INBOX.shared.%%u.
  separator = .
  subscriptions = no
  type = shared
}
namespace default {
  inbox = yes
  location =
  prefix = INBOX.
  separator = .
  type = private
}
namespace expunged {
  hidden = yes
  list = no
  location = mdbox:~/mail:MAILBOXDIR=expunged:SUBSCRIPTIONS=expunged-subscriptions
  prefix = _EXPUNGED.
  separator = .
  subscriptions = yes
}
passdb {
  args = scheme=CRYPT username_format=%u /usr/local/dovecot/etc/dovecot/users
  driver = passwd-file
}
plugin {
  acl = vfile
  acl_shared_dict = file:/mail/shared-mailboxes
  lazy_expunge = _EXPUNGED.
}
protocols = imap pop3
service auth {
  unix_listener auth-userdb {
    group = vmail
    mode = 0660
  }
}
ssl_cert =