Setting up shared mailboxes in dovecot

[edited 28.06.2013]
Sometimes you need mail addresses and mailboxes that need to be accessed by multiple persons. In a company, for example, there could be a mailbox sales@yourcompany.com, and if you are planning, for example, a wedding, it can be a good idea to have an account wedding@yourdomain.tld that can be accessed by you and your (future) wife. It is definitely not the best idea to create a “normal” account and just give the password to all people who might need it. This might lead to confusion (and data loss). In my opinion accounts should always be bound to a person.
The solution for my LDA (aka mailserver) dovecot is called “SharedMailboxes”, i.e. mailboxes that are shared between users and linked to their accounts. It wasn’t that easy to set up, but finally I got it to work in the following way:

This is a post from my old blog http://tech.cbjck.de. It has been moved here and slightly edited for better readability. It's also been adjusted to the new layout.
The content however is old and might be outdated.

Enable shared mailboxes

First we have to set up a namespace in dovecot to make sharing possible. We will also explicitly define a private namespace for the non-shared mailboxes; by default this namespace is defined implicitly.
Edit /etc/dovecot/dovecot.conf

## You need to create also a private namespace:
namespace private {
  separator = /
  prefix = 
  #location defaults to mail_location.
  inbox = yes
}

namespace shared {
  separator = /
  prefix =  Shared/%%n/
#  location = maildir:/var/vmail/%%d/%%u:INDEX=/var/vmail/%d/%u/shared/%%u
  location = maildir:/var/vmail/cbjck.de/%%u:INDEX=/var/vmail/cbjck.de/%u/shared/%%u
  subscriptions = no
  list = children
}

The location line in the shared namespace was the most difficult part to figure out. %%d should expand to the domain of the shared mailbox and %d to the domain of the user logging in. I still have the problem that the domain is not properly resolved from the account information stored in my LDAP server. So for the moment I just hardcoded the domain. %%u and %u will expand to the respective username.

Access to shared mailboxes is controlled by ACLs. To enable them, add the following to your /etc/dovecot/dovecot.conf:

protocol imap {
  mail_plugins = acl imap_acl
}
protocol lda {
  mail_plugins = acl
}
plugin {
  acl = vfile
}

You’ll have to edit the existing sections mentioned above: add the plugins to the plugins already listed there, separated by spaces.

Now shared mailboxes should already work; however, they won’t be displayed in the users’ mailbox lists. Dovecot doesn’t loop over all mailboxes to find shared ones; instead it uses a database that we need to create. As I only have a few accounts on my server I’m going to use a flat file. Of course it’s also possible to use a database (see the dovecot wiki).
Add the following line to /etc/dovecot/dovecot.conf:

plugin {
  acl_shared_dict = file:/var/lib/dovecot/shared-mailboxes.db
}

Now it’s time to restart dovecot:

/etc/init.d/dovecot stop
/etc/init.d/dovecot start

Share a mailbox

Sharing mailboxes is expected to be done by IMAP SETACL commands. As I don’t know if and how my email client supports those, I’ll do it the hard way – on the command line.
Let’s assume we have one account to share, e.g. shared@yourdomain.tld, and two users, user1@yourdomain.tld and user2@yourdomain.tld, who should get access to the shared mailbox.
On the mailserver open a telnet connection:

telnet localhost 143

The server will respond with something like

Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE STARTTLS AUTH=PLAIN] Dovecot ready.

Note that you’ll have to type the full stop and space before each command; the full stop serves as the IMAP command tag.
Now log in as user shared@yourdomain.tld

. login shared@yourdomain.tld passwordofshared
. OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT IDLE CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS ACL RIGHTS=texk] Logged in

Now you set the ACL on a folder of your choice, e.g. the inbox

. SETACL Inbox user1@yourdomain.tld lrwstipekxa
. OK Setacl complete.

This command will give user1 full access to the Inbox. For more information on ACL rules have a look at the dovecot wiki.
You can check the ACL

. GETACL Inbox

The answer will show you all users having access to Inbox and their rights. In the example you should see something like

* ACL Inbox "user1@yourdomain.tld" akxeilprwtscd "shared@yourdomain.tld" lrwstipekxacd

Now add the second user as above.
Leave the telnet session by typing Ctrl + ] and

telnet> quit

In their mail clients user1 and user2 should now find a folder Shared/shared/inbox. In some mail clients you’ll have to add that folder for syncing via the account settings.
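
The rights string in the SETACL above includes a, which lets user1 change the ACL of the shared Inbox. The following Python sketch is an added example, not part of the original post: it parses a GETACL response line like the one shown above and lists the non-owner identifiers that can change the ACL or delete mail. The function names, the owner parameter and the two audit rules are assumptions chosen for illustration; the right letters are those of RFC 4314.

```python
import shlex

# RFC 4314 right letters; "c" and "d" are the obsolete RFC 2086 rights
# that servers may still report for old clients.
RIGHTS = {
    "l": "lookup", "r": "read", "s": "keep seen flag", "w": "write flags",
    "i": "insert", "p": "post", "k": "create mailbox", "x": "delete mailbox",
    "t": "delete messages", "e": "expunge", "a": "administer ACL",
    "c": "create (obsolete)", "d": "delete (obsolete)",
}

def parse_getacl(line):
    """Parse one untagged '* ACL <mailbox> (<identifier> <rights>)*' line."""
    tokens = shlex.split(line)          # handles the quoted identifiers
    if len(tokens) < 3 or tokens[0] != "*" or tokens[1].upper() != "ACL":
        raise ValueError("not an untagged ACL response: %r" % line)
    mailbox, pairs = tokens[2], tokens[3:]
    if len(pairs) % 2:
        raise ValueError("identifier without rights in: %r" % line)
    acl = {}
    for ident, rights in zip(pairs[0::2], pairs[1::2]):
        unknown = set(rights) - set(RIGHTS)
        if unknown:
            raise ValueError("unknown right(s) %s for %s" % (sorted(unknown), ident))
        acl[ident] = set(rights)
    return mailbox, acl

def audit(line, owner):
    """Return findings for identifiers other than the mailbox owner."""
    mailbox, acl = parse_getacl(line)
    findings = []
    for ident, rights in sorted(acl.items()):
        if ident == owner:
            continue
        if "a" in rights:
            findings.append((mailbox, ident, "can change the ACL (a)"))
        if rights & set("xte"):
            findings.append((mailbox, ident, "can delete mail or the mailbox"))
    return findings

# Response line as shown in the post
SAMPLE = '* ACL Inbox "user1@yourdomain.tld" akxeilprwtscd "shared@yourdomain.tld" lrwstipekxacd'

if __name__ == "__main__":
    for finding in audit(SAMPLE, owner="shared@yourdomain.tld"):
        print(*finding, sep=": ")
```

For a user who only needs to read the shared mail, a SETACL with lrs (lookup, read, keep seen flag) instead of lrwstipekxa produces no findings here.
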
[edited 28.06.2013]

Make shared folders work in roundcube

With the setup described above, sharing works well in email clients like evolution. In my webmail client roundcube, however, the folders show up in the folder list but can’t be subscribed to. I could find the solution on the dovecot mailing list. In /etc/dovecot/dovecot.conf change the section shared to match

namespace shared {
  separator = /
  prefix =  Shared/%%n/
  location = maildir:/var/vmail/cbjck.de/%%u:CONTROL=/var/vmail/cbjck.de/%u/shared/%%u:INDEX=/var/vmail/$
  subscriptions = yes
  list = children
}

Then restart dovecot. Now you should be able to subscribe to the shared folders in roundcube.
