Captive mailbox in Cyrus IMAP?

Phil Pennock info-cyrus-spodhuis at spodhuis.org
Tue Nov 21 18:59:49 EST 2006


On 2006-11-21 at 16:44 -0600, Rich Graves wrote:
> UW-IMAP has no concept of ACLs; to make a mailbox read-only, you simply 
> manipulate file system permissions. Cyrus has proper ACLs that are 
> shared between mail delivery and imapd. It's not obvious what you would 
> want to hack in order to make lmtpd's view of ACLs and mailbox paths 
> different than imapd's.

lmtpd ignores posting permissions when delivering directly to INBOX
folders.  It's the final parameter of imap/lmtpd.c:deliver_mailbox(),
acloverride.  Cyrus can _always_ deliver new mail to user inboxes via
LMTP, permissions apply for direct delivery to subfolders by +extension
addressing and for shared folders, etc.

So you probably want to script up an admin tool which, for a user
"fred", connects up, does two LISTs:
  LIST "" "user.fred"
  LIST "" "user.fred.*"
(or "/" instead of ".", depending upon config), then does a GETACL for
every folder returned; dump those results out to a backup file in the
local filesystem, where a restore tool can automatically put the privs
back, then loop through and for every folder, for each identifier with
positive rights, remove those rights.

The only bit to be really cautious of is to be sure that a restore
script properly deals with negative ACL rights, if a user has shared
folders which are semi-public, to deal with privacy issues.

All AIUI.

-Phil


More information about the Info-cyrus mailing list