Shared Mailboxes in Dovecot Cluster¶
Note
This setup is supported from Dovecot version 2.3.15 and higher only
As mentioned in Director, you can’t have multiple servers accessing the same user at the same time or it will lead into trouble. This can become problematic with shared mailboxes, because two users who are sharing a folder may run in different servers. The solution here is to access the shared folders via IMAP protocol, which passes through the Dovecot proxies/directors so the actual filesystem access is done only by one server.
There are some limitations for this kind of use case:
imapc_*
settings are global. You can’t have two different namespaces with different imapc settings yet.The imapc code doesn’t support some IMAP features. Most importantly SORT isn’t supported, which may result in lower performance.
Setting up user-shared folders¶
You’ll need to setup master user logins to work for all the users. The
logged in user becomes the master user. The master user doesn’t actually
have any special privileges. It’s just used to get ACLs applied correctly
using permissions of the master user (the logged in user). It is supported
to access shared mailboxes of users which live on other backends via the IMAP
protocol. For this purpose shared mailboxes in a cluster must be accessed via
another namespace which has location
configured to use imapc
.
It is recommended to disable shared namespaces for master users so you should
add userdb_namespace/shared/disabled=yes
to your master passdb as
extra field. Depending on
the authentication configuration it may be necessary to also override the acl_user
via userdb extra field
like this userdb_acl_user=%{auth_user}
.
Mailboxes in the shared namespace can be accessed using the given namespace
prefix. For example the user someone1
could have access to a
mailbox(shared_mailbox
) owned by the user someone2
. To access mails
in this mailbox someone1
would access a mailbox with the name
shared/someone2/shared_mailbox
. The permissions which are given to
someone1
on this mailbox are determined by Access Control Lists.
namespace shared {
type = shared
prefix = shared/%%u/
list = children
subscriptions = no
# Use INDEXPVT to enable per-user \Seen flags.
# If running earlier versions than 2.3.15, or earlier than 2.3.17 with obox
# storage INDEXPVT is not supported.
location = imapc:~/shared/%%u:INDEXPVT=~/shared-pvt/%%u
}
Note
Obox relies on having the INDEXPVT directory configured to ~/shared-pvt
otherwise the private indexes are not tracked by metacache and can
get lost if user changes backends.
Note
See % vs %% for an explanation more details on the used variables.
- Additionally imapc must be configured accordingly on the backends:
On backends either passdb or userdb for non-master users must return
userdb_imapc_master_user=%{user}
orimapc_master_user=%{user}
imapc_master_user
becomes set using userdb. In case of a simple setupimapc_master_user
can also be just set to%u
(the logged in user).imapc_password
must be set to the master password which is configured on all backends and directorsimapc_host
must point to a load balancer’s address that connects to Dovecot director/proxyimapc_features
: For the best performance and functionality, the setting should contain at leastfetch-bodystructure fetch-headers rfc822.size search modseq acl delay-login
New in version 2.3.15: INDEXPVT for imapc is supported from 2.3.15 onwards. In general INDEXPVT with imapc is only supported for non-obox storages.
imapc_host = director-ip
#imapc_user = # leave this empty. It'll be automatically filled with the destination username.
imapc_password = master-secret
imapc_features = fetch-bodystructure fetch-headers rfc822.size search modseq acl delay-login
As mentioned earlier the acl plugin must be loaded and configured accordingly:
mail_plugins = $mail_plugins acl
plugin {
acl = vfile
# Added in 2.3.15
acl_ignore_namespace = shared/*
acl_shared_dict = $your_prefered_shared_dict
}
# In order to be able to issue ACL commands over imap, imap_acl must be loaded
protocol imap {
mail_plugins = $mail_plugins imap_acl
}
The acl plugin must be told to ignore the shared namespace and all
its children using the acl_ignore_namespace
setting.
The shared dictionary needs to be accessible from all the backends. The possibilities for it are:
file: A single shared file in filesystem. This becomes a performance bottleneck easily if there are many in a shared filesystem.
fs posix: Shared directory in filesystem. This will create many small files in a shared filesystem.
sql: Shared SQL server
Any other shared dictionary can be used like described at Shared mailbox listing.
Please also see Example config snippets for shared mailboxes in Dovecot Cluster.
Shared folders and quota¶
When using the Quota Plugin it must be configured to not attempt to calculate quota for the shared namespaces. This is suggested to be achieved by limiting the quota plugin to the private inbox namespace using:
quota=count:ns=<inbox namespace prefix>
For more details on quota configuration please see Quota Configuration.