Filesystem permissions (in shared mailboxes)

IMAP processes need filesystem level permissions to access shared/public mailboxes. This means that:

  • If you use more than one UNIX UID for your mail users (e.g. you use system users), you’ll need to make sure that all users can access the mailboxes on filesystem level. (ACL plugin won’t help you with this.)

  • You can remove write permissions on purpose from public namespace root directory to prevent users from creating new mailboxes under it.

Dovecot never modifies permissions for existing mail files or directories. When users share mailboxes between each others, the system must have been set up in a way that filesystem permissions don’t get in the way. The easiest way to do that is to use only a single UID. Another possibility would be to use one or more groups for all the mail files that may be shared to other users belonging to the same group. For example if you host multiple domains, you might create a group for each domain and allow mailbox sharing (only) between users in the same domain.

System user UNIX groups

There’s no requirement to use UNIX groups (i.e. typically defined in /etc/group) for anything. If you don’t care about them, you can safely ignore this section.

If you use Passwd userdb, the IMAP process has access to all the UNIX groups defined for that user. You may use these groups when granting filesystem permissions. If you wish to use UNIX groups defined in /etc/group but don’t use passwd userdb, you can still do this by returning system_groups_user userdb extra fields, which contains the UNIX user name whose groups are read from the group file.

You can also set up extra UNIX groups by listing them in mail_access_groups setting. To have per-user UNIX groups, return mail_access_groups as userdb extra field. The advantage of using this method is that only Dovecot mail processes have access to the group, but nothing else, such as user’s SSH session. For example a simple way to set up shared mailbox access for all system users is to make all mail dirs/files 0770/0660 mode and owned by group “sharedmail” and then set mail_access_groups=sharedmail. Using more fine-grained groups of course leaks less mail data in case there’s a security hole in Dovecot.

Permissions for new mailboxes

When creating a new mailbox, Dovecot copies the permissions from the mailbox root directory. For example with mboxes if you have directories:

drwx--xr-x 8 user group 4096 2009-02-21 18:31 /home/user/mail/
drwxrwxrwx 2 user group 4096 2009-02-21 18:32 /home/user/mail/foo/

When creating a new foo/bar/ directory, Dovecot gives it permissions:

drwx--xr-x 2 user group 4096 2009-02-21 18:33 /home/user/mail/foo/bar/

As you can see, the file mode was copied from mail/ directory, not mail/foo/. The group is also preserved. If this causes problems (e.g. different users having different groups create mailboxes, causing permission denied errors when trying to preserve the group) you can set the setgid bit for the root directory:

chmod g+s /home/user/mail

This will cause the group to be automatically copied by the OS for all created files/directories under it, even if the user doesn’t belong to the group.

Permissions for new files in mailboxes

When creating new files inside a mailbox, Dovecot copies the read/write permissions from the mailbox’s directory. For example if you have:

drwx--xr-x 5 user group 4096 2009-02-21 18:53 /home/user/Maildir/.foo/

Dovecot creates files under it with modes:

drwx--xr-x 2 user group 4096 2009-02-21 18:54 cur/
drwx--xr-x 2 user group 4096 2009-02-21 18:54 new/
drwx--xr-x 2 user group 4096 2009-02-21 18:54 tmp/
-rw----r-- 1 user group  156 2009-02-21 18:54 dovecot.index.log
-rw----r-- 1 user group   17 2009-02-21 18:54 dovecot-uidlist

Note how the g+x gets copied to directories, but for files it’s simply ignored. The group is copied the same way as explained in the previous section.

When mails are copied between Maildirs, it’s usually done by hard linking. If the source and destination directory permissions are different, Dovecot create a new file and copies data the slow way so that it can assign the wanted destination permissions. The source and destination permission lookups are done only by looking at the mailbox root directories’ permissions, not individual mail files. This may become a problem if the mail files’ permissions aren’t as Dovecot expects.

Permissions to new /domain/user directories

If each user has different UIDs and you have /var/mail/domain/user/ style directories, you run into a bit of trouble. The problem is that the first user who creates /var/mail/domain/ will create it as 0700 mode, and other users can’t create their own user/ directories under it anymore. The solution is to use a common group for the users and set /var/mail/ directory’s permissions properly (group-suid is required):

chgrp dovemail /var/mail
chmod 02770 /var/mail # or perhaps 03770 for extra security

and in dovecot.conf:

mail_location = maildir:/var/vmail/%d/%n/Maildir
mail_access_groups = dovemail

The end result should look like this:

drwxrwsr-x 3 user dovemail 60 Oct 24 12:04
drwx--S--- 3 user user 60 Oct 24 12:04

Note that this requires that the mail_location setting is in its explicit format with %variables. Using maildir:~/Maildir won’t work, because Dovecot can’t really know how far down it should copy the permissions from.

Permissions to new user home directories

When mail_location begins with %h or ~/, its permissions are copied from the first existing parent directory if it has setgid-bit set. This isn’t done when the path contains any other %variables.

Mail Delivery Agent permissions

When using Dovecot LDA, it uses all the same configuration files as IMAP/POP3, so you don’t need to worry about it.

When using an external MDA to deliver to a shared mailbox, you need to make sure that the resulting files have proper permissions. For example with Procmail + Maildir, set UMASK=007 in .procmailrc to make the delivered mail files group-readable. To get the file to use the proper group, set the group to the Maildir’s tmp/ directory and also set its setgid bit (chmod g+s).

Dictionary files

Created dictionary files (e.g. acl_shared_dict = file:...) also base their initial permissions on parent directory’s permissions. After the initial creation, the permissions are permanently preserved. So if you want to use different permissions, just chown/chmod the file.