Owner group / SOGo shared mailbox not working

I am trying to set up a shared mailbox for a group of users… NS is joined into my UCS domain so users are not created or assigned to groups on the local Nethserver.

I believe this used to work at one point, but I'm not positive. Is SOGo not able to apply security permissions from AD to shared mailboxes? And if so, is there anything I can try or provide to further troubleshoot?

For simplicity, I have 3 users I am testing with… user1, user2 and user3.

Group membership is as follows:
user1@domain.com : usergroup, admingroup
user2@domain.com : usergroup, admingroup
user3@domain.com : usergroup

I have created a shared mailbox, testshare1, with owner group admingroup@domain.com.

There is a mail alias created: testshare1@ testshare1 (shared mailbox), and it exists in:

[root@sparky vmail]# ll -la /var/lib/nethserver/vmail/vmail/Maildir/
total 24
drwx------ 6 vmail vmail 234 Feb 23 16:22 .
drwx------ 3 vmail vmail  21 Feb 23 13:33 ..
drwx------ 2 vmail vmail   6 Feb 23 13:37 cur
-rw------- 1 vmail vmail  39 Feb 23 14:57 dovecot-acl
-rw------- 1 vmail vmail  34 Feb 23 16:16 dovecot-acl-list
-rw------- 1 vmail vmail 628 Feb 23 14:57 dovecot.index.log
-rw------- 1 vmail vmail  48 Feb 23 16:09 dovecot.mailbox.log
-rw------- 1 vmail vmail  51 Feb 23 14:57 dovecot-uidlist
-rw------- 1 vmail vmail   8 Feb 23 16:16 dovecot-uidvalidity
-r--r--r-- 1 vmail vmail   0 Feb 23 14:57 dovecot-uidvalidity.5c71cfe0
drwx------ 2 vmail vmail   6 Feb 23 13:37 new
drwx------ 5 vmail vmail 154 Feb 23 16:25 .testshare1
drwx------ 2 vmail vmail   6 Feb 23 13:37 tmp
[root@sparky vmail]#

Shared mailboxes are enabled:

[root@sparky vmail]# config show dovecot | grep Shared
    SharedMailboxesStatus=enabled
[root@sparky vmail]#

Looking at permissions:

[root@sparky .testshare1]# pwd
/var/lib/nethserver/vmail/vmail/Maildir/.testshare1
[root@sparky .testshare1]# cat dovecot-acl
group=admingroup@domain.com keilrwts
[root@sparky .testshare1]#

The problem is that all users have access to the shared mailbox… user3, who I have confirmed is not a member of admingroup, is able to view and read any mail sent to testshare1@domain.com.
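As an added example (not code from the thread or from NethServer), a small Python model of how Dovecot resolves a dovecot-acl file, so the rights each user should get from the ACL shown above can be checked before blaming the mail client. It assumes group identifiers are compared against the user's groups in the same admingroup@domain.com form the file uses, and it approximates Dovecot's precedence (anyone, authenticated, group, user/owner, group-override) with a bare rights string replacing earlier rights and a +/- prefix adding or removing them.

```python
# Added example, not from the thread. ASSUMED model of Dovecot ACL resolution:
# identifiers apply in the order anyone < authenticated < group < user/owner
# < group-override; a bare rights string replaces earlier rights, a '+'/'-'
# prefix adds/removes rights; several matching groups apply in file order.
PRECEDENCE = {"anyone": 0, "authenticated": 1, "group": 2,
              "owner": 3, "user": 3, "group-override": 4}

def parse_acl(text):
    """Return [(identifier_kind, name, rights)] from dovecot-acl contents."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ident, _, rights = line.partition(" ")
        kind, _, name = ident.partition("=")  # 'owner'/'anyone' carry no name
        entries.append((kind, name, rights.strip()))
    return entries

def effective_rights(acl_text, user, groups, owner=None):
    """Set of right letters `user` (member of `groups`) gets on the mailbox."""
    matched = []
    for kind, name, rights in parse_acl(acl_text):
        if (kind in ("anyone", "authenticated")
                or (kind in ("group", "group-override") and name in groups)
                or (kind == "user" and name == user)
                or (kind == "owner" and user == owner)):
            matched.append((PRECEDENCE[kind], rights))
    result = set()
    for _, rights in sorted(matched, key=lambda m: m[0]):  # stable: file order
        if rights.startswith("+"):
            result |= set(rights[1:])
        elif rights.startswith("-"):
            result -= set(rights[1:])
        else:
            result = set(rights)
    return result

# Constructed to mirror the thread: the ACL on .testshare1 and the AD groups.
SHARED_ACL = "group=admingroup@domain.com keilrwts\n"
GROUPS = {"user1@domain.com": {"usergroup@domain.com", "admingroup@domain.com"},
          "user3@domain.com": {"usergroup@domain.com"}}

if __name__ == "__main__":
    for u, g in GROUPS.items():
        print(u, "".join(sorted(effective_rights(SHARED_ACL, u, g))) or "(none)")
```

With only the group line present, user3 resolves to no rights at all, so a user3 who can still list and read the folder points at the client or at group resolution, not at the ACL file itself; an `anyone lr` line would be one ACL-side explanation of exactly that symptom.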

Could you try from Roundcube?

I don’t have Roundcube installed… I need SOGo for ActiveSync, which I believe Roundcube does not support.

I will install it for testing and report back shortly.

I just installed Roundcube and tested… I can subscribe to the folder with all accounts, list and read, but not delete email from the shared mailbox on the user3 account (error message).

However, I was able to delete the same message using the user3 account in SOGo that I could not with Roundcube, although it does reappear after a refresh… so it appears to allow the action and does not show an error like Roundcube did… but it did not actually delete the email.

But it appears that the owner group is partially ignored… I will test with all three users at the same time on different machines.

One thing I just noticed as well when deleting emails from shared folders:

Users who should not have access can see, view and read the emails. They cannot permanently delete them, although SOGo looks like it does delete them, and they return on a refresh…

The email, however, is copied to the trash.

Edit… Users who are part of the owner group also cannot delete the email… It appears AD group membership/permissions are completely ignored for shared mailboxes.

I’d be happy to do any additional testing or troubleshooting to fix this.

I’ve tried to set up a shared folder, and when I try to enter with a user that is not authorized (after he had correctly subscribed to the folder), I obtain an error:

The correct behavior is that an unauthorized user can subscribe to the folder, but he can’t read messages.
Please retry sharing a folder with other users and groups and check if the behavior is correct.