1

Topic: Proposal for an Exchange-like Shared Mailbox aka login as

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.6 PGSQL edition
- Linux/BSD distribution name and version: CentOS Linux release 7.3.1611 (Core)
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): PGSQL
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? YES
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hi there,

Since I wanted a mechanism that's more or less the same as, or at least very similar to, an Exchange shared mailbox (at least the way it's most often used, imho: you define a mailbox and allow certain users to fully use it as if it were their own), I did the following:


=========================================================================================
/etc/dovecot/dovecot.conf:

...
auth_master_user_separator = *
passdb {
    driver = passwd-file
    args = /etc/dovecot/dovecot-master-users
    master = yes
}
# HERE THE NEW PART FOR LOGINAS - START
passdb {
    driver = sql
    args = /etc/dovecot/dovecot-loginas.conf
    master = yes
    pass = yes
}
# HERE THE NEW PART FOR LOGINAS - END
...

=========================================================================================
/etc/dovecot/dovecot-loginas.conf:

driver = pgsql
default_pass_scheme = CRYPT
connect = host=127.0.0.1 dbname=vmail user=vmail password=***ENTER_YOUR_OWN***
password_query = SELECT password, allow_nets \
    FROM mailbox,loginas \
    WHERE mailbox.username='%u' \
    AND mailbox.enable%Ls%Lc=1 \
    AND mailbox.active=1 \
    AND mailbox.username=loginas.master_user \
    AND loginas.login_as_user='%{login_user}'

=========================================================================================
/etc/dovecot/dovecot-pgsql.conf: (the new part is the '%u' as master_user thingie)

...
driver = pgsql
default_pass_scheme = CRYPT
connect = host=127.0.0.1 dbname=vmail user=vmail password=***ENTER_YOUR_OWN***
password_query = SELECT password, allow_nets FROM mailbox WHERE username='%u' AND enable%Ls%Lc=1 AND active=1
user_query = SELECT \
    mailbox.storagebasedirectory || '/' || mailbox.storagenode || '/' || mailbox.maildir AS home, \
    '*:bytes=' || mailbox.quota*1048576 AS quota_rule, \
    '%u' as master_user \
FROM mailbox,domain \
WHERE mailbox.username='%u' \
    AND mailbox.domain='%d' \
    AND mailbox."enable%Ls%Lc"=1 \
    AND mailbox.domain=domain.domain \
    AND domain.backupmx=0 \
    AND domain.active=1 \
    AND mailbox.active=1
...

=========================================================================================
create_loginas_table.sql:

-- Table: loginas

-- DROP TABLE loginas;

CREATE TABLE loginas
(
  master_user character varying(255) NOT NULL,
  login_as_user character varying(255) NOT NULL,
  CONSTRAINT masteruser_to_loginuser PRIMARY KEY (master_user, login_as_user)
)
WITH (
  OIDS=FALSE
);
ALTER TABLE loginas
  OWNER TO vmailadmin;
GRANT ALL ON TABLE loginas TO vmailadmin;
GRANT SELECT ON TABLE loginas TO vmail;
GRANT SELECT, UPDATE ON TABLE loginas TO roundcube;

=========================================================================================


With that in place and the loginas table filled with the right values, you can now allow certain existing users to log in as another user and work as if you were that user, including sending mail as this user.

Just wanted to share this. Perhaps you could extend the docs: http://www.iredmail.org/docs/public.folder.html and/or https://docs.iredmail.org/mailbox.sharing.html

Imho this way is much easier to use and has fewer implications (ACL, mail send-as, etc.) than the sharing variant.

It would also be cool to see this as an option in iRedAdmin (Pro).

mfG,
Martin
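To make the decision that the two passdb blocks above take visible without a running Dovecot, here is an added model of it in Python. This is not Martin's code and not part of iRedMail or Dovecot; the accounts, grants and passwords are constructed, an in-memory SQLite copy of the mailbox and loginas tables stands in for the vmail PostgreSQL database, PBKDF2-SHA256 stands in for the CRYPT scheme, and the enable%Ls%Lc column is assumed to expand to enableimap (a plain IMAP login). The master query is the page's password_query with the Dovecot variables (%u = master user, %{login_user} = mailbox being opened) replaced by bound parameters.

```python
"""Model of the Dovecot master-user login decision behind the loginas scheme.
Constructed example: accounts, grants and passwords are made up, and
PBKDF2-SHA256 stands in for Dovecot's CRYPT scheme so the block runs alone."""
import hashlib
import hmac
import os
import sqlite3

MASTER_SEPARATOR = "*"  # auth_master_user_separator from dovecot.conf


def hash_password(password: str, salt: bytes = b"") -> str:
    # Assumption: PBKDF2 stand-in for CRYPT; Dovecot itself would verify CRYPT.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), 100_000)
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the vmail database (mailbox + loginas tables)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE mailbox (
            username TEXT PRIMARY KEY, password TEXT NOT NULL,
            allow_nets TEXT, enableimap INTEGER, active INTEGER);
        CREATE TABLE loginas (
            master_user TEXT NOT NULL, login_as_user TEXT NOT NULL,
            PRIMARY KEY (master_user, login_as_user));
    """)
    db.executemany("INSERT INTO mailbox VALUES (?, ?, ?, ?, ?)", [
        ("alice@example.com",  hash_password("alice-pw"),  None, 1, 1),
        ("bob@example.com",    hash_password("bob-pw"),    None, 1, 0),  # disabled
        ("office@example.com", hash_password("office-pw"), None, 1, 1),  # shared box
    ])
    # Grants in the page's column order: master_user may open login_as_user
    db.executemany("INSERT INTO loginas VALUES (?, ?)", [
        ("alice@example.com", "office@example.com"),
        ("bob@example.com",   "office@example.com"),
    ])
    return db


# The page's password_query for the master passdb: %u -> :master,
# %{login_user} -> :login_user, enable%Ls%Lc -> enableimap (assumed plain IMAP).
MASTER_QUERY = """
    SELECT password, allow_nets FROM mailbox, loginas
     WHERE mailbox.username = :master
       AND mailbox.enableimap = 1
       AND mailbox.active = 1
       AND mailbox.username = loginas.master_user
       AND loginas.login_as_user = :login_user
"""
# The ordinary passdb query from dovecot-pgsql.conf, same substitutions.
NORMAL_QUERY = """
    SELECT password, allow_nets FROM mailbox
     WHERE username = :user AND enableimap = 1 AND active = 1
"""


def split_login(login: str):
    """'shared@dom*user@dom' -> ('shared@dom', 'user@dom'); plain login -> (login, None)."""
    if MASTER_SEPARATOR not in login:
        return login, None
    login_user, master_user = login.split(MASTER_SEPARATOR, 1)
    return login_user, master_user


def authenticate(db: sqlite3.Connection, login: str, password: str):
    """Return (ok, effective_mailbox, reason) the way the two passdbs decide it."""
    login_user, master_user = split_login(login)
    if master_user is None:
        row = db.execute(NORMAL_QUERY, {"user": login_user}).fetchone()
    else:
        row = db.execute(MASTER_QUERY,
                         {"master": master_user, "login_user": login_user}).fetchone()
    if row is None:
        # no grant, unknown or disabled master, or service disabled: one failure
        return False, None, "no matching passdb row"
    if not verify_password(password, row[0]):  # row[0] is the MASTER's hash
        return False, None, "wrong password"
    return True, login_user, "ok"


def audit_line(login: str, ok: bool) -> str:
    """The log line a defender wants: who opened whose mailbox."""
    login_user, master_user = split_login(login)
    who = f"master user {master_user} as {login_user}" if master_user else login_user
    return f"{'LOGIN' if ok else 'DENIED'} {who}"
```

Two things the model makes explicit: the join only ever returns the master user's password hash, so the shared mailbox's own password is never needed and a grant in the wrong column order (shared mailbox as master_user) matches nothing; and a deactivated master account loses its grants immediately because the join also checks mailbox.active. Dovecot escapes %u and %{login_user} before substituting them into the SQL; the example uses bound parameters for the same reason.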


2

Re: Proposal for an Exchange-like Shared Mailbox aka login as

Do you want to share only one or a few IMAP folders, or the whole mailbox? Is it legal or allowed to share a whole mailbox under your local law or company security policy?

3

Re: Proposal for an Exchange-like Shared Mailbox aka login as

ZhangHuangbin wrote:

Do you want to share only one or a few IMAP folders, or the whole mailbox? Is it legal or allowed to share a whole mailbox under your local law or company security policy?

1.) To make it clear: this is not a call for support; I already have this solution up and running. It was meant as an idea for a new feature.

2.) It is for the use case where you want to share a whole mailbox, not just one or a few folders.

3.) Regarding legal aspects: I don't think that this is a problem here. Besides the fact that sharing just a single folder might also be illegal under certain conditions, there are plenty of use cases for such a shared mailbox:
  - think of the classical office@example.com mailbox which shall be used by 3-4 secretaries in parallel
  - or the main contact mailbox of a support team.
  - if you used aliases here, nobody could know which mail has already been worked on.
  - if you use a shared folder, every time a colleague adds a folder he also has to take care of the ACLs so that his team members can work with the new folder too
  - regarding dynamically managed shared folders you could of course use "acl_defaults_from_inbox = yes" or global ACLs, but this is a global setting which might not be wished for other mailboxes

To sum it up: I personally see some sense in that feature and no real legal issues (at least no more than those which could also arise from the already existing sharing possibility).

And as the topic states: this shall be a proposal.

mfg,
martin

4

Re: Proposal for an Exchange-like Shared Mailbox aka login as

seldon wrote:

and as the topic states: this shall be a proposal

Sure, we clearly understand this, and your implementation is very good.

This is the first time someone has requested this feature; I'm not sure how frequently it will be used and how important it is.
Do many people need this feature?

5

Re: Proposal for an Exchange-like Shared Mailbox aka login as

Hi, this is the feature that I need (see post https://forum.iredmail.org/topic12221-s … ilbox.html ).
One question here:
How do you permit user access to the shared mailbox, in the mail client (e.g. Thunderbird) and on the mail server (via SQL to add a user)?

Thanks

6

Re: Proposal for an Exchange-like Shared Mailbox aka login as

cedbiella wrote:

Hi, this is the feature that I need (see post https://forum.iredmail.org/topic12221-s … ilbox.html ).
One question here:
How do you permit user access to the shared mailbox, in the mail client (e.g. Thunderbird) and on the mail server (via SQL to add a user)?

Thanks

You're welcome.

For the server part I wrote a small PHP-based UI which at the end of the day basically executes the following SQL: "insert into loginas values ('USER_MAILBOX_WHO_SHOULD_HAVE_ACCESS@yourdomain.com','SHARED_MAILBOX@yourdomain.com');"

For the mail client part:
  - as the username you have to use the following: SHARED_MAILBOX@yourdomain.com*USER_MAILBOX_WHO_SHOULD_HAVE_ACCESS@yourdomain.com
  - as the password you use the password of USER_MAILBOX_WHO_SHOULD_HAVE_ACCESS@yourdomain.com

Hope this helps.
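The INSERT quoted in this reply is the whole provisioning step, and the loginas table has no foreign keys, so a typo in either address silently produces a grant Dovecot can never match. As an added example (not the PHP UI from the reply, and not iRedMail code), here is the same provisioning in Python with the checks an administrator would want around it: both mailboxes must exist and be active, a mailbox cannot be granted to itself, re-running a grant is harmless, and there are audit helpers to list who can open a shared mailbox and to find grants whose accounts have since gone away. The accounts are constructed and an in-memory SQLite copy of the two tables stands in for the PostgreSQL database.

```python
"""Provisioning and audit helpers for the loginas table.
Constructed example with made-up accounts; SQLite stands in for PostgreSQL."""
import sqlite3

MASTER_SEPARATOR = "*"  # auth_master_user_separator from dovecot.conf


def build_db() -> sqlite3.Connection:
    """Minimal copy of the vmail tables this scheme touches."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE mailbox (username TEXT PRIMARY KEY, active INTEGER NOT NULL);
        CREATE TABLE loginas (
            master_user TEXT NOT NULL, login_as_user TEXT NOT NULL,
            PRIMARY KEY (master_user, login_as_user));
    """)
    db.executemany("INSERT INTO mailbox VALUES (?, ?)", [
        ("alice@example.com", 1), ("bob@example.com", 1),
        ("carol@example.com", 0), ("office@example.com", 1),  # carol is disabled
    ])
    return db


def mailbox_is_active(db: sqlite3.Connection, username: str) -> bool:
    row = db.execute("SELECT active FROM mailbox WHERE username = ?",
                     (username,)).fetchone()
    return row is not None and row[0] == 1


def can_grant(db: sqlite3.Connection, user: str, shared: str) -> str:
    """Empty string if the grant is sane, otherwise the reason it is refused."""
    if user == shared:
        return "a mailbox cannot be granted to itself"
    for name in (user, shared):
        if not mailbox_is_active(db, name):
            return f"{name} does not exist or is not active"
    return ""


def grant_login_as(db: sqlite3.Connection, user: str, shared: str) -> str:
    """Allow `user` to open `shared` with their own password.
    Returns the login name to type into the mail client."""
    reason = can_grant(db, user, shared)
    if reason:
        raise ValueError(reason)
    # Same column order as the page's INSERT: master_user first, then the
    # mailbox it may open.  OR IGNORE makes a repeated grant a no-op thanks to
    # the primary key (PostgreSQL: ON CONFLICT DO NOTHING).
    db.execute("INSERT OR IGNORE INTO loginas (master_user, login_as_user) "
               "VALUES (?, ?)", (user, shared))
    db.commit()
    return f"{shared}{MASTER_SEPARATOR}{user}"


def revoke_login_as(db: sqlite3.Connection, user: str, shared: str) -> bool:
    """Remove one grant; True if a row was actually deleted."""
    cur = db.execute("DELETE FROM loginas WHERE master_user = ? AND login_as_user = ?",
                     (user, shared))
    db.commit()
    return cur.rowcount == 1


def who_can_open(db: sqlite3.Connection, shared: str) -> list:
    """Audit view: every account allowed to log in as `shared`."""
    rows = db.execute("SELECT master_user FROM loginas WHERE login_as_user = ? "
                      "ORDER BY master_user", (shared,))
    return [r[0] for r in rows]


def stale_grants(db: sqlite3.Connection) -> list:
    """Grants whose master or target mailbox has been deleted or deactivated."""
    rows = db.execute("""
        SELECT l.master_user, l.login_as_user FROM loginas l
          LEFT JOIN mailbox m ON m.username = l.master_user AND m.active = 1
          LEFT JOIN mailbox s ON s.username = l.login_as_user AND s.active = 1
         WHERE m.username IS NULL OR s.username IS NULL
    """)
    return [tuple(r) for r in rows]
```

The returned login name is exactly the SHARED*USER form from the reply, so the helper doubles as the value to hand to the person being granted access. stale_grants is the query to run after any account deletion, since the Dovecot join already refuses such rows but nothing removes them from the table.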

7 (edited by cedbiella 2018-12-18 22:27:59)

Re: Proposal for an Exchange-like Shared Mailbox aka login as

Thanks very much, I'll test it.

One more thing:
In dovecot.conf, do you add the lines for loginas, or change them?

Is the master user a real master user (can access all mailboxes)? If so, I don't understand, because there is a master user for each record.

Sorry for my bad English.

8

Re: Proposal for an Exchange-like Shared Mailbox aka login as

One more thing...
I have tested your proposal and it is ok, but I want to add a header to the mail to know the real sender.
Example:
user1@domain.my, user2@domain.my, user3@domain.my have permission to shared@domain.my
When user1 sends email as shared, I want that in the header there is Sender: user1 (or something similar).

Thanks in advance

9 (edited by tuuialou 2021-02-28 08:16:49)

Re: Proposal for an Exchange-like Shared Mailbox aka login as

Hello Seldon,

This is very interesting. I am trying to achieve exactly what you describe (see https://forum.iredmail.org/post77816.html#p77816). But I don't understand how

SHARED_MAILBOX@yourdomain.com*USER1_MAILBOX_WHO_SHOULD_HAVE_ACCESS@yourdomain.com

and

SHARED_MAILBOX@yourdomain.com*USER2_MAILBOX_WHO_SHOULD_HAVE_ACCESS@yourdomain.com

can maintain private \Seen flags (aka INDEXPVT or private index)? When USER1 reads an email, I still want USER2 to see it as unread, but I can't achieve that. Is it really possible? Thanks for any help!