Creating a folder in a shared mailbox: "Permission denied"

Rainer Wiesenfarth rainer_wiesenfarth at trimble.com
Sat May 13 20:03:15 CEST 2017


Hello gurus,

I have now spent half the day trying to create a subfolder in a shared
mailbox, but I always get the message "Permission denied". Google and the
Dovecot wiki unfortunately don't get me any further either, so you are
pretty much my last resort.

Some background: I am playing around with a Univention Corporate Server
(privately, don't let the signature confuse you :-) ), because I want to
avoid having to deal with all the details of server configuration as a
hobby admin. However, Univention support currently also seems to be (still)
at a loss with my problem:
https://help.univention.com/t/shared-folder-keine-berechtigung-fur-unterordner/5376

I want to create a shared mailbox with its own e-mail address that should
also have subfolders. I have cleared the first hurdle (the UCS web interface
does not set the ACLs completely). I can see the mailbox in the folder list
and can also store messages there.

But I cannot create subfolders. Here is the IMAP test:

root@client:~# openssl s_client -crlf -connect imap-server:993

CONNECTED(00000003)
...
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE
AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
. login alice@example.de secret
. OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE
SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT
MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS
LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN
CONTEXT=SEARCH LIST-STATUS SPECIAL-USE BINARY MOVE NOTIFY QUOTA ACL
RIGHTS=texk] Logged in
. list "" "*"
...
* LIST (\HasNoChildren) "/" shared/bob@example.de
...
. OK List completed.
. myrights shared/bob@example.de
* MYRIGHTS shared/bob@example.de lrwstipekxacd
. OK Myrights completed.
. create shared/bob@example.de/test
. NO [NOPERM] Permission denied
. getacl shared/bob@example.de
* ACL shared/bob@example.de alice@example.de akxeilprwtscd
. OK Getacl completed.
. logout
* BYE Logging out
. OK Logout completed.
closed

So I have the required rights, but the "create" fails.

What could be the cause? The access permissions on the directories seem
sensible (list follows below), as does the configuration ("doveconf -n" is
also below). A debug log from Dovecot unfortunately doesn't get me any
further either; there is nothing useful in it.

Does any of you have an idea what is going wrong here? I would be very
grateful for any hints!

Regards, Rainer

PS: Access permissions and configuration:

root@imap-server:~# ls -al /var/spool/dovecot/private/example.de/alice/Maildir/shared/bob@example.de

insgesamt 12
drwx--S--- 3 dovemail dovemail 4096 Mai 12 16:16 .
drwx--S--- 4 dovemail dovemail 4096 Mai 12 16:16 ..
drwx--S--- 2 dovemail dovemail 4096 Mai 13 14:54 .INBOX

root@imap-server:~# ls -al /var/spool/dovecot/private/example.de/alice/Maildir/shared/bob@example.de/.INBOX

insgesamt 12
drwx--S--- 2 dovemail dovemail 4096 Mai 13 14:54 .
drwx--S--- 3 dovemail dovemail 4096 Mai 12 16:16 ..
-rw------- 1 dovemail dovemail  684 Mai 13 16:54 dovecot.index.pvt.log

root@imap-server:~# ls -al /var/spool/dovecot/private/example.de/bob/Maildir

insgesamt 52
drwx--S--- 5 dovemail dovemail 4096 Mai 13 15:36 .
drwx--S--- 3 dovemail dovemail 4096 Mai 13 14:31 ..
drwx--S--- 2 dovemail dovemail 4096 Mai 13 14:54 cur
-rw------- 1 dovemail dovemail   89 Mai 13 14:38 dovecot-acl
-rw------- 1 dovemail dovemail   17 Mai 13 15:36 dovecot-acl-list
-rw------- 1 dovemail dovemail  360 Mai 13 14:54 dovecot.index.cache
-rw------- 1 dovemail dovemail 1552 Mai 13 15:02 dovecot.index.log
-rw------- 1 dovemail dovemail 1836 Mai 13 15:02 dovecot.list.index.log
-rw------- 1 dovemail dovemail   51 Mai 13 14:58 dovecot-uidlist
-rw------- 1 dovemail dovemail    8 Mai 13 14:31 dovecot-uidvalidity
-r--r--r-- 1 dovemail dovemail    0 Mai 13 14:31 dovecot-uidvalidity.5916fc85
-rw------- 1 dovemail dovemail   19 Mai 13 14:54 maildirsize
drwx--S--- 2 dovemail dovemail 4096 Mai 13 14:54 new
drwx--S--- 2 dovemail dovemail 4096 Mai 13 14:54 tmp

root@imap-server:~# cat /var/spool/dovecot/private/example.de/bob/Maildir/dovecot-acl

user=alice@example.de akxeilprwts

root@imap-server:~# ls -ld /var/spool/dovecot/private/example.de/bob

drwx--S--- 3 dovemail dovemail 4096 Mai 13 14:31 /var/spool/dovecot/private/example.de/bob

root@imap-server:~# ls -ld /var/spool/dovecot/private/example.de

drwx--S--- 13 dovemail dovemail 4096 Mai 13 14:31 /var/spool/dovecot/private/example.de

root@imap-server:~# ls -ld /var/spool/dovecot/private

drwxr-s--- 5 dovemail dovemail 4096 Mai 12 14:50 /var/spool/dovecot/private

root@imap-server:~# ls -ld /var/spool/dovecot

drwxr-xr-x 4 dovemail dovemail 4096 Feb 26 20:42 /var/spool/dovecot

root@imap-server:~# doveconf -n

# 2.2.13: /etc/dovecot/dovecot.conf
# OS: Linux 4.9.0-ucs103-amd64 x86_64 Univention Corporate Server 4.2-0 errata15 (Lesum) ext4
auth_cache_negative_ttl = 1 mins
auth_cache_size = 100 k
auth_cache_ttl = 5 mins
auth_master_user_separator = *
auth_mechanisms = plain login
debug_log_path = syslog
default_client_limit = 400
default_process_limit = 400
first_valid_gid = 127
first_valid_uid = 121
info_log_path = syslog
last_valid_gid = 127
last_valid_uid = 121
mail_gid = dovemail
mail_home = /var/spool/dovecot/private/%Ld/%Ln
mail_location = maildir:/var/spool/dovecot/private/%Ld/%Ln/Maildir
mail_plugins = " acl quota"
mail_privileged_group = dovemail
mail_uid = dovemail
mailbox_list_index = yes
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave imapflags notify
namespace {
  list = children
  location = maildir:%%h/Maildir:INDEXPVT=~/Maildir/shared/%%u
  prefix = shared/%%u/
  separator = /
  subscriptions = no
  type = shared
}
namespace inbox {
  inbox = yes
  location =
  mailbox Archives {
    special_use = \Archive
  }
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Entw&APw-rfe {
    special_use = \Drafts
  }
  mailbox "Gel&APY-schte Elemente" {
    special_use = \Trash
  }
  mailbox Gesendet {
    special_use = \Sent
  }
  mailbox "Gesendete Elemente" {
    special_use = \Sent
  }
  mailbox Ham {
    auto = subscribe
  }
  mailbox Junk-E-Mail {
    special_use = \Junk
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Papierkorb {
    special_use = \Trash
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Spam {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
  separator = /
  type = private
}
namespace public@local {
  list = children
  location = maildir:/var/spool/dovecot/public/local/public:INDEXPVT=~/Maildir/public/local/public
  prefix = public@local/
  separator = /
  subscriptions = no
  type = public
}
passdb {
  args = /etc/dovecot/master-users
  driver = passwd-file
  master = yes
}
passdb {
  args = cache_key=%Lu dovecot
  driver = pam
}
plugin {
  acl = vfile
  acl_anyone = allow
  acl_shared_dict = file:/var/lib/dovecot/shared-mailboxes
  quota = maildir:User quota
  quota_grace = 10%%
  quota_rule = *:storage=0
  quota_rule2 = Trash:storage=+100M
  quota_status_nouser = DUNNO
  quota_status_overquota = 552 5.2.2 Mailbox is full
  quota_status_success = DUNNO
  quota_warning = storage=95%% quota-warning 95 %Lu
  quota_warning2 = storage=80%% quota-warning 80 %Lu
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
  sieve_extensions = +notify +imapflags
  sieve_global_dir = /var/lib/dovecot/sieve
}
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
protocols = " imap lmtp sieve pop3"
service anvil {
  client_limit = 1603
}
service auth {
  client_limit = 2000
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
}
service imap-login {
  client_limit = 400
  process_min_avail = 0
  service_count = 1
  vsz_limit = 256 M
}
service imap-postlogin {
  executable = script-login /usr/lib/dovecot/dovecot-postlogin.py
  user = $default_internal_user
}
service imap {
  executable = imap imap-postlogin
  process_limit = 400
  vsz_limit = 256 M
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
service managesieve-login {
  inet_listener sieve {
    address =
    port = 4190
  }
  process_min_avail = 0
  service_count = 1
  vsz_limit = 256 M
}
service managesieve {
  process_limit = 400
}
service pop3-login {
  client_limit = 400
  process_min_avail = 0
  service_count = 1
  vsz_limit = 256 M
}
service pop3 {
  executable = pop3 imap-postlogin
  process_limit = 400
  vsz_limit = 256 M
}
service quota-status {
  client_limit = 1
  executable = quota-status -p postfix
  inet_listener {
    address = 127.0.0.1
    port = 12340
  }
}
service quota-warning {
  executable = script /usr/lib/dovecot/quota-warning.sh
  unix_listener quota-warning {
    user = dovemail
  }
  user = dovemail
}
ssl_cert = </etc/univention/ssl/imap-server.example.de/cert.pem
ssl_cipher_list = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
ssl_client_ca_dir = /etc/ssl/certs
ssl_dh_parameters_length = 2048
ssl_key = </etc/univention/ssl/imap-server.example.de/private.key
ssl_parameters_regenerate = 1 weeks
ssl_prefer_server_ciphers = yes
ssl_protocols = !SSLv2 !SSLv3
syslog_facility = local5
userdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
protocol lmtp {
  mail_plugins = " acl quota quota sieve"
}
protocol lda {
  mail_plugins = " acl quota sieve"
}
protocol imap {
  mail_plugins = " acl quota imap_acl imap_quota"
}
protocol sieve {
  mail_max_userip_connections = 10
}


-- 
Software Engineer | Trimble Imaging Division
Rotebühlstraße 81 | 70178 Stuttgart | Germany
Office +49 711 22881 0 | Fax +49 711 22881 11
http://www.trimble.com/imaging/ | http://www.inpho.de/

Trimble Germany GmbH, Am Prime Parc 11, 65479 Raunheim
Registered at Amtsgericht Darmstadt under HRB 83893,
Managing Directors: Dr. Frank Heimberg, Jürgen Kesper
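
Added example, not part of the original post or of Dovecot: a small Python check that compares the three ACL views shown in the message (the dovecot-acl vfile entry, MYRIGHTS and GETACL) and reports which of them lack "k", the RFC 4314 right that governs creating child mailboxes. The function names are hypothetical; it assumes letter-form rights, mailbox names without spaces, and "@" restored in the addresses the archive shows as " at ".

```python
# RFC 4314 rights. "c" and "d" are RFC 2086 compatibility rights that the
# server adds to MYRIGHTS/ACL responses, so they are dropped before comparing.
RFC4314_RIGHTS = frozenset("lrswipkxtea")

def normalize(letters):
    return frozenset(letters) & RFC4314_RIGHTS

def parse_vfile(text):
    """Parse dovecot-acl lines '<identifier> <rights>' (letter form only)."""
    acl = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            acl[" ".join(parts[:-1])] = normalize(parts[-1])
    return acl

def parse_imap(transcript, user):
    """Collect the user's rights from untagged MYRIGHTS and ACL responses."""
    views = {}
    for line in transcript.splitlines():
        fields = line.split()
        if fields[:2] == ["*", "MYRIGHTS"] and len(fields) == 4:
            views["MYRIGHTS"] = normalize(fields[3])
        elif fields[:2] == ["*", "ACL"] and len(fields) >= 5:
            # After the mailbox name come identifier/rights pairs.
            entries = dict(zip(fields[3::2], fields[4::2]))
            if user in entries:
                views["GETACL"] = normalize(entries[user])
    return views

def audit_create(vfile_text, transcript, user):
    """Compare all views and list those lacking 'k' (create child mailbox)."""
    on_disk = parse_vfile(vfile_text).get("user=" + user, frozenset())
    views = {"dovecot-acl": on_disk}
    views.update(parse_imap(transcript, user))
    return {
        "consistent": len(set(views.values())) == 1,
        "missing_k": sorted(n for n, r in views.items() if "k" not in r),
    }

# Constructed input: values taken from the message above, with "@" restored.
VFILE = "user=alice@example.de akxeilprwts\n"
SESSION = (
    "* MYRIGHTS shared/bob@example.de lrwstipekxacd\n"
    "* ACL shared/bob@example.de alice@example.de akxeilprwtscd\n"
)

if __name__ == "__main__":
    print(audit_create(VFILE, SESSION, "alice@example.de"))
```

With the values from this message all three views agree and each contains "k", so the ACL entries on the parent mailbox do not by themselves account for the NOPERM response.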