Shared email boxes

From Syscore

What is a shared email box?

A shared email box is an email folder - or a collection of email folders - that can be accessed by multiple users without the need for them to share a single user account or login ID. Typically, the name of the shared email box is also the name of the central email alias that redirects mail into the shared folder.

Most customers who ask for "shared email accounts," "shared user accounts," or "group user accounts" really only want to share access to certain sets of email, not to logins.

HOW TO: Making a shared email box

Gather information

In order to make a shared email box, we need to know:
  1. What name should be assigned to the shared email box
    There is always a central email alias associated with a shared email box; they are usually assigned the same name to avoid confusion
  2. Who should be designated as the shared email box owner
    This should be the username of a full-time faculty or staff member
  3. Who should have access to the shared email box
    This should be a list of usernames; remember to include the owner if the owner will need read access
  4. Who should be contacted for request authorization
    Shared email boxes are generally created for the use of UMBC Administration, or for other official UMBC functions. An email from the relevant department head, or faculty person, is adequate validation for this kind of request


Check existing aliases

Use the Webadmin Interface to verify that the requested alias (usually the same as the shared email box name) is not already in use.
Note
If the alias is not available, communicate with the requesting customer. Verify that creation of a new alias is necessary (as opposed to redirection of the existing one). If so, suggest some sensible alternatives to the customer.


Run the creation script

There is a script called create-shared.pl under the /afs/umbc.edu/admin/afsadmin/sharedmail/ directory that automatically creates and populates the necessary elements for a new shared email box.
The command syntax for create-shared.pl is:
create-shared.pl <boxname> <owner> <users>
Note
If the requester needs to have access to the shared email box, that username must be given both in the "owner" argument and then repeated in the "users" list argument.


Example
User robtest has requested a new shared email box called new-systems-test. Users foobar and barbaz also need access to the shared email box.
After checking for existing email aliases called new-systems-test, run the following with afsadmin privileges:
cd /afs/umbc.edu/admin/afsadmin/sharedmail/
./create-shared.pl new-systems-test robtest robtest foobar barbaz


Perform manual tasks

After successfully running the create-shared.pl script, the following un-scripted tasks must be completed to make delivery and user access work properly:
  • Create a central email alias for the shared email box address
    1. Go back to the Webadmin Interface for managing email aliases
    2. Select the "Create New Alias" function; follow these guidelines when filling in the fields:
      • Alias Name: Usually the same as the shared email box name
      • Description: Should be terse & contain "shared mailbox"
      • Destination: Set to shared+<shared_foldername> (Note that "@umbc.edu" will be filled in automagically)
      • Owner (by username): The requester (Note that the DN will be filled in automagically)
  • Create a symlink from the new shared folder under shared/Mail/ into the Mail/ directory of each user in the "users" list (as passed to the script, earlier)
Example
User foobar2 needs a link to the shared email box foobar-test for mail client access.
With afsadmin privileges, create the link as follows:
cd /afs/umbc.edu/users/f/o/foobar2/Mail
ln -s /afs/umbc.edu/users/s/h/shared/Mail/foobar-test foobar-test

REFERENCE: Shared email box implementation

Location

We have dedicated a special AFS user account called shared [ /afs/umbc.edu/users/s/h/shared/ ] to handling shared email boxes. Every sub-directory under shared/Mail/ represents a distinct shared email box.
Example
The shared email box called systems-test is stored in the directory with the following path name:
/afs/umbc.edu/users/s/h/shared/Mail/systems-test/


Users may wish to create sub-folders to better manage their shared pile of email messages. Logically enough, sub-folders are stored in sub-directories under the main shared email box directory.
Example
The shared email box called systems-test contains a collection of sub-folders, including archived, incoming, pending, and processed. Layout of related directories follows:
Path to shared email box systems-test/ (top-level):
/afs/umbc.edu/users/s/h/shared/Mail/systems-test/
Paths to shared folders in collection under systems-test/:
/afs/umbc.edu/users/s/h/shared/Mail/systems-test/archived/
/afs/umbc.edu/users/s/h/shared/Mail/systems-test/incoming/
/afs/umbc.edu/users/s/h/shared/Mail/systems-test/pending/
/afs/umbc.edu/users/s/h/shared/Mail/systems-test/processed/


Access Control

It is important that a shared email box be available only to the proper users; after all, 'shared' does not necessarily imply 'universally-accessible.' We use AFS protection groups to manage access rights - shared email boxes (and shared email collections) are stored as directories, and AFS protection groups enforce access controls at a directory level.


Our naming convention for shared email box AFS pts groups follows:
<owner>:sb_<foldername>
Note
The owner may be the requester, or another user specified in the request. Also, the owner does not automatically have access rights to the shared email box; the owner must also be listed as a member for access rights to be conferred.
Example
User bsmith has requested a shared email box named umbctest.
An AFS pts group called bsmith:sb_umbctest will be created to manage folder access.


When users request a shared email box, we require that they also submit a list of authorized users so that the create-shared.pl script can populate the new AFS pts group. As with any other AFS pts group, manual manipulation can be performed via the pts command.


Given that every top-level directory under shared/Mail/ is owned by a different AFS pts group, access to one shared email box does not necessarily allow access to any other. Since subdirectories inherit ownership and protection information from the parent directory at creation, shared folder collections are protected in the same manner as single-folder shared email boxes.


Delivery

Delivery to shared email boxes is handled centrally, using a combination of mail aliases and "+" address extensions, so that it remains transparent to the user. When email destined for a shared email box arrives centrally, its address generally looks something like:
<shared_foldername>@umbc.edu
During standard mail processing, an alias lookup is performed. Since all shared email boxes have central email aliases, a match will be found, and a rewrite will transform the address into something like:
shared+<shared_foldername>@umbc.edu
Later processing rules split the new address at the "+" to determine further delivery information. The left-hand side provides the destination account (shared) and, when prepended to the local standard mail delivery directory (Mail/), forms the primary destination (shared/Mail/).


Delivery processing is continued by procmail after it loads the resource file located in the primary destination directory (shared/Mail/.procmailrc).
Note
The procmail resource file may include one or more additional files with further processing rules. You may have to follow a chain of includes to find all involved files. For email delivery to shared email boxes, the controlling procmail resource file is: shared/Mail/.procdir/01shared. Every shared email box has a rule in this file.
The right-hand side of the rewritten address provides procmail with the delivery directory (<shared_foldername>). When appended to the primary destination, the final destination emerges (shared/Mail/<shared_foldername>).


Example
Delivery processing of an email originally addressed to umbctest@umbc.edu
  1. Once the email arrives at a central mail system, an alias lookup rewrites the destination address as:
    shared+umbctest@umbc.edu
  2. The delivery account is determined by the left-hand-side (the rewritten address before the "+"):
    shared
  3. The primary destination is constructed from the delivery account and the standard mail delivery directory:
    shared/Mail/
  4. The delivery directory is determined by the right-hand-side (the rewritten address after the "+"):
    umbctest/
  5. The final destination is constructed from the primary destination and the delivery directory:
    shared/Mail/umbctest/


The procmail rule controlling message delivery to shared+systems-test looks like this:
##systems-test
:0
* PLUS ?? ^systems-test$
{
MAILDIR=systems-test
DEFAULT=.
INCLUDERC=../.shared/systems-test
}
This rule processes the message based on the address information to the right of the "+" and anchored to the end of the line (in this case, systems-test). The delivery directory is set by the MAILDIR line, and the systems-test-specific mail filter is included by the INCLUDERC line (useful for setting up vacation auto-responders, and the like).
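The alias rewrite and "+" split walked through above, together with the per-box recipe, as an added shell example that is not part of the Syscore page or of create-shared.pl. The alias table is constructed for illustration, and the folder-name checks are this example's own additions: the right-hand side of the address ends up as a directory name, and the "^name$" match in the recipe is a regular expression.

```shell
#!/bin/sh
# Added example, not from the Syscore page or create-shared.pl: replays the
# alias rewrite and "+" split described above, and renders the per-box procmail
# recipe. The alias table below is constructed for illustration.
ALIAS_TABLE="umbctest shared+umbctest
systems-test shared+systems-test"

# Alias lookup: print the rewritten local part for an @umbc.edu address, or nothing.
lookup_alias() {
    local_part=${1%@umbc.edu}
    printf '%s\n' "$ALIAS_TABLE" | awk -v a="$local_part" '$1 == a { print $2; exit }'
}

# Final delivery directory relative to the shared account's home, built exactly
# as the page describes: alias rewrite, split at "+", prepend <account>/Mail/.
shared_delivery_path() {
    rewritten=$(lookup_alias "$1")
    [ -n "$rewritten" ] || { echo "no alias for $1" >&2; return 1; }
    account=${rewritten%%+*}      # left-hand side: delivery account (shared)
    folder=${rewritten#*+}        # right-hand side: delivery directory
    case $folder in               # the folder becomes a directory name, so
        ''|*/*|.|..)              # never let it escape the primary destination
            echo "unsafe folder name in $rewritten" >&2; return 1 ;;
    esac
    printf '%s/Mail/%s/\n' "$account" "$folder"
}

# Render the recipe for one box in the form shown in .procdir/01shared.
# Box names are restricted to [A-Za-z0-9_-] here (this example's own rule):
# "^name$" is a regex, so a "." in a name would also match any other character.
shared_recipe() {
    box=$1
    case $box in
        ''|*[!A-Za-z0-9_-]*) echo "bad box name: $box" >&2; return 1 ;;
    esac
    printf '##%s\n:0\n* PLUS ?? ^%s$\n{\nMAILDIR=%s\nDEFAULT=.\nINCLUDERC=../.shared/%s\n}\n' \
        "$box" "$box" "$box" "$box"
}
```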


IMAP access

The most straightforward - and most universally compatible - way to get mail clients to see a shared email box is to create a symlink from the shared email box directory under shared/Mail/ into the user's Mail/ directory.


Example
User foobar1 needs a link to the shared email box foobar-test for mail client access.
Assuming the user is already a member of the necessary AFS pts group, create the link as follows:
cd /afs/umbc.edu/users/f/o/foobar1/Mail
ln -s /afs/umbc.edu/users/s/h/shared/Mail/foobar-test foobar-test
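The symlink step shown here and the identical one under "Perform manual tasks", as an added shell example that is not from the Syscore page or from create-shared.pl. It assumes the /afs/umbc.edu/users/<c1>/<c2>/<user> layout inferred from the page's own paths (f/o/foobar2, s/h/shared), and takes an AFS_ROOT prefix so the same functions can be exercised against a scratch directory; the refusal to overwrite an existing folder of the same name in a user's Mail/ is this example's own check.

```shell
#!/bin/sh
# Added example (not from the Syscore page): derive a user's AFS home from the
# username and link a shared box into each listed user's Mail/ directory.
# ASSUMPTION: the /afs/umbc.edu/users/<c1>/<c2>/<user> layout is inferred from
# the page's examples; AFS_ROOT (empty for real AFS) prefixes every path.
AFS_ROOT=${AFS_ROOT:-}

afs_home() {
    user=$1
    [ ${#user} -ge 2 ] || { echo "username too short: $user" >&2; return 1; }
    c1=$(printf '%s' "$user" | cut -c1)
    c2=$(printf '%s' "$user" | cut -c2)
    printf '%s/afs/umbc.edu/users/%s/%s/%s\n' "$AFS_ROOT" "$c1" "$c2" "$user"
}

# Link shared box $1 into Mail/ of every user named in $2..; idempotent, and
# refuses to clobber an existing folder (or a link pointing elsewhere) that
# already carries the box's name in the user's Mail/ directory.
link_shared_box() {
    box=$1; shift
    target="$(afs_home shared)/Mail/$box"
    [ -d "$target" ] || { echo "no shared box at $target" >&2; return 1; }
    status=0
    for u in "$@"; do
        home=$(afs_home "$u") || { status=1; continue; }
        link="$home/Mail/$box"
        if [ ! -d "$home/Mail" ]; then
            echo "$u: no Mail/ directory under $home" >&2; status=1
        elif [ -L "$link" ] && [ "$(readlink "$link")" = "$target" ]; then
            continue                      # already linked correctly
        elif [ -e "$link" ] || [ -L "$link" ]; then
            echo "$u: $link exists and is not the expected link" >&2; status=1
        else
            ln -s "$target" "$link" || status=1
        fi
    done
    return $status
}
```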


Linking like this will work well for pine and, in particular, IMAP-based readers such as MacMail, which ignore the IMAP server's folder subscription data.


For mail readers that honor subscription data, access can be given to shared folders by simply adding the folder to the client's subscriptions list.
Example
Subscribe user robtest to the shared email box systems-test
Append ~shared/systems-test to ~robtest/../Mail/.mailboxlist


Note
The location & format of this file may vary, depending on the mail client used.


Creation script

The elements created and manipulated by the script create-shared.pl are:
  • a new AFS pts group
  • a new folder area (top-level directory) in shared/Mail/
  • an AFS ACL for the folder directory
  • a new procmail delivery recipe


The creation script requires the following five Perl modules from the sub-directory /afs/umbc.edu/admin/afsadmin/sharedmail/perl-admin/UMBC in order to run:

  • ArMail.pm
  • Admin/AFS.pm
  • Admin/Account.pm
  • Admin/Password.pm
  • Admin/SharedBox.pm