Thread: Shared group mailboxes and IMAP

Shared group mailboxes and IMAP
2007-09-18 13:50:28
My school offers a "group e-mail account" facility to allow groups of two or more people (e.g., office staff, or a professor and his/her AA) to share access to a mailbox on a Cyrus IMAP server.

Some aspects of the implementation of this group account facility are painful.  I'd like to ask some questions in order to get an idea of what sorts of improvements could be proposed (and hopefully implemented by our campus IT people, or maybe implemented in my department if we can't get a better campus-wide solution).

The main snag, in my view, has to do with the authentication scheme for accessing group accounts.  Rather than have a separate password for the group account (which would have to be known by all accessors, would need to be changed whenever any accessor left, and is essentially dismissed out of hand as an unacceptable security flaw), each user logs in to the group account IMAP server using his/her own individual ID (user name) and password.  A separate, web-based utility exists to allow owners of a group account to manipulate the account's ACL info and control who can access the account.

The group accounts are set up on the IMAP server under a separate name hierarchy (e.g., an account named "ourgroupaccount" is filed on the IMAP server under group.ourgroupaccount).  Since users are authenticating to the server via their own user names (e.g., I would log in as "richw", not as "ourgroupaccount"), it doesn't appear to be possible to make the group accounts live in the regular "user" namespace -- the IMAP server wouldn't understand that I (having authenticated as "richw") want to see user.ourgroupaccount as the account's inbox (and not user.richw).

And since the group mailbox isn't named "user.XXX" (where "XXX" is the user's individual account name which was used for authentication), some mail clients have a really hard time working with group accounts in a seamless fashion.  In Eudora and Thunderbird, for example, the user is confronted with an "Inbox" on the group account server that really isn't used for anything at all -- and if a user is set up to access more than one group account, all the group mailboxes show up as separate entities gathered under a single account.  Problems also exist with checking for the arrival of new mail in a group account -- again, because the group account's inbox is not in the normal location.  Curiously, one mail client which does seem to do a half-decent job of presenting group accounts as separate entities that look the same as the user's individual Inbox is Outlook (!).

I imagine that if there were some way for a mail client to tell the IMAP server that the account user name was "ourgroupaccount", but that the user would be logging in as a different user (e.g., "richw") and with such-and-so password, it might be possible to put the group mailboxes in the "user" namespace on the server, and things would be much cleaner.  But I'm not aware of any non-kludgy way to do such a thing.

I suppose one possibility would be to tell people to use the group account name as the user name -- and then use a "group password" consisting of their individual ID, a colon or other punctuation mark, and their own individual account password -- something like this:

    User name:    ourgroupaccount
    Password:     richw:myownindividualpassword

and then write a SASL mechanism to deal with this composite user name / password thingy.  But this might very possibly be too complicated and confusing for some users to deal with.

Has anyone else out there dealt with group accounts of this type?  How do you handle the authentication issue (allowing multiple users to log in to a single group account, each using his/her own individual user ID and password)?  I'd be very interested in hearing any suggestions.

-- 
Rich Wales      ===      Palo Alto, CA, USA      ===    richwrichw.org
http://www.richw.org   ===   http://en.wikipedia.org/wiki/User:Richwales
    "The difference between theory and practice is that, in theory, theory and practice are identical -- whereas in practice, they aren't."
_______________________________________________
Imap-protocol mailing list
Imap-protocolu.washington.edu
https://mailman1.u.washington.edu/mailman/listinfo/imap-protocol

Re: Shared group mailboxes and IMAP
2007-09-18 23:27:28
> My school offers a "group e-mail account" facility to allow groups of two or more people (e.g., office staff, or a professor and his/her AA) to share access to a mailbox on a Cyrus IMAP server.

Why do you have a shared account when all you want is a shared mailbox?

I'm assuming by "account" you mean authentication details for IMAP. An email address is something quite different, and can easily be aliased.

> The main snag, in my view, has to do with the authentication scheme for accessing group accounts.  Rather than have a separate password for the group account (which would have to be known by all accessors, would need to be changed whenever any accessor left, and is essentially dismissed out of hand as an unacceptable security flaw), each user logs in to the group account IMAP server using his/her own individual ID (user name) and password.

IMHO a single set of authentication credentials for a group of people is never the right solution. There's always a better way.

> A separate, web-based utility exists to allow owners of a group account to manipulate the account's ACL info and control who can access the account.

Do you mean access to the mailbox(es) here? Access to the account is surely available to anyone who has the password.

> The group accounts are set up on the IMAP server under a separate name hierarchy (e.g., an account named "ourgroupaccount" is filed on the IMAP server under group.ourgroupaccount).  Since users are authenticating to the server via their own user names (e.g., I would log in as "richw", not as "ourgroupaccount"), it doesn't appear to be possible to make the group accounts live in the regular "user" namespace -- the IMAP server wouldn't understand that I (having authenticated as "richw") want to see user.ourgroupaccount as the account's inbox (and not user.richw).

I really think you're getting "account" and "mailbox" very confused.

So far as I can tell you don't need a group account at all.

> I imagine that if there were some way for a mail client to tell the IMAP server that the account user name was "ourgroupaccount", but that the user would be logging in as a different user (e.g., "richw") and with such-and-so password, it might be possible to put the group mailboxes in the "user" namespace on the server, and things would be much cleaner.  But I'm not aware of any non-kludgy way to do such a thing.

Exactly how you make a mailbox accessible to a group of users is server implementation dependent. What server are you using?

For an example (the UW server in this case) you might like to read

http://www.washington.edu/imap/IMAP-FAQs/index.html#4.6

Cheers,

	- Joel

Re: Shared group mailboxes and IMAP
2007-09-19 11:46:59
In the scenario I described earlier, the shared mailbox is treated as a separate IMAP account.  The group mailboxes/accounts are on a separate IMAP server (not the same as any of the servers where the users' individual accounts live) -- which is why I said that the group mailbox(es) will end up in their own, completely separate name space, with most mail clients showing a dummy "inbox" on the group mailboxes' IMAP server.

FWIW, all the IMAP servers here are using Cyrus.

Each group account has its own, unique e-mail address, and the group mailbox acts like the inbox for the corresponding e-mail address (except, as I tried to explain earlier, they don't really LOOK like regular INBOX'es to most mail clients, apparently since they are stored in a name space starting with "group." instead of "user.").

Aside from the fact that the group mailboxes are on a separate IMAP server of their own, it's felt desirable to treat them as totally separate "accounts" in any case because the users accessing one of these group mailboxes generally want/need to assume a special group identity / personality (e.g., if a group mailbox is used by the staff of an office, and anyone in the office replies to a message sent to the group e-mail address, the reply should be "From:" the group address and NOT from the individual staff member sending the reply).  This also means the current model (wherein all group mailboxes that a given user has rights to will all show up under a single account) is NOT good, because it prevents the user from assuming a separate persona for each separate group account.

The main thing I was hoping to find by posting my original question was whether anyone can point me to an authentication mechanism that current IMAP clients could use to allow multiple users to log in to a single account, with each user having his/her own separate password.

-- 
Rich Wales      ===      Palo Alto, CA, USA      ===    richwrichw.org
http://www.richw.org   ===   http://en.wikipedia.org/wiki/User:Richwales
    "The difference between theory and practice is that, in theory, theory and practice are identical -- whereas in practice, they aren't."

Re: Shared group mailboxes and IMAP
2007-10-06 23:54:51
Sorry for the delay in following up...

> In the scenario I described earlier, the shared mailbox is treated as a separate IMAP account.  The group mailboxes/accounts are on a separate IMAP server (not the same as any of the servers where the users' individual accounts live)

Just because the STORAGE for the individuals is on another server does not mean the AUTHENTICATION DETAILS can't be duplicated on this "group" server.

And this is exactly what I would recommend. Have users log in to both servers with identical and individual authentication details. You may want to use something like LDAP for this so there's no duplication of the auth record.

> Each group account has its own, unique e-mail address, and the group mailbox acts like the inbox for the corresponding e-mail address (except, as I tried to explain earlier, they don't really LOOK like regular INBOX'es to most mail clients, apparently since they are stored in a name space starting with "group." instead of "user.").

With the scheme above you could actually make it into the INBOX for each user since they're logging in to a different server to access this group mailbox.

> Aside from the fact that the group mailboxes are on a separate IMAP server of their own, it's felt desirable to treat them as totally separate "accounts" in any case because the users accessing one of these group mailboxes generally want/need to assume a special group identity / personality (e.g., if a group mailbox is used by the staff of an office, and anyone in the office replies to a message sent to the group e-mail address, the reply should be "From:" the group address and NOT from the individual staff member sending the reply).  This also means the current model (wherein all group mailboxes that a given user has rights to will all show up under a single account) is NOT good, because it prevents the user from assuming a separate persona for each separate group account.

That is a mail client configuration issue. Just because the automatic stupidity of some mail clients can be tricked into the desired behaviour by some server-side contortions doesn't mean you should do it.

> The main thing I was hoping to find by posting my original question was whether anyone can point me to an authentication mechanism that current IMAP clients could use to allow multiple users to log in to a single account, with each user having his/her own separate password.

This is server dependent, but I would expect most authentication implementations to support multiple passwords for the same uid. You can certainly do it with /etc/passwd in UNIX.

Cheers,

	- Joel

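The access model the thread converges on (each person logs in with their own credentials, and the ACL on the shared group.* mailbox decides who may open it) can be sketched as a small Cyrus-style ACL evaluator. This is an added illustration written for this page, not Cyrus code or anything posted in the thread; the `group:` identifier prefix and the sample ACL are assumptions.

```python
"""Cyrus-style mailbox ACL evaluation for a shared 'group.' mailbox.

Added illustration (not Cyrus code): every user authenticates with their own
credentials, and the ACL on group.ourgroupaccount decides who may open it.
Offboarding a person is then an ACL edit rather than a shared-password change.
"""

# Cyrus rights letters: l lookup, r read, s keep seen state, w write flags,
# i insert, p post, k create sub-mailbox, x delete mailbox, t delete messages,
# e expunge, a administer.
ALL_RIGHTS = "lrswipkxtea"


def effective_rights(acl, user, groups=()):
    """Union of rights granted to identifiers matching `user`, minus the union
    of rights in negative entries ('-identifier'), which is how Cyrus combines
    positive and negative ACL entries. The 'group:' prefix is an assumption
    (the real prefix depends on the server's auth configuration)."""
    matching = {user, "anyone"} | {"group:" + g for g in groups}
    granted, denied = set(), set()
    for ident, rights in acl.items():
        negative = ident.startswith("-")
        name = ident[1:] if negative else ident
        if name in matching:
            (denied if negative else granted).update(rights)
    return "".join(c for c in ALL_RIGHTS if c in granted and c not in denied)


def can_open(acl, user, groups=()):
    """A client needs lookup ('l') and read ('r') to SELECT the mailbox."""
    rights = effective_rights(acl, user, groups)
    return "l" in rights and "r" in rights


def remove_accessor(acl, user):
    """Offboarding: drop the user's entries; nobody else's credentials change."""
    return {ident: r for ident, r in acl.items() if ident.lstrip("-") != user}


# Constructed sample ACL for group.ourgroupaccount.
SAMPLE_ACL = {
    "richw": "lrswipkxte",          # full use of the mailbox
    "group:office-staff": "lrsp",   # staff may read and post
    "-bob": "p",                    # bob is staff but may not post
    "anyone": "p",                  # mail delivery may post for everyone
}

if __name__ == "__main__":
    print(effective_rights(SAMPLE_ACL, "richw"))                    # lrswipkxte
    print(effective_rights(SAMPLE_ACL, "bob", ["office-staff"]))    # lrs
    print(can_open(remove_accessor(SAMPLE_ACL, "richw"), "richw"))  # False
```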