fix(dovecot): Enable shared mailboxes

fix(open-xchange): Use login name instead of email between OX and Dovecot
fix(open-xchange): Update Dovecot CE chart to support ACLs (mailbox sharing) and usernames different from local part of mail address
2025-12-06 07:21:36 +01:00 · 2025-05-14 19:29:06 +02:00 · 2025-05-14 15:54:03 +02:00 · 2025-05-14 15:54:03 +02:00 · 2025-05-14 15:54:03 +02:00 · 2025-05-14 15:54:03 +02:00
12 changed files with 45 additions and 34 deletions
--- a/README.md
+++ b/README.md
@@ -38,7 +38,7 @@ openDesk currently features the following functional main components:
 | Collaborative notes  | Notes (aka Docs)            | [2.4.0](https://github.com/suitenumerique/docs/releases/tag/v2.4.0)                                                           | Online documentation/welcome document available in installed application                                                              |
 | Diagram editor       | CryptPad ft. diagrams.net   | [2024.9.0](https://github.com/cryptpad/cryptpad/releases/tag/2024.9.0)                                                        | [For the most recent release](https://docs.cryptpad.org/en/)                                                                          |
 | File management      | Nextcloud                   | [30.0.6](https://nextcloud.com/de/changelog/#30-0-6)                                                                          | [Nextcloud 30](https://docs.nextcloud.com/)                                                                                           |
-| Groupware            | OX App Suite                | [8.35](https://documentation.open-xchange.com/appsuite/releases/8.35/)                                                        | Online documentation available from within the installed application; [Additional resources](https://documentation.open-xchange.com/) |
+| Groupware            | OX App Suite                | [8.37](https://documentation.open-xchange.com/appsuite/releases/8.37/)                                                        | Online documentation available from within the installed application; [Additional resources](https://documentation.open-xchange.com/) |
 | Knowledge management | XWiki                       | [16.10.5](https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/16.10.5/)                                              | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation)                                                     |
 | Portal & IAM         | Nubus                       | [1.8.0](https://docs.software-univention.de/nubus-kubernetes-release-notes/latest/en/changelog.html#version-1-8-0-2025-04-07) | [Univention's documentation website](https://docs.software-univention.de/n/en/nubus.html)                                             |
 | Project management   | OpenProject                 | [15.5.1](https://www.openproject.org/docs/release-notes/15-5-1/)                                                              | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                           |
--- a/helmfile/apps/open-xchange/values-dovecot-enterprise.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-dovecot-enterprise.yaml.gotmpl
@@ -27,15 +27,8 @@ dovecot:
    password:
      value: {{ .Values.secrets.cassandra.dovecotDictmapUser | quote }}
    keyspace: {{ .Values.databases.dovecotDictmap.name | quote }}
-  sharedMailboxes:
-    enabled: false
-    host: {{ .Values.databases.dovecotACL.host | quote }}
-    port: {{ .Values.databases.dovecotACL.port }}
-    username: {{ .Values.databases.dovecotACL.username | quote }}
-    password:
-      value: {{ .Values.secrets.cassandra.dovecotACLUser | quote }}
-    keyspace: {{ .Values.databases.dovecotACL.name | quote }}
  objectStorage:
+    bucket: {{ .Values.objectstores.dovecot.bucket | quote }}
    encryption:
      privateKey:
        value: {{ env "DOVECOT_CRYPT_PRIVATE_KEY" | quote }}
--- a/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl
@@ -49,6 +49,15 @@ dovecot:
    introspectionPath: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token/introspect"
    usernameAttribute: "opendesk_username"
  loginTrustedNetworks: {{ join " " .Values.cluster.networking.cidr | quote }}
+  sharedMailboxes:
+    type: "postgresql"
+    enabled: true
+    host: {{ .Values.databases.dovecotACL.host | quote }}
+    port: {{ .Values.databases.dovecotACL.port }}
+    username: {{ .Values.databases.dovecotACL.username | quote }}
+    password:
+      value: {{ .Values.secrets.postgresql.dovecotACLUser | quote }}
+    database: {{ .Values.databases.dovecotACL.name | quote }}
  submission:
    enabled: true
    ssl: "no"
--- a/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
@@ -325,12 +325,21 @@ appsuite:
      com.openexchange.oidc.passwordGrantUserNamePart: "local-part"
      # MAIL
      com.openexchange.mail.authType: "xoauth2"
-      com.openexchange.mail.loginSource: "mail"
+      com.openexchange.mail.loginSource: "name"
      com.openexchange.mail.mailServer: "dovecot"
      com.openexchange.mail.mailServerSource: "global"
      com.openexchange.mail.transport.authType: "xoauth2"
      com.openexchange.mail.transportServer: "postfix-ox"
      com.openexchange.mail.transportServerSource: "global"
+      # Mail Login Resolver
+      com.openexchange.mail.login.resolver.enabled: "true"
+      com.openexchange.mail.login.resolver.ldap.enabled: "true"
+      com.openexchange.mail.login.resolver.ldap.clientId: "contactsLdapClient"
+      com.openexchange.mail.login.resolver.ldap.mailLoginSearchFilter: "(entryUUID=[mailLogin])"
+      com.openexchange.mail.login.resolver.ldap.userNameAttribute: "uid"
+      com.openexchange.mail.login.resolver.ldap.contextNameAttribute: "oxContextIDNum"
+      com.openexchange.mail.login.resolver.ldap.entitySearchFilter: "(&(oxContextIDNum=[cid])(uid=[uname]))"
+      com.openexchange.mail.login.resolver.ldap.mailLoginAttribute: "entryUUID"
      # Requirements for OX-Connector
      com.openexchange.user.enforceUniqueDisplayName: "false"
      com.openexchange.folderstorage.database.preferDisplayName: "false"
--- a/helmfile/apps/services-external/values-cassandra.yaml.gotmpl
+++ b/helmfile/apps/services-external/values-cassandra.yaml.gotmpl
@@ -43,10 +43,6 @@ initDB:
    CREATE ROLE IF NOT EXISTS {{ .Values.databases.dovecotDictmap.username | quote }};
    ALTER ROLE {{ .Values.databases.dovecotDictmap.username | quote }} WITH PASSWORD = {{ regexReplaceAll "'" .Values.secrets.cassandra.dovecotDictmapUser "''" | squote }} AND LOGIN = true;
    GRANT ALL ON KEYSPACE {{ .Values.databases.dovecotDictmap.name | quote }} TO {{ .Values.databases.dovecotDictmap.username | quote }};
-    CREATE KEYSPACE IF NOT EXISTS {{ .Values.databases.dovecotACL.name | quote }} WITH REPLICATION = { 'class' : 'SimpleStrategy', 'replication_factor' : 1 };
-    CREATE ROLE IF NOT EXISTS {{ .Values.databases.dovecotACL.username | quote }};
-    ALTER ROLE {{ .Values.databases.dovecotACL.username | quote }} WITH PASSWORD = {{ regexReplaceAll "'" .Values.secrets.cassandra.dovecotACLUser "''" | squote }} AND LOGIN = true;
-    GRANT ALL ON KEYSPACE {{ .Values.databases.dovecotACL.name | quote }} TO {{ .Values.databases.dovecotACL.username | quote }};

 # Will print a warning if unset but is automatically calculated:
 jvm:
--- a/helmfile/apps/services-external/values-postgresql.yaml.gotmpl
+++ b/helmfile/apps/services-external/values-postgresql.yaml.gotmpl
@@ -48,6 +48,9 @@ image:

 job:
  users:
+    - username: {{ .Values.databases.dovecotACL.username | quote }}
+      password: {{ .Values.secrets.postgresql.dovecotACLUser | quote }}
+      connectionLimit: {{ .Values.databases.dovecotACL.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
    - username: {{ .Values.databases.keycloak.username | quote }}
      password: {{ .Values.secrets.postgresql.keycloakUser | quote }}
      connectionLimit: {{ .Values.databases.keycloak.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
@@ -83,6 +86,8 @@ job:
      connectionLimit: {{ .Values.databases.xwiki.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
 {{ end }}
  databases:
+    - name: {{ .Values.databases.dovecotACL.name | quote }}
+      user: {{ .Values.databases.dovecotACL.username | quote }}
    - name: {{ .Values.databases.keycloak.name | quote }}
      user: {{ .Values.databases.keycloak.username | quote }}
    - name: {{ .Values.databases.keycloakExtension.name | quote }}
--- a/helmfile/environments/default-enterprise-overrides/charts.yaml.gotmpl
+++ b/helmfile/environments/default-enterprise-overrides/charts.yaml.gotmpl
@@ -6,12 +6,11 @@ charts:
    registry: "registry.opencode.de"
    repository: "zendis/opendesk-enterprise/components/product-development/charts/opendesk-dovecot-pro"
    name: "dovecot"
-    version: "3.0.0"
+    version: "3.0.0-tkaltenbrunner-fix-postgresacl"
    verify: true
  oxAppSuite:
    registry: "registry.opencode.de"
    repository: "zendis/opendesk-enterprise/components/supplier/open-xchange/charts-mirror"
    name: "appsuite-public-sector-pro-chart"
-    version: "1.15.236"
+    version: "1.17.283"
    verify: false
-...
--- a/helmfile/environments/default-enterprise-overrides/images.yaml.gotmpl
+++ b/helmfile/environments/default-enterprise-overrides/images.yaml.gotmpl
@@ -17,5 +17,5 @@ images:
  openxchangeCoreMW:
    registry: "registry.opencode.de"
    repository: "zendis/opendesk-enterprise/components/supplier/open-xchange/images-mirror/middleware-public-sector-pro"
-    tag: "8.35.85@sha256:54d01a16ea29a3ae8f1857e5bdf6d2e34046b8a3fa3d6179bb3ad3d047e1318f"
+    tag: "8.37.62@sha256:750bb22a12646e4f3df01de9d438617c53d0996407ba11924167102cd84c4660"
 ...
--- a/helmfile/environments/default/charts.yaml.gotmpl
+++ b/helmfile/environments/default/charts.yaml.gotmpl
@@ -99,7 +99,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-dovecot"
    name: "dovecot"
-    version: "3.0.0"
+    version: "3.1.0-tkaltenbrunner-fix-dovecot-acls"
    verify: true
  element:
    # providerCategory: "Platform"
@@ -387,7 +387,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/charts-mirror"
    name: "appsuite-public-sector"
-    version: "2.17.164"
+    version: "2.19.254"
    verify: false
  oxAppSuiteBootstrap:
    # providerCategory: "Platform"
--- a/helmfile/environments/default/database.yaml.gotmpl
+++ b/helmfile/environments/default/database.yaml.gotmpl
@@ -15,10 +15,10 @@ databases:
    password: ""
    connectionLimit: ~
  dovecotACL:
-    type: "cassandra"
+    type: "postgresql"
    name: "dovecot_acl"
-    host: "cassandra"
-    port: 9042
+    host: "postgresql"
+    port: 5432
    username: "dovecot_acl_user"
    password: ""
    connectionLimit: ~
--- a/helmfile/environments/default/images.yaml.gotmpl
+++ b/helmfile/environments/default/images.yaml.gotmpl
@@ -764,7 +764,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "6", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-guidedtours"
-    tag: "8.6.14@sha256:c00546144667d2d5036fa37b2e6185f1abb53c13e9eee7b0c78ec64ac8e5250a"
+    tag: "8.6.15@sha256:f8ea7b3f4003b518c43b12118980d26d1258396f55848af6a64e7a3e7e103c1d"
  openxchangeCoreMW:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -774,7 +774,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "20", "51"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/middleware-public-sector"
-    tag: "8.35.83@sha256:5c4180c1ba255193059241921e6fe0a34555592aa29104a145a0e1beb91157d2"
+    tag: "8.37.62@sha256:2eb5f4a472c329cbf170b6e7fba5790756dcc3f6360d5d36dfff5eb06b09f8c3"
  openxchangeCoreUI:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -784,7 +784,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "20", "1"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-ui"
-    tag: "8.35.2@sha256:658563b6ec4d3d5f2e06f2987cd8e730d91b8d0c65b0206495007d347f98965f"
+    tag: "8.37.1@sha256:eb30e03a5976d57a62d00a613336631d46bffc84c0d67e422f062635669f6b62"
  openxchangeCoreUIMiddleware:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -794,7 +794,7 @@ images:
    # upstreamMirrorStartFrom: ["2", "0", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-ui-middleware"
-    tag: "2.1.1@sha256:1a3e96243353a53e06bf3d90067d7d07de449e8273fa60a043d7ac4a5e6464c3"
+    tag: "2.1.2@sha256:36fe59a047fa466bef6fcdeed1ed8e4bbeaf7824c37c63e3bfe7262cd135cb9e"
  openxchangeCoreUserGuide:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -804,7 +804,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "20", "799279"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-user-guide"
-    tag: "8.35.1292950@sha256:a6937222e3b07b42c7dc6a066aae0cd05b3b899325a4e4aee50ee91355c9b3b5"
+    tag: "8.37.1354160@sha256:226b210268cd3c9b13a84a2ca1168e1ab08b62e19bccd3129adad7ffca514655"
  openxchangeDocumentConverter:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -814,7 +814,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "20", "50"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/documentconverter"
-    tag: "8.35.1671@sha256:0a7b9d7af9cd22562196b854ad11ca3fd477ddcc70f2ccd113e87ab3b7aad26c"
+    tag: "8.37.1751@sha256:c1bbe271d6c0ba9ecc1bbb4ba2a944099f0ba90133dd4e6d3aecd0ea51b2e5bd"
  openxchangeGotenberg:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -834,7 +834,7 @@ images:
    # upstreamMirrorStartFrom: ["4", "2", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/guard-ui"
-    tag: "8.32.0@sha256:5c9542f9112882e46c3b8cb6f0ca2bef61585abac0e640a4fafa7d7ef60a392b"
+    tag: "8.33.2@sha256:920b5ac87128f30c176c0ae75c6bedd32d226a97c6c5a822235606c39992ee9a"
  openxchangeImageConverter:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -844,7 +844,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "20", "50"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/imageconverter"
-    tag: "8.35.77@sha256:fb67cbaf0771ea6c18b5a1b94aaec9bf72b930227613e70535d382be58940372"
+    tag: "8.37.2089@sha256:8109351da173fa836d5559973103c8890e6a6e2514866675387bbf4d49606917"
  openxchangeNextcloudIntegrationUI:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -854,7 +854,7 @@ images:
    # upstreamMirrorStartFrom: ["1", "2", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/nextcloud-integration-ui"
-    tag: "1.4.0@sha256:4be267ab2dc8dbef6b8382e2de6b28f3851a7af7f68702f360d457898cb9011e"
+    tag: "1.4.1@sha256:423d596b52ab32778d7227d98ccc719f98395a00d95ff0bcac826665b59e1937"
  openxchangePublicSectorUI:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -864,7 +864,7 @@ images:
    # upstreamMirrorStartFrom: ["2", "2", "1"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/public-sector-ui"
-    tag: "2.4.0@sha256:6513e948028ed98aca633d9943ef3be5fed890e4757eee6b527b7215206d2bd6"
+    tag: "2.4.1@sha256:c9f0f5425517e1740aaf9998c5944ce36ce26eda52329754e6b8ac733e2dacc5"
  oxConnector:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
--- a/helmfile/environments/default/secrets.yaml.gotmpl
+++ b/helmfile/environments/default/secrets.yaml.gotmpl
@@ -8,7 +8,6 @@ secrets:
  cassandra:
    rootPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cassandra" "root_password" | sha1sum | quote }}
    dovecotDictmapUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cassandra" "dovecot_dictmap_user" | sha1sum | quote }}
-    dovecotACLUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cassandra" "dovecot_acl_user" | sha1sum | quote }}
  oxAppSuite:
    adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "admin_password" | sha1sum | quote }}
    basicAuthPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "basic_auth_password" | sha1sum | quote }}
@@ -59,6 +58,7 @@ secrets:
    natsAdminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "admin" "nats" | sha1sum | quote }}
  postgresql:
    postgresUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "postgres_user" | sha1sum | quote }}
+    dovecotACLUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cassandra" "dovecot_acl_user" | sha1sum | quote }}
    keycloakUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "keycloak_user" | sha1sum | quote }}
    keycloakExtensionUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "keycloak_extensions_user" | sha1sum | quote }}
    matrixUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "matrix_user" | sha1sum | quote }}
Author	SHA1	Message	Date
Thomas Kaltenbrunner	50dc5ecc60	fix(dovecot): Enable shared mailboxes	2025-05-14 19:29:06 +02:00
Viktor Pracht	4171a2fcc1	fix(open-xchange): Use login name instead of email between OX and Dovecot	2025-05-14 15:54:03 +02:00
Thorsten Roßner	a969c6ee57	fix(open-xchange): Update Dovecot CE chart to support ACLs (mailbox sharing) and usernames different from local part of mail address	2025-05-14 15:54:03 +02:00
Viktor Pracht	96f9114553	fix(open-xchange): Enabled mail login resolver	2025-05-14 15:54:03 +02:00
Viktor Pracht	d89a826a0f	chore(openxchange): Updated OX App Suite to 8.37	2025-05-14 15:54:03 +02:00