Cross-Context Permissions deprecated

Introduction

If supported by the mail server, mail folders can be shared with other users. This is done by defining mailbox access control lists (ACLs) through the IMAP protocol. The entity names used within the ACL rights are converted to and from App Suite users by mapping the name used in the ACL string to the mail login field of the provisioned users. By default, this mapping is only performed within the current context; if certain preconditions are met, however, it is also possible across context boundaries, so that cross-context permissions can be managed through the App Suite APIs.

Preconditions

In order to support cross-context ACLs, the underlying mail server must support the IMAP4 Access Control List (ACL) Extension (RFC 4314). Also, all users of the deployment must use the same mail server.

Then, in order to support the built-in mapping from ACL entity names to internal users (and vice versa), a Mail Login Resolver service needs to be configured and enabled. Typically, this is backed by an LDAP directory that stores records for the whole user base, where each LDAP entry for an App Suite user carries attributes for the mail login name, the OX user id and the OX context id. See the dedicated documentation article for further details.

Furthermore, in order to resolve arbitrary email addresses to their user and context identifiers when clients add new permission records through the HTTP API, a Mail Resolver service needs to be in place. Likewise, this would also use the LDAP directory with mappings from email addresses to OX user and context identifiers (and vice versa). See the corresponding documentation for details on how to enable and configure the resolver service.

Configuration

Once the preconditions are met, cross-context permissions for mail folders can be enabled through the following property:

com.openexchange.mail.crossContextPermissions = true

The setting can be defined through the config-cascade.
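The following is an added example (not App Suite code) of the entity-name mapping described above: it parses an RFC 4314 untagged ACL response, looks each identifier up in a constructed stand-in for the LDAP-backed Mail Login Resolver, and leaves entries from other contexts unresolved unless the cross-context switch is on. The directory contents, the `resolve_acl` function and the behaviour for unresolvable entries are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed stand-in for the Mail Login Resolver (normally LDAP-backed):
# mail login name -> (OX user id, OX context id). Sample data only.
MAIL_LOGIN_DIRECTORY = {
    "alice@example.com": (3, 1),
    "bob@example.com": (7, 1),
    "carol@example.org": (12, 2),   # lives in a different context
}

# Untagged ACL response: `* ACL <mailbox> <identifier> <rights> ...` (RFC 4314)
ACL_RE = re.compile(r'^\* ACL (?P<mailbox>"[^"]*"|\S+)\s+(?P<pairs>.*)$')


@dataclass(frozen=True)
class ResolvedAcl:
    identifier: str          # ACL entity name as sent by the IMAP server
    rights: str              # RFC 4314 rights letters, e.g. "lrswipkxtecda"
    negative: bool           # True for "-identifier" (negative rights)
    user_id: Optional[int]   # None when the entry could not be mapped
    context_id: Optional[int]


def parse_getacl(line: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split an ACL response into the mailbox and its (identifier, rights) pairs."""
    m = ACL_RE.match(line.strip())
    if not m:
        raise ValueError("not an ACL response: %r" % line)
    tokens = m.group("pairs").split()
    if len(tokens) % 2:
        raise ValueError("identifier without rights in %r" % line)
    pairs = [(tokens[i], tokens[i + 1]) for i in range(0, len(tokens), 2)]
    return m.group("mailbox").strip('"'), pairs


def resolve_acl(line: str, current_context: int, cross_context_enabled: bool,
                directory=MAIL_LOGIN_DIRECTORY) -> Tuple[str, List[ResolvedAcl]]:
    """Map ACL identifiers to OX user/context ids via the (assumed) resolver.

    Entries whose context differs from current_context stay unresolved unless
    cross_context_enabled is True (the com.openexchange.mail.crossContextPermissions switch)."""
    mailbox, pairs = parse_getacl(line)
    resolved = []
    for ident, rights in pairs:
        negative = ident.startswith("-")
        name = ident[1:] if negative else ident
        hit = directory.get(name)
        if hit is None or (hit[1] != current_context and not cross_context_enabled):
            resolved.append(ResolvedAcl(name, rights, negative, None, None))
        else:
            resolved.append(ResolvedAcl(name, rights, negative, hit[0], hit[1]))
    return mailbox, resolved
```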