Quotas Implementation


#1

I have been able to get quotas working by making a minimal amount of changes to the system.

Modify /etc/dovecot/20-imap.conf:

mail_plugins = $mail_plugins quota
protocol imap {
  mail_plugins = $mail_plugins antispam imap_quota
}

Modify /etc/dovecot/90-quota.conf:

plugin {
  quota = maildir
}

Modify the users table in users.sqlite:

ALTER TABLE users ADD COLUMN quota TEXT NOT NULL DEFAULT '0';

Setting the default to zero means that user quotas will default to unlimited.

Modify /etc/dovecot/dovecot-sql.conf.ext to add the quota rule:

user_query = SELECT email AS user, "mail" as uid, "mail" as gid, "/home/user-data/mail/mailboxes/%d/%n" as home, '*:bytes=' || quota AS quota_rule FROM users WHERE email='%u';

Add the following line to `/usr/local/lib/roundcubemail/config/config.inc.php`:

$config['quota_zero_as_unlimited'] = true;

Restart dovecot.

Quotas are working for me now and I can set the quotas for individual users by modifying the quota column in the users table.

Are there any problems with this implementation? I’d especially like to hear from the dovecot experts.

Thanks
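As an added example (not part of the original post and not Mail-in-a-Box code): the quota column is free-form TEXT that the user_query above concatenates straight into the quota_rule, so a small helper can validate a value before it is stored and audit what is already there. The table layout in `demo_db`, the K/M/G/T suffixes and all helper names are assumptions made for illustration.

```python
import re
import sqlite3

# Same expression as the user_query above, reduced to the quota_rule column.
QUOTA_RULE_SQL = "SELECT '*:bytes=' || quota AS quota_rule FROM users WHERE email = ?"
UNITS = {"": 1, "K": 1024, "M": 1024**2, "G": 1024**3, "T": 1024**4}

def parse_quota(text):
    """Turn '0', '500M', '2G' into a plain byte-count string; reject anything else."""
    m = re.fullmatch(r"([0-9]{1,15})([KMGT]?)", text.strip().upper())
    if not m:
        raise ValueError(f"invalid quota: {text!r}")
    return str(int(m.group(1)) * UNITS[m.group(2)])

def set_quota(db, email, text):
    """Store a validated quota; returns False if the user does not exist."""
    cur = db.execute("UPDATE users SET quota = ? WHERE email = ?",
                     (parse_quota(text), email))
    db.commit()
    return cur.rowcount == 1

def quota_rule(db, email):
    """Return the quota_rule string the query would hand to Dovecot."""
    row = db.execute(QUOTA_RULE_SQL, (email,)).fetchone()
    return row[0] if row else None

def audit(db):
    """List users whose stored quota is not a plain byte count."""
    return [email for email, quota in db.execute("SELECT email, quota FROM users")
            if not re.fullmatch(r"[0-9]+", quota)]

def demo_db():
    """Constructed stand-in for users.sqlite (the real table has more columns)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT NOT NULL UNIQUE, password TEXT NOT NULL)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice@example.com", "x"), ("bob@example.com", "x")])
    # The schema change from the post; existing rows pick up the default '0'.
    db.execute("ALTER TABLE users ADD COLUMN quota TEXT NOT NULL DEFAULT '0'")
    return db

if __name__ == "__main__":
    db = demo_db()
    set_quota(db, "alice@example.com", "2G")
    print(quota_rule(db, "alice@example.com"))
    print(quota_rule(db, "bob@example.com"))
    print(audit(db))
```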


#2

Thanks for posting this.
I for one appreciate it.

Dennis


#3

@jrsupplee I too thank you for posting this information.

The project maintainer @JoshData has stated that mail quotas were outside of the scope of this project. I understand and do not disagree with his reasoning. However, as the project has matured I would like there to be further discussion of this.

Josh’s initial intent was, I believe, for mainly individuals to set up MiaB but in the last few years it has been adopted by many many small businesses as well. So maybe it is time to give further consideration to adding quotas as it has been one of the more consistently asked for improvements/additions to this project.


#4

My view has changed from when I probably said that years ago. I’d be ok with adding support for quotas.

The problem nowadays is that it takes me a very long time to review changes to Mail-in-a-Box that aren’t fixing a problem.


#5

I certainly understand time problems. I’ll fork the github repository and put these changes into it so people can start playing with it.

Any help on where to start with modifying the control panel interface would be appreciated.


#6

I forked the repository on github and made the changes to add quotas to the installation. You can clone the repository at:

There is no user interface for changing quotas at this point.


#7

I added support in control panel to change quotas. MiaB is working with quotas now.

It also returns the proper quota information in Roundcube if you hover the cursor over the pie chart for space used at the bottom of the page.

Any feedback from users would be appreciated.


#8

Thank you!

Since you are working with the control panel, can you add a delete account action?

Thanks

Dennis


#9

It is already there … ‘archive account’. This action removes the account from the database so it is no longer possible to log in, send, or receive email with it. HOWEVER the actual physical email files are NOT deleted. They must be deleted manually from the command line. This, IMHO, is a good feature to help avoid accidental deletion of email.


#10

Thanks!

This is another reason for a Manual.


#11

Speaking of changes, I’ve been meaning to get around to adding support for external authentication ( External Authentication Repo? ), but I haven’t been able to fully grasp Keycloak and OpenLDAP. I feel like Mail-in-a-Box needs to get to a point where you can plug it into your existing environment, and streamline making everything work together (like Single-Sign-On).

For example, I want to run a full Nextcloud server, Collabora Office environment, MediaWiki, Wordpress, blaw blaw blaw, and want to give all my users ONE username and ONE password, where they sign into ONE login prompt. And when they switch between services, they stay logged in/out.

I know that Mail-in-a-Box is not an all-in-one magical solution, but I feel like it should get to a point where it can fit into the bigger picture of a business with all its applications.

…Oh the joys of ignorance and lack of time, but the eagerness to make the world a better place.

…Anyways, @jrsupplee, would you consider looking into implementing quotas into an LDAP user object thingy?.. I had looked at some documentation on LDAP schemas and stuff, but that was a couple of months ago.


#12

MIAB is not meant for business though - it’s for personal self-hosting…,… :confused:

Edit: Although, maybe implementing external ldap authentication would be dope. At the very least all the apps you mentioned support this too :slight_smile:


#13

Well, there are business applications that can be used for personal use. I mean Google G-Suite is for businesses, but I still use it for personal use for free. business-y personal use. It’s nice how going from Google mail magically signs me in when I go to YouTube, Google Docs, Google Drive, etc…


#14

Sorry, @Eliter I’m not done with the implementation of the quotas and that is my focus right now for MiaB changes. Also, if you need LDAP support you should probably be looking at something other than MiaB.

Specifically, quota calculations are only made when the IMAP server (Dovecot) is accessed. So if the user does not access Dovecot the mailbox size will not be updated and mail will continue to be delivered by Postfix regardless of any quota settings. At least that is how I understand the situation right now.

Postfix needs to be configured to check the quota status before delivering the mail. I’ll look at this when I can but if anyone has any experience with this I’m all ears.


#15

I made an edit to my post just before you posted this. External LDAP would be nice to have. But comparing G-Suite to MIAB is like comparing a Prius to a Commercial truck bro.


#16

So my main problem with how MIAB manages stuff is that there is no standard, especially in a median that is happy to be externally pushed/synced, so that means there’s no plug-n-play or good communication between applications.

Now, I did look into how MIAB manages stuff, and looked into how to tinker with it. MIAB puts all its stuff into two places–inside /home/www-data/blaw/blaw/blaw (in a directory, in maildir format), and in a SQLite database located somewhere on the system (I forgot where). I forget if Postfix needs to access either of these.

So Dovecot uses the SQL/SQLite plugin/mod, which makes an SQL query for the SQLite file. When IMAP authentication requests hit the Dovecot server, Dovecot hits the SQLite file, then responds accordingly to the SQLite file. Nextcloud is configured to use IMAP authentication to the Dovecot server.

Now, I know that Dovecot supports LDAP. The problem WAS that Dovecot didn’t support LDAP on Ubuntu 14.04, but luckily we are not in that situation anymore with Ubuntu 18.04. So hopefully if Dovecot can be configured to use LDAP, then we’ll be golden… Hopefully. With these types of things, it is ALWAYS easier said than done.

I saw.

Who is Google and who is MIAB in this context? The commercial truck has a lot more power than a Prius, but presumably isn’t newer, is older, slow and with far less technology in it than a Prius. :smiley:


#17

commercial truck = Google
Prius = MIAB

Prius, small, light, ready for easy loads
truck, big, bloaty, heavy to steer, but can handle huge loads.


#18

From someone who has spent time configuring an LDAP server, trust me a SQLite database is much simpler. The amount of overhead required to run an LDAP server is not worth it when SQLite does the job.

I’m not saying your use case is invalid, just that you are asking to add another level of complexity that most people who use MiaB do not require.


#19

Well, I have looked into other external authentication protocols (looking to Keycloak’s supported authentication methods as an example), it seems LDAP has a lot more support and popularity than say OpenID or OAuth. I don’t know much about authentication jargon, but I know it would be nice to magically be able to go from MIAB to MediaWiki/Wordpress/other, and back without having to sign in/out for each, (possibly) having multiple passwords for each.

EDIT: Oh yes, Apache2 is a big reason for me. I wanted to figure out how to lock down the whole server, by forcing authentication. PHP authentication only goes so far, because clients can still access non-PHP files without authenticating.


#20

Luckily OpenLDAP is simple enough - but also MSAD is too.