1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
|
.\" Copyright (c) 2014-2018 Dovecot authors, see the included COPYING file
.TH DOVEADM\-ACL 1 "2015-05-09" "Dovecot v2.3" "Dovecot"
.SH NAME
doveadm\-acl \- Manage Access Control List (ACL)
.\"------------------------------------------------------------------------
.SH SYNOPSIS
.BR doveadm " [" \-Dv ]
[\fB\-f\fP \fIformatter\fP]
.BI acl \ command
.RI [ OPTIONS ]\ [ ARGUMENTS ]
.\"------------------------------------------------------------------------
.SH DESCRIPTION
The
.B doveadm acl
.I COMMANDS
can be used to execute various Access Control List related actions.
.\"------------------------------------------------------------------------
@INCLUDE:global-options-formatter@
.\" --- command specific options --- "/.
.PP
This command uses by default the output formatter
.BR table .
.PP
Command specific
.IR options :
.\"-------------------------------------
@INCLUDE:option-A@
.\"-------------------------------------
@INCLUDE:option-F-file@
.\"-------------------------------------
@INCLUDE:option-S-socket@
.\"-------------------------------------
@INCLUDE:option-u-user@
.\"------------------------------------------------------------------------
.SH ARGUMENTS
.TP
.I id
The id (identifier) is one of:
.RS
.RS
.TP 4
*
.BR group\-override =\c
.I group_name
.\"-----------------
.TP
*
.BR user =\c
.I user_name
.\"-----------------
.TP
*
.B owner
.\"-----------------
.TP
*
.BR group =\c
.I group_name
.\"-----------------
.TP
*
.B authenticated
.\"-----------------
.TP
*
.BR anyone " (or " anonymous ", which is an alias for anyone)"
.\"-----------------
.RE
.PP
The ACLs are processed in the precedence given above, so for example if you
have given read\-access to a group, you can still remove that from specific
users inside the group.
.br
Group\-override identifier allows you to override users\(aq ACLs.
Probably the most useful reason to do this is to temporarily disable
access for some users.
For example:
.PP
.nf
user=timo rw
group\-override=tempdisabled
.fi
.PP
Now if timo is a member of the tempdisabled group, he has no access to the
mailbox.
This wouldn\(aqt be possible with a normal group identifier, because the
.B user=timo
would override it.
.RE
.\"-------------------------------------
.TP
.I mailbox
The name of the mailbox, for which the ACL manipulation should be done.
It\(aqs also possible to use the wildcard characters
.RB \(dq * "\(dq and/or \(dq" ? \(dq
in the mailbox name.
.\"-------------------------------------
.TP
.I right
Dovecot ACL right name. This isn\(aqt the same as the IMAP ACL letters,
which aren\(aqt currently supported.
Here is a mapping of the IMAP ACL letters to Dovecot ACL names:
.RS
.RS
.TP 4
.B l \(-> lookup
.I Mailbox
is visible in mailbox list.
.I Mailbox
can be subscribed to.
.\"-----------------
.TP
.B r \(-> read
.I Mailbox
can be opened for reading.
.\"-----------------
.TP
.B w \(-> write
Message flags and keywords can be changed, except
.BR \(rsSeen " and " \(rsDeleted .
.\"-----------------
.TP
.B s \(-> write\-seen
.B \(rsSeen
flag can be changed.
.\"-----------------
.TP
.B t \(-> write\-deleted
.B \(rsDeleted
flag can be changed.
.\"-----------------
.TP
.B i \(-> insert
Messages can be written or copied to the
.IR mailbox .
.\"-----------------
.TP
.B p \(-> post
Messages can be posted to the
.I mailbox
by
.BR dovecot\-lda ,
e.g. from Sieve scripts.
.\"-----------------
.TP
.B e \(-> expunge
Messages can be expunged.
.\"-----------------
.TP
.B k \(-> create
Mailboxes can be created/renamed directly under this
.I mailbox
(but not necessarily under its children, see
.I ACL Inheritance
in the wiki).
.br
Note: Renaming also requires the delete right.
.\"-----------------
.TP
.B x \(-> delete
.I Mailbox
can be deleted.
.\"-----------------
.TP
.B a \(-> admin
Administration rights to the
.I mailbox
(currently: ability to change ACLs for
.IR mailbox ).
.RE
.RE
.\"------------------------------------------------------------------------
.SH COMMANDS
.SS acl add
.B doveadm acl add
[\fB\-u\fP \fIuser\fP|\fB\-A\fP|\fB\-F\fP \fIfile\fP]
[\fB\-S\fP \fIsocket_path\fP]
.I mailbox id right
.RI [ right " ...]"
.PP
Add ACL rights to the
.IR mailbox / id .
If the
.I id
already exists, the existing rights are preserved.
.\"-------------------------------------
.SS acl debug
.B doveadm acl debug
[\fB\-u\fP \fIuser\fP|\fB\-A\fP|\fB\-F\fP \fIfile\fP]
[\fB\-S\fP \fIsocket_path\fP]
.I mailbox
.PP
This command can be used to debug why a shared mailbox isn\(aqt
accessible to the user.
It will list exactly what the problem is.
.\"-------------------------------------
.SS acl delete
.B doveadm acl delete
[\fB\-u\fP \fIuser\fP|\fB\-A\fP|\fB\-F\fP \fIfile\fP]
[\fB\-S\fP \fIsocket_path\fP]
.I mailbox id
.PP
Remove the whole ACL entry for the
.IR mailbox / id .
.\"-------------------------------------
.SS acl get
.B doveadm acl get
[\fB\-u\fP \fIuser\fP|\fB\-A\fP|\fB\-F\fP \fIfile\fP]
[\fB\-S\fP \fIsocket_path\fP]
.RB [ \-m ]
.I mailbox
.PP
Show all the ACLs for the
.IR mailbox .
.\"-------------------------------------
.SS acl recalc
.B doveadm acl recalc
[\fB\-u\fP \fIuser\fP|\fB\-A\fP|\fB\-F\fP \fIfile\fP]
[\fB\-S\fP \fIsocket_path\fP]
.PP
Make sure the
.IR user \(aqs
shared mailboxes exist correctly in the
.IR acl_shared_dict .
.\"-------------------------------------
.SS acl remove
.B doveadm acl remove
[\fB\-u\fP \fIuser\fP|\fB\-A\fP|\fB\-F\fP \fIfile\fP]
[\fB\-S\fP \fIsocket_path\fP]
.I mailbox id right
.RI [ right " ...]"
.PP
Remove the specified ACL rights from the
.IR mailbox / id .
If all rights are removed, the entry still exists without any rights.
.\"-------------------------------------
.SS acl rights
.B doveadm acl rights
[\fB\-u\fP \fIuser\fP|\fB\-A\fP|\fB\-F\fP \fIfile\fP]
[\fB\-S\fP \fIsocket_path\fP]
.I mailbox
.PP
Show the
.IR user \(aqs
current ACL rights for the
.IR mailbox .
.\"-------------------------------------
.SS acl set
.B doveadm acl set
[\fB\-u\fP \fIuser\fP|\fB\-A\fP|\fB\-F\fP \fIfile\fP]
[\fB\-S\fP \fIsocket_path\fP]
.I mailbox id right
.RI [ right " ...]"
.PP
Set ACL rights to the
.IR mailbox / id .
If the
.I id
already exists, the existing rights are replaced.
.\"------------------------------------------------------------------------
@INCLUDE:reporting-bugs@
.\"------------------------------------------------------------------------
.SH SEE ALSO
.BR doveadm (1),
.BR dovecot\-lda (1)
.\"-------------------------------------
.PP
Additional resources:
.IP "ACL Inheritance"
http://wiki2.dovecot.org/ACL#ACL_Inheritance
|