DOVEADM-ACL(1) Dovecot DOVEADM-ACL(1)
NAME
doveadm-acl - Manage Access Control List (ACL)
SYNOPSIS
doveadm [-Dv] [-f formatter] acl command [OPTIONS] [ARGUMENTS]
DESCRIPTION
The doveadm acl COMMANDS can be used to execute various Access Control
List related actions.
OPTIONS
Global doveadm(1) options:
-D Enables verbosity and debug messages.
-f formatter
Specifies the formatter for formatting the output. Supported
formatters are:
flow prints each line with key=value pairs.
pager prints each key: value pair on its own line and separates
records with form feed character (^L).
tab prints a table header followed by tab separated value
lines.
table prints a table header followed by adjusted value lines.
-o setting=value
Overrides the configuration setting from /etc/dovecot/dovecot.conf
and from the userdb with the given value. In order to override
multiple settings, the -o option may be specified multiple times.
-v Enables verbosity, including progress counter.
By default this command uses the table output formatter.
Command specific options:
-A If the -A option is present, the command will be performed for
all users. Using this option in combination with system users
from userdb { driver = passwd } is not recommended, because it
also contains users with a lower UID than the one configured
with the first_valid_uid setting.
When the SQL userdb module is used, make sure that the
iterate_query setting in /etc/dovecot/dovecot-sql.conf.ext matches
your database layout. When using the LDAP userdb module, make
sure that the iterate_attrs and iterate_filter settings in
/etc/dovecot/dovecot-ldap.conf.ext match your LDAP schema.
Otherwise doveadm(1) will be unable to iterate over all users.
-F file
Execute the command for all the users in the file. This is
similar to the -A option, but instead of getting the list of users
from the userdb, they are read from the given file. The file
contains one username per line.
-S socket_path
The option's argument is either an absolute path to a local UNIX
domain socket, or a hostname and port (hostname:port), in order
to connect to a remote host via a TCP socket.
This allows an administrator to execute doveadm(1) mail commands
through the given socket.
-u user/mask
Run the command only for the given user. It's also possible to
use '*' and '?' wildcards (e.g. -u *@example.org).
When neither the -A option, nor the -F file option, nor the
-u user was specified, the command will be executed with the
environment of the currently logged in user.
ARGUMENTS
id The id (identifier) is one of:
* group-override=group_name
* user=user_name
* owner
* group=group_name
* authenticated
* anyone (or anonymous, which is an alias for anyone)
The ACLs are processed in the precedence given above, so for
example if you have given read-access to a group, you can still
remove that from specific users inside the group.
Group-override identifier allows you to override users' ACLs.
Probably the most useful reason to do this is to temporarily
disable access for some users. For example:
user=timo rw
group-override=tempdisabled
Now if timo is a member of the tempdisabled group, he has no
access to the mailbox. This wouldn't be possible with a normal
group identifier, because the user=timo would override it.
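The identifier precedence described above, as an added worked example in Python (not Dovecot's own code and not part of this man page). It assumes that the highest-precedence identifier type matching the user decides the rights and that entries of that type are merged; negative rights, default/global ACLs and the owner's implicit rights are deliberately not modelled.

```python
# Added example (not Dovecot's own code): a model of doveadm-acl identifier
# precedence. ASSUMPTION: the highest-precedence identifier type that matches
# the user decides the rights, and entries of that type are merged. Negative
# rights, default/global ACLs and the acl_shared_dict are not modelled.
from dataclasses import dataclass
from typing import Optional

# Precedence order exactly as listed under ARGUMENTS (first match wins).
PRECEDENCE = ("group-override", "user", "owner", "group", "authenticated", "anyone")

# Dovecot right names from the IMAP-letter mapping in this man page.
RIGHTS = {"lookup", "read", "write", "write-seen", "write-deleted", "insert",
          "post", "expunge", "create", "delete", "admin"}

@dataclass
class Principal:
    name: Optional[str]                 # None models an anonymous (unauthenticated) user
    groups: frozenset = frozenset()

def parse_entry(line):
    """Parse one 'id right [right ...]' line (the argument form of doveadm acl set)."""
    parts = line.split()
    if not parts:
        raise ValueError("empty ACL entry")
    ident, rights = parts[0], parts[1:]
    kind, _, arg = ident.partition("=")
    if kind == "anonymous":             # alias for anyone
        kind = "anyone"
    if kind not in PRECEDENCE:
        raise ValueError(f"unknown identifier {ident!r}")
    if (kind in ("user", "group", "group-override")) != bool(arg):
        raise ValueError(f"malformed identifier {ident!r}")
    bad = set(rights) - RIGHTS
    if bad:
        raise ValueError(f"unknown right(s) {sorted(bad)}")
    return kind, arg, frozenset(rights)

def matches(kind, arg, who, owner):
    """Does an entry of type `kind` (with argument `arg`) apply to `who`?"""
    if kind == "anyone":
        return True
    if who.name is None:                # anonymous users only ever match "anyone"
        return False
    return {"authenticated": True, "user": arg == who.name, "owner": who.name == owner,
            "group": arg in who.groups, "group-override": arg in who.groups}[kind]

def effective_rights(acl_lines, who, owner):
    """Return the right names `who` ends up with; an empty set means no access."""
    entries = [parse_entry(l) for l in acl_lines if l.strip()]
    for kind in PRECEDENCE:             # first identifier type with a match decides
        matched = [r for k, a, r in entries if k == kind and matches(k, a, who, owner)]
        if matched:
            return frozenset().union(*matched)
    return frozenset()
```

With the man page's own example, `effective_rights(["user=timo read write", "group-override=tempdisabled"], Principal("timo", frozenset({"tempdisabled"})), "timo")` is empty, while the same call for a timo outside that group returns read and write.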
mailbox
The name of the mailbox, for which the ACL manipulation should
be done. It's also possible to use the wildcard characters "*"
and/or "?" in the mailbox name.
right Dovecot ACL right name. This isn't the same as the IMAP ACL
letters, which aren't currently supported. Here is a mapping of
the IMAP ACL letters to Dovecot ACL names:
l -> lookup
Mailbox is visible in mailbox list. Mailbox can be
subscribed to.
r -> read
Mailbox can be opened for reading.
w -> write
Message flags and keywords can be changed, except
\Seen and \Deleted.
s -> write-seen
\Seen flag can be changed.
t -> write-deleted
\Deleted flag can be changed.
i -> insert
Messages can be written or copied to the mailbox.
p -> post
Messages can be posted to the mailbox by dovecot-lda,
e.g. from Sieve scripts.
e -> expunge
Messages can be expunged.
k -> create
Mailboxes can be created/renamed directly under this
mailbox (but not necessarily under its children, see
ACL Inheritance in the wiki).
Note: Renaming also requires the delete right.
x -> delete
Mailbox can be deleted.
a -> admin
Administration rights to the mailbox (currently:
ability to change ACLs for mailbox).
COMMANDS
acl add
doveadm acl add [-u user|-A|-F file] [-S socket_path] mailbox id right
[right ...]
Add ACL rights to the mailbox/id. If the id already exists, the
existing rights are preserved.
acl debug
doveadm acl debug [-u user|-A|-F file] [-S socket_path] mailbox
This command can be used to debug why a shared mailbox isn't accessible
to the user. It will list exactly what the problem is.
acl delete
doveadm acl delete [-u user|-A|-F file] [-S socket_path] mailbox id
Remove the whole ACL entry for the mailbox/id.
acl get
doveadm acl get [-u user|-A|-F file] [-S socket_path] [-m] mailbox
Show all the ACLs for the mailbox.
acl recalc
doveadm acl recalc [-u user|-A|-F file] [-S socket_path]
Make sure the user's shared mailboxes exist correctly in the
acl_shared_dict.
acl remove
doveadm acl remove [-u user|-A|-F file] [-S socket_path] mailbox id
right [right ...]
Remove the specified ACL rights from the mailbox/id. If all rights are
removed, the entry still exists without any rights.
acl rights
doveadm acl rights [-u user|-A|-F file] [-S socket_path] mailbox
Show the user's current ACL rights for the mailbox.
acl set
doveadm acl set [-u user|-A|-F file] [-S socket_path] mailbox id right
[right ...]
Set ACL rights to the mailbox/id. If the id already exists, the
existing rights are replaced.
REPORTING BUGS
Report bugs, including doveconf -n output, to the Dovecot Mailing List
<dovecot AT dovecot.org>. Information about reporting bugs is available
at: http://dovecot.org/bugreport.html
SEE ALSO
doveadm(1), dovecot-lda(1)
Additional resources:
ACL Inheritance
http://wiki2.dovecot.org/ACL#ACL_Inheritance
Dovecot v2.3 2015-05-09 DOVEADM-ACL(1)