dovecot-1.0.7-9.el5_11.4.x86_64.rpm

Access Control Lists
====================

Dovecot supports giving ACLs to mailboxes, although it doesn't yet support the
actual IMAP ACL extension. The code allows multiple ACL backends, but currently
Dovecot supports only virtual ACL files. See <SharedMailboxes.txt> for
information on how to implement them.

ACLs can be enabled in dovecot.conf with:

---%<-------------------------------------------------------------------------
protocol imap {
..
  mail_plugins = acl
}
...
plugin {
  acl = vfile:/etc/dovecot-acls
}
---%<-------------------------------------------------------------------------

Groups aren't currently supported, but only because groups can't be specified
in the userdb yet. If you really need groups, you could modify the sources:
http://dovecot.org/list/dovecot/2007-May/022535.html

The default ACL for mailboxes gives the owner all permissions and other users
none. Mailboxes in public namespaces don't have owners, so by default no-one
can access them.

vfile backend
-------------

The vfile backend supports per-mailbox ACLs and global ACLs, which apply to
every user's mailbox of the same name.

Per-mailbox ACLs are stored in a file named 'dovecot-acl', which lives in:

 * maildir: The maildir's root directory (eg. '~/Maildir',
   '~/Maildir/.folder/')
 * mbox: Currently in the same directory as indexes (eg.
   '~/mail/.imap/INBOX/'), but this might change
 * dbox: dbox's root directory (eg. '~/mail/INBOX/Mails/')

Global ACLs are stored in the directory you gave as the ACL plugin parameter
('/etc/dovecot-acls' in the example above). They have the same name as the
mailbox. For example, for *INBOX* you'd have the file '/etc/dovecot-acls/INBOX',
and for *Folder.subfolder* you'd have '/etc/dovecot-acls/Folder.subfolder'.

If your hierarchy separator is '/' it gets a bit more complicated. If you have
mailboxes *foo* and *foo/bar*, the ACL file for *foo/bar* is
'/etc/dovecot-acls/foo/bar', as you would expect. But since
'/etc/dovecot-acls/foo' is then a directory, you can't create a file by that
name for the *foo* mailbox's ACLs. So for *foo* you'll have to use the
'/etc/dovecot-acls/foo/.DEFAULT' file instead.
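The following is an added example, not Dovecot's own code, showing where the
vfile backend's rule above puts a mailbox's global ACL file. The function
'global_acl_path' and the temp-directory tree built by 'demo' are this
example's own constructions; the '.DEFAULT' fallback for a mailbox whose path
is a directory, and the namespace prefix being ignored, follow the text. The
refusal of empty, '.' and '..' name components is a defensive check added by
this example and is not a description of Dovecot's own validation.

```python
"""Resolve the global ACL file path for a mailbox (vfile backend rule).

Example code for this page, not Dovecot's implementation.
"""
import os
import tempfile


def global_acl_path(acl_dir, mailbox, sep):
    """Return the global ACL file path for `mailbox`.

    acl_dir is the directory given as the ACL plugin parameter, e.g.
    '/etc/dovecot-acls'. With '.' as separator the whole name is one file
    name ('Folder.subfolder'); with '/' each component becomes a path element.
    """
    parts = mailbox.split("/") if sep == "/" else [mailbox]
    # Defensive check added by this example (not a Dovecot claim): a mailbox
    # name must not escape acl_dir through empty or '..' components.
    if any(p in ("", ".", "..") for p in parts):
        raise ValueError("invalid mailbox name %r" % mailbox)
    path = os.path.join(acl_dir, *parts)
    if os.path.isdir(path):
        # The mailbox has children, so its own path is a directory:
        # the text says its ACLs live in '.DEFAULT' inside it.
        return os.path.join(path, ".DEFAULT")
    return path


def demo():
    """Build a constructed ACL tree in a temp dir and resolve three names."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "foo"))
    open(os.path.join(root, "foo", "bar"), "w").close()        # ACLs for foo/bar
    open(os.path.join(root, "foo", ".DEFAULT"), "w").close()   # ACLs for foo itself
    open(os.path.join(root, "INBOX"), "w").close()             # ACLs for INBOX
    names = ["INBOX", "foo", "foo/bar"]
    return {n: os.path.relpath(global_acl_path(root, n, "/"), root) for n in names}


if __name__ == "__main__":
    for name, path in demo().items():
        print("%-8s -> %s" % (name, path))
    print(global_acl_path("/etc/dovecot-acls", "Folder.subfolder", "."))
```

Run it as a script to see *foo* resolve to 'foo/.DEFAULT' while *foo/bar* and
*INBOX* resolve to plain files; with the '.' separator, 'Folder.subfolder' stays
a single file name under the ACL directory.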

WARNING: Namespace prefixes are currently ignored, so if you have multiple
namespaces their mailbox names could conflict. This will be fixed later.

ACL files
---------

The files themselves are in the format:

---%<-------------------------------------------------------------------------
<identifier> <ACLs> [:<named ACLs>]
---%<-------------------------------------------------------------------------

Where *identifier* is one of:

 * group-override=*group name*
 * owner / user=*user name*
 * group=*group name*
 * owner
 * authenticated
 * anyone / anonymous

The ACLs are processed in the order given above, so e.g. if you have given
read access to a group, you can still remove it from a specific user in that
group.

The group-override identifier lets you override users' ACLs. Probably the most
useful reason to do this is to temporarily disable access for some users. For
example:

---%<-------------------------------------------------------------------------
user=timo rw
group-override=tempdisabled
---%<-------------------------------------------------------------------------

Now if *timo* is in *tempdisabled* group, he has no access to the mailbox. This
wouldn't be possible with a normal group identifier, because the 'user=timo'
would override it.

The currently supported ACLs and their corresponding named ACLs are:

+---+---------------+---------------------------------------------------------+
| l | lookup        | Mailbox is visible in mailbox list. Mailbox can be      |
|   |               | subscribed to.                                          |
+---+---------------+---------------------------------------------------------+
| r | read          | Mailbox can be opened for reading.                      |
+---+---------------+---------------------------------------------------------+
| w | write         | Message flags and keywords can be changed, except \Seen |
|   |               | and \Deleted                                            |
+---+---------------+---------------------------------------------------------+
| s | write-seen    | \Seen flag can be changed                               |
+---+---------------+---------------------------------------------------------+
| t | write-deleted | \Deleted flag can be changed                            |
+---+---------------+---------------------------------------------------------+
| i | insert        | Messages can be written or copied to the mailbox        |
+---+---------------+---------------------------------------------------------+
| e | expunge       | Messages can be expunged                                |
+---+---------------+---------------------------------------------------------+
| k | create        | Mailboxes can be created under this mailbox             |
+---+---------------+---------------------------------------------------------+
| x | delete        | Mailbox can be deleted                                  |
+---+---------------+---------------------------------------------------------+
| a | admin         | Administration rights to the mailbox                    |
+---+---------------+---------------------------------------------------------+

The ACLs are compatible with RFC 4314 (IMAP ACL extension, updated version).

Unknown ACL letters are complained about, but unknown named ACLs are ignored.
Named ACLs are mostly intended for future extensions.

Example ACL file:

---%<-------------------------------------------------------------------------
owner lrwstiekxa
user=timo rl
---%<-------------------------------------------------------------------------
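As an added example (not Dovecot's code), the Python below parses lines in the
'<identifier> <ACLs> [:<named ACLs>]' format and computes a user's effective
rights, covering the identifier precedence, the group-override case and the
example file above in one place. The functions 'parse_acl_line',
'parse_acl_file', 'effective_rights' and 'named' are this example's own. It
assumes that the most specific matching identifier's rights replace all less
specific ones (which is what makes the 'group-override=tempdisabled' line
remove 'user=timo rw'), that two matches of equal specificity (e.g. two groups)
are unioned, and that when no line matches, the documented default applies
(owner gets everything, everyone else nothing).

```python
"""Parse a dovecot-acl style file and evaluate a user's effective rights.

Example code for this page, not Dovecot's implementation. Precedence and
default behaviour follow the text; tie handling is this example's assumption.
"""

# Letter -> named ACL, from the table in the text.
ACL_NAMES = {
    "l": "lookup", "r": "read", "w": "write", "s": "write-seen",
    "t": "write-deleted", "i": "insert", "e": "expunge", "k": "create",
    "x": "delete", "a": "admin",
}
NAME_TO_LETTER = {v: k for k, v in ACL_NAMES.items()}
ALL_RIGHTS = frozenset(ACL_NAMES)

# Identifier types from least to most specific; a more specific match wins.
PRECEDENCE = ["anyone", "authenticated", "owner", "group", "user", "group-override"]


def parse_acl_line(line):
    """Return (id_type, id_value, rights) for one ACL line."""
    ident, _, rest = line.strip().partition(" ")
    if ident in ("anyone", "anonymous"):
        id_type, id_value = "anyone", None
    elif ident in ("authenticated", "owner"):
        id_type, id_value = ident, None
    elif "=" in ident and ident.split("=", 1)[0] in ("user", "group", "group-override"):
        id_type, id_value = ident.split("=", 1)
    else:
        raise ValueError("unknown identifier %r" % ident)
    letters, _, named_part = rest.partition(":")
    rights = set()
    for ch in letters.replace(" ", ""):
        if ch not in ACL_NAMES:
            raise ValueError("unknown ACL letter %r" % ch)  # unknown letters are complained about
        rights.add(ch)
    for name in named_part.split():
        if name in NAME_TO_LETTER:  # unknown named ACLs are silently ignored
            rights.add(NAME_TO_LETTER[name])
    return id_type, id_value, frozenset(rights)


def parse_acl_file(text):
    """Parse a whole file; blank lines and '#' comments are skipped (this example's choice)."""
    return [parse_acl_line(l) for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]


def effective_rights(entries, user, groups, is_owner, authenticated=True):
    """Rights of `user` (member of `groups`) on a mailbox with the given entries."""
    best = None  # (precedence rank, rights) of the most specific match so far
    for id_type, id_value, rights in entries:
        matches = (
            id_type == "anyone"
            or (id_type == "authenticated" and authenticated)
            or (id_type == "owner" and is_owner)
            or (id_type == "user" and id_value == user)
            or (id_type in ("group", "group-override") and id_value in groups)
        )
        if not matches:
            continue
        rank = PRECEDENCE.index(id_type)
        if best is None or rank > best[0]:
            best = (rank, set(rights))        # more specific: replace outright
        elif rank == best[0]:
            best[1].update(rights)            # equal specificity: union (assumption)
    if best is None:
        # Nothing matched: documented default, owner has all rights, others none.
        return ALL_RIGHTS if is_owner else frozenset()
    return frozenset(best[1])


def named(rights):
    """Sorted named ACLs for a set of letters, for readable output."""
    return [ACL_NAMES[c] for c in sorted(rights)]


if __name__ == "__main__":
    # Constructed sample: the example file from the text plus a group-override line.
    sample = "owner lrwstiekxa\nuser=timo rl\ngroup-override=tempdisabled\n"
    entries = parse_acl_file(sample)
    print("owner:", named(effective_rights(entries, "alice", set(), True)))
    print("timo:", named(effective_rights(entries, "timo", set(), False)))
    print("timo (tempdisabled):", named(effective_rights(entries, "timo", {"tempdisabled"}, False)))
    print("bob:", named(effective_rights(entries, "bob", set(), False)))
```

Running it shows the owner with every right, *timo* with read and lookup, the
same *timo* with nothing once he is in *tempdisabled*, and *bob* with nothing
because no line names him.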

(This file was created from the wiki on 2007-06-15 04:42)