Access Control Lists
====================

Dovecot supports giving ACLs to mailboxes, although it doesn't yet support the
actual IMAP ACL extension. The code allows multiple ACL backends, but currently
Dovecot supports only virtual ACL files. See <SharedMailboxes.txt> for
information on how to implement them.

ACLs can be enabled in dovecot.conf with:

---%<-------------------------------------------------------------------------
protocol imap {
  ..
  mail_plugins = acl
}
...
plugin {
  acl = vfile:/etc/dovecot-acls
}
---%<-------------------------------------------------------------------------

Groups aren't currently supported, but only because groups can't be specified
in userdb currently. If you really need groups, you could modify the sources:
http://dovecot.org/list/dovecot/2007-May/022535.html

The default ACL for mailboxes gives the owner all permissions and other users
none. Mailboxes in public namespaces don't have owners, so by default no-one
can access them.

vfile backend
-------------

The vfile backend supports per-mailbox ACLs and global ACLs, which apply to
all users' mailboxes with the same name.

Per-mailbox ACLs are stored in a file named 'dovecot-acl', which exists in:

 * maildir: The maildir's root directory (eg. '~/Maildir', '~/Maildir/.folder/')
 * mbox: Currently in the same directory as indexes (eg. '~/mail/.imap/INBOX/'),
   but this might change
 * dbox: dbox's root directory (eg. '~/mail/INBOX/Mails/')

Global ACLs are stored in the directory you gave as the ACL plugin parameter
('/etc/dovecot-acls' in the above example). They exist with the same name as
the mailbox. For example for *INBOX* you'd have the '/etc/dovecot-acls/INBOX'
file, and for *Folder.subfolder* you'd have the
'/etc/dovecot-acls/Folder.subfolder' file.

If you have '/' as the hierarchy separator it gets a bit more complicated. If
you have mailboxes *foo* and *foo/bar*, the ACL file of *foo/bar* exists in
'/etc/dovecot-acls/foo/bar' as you would expect. But since
'/etc/dovecot-acls/foo' is a directory, you can't create such a file for the
*foo* mailbox's ACLs. So for *foo* you'll have to use the
'/etc/dovecot-acls/foo/.DEFAULT' file.

WARNING: Namespace prefixes are currently ignored, so if you have multiple
namespaces their mailbox names could conflict. This will be fixed later.

ACL files
---------

The files themselves are in the format:

---%<-------------------------------------------------------------------------
<identifier> <ACLs> [:<named ACLs>]
---%<-------------------------------------------------------------------------

Where *identifier* is one of:

 * group-override=*group name*
 * owner / user=*user name*
 * group=*group name*
 * owner
 * authenticated
 * anyone / anonymous

The ACLs are processed in the order given above, so eg. if you have given read
access to some group, you can still remove that from some specific user.

The group-override identifier allows you to override users' ACLs. Probably the
most useful reason to do this is to temporarily disable access for some users.
For example:

---%<-------------------------------------------------------------------------
user=timo rw
group-override=tempdisabled
---%<-------------------------------------------------------------------------

Now if *timo* is in the *tempdisabled* group, he has no access to the mailbox.
This wouldn't be possible with a normal group identifier, because the
'user=timo' line would override it.

The currently supported ACLs and their corresponding named ACLs are:

+---+---------------+---------------------------------------------------------+
| l | lookup        | Mailbox is visible in mailbox list. Mailbox can be      |
|   |               | subscribed to.                                          |
+---+---------------+---------------------------------------------------------+
| r | read          | Mailbox can be opened for reading.                      |
+---+---------------+---------------------------------------------------------+
| w | write         | Message flags and keywords can be changed, except \Seen |
|   |               | and \Deleted                                            |
+---+---------------+---------------------------------------------------------+
| s | write-seen    | \Seen flag can be changed                               |
+---+---------------+---------------------------------------------------------+
| t | write-deleted | \Deleted flag can be changed                            |
+---+---------------+---------------------------------------------------------+
| i | insert        | Messages can be written or copied to the mailbox        |
+---+---------------+---------------------------------------------------------+
| e | expunge       | Messages can be expunged                                |
+---+---------------+---------------------------------------------------------+
| k | create        | Mailboxes can be created under this mailbox             |
+---+---------------+---------------------------------------------------------+
| x | delete        | Mailbox can be deleted                                  |
+---+---------------+---------------------------------------------------------+
| a | admin         | Administration rights to the mailbox                    |
+---+---------------+---------------------------------------------------------+

The ACLs are compatible with RFC 4314 (IMAP ACL extension, updated version).
Unknown ACL letters are complained about, but unknown named ACLs are ignored.
Named ACLs are mostly intended for future extensions.

Example ACL file:

---%<-------------------------------------------------------------------------
owner lrwstiekxa
user=timo rl
---%<-------------------------------------------------------------------------

(This file was created from the wiki on 2007-06-15 04:42)
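The following is an added example, not Dovecot's own code and not part of the
original page. It models the rules described above for the vfile backend: it
resolves the global ACL file for a mailbox under the plugin's directory
(including the '.DEFAULT' rule when '/' is the separator), parses the
'<identifier> <ACLs> [:<named ACLs>]' lines, and applies the identifier
precedence (group-override over user= over group= and so on) to compute one
user's effective rights. The function names (global_acl_path, parse_acl_line,
effective_rights, rights_for, demo) and the sample ACL contents are this
example's own. Merging several matching 'group=' lines, skipping blank lines
and rejecting '..' path components are assumptions of the example, not
behaviour the page documents.

```python
import os
import tempfile

# ACL letters documented on the page and their named equivalents.
KNOWN_LETTERS = {
    "l": "lookup", "r": "read", "w": "write", "s": "write-seen",
    "t": "write-deleted", "i": "insert", "e": "expunge", "k": "create",
    "x": "delete", "a": "admin",
}
KNOWN_NAMED = set(KNOWN_LETTERS.values())

# Identifier classes from most to least specific, in the page's order.
PRECEDENCE = ("group-override", "user", "group", "owner", "authenticated", "anyone")


def global_acl_path(acl_dir, mailbox, sep="."):
    """Locate the global ACL file for `mailbox`; None if there is none.

    With sep='/' the mailbox name is a path below acl_dir; a name that is a
    directory (it has child mailboxes) falls back to '<name>/.DEFAULT'.
    """
    parts = mailbox.split(sep) if sep == "/" else [mailbox]
    # Example's own safeguard (not described on the page): a mailbox name
    # must never walk out of acl_dir.
    if any(p in ("", ".", "..") for p in parts):
        raise ValueError("unsafe mailbox name: %r" % mailbox)
    path = os.path.join(acl_dir, *parts)
    if os.path.isdir(path):
        path = os.path.join(path, ".DEFAULT")
    return path if os.path.isfile(path) else None


def parse_acl_line(line):
    """Parse '<identifier> <ACLs> [:<named ACLs>]' into (kind, name, rights).

    Rights come back as a set of named ACLs. An unknown letter raises, an
    unknown named ACL is dropped, as the page describes.
    """
    line = line.strip()
    if not line:                      # blank lines are skipped (example's choice)
        return None
    ident, _, rest = line.partition(" ")
    kind, _, name = ident.partition("=")
    if kind == "anonymous":           # 'anyone / anonymous' are one class
        kind = "anyone"
    if kind not in PRECEDENCE:
        raise ValueError("unknown identifier %r" % ident)
    letters, _, named = rest.partition(":")
    rights = set()
    for c in "".join(letters.split()):
        if c not in KNOWN_LETTERS:
            raise ValueError("unknown ACL letter %r" % c)
        rights.add(KNOWN_LETTERS[c])
    rights.update(n for n in named.split() if n in KNOWN_NAMED)
    return kind, name, rights


def effective_rights(entries, user, groups, is_owner, authenticated=True):
    """Return the rights of the most specific identifier class that matches.

    A matching 'group-override=' beats 'user=', which beats 'group=', and so
    on, so a match with no rights (e.g. 'group-override=tempdisabled') removes
    access. Several matching lines of one class are merged (example's choice).
    """
    matched = {}
    for kind, name, rights in entries:
        hit = ((kind == "group-override" and name in groups)
               or (kind == "user" and name == user)
               or (kind == "group" and name in groups)
               or (kind == "owner" and is_owner)
               or (kind == "authenticated" and authenticated)
               or kind == "anyone")
        if hit:
            matched.setdefault(kind, set()).update(rights)
    for kind in PRECEDENCE:
        if kind in matched:
            return matched[kind]
    return set()


def rights_for(acl_dir, mailbox, sep, user, groups, is_owner):
    """Resolve, parse and evaluate the global ACL for one user and mailbox."""
    path = global_acl_path(acl_dir, mailbox, sep)
    if path is None:   # no ACL file: the page's default, owner has all, others none
        return set(KNOWN_NAMED) if is_owner else set()
    with open(path) as f:
        entries = [e for e in map(parse_acl_line, f) if e is not None]
    return effective_rights(entries, user, groups, is_owner)


def demo():
    """Build a constructed ACL directory, query it, and return the answers."""
    with tempfile.TemporaryDirectory() as acl_dir:
        os.mkdir(os.path.join(acl_dir, "foo"))
        sample = {  # constructed file contents; 'foo' uses the '/' separator
            "INBOX": "owner lrwstiekxa\nuser=timo rl\n",
            "foo/.DEFAULT": "group=staff lr\nuser=timo l\n",
            "foo/bar": "user=timo rw\ngroup-override=tempdisabled\n",
        }
        for rel, body in sample.items():
            with open(os.path.join(acl_dir, *rel.split("/")), "w") as f:
                f.write(body)
        queries = [  # (mailbox, separator, user, groups, is_owner)
            ("INBOX", ".", "timo", (), False),
            ("INBOX", ".", "alice", (), True),
            ("foo", "/", "timo", ("staff",), False),
            ("foo", "/", "bob", ("staff",), False),
            ("foo/bar", "/", "timo", (), False),
            ("foo/bar", "/", "timo", ("tempdisabled",), False),
            ("Drafts", ".", "alice", (), True),   # no ACL file at all
        ]
        return {(m, u, g): rights_for(acl_dir, m, s, u, set(g), o)
                for m, s, u, g, o in queries}


if __name__ == "__main__":
    for (mailbox, user, groups), rights in demo().items():
        print("%-8s %-6s %-13s %s" % (mailbox, user, ",".join(groups) or "-",
                                      " ".join(sorted(rights)) or "(none)"))
```

Running it shows the page's claims directly: 'user=timo l' in 'foo/.DEFAULT'
strips the 'read' right that 'group=staff lr' grants, and the empty
'group-override=tempdisabled' line in 'foo/bar' leaves timo with no rights at
all once he is in that group.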