doveadm-acl
NAME
doveadm-acl - Manage Access Control List (ACL)
SYNOPSIS
doveadm [GLOBAL OPTIONS] acl command [OPTIONS] [ARGUMENTS]
DESCRIPTION
The doveadm acl COMMANDS can be used to execute various Access Control List related actions.
GLOBAL OPTIONS
Global doveadm(1) options:
- -D
Enables verbosity and debug messages.
- -O
Do not read any config file, just use defaults.
- -k
Preserve entire environment for doveadm, not just import_environment.
- -v
Enables verbosity, including progress counter.
- -i instance-name
If using multiple Dovecot instances, choose the config file based on this instance name. See the instance_name setting for more information.
- -c config-file
Read configuration from the given config-file. By default it first reads the config socket, and then falls back to /etc/dovecot/dovecot.conf. You can also point this to the config socket of some instance running a compatible version.
- -o setting=value
Overrides the configuration setting from /etc/dovecot/dovecot.conf and from the userdb with the given value. In order to override multiple settings, the -o option may be specified multiple times.
- -f formatter
Specifies the formatter for formatting the output. Supported formatters are:
- flow
prints each line with key=value pairs.
- pager
prints each key: value pair on its own line and separates records with form feed character (^L).
- tab
prints a table header followed by tab separated value lines.
- table
prints a table header followed by adjusted value lines.
By default this command uses the table output formatter.
OPTIONS
- -A
If the -A option is present, the command will be performed for all users. Using this option in combination with system users from userdb { driver = passwd } is not recommended, because it also contains users with a lower UID than the one configured with the first_valid_uid setting.
When the SQL userdb module is used, make sure that the iterate_query setting in /etc/dovecot/dovecot-sql.conf.ext matches your database layout. When using the LDAP userdb module, make sure that the iterate_attrs and iterate_filter settings in /etc/dovecot/dovecot-ldap.conf.ext match your LDAP schema. Otherwise doveadm(1) will be unable to iterate over all users.
- -F file
Execute the command for all the users in the file. This is similar to the -A option, but instead of getting the list of users from the userdb, they are read from the given file. The file contains one username per line.
- -S socket_path
The option’s argument is either an absolute path to a local UNIX domain socket, or a hostname and port (hostname:port), in order to connect to a remote host via a TCP socket.
This allows an administrator to execute doveadm(1) mail commands through the given socket.
- -u user/mask
Run the command only for the given user. It’s also possible to use ‘*’ and ‘?’ wildcards (e.g. -u *@example.org).
ARGUMENTS
- id
The id (identifier) is one of:
- group-override = group_name
- user = user_name
- owner
- group = group_name
- authenticated
- anyone
- anonymous, which is an alias for anyone
The ACLs are processed in the precedence given above, so for example if you have given read-access to a group, you can still remove that from specific users inside the group.
Group-override identifier allows you to override users’ ACLs. Probably the most useful reason to do this is to temporarily disable access for some users. For example:
user=timo rw
group-override=tempdisabled
Now if timo is a member of the tempdisabled group, he has no access to the mailbox. This wouldn’t be possible with a normal group identifier, because the user=timo would override it.
- mailbox
The name of the mailbox, for which the ACL manipulation should be done. It’s also possible to use the wildcard characters “*” and/or “?” in the mailbox name.
- right
Dovecot ACL right name. This isn’t the same as the IMAP ACL letters, which aren’t currently supported. Here is a mapping of the IMAP ACL letters to Dovecot ACL names:
- l -> lookup
Mailbox is visible in mailbox list. Mailbox can be subscribed to.
- r -> read
Mailbox can be opened for reading.
- w -> write
Message flags and keywords can be changed, except Seen and Deleted.
- s -> write-seen
Seen flag can be changed.
- t -> write-deleted
Deleted flag can be changed.
- i -> insert
Messages can be written or copied to the mailbox.
- p -> post
Messages can be posted to the mailbox by dovecot-lda, e.g. from Sieve scripts.
- e -> expunge
Messages can be expunged.
- k -> create
Mailboxes can be created/renamed directly under this mailbox (but not necessarily under its children, see ACL Inheritance at https://doc.dovecot.org/configuration_manual/acl/#acl-inheritance). Note: Renaming also requires the delete right.
- x -> delete
Mailbox can be deleted.
- a -> admin
Administration rights to the mailbox (currently: ability to change ACLs for mailbox).
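The identifier precedence and the letter-to-name mapping above, as an added example that is not Dovecot's code: a small Python model that translates IMAP ACL letters into the right names doveadm expects and predicts which rights a user ends up with for a set of "id rights" entries, which lets an administrator check the effect of an entry before applying it with doveadm acl set. The user timo, the group tempdisabled and the owner alice are constructed sample values; that several matching entries of the same precedence class are unioned is an assumption of the model, not something this page states.

```python
# Added example, not Dovecot's code: a model of the identifier precedence this
# page describes, to predict a user's effective rights from "id rights" entries
# before applying them with doveadm acl set. Treating several matching entries
# of the same class as a union is an assumption of this model, not page text.
from typing import Iterable, Optional

# IMAP ACL letter -> Dovecot right name, as tabulated on this page.
IMAP_TO_DOVECOT = {
    "l": "lookup", "r": "read", "w": "write", "s": "write-seen",
    "t": "write-deleted", "i": "insert", "p": "post", "e": "expunge",
    "k": "create", "x": "delete", "a": "admin",
}
# Identifier classes, highest precedence first, as listed on this page.
PRECEDENCE = ["group-override", "user", "owner", "group", "authenticated", "anyone"]

def letters_to_names(letters: str) -> list:
    """Translate IMAP letters (as written in ACL entries) into the right names
    that doveadm acl add/set/remove expect; unknown letters are rejected."""
    unknown = sorted(set(letters) - set(IMAP_TO_DOVECOT))
    if unknown:
        raise ValueError("unknown IMAP ACL letters: " + "".join(unknown))
    return [IMAP_TO_DOVECOT[c] for c in letters]

def matching_class(identifier: str, user: str, groups: set, owner: str) -> Optional[str]:
    """Precedence class of `identifier` if it applies to `user` (assumed to be
    authenticated), else None. 'anonymous' is an alias for 'anyone'."""
    kind, _, name = identifier.partition("=")
    kind = "anyone" if kind == "anonymous" else kind
    applies = {"group-override": name in groups, "group": name in groups,
               "user": name == user, "owner": user == owner,
               "authenticated": True, "anyone": True}
    return kind if applies.get(kind, False) else None

def effective_rights(acl_lines: Iterable[str], user: str, groups: set, owner: str) -> set:
    """Rights `user` ends up with: the highest-precedence matching class wins
    outright, so an entry with no rights in that class grants nothing."""
    by_class = {}
    for line in acl_lines:
        identifier, _, letters = line.strip().partition(" ")
        kind = matching_class(identifier, user, groups, owner)
        if kind is not None:
            by_class.setdefault(kind, set()).update(letters_to_names(letters.strip()))
    for kind in PRECEDENCE:
        if kind in by_class:
            return by_class[kind]
    return set()

# Constructed input: the page's own group-override example as two ACL entries.
ACL = ["user=timo rw", "group-override=tempdisabled"]
print(effective_rights(ACL, "timo", {"tempdisabled"}, owner="alice"))  # set()
```

With timo removed from the tempdisabled group the same entries yield read and write again, which is the temporary-disable behaviour the example above describes.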
COMMANDS
acl add
doveadm acl add [-u user | -A | -F file] [-S socket_path] mailbox id right [right …]
Add ACL rights to the mailbox/id. If the id already exists, the existing rights are preserved.
acl debug
doveadm acl debug [-u user | -A | -F file] [-S socket_path] mailbox
This command can be used to debug why a shared mailbox isn’t accessible to the user. It will list exactly what the problem is.
acl delete
doveadm acl delete [-u user | -A | -F file] [-S socket_path] mailbox id
Remove the whole ACL entry for the mailbox/id.
acl get
doveadm acl get [-u user | -A | -F file] [-S socket_path] [-m] mailbox
Show all the ACLs for the mailbox.
acl recalc
doveadm acl recalc [-u user | -A | -F file] [-S socket_path]
Make sure the user’s shared mailboxes exist correctly in the acl_shared_dict.
acl remove
doveadm acl remove [-u user | -A | -F file] [-S socket_path] mailbox id right [right …]
Remove the specified ACL rights from the mailbox/id. If all rights are removed, the entry still exists without any rights.
acl rights
doveadm acl rights [-u user | -A | -F file] [-S socket_path] mailbox
Show the user’s current ACL rights for the mailbox.
acl set
doveadm acl set [-u user | -A | -F file] [-S socket_path] mailbox id right [right …]
Set ACL rights to the mailbox/id. If the id already exists, the existing rights are replaced.
REPORTING BUGS
Report bugs, including doveconf -n output, to the Dovecot Mailing List <dovecot@dovecot.org>. Information about reporting bugs is available at: https://dovecot.org/bugreport.html
SEE ALSO
Additional resources: