doveadm-acl(1) - Manage Access Control List (ACL)

SYNOPSIS

doveadm [GLOBAL OPTIONS] acl command [OPTIONS] [ARGUMENTS]

DESCRIPTION

The doveadm acl COMMANDS can be used to execute various Access Control List related actions.

GLOBAL OPTIONS

Global doveadm(1) options:

-D

Enables verbosity and debug messages.

-O

Do not read any config file, just use defaults. The dovecot_storage_version defaults to the latest version, but can be overridden with -o.

-k

Preserve entire environment for doveadm, not just import_environment.

-v

Enables verbosity, including progress counter.

-i instance-name

If using multiple Dovecot instances, choose the config file based on this instance name.

See instance_name for more information.

-c config-file

Read configuration from the given config-file. By default it first reads config socket, and then falls back to /etc/dovecot/dovecot.conf. You can also point this to config socket of some instance running compatible version.

-o setting= value

Overrides the configuration setting from /etc/dovecot/dovecot.conf and from the userdb with the given value. In order to override multiple settings, the -o option may be specified multiple times.

-f formatter

Specifies the formatter for formatting the output. Supported formatters are:

flow

prints each line with key=value pairs.

pager

prints each key: value pair on its own line and separates records with form feed character (^L).

tab

prints a table header followed by tab separated value lines.

table

prints a table header followed by adjusted value lines.

This command uses by default the output formatter table.

OPTIONS

-A

If the -A option is present, the command will be performed for all users. Using this option in combination with system users from userdb { driver = passwd } is not recommended, because it contains also users with a lower UID than the one configured with the first_valid_uid setting.

When the SQL userdb module is used make sure that the iterate_query setting in /etc/dovecot/dovecot-sql.conf.ext matches your database layout. When using the LDAP userdb module, make sure that the iterate_attrs and iterate_filter settings in /etc/dovecot/dovecot-ldap.conf.ext match your LDAP schema. Otherwise doveadm(1) will be unable to iterate over all users.

-F file

Execute the command for all the users in the file. This is similar to the -A option, but instead of getting the list of users from the userdb, they are read from the given file. The file contains one username per line.

--no-userdb-lookup

Do not perform userdb lookup. Use the USER environment variable to specify the username.

-S socket_path

The option's argument is either an absolute path to a local UNIX domain socket, or a hostname and port (hostname:port), in order to connect a remote host via a TCP socket.

This allows an administrator to execute doveadm(1) mail commands through the given socket.

-u user/mask

Run the command only for the given user. It's also possible to use '*' and '?' wildcards (e.g. -u *@example.org).

ARGUMENTS

id

The id (identifier) is one of:

• group-override = group_name
• user = user_name
• owner
• group = group_name
• authenticated
• anyone
• anonymous, which is an alias for anyone

The ACLs are processed in the precedence given above, so for example if you have given read-access to a group, you can still remove that from specific users inside the group.

Group-override identifier allows you to override users' ACLs. Probably the most useful reason to do this is to temporarily disable access for some users. For example:

user=timo rw
group-override=tempdisabled

Now if timo is a member of the tempdisabled group, he has no access to the mailbox. This wouldn't be possible with a normal group identifier, because the user=timo would override it.

mailbox

The name of the mailbox, for which the ACL manipulation should be done. It's also possible to use the wildcard characters "*" and/or "?" in the mailbox name.

right

Dovecot ACL right name. This isn't the same as the IMAP ACL letters, which aren't currently supported.

Here is a mapping of the IMAP ACL letters to Dovecot ACL names:

l -> lookup

Mailbox is visible in mailbox list. Mailbox can be subscribed to.

r -> read

Mailbox can be opened for reading.

w -> write

Message flags and keywords can be changed, except \Seen and \Deleted.

s -> write-seen

\Seen flag can be changed.

t -> write-deleted

\Deleted flag can be changed.

i -> insert

Messages can be written or copied to the mailbox.

p -> post

Messages can be posted to the mailbox by dovecot-lda, e.g. from Sieve scripts.

e -> expunge

Messages can be expunged.

k -> create

Mailboxes can be created/renamed directly under this mailbox (but not necessarily under its children, see ACL Inheritance. Note: Renaming also requires the delete right.

x -> delete

Mailbox can be deleted.

a -> admin

Administration rights to the mailbox (currently: ability to change ACLs for mailbox).

COMMANDS

acl add

doveadm [GLOBAL OPTIONS] acl add [-u user | -A | -F file || --no-userdb-lookup] [-S socket_path] mailbox id right [right ...]

Add ACL rights to the mailbox/id. If the id already exists, the existing rights are preserved.

acl debug

doveadm [GLOBAL OPTIONS] acl debug [-u user | -A | -F file | --no-userdb-lookup] [-S socket_path] mailbox

This command can be used to debug why a shared mailbox isn't accessible to the user. It will list exactly what the problem is.

acl delete

doveadm [GLOBAL OPTIONS] acl delete [-u user | -A | -F file | --no-userdb-lookup] [-S socket_path] mailbox id

Remove the whole ACL entry for the mailbox/id.

acl get

doveadm [GLOBAL OPTIONS] acl get [-u user | -A | -F file | --no-userdb-lookup] [-S socket_path] [-m] mailbox

Show all the ACLs for the mailbox.

-m

Only show ACLs that match the mailbox.

acl recalc

doveadm [GLOBAL OPTIONS] acl recalc [-u user | -A | -F file | --no-userdb-lookup] [-S socket_path]

Make sure the user's shared mailboxes exist correctly in the acl_shared_dict.

acl remove

doveadm [GLOBAL OPTIONS] acl remove [-u user | -A | -F file | --no-userdb-lookup] [-S socket_path] mailbox id right [right ...]

Remove the specified ACL rights from the mailbox/id. If all rights are removed, the entry still exists without any rights.

acl rights

doveadm [GLOBAL OPTIONS] acl rights [-u user | -A | -F file | --no-userdb-lookup] [-S socket_path] mailbox

Show the user's current ACL rights for the mailbox.

acl set

doveadm [GLOBAL OPTIONS] acl set [-u user | -A | -F file | --no-userdb-lookup] [-S socket_path] mailbox id right [right ...]

Set ACL rights to the mailbox/id. If the id already exists, the existing rights are replaced.

REPORTING BUGS

Report bugs, including doveconf -n output, to the Dovecot Mailing List dovecot@dovecot.org. Information about reporting bugs is available at: https://dovecot.org/bugreport.html

SEE ALSO

doveadm(1)

Additional resources:

• ACL Inheritance