acl plugin

See also

See Access Control Lists for a plugin overview.



  • Default: <empty>

  • Values: String

The ACL driver to use. This setting is REQUIRED - if empty, the acl plugin is disabled.

The format is:


Currently, there is a single backend available: vfile. This backend supports two ways of defining the ACL configuration:

  • global: ACL rules are applied to all users.

  • per-mailbox: Each mailbox has separate ACL rules. They are stored in a dovecot-acl file in each mailbox (or CONTROL) directory. This is the default.

This backend has the following options:




If a path is defined, this is the location of the global ACL configuration file.


The interval, in seconds, for running stat() on the ACL file to check for changes. DEFAULT: 30 seconds


plugin {
  # Per-user ACL:
  acl = vfile

  # Global ACL; check for changes every minute
  #acl = vfile:/etc/dovecot/dovecot-acl:cache_secs=60
}


New in version 2.2.2.

If yes, the default ACLs for private and shared namespaces (but not public namespaces) are taken from the INBOX. This means that giving somebody access to your INBOX will give them access to all your other mailboxes as well, unless the specific mailboxes’ ACLs override the INBOX’s.


New in version 2.2.31.

If enabled, don’t try to find dovecot-acl files from mailbox directories. This reduces unnecessary disk I/O when only global ACLs are used.


  • Default: <empty>

  • Values: String

A comma-separated string which contains all the groups the user belongs to.

A user’s UNIX groups have no effect on ACLs (you can enable them by using special Post-login scripting).

The default ACL for mailboxes is to give the mailbox owner all permissions and other users none. Mailboxes in public namespaces don’t have owners, so by default no one can access them.


New in version 2.3.15.

  • Default: <empty>

  • Values: String

Ignore ACLs entirely for the given namespace.

You can define multiple namespaces by appending an increasing number to the setting name.


plugin {
  acl_ignore_namespace = virtual/
  # Ignore shared/ and all its (autocreated) child namespaces
  acl_ignore_namespace2 = shared/*
}
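An added example (not part of the Dovecot documentation or code base): a small configuration audit that reads a plugin block and reports the settings described above that widen or switch off ACL enforcement. The parser is simplified, the sample configuration is constructed, and the names acl_defaults_from_inbox and acl_globals_only are assumed to be the setting names of the two yes/no options described above.

```python
import re

def parse_plugin_settings(conf_text):
    """Collect key = value pairs inside plugin { ... } blocks (simplified parser)."""
    settings, in_plugin = {}, False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and commented-out settings
        if re.fullmatch(r"plugin\s*\{", line):
            in_plugin = True
        elif line == "}":
            in_plugin = False
        elif in_plugin and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key] = value
    return settings

def audit_acl(conf_text):
    """Return findings about ACL settings that reduce or disable enforcement."""
    s = parse_plugin_settings(conf_text)
    acl = s.get("acl", "")
    if not acl:
        return ["acl is empty: the acl plugin is disabled"]
    findings = []
    backend, _, rest = acl.partition(":")   # e.g. vfile:/path:cache_secs=60
    global_path = rest.split(":", 1)[0]     # empty when no global file is set
    if backend != "vfile":
        findings.append(f"unknown ACL backend {backend!r} (only vfile is documented)")
    if s.get("acl_defaults_from_inbox") == "yes":
        findings.append("acl_defaults_from_inbox=yes: INBOX grants extend to other mailboxes")
    if s.get("acl_globals_only") == "yes" and not global_path:
        findings.append("acl_globals_only=yes without a global ACL file: no rules are read")
    for key in sorted(s):
        if re.fullmatch(r"acl_ignore_namespace\d*", key):
            findings.append(f"{key}: ACLs ignored entirely for namespace {s[key]!r}")
    return findings

# Constructed sample configuration, reusing values from the examples on this page.
SAMPLE = """
plugin {
  acl = vfile
  acl_defaults_from_inbox = yes
  acl_globals_only = yes
  acl_ignore_namespace = virtual/
  acl_ignore_namespace2 = shared/*
}
"""

if __name__ == "__main__":
    print("\n".join(audit_acl(SAMPLE)))
```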


  • Default: <empty>

  • Values: String

A shared mailbox dictionary that defines which users may LIST mailboxes shared by other users.

See Shared mailbox listing for further details on the contents of the dictionary entries.


plugin {
  acl_shared_dict = file:/var/lib/dovecot/shared-mailboxes
}


  • Default: <empty>

  • Values: String

See ACLs.

See auth_master_user_separator for the format of this setting.


See acl_user.