logo
Free, unlimited AI code reviews that run on commit
git-lrc git-lrc GitHub Install Now We'd appreciate a star git-lrc - Free, unlimited AI code reviews that run on commit | Product Hunt git-lrc - Free, unlimited AI code reviews that run on commit | Product Hunt

doveadm-acl - Manage Access Control List (ACL)

Arguments

id     The id (identifier) is one of:

                     *   group-override=group_name

                     *   user=user_name

                     *   owner

                     *   group=group_name

                     *   authenticated

                     *   anyone (or anonymous, which is an alias for anyone)

              The ACLs are processed in the precedence given above, so for example if you have given read-access
              to a group, you can still remove that from specific users inside the group.
              Group-override identifier allows you to override users' ACLs.  Probably the most useful reason  to
              do this is to temporarily disable access for some users.  For example:

              user=timo rw
              group-override=tempdisabled

              Now if timo is a member of the tempdisabled group, he has no access to the mailbox.  This wouldn't
              be possible with a normal group identifier, because the user=timo would override it.

       mailbox
              The name of the mailbox, for which the ACL manipulation should be done.  It's also possible to use
              the wildcard characters "*" and/or "?" in the mailbox name.

       right  Dovecot  ACL  right  name.  This  isn't  the  same as the IMAP ACL letters, which aren't currently
              supported.  Here is a mapping of the IMAP ACL letters to Dovecot ACL names:

                     llookupMailbox is visible in mailbox list.  Mailbox can be subscribed to.

                     rreadMailbox can be opened for reading.

                     wwrite
                         Message flags and keywords can be changed, except \Seen and \Deleted.

                     swrite-seen\Seen flag can be changed.

                     twrite-deleted\Deleted flag can be changed.

                     iinsert
                         Messages can be written or copied to the mailbox.

                     ppost
                         Messages can be posted to the mailbox by dovecot-lda, e.g. from Sieve scripts.

                     eexpunge
                         Messages can be expunged.

                     kcreate
                         Mailboxes can be created/renamed directly under this mailbox (but not necessarily under
                         its children, see ACLInheritance in the wiki).
                         Note: Renaming also requires the delete right.

                     xdeleteMailbox can be deleted.

                     aadmin
                         Administration rights to the mailbox (currently: ability to change ACLs for mailbox).

Commands

acladddoveadmacladd [-uuser|-A|-Ffile] [-Ssocket_path] mailboxidright [right ...]

       Add ACL rights to the mailbox/id.  If the id already exists, the existing rights are preserved.

   acldebugdoveadmacldebug [-uuser|-A|-Ffile] [-Ssocket_path] mailbox

       This command can be used to debug why a shared mailbox isn't  accessible  to  the  user.   It  will  list
       exactly what the problem is.

   acldeletedoveadmacldelete [-uuser|-A|-Ffile] [-Ssocket_path] mailboxid

       Remove the whole ACL entry for the mailbox/id.

   aclgetdoveadmaclget [-uuser|-A|-Ffile] [-Ssocket_path] [-m] mailbox

       Show all the ACLs for the mailbox.

   aclrecalcdoveadmaclrecalc [-uuser|-A|-Ffile] [-Ssocket_path]

       Make sure the user's shared mailboxes exist correctly in the acl_shared_dict.

   aclremovedoveadmaclremove [-uuser|-A|-Ffile] [-Ssocket_path] mailboxidright [right ...]

       Remove  the  specified ACL rights from the mailbox/id.  If all rights are removed, the entry still exists
       without any rights.

   aclrightsdoveadmaclrights [-uuser|-A|-Ffile] [-Ssocket_path] mailbox

       Show the user's current ACL rights for the mailbox.

   aclsetdoveadmaclset [-uuser|-A|-Ffile] [-Ssocket_path] mailboxidright [right ...]

       Set ACL rights to the mailbox/id.  If the id already exists, the existing rights are replaced.

Description

       The doveadmaclCOMMANDS can be used to execute various Access Control List related actions.

Name

       doveadm-acl - Manage Access Control List (ACL)

Options

       Global doveadm(1) options:

       -D     Enables verbosity and debug messages.

       -fformatter
              Specifies the formatter for formatting the output.  Supported formatters are:

              flow   prints each line with key=value pairs.

              pager  prints  each key: value pair on its own line and separates records with form feed character
                     (^L).

              tab    prints a table header followed by tab separated value lines.

              table  prints a table header followed by adjusted value lines.

       -osetting=value
              Overrides the configuration setting from /etc/dovecot/dovecot.conf and from the  userdb  with  the
              given  value.   In  order  to  override multiple settings, the -o option may be specified multiple
              times.

       -v     Enables verbosity, including progress counter.

       This command uses by default the output formatter table.

       Command specific options:

       -A     If the -A option is present, the command will be performed for all users.  Using  this  option  in
              combination  with  system  users  from  userdb{driver=passwd} is not recommended, because it
              contains also users with a lower UID than the one configured with the first_valid_uid setting.

              When  the  SQL  userdb  module  is  used   make   sure   that   the   iterate_query   setting   in
              /etc/dovecot/dovecot-sql.conf.ext  matches  your  database  layout.   When  using  the LDAP userdb
              module, make sure that the iterate_attrs  and  iterate_filter  settings  in  /etc/dovecot/dovecot-ldap.conf.ext  match  your  LDAP  schema.  Otherwise doveadm(1) will be unable to iterate over all
              users.

       -Ffile
              Execute the command for all the users in the file.  This is similar to the -A option, but  instead
              of  getting  the  list  of  users  from  the  userdb, they are read from the given file.  The file
              contains one username per line.

       -Ssocket_path
              The option's argument is either an absolute path to a local UNIX domain socket, or a hostname  and
              port (hostname:port), in order to connect a remote host via a TCP socket.

              This allows an administrator to execute doveadm(1) mail commands through the given socket.

       -uuser/mask
              Run the command only for the given user.  It's also possible to use '*' and '?' wildcards (e.g. -u
              *@example.org).
              When  neither  the  -A  option, nor the -Ffile option, nor the -uuser was specified, the command
              will be executed with the environment of the currently logged in user.

Reporting Bugs

       Report  bugs,  including  doveconf-n  output,  to  the  Dovecot  Mailing  List   <dovecot@dovecot.org>.
       Information about reporting bugs is available at: http://dovecot.org/bugreport.html

See Also

doveadm(1), dovecot-lda(1)

       Additional resources:

       ACL Inheritance
              http://wiki2.dovecot.org/ACL#ACL_Inheritance

Dovecot v2.3                                       2015-05-09                                     DOVEADM-ACL(1)

Synopsis

doveadm [-Dv] [-fformatter] aclcommand [OPTIONS] [ARGUMENTS]

See Also