1DOVEADM-ACL(1)                      Dovecot                     DOVEADM-ACL(1)
2
3
4

NAME

6       doveadm-acl - Manage Access Control List (ACL)
7

SYNOPSIS

9       doveadm [-Dv] [-f formatter] acl command [OPTIONS] [ARGUMENTS]
10

DESCRIPTION

12       The  doveadm acl COMMANDS can be used to execute various Access Control
13       List related actions.
14

OPTIONS

16       Global doveadm(1) options:
17
18       -D     Enables verbosity and debug messages.
19
20       -f formatter
21              Specifies the formatter for formatting  the  output.   Supported
22              formatters are:
23
24              flow   prints each line with key=value pairs.
25
26              pager  prints each key: value pair on its own line and separates
27                     records with form feed character (^L).
28
29              tab    prints a table header followed  by  tab  separated  value
30                     lines.
31
32              table  prints a table header followed by adjusted value lines.
33
34       -o setting=value
35              Overrides  the  configuration  setting  from  /etc/dovecot/dove‐
36              cot.conf and from the userdb with the given value.  In order  to
37              override  multiple settings, the -o option may be specified mul‐
38              tiple times.
39
40       -v     Enables verbosity, including progress counter.
41
42       This command uses by default the output formatter table.
43
44       Command specific options:
45
46       -A     If the -A option is present, the command will be  performed  for
47              all  users.   Using this option in combination with system users
48              from userdb { driver = passwd } is not recommended,  because  it
49              contains  also  users  with  a lower UID than the one configured
50              with the first_valid_uid setting.
51
52              When the SQL userdb module is used  make  sure  that  the  iter‐
53              ate_query  setting  in /etc/dovecot/dovecot-sql.conf.ext matches
54              your database layout.  When using the LDAP userdb  module,  make
55              sure  that  the  iterate_attrs  and  iterate_filter  settings in
56              /etc/dovecot/dovecot-ldap.conf.ext match your LDAP schema.  Oth‐
57              erwise doveadm(1) will be unable to iterate over all users.
58
59       -F file
60              Execute the command for all the users in the file.  This is sim‐
61              ilar to the -A option, but instead of getting the list of  users
62              from  the  userdb,  they are read from the given file.  The file
63              contains one username per line.
64
65       -S socket_path
66              The option's argument is either an absolute path to a local UNIX
67              domain  socket, or a hostname and port (hostname:port), in order
68              to connect a remote host via a TCP socket.
69
70              This allows an administrator to execute doveadm(1) mail commands
71              through the given socket.
72
73       -u user/mask
74              Run  the command only for the given user.  It's also possible to
75              use '*' and '?' wildcards (e.g. -u *@example.org).
76              When neither the -A option, nor  the  -F file  option,  nor  the
77              -u user  was  specified,  the  command will be executed with the
78              environment of the currently logged in user.
79

ARGUMENTS

81       id     The id (identifier) is one of:
82
83                     *   group-override=group_name
84
85                     *   user=user_name
86
87                     *   owner
88
89                     *   group=group_name
90
91                     *   authenticated
92
93                     *   anyone (or anonymous, which is an alias for anyone)
94
95              The ACLs are processed in the precedence  given  above,  so  for
96              example  if you have given read-access to a group, you can still
97              remove that from specific users inside the group.
98              Group-override identifier allows you to  override  users'  ACLs.
99              Probably  the  most  useful  reason to do this is to temporarily
100              disable access for some users.  For example:
101
102              user=timo rw
103              group-override=tempdisabled
104
105              Now if timo is a member of the tempdisabled  group,  he  has  no
106              access  to the mailbox.  This wouldn't be possible with a normal
107              group identifier, because the user=timo would override it.
108
109       mailbox
110              The name of the mailbox, for which the ACL  manipulation  should
111              be  done.  It's also possible to use the wildcard characters "*"
112              and/or "?" in the mailbox name.
113
114       right  Dovecot ACL right name. This isn't the same as the IMAP ACL let‐
115              ters,  which  aren't  currently supported.  Here is a mapping of
116              the IMAP ACL letters to Dovecot ACL names:
117
118                     l → lookup
119                         Mailbox is visible in mailbox list.  Mailbox  can  be
120                         subscribed to.
121
122                     r → read
123                         Mailbox can be opened for reading.
124
125                     w → write
126                         Message  flags  and  keywords  can be changed, except
127                         \Seen and \Deleted.
128
129                     s → write-seen
130                         \Seen flag can be changed.
131
132                     t → write-deleted
133                         \Deleted flag can be changed.
134
135                     i → insert
136                         Messages can be written or copied to the mailbox.
137
138                     p → post
139                         Messages can be posted to the mailbox by dovecot-lda,
140                         e.g. from Sieve scripts.
141
142                     e → expunge
143                         Messages can be expunged.
144
145                     k → create
146                         Mailboxes  can be created/renamed directly under this
147                         mailbox (but not necessarily under its children,  see
148                         ACL Inheritance in the wiki).
149                         Note: Renaming also requires the delete right.
150
151                     x → delete
152                         Mailbox can be deleted.
153
154                     a → admin
155                         Administration  rights  to  the  mailbox  (currently:
156                         ability to change ACLs for mailbox).
157

COMMANDS

159   acl add
160       doveadm acl add [-u user|-A|-F file] [-S socket_path] mailbox id  right
161       [right ...]
162
163       Add ACL rights to the mailbox/id.  If the id already exists, the exist‐
164       ing rights are preserved.
165
166   acl debug
167       doveadm acl debug [-u user|-A|-F file] [-S socket_path] mailbox
168
169       This command can be used to debug why a shared mailbox isn't accessible
170       to the user.  It will list exactly what the problem is.
171
172   acl delete
173       doveadm acl delete [-u user|-A|-F file] [-S socket_path] mailbox id
174
175       Remove the whole ACL entry for the mailbox/id.
176
177   acl get
178       doveadm acl get [-u user|-A|-F file] [-S socket_path] [-m] mailbox
179
180       Show all the ACLs for the mailbox.
181
182   acl recalc
183       doveadm acl recalc [-u user|-A|-F file] [-S socket_path]
184
185       Make   sure   the  user's  shared  mailboxes  exist  correctly  in  the
186       acl_shared_dict.
187
188   acl remove
189       doveadm acl remove [-u user|-A|-F file]  [-S  socket_path]  mailbox  id
190       right [right ...]
191
192       Remove the specified ACL rights from the mailbox/id.  If all rights are
193       removed, the entry still exists without any rights.
194
195   acl rights
196       doveadm acl rights [-u user|-A|-F file] [-S socket_path] mailbox
197
198       Show the user's current ACL rights for the mailbox.
199
200   acl set
201       doveadm acl set [-u user|-A|-F file] [-S socket_path] mailbox id  right
202       [right ...]
203
204       Set ACL rights to the mailbox/id.  If the id already exists, the exist‐
205       ing rights are replaced.
206

REPORTING BUGS

208       Report bugs, including doveconf -n output, to the Dovecot Mailing  List
209       <dovecot@dovecot.org>.   Information  about reporting bugs is available
210       at: http://dovecot.org/bugreport.html
211

SEE ALSO

213       doveadm(1), dovecot-lda(1)
214
215       Additional resources:
216
217       ACL Inheritance
218              http://wiki2.dovecot.org/ACL#ACL_Inheritance
219
220
221
222Dovecot v2.2                      2015-05-09                    DOVEADM-ACL(1)
Impressum