1DOVEADM-ACL(1) Dovecot DOVEADM-ACL(1)
2
6 doveadm-acl - Manage Access Control List (ACL)
7
9 doveadm [-Dv] [-f formatter] acl command [OPTIONS] [ARGUMENTS]
10
12 The doveadm acl COMMANDS can be used to execute various Access Control
13 List related actions.
14
16 Global doveadm(1) options:
17 -D Enables verbosity and debug messages.
19 -f formatter
21 Specifies the formatter for formatting the output. Supported
22 formatters are:
23 flow prints each line with key=value pairs.
25 pager prints each key: value pair on its own line and separates
27 records with form feed character (^L).
28 tab prints a table header followed by tab separated value
30 lines.
31 table prints a table header followed by adjusted value lines.
33 -o setting=value
35 Overrides the configuration setting from /etc/dovecot/dove‐
36 cot.conf and from the userdb with the given value. In order to
37 override multiple settings, the -o option may be specified mul‐
38 tiple times.
39 -v Enables verbosity, including progress counter.
41 This command uses by default the output formatter table.
43 Command specific options:
45 -A If the -A option is present, the command will be performed for
47 all users. Using this option in combination with system users
48 from userdb { driver = passwd } is not recommended, because it
49 contains also users with a lower UID than the one configured
50 with the first_valid_uid setting.
51 When the SQL userdb module is used make sure that the iter‐
53 ate_query setting in /etc/dovecot/dovecot-sql.conf.ext matches
54 your database layout. When using the LDAP userdb module, make
55 sure that the iterate_attrs and iterate_filter settings in
56 /etc/dovecot/dovecot-ldap.conf.ext match your LDAP schema. Oth‐
57 erwise doveadm(1) will be unable to iterate over all users.
58 -F file
60 Execute the command for all the users in the file. This is sim‐
61 ilar to the -A option, but instead of getting the list of users
62 from the userdb, they are read from the given file. The file
63 contains one username per line.
64 -S socket_path
66 The option's argument is either an absolute path to a local UNIX
67 domain socket, or a hostname and port (hostname:port), in order
68 to connect a remote host via a TCP socket.
69 This allows an administrator to execute doveadm(1) mail commands
71 through the given socket.
72 -u user/mask
74 Run the command only for the given user. It's also possible to
75 use '*' and '?' wildcards (e.g. -u *@example.org).
76 When neither the -A option, nor the -F file option, nor the
77 -u user was specified, the command will be executed with the
78 environment of the currently logged in user.
79
81 id The id (identifier) is one of:
82 * group-override=group_name
84 * user=user_name
86 * owner
88 * group=group_name
90 * authenticated
92 * anyone (or anonymous, which is an alias for anyone)
94 The ACLs are processed in the precedence given above, so for
96 example if you have given read-access to a group, you can still
97 remove that from specific users inside the group.
98 Group-override identifier allows you to override users' ACLs.
99 Probably the most useful reason to do this is to temporarily
100 disable access for some users. For example:
101 user=timo rw
103 group-override=tempdisabled
104 Now if timo is a member of the tempdisabled group, he has no
106 access to the mailbox. This wouldn't be possible with a normal
107 group identifier, because the user=timo would override it.
108 mailbox
110 The name of the mailbox, for which the ACL manipulation should
111 be done. It's also possible to use the wildcard characters "*"
112 and/or "?" in the mailbox name.
113 right Dovecot ACL right name. This isn't the same as the IMAP ACL let‐
115 ters, which aren't currently supported. Here is a mapping of
116 the IMAP ACL letters to Dovecot ACL names:
117 l → lookup
119 Mailbox is visible in mailbox list. Mailbox can be
120 subscribed to.
121 r → read
123 Mailbox can be opened for reading.
124 w → write
126 Message flags and keywords can be changed, except
127 \Seen and \Deleted.
128 s → write-seen
130 \Seen flag can be changed.
131 t → write-deleted
133 \Deleted flag can be changed.
134 i → insert
136 Messages can be written or copied to the mailbox.
137 p → post
139 Messages can be posted to the mailbox by dovecot-lda,
140 e.g. from Sieve scripts.
141 e → expunge
143 Messages can be expunged.
144 k → create
146 Mailboxes can be created/renamed directly under this
147 mailbox (but not necessarily under its children, see
148 ACL Inheritance in the wiki).
149 Note: Renaming also requires the delete right.
150 x → delete
152 Mailbox can be deleted.
153 a → admin
155 Administration rights to the mailbox (currently:
156 ability to change ACLs for mailbox).
157
159 acl add
160 doveadm acl add [-u user|-A|-F file] [-S socket_path] mailbox id right
161 [right ...]
162 Add ACL rights to the mailbox/id. If the id already exists, the exist‐
164 ing rights are preserved.
165 acl debug
167 doveadm acl debug [-u user|-A|-F file] [-S socket_path] mailbox
168 This command can be used to debug why a shared mailbox isn't accessible
170 to the user. It will list exactly what the problem is.
171 acl delete
173 doveadm acl delete [-u user|-A|-F file] [-S socket_path] mailbox id
174 Remove the whole ACL entry for the mailbox/id.
176 acl get
178 doveadm acl get [-u user|-A|-F file] [-S socket_path] [-m] mailbox
179 Show all the ACLs for the mailbox.
181 acl recalc
183 doveadm acl recalc [-u user|-A|-F file] [-S socket_path]
184 Make sure the user's shared mailboxes exist correctly in the
186 acl_shared_dict.
187 acl remove
189 doveadm acl remove [-u user|-A|-F file] [-S socket_path] mailbox id
190 right [right ...]
191 Remove the specified ACL rights from the mailbox/id. If all rights are
193 removed, the entry still exists without any rights.
194 acl rights
196 doveadm acl rights [-u user|-A|-F file] [-S socket_path] mailbox
197 Show the user's current ACL rights for the mailbox.
199 acl set
201 doveadm acl set [-u user|-A|-F file] [-S socket_path] mailbox id right
202 [right ...]
203 Set ACL rights to the mailbox/id. If the id already exists, the exist‐
205 ing rights are replaced.
206
208 Report bugs, including doveconf -n output, to the Dovecot Mailing List
209 <dovecot@dovecot.org>. Information about reporting bugs is available
210 at: http://dovecot.org/bugreport.html
211
213 doveadm(1), dovecot-lda(1)
214 Additional resources:
216 ACL Inheritance
218 http://wiki2.dovecot.org/ACL#ACL_Inheritance
219Dovecot v2.3 2015-05-09 DOVEADM-ACL(1)