doveadm-acl - Manage Access Control List (ACL)
doveadm [-Dv] [-f formatter]
acl command
[OPTIONS] [ARGUMENTS]
The doveadm acl COMMANDS can be used to execute
various Access Control List related actions.
Global doveadm(1) options:
- -D
- Enables verbosity and debug messages.
- -f formatter
- Specifies the formatter for formatting the output. Supported
formatters are:
- flow
- prints each line with key=value pairs.
- prints each key: value pair on its own line and
separates records with form feed character (^L).
- tab
- prints a table header followed by tab separated value lines.
- table
- prints a table header followed by adjusted value lines.
- -o setting=value
- Overrides the configuration setting from
/etc/dovecot/dovecot.conf and from the userdb with the given
value. In order to override multiple settings, the -o option
may be specified multiple times.
- -v
- Enables verbosity, including progress counter.
This command uses by default the output formatter
table.
Command specific options:
- -A
- If the -A option is present, the command will be performed
for all users. Using this option in combination with system users from
userdb { driver = passwd } is not recommended, because it contains
also users with a lower UID than the one configured with the
first_valid_uid setting.
When the SQL userdb module is used make sure that the
iterate_query setting in /etc/dovecot/dovecot-sql.conf.ext
matches your database layout. When using the LDAP userdb module, make
sure that the iterate_attrs and iterate_filter settings in
/etc/dovecot/dovecot-ldap.conf.ext match your LDAP schema.
Otherwise doveadm(1) will be unable to iterate over all
users.
- -F file
- Execute the command for all the users in the file. This is
similar to the -A option, but instead of getting the list of users
from the userdb, they are read from the given file. The file
contains one username per line.
- -S socket_path
- The option's argument is either an absolute path to a local UNIX domain
socket, or a hostname and port (hostname:port), in order to
connect a remote host via a TCP socket.
This allows an administrator to execute doveadm(1) mail
commands through the given socket.
- -u user/mask
- Run the command only for the given user. It's also possible
to use '*' and '?' wildcards (e.g. -u *@example.org).
When neither the -A option, nor the -F file
option, nor the -u user was specified, the
command will be executed with the environment of the currently
logged in user.
- id
- The id (identifier) is one of:
- *
- group-override=group_name
- *
- user=user_name
- *
- owner
- *
- group=group_name
- *
- authenticated
- *
- anyone (or anonymous, which is an alias for anyone)
The ACLs are processed in the precedence given above, so for
example if you have given read-access to a group, you can still remove that
from specific users inside the group.
Group-override identifier allows you to override users' ACLs. Probably the
most useful reason to do this is to temporarily disable access for some
users. For example:
user=timo rw
group-override=tempdisabled
Now if timo is a member of the tempdisabled group, he has no
access to the mailbox. This wouldn't be possible with a normal group
identifier, because the user=timo would override it.
- mailbox
- The name of the mailbox, for which the ACL manipulation should be done.
It's also possible to use the wildcard characters "*"
and/or "?" in the mailbox name.
- right
- Dovecot ACL right name. This isn't the same as the IMAP ACL letters, which
aren't currently supported. Here is a mapping of the IMAP ACL letters to
Dovecot ACL names:
- l → lookup
- Mailbox is visible in mailbox list. Mailbox can be
subscribed to.
- r → read
- Mailbox can be opened for reading.
- w → write
- Message flags and keywords can be changed, except \Seen and
\Deleted.
- s →
write-seen
- \Seen flag can be changed.
- t →
write-deleted
- \Deleted flag can be changed.
- i → insert
- Messages can be written or copied to the mailbox.
- p → post
- Messages can be posted to the mailbox by dovecot-lda, e.g.
from Sieve scripts.
- e → expunge
- Messages can be expunged.
- k → create
- Mailboxes can be created/renamed directly under this mailbox (but
not necessarily under its children, see ACL Inheritance in the
wiki).
Note: Renaming also requires the delete right.
- x → delete
- Mailbox can be deleted.
- a → admin
- Administration rights to the mailbox (currently: ability to change
ACLs for mailbox).
doveadm acl add [-u user|-A|-F
file] [-S socket_path] mailbox id right
[right ...]
Add ACL rights to the mailbox/id. If the id
already exists, the existing rights are preserved.
doveadm acl debug [-u
user|-A|-F file] [-S socket_path]
mailbox
This command can be used to debug why a shared mailbox isn't
accessible to the user. It will list exactly what the problem is.
doveadm acl delete [-u
user|-A|-F file] [-S socket_path]
mailbox id
Remove the whole ACL entry for the mailbox/id.
doveadm acl get [-u user|-A|-F
file] [-S socket_path] [-m] mailbox
Show all the ACLs for the mailbox.
doveadm acl recalc [-u
user|-A|-F file] [-S
socket_path]
Make sure the user's shared mailboxes exist correctly in
the acl_shared_dict.
doveadm acl remove [-u
user|-A|-F file] [-S socket_path]
mailbox id right [right ...]
Remove the specified ACL rights from the mailbox/id.
If all rights are removed, the entry still exists without any rights.
doveadm acl rights [-u
user|-A|-F file] [-S socket_path]
mailbox
Show the user's current ACL rights for the
mailbox.
doveadm acl set [-u user|-A|-F
file] [-S socket_path] mailbox id right
[right ...]
Set ACL rights to the mailbox/id. If the id
already exists, the existing rights are replaced.
Report bugs, including doveconf -n output, to the Dovecot
Mailing List <dovecot@dovecot.org>. Information about reporting bugs
is available at: http://dovecot.org/bugreport.html