doveadm-acl (1)
Copyright (c) 2014-2016 Dovecot authors, see the included COPYING file
NAME
doveadm-acl - Manage Access Control List (ACL)

SYNOPSIS
doveadm [-Dv] [-f formatter] acl command [OPTIONS] [ARGUMENTS]

DESCRIPTION
The doveadm acl COMMANDS can be used to execute various Access Control List related actions.

OPTIONS
Global doveadm(1) options:

  -D
      Enables verbosity and debug messages.

  -f formatter
      Specifies the formatter for formatting the output.
      Supported formatters are:

        flow
            prints each line with key=value pairs.
        pager
            prints each key: value pair on its own line and separates records with form feed character (^L).
        tab
            prints a table header followed by tab separated value lines.
        table
            prints a table header followed by adjusted value lines.

  -o setting=value
      Overrides the configuration setting from /etc/dovecot/dovecot.conf and from the userdb with the given value. In order to override multiple settings, the -o option may be specified multiple times.

  -v
      Enables verbosity, including progress counter.

This command uses by default the output formatter table.
Command specific options:

  -A
      If the -A option is present, the command will be performed for all users. Using this option in combination with system users from userdb { driver = passwd } is not recommended, because it also contains users with a lower UID than the one configured with the first_valid_uid setting.
      When the SQL userdb module is used make sure that the iterate_query setting in /etc/dovecot/dovecot-sql.conf.ext matches your database layout. When using the LDAP userdb module, make sure that the iterate_attrs and iterate_filter settings in /etc/dovecot/dovecot-ldap.conf.ext match your LDAP schema. Otherwise doveadm(1) will be unable to iterate over all users.

  -F file
      Execute the command for all the users in the file. This is similar to the -A option, but instead of getting the list of users from the userdb, they are read from the given file. The file contains one username per line.

  -S socket_path
      The option's argument is either an absolute path to a local UNIX domain socket, or a hostname and port (hostname:port), in order to connect to a remote host via a TCP socket. This allows an administrator to execute doveadm(1) mail commands through the given socket.

  -u user/mask
      Run the command only for the given user. It's also possible to use '*' and '?' wildcards (e.g. -u *@example.org).

When neither the -A option, nor the -F file option, nor the -u user was specified, the command will be executed with the environment of the currently logged in user.
ARGUMENTS
  id
      The id (identifier) is one of:

        group-override=group_name
        user=user_name
        owner
        group=group_name
        authenticated
        anyone (or anonymous, which is an alias for anyone)

      The ACLs are processed in the precedence given above, so for example if you have given read-access to a group, you can still remove that from specific users inside the group.
      The group-override identifier allows you to override users' ACLs. Probably the most useful reason to do this is to temporarily disable access for some users. For example:

        user=timo rw
        group-override=tempdisabled

      Now if timo is a member of the tempdisabled group, he has no access to the mailbox. This wouldn't be possible with a normal group identifier, because the user=timo entry would override it.
  mailbox
      The name of the mailbox, for which the ACL manipulation should be done. It's also possible to use the wildcard characters "*" and/or "?" in the mailbox name.

  right
      Dovecot ACL right name. This isn't the same as the IMAP ACL letters, which aren't currently supported.
      Here is a mapping of the IMAP ACL letters to Dovecot ACL names:

        l -> lookup
            Mailbox is visible in mailbox list. Mailbox can be subscribed to.
        r -> read
            Mailbox can be opened for reading.
        w -> write
            Message flags and keywords can be changed, except \Seen and \Deleted.
        s -> write-seen
            \Seen flag can be changed.
        t -> write-deleted
            \Deleted flag can be changed.
        i -> insert
            Messages can be written or copied to the mailbox.
        p -> post
            Messages can be posted to the mailbox by dovecot-lda, e.g. from Sieve scripts.
        e -> expunge
            Messages can be expunged.
        k -> create
            Mailboxes can be created/renamed directly under this mailbox (but not necessarily under its children, see ACL Inheritance in the wiki). Note: Renaming also requires the delete right.
        x -> delete
            Mailbox can be deleted.
        a -> admin
            Administration rights to the mailbox (currently: ability to change ACLs for mailbox).
COMMANDS

acl add
  doveadm acl add [-u user|-A|-F file] [-S socket_path] mailbox id right [right ...]
      Add ACL rights to the mailbox/id. If the id already exists, the existing rights are preserved.

acl debug
  doveadm acl debug [-u user|-A|-F file] [-S socket_path] mailbox
      This command can be used to debug why a shared mailbox isn't accessible to the user. It will list exactly what the problem is.

acl delete
  doveadm acl delete [-u user|-A|-F file] [-S socket_path] mailbox id
      Remove the whole ACL entry for the mailbox/id.

acl get
  doveadm acl get [-u user|-A|-F file] [-S socket_path] [-m] mailbox
      Show all the ACLs for the mailbox.

acl recalc
  doveadm acl recalc [-u user|-A|-F file] [-S socket_path]
      Make sure the user's shared mailboxes exist correctly in the acl_shared_dict.

acl remove
  doveadm acl remove [-u user|-A|-F file] [-S socket_path] mailbox id right [right ...]
      Remove the specified ACL rights from the mailbox/id. If all rights are removed, the entry still exists without any rights.

acl rights
  doveadm acl rights [-u user|-A|-F file] [-S socket_path] mailbox
      Show the user's current ACL rights for the mailbox.

acl set
  doveadm acl set [-u user|-A|-F file] [-S socket_path] mailbox id right [right ...]
      Set ACL rights to the mailbox/id. If the id already exists, the existing rights are replaced.
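The following is an added example written for this page; it is not Dovecot's code and does not run doveadm. It models, in memory, the two pieces of behaviour the page describes: the identifier precedence from ARGUMENTS (group-override, then user, owner, group, authenticated, anyone, with the first matching kind deciding the rights) and the add/set/remove/delete semantics of the COMMANDS section (add preserves, set replaces, remove leaves an empty entry, delete drops the entry). The class and function names are this example's own, as is one detail the page does not state: when a user matches several entries of the same kind (two groups), the model unions their rights.

```python
# Model of Dovecot mailbox ACL precedence and doveadm acl add/set/remove/delete
# semantics as described on this page.  Added illustration, not Dovecot code.

# Identifier kinds in the precedence order given under ARGUMENTS.
PRECEDENCE = ("group-override", "user", "owner", "group", "authenticated", "anyone")
NAMELESS = ("owner", "authenticated", "anyone")

# IMAP ACL letter -> Dovecot right name, from the mapping on this page.
IMAP_TO_DOVECOT = {
    "l": "lookup", "r": "read", "w": "write", "s": "write-seen",
    "t": "write-deleted", "i": "insert", "p": "post", "e": "expunge",
    "k": "create", "x": "delete", "a": "admin",
}
RIGHTS = frozenset(IMAP_TO_DOVECOT.values())


def parse_id(identifier):
    """Split 'group=staff' into ('group', 'staff') and validate the kind.
    'anonymous' is folded into its alias 'anyone'."""
    if identifier == "anonymous":
        identifier = "anyone"
    kind, _, name = identifier.partition("=")
    if kind not in PRECEDENCE:
        raise ValueError("unknown ACL identifier kind: %r" % identifier)
    if (kind in NAMELESS) == bool(name):   # nameless kinds take no '=name'
        raise ValueError("malformed ACL identifier: %r" % identifier)
    return kind, name or None


def to_imap_letters(rights):
    """Render Dovecot right names as the IMAP letters from the table above
    (display only; doveadm itself takes the Dovecot names)."""
    return "".join(l for l, r in IMAP_TO_DOVECOT.items() if r in rights)


class MailboxAcl:
    """ACL entries of one mailbox: canonical id string -> set of right names."""

    def __init__(self):
        self.entries = {}

    @staticmethod
    def _check(rights):
        unknown = set(rights) - RIGHTS
        if unknown:
            raise ValueError("unknown right(s): %s" % ", ".join(sorted(unknown)))
        return set(rights)

    @staticmethod
    def _canon(identifier):
        kind, name = parse_id(identifier)
        return kind if name is None else "%s=%s" % (kind, name)

    def add(self, identifier, *rights):
        """doveadm acl add: existing rights of the id are preserved (union)."""
        self.entries.setdefault(self._canon(identifier), set()).update(self._check(rights))

    def set(self, identifier, *rights):
        """doveadm acl set: existing rights of the id are replaced."""
        self.entries[self._canon(identifier)] = self._check(rights)

    def remove(self, identifier, *rights):
        """doveadm acl remove: drop the named rights; the entry stays, even empty."""
        self.entries[self._canon(identifier)] -= self._check(rights)

    def delete(self, identifier):
        """doveadm acl delete: drop the whole entry for the id."""
        del self.entries[self._canon(identifier)]

    def effective_rights(self, user, groups=(), owner=False, authenticated=True):
        """Walk the kinds in PRECEDENCE order; the first kind with a matching
        entry decides.  Several matching entries of one kind are unioned
        (this example's assumption, not stated on the page)."""
        groups = set(groups)
        for kind in PRECEDENCE:
            matched = [r for ident, r in self.entries.items()
                       if self._matches(ident, kind, user, groups, owner, authenticated)]
            if matched:
                return set().union(*matched)
        return set()

    @staticmethod
    def _matches(ident, kind, user, groups, owner, authenticated):
        ikind, name = parse_id(ident)
        if ikind != kind:
            return False
        if kind in ("group-override", "group"):
            return name in groups
        if kind == "user":
            return name == user
        if kind == "owner":
            return owner
        if kind == "authenticated":
            return authenticated
        return True  # anyone


def tempdisabled_example():
    """The page's case: user=timo rw plus an empty group-override=tempdisabled
    entry (the state `acl remove` leaves behind).  Returns timo's rights when
    he is, and is not, a member of tempdisabled."""
    acl = MailboxAcl()
    acl.set("user=timo", "read", "write")
    acl.add("group-override=tempdisabled", "read")
    acl.remove("group-override=tempdisabled", "read")  # entry now has no rights
    return (acl.effective_rights("timo", groups=["tempdisabled"]),
            acl.effective_rights("timo", groups=[]))


if __name__ == "__main__":
    disabled, normal = tempdisabled_example()
    print("timo in tempdisabled:", sorted(disabled))      # []
    print("timo otherwise:", to_imap_letters(normal))     # rw
```

Running the script reproduces the page's worked case: with the empty group-override entry present, a member of tempdisabled gets no rights even though user=timo grants read and write, because group-override is consulted before user. Removing timo from the group, or deleting the group-override entry, restores the user entry's rights.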
REPORTING BUGS
Report bugs, including doveconf -n output, to the Dovecot Mailing List <dovecot@dovecot.org>. Information about reporting bugs is available at: dovecot.org/bugreport.html

SEE ALSO
doveadm(1), dovecot-lda(1)

Additional resources:
  ACL Inheritance
      wiki2.dovecot.org/ACL#ACL_Inheritance