NAME

doveadm-acl - Manage Access Control List (ACL)

SYNOPSIS

doveadm [-Dv] [-f formatter] acl command [OPTIONS] [ARGUMENTS]

DESCRIPTION

The doveadm acl COMMANDS can be used to execute various Access Control List related actions.

OPTIONS

Global doveadm(1) options:

-D: Enables verbosity and debug messages.
-f formatter: Specifies the formatter for formatting the output. Supported formatters are:

flow: prints each line with key=value pairs.
pager: prints each key: value pair on its own line and separates records with form feed character (^L).
tab: prints a table header followed by tab separated value lines.
table: prints a table header followed by adjusted value lines.

-o setting=value: Overrides the configuration setting from /usr/local/etc/dovecot/dovecot.conf and from the userdb with the given value. In order to override multiple settings, the -o option may be specified multiple times.
-v: Enables verbosity, including progress counter.

This command uses by default the output formatter table.

Command specific options:

-A: If the -A option is present, the command will be performed for all users. Using this option in combination with system users from userdb { driver = passwd } is not recommended, because it contains also users with a lower UID than the one configured with the first_valid_uid setting.
When the SQL userdb module is used make sure that the iterate_query setting in /usr/local/etc/dovecot/dovecot-sql.conf.ext matches your database layout. When using the LDAP userdb module, make sure that the iterate_attrs and iterate_filter settings in /usr/local/etc/dovecot/dovecot-ldap.conf.ext match your LDAP schema. Otherwise doveadm(1) will be unable to iterate over all users.
-F file: Execute the command for all the users in the file. This is similar to the -A option, but instead of getting the list of users from the userdb, they are read from the given file. The file contains one username per line.
-S socket_path: The option's argument is either an absolute path to a local UNIX domain socket, or a hostname and port (hostname:port), in order to connect a remote host via a TCP socket.
This allows an administrator to execute doveadm(1) mail commands through the given socket.
-u user/mask: Run the command only for the given user. It's also possible to use '*' and '?' wildcards (e.g. -u *@example.org).
When neither the -A option, nor the -F file option, nor the -u user was specified, the command will be executed with the environment of the currently logged in user.

ARGUMENTS

id: The id (identifier) is one of:

*: group-override=group_name
*: user=user_name
*: owner
*: group=group_name
*: authenticated
*: anyone (or anonymous, which is an alias for anyone)

The ACLs are processed in the precedence given above, so for example if you have given read-access to a group, you can still remove that from specific users inside the group.
Group-override identifier allows you to override users' ACLs. Probably the most useful reason to do this is to temporarily disable access for some users. For example:

user=timo rw
group-override=tempdisabled

Now if timo is a member of the tempdisabled group, he has no access to the mailbox. This wouldn't be possible with a normal group identifier, because the user=timo would override it.

mailbox: The name of the mailbox, for which the ACL manipulation should be done. It's also possible to use the wildcard characters "*" and/or "?" in the mailbox name.
right: Dovecot ACL right name. This isn't the same as the IMAP ACL letters, which aren't currently supported. Here is a mapping of the IMAP ACL letters to Dovecot ACL names:

l → lookup: Mailbox is visible in mailbox list. Mailbox can be subscribed to.
r → read: Mailbox can be opened for reading.
w → write: Message flags and keywords can be changed, except \Seen and \Deleted.
s → write-seen: \Seen flag can be changed.
t → write-deleted: \Deleted flag can be changed.
i → insert: Messages can be written or copied to the mailbox.
p → post: Messages can be posted to the mailbox by dovecot-lda, e.g. from Sieve scripts.
e → expunge: Messages can be expunged.
k → create: Mailboxes can be created/renamed directly under this mailbox (but not necessarily under its children, see ACL Inheritance in the wiki).
Note: Renaming also requires the delete right.
x → delete: Mailbox can be deleted.
a → admin: Administration rights to the mailbox (currently: ability to change ACLs for mailbox).

COMMANDS

REPORTING BUGS

Report bugs, including doveconf -n output, to the Dovecot Mailing List <dovecot@dovecot.org>. Information about reporting bugs is available at: http://dovecot.org/bugreport.html

NAME

SYNOPSIS

DESCRIPTION

OPTIONS

ARGUMENTS

COMMANDS

acl add

acl debug

acl delete

acl get

acl recalc

acl remove

acl rights

acl set

REPORTING BUGS

SEE ALSO