Provided by: dovecot-core_2.3.7.2-1ubuntu3.7_amd64 bug

NAME

       doveadm-acl - Manage Access Control List (ACL)

SYNOPSIS

       doveadm [-Dv] [-f formatter] acl command [OPTIONS] [ARGUMENTS]

DESCRIPTION

       The  doveadm  acl  COMMANDS  can  be  used  to execute various Access Control List related
       actions.

OPTIONS

       Global doveadm(1) options:

       -D     Enables verbosity and debug messages.

       -f formatter
              Specifies the formatter for formatting the output.  Supported formatters are:

              flow   prints each line with key=value pairs.

              pager  prints each key: value pair on its own line and separates records with  form
                     feed character (^L).

              tab    prints a table header followed by tab separated value lines.

              table  prints a table header followed by adjusted value lines.

       -o setting=value
              Overrides  the  configuration  setting  from /etc/dovecot/dovecot.conf and from the
              userdb with the given value.  In order to override multiple settings, the -o option
              may be specified multiple times.

       -v     Enables verbosity, including progress counter.

       This command uses by default the output formatter table.

       Command specific options:

       -A     If  the  -A  option is present, the command will be performed for all users.  Using
              this option in combination with system users from userdb { driver = passwd } is not
              recommended,  because  it  contains  also  users  with  a  lower  UID  than the one
              configured with the first_valid_uid setting.

              When the SQL userdb module is used make sure  that  the  iterate_query  setting  in
              /etc/dovecot/dovecot-sql.conf.ext  matches  your  database  layout.  When using the
              LDAP userdb module, make sure that the iterate_attrs and iterate_filter settings in
              /etc/dovecot/dovecot-ldap.conf.ext  match  your  LDAP schema.  Otherwise doveadm(1)
              will be unable to iterate over all users.

       -F file
              Execute the command for all the users in the file.   This  is  similar  to  the  -A
              option,  but  instead  of  getting the list of users from the userdb, they are read
              from the given file.  The file contains one username per line.

       -S socket_path
              The option's argument is either an absolute path to a local UNIX domain socket,  or
              a  hostname  and  port (hostname:port), in order to connect a remote host via a TCP
              socket.

              This allows an administrator to execute doveadm(1) mail commands through the  given
              socket.

       -u user/mask
              Run  the  command  only  for the given user.  It's also possible to use '*' and '?'
              wildcards (e.g. -u *@example.org).
              When neither the -A option, nor the -F file option, nor the -u user was  specified,
              the command will be executed with the environment of the currently logged in user.

ARGUMENTS

       id     The id (identifier) is one of:

                     *   group-override=group_name

                     *   user=user_name

                     *   owner

                     *   group=group_name

                     *   authenticated

                     *   anyone (or anonymous, which is an alias for anyone)

              The  ACLs  are  processed in the precedence given above, so for example if you have
              given read-access to a group, you can still remove that from specific users  inside
              the group.
              Group-override  identifier  allows  you to override users' ACLs.  Probably the most
              useful reason to do this is to temporarily disable  access  for  some  users.   For
              example:

              user=timo rw
              group-override=tempdisabled

              Now if timo is a member of the tempdisabled group, he has no access to the mailbox.
              This wouldn't be possible with a normal group  identifier,  because  the  user=timo
              would override it.

       mailbox
              The  name of the mailbox, for which the ACL manipulation should be done.  It's also
              possible to use the wildcard characters "*" and/or "?" in the mailbox name.

       right  Dovecot ACL right name. This isn't the same as the IMAP ACL letters,  which  aren't
              currently  supported.   Here  is  a  mapping of the IMAP ACL letters to Dovecot ACL
              names:

                     l  lookup
                         Mailbox is visible in mailbox list.  Mailbox can be subscribed to.

                     r  read
                         Mailbox can be opened for reading.

                     w  write
                         Message flags and keywords can be changed, except \Seen and \Deleted.

                     s  write-seen
                         \Seen flag can be changed.

                     t  write-deleted
                         \Deleted flag can be changed.

                     i  insert
                         Messages can be written or copied to the mailbox.

                     p  post
                         Messages can be posted to the mailbox by dovecot-lda,  e.g.  from  Sieve
                         scripts.

                     e  expunge
                         Messages can be expunged.

                     k  create
                         Mailboxes  can  be  created/renamed directly under this mailbox (but not
                         necessarily under its children, see ACL Inheritance in the wiki).
                         Note: Renaming also requires the delete right.

                     x  delete
                         Mailbox can be deleted.

                     a  admin
                         Administration rights to the mailbox (currently: ability to change  ACLs
                         for mailbox).

COMMANDS

   acl add
       doveadm acl add [-u user|-A|-F file] [-S socket_path] mailbox id right [right ...]

       Add  ACL  rights  to  the  mailbox/id.   If the id already exists, the existing rights are
       preserved.

   acl debug
       doveadm acl debug [-u user|-A|-F file] [-S socket_path] mailbox

       This command can be used to debug why a shared mailbox isn't accessible to the  user.   It
       will list exactly what the problem is.

   acl delete
       doveadm acl delete [-u user|-A|-F file] [-S socket_path] mailbox id

       Remove the whole ACL entry for the mailbox/id.

   acl get
       doveadm acl get [-u user|-A|-F file] [-S socket_path] [-m] mailbox

       Show all the ACLs for the mailbox.

   acl recalc
       doveadm acl recalc [-u user|-A|-F file] [-S socket_path]

       Make sure the user's shared mailboxes exist correctly in the acl_shared_dict.

   acl remove
       doveadm acl remove [-u user|-A|-F file] [-S socket_path] mailbox id right [right ...]

       Remove the specified ACL rights from the mailbox/id.  If all rights are removed, the entry
       still exists without any rights.

   acl rights
       doveadm acl rights [-u user|-A|-F file] [-S socket_path] mailbox

       Show the user's current ACL rights for the mailbox.

   acl set
       doveadm acl set [-u user|-A|-F file] [-S socket_path] mailbox id right [right ...]

       Set ACL rights to the mailbox/id.  If the id  already  exists,  the  existing  rights  are
       replaced.

REPORTING BUGS

       Report   bugs,   including   doveconf   -n   output,   to   the   Dovecot   Mailing   List
       <dovecot@dovecot.org>.    Information   about   reporting   bugs    is    available    at:
       http://dovecot.org/bugreport.html

SEE ALSO

       doveadm(1), dovecot-lda(1)

       Additional resources:

       ACL Inheritance
              http://wiki2.dovecot.org/ACL#ACL_Inheritance