Hello,
I am working on implementing support for the RFC4314 ACL management commands and responses in the ACL plugin included with dovecot 1.1.2. (I verified the error persists with 1.1.3 though.) While the described objective is still in the works, I have stumbled upon what I believe to be a critical issue with the handling of negative rights in the present ACL plugin - to be precise, the cache component of it handles them in the exact same way as it does positive rights, thus granting rather than retracting the individual privileges.
To fix this, go to src/plugins/acl/acl-cache.c:391. The line and the one following it should read

    p[j] |= obj_cache->my_neg_rights[i]->mask[j];

Replace that to read

    p[j] &= ~obj_cache->my_neg_rights[i]->mask[j];
I hope this information is useful.
Regards, M. Soloviev
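
The mask arithmetic at issue in the message above, as an added example that is not part of the original post and is not Dovecot's code: the struct, the helper names and the sample masks are constructed for illustration. It shows that OR-ing a negative-rights mask into the effective mask grants those bits, including ones never granted positively, while AND-NOT retracts them.

```c
#include <stdio.h>
#include <stddef.h>

#define MASK_BYTES 2

/* Hypothetical stand-in for a cached rights bitmask (not Dovecot's struct). */
struct rights_mask { unsigned char mask[MASK_BYTES]; };

/* Fold positive, then negative, rights into out[]. With buggy != 0 the
   negative masks are OR-ed in, as the post describes; otherwise cleared. */
static void effective_rights(const struct rights_mask *pos, size_t npos,
                             const struct rights_mask *neg, size_t nneg,
                             int buggy, unsigned char out[MASK_BYTES])
{
    size_t i, j;

    for (j = 0; j < MASK_BYTES; j++)
        out[j] = 0;
    for (i = 0; i < npos; i++)
        for (j = 0; j < MASK_BYTES; j++)
            out[j] |= pos[i].mask[j];
    for (i = 0; i < nneg; i++)
        for (j = 0; j < MASK_BYTES; j++) {
            if (buggy)
                out[j] |= neg[i].mask[j];                  /* grants */
            else
                out[j] &= (unsigned char)~neg[i].mask[j];  /* retracts */
        }
}

/* Constructed sample: positive entries grant bits 0-2; one negative entry
   denies bits 2-3 and bit 8. Returns the mask as (byte1 << 8) | byte0. */
static unsigned sample_effective(int buggy)
{
    const struct rights_mask pos[] = { { { 0x03, 0x00 } }, { { 0x04, 0x00 } } };
    const struct rights_mask neg[] = { { { 0x0C, 0x01 } } };
    unsigned char out[MASK_BYTES];

    effective_rights(pos, 2, neg, 1, buggy, out);
    return ((unsigned)out[1] << 8) | out[0];
}

int main(void)
{
    printf("OR (buggy):      0x%04X\n", sample_effective(1));
    printf("AND-NOT (fixed): 0x%04X\n", sample_effective(0));
    return 0;
}
```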