I have noticed a difference in the behavior of ACLs. When used in a MUA the following global ACL works fine and has the desired effect - new mailboxes can be created by a user being part of the 'PublicMailboxAdmins' group:
[ global-acl: ]
INBOX owner lrwstiekxap
Public/* group=PublicMailboxAdmins lrwsipk
Public/* anyone lr
Public/* authenticated lrws
Creating the same mailbox via doveadm however fails with a permission problem:
doveadm(tlx@leuxner.net): Debug: acl vfile: Global ACL file: /var/vmail/conf.d/leuxner.net/global-acl
doveadm(tlx@leuxner.net): Debug: Namespace : type=public, prefix=Public/, sep=/, inbox=no, hidden=no, list=yes, subscriptions=no location=mdbox:/var/vmail/public:INDEXPVT=~/mdbox/public
doveadm(tlx@leuxner.net): Debug: fs: root=/var/vmail/public, index=, indexpvt=/var/vmail/domains/leuxner.net/tlx/mdbox/public, control=, inbox=, alt=
doveadm(tlx@leuxner.net): Debug: acl: initializing backend with data: vfile:/var/vmail/conf.d/leuxner.net/global-acl:cache_secs=300
doveadm(tlx@leuxner.net): Debug: acl: acl username = tlx@leuxner.net
doveadm(tlx@leuxner.net): Debug: acl: owner = 0
doveadm(tlx@leuxner.net): Debug: acl vfile: Global ACL file: /var/vmail/conf.d/leuxner.net/global-acl
doveadm(tlx@leuxner.net): Debug: Namespace : type=private, prefix=Virtual/, sep=/, inbox=no, hidden=no, list=yes, subscriptions=yes location=virtual:~/mdbox/virtual
doveadm(tlx@leuxner.net): Debug: fs: root=/var/vmail/domains/leuxner.net/tlx/mdbox/virtual, index=, indexpvt=, control=, inbox=, alt=
doveadm(tlx@leuxner.net): Debug: acl: initializing backend with data: vfile:/var/vmail/conf.d/leuxner.net/global-acl:cache_secs=300
doveadm(tlx@leuxner.net): Debug: acl: acl username = tlx@leuxner.net
doveadm(tlx@leuxner.net): Debug: acl: owner = 1
doveadm(tlx@leuxner.net): Debug: acl vfile: Global ACL file: /var/vmail/conf.d/leuxner.net/global-acl
doveadm(tlx@leuxner.net): Debug: acl vfile: file /var/vmail/public/mailboxes/dovecot-acl not found
doveadm(tlx@leuxner.net): Error: Can't create mailbox Public/Archive/Newsletters/heise-security/2014: Permission denied
Interestingly, doveadm succeeds when dovecot-acl is present in the namespace root - which of course is not desirable in the light of the global ACL:
[ dovecot-acl: ]
group=PublicMailboxAdmins lrwsipk
doveadm(tlx@leuxner.net): Debug: acl vfile: Global ACL file: /var/vmail/conf.d/leuxner.net/global-acl
doveadm(tlx@leuxner.net): Debug: Namespace : type=public, prefix=Public/, sep=/, inbox=no, hidden=no, list=yes, subscriptions=no location=mdbox:/var/vmail/public:INDEXPVT=~/mdbox/public
doveadm(tlx@leuxner.net): Debug: fs: root=/var/vmail/public, index=, indexpvt=/var/vmail/domains/leuxner.net/tlx/mdbox/public, control=, inbox=, alt=
doveadm(tlx@leuxner.net): Debug: acl: initializing backend with data: vfile:/var/vmail/conf.d/leuxner.net/global-acl:cache_secs=300
doveadm(tlx@leuxner.net): Debug: acl: acl username = tlx@leuxner.net
doveadm(tlx@leuxner.net): Debug: acl: owner = 0
doveadm(tlx@leuxner.net): Debug: acl vfile: Global ACL file: /var/vmail/conf.d/leuxner.net/global-acl
doveadm(tlx@leuxner.net): Debug: Namespace : type=private, prefix=Virtual/, sep=/, inbox=no, hidden=no, list=yes, subscriptions=yes location=virtual:~/mdbox/virtual
doveadm(tlx@leuxner.net): Debug: fs: root=/var/vmail/domains/leuxner.net/tlx/mdbox/virtual, index=, indexpvt=, control=, inbox=, alt=
doveadm(tlx@leuxner.net): Debug: acl: initializing backend with data: vfile:/var/vmail/conf.d/leuxner.net/global-acl:cache_secs=300
doveadm(tlx@leuxner.net): Debug: acl: acl username = tlx@leuxner.net
doveadm(tlx@leuxner.net): Debug: acl: owner = 1
doveadm(tlx@leuxner.net): Debug: acl vfile: Global ACL file: /var/vmail/conf.d/leuxner.net/global-acl
doveadm(tlx@leuxner.net): Debug: acl vfile: reading file /var/vmail/public/mailboxes/dovecot-acl
doveadm(tlx@leuxner.net): Debug: Namespace Public/: /var/vmail/public/mailboxes/Archive/Newsletters/heise-security/2014 doesn't exist yet, using default permissions
doveadm(tlx@leuxner.net): Debug: Namespace Public/: Using permissions from /var/vmail/public: mode=0700 gid=default
doveadm(tlx@leuxner.net): Debug: acl vfile: file /var/vmail/public/mailboxes/Archive/Newsletters/heise-security/dbox-Mails/dovecot-acl not found
doveadm(tlx@leuxner.net): Debug: acl vfile: file /var/vmail/public/mailboxes/Archive/Newsletters/heise-security/2014/dbox-Mails/dovecot-acl not found
doveadm(tlx@leuxner.net): Debug: acl vfile: file /var/vmail/public/mailboxes/Archive/Newsletters/heise-security/2014/dbox-Mails/dovecot-acl not found
doveadm(tlx@leuxner.net): Debug: acl vfile: file /var/vmail/public/mailboxes/Archive/Newsletters/heise-security/2014/dbox-Mails/dovecot-acl not found
# 2.2.15 (6078354e6238): /etc/dovecot/dovecot.conf
I know there have been some changes in Mercurial as to how global ACLs are interpreted. Is doveadm perhaps behind on them?
Regards
Thomas
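A small audit script, added here by the editor (it is not part of Thomas's post and not Dovecot code): it parses a global-ACL-style file like the one above and reports the effective rights a user ends up with on a mailbox, including whether that user holds the 'k' (create) right on the parent that an IMAP CREATE requires. The sample ACL is the post's global-acl plus one constructed negative line for a hypothetical group "Interns" to show an override. The precedence order it applies (anyone, authenticated, group, owner, user, group-override, each stage first adding its rights and then removing those named by a "-identifier" entry) and the owner-gets-everything default for a mailbox that no entry matches are the editor's reading of Dovecot's documented behaviour and should be treated as assumptions. It models the ACL file only; it cannot reproduce the doveadm-versus-IMAP difference reported above, which is a question about Dovecot's code path.

```python
import re
from dataclasses import dataclass

# Single-letter rights in canonical (RFC 4314 / Dovecot) order.
RIGHTS = {
    "l": "lookup", "r": "read", "w": "write-flags", "s": "write-seen",
    "t": "write-deleted", "i": "insert", "e": "expunge", "k": "create",
    "x": "delete", "a": "admin", "p": "post",
}

# ASSUMPTION (editor's reading of Dovecot's identifier precedence): stages are
# applied in this order; each stage adds its rights, then removes the rights of
# its negative "-identifier" entries, so group-override can override user.
ID_ORDER = ("anyone", "authenticated", "group", "owner", "user", "group-override")


@dataclass(frozen=True)
class Entry:
    pattern: str        # mailbox name pattern, "*" and "?" are wildcards
    id_type: str        # one of ID_ORDER
    id_name: str        # user/group name; "" for anyone/authenticated/owner
    rights: frozenset   # right letters
    negative: bool      # True for "-identifier" entries (rights are removed)


@dataclass(frozen=True)
class Subject:
    username: str = ""              # "" means anonymous (not authenticated)
    groups: frozenset = frozenset()
    is_owner: bool = False          # owner of the namespace holding the mailbox


def parse_identifier(token):
    negative = token.startswith("-")
    if negative:
        token = token[1:]
    if token in ("anyone", "authenticated", "owner"):
        return token, "", negative
    id_type, sep, id_name = token.partition("=")
    if sep and id_name and id_type in ("user", "group", "group-override"):
        return id_type, id_name, negative
    raise ValueError(f"unknown ACL identifier {token!r}")


def parse_global_acl(text):
    """Parse '<mailbox-pattern> <identifier> [<rights>]' lines; '#' starts a comment."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) not in (2, 3):
            raise ValueError(f"line {lineno}: expected 'pattern identifier [rights]'")
        rights = fields[2] if len(fields) == 3 else ""
        unknown = set(rights) - set(RIGHTS)
        if unknown:
            raise ValueError(f"line {lineno}: unknown rights {''.join(sorted(unknown))!r}")
        id_type, id_name, negative = parse_identifier(fields[1])
        entries.append(Entry(fields[0], id_type, id_name, frozenset(rights), negative))
    return entries


def pattern_matches(pattern, mailbox):
    """Wildcard match over the whole mailbox name ('*' also spans the '/' separator)."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, mailbox) is not None


def entry_applies(entry, subject):
    if entry.id_type == "anyone":
        return True
    if entry.id_type == "authenticated":
        return subject.username != ""
    if entry.id_type == "owner":
        return subject.is_owner
    if entry.id_type == "user":
        return subject.username == entry.id_name
    return entry.id_name in subject.groups   # group and group-override


def effective_rights(entries, mailbox, subject):
    matching = [e for e in entries if pattern_matches(e.pattern, mailbox)]
    if not matching:
        # ASSUMPTION: Dovecot's default for a mailbox without any ACL entry,
        # the owner has every right and everybody else has none.
        return frozenset(RIGHTS) if subject.is_owner else frozenset()
    rights = set()
    for id_type in ID_ORDER:
        stage = [e for e in matching if e.id_type == id_type and entry_applies(e, subject)]
        for e in stage:
            if not e.negative:
                rights |= e.rights
        for e in stage:
            if e.negative:
                rights -= e.rights
    return frozenset(rights)


def rights_string(rights):
    """Render a rights set in canonical letter order, e.g. 'lrwsikp'."""
    return "".join(letter for letter in RIGHTS if letter in rights)


def can_create_child(entries, parent_mailbox, subject):
    """IMAP CREATE needs the 'k' (create) right on the parent mailbox (RFC 4314)."""
    return "k" in effective_rights(entries, parent_mailbox, subject)


# Constructed sample: the post's global-acl plus one hypothetical override line.
GLOBAL_ACL = """\
INBOX owner lrwstiekxap
Public/* group=PublicMailboxAdmins lrwsipk
Public/* anyone lr
Public/* authenticated lrws
Public/* -group-override=Interns ik   # hypothetical: interns may not insert/create
"""

if __name__ == "__main__":
    entries = parse_global_acl(GLOBAL_ACL)
    parent = "Public/Archive/Newsletters/heise-security"
    admin = Subject("tlx@leuxner.net", frozenset({"PublicMailboxAdmins"}))
    for who, subj in (("admin", admin), ("plain user", Subject("alice@example.org")), ("anonymous", Subject())):
        print(f"{who:10} {parent}: {rights_string(effective_rights(entries, parent, subj))}"
              f"  create child: {can_create_child(entries, parent, subj)}")
```

Run against the post's ACL, the script reports that a member of PublicMailboxAdmins holds 'k' on the parent of Public/Archive/Newsletters/heise-security/2014, so the global file alone does grant the create right; an authenticated non-member gets lrws and cannot create, and an anonymous user gets lr only. Feeding it a candidate global-acl before deploying is a cheap way to check that a public namespace does not accidentally hand 'k', 'x' or 'a' to "anyone" or "authenticated".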