In a mailbox that has ACL restrictions on both DELETE and EXPUNGE
(i.e. no 'e' or 't' rights), I see the following:
    3 UID STORE 3173 (UNCHANGEDSINCE 353) +FLAGS \deleted
    3 OK Store completed.
(UID 3173 is not flagged \deleted)
[...]
    6 UID EXPUNGE 1:*
    6 OK Expunge completed.
(At least 1 UID is flagged \deleted in mailbox)
Shouldn't these commands be returning "NO" instead of "OK"? RFC 3501
[6.4.6] for STORE:
    NO - store error: can't store that data
and RFC 3501 [6.4.3] for EXPUNGE:
    NO - expunge failure: can't expunge (e.g., permission denied)
Additionally, RFC 5530 [3] provides the NOPERM response code:
    NOPERM
        The access control system (e.g., Access Control List (ACL), see
        [RFC 4314]) does not permit this user to carry out an operation,
        such as selecting or creating a mailbox.

        C: f select "/archive/projects/experiment-iv"
        S: f NO [NOPERM] Access denied
My reading of this is that NOPERM should be returned for ANY ACL
prohibited action, not just for selecting or creating a mailbox.
Dovecot 2.0.12 does not return NOPERM for DELETE/EXPUNGE actions (at a
minimum) that are prohibited.
Thoughts?
michael
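
Added example, not part of the original message and not Dovecot code: a small transcript checker that flags tagged replies which look wrong when the mailbox rights lack 'e' or 't'. The function names and the rights string "lrswi" are assumptions made for illustration; only the two rights named in the post are modelled.

```python
import re

# RFC 4314 rights the post is about: 't' (set/clear \Deleted via STORE)
# and 'e' (EXPUNGE). Other rights and commands are deliberately not modelled.
def required_right(command):
    """Return the ACL right a command needs, or None if not modelled."""
    words = command.upper().split()
    if words[:1] == ["UID"]:
        words = words[1:]
    if words[:1] == ["EXPUNGE"]:
        return "e"
    if words[:1] == ["STORE"] and "\\DELETED" in command.upper():
        return "t"
    return None

# Tagged status line, with an optional bracketed response code (RFC 5530).
TAGGED = re.compile(r"^(\S+) (OK|NO|BAD)\b(?: \[([A-Z-]+)[^\]]*\])?", re.I)

def audit(rights, transcript):
    """Check (side, line) pairs against a MYRIGHTS-style rights string."""
    pending, findings = {}, []
    for side, line in transcript:
        if side == "C":
            tag, _, command = line.partition(" ")
            pending[tag] = command
            continue
        m = TAGGED.match(line)
        if not m or m.group(1) not in pending:
            continue  # untagged data, or a tag we never sent
        tag, status = m.group(1), m.group(2).upper()
        code = (m.group(3) or "").upper()
        command = pending.pop(tag)
        need = required_right(command)
        if need is None or need in rights:
            continue
        if status == "OK":
            findings.append((tag, command, f"OK without '{need}' right"))
        elif status == "NO" and code != "NOPERM":
            findings.append((tag, command, "NO without [NOPERM]"))
    return findings

# Constructed sample: the two exchanges quoted in the post.
SAMPLE = [
    ("C", r"3 UID STORE 3173 (UNCHANGEDSINCE 353) +FLAGS \deleted"),
    ("S", "3 OK Store completed."),
    ("C", "6 UID EXPUNGE 1:*"),
    ("S", "6 OK Expunge completed."),
]

if __name__ == "__main__":
    print(audit("lrswi", SAMPLE))
```

A finding here is a candidate for review against the server's ACL handling, not proof of a violation.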