Hi *,
The problem is most noticeable when a user shares his INBOX[0][1] with others:
User A sets his INBOX acls to "eilprwtsd"
Now User B can see _all_ sub mailboxes and sub sub [...] mailboxes and their contents of User A:
User A:
g getacl INBOX
- ACL "INBOX" "A@example.com" akxeilprwtscd "B@example.com" eilprwtsd "A@example.com" lrwstipekxacd
g OK Getacl completed.
g getacl INBOX/foobar
- ACL "INBOX/foobar" "1@aztec.intevation.de" lrwstipekxacd
User B:
l list "" "*"
- LIST (\Noselect \HasChildren) "/" "user"
- LIST (\Noselect \HasChildren) "/" "user/1@aztec.intevation.de"
- LIST (\HasChildren) "/" "INBOX"
- LIST (\HasNoChildren) "/" "INBOX/Gesendet"
- LIST (\HasChildren) "/" "user/1@aztec.intevation.de/foobar"
- LIST (\HasNoChildren) "/" "user/1@aztec.intevation.de/foobar/barbaaz"
- LIST (\HasNoChildren) "/" "user/1@aztec.intevation.de/INBOX"
l OK List completed.
The RfC is not too verbose on this topic of scope, but I think the following excerpt from RfC4314:
- Access Control
[...]
An access control list is a set of <access identifier,rights>
pairs. An ACL applies to a mailbox name.
indicates that ACLs are only valid for individual mailboxes (name) and not for sub mailboxes.
cheers
sascha

[0] Yes, there are really actual users wanting to do this.
[1] There is actually another bug in this context I'll report in my next mail...

Sascha Wilde
OpenPGP key: 4BB86568
http://www.intevation.de/~wilde/
http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück; AG Osnabrück, HR B 18998
Managing Directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
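
Added example (not part of the original message and not the server's own code): the strict per-mailbox reading of RFC 4314 expressed as a check that flags every mailbox a viewer's LIST shows without the "l" right in that exact mailbox's ACL. The sample responses are constructed after the session above; the function names, the user/<owner>/... to INBOX/... name mapping, and ignoring negative rights are assumptions.

```python
import re

# Constructed samples modelled on the session above (identifiers normalised).
ACL_AS_OWNER = [
    '* ACL "INBOX" "A@example.com" akxeilprwtscd "B@example.com" eilprwtsd',
    '* ACL "INBOX/foobar" "A@example.com" lrwstipekxacd',
    '* ACL "INBOX/foobar/barbaaz" "A@example.com" lrwstipekxacd',
]
LIST_AS_VIEWER = [
    r'* LIST (\Noselect \HasChildren) "/" "user"',
    r'* LIST (\HasChildren) "/" "INBOX"',
    r'* LIST (\HasChildren) "/" "user/A@example.com"',
    r'* LIST (\HasChildren) "/" "user/A@example.com/foobar"',
    r'* LIST (\HasNoChildren) "/" "user/A@example.com/foobar/barbaaz"',
]

def parse_acl(line):
    """Untagged ACL response -> (mailbox, {identifier: set of rights})."""
    m = re.match(r'\*\s+ACL\s+"([^"]*)"(.*)$', line)
    if not m:
        raise ValueError(f"not an ACL response: {line!r}")
    pairs = re.findall(r'"([^"]*)"\s+(\S+)', m.group(2))
    return m.group(1), {ident: set(rights) for ident, rights in pairs}

def parse_list(line):
    """Untagged LIST response -> (mailbox, [flags])."""
    m = re.match(r'\*\s+LIST\s+\(([^)]*)\)\s+"[^"]*"\s+"([^"]*)"', line)
    if not m:
        raise ValueError(f"not a LIST response: {line!r}")
    return m.group(2), m.group(1).split()

def to_owner_name(shared_name, owner):
    """Assumed mapping: viewer's user/<owner>[/x] is the owner's INBOX[/x]."""
    prefix = f"user/{owner}"
    if shared_name == prefix:
        return "INBOX"
    if shared_name.startswith(prefix + "/"):
        return "INBOX/" + shared_name[len(prefix) + 1:]
    return None  # not one of this owner's mailboxes

def unexpected_visible(acl_lines, list_lines, owner, viewer):
    """Names the viewer can LIST without 'l' in that exact mailbox's ACL."""
    acls = dict(parse_acl(line) for line in acl_lines)
    leaks = []
    for line in list_lines:
        name, flags = parse_list(line)
        owner_name = to_owner_name(name, owner)
        if owner_name is None or "\\Noselect" in flags:
            continue  # other hierarchy, or a non-selectable placeholder
        entry = acls.get(owner_name, {})
        if "l" not in entry.get(viewer, set()) | entry.get("anyone", set()):
            leaks.append(name)
    return leaks
```

Run against the constructed samples, the check reports the two sub-mailboxes under foobar, whose ACLs name only the owner.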