On 14.05.2023 at 19:45, Aki Tuomi wrote:

doveadm sync should sync all your local ACLs just fine.
So... why does it not?


I forgot to write, try doveadm -D to find out what's happening. You are loading acl plugin globally right? On both ends?

Yes, acl is on.

Look here. Identical access is given on both ends:

$ doveadm acl debug -u micha shared/aga
doveadm(micha): Info: Mailbox 'INBOX' is in namespace 'shared/aga/'
doveadm(micha): Info: Mailbox path: /srv/vmail/spinaczbiurowy/aga/.maildir
doveadm(micha): Info: All message flags are shared across users in mailbox
doveadm(micha): Info: User micha has rights: lookup read write write-seen write-deleted insert expunge create delete admin
doveadm(micha): Info: Mailbox found from dovecot-acl-list
doveadm(micha): Info: User aga found from ACL shared dict
doveadm(micha): Info: Mailbox shared/aga is visible in LIST

Now, I remove permission on one server:

$ doveadm acl delete shared/aga user=micha
$ doveadm acl debug -u micha shared/aga
doveadm(micha): Info: Mailbox 'INBOX' is in namespace 'shared/aga/'
doveadm(micha): Info: Mailbox path: /srv/vmail/spinaczbiurowy/aga/.maildir
doveadm(micha): Info: All message flags are shared across users in mailbox
doveadm(micha): Info: User micha has no rights for mailbox
doveadm(micha): Error: User micha is missing 'lookup' right
doveadm(micha): Info: Mailbox shared/aga is NOT visible in LIST

I perform sync:

$ doveadm -D sync -u aga  remote:vmail@lennier
[...]
May 14 20:59:14 doveadm(aga)<34202><>: Debug: auth-master: userdb lookup(aga): Finished userdb lookup (username=aga uid=5000 gid=5000 system_groups_user=vmail home=/srv/vmail/spinaczbiurowy/aga)
May 14 20:59:14 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: Effective uid=5000, gid=5000, home=/srv/vmail/spinaczbiurowy/aga
May 14 20:59:14 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: Namespace inbox: type=private, prefix=, sep=/, inbox=yes, hidden=no, list=yes, subscriptions=yes location=maildir:~/.maildir:LAYOUT=fs
May 14 20:59:14 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: fs: root=/srv/vmail/spinaczbiurowy/aga/.maildir, index=, indexpvt=, control=, inbox=/srv/vmail/spinaczbiurowy/aga/.maildir, alt=
May 14 20:59:14 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: acl: initializing backend with data: vfile:/etc/dovecot/mailconfig/shared/global-acls
May 14 20:59:14 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: acl: acl username = aga
May 14 20:59:14 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: acl: owner = 1
May 14 20:59:14 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: acl vfile: Global ACL file: /etc/dovecot/mailconfig/shared/global-acls
May 14 20:59:14 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: Namespace : type=shared, prefix=shared/%u/, sep=/, inbox=no, hidden=no, list=children, subscriptions=no location=maildir:%h/.maildir:LAYOUT=fs:INDEX=~/.shared/%u
May 14 20:59:14 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: shared: root=/run/dovecot, index=, indexpvt=, control=, inbox=, alt=
May 14 20:59:14 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: acl: initializing backend with data: vfile:/etc/dovecot/mailconfig/shared/global-acls
May 14 20:59:14 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: acl: acl username = aga
May 14 20:59:14 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: acl: owner = 0
May 14 20:59:14 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: acl vfile: Global ACL file: /etc/dovecot/mailconfig/shared/global-acls
May 14 20:59:14 doveadm(aga): Debug: brain M: Namespace  has location maildir:~/.maildir:LAYOUT=fs
May 14 20:59:14 doveadm(aga): Debug: acl vfile: reading file /srv/vmail/spinaczbiurowy/aga/.maildir/dovecot-acl
May 14 20:59:14 doveadm(aga): Debug: acl vfile: file /srv/vmail/spinaczbiurowy/aga/.maildir/Junk/dovecot-acl not found
May 14 20:59:14 doveadm(aga): Debug: Namespace : Using permissions from /srv/vmail/spinaczbiurowy/aga/.maildir: mode=0700 gid=default
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: brain M: Local mailbox tree: INBOX guid=d04ec020dbd2606448930000d55fb758 uid_validity=1684067035 uid_next=2 subs=no last_change=0 last_subs=0
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: brain M: Local mailbox tree: Junk guid=3847f021dbd2606448930000d55fb758 uid_validity=1684067036 uid_next=1 subs=no last_change=0 last_subs=0
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: brain M: Remote mailbox tree: INBOX guid=d04ec020dbd2606448930000d55fb758 uid_validity=1684067035 uid_next=2 subs=no last_change=0 last_subs=0
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: brain M: Remote mailbox tree: Junk guid=3847f021dbd2606448930000d55fb758 uid_validity=1684067036 uid_next=1 subs=no last_change=0 last_subs=0
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: brain M: Mailbox INBOX: local=d04ec020dbd2606448930000d55fb758/0/1, remote=d04ec020dbd2606448930000d55fb758/0/1: Mailboxes are equal
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: brain M: Mailbox Junk: local=3847f021dbd2606448930000d55fb758/0/1, remote=3847f021dbd2606448930000d55fb758/0/1: Mailboxes are equal
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: doveadm-sieve: Iterating Sieve mailbox attributes
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: sieve: Pigeonhole version 0.5.16 (09c29328) initializing
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: sieve: include: sieve_global is not set; it is currently not possible to include `:global' scripts.
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: sieve: Sieve Extprograms plugin for Pigeonhole version 0.5.16 (09c29328) loaded
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: sieve: file storage: Using active Sieve script path: /srv/vmail/spinaczbiurowy/aga/.dovecot.sieve
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: sieve: file storage: Using script storage path: /srv/vmail/spinaczbiurowy/aga/.sieve
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: sieve: file storage: Using permissions from /srv/vmail/spinaczbiurowy/aga/.sieve: mode=0700 gid=-1
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: sieve: file storage: Relative path to sieve storage in active link: .sieve/
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: sieve: file storage: sync: Synchronization active
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: acl vfile: reading file /srv/vmail/spinaczbiurowy/aga/.maildir/dovecot-acl
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: acl vfile: reading file /srv/vmail/spinaczbiurowy/aga/.maildir/dovecot-acl
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: acl vfile: file /srv/vmail/spinaczbiurowy/aga/.maildir/Junk/dovecot-acl not found
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: acl vfile: reading file /srv/vmail/spinaczbiurowy/aga/.maildir/dovecot-acl
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: acl vfile: file /srv/vmail/spinaczbiurowy/aga/.maildir/Archive/dovecot-acl not found
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: acl vfile: file /srv/vmail/spinaczbiurowy/aga/.maildir/Drafts/dovecot-acl not found
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: acl vfile: file /srv/vmail/spinaczbiurowy/aga/.maildir/Trash/dovecot-acl not found
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: acl vfile: file /srv/vmail/spinaczbiurowy/aga/.maildir/Sent/dovecot-acl not found
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: acl vfile: reading file /srv/vmail/spinaczbiurowy/aga/.maildir/dovecot-acl
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: dict(file)<>: Iterating prefix shared/shared-boxes/
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: dict(file)<>: Iteration finished, got 1 rows
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: dict(file)<>: Starting transaction
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: dict(file)<>: Unsetting 'shared/shared-boxes/user/micha/aga'
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: dict(file)<>: Dict transaction finished
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: dict(file)<>: Starting transaction
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: dict(file)<>: Setting 'shared/shared-boxes/user/micha/aga' to '1'
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: dict(file)<>: Dict transaction finished
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: brain M: Import INBOX: Import attribute vendor/vendor.dovecot/pvt/acl/user=micha: Nonexistent locally
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: brain M: Import INBOX: Import change type=save GUID=1684067035.M549474P37704.lennier,S=667,W=686 UID=1 hdr_hash= result=GUIDs match
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: brain M: Import INBOX: Last common UID=1. Delayed expunges=
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: brain M: Import INBOX: Saved UIDs:
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: brain M: Import INBOX: Finish update: min_next_uid=2 min_first_recent_uid=1 min_highest_modseq=10 min_highest_pvt_modseq=0
May 14 20:59:16 doveadm(34202): Debug: auth-master: conn unix:/run/dovecot/auth-userdb (pid=34051,uid=0): Disconnected: Connection closed (fd=8

Failure! The access right appeared again:

$ doveadm acl debug -u micha shared/aga
doveadm(micha): Info: Mailbox 'INBOX' is in namespace 'shared/aga/'
doveadm(micha): Info: Mailbox path: /srv/vmail/spinaczbiurowy/aga/.maildir
doveadm(micha): Info: All message flags are shared across users in mailbox
doveadm(micha): Info: User micha has rights: lookup read write write-seen write-deleted insert expunge create delete admin
doveadm(micha): Info: Mailbox found from dovecot-acl-list
doveadm(micha): Info: User aga found from ACL shared dict
doveadm(micha): Info: Mailbox shared/aga is visible in LIST


What is going on?

--
MiCHA
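
An added example, not part of the original message: a filter for `doveadm -D sync` output that reports ACL attributes imported during the sync and the final state of the shared-mailbox dict entries, the two line shapes that accompany the reappearing right in the log above. The function names, the regexes (derived from the quoted log lines) and the shortened sample lines are assumptions of this example.

```python
import re
import sys

# Line shapes taken from the debug log quoted above; other Dovecot versions
# may word them differently (assumption).
ACL_IMPORT = re.compile(
    r"brain \w: Import (?P<mailbox>.+?): Import attribute "
    r"vendor/vendor\.dovecot/pvt/acl/(?P<ident>[^:]+): (?P<reason>.+)$"
)
DICT_OP = re.compile(
    r"dict\(file\)<[^>]*>: (?P<op>Setting|Unsetting) "
    r"'shared/shared-boxes/user/(?P<grantee>[^/']+)/(?P<owner>[^/']+)'"
)

# Constructed sample: lines from the log above with the timestamp and
# session prefix shortened.
SAMPLE = [
    "doveadm(aga): Debug: dict(file)<>: Unsetting 'shared/shared-boxes/user/micha/aga'",
    "doveadm(aga): Debug: dict(file)<>: Setting 'shared/shared-boxes/user/micha/aga' to '1'",
    "doveadm(aga): Debug: brain M: Import INBOX: Import attribute "
    "vendor/vendor.dovecot/pvt/acl/user=micha: Nonexistent locally",
    "doveadm(aga): Debug: brain M: Import INBOX: Last common UID=1. Delayed expunges=",
]


def scan_sync_log(lines):
    """Return (acl_imports, shared_dict) seen in `doveadm -D sync` output."""
    acl_imports = []  # (mailbox, ACL identifier, reason logged by dsync)
    shared_dict = {}  # (grantee, owner) -> True if the last operation set it
    for line in lines:
        m = ACL_IMPORT.search(line)
        if m:
            acl_imports.append((m["mailbox"], m["ident"], m["reason"].strip()))
            continue
        m = DICT_OP.search(line)
        if m:
            shared_dict[(m["grantee"], m["owner"])] = m["op"] == "Setting"
    return acl_imports, shared_dict


def restored_grants(lines, revoked):
    """ACL identifiers from `revoked` that the sync imported again."""
    acl_imports, _ = scan_sync_log(lines)
    return [(mbox, ident) for mbox, ident, _ in acl_imports if ident in revoked]


if __name__ == "__main__":
    imports, shared = scan_sync_log(sys.stdin)
    for mbox, ident, reason in imports:
        print(f"ACL imported into {mbox}: {ident} ({reason})")
    for (grantee, owner), present in shared.items():
        print(f"shared dict {grantee} -> {owner}: {'set' if present else 'unset'}")
```

Feed it the combined output of the sync run (stdout and stderr) on standard input; passing the identifiers you just deleted to `restored_grants` shows which of them the sync brought back.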