Hi! I am setting up a new dovecot server in order to replace my old one. I am migrating from 2.3.6 to 2.4.1. I knew it would have been difficult but I didn't think so much. At the moment I am stuck in converting my configuration of Public mailboxes with ACLs. Even if I carefully checked the documentation, I do not understand clearly some points. My server has 2 Public Mailboxes that should be seen r/w by some users, read only by some others, not seen at all by all the others. Folders created in the Public Mailboxes need to have the same access privileges as the parent Public Mailbox.
In 2.3 I set up a global ACL file containing the list of all privileges (some lines like "MAILBOX_NAME* user=USERNAME lrs" with the privileges of each user for the two mailboxes and their content) and it worked like a charm. I cannot get the same in 2.4. What I understand from dovecot 2.4 docs -correct me if I am wrong- is:
- the global ACL file (and folder) is gone, deprecated;
- I need to create a file in each folder shared in the public folder;
- I need to enable "acl_driver = vfile" in 90-acl.conf.
If I configure this way, it seems to work but I need to create a dovecot-acl file in every folder existing in the Public Mailbox... Given that the file is the same for every folder (since I do not need different privileges in my environment), should I really waste all of this time?
Please, can you tell me if I am misunderstanding this argument? The dovecot 2.4 choice for this feature is really this or I am missing something? There is definitely no way to have something like the 2.3 global ACL file?
Thanks for help and patience. Bye
Lukas
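An added example, not part of the original thread: a read-only audit for the per-folder approach described above, reporting folders under a public mailbox root whose dovecot-acl file is missing or differs from the single intended policy. It assumes a Maildir layout (a folder is a directory containing "cur"), plain "<identifier> <rights>" lines without named or negative rights, and constructed users alice and carol.

```python
import os
import tempfile

# Constructed policy for illustration: alice is read/write, carol is read-only.
EXPECTED = "user=alice lrwstipekxa\nuser=carol lrs\n"

def parse_acl(text):
    """Map identifier -> set of right letters from '<identifier> <rights>' lines."""
    rows = (line.split() for line in text.splitlines() if line.strip())
    return {r[0]: frozenset(r[1]) if len(r) > 1 else frozenset() for r in rows}

def find_folders(root):
    """Yield folder directories (assumption: Maildir, so each contains 'cur')."""
    for dirpath, dirnames, _ in os.walk(root):
        if "cur" in dirnames:
            yield dirpath
        dirnames[:] = [d for d in dirnames if d not in ("cur", "new", "tmp")]

def audit(root, expected_text=EXPECTED):
    """Return {relative folder: problem} for missing or diverging dovecot-acl files."""
    expected, problems = parse_acl(expected_text), {}
    for folder in find_folders(root):
        rel, path = os.path.relpath(folder, root), os.path.join(folder, "dovecot-acl")
        if not os.path.isfile(path):
            problems[rel] = "missing"
            continue
        with open(path, encoding="utf-8") as fh:
            actual = parse_acl(fh.read())
        show = lambda acl, who: "".join(sorted(acl.get(who, "")))
        diffs = [f"{who}: has '{show(actual, who)}' expected '{show(expected, who)}'"
                 for who in sorted(set(actual) | set(expected))
                 if actual.get(who) != expected.get(who)]
        if diffs:
            problems[rel] = "; ".join(diffs)
    return problems

def demo():
    """Constructed tree: root is consistent, TEST has no file, OLD over-grants carol."""
    with tempfile.TemporaryDirectory() as root:
        for rel, acl in ((".", EXPECTED), ("TEST", None),
                         ("OLD", "user=carol lrwsti\nuser=alice axkeptiswrl\n")):
            os.makedirs(os.path.join(root, rel, "cur"))
            if acl is not None:
                with open(os.path.join(root, rel, "dovecot-acl"), "w") as fh:
                    fh.write(acl)
        return audit(root)

if __name__ == "__main__":
    for folder, problem in demo().items():
        print(f"{folder}: {problem}")
```

Rights are compared as sets, so the same letters written in a different order are not reported as a difference.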
On 21/01/2026 13:38 EET Lukas via dovecot <dovecot@dovecot.org> wrote:
[...]
Hi!
ACL rules can be configured in config file now:
acl_driver = vfile
can create many but use only one.
group @acl_ruleset acl_ruleset1 {
  acl user=user1 {
    rights = lri
  }
  acl anyone {
    rights =
  }
}
group @acl_ruleset acl_default {
  acl group=people {
    rights = lri
  }
  acl anyone {
    rights =
  }
}
namespace public {
  mail_path = /home/public/mail
  mail_index_private_path = %{home}/.public
  mailbox "foo" {
    @acl_ruleset = acl_ruleset1
  }
  mailbox "bar" {
    @acl_ruleset = acl_ruleset1
  }
  @acl_ruleset = acl_default
}
Aki
Hi Aki! Thank you very much for replying. I must admit that I thought this way (in the config file) was available for the private namespace...! But, if I read well, this solution considers only one namespace with two example folders in it. What I had with dovecot 2.3 is a little different (I apologize if I was unclear). Try to be more precise. If I look at the Folders situation in Roundcube (or in any mail client), I see the standard folders (Sent, Drafts, Trash, Junk) and two Public Folders (let's say FOO and BAR) that are created in the config as two namespaces. In Roundcube, the users with "lrwstipekxa" rights can freely create and delete folders in FOO and BAR and in the folders they contain, the ones with "lrs" rights can see and set read flag, the others don't see them at all. In dovecot 2.4, with the dovecot-acl files I cannot reproduce the same situation: I can create the two namespaces, I see them in Roundcube but cannot create folders in FOO and BAR. The strange thing is that, if I manually create a folder -let's say TEST- then I can create and delete folders in TEST and in its subfolder but still not in FOO and BAR. What I need to know is: is there a way to reproduce the 2.3 behavior also in 2.4 or the new dovecot changes no longer allow it?
As soon as I have a little time, I will try your solution but it seems to take the dovecot-acl files solution in the dovecot config file, isn't it?
Anyway, thank you so much for support.
Lukas
On 22/01/2026 09:17 EET Lukas via dovecot <dovecot@dovecot.org> wrote:
[...]
You could set the acl on namespace level?
namespace public {
  acl user=admin {
    rights = lrwstipekxa
  }
}
I am not sure I fully understand your issue though.
Aki
Hi again Aki!
I implemented your solution and, yes, I confirm that it works the same way the solution with dovecot-acl files works. Two ways of reaching the same result (being yours a little bit comfortable even if it requires a dovecot restart). But I need what I described in my previous reply. Thanks a lot
Lukas
Hi Lukas,
I created the following DokuWiki entry for myself, which also deals with ACL in and with shared mailboxes, for example. Maybe, you may find something here that could help you.
https://dokuwiki.tachtler.net/doku.php?id=tachtler:dovecot_archlinux_-_share...
Best regards, Klaus.
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
--
e-Mail : klaus@tachtler.net Homepage: https://www.tachtler.net DokuWiki: https://dokuwiki.tachtler.net
Hi Lukas,
Perhaps global-acls can also help you, as I used it when configuring a master user, for example — see also the following section from my DokuWiki, which I created for myself:
https://dokuwiki.tachtler.net/doku.php?id=tachtler:dovecot_archlinux_-_maste...
Best regards, Klaus.
Hi Klaus! Thank you very much! I took a look but my need is a public, not shared, namespace solution. They have different configuration. Even if I do not understand German language, I checked and tried with the global-acls file but it doesn't work, at least for my needs.
Lukas
participants (3): Aki Tuomi, Klaus Tachtler, lukas@email.it