[Dovecot] Dovecot not handling r/o mailboxes completely, and problem with ACL as a workaround

Jim Horner jhorner at arinbe.com
Mon May 7 19:46:33 EEST 2007

> In courier-imap, we were able to take advantage of the maildir structure
> and standard unix users/groups to allow 'decsstaff' members to have full
> write access while 'decsall' members only have r/o unless also a member of
> 'decsstaff':
> -rw-rw-r--  1 postlocal  decsstaff  37597 May  5 23:37
> /egr/mail/shared/decs/.support.In/cur/1178422658.M533373P54269.ice
> drwxrwxr-x  2 postlocal  decsstaff  24576 May  5 23:37
> /egr/mail/shared/decs/.support.In/cur
> drwxrws---  6 postlocal  decsall  4096 Apr 22 18:08
> /egr/mail/shared/decs/.support.In drwxrwsr-x  34 postlocal  wheel  4096 May
>  1 07:23 /egr/mail/shared/decs
>   location:
> maildir:/egr/mail/shared-dovecot2/vprgs:CONTROL=%h/Maildir/dovecot/public/c
>ontrol/vprgs:INDEX=%h/Maildir/dovecot/public/indexes/vprgs namespace:
>   type: private
>   separator: /
>   prefix: mail/
>   hidden: yes

> plugin:
>   acl: vfile:/usr/local/etc/dovecot-acls

I use shared folders. I posted a while back about my setup. There have been a 
few changelogs since then concerning ACLs. My setup might be whacked but it 
still continues to work. The simplest example I have is root mail. 

I have mail folders 

drwxrwx---  4 rootmail users /home/services/mail/rootmail/Maildir
     drwxrwx---  4 rootmail users ../.RootmailFolder
     drwxrwx---  4 rootmail users ../.RootmailFolder.general

To get around ACL plugins downside of being unaware of namespaces I create 
a "RootmailFolder" underneath Maildir. No one else probably (hopefully) will 
have a folder named that. If they did then the permissions in the ACL  
plug-in directory would override "owner permissions". Were that to happen 
then you could just put a dovecot-acl file in the user's directory to 
compensate though this is a fuzzy part... this used to work but I haven't 
needed to test it so I don't know if it does still.

I then created a general folder under that. I have a sieve script which pumps 
all mail into the general folder. So this is rootmail's "inbox". I did this 
as a workaround.

<might not be needed nor work anymore>

If you actually want a user 'rootmail' to use an imap client and log into 
their mailbox then you would create a file 


all the files contain:

user=rootmail lrwstie

</might not be needed nor work anymore>

To use the ACL plug-in files must be create in this directory:

> plugin:
>   acl: vfile:/usr/local/etc/dovecot-acls

so I have (using your path) files:


These files contain

user=jhorner lrwstie

My namespace is setup as:

namespace public {
    separator = .
    prefix = ROOTMAIL.
    location = 
    hidden = no
    inbox = no

Everyone can see the namespace but no one but me can access the namespace 
because RootmailFolder is only accessible by me. Those who do try to access a 
forbidden folder get a curt techie error. However, most clients do not show 
the namespace because there aren't any folders underneath the namespace that 
are accessible so this is not a problem for me.

I also have a COMPANY share setup similarly. However there are many many 
folders underneath this share and different people can access different 
folders and I accomplish that using the ACL plug-in similar to above.

I used to use Courier and I was able to duplicate shared folders via the ACL 
plug-in though the folders are now one level deeper, i.e. 
ROOTMAIL/RootmailFolders/general as opposed to ROOTMAIL/general 
(namespace/foldername). Some users did complain. Oh well... most are still 


More information about the dovecot mailing list