[Dovecot] "list" ACL privilege ignored for LSUB command?
Willie Gillespie
wgillespie+dovecot at es2eng.com
Mon Nov 22 21:22:25 EET 2010
Hello, I am new to this list, so feel free to correct me if I do
something wrong. I don't have a problem, just a question.
The RFC which covers IMAP ACLs [1] states that one of the standard
rights is:
l - lookup (mailbox is visible to LIST/LSUB commands, SUBSCRIBE
mailbox)
If I have a shared or public namespace and have a mailbox for which I do
not have lookup rights, Dovecot seems to do great with the LIST commands
at not showing it to me.
Two things I noticed though:
SUBSCRIBE-ing to the mailbox is still successful
LSUB will list mailboxes which I do not have lookup rights to
I imagine the first issue is easy enough to correct since it's just
another check before actually subscribing. The second issue seems a
little more difficult in my mind since Dovecot seems to just dump the
subscription files to the client without checking whether the mailbox is
allowed or not. I imagine a similar issue popped up with the LIST
command and that's why the dovecot-acl-list files exist.
Anyway, am I right in my observations, or am I completely overlooking
something obvious?
Thanks!
Willie
[1] http://tools.ietf.org/html/rfc4314#section-2.1
Dovecot's wiki also indicates support for this in
http://wiki1.dovecot.org/ACL#ACL_files
I'm using version 1.2.9 with the acl and imap_acl mail_plugins in case
that matters.
More information about the dovecot
mailing list