ACL ignored for master users

Philip Iezzi lists at iezzi.ch
Mon Aug 12 17:24:07 EEST 2019 

Hi there!

I can't get ACL working for master users. Login as master user works fine though, and I am able to access any mailbox using the auth_master_user_separator "*", tested e.g. via Python's imaplib:

>>> import imaplib
>>> imap = imaplib.IMAP4_SSL('imap.example.com')
>>> imap.login('foo at example.com*admin-acldemo', '**********')
('OK', [b'Logged in'])

My /etc/dovecot/dovecot-acl looks like this:

* user=admin lr
bar at example.com user=admin-acldemo lr

So, if I didn't misunderstand https://wiki.dovecot.org/Authentication/MasterUsers and https://wiki.dovecot.org/ACL documentation, this should only give "admin" master user access to all mailaccounts and limiting "admin-acldemo" master user to only a single mailaccount.
But no matter what I put into dovecot-acl (it could even be empty), master users always have access to all existing mailaccounts. The whole dovecot-acl seems to be ignored and there are no logs pointing to any problem (syntax, access permissions) with that file.

In mail.log I am getting a successful login message:

dovecot: imap-login: Login: user=<foo at example.com>, method=PLAIN, rip=..., lip=..., mpid=42371, TLS, session=<T9GKEuyPKGxRPtGS>

My current setup (relevant config options):

# 2.3.7.1 (0152c8b10): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.7.1 (db5c74be)
# OS: Linux 4.15.18-18-pve x86_64 Debian 9.9 
auth_master_user_separator = *
mail_plugins = quota acl
passdb {
  args = /etc/dovecot/passwd.masterusers
  driver = passwd-file
  master = yes
  pass = yes
}
plugin {
  acl = vfile:/etc/dovecot/dovecot-acl
  acl_user = %u
  master_user = %u
}
protocol lmtp {
  mail_plugins = quota acl sieve
}
protocol lda {
  mail_plugins = quota acl sieve
}
protocol imap {
  mail_plugins = quota acl imap_acl imap_quota
}

On ACL documentation it says:

> Note that master users have their own ACLs. They're not the the mailbox owners, so by default they have no permissions to any of the mailboxes

and on Authentication/MasterUsers documentation:

> If ACL plugin is enabled, the Master user is still subject to ACLs just like any other user, which means that by default the master user has no access to any mailboxes of the user.

So it must be somehow possible to limit master users to specific mailbox(es) via ACL. If I disable `master = yes` master users won't be able to login at all.

Any help greatly appreciated! Thanks in advance.
Cheers,
Philip

More information about the dovecot mailing list