ACL: dovecot-acl-list and acl_globals_only

Peter Chiochetti pch at myzel.net
Fri Dec 6 15:17:38 EET 2019


Reword of attempt from last week, also workaround/possible culprit found:

In dovecot 2.2.22 the stanza "* group=Guest" in the global ACL vfile did 
stop dovecot from showing anybody in group "Guest" any mailbox but INBOX 
in imap LIST command.

So I had to grant lookup right extra, e.g. "Sent group=ALL lrwsi" to show 
the Sent mailbox and also allow insert etc.

The use case is very simple: First, take away all the rights, 
selectively grant rights afterwards.

After upgrading to 2.2.33 recently, only INBOX got shown. No way to 
grant any more rights. Turning on mail_debug=yes, dovecot logged

> imap(...): Debug: acl: Mailbox not in dovecot-acl-list: Sent

Yet, I had configured acl_globals_only = yes, so dovecot-acl-list should 
not matter at all, shouldn't it?

Indeed, there was commit 95c8d28ebfc13f3252b71c71f3d5c0d809110a08 in the 
time between 2.2.22 and 2.2.33 concerning just this.

Further indeed, removing acl_globals_only from my local.conf re-enables 
the 2.2.22 behaviour (at least now, with 2.3.9).

Performance impact for me is negligible. Maybe there is a regression 
lurking in acl_mailbox_list_iter_next_info, in that a list is expected, 
that won't ever exist, with acl_globals_only on?

-- 
peter

