Confused about dovecot ACL

HTMLServices.it info at htmlservices.it
Thu Jul 11 20:43:35 EEST 2019


Hello everyone

Sorry, I'm not very experienced, and neither is my English.

I installed a CentOS 7 server with ISPConfig, Postfix, Dovecot 2.2.36 and 
Roundcube. This server is only a mail archive, so my need is that ALL 
the mailboxes are read-only on Roundcube/IMAP and no user must be able to 
delete the messages. ... So I configured Dovecot's ACL following the 
guide "https://wiki2.dovecot.org/ACL". I think I did everything correctly 
and I don't get errors, but when I log into the Roundcube webmail I CAN DELETE 
MESSAGES ..... it seems that the ACL has no effect ....

Added to the Dovecot configuration file /etc/dovecot/dovecot.conf:
______________________________________
....
plugin {
   acl = vfile:/etc/dovecot/dovecot-acl
}
.....
protocol imap {
   mail_plugins = $mail_plugins imap_acl
}
mail_plugins = acl
.....
______________________________________

Created the "global" file /etc/dovecot/dovecot-acl and inserted a line so that 
the test user has only lookup and read rights (lr):

* user=test@test.com lr
______________________________________

my dovecot.conf
*********************************
listen = *,[::]
protocols = imap pop3
auth_mechanisms = plain login
disable_plaintext_auth = no
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_privileged_group = vmail
ssl_cert = </etc/postfix/smtpd.cert
ssl_key = </etc/postfix/smtpd.key
ssl_protocols =  !SSLv3
passdb {
   args = /etc/dovecot-sql.conf
   driver = sql
}
userdb {
   driver = prefetch
}
userdb {
   args = /etc/dovecot-sql.conf
   driver = sql
}
plugin {
   acl = vfile:/etc/dovecot/dovecot-acl
   quota = dict:user::file:/var/vmail/%d/%n/.quotausage
   sieve=/var/vmail/%d/%n/.sieve
}
service auth {
   unix_listener /var/spool/postfix/private/auth {
     group = postfix
     mode = 0660
     user = postfix
   }
   unix_listener auth-userdb {
     group = vmail
     mode = 0600
     user = vmail
   }
   user = root
}
service lmtp {
   unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
   }
}
service imap-login {
   client_limit = 1000
   process_limit = 500
}
protocol imap {
   mail_plugins = $mail_plugins imap_acl
   mail_plugins = quota imap_quota
}
protocol pop3 {
   pop3_uidl_format = %08Xu%08Xv
   mail_plugins = quota
}
protocol lda {
   mail_plugins = sieve quota
   postmaster_address = root@localhost
}
protocol lmtp {
   postmaster_address = admin@htmlservices.it
   mail_plugins = quota sieve
}
mail_plugins = $mail_plugins quota
mail_plugins = acl
*********************************

my dovecot-acl
*********************************
* user=test@test.com lr
*********************************

"debug"
*********************************
[root@archivio ~]# doveadm -Dv acl debug -u test@test.com INBOX
Debug: Loading modules from directory: /usr/lib64/dovecot
Debug: Module loaded: /usr/lib64/dovecot/lib01_acl_plugin.so
Debug: Loading modules from directory: /usr/lib64/dovecot/doveadm
Debug: Module loaded: /usr/lib64/dovecot/doveadm/lib10_doveadm_acl_plugin.so
Debug: Skipping module doveadm_expire_plugin, because dlopen() failed: /usr/lib64/dovecot/doveadm/lib10_doveadm_expire_plugin.so: undefined symbol: expire_set_deinit (this is usually intentional, so just ignore this message)
Debug: Skipping module doveadm_quota_plugin, because dlopen() failed: /usr/lib64/dovecot/doveadm/lib10_doveadm_quota_plugin.so: undefined symbol: quota_user_module (this is usually intentional, so just ignore this message)
Debug: Module loaded: /usr/lib64/dovecot/doveadm/lib10_doveadm_sieve_plugin.so
Debug: Skipping module doveadm_fts_lucene_plugin, because dlopen() failed: /usr/lib64/dovecot/doveadm/lib20_doveadm_fts_lucene_plugin.so: undefined symbol: lucene_index_iter_deinit (this is usually intentional, so just ignore this message)
Debug: Skipping module doveadm_fts_plugin, because dlopen() failed: /usr/lib64/dovecot/doveadm/lib20_doveadm_fts_plugin.so: undefined symbol: fts_user_get_language_list (this is usually intentional, so just ignore this message)
Debug: Skipping module doveadm_mail_crypt_plugin, because dlopen() failed: /usr/lib64/dovecot/doveadm/libdoveadm_mail_crypt_plugin.so: undefined symbol: mail_crypt_box_get_pvt_digests (this is usually intentional, so just ignore this message)
doveadm(test@test.com): Debug: Added userdb setting: mail=maildir:/var/vmail/test.com/test/Maildir
doveadm(test@test.com): Debug: Added userdb setting: plugin/quota_rule=*:storage=0B
doveadm(test@test.com): Debug: Added userdb setting: plugin/sieve=/var/vmail/test.com/test/.sieve
doveadm(test@test.com): Debug: Effective uid=5000, gid=5000, home=/var/vmail/test.com/test
doveadm(test@test.com): Debug: acl: No acl_shared_dict setting - shared mailbox listing is disabled
doveadm(test@test.com): Debug: maildir++: root=/var/vmail/test.com/test/Maildir, index=, indexpvt=, control=, inbox=/var/vmail/test.com/test/Maildir, alt=
doveadm(test@test.com): Debug: acl: initializing backend with data: vfile:/etc/dovecot/dovecot-acl
doveadm(test@test.com): Debug: acl: acl username = test@test.com
doveadm(test@test.com): Debug: acl: owner = 1
doveadm(test@test.com): Debug: acl vfile: Global ACL file: /etc/dovecot/dovecot-acl
doveadm(test@test.com): Info: Mailbox 'INBOX' is in namespace ''
doveadm(test@test.com): Info: Mailbox path: /var/vmail/test.com/test/Maildir
doveadm(test@test.com): Info: All message flags are shared across users in mailbox
doveadm(test@test.com): Debug: Mailbox 'INBOX' matches global ACL pattern '*'
doveadm(test@test.com): Debug: Mailbox 'INBOX' matches global ACL pattern '*'
doveadm(test@test.com): Debug: Mailbox 'INBOX' matches global ACL pattern '*'
doveadm(test@test.com): Debug: acl vfile: file /var/vmail/test.com/test/Maildir/dovecot-acl not found
doveadm(test@test.com): Info: User test@test.com has rights: lookup read
doveadm(test@test.com): Info: Mailbox in user's private namespace
doveadm(test@test.com): Info: Mailbox INBOX is visible in LIST
[root@archivio ~]#
*********************************

Since I see the line "Info: User test@test.com has rights: lookup read", it 
seems that the ACL (lookup and read) is correctly applied,
but as I was saying above, logging in as user test@test.com on the 
webmail, I can do everything I want, including deleting the e-mails ..... 
I have been trying to understand this for days, but I don't understand what 
I'm doing wrong and how to solve it ....
Thank you all in advance.
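Added example (editor's note, not part of the original post or of the Dovecot project): in the posted dovecot.conf, mail_plugins is assigned twice inside protocol imap { } ("mail_plugins = $mail_plugins imap_acl" followed by "mail_plugins = quota imap_quota") and twice at the global level ("mail_plugins = $mail_plugins quota" followed by "mail_plugins = acl"). Dovecot keeps the last assignment of a setting within a section, so IMAP sessions load only quota and imap_quota and never the acl plugin, while doveadm runs with the global value and does load acl. That is consistent with the debug output above: the acl module is loaded, the doveadm quota module is skipped, and "doveadm acl debug" reports the rights that the IMAP process never enforces. The Python script below, written for this page, resolves the effective mail_plugins per protocol for two constructed configuration texts, BROKEN_CONF (the relevant lines of the posted config) and FIXED_CONF (one corrected layout with a single global assignment placed before the protocol sections), and flags every assignment that silently replaced an earlier one. The $name expansion is modelled as the global value at the point the line is read, which is a simplification of Dovecot's parser and is marked as an assumption in the code.

```python
"""Resolve the effective ``mail_plugins`` per protocol from a dovecot.conf text.

Added example for this thread, not code from the original post or from Dovecot.
Two rules of the Dovecot config syntax are modelled:
  * a setting assigned more than once in the same section: the last one wins;
  * ``$name`` in a value expands to the current global value of ``name``
    (ASSUMPTION: expanded at the point the line is read; unset expands to "").
Only ``protocol <name> { ... }`` sections are resolved; plugin, service,
passdb and userdb sections are skipped because they carry no mail_plugins.
"""
import re

ASSIGN_RE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")
SECTION_RE = re.compile(r"^\s*([A-Za-z0-9_]+)(?:\s+([^\s{]+))?\s*\{\s*$")

# Constructed input: the mail_plugins-relevant lines of the posted dovecot.conf.
BROKEN_CONF = """\
protocol imap {
   mail_plugins = $mail_plugins imap_acl
   mail_plugins = quota imap_quota
}
protocol pop3 {
   mail_plugins = quota
}
protocol lda {
   mail_plugins = sieve quota
}
protocol lmtp {
   mail_plugins = quota sieve
}
mail_plugins = $mail_plugins quota
mail_plugins = acl
"""

# Constructed input: one corrected layout. A single global assignment comes
# first, and each protocol section extends it exactly once.
FIXED_CONF = """\
mail_plugins = acl quota
protocol imap {
   mail_plugins = $mail_plugins imap_acl imap_quota
}
protocol pop3 {
   mail_plugins = $mail_plugins
}
protocol lda {
   mail_plugins = $mail_plugins sieve
}
protocol lmtp {
   mail_plugins = $mail_plugins sieve
}
"""


def parse(conf_text):
    """Return (global_settings, protocol_settings, overrides).

    overrides lists (section, key, discarded_value, winning_value) for each
    assignment that replaced an earlier assignment in the same section.
    """
    global_settings, protocol_settings, overrides, stack = {}, {}, [], []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:                                     # "protocol imap {" / "plugin {"
            stack.append((m.group(1), m.group(2)))
            continue
        if line.strip() == "}":
            if stack:
                stack.pop()
            continue
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        # $name -> current global value of name (assumption noted above)
        value = re.sub(r"\$([A-Za-z0-9_]+)",
                       lambda v: global_settings.get(v.group(1), ""), value)
        value = " ".join(value.split())
        if not stack:
            target, section = global_settings, "global"
        elif stack[-1][0] == "protocol":
            target = protocol_settings.setdefault(stack[-1][1], {})
            section = "protocol " + stack[-1][1]
        else:
            continue                              # not a section we resolve
        if key in target and target[key] != value:
            overrides.append((section, key, target[key], value))
        target[key] = value
    return global_settings, protocol_settings, overrides


def effective_mail_plugins(conf_text, protocol=None):
    """Plugins a protocol would load; protocol=None gives the global value
    (what doveadm uses when no protocol doveadm section exists)."""
    glob, protos, _ = parse(conf_text)
    value = protos.get(protocol, {}).get("mail_plugins", glob.get("mail_plugins", ""))
    return value.split()


if __name__ == "__main__":
    for label, conf in (("posted", BROKEN_CONF), ("corrected", FIXED_CONF)):
        print(label)
        print("  doveadm/global -> %s" % " ".join(effective_mail_plugins(conf)))
        for proto in ("imap", "pop3", "lda", "lmtp"):
            print("  %-4s -> %s" % (proto, " ".join(effective_mail_plugins(conf, proto))))
        for section, key, old, new in parse(conf)[2]:
            print("  override in %s: %s = %r replaced by %r" % (section, key, old, new))
```

For the posted layout the script reports imap resolving to "quota imap_quota" (no acl) while the global value resolves to "acl", which matches the debug output; for the corrected layout imap resolves to "acl quota imap_acl imap_quota" and no override is flagged. After changing the real file, "doveconf -n" shows the merged configuration and "doveadm acl get -u test@test.com INBOX" prints the rights, and the delete test should then be repeated in Roundcube. One further caveat for a read-only archive: with only "lr" a user also cannot set the \Seen flag, so "lrs" is usually the minimum that keeps the mailbox usable while still refusing deletes and expunges.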