.TH "DOVEADM-ACL" "1" "March 2025" "78ffb79" "Dovecot"
.SH "NAME"
\fBdoveadm-acl\fR - Manage Access Control List (ACL)
.SH "SYNOPSIS"
.P
\fBdoveadm\fR \[lB]\fIGLOBAL OPTIONS\fR\[rB] \fBacl\fR \fIcommand\fR \[lB]\fIOPTIONS\fR\[rB] \[lB]\fIARGUMENTS\fR\[rB]
.SH "DESCRIPTION"
.P
The \fBdoveadm acl\fR \fICOMMANDS\fR can be used to execute various Access Control List related actions.
.SH "GLOBAL OPTIONS"
.P
Global doveadm(1) 
.P
\fB-D\fR
.RS 0
.RS 4
.P
Enables \fIverbosity\fR and debug messages.
.RE 0

.RE 0

.P
\fB-O\fR
.RS 0
.RS 4
.P
Do not read any config file, just use defaults. The \fBdovecot_storage_version\fR setting defaults to the latest version, but can be overridden with 
.RE 0

.RE 0

.P
\fB-k\fR
.RS 0
.RS 4
.P
Preserve entire environment for doveadm, not just \fBimport_environment\fR setting.
.RE 0

.RE 0

.P
\fB-v\fR
.RS 0
.RS 4
.P
Enables verbosity, including progress counter.
.RE 0

.RE 0

.P
\fB-i\fR \fIinstance-name\fR
.RS 0
.RS 4
.P
If using multiple Dovecot instances, choose the config file based on this instance name.
.P
See \fBinstance_name\fR setting for more information.
.RE 0

.RE 0

.P
\fB-c\fR \fIconfig-file\fR
.RS 0
.RS 4
.P
Read configuration from the given \fIconfig-file\fR. By default it first reads config socket, and then falls back to \fI/etc/dovecot/dovecot.conf\fR. You can also point this to config socket of some instance running compatible version.
.RE 0

.RE 0

.P
\fB-o\fR \fIsetting\fR\fB=\fR\fIvalue\fR
.RS 0
.RS 4
.P
Overrides the configuration \fIsetting\fR from \fI/etc/dovecot/dovecot.conf\fR and from the userdb with the given \fIvalue\fR. In order to override multiple settings, the \fB-o\fR option may be specified multiple times.
.RE 0

.RE 0

.P
\fB-f\fR \fIformatter\fR
.RS 0
.RS 4
.P
Specifies the \fIformatter\fR for formatting the output. Supported formatters are:
.P
\fBflow\fR
.RS 4
.P
prints each line with \fIkey\fR\fB=\fR\fIvalue\fR pairs.
.RE 0

.P
\fBpager\fR
.RS 4
.P
prints each \fIkey\fR: \fIvalue\fR pair on its own line and separates records with form feed character (\fB^L\fR).
.RE 0

.P
\fBtab\fR
.RS 4
.P
prints a table header followed by tab separated value lines.
.RE 0

.P
\fBtable\fR
.RS 4
.P
prints a table header followed by adjusted value lines.
.RE 0

.RE 0

.RE 0

.P
This command uses by default the output formatter \fBtable\fR.
.SH "OPTIONS"
.P
\fB-A\fR
.RS 0
.RS 4
.P
If the \fB-A\fR option is present, the \fIcommand\fR will be performed for all users. Using this option in combination with system users from \fBuserdb { driver = passwd }\fR is not recommended, because it contains also users with a lower UID than the one configured with the \fBfirst_valid_uid\fR setting.
.P
When the SQL userdb module is used, make sure that the \fBuserdb_sql_iterate_query\fR setting setting matches your database layout.
.P
When using the LDAP userdb module, make sure that the \fBuserdb_fields\fR setting and \fBuserdb_ldap_iterate_fields\fR setting settings match your LDAP schema. Otherwise doveadm(1) will be unable to iterate over all users.
.RE 0

.RE 0

.P
\fB-F\fR \fIfile\fR
.RS 0
.RS 4
.P
Execute the \fIcommand\fR for all the users in the \fIfile\fR. This is similar to the \fB-A\fR option, but instead of getting the list of users from the userdb, they are read from the given \fIfile\fR. The \fIfile\fR contains one username per line.
.RE 0

.RE 0

.P
\fB--no-userdb-lookup\fR
.RS 0
.RS 4
.P
Do not perform userdb lookup. Use the \fBUSER\fR environment variable to specify the username.
.RE 0

.RE 0

.P
\fB-S\fR \fIsocket_path\fR
.RS 0
.RS 4
.P
The option's argument is either an absolute path to a local UNIX domain socket, or a hostname and port (\fIhostname\fR:\fIport\fR), in order to connect a remote host via a TCP socket.
.P
This allows an administrator to execute doveadm(1) mail commands through the given socket.
.RE 0

.RE 0

.P
\fB-u\fR \fIuser/mask\fR
.RS 0
.RS 4
.P
Run the \fIcommand\fR only for the given \fIuser\fR. It's also possible to use '\fB*\fR' and '\fB?\fR' wildcards (e.g. -u *@example.org).
.RE 0

.RE 0

.SH "ARGUMENTS"
.P
\fIid\fR
.RS 0
.RS 4
.P
The id (identifier) is one of:
.RS 4
.IP \(bu 4
\fBgroup-override\fR = \fIgroup_name\fR
.IP \(bu 4
\fBuser\fR = \fIuser_name\fR
.IP \(bu 4
\fBowner\fR
.IP \(bu 4
\fBgroup\fR = \fIgroup_name\fR
.IP \(bu 4
\fBauthenticated\fR
.IP \(bu 4
\fBanyone\fR
.IP \(bu 4
\fBanonymous\fR, which is an alias for anyone
.RE 0

.P
The ACLs are processed in the precedence given above, so for example if you have given read-access to a group, you can still remove that from specific users inside the group.
.P
Group-override identifier allows you to override users' ACLs. Probably the most useful reason to do this is to temporarily disable access for some users. For example:
.P
.RS 2
.nf
user=timo rw
group-override=tempdisabled
.fi
.RE
.RE 0

.RE 0

.P
Now if timo is a member of the tempdisabled group, he has no access to the mailbox. This wouldn't be possible with a normal group identifier, because the \fBuser=timo\fR would override it.
.P
\fImailbox\fR
.RS 0
.RS 4
.P
The name of the mailbox, for which the ACL manipulation should be done. It's also possible to use the wildcard characters "*\fB\fB" and/or "\fB?\fR" in the mailbox name.
.RE 0

.RE 0

.P
\fIright\fR
.RS 0
.RS 4
.P
Dovecot ACL right name. This isn't the same as the IMAP ACL letters, which aren't currently supported.
.P
Here is a mapping of the IMAP ACL letters to Dovecot ACL names:
.RS 4
.P
\fBl -> lookup\fR : \fIMailbox\fR is visible in mailbox list. \fIMailbox\fR can be subscribed to.
.RE 0

.RS 4
.P
\fBr -> read\fR : \fIMailbox\fR can be opened for reading.
.RE 0

.RS 4
.P
\fBw -> write\fR : Message flags and keywords can be changed, except \fB\[rs]Seen\fR and \fB\[rs]Deleted\fR.
.RE 0

.RS 4
.P
\fBs -> write-seen\fR : \fB\[rs]Seen\fR flag can be changed.
.RE 0

.RS 4
.P
\fBt -> write-deleted\fR : \fB\[rs]Deleted\fR flag can be changed.
.RE 0

.RS 4
.P
\fBi -> insert\fR : Messages can be written or copied to the \fImailbox\fR.
.RE 0

.RS 4
.P
\fBp -> post\fR : Messages can be posted to the \fImailbox\fR by \fBdovecot-lda\fR, e.g. from Sieve scripts.
.RE 0

.RS 4
.P
\fBe -> expunge\fR : Messages can be expunged.
.RE 0

.RS 4
.P
 (but not necessarily under its children, see acl_inheritance. Note: Renaming also requires the delete right.
.RE 0

.RS 4
.P
\fBx -> delete\fR : \fIMailbox\fR can be deleted.
.RE 0

.RS 4
.P
\fBa -> admin\fR : Administration rights to the \fImailbox\fR (currently: ability to change ACLs for \fImailbox\fR).
.RE 0

.RE 0

.RE 0

.SH "COMMANDS"
.SS "acl add"
.P
\fBdoveadm\fR \[lB]\fIGLOBAL OPTIONS\fR\[rB] acl add \[lB]\fB-u\fR \fIuser\fR | \fB-A\fR | \fB-F\fR \fIfile\fR | \fB--no-userdb-lookup\fR\[rB] \[lB]\fB-S\fR \fIsocket_path\fR\[rB] \fImailbox id\fR \fIright\fR \[lB]\fIright\fR ...\[rB]
.P
Add ACL rights to the \fImailbox\fR/\fIid\fR. If the \fIid\fR already exists, the existing rights are preserved.
.SS "acl debug"
.P
\fBdoveadm\fR \[lB]\fIGLOBAL OPTIONS\fR\[rB] acl debug \[lB]\fB-u\fR \fIuser\fR | \fB-A\fR | \fB-F\fR \fIfile\fR | \fB--no-userdb-lookup\fR\[rB] \[lB]\fB-S\fR \fIsocket_path\fR\[rB] \fImailbox\fR
.P
This command can be used to debug why a shared mailbox isn't accessible to the user. It will list exactly what the problem is.
.SS "acl delete"
.P
\fBdoveadm\fR \[lB]\fIGLOBAL OPTIONS\fR\[rB] acl delete \[lB]\fB-u\fR \fIuser\fR | \fB-A\fR | \fB-F\fR \fIfile\fR | \fB--no-userdb-lookup\fR\[rB] \[lB]\fB-S\fR \fIsocket_path\fR\[rB] \fImailbox id\fR
.P
Remove the whole ACL entry for the \fImailbox\fR/\fIid\fR.
.SS "acl get"
.P
\fBdoveadm\fR \[lB]\fIGLOBAL OPTIONS\fR\[rB] acl get \[lB]\fB-u\fR \fIuser\fR | \fB-A\fR | \fB-F\fR \fIfile\fR | \fB--no-userdb-lookup\fR\[rB] \[lB]\fB-S\fR \fIsocket_path\fR\[rB] \[lB]\fB-m\fR\[rB] \fImailbox\fR
.P
Show all the ACLs for the \fImailbox\fR.
.P
\fB-m\fR
.RS 0
.RS 4
.P
Only show ACLs that match the mailbox.
.RE 0

.RE 0

.SS "acl recalc"
.P
\fBdoveadm\fR \[lB]\fIGLOBAL OPTIONS\fR\[rB] acl recalc \[lB]\fB-u\fR \fIuser\fR | \fB-A\fR | \fB-F\fR \fIfile\fR | \fB--no-userdb-lookup\fR\[rB] \[lB]\fB-S\fR \fIsocket_path\fR\[rB]
.P
Make sure the \fIuser\fR's shared mailboxes exist correctly in the \fIacl_sharing_map\fR.
.SS "acl remove"
.P
\fBdoveadm\fR \[lB]\fIGLOBAL OPTIONS\fR\[rB] acl remove \[lB]\fB-u\fR \fIuser\fR | \fB-A\fR | \fB-F\fR \fIfile\fR | \fB--no-userdb-lookup\fR\[rB] \[lB]\fB-S\fR \fIsocket_path\fR\[rB] \fImailbox id\fR \fIright\fR \[lB]\fIright\fR ...\[rB]
.P
Remove the specified ACL rights from the \fImailbox\fR/\fIid\fR. If all rights are removed, the entry still exists without any rights.
.SS "acl rights"
.P
\fBdoveadm\fR \[lB]\fIGLOBAL OPTIONS\fR\[rB] acl rights \[lB]\fB-u\fR \fIuser\fR | \fB-A\fR | \fB-F\fR \fIfile\fR | \fB--no-userdb-lookup\fR\[rB] \[lB]\fB-S\fR \fIsocket_path\fR\[rB] \fImailbox\fR
.P
Show the \fIuser\fR's current ACL rights for the \fImailbox\fR.
.SS "acl set"
.P
\fBdoveadm\fR \[lB]\fIGLOBAL OPTIONS\fR\[rB] acl set \[lB]\fB-u\fR \fIuser\fR | \fB-A\fR | \fB-F\fR \fIfile\fR | \fB--no-userdb-lookup\fR\[rB] \[lB]\fB-S\fR \fIsocket_path\fR\[rB] \fImailbox id\fR \fIright\fR \[lB]\fIright\fR ...\[rB]
.P
Set ACL rights to the \fImailbox\fR/\fIid\fR. If the \fIid\fR already exists, the existing rights are replaced.
.SH "REPORTING BUGS"
.P
Report bugs, including \fIdoveconf -n\fR output, to the Dovecot Mailing List \fI\(ladovecot@dovecot.org\(ra\fR. Information about reporting bugs is available at: https://dovecot.org/bugreport.html
.SH "SEE ALSO"
.P
doveadm(1)
.P
Additional resources:
.RS 0
.IP \(bu 4
acl_inheritance
.RE 0