dovecot - ACL (Access Control Lists)

Last updated: 2017-10-31

Dovecot supports only virtual ACL files.

Note that using ACLs doesn't grant mail processes any extra filesystem permissions that they don't already have.


ACL vfile backend


The vfile backend supports per-mailbox ACLs and global ACLs.


ACL file format:

Default filename: dovecot-acl

<identifier> <ACLs> [:<named ACLs>]


  • group-override=<group name>
  • user=<user name>
  • group=<group name>


  • l    lookup
  • r    read


Using a tab (or multiple spaces) instead of a single space character between fields may not work.


The ACLs are processed in the precedence given above, so for example if you have given read access to a group, you can still remove it from specific users inside the group.

user=timo rw
group-override=tempdisabled

Now if timo is in the tempdisabled group, he has no access to the mailbox, because the empty group-override entry takes precedence over the user entry.




There are 11 rights in total:

l  lookup

Mailbox is visible in the mailbox list. Mailbox can be subscribed to.

r  read

Mailbox can be opened for reading.

w  write

Message flags and keywords can be changed, except \Seen and \Deleted.

s  write-seen

The \Seen flag can be changed.

t  write-deleted

The \Deleted flag can be changed.

i  insert

Messages can be written or copied to the mailbox.

p  post

Messages can be posted to the mailbox by the LDA, e.g. from Sieve scripts.

e  expunge

Messages can be expunged.

k  create

Mailboxes can be created (or renamed) directly under this mailbox, but not necessarily under its children (see the ACL Inheritance section of the Dovecot ACL documentation). Renaming also requires delete rights.

x  delete

Mailbox can be deleted.

a  admin

Administration rights to the mailbox (currently: the ability to change ACLs for the mailbox).


Full rights: ilwstpekxar
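Worked example, added here and not part of the page or of Dovecot itself: a small Python resolver for the dovecot-acl format described above. It parses `<identifier> <ACLs> [:<named ACLs>]` lines, rejects the tab and multiple-space separators the note warns about, expands the 11 right letters to their names, and applies the precedence rule (group-override first, then user, then group, and so on) to compute a user's effective rights, reproducing the timo/tempdisabled case and the "read access to a group, removed for one user" case. Assumptions: the identifiers owner, authenticated and anyone, which the list on this page omits, are taken from the Dovecot ACL documentation; when several entries of the same category match (a user in two listed groups), their rights are unioned, which is this example's choice rather than a documented Dovecot guarantee; the sample ACL file is constructed for the example.

```python
from typing import NamedTuple

# The 11 rights from the table above, letter -> name.
RIGHTS = {
    "l": "lookup", "r": "read", "w": "write", "s": "write-seen",
    "t": "write-deleted", "i": "insert", "p": "post", "e": "expunge",
    "k": "create", "x": "delete", "a": "admin",
}
FULL_RIGHTS = "ilwstpekxar"

# Identifier categories in precedence order; the first category that matches wins.
# owner/authenticated/anyone come from the Dovecot docs, not from this page.
PRECEDENCE = ("group-override", "user", "owner", "group", "authenticated", "anyone")
NAMED_IDENTIFIERS = ("group-override", "user", "group")


class AclFormatError(ValueError):
    """A line does not follow '<identifier> <ACLs> [:<named ACLs>]'."""


class AclEntry(NamedTuple):
    category: str          # "user", "group", "group-override", "owner", ...
    name: str              # part after '=', empty for owner/authenticated/anyone
    rights: frozenset      # letters from RIGHTS; empty means "no access"
    named: tuple           # named ACLs after the rights, kept but not interpreted


def describe(rights) -> list:
    """Expand a rights string such as 'lr' into right names."""
    return [RIGHTS[c] for c in rights]


def parse_acl(text: str) -> list:
    """Parse dovecot-acl lines; comments and blank lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Fields must be separated by exactly one space (see the note above).
        if "\t" in line or "  " in line:
            raise AclFormatError(f"line {lineno}: separate fields with a single space")
        fields = line.split(" ")
        ident = fields[0]
        acls = fields[1] if len(fields) > 1 else ""   # missing rights = no access
        named = tuple(fields[2:])
        category, name = ident.split("=", 1) if "=" in ident else (ident, "")
        if category not in PRECEDENCE or (category in NAMED_IDENTIFIERS) != bool(name):
            raise AclFormatError(f"line {lineno}: unknown identifier {ident!r}")
        unknown = set(acls) - RIGHTS.keys()
        if unknown:
            raise AclFormatError(f"line {lineno}: unknown right(s) {''.join(sorted(unknown))!r}")
        entries.append(AclEntry(category, name, frozenset(acls), named))
    return entries


def resolve_rights(entries, user, groups=(), is_owner=False, authenticated=True) -> frozenset:
    """Effective rights: the highest-precedence matching category decides.

    Entries of the same category that all match (e.g. two of the user's groups)
    are unioned; that merge rule is this example's assumption.
    """
    matched = {}
    for e in entries:
        if (
            (e.category in ("group", "group-override") and e.name in groups)
            or (e.category == "user" and e.name == user)
            or (e.category == "owner" and is_owner)
            or (e.category == "authenticated" and authenticated)
            or e.category == "anyone"
        ):
            matched.setdefault(e.category, set()).update(e.rights)
    for category in PRECEDENCE:
        if category in matched:
            return frozenset(matched[category])
    return frozenset()


# Constructed sample dovecot-acl file (not from the page).
SAMPLE_ACL = """\
# staff may list and read; timo additionally writes; carol loses access;
# anyone in tempdisabled is locked out regardless of other entries
group=staff lr
user=timo rw
user=carol
group-override=tempdisabled
anyone l
"""

if __name__ == "__main__":
    entries = parse_acl(SAMPLE_ACL)
    for who, grp in (("timo", ("staff",)), ("timo", ("staff", "tempdisabled")),
                     ("alice", ("staff",)), ("carol", ("staff",)), ("bob", ())):
        rights = resolve_rights(entries, who, grp)
        print(f"{who:6} {sorted(grp)!s:24} -> {''.join(sorted(rights)) or '(no access)'}")
    print("full rights:", ", ".join(describe(FULL_RIGHTS)))
```

Run it directly to see each sample user's effective rights; feed `parse_acl` a real dovecot-acl file's contents to lint it for tab-separated fields or unknown right letters before deploying it.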


ACL cache (dovecot-acl-list)


The dovecot-acl-list file lists all mailboxes that have "l" rights assigned.

If you manually add or edit dovecot-acl files, you may need to delete dovecot-acl-list to make the affected mailboxes visible again.