dovecot - public, shared folder





dovecot v2.x


Public Mailboxes

Public mailboxes are created by defining a public namespace and creating the wanted mailboxes under it.


mail_plugins = ... acl

protocol imap {
    mail_plugins = ... imap_acl
}

plugin {
  acl = vfile
  acl_shared_dict = proxy::acl
}

dict {
  acl = mysql:/etc/dovecot/dovecot-share-folder.conf
}

namespace {
    type = shared
    separator = /
    prefix = Shared/%%u/
    location = maildir:%%Lh/Maildir/:INDEX=%%Lh/Maildir/Shared/%%Ld/%%Ln

    # Whether this namespace handles its own subscriptions.
    subscriptions = yes
    list = children
}


# /etc/dovecot/dovecot-share-folder.conf (the file referenced by the dict block)
connect = host= port=3306 dbname=vmail user=vmailadmin password=xxxxxxxxxxxxxx
map {
    pattern = shared/shared-boxes/user/$to/$from
    table = share_folder
    value_field = dummy

    fields {
        from_user = $from
        to_user = $to
    }
}

# To share a mailbox with anyone, uncomment 'acl_anyone = allow' in
# dovecot.conf
map {
    pattern = shared/shared-boxes/anyone/$from
    table = anyone_shares
    value_field = dummy
    fields {
        from_user = $from
    }
}


list = children: if no one has shared mailboxes with the user, the "shared" directory is not listed by the LIST command.
(To make it always visible, set list = yes.)


%%h: the user's home directory, which is requested from the auth process via the auth-userdb socket.


Dirty Shared Folder


ln -s /home/user2/Maildir/.Work /home/user1/Maildir/.shared.user2

ln -s /home/user3/Maildir/.Work /home/user1/Maildir/.shared.user3

With Maildir++ layout it's not possible to automatically share "mailbox and its children".

You'll need to symlink each mailbox separately.



Set ACL By telnet


  • MYRIGHTS <mailbox>: Returns the user's current rights to the mailbox.

  • GETACL <mailbox>: Returns all of the mailbox's ACLs.

  • SETACL <mailbox> <id> [+|-]<rights>: Give <id> the specified rights to the mailbox.

  • DELETEACL <mailbox> [-]<id>: Delete <id>'s ACL from the mailbox.


# Share folder `Sent` with user,
# with permissions: read (r), lookup (l) and insert (i).

telnet localhost 143

. login <user> passwd
. OK [... ACL ..] Logged in
. SETACL Sent <id> rli

After you share a folder with the SETACL command, Dovecot inserts a record into the MySQL database.


Set ACL By Roundcube Plugin


* Roundcubemail has an official plugin, acl, to manage mailbox sharing.


// Set to an empty array to exclude all special ACL subjects.
//$config['acl_specials'] = array('anyone', 'anonymous');



ACL backend


The ACL code was written to allow multiple ACL backends,
but currently Dovecot supports only virtual ACL files.

Note that using ACLs doesn't grant mail processes any filesystem permissions that they don't already have.
You must make sure that the processes have enough permissions to access the mailboxes.


ACL vfile backend

The vfile backend supports per-mailbox ACLs and global ACLs.
Per-mailbox ACLs are stored in a file named dovecot-acl, which exists in:
maildir: The Maildir's mail directory (e.g. ~/Maildir, ~/Maildir/.folder/)

<identifier> <ACLs>
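
An added example (not from the original notes and not Dovecot's own code): a small Python parser for the `<identifier> <ACLs>` lines of a dovecot-acl file that reports grants giving the catch-all identifiers anyone, anonymous or authenticated more than lookup and read. The sample contents are constructed, and identifiers are assumed to contain no spaces.

```python
# Added example: audit the "<identifier> <ACLs>" lines of a dovecot-acl file.
RIGHTS = {
    "l": "lookup", "r": "read", "w": "write", "s": "write-seen",
    "t": "write-deleted", "i": "insert", "p": "post", "e": "expunge",
    "k": "create", "x": "delete", "a": "admin",
}
BROAD_IDS = {"anyone", "anonymous", "authenticated"}  # each matches many users
READ_ONLY = set("lr")                                 # lookup + read

# Constructed sample contents, not taken from a real mailbox.
SAMPLE = """\
owner lrwstipekxa
user=user1 rli
anyone lr
authenticated lrwi
-user=user3 r
"""


def parse_acl(text):
    """Return (identifier, is_negative, set_of_right_letters) per line."""
    entries = []
    for raw in text.splitlines():
        ident, _, rest = raw.strip().partition(" ")
        if not ident:
            continue                                  # blank line
        letters = set(rest.split(":", 1)[0].strip())  # drop ":named rights"
        unknown = letters - set(RIGHTS)
        if unknown:
            raise ValueError(f"unknown rights {sorted(unknown)} in {raw!r}")
        negative = ident.startswith("-")              # "-id" removes rights
        entries.append((ident[1:] if negative else ident, negative, letters))
    return entries


def risky_entries(text):
    """Positive grants that give a broad identifier more than lookup/read."""
    findings = []
    for ident, negative, letters in parse_acl(text):
        extra = letters - READ_ONLY
        if not negative and ident in BROAD_IDS and extra:
            findings.append((ident, sorted(RIGHTS[c] for c in extra)))
    return findings


if __name__ == "__main__":
    for ident, rights in risky_entries(SAMPLE):
        print(f"{ident}: {', '.join(rights)}")
```
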


List cache(dovecot-acl-list)

Location: Maildir/dovecot-acl-list

Format: Size FolderName

The dovecot-acl-list file lists all mailboxes that have "l" rights assigned. If you manually add or edit dovecot-acl files, you may need to delete dovecot-acl-list to make the mailboxes visible.





doveadm acl debug -u user@domain shared/user/box