DOVEADM-ACL

Section: Dovecot (1)
Updated: February 2026
 

NAME

doveadm-acl - Manage Access Control List (ACL)

SYNOPSIS

doveadm [GLOBAL OPTIONS] acl command [OPTIONS] [ARGUMENTS]

DESCRIPTION

The doveadm acl COMMANDS can be used to execute various Access Control List related actions.  

GLOBAL OPTIONS

Global doveadm(1) options:

-D

Enables verbosity and debug messages.

-O

Do not read any config file, just use defaults. The dovecot_storage_version setting defaults to the latest version, but can be overridden with

-k

Preserve entire environment for doveadm, not just import_environment setting.

-v

Enables verbosity, including progress counter.

-i instance-name

If using multiple Dovecot instances, choose the config file based on this instance name. See instance_name setting for more information.

-c config-file

Read configuration from the given config-file. By default it first reads the config socket, and then falls back to /etc/dovecot/dovecot.conf. You can also point this to the config socket of some instance running a compatible version.

-o setting=value

Overrides the configuration setting from /etc/dovecot/dovecot.conf and from the userdb with the given value. In order to override multiple settings, the -o option may be specified multiple times.

-f formatter

Specifies the formatter for formatting the output. Supported formatters are:

flow

prints each line with key=value pairs.

json

prints a JSON array of JSON objects.

pager

prints each key: value pair on its own line and separates records with form feed character (^L).

tab

prints a table header followed by tab separated value lines.

table

prints a table header followed by adjusted value lines.

This command uses by default the output formatter table.  

OPTIONS

-A

If the -A option is present, the command will be performed for all users. Using this option in combination with system users from userdb { driver = passwd } is not recommended, because it also contains users with a lower UID than the one configured with the first_valid_uid setting. When the SQL userdb module is used, make sure that the userdb_sql_iterate_query setting matches your database layout. When using the LDAP userdb module, make sure that the userdb_fields and userdb_ldap_iterate_fields settings match your LDAP schema. Otherwise doveadm(1) will be unable to iterate over all users.

-F file

Execute the command for all the users in the file. This is similar to the -A option, but instead of getting the list of users from the userdb, they are read from the given file. The file contains one username per line.

--no-userdb-lookup

Do not perform userdb lookup. Use the USER environment variable to specify the username.

-S socket_path

The option's argument is either an absolute path to a local UNIX domain socket, or a hostname and port (hostname:port), in order to connect to a remote host via a TCP socket. This allows an administrator to execute doveadm(1) mail commands through the given socket.

-u user/mask

Run the command only for the given user. It's also possible to use '*' and '?' wildcards (e.g. -u *@example.org).

 

ARGUMENTS

id

The id (identifier) is one of:

* group-override=group_name
* user=user_name
* owner
* group=group_name
* authenticated
* anyone
* anonymous, which is an alias for anyone

The ACLs are processed in the precedence given above, so for example if you have given read-access to a group, you can still remove that from specific users inside the group. Group-override identifier allows you to override users' ACLs. Probably the most useful reason to do this is to temporarily disable access for some users. For example:

user=timo rw
group-override=tempdisabled

Now if timo is a member of the tempdisabled group, he has no access to the mailbox. This wouldn't be possible with a normal group identifier, because the user=timo would override it.

mailbox

The name of the mailbox, for which the ACL manipulation should be done. It's also possible to use the wildcard characters "*" and/or "?" in the mailbox name.

right

Dovecot ACL right name. This isn't the same as the IMAP ACL letters, which aren't currently supported. Here is a mapping of the IMAP ACL letters to Dovecot ACL names:

l -> lookup : Mailbox is visible in mailbox list. Mailbox can be subscribed to.

r -> read : Mailbox can be opened for reading.

w -> write : Message flags and keywords can be changed, except \Seen and \Deleted.

s -> write-seen : \Seen flag can be changed.

t -> write-deleted : \Deleted flag can be changed.

i -> insert : Messages can be written or copied to the mailbox.

p -> post : Messages can be posted to the mailbox by dovecot-lda, e.g. from Sieve scripts.

e -> expunge : Messages can be expunged.


 (but not necessarily under its children, see acl_inheritance. Note: Renaming also requires the delete right.

x -> delete : Mailbox can be deleted.

a -> admin : Administration rights to the mailbox (currently: ability to change ACLs for mailbox).

 

COMMANDS

 

acl add

doveadm [GLOBAL OPTIONS] acl add [-u user | -A | -F file | --no-userdb-lookup] [-S socket_path] mailbox id right [right ...]

Add ACL rights to the mailbox/id. If the id already exists, the existing rights are preserved.

acl debug

doveadm [GLOBAL OPTIONS] acl debug [-u user | -A | -F file | --no-userdb-lookup] [-S socket_path] mailbox

This command can be used to debug why a shared mailbox isn't accessible to the user. It will list exactly what the problem is.

acl delete

doveadm [GLOBAL OPTIONS] acl delete [-u user | -A | -F file | --no-userdb-lookup] [-S socket_path] mailbox id

Remove the whole ACL entry for the mailbox/id.

acl get

doveadm [GLOBAL OPTIONS] acl get [-u user | -A | -F file | --no-userdb-lookup] [-S socket_path] [-m] mailbox

Show all the ACLs for the mailbox.

-m

Only show ACLs that match the mailbox.
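The following audit sketch is an added example, not part of the Dovecot manual. It reads acl get output in the tab formatter and flags the catch-all identifiers (anyone, anonymous, authenticated), admin rights held by non-owners, and empty group-override entries. The column layout (ID, Global, Rights with space-separated right names) is an assumption, and the sample rows are constructed.

```shell
#!/bin/sh
# Added example: audit tab-formatted `doveadm -f tab acl get` output.
# Assumption (not stated on this page): columns are ID <TAB> Global <TAB> Rights,
# with the right names in the last column separated by spaces.

# Constructed sample rows for one shared mailbox; not captured from a real server.
sample_acl_get() {
    printf 'ID\tGlobal\tRights\n'
    printf 'owner\t\tlookup read write write-seen write-deleted insert post expunge delete admin\n'
    printf 'user=timo\t\tlookup read write\n'
    printf 'group=staff\t\tlookup read admin\n'
    printf 'authenticated\t\tlookup read insert\n'
    printf 'anyone\t\tlookup\n'
    printf 'group-override=tempdisabled\t\t\n'
}

# audit_acl: read tab-formatted ACL rows on stdin, print one finding per line.
audit_acl() {
    awk -F '\t' '
    NR == 1 { next }                          # skip the table header
    {
        id = $1
        rights = " " $3 " "                   # pad so whole right names can be matched
        broad = (id == "anyone" || id == "anonymous" || id == "authenticated")
        if (broad && rights ~ / (write|write-seen|write-deleted|insert|expunge|delete|admin) /)
            print "HIGH " id ": modifying rights for a catch-all identifier"
        else if (broad)
            print "INFO " id ": catch-all identifier has [" $3 "]"
        if (id != "owner" && rights ~ / admin /)
            print "WARN " id ": can change ACLs (admin)"
        if (id ~ /^group-override=/ && $3 == "")
            print "INFO " id ": empty override, members lose all access"
    }'
}

# Stand-alone run over the constructed sample.
sample_acl_get | audit_acl
```

Against a live server the function would read from doveadm -f tab acl get -u user mailbox instead of the sample.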

 

acl recalc

doveadm [GLOBAL OPTIONS] acl recalc [-u user | -A | -F file | --no-userdb-lookup] [-S socket_path]

Make sure the user's shared mailboxes exist correctly in the acl_sharing_map.

acl remove

doveadm [GLOBAL OPTIONS] acl remove [-u user | -A | -F file | --no-userdb-lookup] [-S socket_path] mailbox id right [right ...]

Remove the specified ACL rights from the mailbox/id. If all rights are removed, the entry still exists without any rights.

acl rights

doveadm [GLOBAL OPTIONS] acl rights [-u user | -A | -F file | --no-userdb-lookup] [-S socket_path] mailbox

Show the user's current ACL rights for the mailbox.

acl set

doveadm [GLOBAL OPTIONS] acl set [-u user | -A | -F file | --no-userdb-lookup] [-S socket_path] mailbox id right [right ...]

Set ACL rights to the mailbox/id. If the id already exists, the existing rights are replaced.

REPORTING BUGS

Report bugs, including doveconf -n output, to the Dovecot Mailing List <dovecot@dovecot.org>. Information about reporting bugs is available at: https://dovecot.org/bugreport.html

SEE ALSO

doveadm(1)

Additional resources:

* acl_inheritance


 
