
Manual Reference Pages  -  DOVEADM-ACL (1)


doveadm-acl - Manage Access Control List (ACL)




doveadm [-Dv] [-f formatter] acl command [OPTIONS] [ARGUMENTS]


The doveadm acl COMMANDS can be used to execute various Access Control List related actions.


Global doveadm(1) options:
-D Enables verbosity and debug messages.
-f formatter
  Specifies the formatter for formatting the output. Supported formatters are:
flow prints each line with key=value pairs.
pager prints each key: value pair on its own line and separates records with form feed character (^L).
tab prints a table header followed by tab separated value lines.
table prints a table header followed by adjusted value lines.
-o setting=value
  Overrides the configuration setting from /usr/local/etc/dovecot/dovecot.conf and from the userdb with the given value. In order to override multiple settings, the -o option may be specified multiple times.
-v Enables verbosity, including progress counter.
By default, this command uses the table output formatter.
Command specific options:
-A If the -A option is present, the command will be performed for all users. Using this option in combination with system users from userdb { driver = passwd } is not recommended, because it also contains users with a lower UID than the one configured with the first_valid_uid setting.

When the SQL userdb module is used make sure that the iterate_query setting in /usr/local/etc/dovecot/dovecot-sql.conf.ext matches your database layout. When using the LDAP userdb module, make sure that the iterate_attrs and iterate_filter settings in /usr/local/etc/dovecot/dovecot-ldap.conf.ext match your LDAP schema. Otherwise doveadm(1) will be unable to iterate over all users.

-F file Execute the command for all the users in the file. This is similar to the -A option, but instead of getting the list of users from the userdb, they are read from the given file. The file contains one username per line.
-S socket_path
  The option's argument is either an absolute path to a local UNIX domain socket, or a hostname and port (hostname:port), in order to connect to a remote host via a TCP socket.

This allows an administrator to execute doveadm(1) mail commands through the given socket.

-u user/mask
  Run the command only for the given user. It's also possible to use '*' and '?' wildcards (e.g. -u *
When neither the -A option, nor the -F file option, nor the -u user was specified, the command will be executed with the environment of the currently logged in user.


id The id (identifier) is one of:
* group-override=group_name
* user=user_name
* owner
* group=group_name
* authenticated
* anyone (or anonymous, which is an alias for anyone)

The ACLs are processed in the precedence given above, so for example if you have given read-access to a group, you can still remove that from specific users inside the group.
The group-override identifier allows you to override users' ACLs. Probably the most useful reason to do this is to temporarily disable access for some users. For example:

user=timo rw

Now if timo is a member of the tempdisabled group, he has no access to the mailbox. This wouldn't be possible with a normal group identifier, because the user=timo would override it.

mailbox
  The name of the mailbox for which the ACL manipulation should be done. It's also possible to use the wildcard characters "*" and/or "?" in the mailbox name.
right Dovecot ACL right name. This isn't the same as the IMAP ACL letters, which aren't currently supported. Here is a mapping of the IMAP ACL letters to Dovecot ACL names:
l -> lookup
  Mailbox is visible in mailbox list. Mailbox can be subscribed to.
r -> read
  Mailbox can be opened for reading.
w -> write
  Message flags and keywords can be changed, except \Seen and \Deleted.
s -> write-seen
  \Seen flag can be changed.
t -> write-deleted
  \Deleted flag can be changed.
i -> insert
  Messages can be written or copied to the mailbox.
p -> post
  Messages can be posted to the mailbox by dovecot-lda, e.g. from Sieve scripts.
e -> expunge
  Messages can be expunged.
k -> create
  Mailboxes can be created/renamed directly under this mailbox (but not necessarily under its children, see ACL Inheritance in the wiki).
Note: Renaming also requires the delete right.
x -> delete
  Mailbox can be deleted.
a -> admin
  Administration rights to the mailbox (currently: ability to change ACLs for mailbox).


    acl add

doveadm acl add [-u user|-A|-F file] [-S socket_path] mailbox id right [right ...]

Add ACL rights to the mailbox/id. If the id already exists, the existing rights are preserved.

    acl debug

doveadm acl debug [-u user|-A|-F file] [-S socket_path] mailbox

This command can be used to debug why a shared mailbox isn't accessible to the user. It will list exactly what the problem is.

    acl delete

doveadm acl delete [-u user|-A|-F file] [-S socket_path] mailbox id

Remove the whole ACL entry for the mailbox/id.

    acl get

doveadm acl get [-u user|-A|-F file] [-S socket_path] [-m] mailbox

Show all the ACLs for the mailbox.

    acl recalc

doveadm acl recalc [-u user|-A|-F file] [-S socket_path]

Make sure the user's shared mailboxes exist correctly in the acl_shared_dict.

    acl remove

doveadm acl remove [-u user|-A|-F file] [-S socket_path] mailbox id right [right ...]

Remove the specified ACL rights from the mailbox/id. If all rights are removed, the entry still exists without any rights.

    acl rights

doveadm acl rights [-u user|-A|-F file] [-S socket_path] mailbox

Show the user's current ACL rights for the mailbox.

    acl set

doveadm acl set [-u user|-A|-F file] [-S socket_path] mailbox id right [right ...]

Set ACL rights to the mailbox/id. If the id already exists, the existing rights are replaced.
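
An audit built on acl get and the tab formatter, as an added example that is not part of the original manual page: it flags the broad identifiers (authenticated, anyone, anonymous) when they hold rights that change or destroy mail or ACLs. The column layout (ID, Global, Rights, with space-separated rights), the sample entries and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the man page: audit ACL entries listed by
# `doveadm -f tab acl get` for broad identifiers holding risky rights.
# ASSUMPTION: the tab output has the columns ID, Global, Rights and the
# rights are separated by spaces. Check this against your Dovecot version.

# Constructed sample output for a hypothetical shared mailbox.
sample_acl() {
  printf 'ID\tGlobal\tRights\n'
  printf 'user=timo\t\tlookup read write\n'
  printf 'group=staff\t\tlookup read write-seen insert\n'
  printf 'authenticated\t\tlookup read expunge\n'
  printf 'anyone\t\tlookup read admin\n'
}

# Reads tab-formatted ACL lines on stdin and prints "id<TAB>right" for
# each risky right held by authenticated, anyone or anonymous.
# write-seen and post are treated as low impact here; adjust to policy.
audit_acl() {
  awk -F '\t' '
    NR == 1 { next }                      # skip the table header
    $1 == "authenticated" || $1 == "anyone" || $1 == "anonymous" {
      n = split($3, r, " ")
      for (i = 1; i <= n; i++)
        if (r[i] ~ /^(write|write-deleted|insert|expunge|create|delete|admin)$/)
          printf "%s\t%s\n", $1, r[i]
    }'
}

# Against a live server (user and mailbox are placeholders):
#   doveadm -f tab acl get -u "$user" "$mailbox" | audit_acl
findings=$(sample_acl | audit_acl)
printf '%s\n' "$findings"
```

A finding can then be corrected with acl remove for the single right, or acl delete for the whole entry, as described above.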


Report bugs, including doveconf -n output, to the Dovecot Mailing List <>. Information about reporting bugs is available at:


doveadm(1), dovecot-lda(1)

Additional resources:
ACL Inheritance


Dovecot v2.2 DOVEADM-ACL (1) 2015-05-09
