DOVEADM-ACL(1)                      Dovecot                      DOVEADM-ACL(1)

NAME
       doveadm-acl - Manage Access Control List (ACL)

SYNOPSIS
       doveadm [GLOBAL OPTIONS] acl command [OPTIONS] [ARGUMENTS]

DESCRIPTION
       The  doveadm  acl COMMANDS can be used to execute various Access Control
       List related actions.

GLOBAL OPTIONS
       Global doveadm(1) options:

       -D

           Enables verbosity and debug messages.

       -O

           Do not read any config file, just use defaults. The
           dovecot_storage_version setting defaults to the latest version, but
           can be overridden with

       -k

           Preserve entire environment for doveadm, not just import_environment
           setting.

       -v

           Enables verbosity, including progress counter.

       -i instance-name

           If using multiple Dovecot instances, choose the config file based on
           this instance name.

           See instance_name setting for more information.

       -c config-file

           Read configuration from the given config-file. By default it first
           reads the config socket, and then falls back to
           /etc/dovecot/dovecot.conf. You can also point this to the config
           socket of some instance running a compatible version.

       -o setting=value

           Overrides the configuration setting  from  /etc/dovecot/dovecot.conf
           and  from the userdb with the given value. In order to override mul-
           tiple settings, the -o option may be specified multiple times.

       -f formatter

           Specifies the formatter for formatting the output. Supported format-
           ters are:

           flow

               prints each line with key=value pairs.

           pager

               prints each key: value pair on its own line and separates
               records with form feed character (^L).

           tab

               prints a table header followed by tab separated value lines.

           table

               prints a table header followed by adjusted value lines.

           This command uses by default the output formatter table.

OPTIONS
       -A

           If the -A option is present, the command will be performed for all
           users. Using this option in combination with system users from
           userdb { driver = passwd } is not recommended, because it also
           contains users with a lower UID than the one configured with the
           first_valid_uid setting.

           When the SQL userdb module is used, make sure that the
           userdb_sql_iterate_query setting matches your database layout.

           When using the LDAP userdb module, make sure that the userdb_fields
           and userdb_ldap_iterate_fields settings match your LDAP schema.
           Otherwise doveadm(1) will be unable to iterate over all users.

       -F file

           Execute  the  command for all the users in the file. This is similar
           to the -A option, but instead of getting the list of users from  the
           userdb,  they  are  read  from the given file. The file contains one
           username per line.

       --no-userdb-lookup

           Do not perform userdb lookup. Use the USER environment  variable  to
           specify the username.

       -S socket_path

           The option's argument is either an absolute path to a local UNIX
           domain socket, or a hostname and port (hostname:port), in order to
           connect to a remote host via a TCP socket.

           This allows an administrator to  execute  doveadm(1)  mail  commands
           through the given socket.

       -u user/mask

           Run  the  command only for the given user. It's also possible to use
           '*' and '?' wildcards (e.g. -u *@example.org).

ARGUMENTS
       id

           The id (identifier) is one of:

               •   group-override=group_name

               •   user=user_name

               •   owner

               •   group=group_name

               •   authenticated

               •   anyone

               •   anonymous, which is an alias for anyone

       The ACLs are processed in the precedence given above, so for example  if
       you  have  given  read-access to a group, you can still remove that from
       specific users inside the group.

       Group-override identifier allows you to override users'  ACLs.  Probably
       the  most  useful reason to do this is to temporarily disable access for
       some users. For example:

         user=timo rw
         group-override=tempdisabled

       Now if timo is a member of the tempdisabled group, he has no  access  to
       the  mailbox.  This wouldn't be possible with a normal group identifier,
       because the user=timo would override it.
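
       The precedence rule above, as an added example that is not part of
       the original manual page or of Dovecot's code. The staff group, the
       function names and the tie-breaking rule are assumptions of this
       model; rights are kept as opaque strings exactly as written in the
       page's example lines.

```python
# Added example: simplified model of the precedence rule described above.
# Not Dovecot's code; negative rights and ACL inheritance are ignored.

# Identifier kinds in the order listed on this page, highest precedence first.
PRECEDENCE = ["group-override", "user", "owner", "group", "authenticated", "anyone"]


def parse_entries(text):
    """Parse '<id> [rights]' lines such as 'user=timo rw' into (kind, name, rights)."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        kind, _, name = fields[0].partition("=")
        kind = "anyone" if kind == "anonymous" else kind  # alias, per this page
        if kind not in PRECEDENCE:
            raise ValueError(f"unknown identifier: {fields[0]}")
        entries.append((kind, name, fields[1] if len(fields) > 1 else ""))
    return entries


def applies(kind, name, user, groups, is_owner):
    """Does an entry of this kind and name cover the given user?"""
    if kind in ("group-override", "group"):
        return name in groups
    if kind == "user":
        return name == user
    if kind == "owner":
        return is_owner
    return True  # authenticated / anyone: the user is assumed to be logged in


def effective_rights(entries, user, groups=(), is_owner=False):
    """Return (deciding identifier kind, rights) from the highest-precedence match.

    Model assumptions: among matches of the same kind the first listed entry
    wins, and a user with no matching entry gets no rights.
    """
    hits = [e for e in entries if applies(e[0], e[1], user, groups, is_owner)]
    if not hits:
        return (None, "")
    kind, _, rights = min(hits, key=lambda e: PRECEDENCE.index(e[0]))
    return (kind, rights)


# Constructed sample built around the page's two example lines.
SAMPLE = parse_entries("user=timo rw\ngroup=staff lr\ngroup-override=tempdisabled\n")
```
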

       mailbox

           The name of the mailbox, for which the ACL  manipulation  should  be
           done.  It's  also possible to use the wildcard characters "*" and/or
           "?" in the mailbox name.

       right

           Dovecot ACL right name. This isn't the same as the IMAP ACL letters,
           which aren't currently supported.

           Here is a mapping of the IMAP ACL letters to Dovecot ACL names:

           l -> lookup : Mailbox is visible in mailbox list. Mailbox can be
           subscribed to.

           r -> read : Mailbox can be opened for reading.

           w -> write : Message flags and keywords can be changed, except \Seen
           and \Deleted.

           s -> write-seen : \Seen flag can be changed.

           t -> write-deleted : \Deleted flag can be changed.

           i -> insert : Messages can be written or copied to the mailbox.

           p -> post : Messages can be posted to the  mailbox  by  dovecot-lda,
           e.g. from Sieve scripts.

           e -> expunge : Messages can be expunged.

            (but not necessarily under its children, see acl_inheritance. Note:
           Renaming also requires the delete right.

           x -> delete : Mailbox can be deleted.

           a  -> admin : Administration rights to the mailbox (currently: abil-
           ity to change ACLs for mailbox).

COMMANDS
   acl add
       doveadm [GLOBAL OPTIONS] acl add [-u user | -A | -F file |
       --no-userdb-lookup] [-S socket_path] mailbox id right [right ...]

       Add ACL rights to the mailbox/id. If the id already exists, the existing
       rights are preserved.

   acl debug
       doveadm [GLOBAL OPTIONS] acl debug [-u user | -A | -F file |
       --no-userdb-lookup] [-S socket_path] mailbox

       This command can be used to debug why a shared mailbox isn't  accessible
       to the user. It will list exactly what the problem is.

   acl delete
       doveadm [GLOBAL OPTIONS] acl delete [-u user | -A | -F file |
       --no-userdb-lookup] [-S socket_path] mailbox id

       Remove the whole ACL entry for the mailbox/id.

   acl get
       doveadm [GLOBAL OPTIONS] acl get [-u user | -A | -F file |
       --no-userdb-lookup] [-S socket_path] [-m] mailbox

       Show all the ACLs for the mailbox.

       -m

           Only show ACLs that match the mailbox.

   acl recalc
       doveadm [GLOBAL OPTIONS] acl recalc [-u user | -A | -F file |
       --no-userdb-lookup] [-S socket_path]

       Make sure the user's shared mailboxes exist correctly in the
       acl_sharing_map.

   acl remove
       doveadm [GLOBAL OPTIONS] acl remove [-u user | -A | -F file |
       --no-userdb-lookup] [-S socket_path] mailbox id right [right ...]

       Remove the specified ACL rights from the mailbox/id. If all  rights  are
       removed, the entry still exists without any rights.

   acl rights
       doveadm [GLOBAL OPTIONS] acl rights [-u user | -A | -F file |
       --no-userdb-lookup] [-S socket_path] mailbox

       Show the user's current ACL rights for the mailbox.

   acl set
       doveadm [GLOBAL OPTIONS] acl set [-u user | -A | -F file |
       --no-userdb-lookup] [-S socket_path] mailbox id right [right ...]

       Set ACL rights to the mailbox/id. If the id already exists, the existing
       rights are replaced.
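
       A least-privilege review of acl get output captured with the tab
       formatter (doveadm -f tab acl get ...), as an added example that is
       not part of the original manual page. The header names ID, Global
       and Rights are an assumption about the formatter's output, the rows
       are constructed, and the review rules are this example's own.

```python
# Added example: flag broad or ACL-changing grants in tab-formatter output.
# Header names in SAMPLE are an assumption; the rows are constructed.

BROAD_IDS = {"anyone", "anonymous", "authenticated"}
READ_ONLY = {"lookup", "read"}  # right names from the mapping on this page


def parse_tab(output):
    """Turn tab-formatter output (header line + rows) into dicts keyed by header."""
    lines = [ln for ln in output.splitlines() if ln.strip()]
    header = [h.strip().lower() for h in lines[0].split("\t")]
    rows = []
    for ln in lines[1:]:
        cells = ln.split("\t")
        cells += [""] * (len(header) - len(cells))  # tolerate missing trailing cells
        rows.append(dict(zip(header, cells)))
    return rows


def review(output):
    """Return (id, reason) findings for grants that deserve a second look."""
    findings = []
    for row in parse_tab(output):
        ident = row["id"]
        rights = set(row["rights"].split())
        extra = sorted(rights - READ_ONLY)
        if ident in BROAD_IDS and extra:
            # Everyone, or every logged-in user, can do more than list and read.
            findings.append((ident, "broad identifier can " + ", ".join(extra)))
        elif "admin" in rights and ident != "owner":
            # admin lets the holder change the mailbox ACLs.
            findings.append((ident, "non-owner can change ACLs (admin)"))
    return findings


SAMPLE = (
    "ID\tGlobal\tRights\n"
    "owner\t\tlookup read write write-seen write-deleted insert expunge delete admin\n"
    "user=timo\t\tlookup read write admin\n"
    "group=staff\t\tlookup read\n"
    "authenticated\t\tlookup read insert\n"
    "anyone\t\tlookup\n"
)
```
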

REPORTING BUGS
       Report bugs, including doveconf -n output, to the Dovecot Mailing List
       <dovecot@dovecot.org>. Information about reporting bugs is available at:
       https://dovecot.org/bugreport.html

SEE ALSO
       doveadm(1)

       Additional resources:

       •   acl_inheritance

78ffb79                            March 2025                    DOVEADM-ACL(1)