Setting ACLs on IMAP folders – Not just for administrators

In my last post I discussed what IMAP ACLs are implemented by MDaemon, and a little about how they work. In this post I want to make everyone aware of the ways that ACLs can be managed.

ACLs can be changed a number of different ways, not only by administrators using the MDaemon interface. ACLs can be changed using any of the following methods:

  • The MDaemon GUI, under public folders or from within the user editor.
  • The WebAdmin GUI, in similar locations.
  • WorldClient allows users to share folders and set permissions.
  • Outlook Connector allows users to share folders and set permissions.
  • Any IMAP client can be used to set permissions.
  • You can even change ACLs by using “telnet” to connect to the IMAP server.

This is significant as it allows any user to share their own IMAP folders out to other users. Note that only users who have the “administer” ACL or are a WebAdmin domain admin or global administrator can change ACLs.

To understand how to change rights, I have lifted the following information from RFC2086 – IMAP4 ACL extension

To set ACLs, use the SETACL command:

4.1. SETACL

Arguments: mailbox name
authentication identifier
access right modification

Data: no specific data for this command

Result: OK – setacl completed
NO – setacl failure: can’t set acl
BAD – command unknown or arguments invalid

The SETACL command changes the access control list on the specified mailbox so that the specified identifier is granted permissions as specified in the third argument.

The third argument is a string containing an optional plus (“+”) or minus (“-“) prefix, followed by zero or more rights characters. If the string starts with a plus, the following rights are added to any existing rights for the identifier. If the string starts with a minus, the following rights are removed from any existing rights for the identifier. If the string does not start with a plus or minus, the rights replace any existing rights for the identifier.

To retrieve ACLs on existing folders, use GETACL:

4.3. GETACL

Arguments: mailbox name

Data: untagged responses: ACL

Result: OK – getacl completed
NO – getacl failure: can’t get acl
BAD – command unknown or arguments invalid

The GETACL command returns the access control list for mailbox in an untagged ACL reply.

Example: C: A002 GETACL INBOX
S: * ACL INBOX Fred rwipslda
S: A002 OK Getacl complete

For more information and a few additional commands, please do read RFC2086 – IMAP4 ACL extension

CC BY-NC-ND 4.0 Setting ACLs on IMAP folders – Not just for administrators by Dave Warren (everything-mdaemon.com) is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.

2 Replies to “Setting ACLs on IMAP folders – Not just for administrators”

  1. hi
    Many thanks
    But i am having some little config problem
    i create IMAP “Mail” folder for a user but do not want it to be deleted . However i want user to be able to ” Empty all” mail in that created folder

    Can you help

  2. IMAP ACLs are relatively limited, although I don’t actually recall if the delete permission allows the folder to be deleted, it might not as this might need the admin permission. Test and see?

Leave a Reply

Your email address will not be published. Required fields are marked *

*

This site uses Akismet to reduce spam. Learn how your comment data is processed.