Hi there!

I can't get ACL working for master users. Login as master user works fine 
though, and I am able to access any mailbox using the 
auth_master_user_separator "*", tested e.g. via Python's imaplib:

>>> import imaplib
>>> imap = imaplib.IMAP4_SSL('imap.example.com')
>>> imap.login('f...@example.com*admin-acldemo', '**********')
('OK', [b'Logged in'])

My /etc/dovecot/dovecot-acl looks like this:

* user=admin lr
b...@example.com user=admin-acldemo lr

So, if I didn't misunderstand 
https://wiki.dovecot.org/Authentication/MasterUsers and 
https://wiki.dovecot.org/ACL documentation, this should only give the "admin" 
master user access to all mail accounts and limit the "admin-acldemo" master 
user to only a single mail account.
But no matter what I put into dovecot-acl (it could even be empty), master 
users always have access to all existing mailaccounts. The whole dovecot-acl 
seems to be ignored and there are no logs pointing to any problem (syntax, 
access permissions) with that file.

In mail.log I am getting a successful login message:

dovecot: imap-login: Login: user=<f...@example.com>, method=PLAIN, rip=..., 
lip=..., mpid=42371, TLS, session=<T9GKEuyPKGxRPtGS>

My current setup (relevant config options):

# 2.3.7.1 (0152c8b10): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.7.1 (db5c74be)
# OS: Linux 4.15.18-18-pve x86_64 Debian 9.9 
auth_master_user_separator = *
mail_plugins = quota acl
passdb {
  args = /etc/dovecot/passwd.masterusers
  driver = passwd-file
  master = yes
  pass = yes
}
plugin {
  acl = vfile:/etc/dovecot/dovecot-acl
  acl_user = %u
  master_user = %u
}
protocol lmtp {
  mail_plugins = quota acl sieve
}
protocol lda {
  mail_plugins = quota acl sieve
}
protocol imap {
  mail_plugins = quota acl imap_acl imap_quota
}

On ACL documentation it says:

> Note that master users have their own ACLs. They're not the mailbox 
> owners, so by default they have no permissions to any of the mailboxes

and on Authentication/MasterUsers documentation:

> If ACL plugin is enabled, the Master user is still subject to ACLs just like 
> any other user, which means that by default the master user has no access to 
> any mailboxes of the user.

So it must be somehow possible to limit master users to specific mailbox(es) 
via ACL. If I disable `master = yes` master users won't be able to login at all.

Any help greatly appreciated! Thanks in advance.
Cheers,
Philip
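One way to check whether the ACL restriction is actually enforced, as an added example that is not part of the original post: log in as `<account>*<master>` for every account/master pair, try to open INBOX, and compare the observed result with what the ACL file is supposed to grant. The host name, the account addresses, the passwords and the expected-access table are constructed placeholders.

```python
"""Audit which accounts each Dovecot master user can actually open."""
import imaplib
import ssl

SEPARATOR = "*"  # auth_master_user_separator from the config above


def can_open_inbox(imap, account, master, password, sep=SEPARATOR):
    """True if master user can SELECT the account's INBOX, else False."""
    try:
        imap.login(f"{account}{sep}{master}", password)
    except imaplib.IMAP4.error:
        return False  # login rejected (bad password, master disabled, ...)
    try:
        # select() returns ('NO', ...) rather than raising when ACL denies it
        status, _ = imap.select("INBOX", readonly=True)
        return status == "OK"
    finally:
        try:
            imap.logout()
        except (imaplib.IMAP4.error, OSError):
            pass


def audit(connect, accounts, masters, passwords, expected):
    """Return (account, master, should, got) for every pair that deviates.

    connect() must return a fresh IMAP4-like object for each probe.
    expected maps master -> set of reachable accounts, or "*" for all.
    """
    mismatches = []
    for master in masters:
        allowed = expected.get(master, set())
        for account in accounts:
            should = allowed == "*" or account in allowed
            got = can_open_inbox(connect(), account, master, passwords[master])
            if got != should:
                mismatches.append((account, master, should, got))
    return mismatches


if __name__ == "__main__":
    def connect():  # constructed host name
        return imaplib.IMAP4_SSL("imap.example.com",
                                 ssl_context=ssl.create_default_context())
    report = audit(connect,
                   accounts=["alice@example.com", "bob@example.com"],
                   masters=["admin", "admin-acldemo"],
                   passwords={"admin": "...", "admin-acldemo": "..."},
                   expected={"admin": "*",
                             "admin-acldemo": {"bob@example.com"}})
    for account, master, should, got in report:
        print(f"{master} -> {account}: expected {should}, observed {got}")
```

An empty report means the ACL file restricts master users as intended; a line showing `expected False, observed True` is exactly the symptom described above.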
