Sorry about double posting. Thought my previous post didn't make it through. Still struggling with this problem...
> On 14 Aug 2019, at 15:21, Philip Iezzi <li...@iezzi.ch> wrote:
>
> Hi there!
>
> I can't get ACL working for master users. Login as master user works fine though, and I am able to access any mailbox using the auth_master_user_separator "*", tested e.g. via Python's imaplib:
>
> import imaplib
> imap = imaplib.IMAP4_SSL('imap.example.com')
> imap.login('f...@example.com*admin-acldemo', '**********')
> ('OK', [b'Logged in'])
>
> My /etc/dovecot/dovecot-acl looks like this:
>
> * user=admin lr
> b...@example.com user=admin-acldemo lr
>
> So, if I didn't misunderstand the https://wiki.dovecot.org/Authentication/MasterUsers and https://wiki.dovecot.org/ACL documentation, this should only give the "admin" master user access to all mail accounts and limit the "admin-acldemo" master user to only a single mail account. That's what I would like to accomplish. But no matter what I put into dovecot-acl (it could even be empty), master users always have access to all existing mail accounts. The whole dovecot-acl seems to be ignored and there are no logs pointing to any problem (syntax, access permissions) with that file.
>
> In mail.log I am getting a successful login message:
> dovecot: imap-login: Login: user=<f...@example.com>, method=PLAIN, ...
> So the login with "f...@example.com*admin-acldemo" seems to get resolved to a regular "f...@example.com" user login.
>
> My current setup (relevant config options):
>
> # 2.3.7.1 (0152c8b10): /etc/dovecot/dovecot.conf
> # Pigeonhole version 0.5.7.1 (db5c74be)
> # OS: Linux 4.15.18-18-pve x86_64 Debian 9.9
> auth_master_user_separator = *
> mail_plugins = quota acl
> passdb {
>   args = /etc/dovecot/passwd.masterusers
>   driver = passwd-file
>   master = yes
>   pass = yes
> }
> plugin {
>   acl = vfile:/etc/dovecot/dovecot-acl
>   acl_user = %u
>   master_user = %u
> }
> protocol lmtp {
>   mail_plugins = quota acl sieve
> }
> protocol lda {
>   mail_plugins = quota acl sieve
> }
> protocol imap {
>   mail_plugins = quota acl imap_acl imap_quota
> }
>
> On the ACL documentation it says:
>
>> Note that master users have their own ACLs. They're not the mailbox owners, so by default they have no permissions to any of the mailboxes
>
> and on the Authentication/MasterUsers documentation:
>
>> If ACL plugin is enabled, the Master user is still subject to ACLs just like any other user, which means that by default the master user has no access to any mailboxes of the user.
>
> So it must be somehow possible to limit master users to specific mailbox(es) via ACL. I could allow master users to log in as themselves, by adding two passdb sections (one with `master = yes`, the other `master = no`), but then I see no way to do a user context switch (where ACLs would get respected...) after logging in with "admin".
>
> Any help greatly appreciated! Thanks in advance.
> Cheers,
> Philip
>
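Added example, not code from the post or from the Dovecot project: an offline checker for a global ACL vfile of the shape quoted above, plus a live MYRIGHTS probe to compare the file's intent with what the server actually grants a master user. It assumes the line format the Dovecot docs give for the vfile global ACL, `<mailbox name pattern> <identifier> <rights>` (the first column is a mailbox pattern such as `INBOX` or `Shared/*`, not a mail account), assumes matching lines merge cumulatively and that a master user matches `authenticated` and `anyone` but never `owner`, leaves negative (`-`) rights unmodelled, and uses constructed account, group and mailbox names. `parse_global_acl`, `effective_rights`, `excess_access` and `probe_myrights` are this example's own names.

```python
import fnmatch
import imaplib
import ssl
from dataclasses import dataclass

# Single-letter rights in the order Dovecot (RFC 4314) lists them, and the
# named spellings the global ACL file also accepts ("lookup read" == "lr").
RIGHT_ORDER = "lrwstipekxa"
RIGHT_NAMES = {
    "lookup": "l", "read": "r", "write": "w", "write-seen": "s",
    "write-deleted": "t", "insert": "i", "post": "p", "expunge": "e",
    "create": "k", "delete": "x", "admin": "a",
}

# Constructed sample (not the poster's file). Each line is
#   <mailbox name pattern> <identifier> <rights>
# so the first column names a mailbox, not a mail account.
SAMPLE_ACL = """\
# constructed sample
* user=admin lr
INBOX user=admin-acldemo lr
Shared/* group=auditors lookup read write-seen
"""


@dataclass(frozen=True)
class AclEntry:
    pattern: str       # mailbox name pattern, * and ? wildcards
    identifier: str    # user=<name>, group=<name>, owner, authenticated, anyone
    rights: frozenset  # single-letter rights


def parse_rights(tokens):
    """Accept one letter string ("lrs") or a list of named rights."""
    if len(tokens) == 1 and set(tokens[0]) <= set(RIGHT_ORDER):
        return frozenset(tokens[0])
    unknown = [t for t in tokens if t not in RIGHT_NAMES]
    if unknown:
        raise ValueError(f"unknown rights: {unknown}")
    return frozenset(RIGHT_NAMES[t] for t in tokens)


def parse_global_acl(text):
    """Parse a global vfile; negative (-) rights are not modelled."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"line {lineno}: expected <pattern> <identifier> <rights>")
        entries.append(AclEntry(parts[0], parts[1], parse_rights(parts[2:])))
    return entries


def identities_for(username, groups=(), is_owner=False):
    """Identifiers a login can match. A master user is never the owner, so it
    gets nothing unless a user=/group= line names it (assumption: it still
    counts as authenticated/anyone)."""
    ids = [f"user={username}", *(f"group={g}" for g in groups)]
    if is_owner:
        ids.append("owner")
    return ids + ["authenticated", "anyone"]


def effective_rights(entries, mailbox, identities):
    """Rights one login gets on one mailbox (assumption: matches merge)."""
    rights = set()
    for e in entries:
        if fnmatch.fnmatchcase(mailbox, e.pattern) and e.identifier in identities:
            rights |= e.rights
    return "".join(sorted(rights, key=RIGHT_ORDER.index))


def excess_access(entries, master_user, mailboxes, allowed):
    """Mailboxes on which a master user gets rights it was not meant to have."""
    ids = identities_for(master_user)
    excess = {}
    for mb in mailboxes:
        r = effective_rights(entries, mb, ids)
        if r and mb not in allowed:
            excess[mb] = r
    return excess


def probe_myrights(host, login, password, mailbox="INBOX"):
    """Ask a live server (imap_acl plugin serves MYRIGHTS) what it grants.
    Needs network access, so the offline checks do not call it."""
    imap = imaplib.IMAP4_SSL(host, ssl_context=ssl.create_default_context())
    try:
        imap.login(login, password)        # e.g. 'user@example.com*admin-acldemo'
        return imap.myrights(mailbox)      # e.g. ('OK', [b'"INBOX" lr'])
    finally:
        imap.logout()


if __name__ == "__main__":
    entries = parse_global_acl(SAMPLE_ACL)
    boxes = ["INBOX", "Sent", "Shared/Reports"]
    for who in ("admin", "admin-acldemo"):
        print(who, excess_access(entries, who, boxes, allowed={"INBOX"}))
```

Run the offline part first to see what the file would grant each master user, then point `probe_myrights` at the server with the same master login to confirm the `MYRIGHTS` answer matches; a mismatch between the two means the file is not the ACL source the running server is consulting.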