[Dovecot] "list" ACL privilege ignored for LSUB command?

Willie Gillespie wgillespie+dovecot at es2eng.com
Mon Nov 22 22:04:08 EET 2010

Timo Sirainen wrote:
> On Mon, 2010-11-22 at 12:22 -0700, Willie Gillespie wrote:
>> Two things I noticed though:
>> SUBSCRIBE-ing to the mailbox is still successful
> Hmm. I kind of disagree with the RFC there.. If you have 'r' rights to
> the mailbox, you can select it. You know that it exists then. Why
> couldn't you be able to subscribe to it? It even makes sense to me that
> if there are mailboxes that +r-l that user should be able to subscribe
> to them to make it easier to access them.

Makes sense.  And it's strange because the RFC states that SUBSCRIBE and 
LSUB only require rights "if the server checks for mailbox existence 
when performing SUBSCRIBE." (page 14 of RFC 4314)

So the fact that you can SUBSCRIBE/LSUB to mailboxes without the lookup 
ACL isn't too far off anyway.

>> LSUB will list mailboxes which I do not have lookup rights to
> This is intentional. If you have ever subscribed to a mailbox, it's in
> your subscriptions list and it won't go away until UNSUBSCRIBE. It
> doesn't matter if the mailbox is deleted or its ACLs change.
> But, yes, I should restrict the SUBSCRIBE more. Currently it's possible
> to subscribe as long as there is any rights to the mailbox. (But if
> there are no rights, it's not possible to subscribe, so I don't really
> consider this a security hole.) I should probably change it to "l" or
> "r". I'll anyway ask what other IMAP people think about this.

I actually ran into this originally with an unusual setup: We wanted a 
public namespace which handled its own subscriptions... but then we 
wanted to restrict the namespace to a subset of users.  ACLs restricted 
this properly for the most part, but LSUB still listed all the mailboxes 
to everyone regardless of whether or not they had any rights.

So that didn't work for us.  =)  Not a big deal, we have other ways we 
can make things work for our situation.  If somehow LSUB filtered out 
mailboxes for which it had no rights, it would fix that unique 
problem though.

Is there a better way to provide a set of mailboxes to a subset of users 
with a shared subscription list (subscriptions = yes)?
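
An added example, not part of the original message or of Dovecot's code: a check over captured LSUB and MYRIGHTS (RFC 4314) responses that reports subscribed mailbox names on which the user lacks the lookup ("l") right, which is the exposure described in this message. The response lines are constructed samples and the function names are hypothetical.

```python
import re

# Untagged responses: "* LSUB (flags) delim mailbox" (RFC 3501) and
# "* MYRIGHTS mailbox rights" (RFC 4314). Literal ({n}) names are not handled.
_NAME = r'(?:"((?:[^"\\]|\\.)*)"|(\S+))'
LSUB_RE = re.compile(r'^\* LSUB \([^)]*\) (?:"(?:\\.|[^"\\])"|NIL) ' + _NAME + r'$')
MYRIGHTS_RE = re.compile(r'^\* MYRIGHTS ' + _NAME + r' (\S+)$')

def _unquote(quoted, atom):
    """Return the mailbox name, removing backslash escapes from a quoted string."""
    return re.sub(r'\\(.)', r'\1', quoted) if quoted is not None else atom

def parse_lsub(lines):
    """Mailbox names from LSUB responses, in server order."""
    matches = (LSUB_RE.match(line.strip()) for line in lines)
    return [_unquote(m.group(1), m.group(2)) for m in matches if m]

def parse_myrights(lines):
    """Map mailbox name -> set of single-letter ACL rights."""
    matches = (MYRIGHTS_RE.match(line.strip()) for line in lines)
    return {_unquote(m.group(1), m.group(2)): set(m.group(3)) for m in matches if m}

def subscriptions_without_right(lsub_lines, myrights_lines, right="l"):
    """Subscribed names the user cannot look up. A mailbox with no MYRIGHTS
    response (the server answered NO) is treated as having no rights."""
    rights = parse_myrights(myrights_lines)
    return [n for n in parse_lsub(lsub_lines) if right not in rights.get(n, set())]

# Constructed sample session for one user of a shared-subscription namespace.
SAMPLE_LSUB = [
    '* LSUB () "/" "Public/announce"',
    '* LSUB () "/" "Public/staff only"',
    '* LSUB () "/" Public/finance',
    '* LSUB () "/" INBOX',
]
SAMPLE_MYRIGHTS = [
    '* MYRIGHTS "Public/announce" lrs',
    '* MYRIGHTS "Public/staff only" r',   # +r-l: selectable but not listable
    '* MYRIGHTS INBOX lrswipkxtea',
    # no line for Public/finance: MYRIGHTS returned NO for it
]

if __name__ == "__main__":
    for name in subscriptions_without_right(SAMPLE_LSUB, SAMPLE_MYRIGHTS):
        print("visible via LSUB without 'l':", name)
```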
