Da: Aki Tuomi <aki.tuomi@open-xchange.com> Inviato: giovedì 6 febbraio 2025 11:49 A: dovecot@iotti.biz; dovecot--- via dovecot <dovecot@dovecot.org> Oggetto: Re: Preventing message deletion

...

On 06/02/2025 12:39 EET dovecot--- via dovecot <dovecot@dovecot.org> wrote:

Hi all

How may I disable message deletions via IMAP for some or all of my users? I read on the net that a possible solution would be to use the ACL IMAP plugin. But the examples I found were not so clear to me. We do not use shared mailboxes or namespaces. Only simple virtual users, each with it's own private mailbox. I would like to use the global acl file both for administration simplicity and because as I understood, global acl enrties take preference over any user setting.

In the ACL page example there is a line:

• user=foo lrw

But in the comment it tells that doing so, every user' mailbox would be shared with the foo user, with the lrw permissions. Which is not what I would want. I don't need to share anything, just to restrict what the user, foo here, can do on his mailbox.

Thank you, Luigi

Hi!

Folder sharing won't actually happen unless you have a shared namespace.

And you can also use owner which refers to the mailbox owner, so

• owner -te

which will mean that the owner is not allowed to expunge or write \deleted flag.

Thank you AKi for the clarification.

At least in this rather old dovecot-2.2.36 from CentOS 7 (I know, it needs updating but I have to do what says the one who pays:) using the negative "-te" form did not work. I found in my logs: dovecot: imap(test@domain.com): Error: Global ACL file /etc/dovecot/global-acls line 1: Unknown ACL '-' and mailbox access was prevented for all users.

I used the form

• user=test@domain.com lrwsipk

And it seem to work now.

Thank you again.

-----Messaggio originale----- Da: Aki Tuomi <aki.tuomi@open-xchange.com> Inviato: giovedì 6 febbraio 2025 13:34 A: dovecot@iotti.biz; dovecot--- via dovecot <dovecot@dovecot.org> Oggetto: Re: R: Preventing message deletion

...

On 06/02/2025 13:16 EET dovecot--- via dovecot <dovecot@dovecot.org> wrote:

...

Da: Aki Tuomi <aki.tuomi@open-xchange.com> Inviato: giovedì 6 febbraio 2025 11:49 A: dovecot@iotti.biz; dovecot--- via dovecot <dovecot@dovecot.org> Oggetto: Re: Preventing message deletion

...

On 06/02/2025 12:39 EET dovecot--- via dovecot <dovecot@dovecot.org> wrote:

Hi all

How may I disable message deletions via IMAP for some or all of my users? I read on the net that a possible solution would be to use the ACL IMAP plugin. But the examples I found were not so clear to me. We do not use shared mailboxes or namespaces. Only simple virtual users, each with it's own private mailbox. I would like to use the global acl file both for administration simplicity and because as I understood, global acl enrties take preference over any user setting.

In the ACL page example there is a line:

• user=foo lrw

But in the comment it tells that doing so, every user' mailbox would be shared with the foo user, with the lrw permissions. Which is not what I would want. I don't need to share anything, just to restrict what the user, foo here, can do on his mailbox.

Thank you, Luigi

Hi!

Folder sharing won't actually happen unless you have a shared namespace.

And you can also use owner which refers to the mailbox owner, so

• owner -te

which will mean that the owner is not allowed to expunge or write \deleted flag.

Thank you AKi for the clarification.

At least in this rather old dovecot-2.2.36 from CentOS 7 (I know, it needs updating but I have to do what says the one who pays:) using the negative "- te" form did not work. I found in my logs: dovecot: imap(test@domain.com): Error: Global ACL file /etc/dovecot/global-acls line 1: Unknown ACL '-' and mailbox access was prevented for all users.

I used the form

• user=test@domain.com lrwsipk

And it seem to work now.

Thank you again.

I would use

• owner lrwsipk

unless it's exactly that one use you want to affect?

Aki

Sorry for the late reply: I made some test.

The solution suggested works. Indeed, I used the explicit username and not "owner" in the acl line just because I have to restrict only some users.

But another problem appeared. Now it's not possible to move messages between IMAP folders. I dumped the traffic and a MOVE imap command Is issued. I found that the "e" (expunge) acl right is what is missing, which was cleared out to prevent deletions. I just imagine that there is no solution to prevent message delete, but allow move, but hope there are other solutions.

Thank you Luigi