Global ACLs are intended to apply to a few mailboxes for all users. For example
you could have a master user called "spam" that would have access to each
user's "spam" mailbox, but nothing else.
Global ACLs are kind of ugly. A mailbox's ACL is found from exactly the same
name as what the mailbox's virtual name is. So for example if you have
  namespace {
    separator = /
    prefix = foo/
  }
And you have a mailbox called foo/bar, the global ACL is looked up from the
<global dir>/foo/bar. The problem there of course is what if you want to set
global ACLs for "foo". You can't have both a directory and a file called "foo".
So if this happens, Dovecot instead looks up the ACLs from <global
dir>/foo/.DEFAULT file. The name for this file is slightly confusing, and also
of course if there really is a mailbox called ".DEFAULT" it won't really work
well.
The global ACL is currently configured by giving its path to the acl setting,
such as:
  plugin {
    acl = vfile:/etc/dovecot/global-acls
  }
So plan #1: deprecate this usage. If global-acls is a directory, keep using the
old method. But the new preferred method would be for it to be a file that
contains all of the global ACLs. Typically there should be very few entries, so
this should also be more efficient. Also this would allow setting default ACLs
for namespaces by using wildcards. For example you could have:
  * masteruser +lrw
  spam spamuser +lr
  test/* testuser +lr
etc.
The * would match only within a single namespace, so if you had more than one,
the * entry would match only the one having prefix="". The * entry would be
especially helpful for master users who you intend to have access to all of a
user's mailboxes. Currently there is no good way to implement this.
Plan #2: Add support for per-user default namespace ACLs. In the mail root
directory, if a "dovecot-default-acl" file exists, it's used as the default ACLs.
I'm not entirely sure what should happen if it conflicts with the global ACLs.
Probably they both should be simply merged, since both can only be created by
an admin. Probably the per-user ACL should be allowed to override the global
ACLs.
Any thoughts? Since neither of these would break backwards compatibility, I
could add them to v2.0.x.
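
A sketch of how the single-file format proposed in plan #1 could be resolved, showing that a bare "*" entry stays inside the prefix="" namespace. This is an added example, not Dovecot code or code from the post: the function names, fnmatch-style matching, the longest-prefix namespace rule and the merging of all matching entries are assumptions.

```python
from fnmatch import fnmatchcase

# Constructed sample: the three entries from the proposal above.
SAMPLE_GLOBAL_ACL = """\
* masteruser +lrw
spam spamuser +lr
test/* testuser +lr
"""

def parse_global_acl(text):
    """Parse 'pattern identifier +rights' lines into (pattern, id, rights) tuples."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 3 or not parts[2].startswith("+"):
            raise ValueError(f"line {lineno}: expected 'pattern identifier +rights'")
        entries.append((parts[0], parts[1], frozenset(parts[2][1:])))
    return entries

def namespace_of(name, prefixes):
    """Longest configured namespace prefix that name starts with."""
    return max((p for p in prefixes if name.startswith(p)), key=len, default="")

def effective_rights(entries, prefixes, mailbox, identifier):
    """Union of rights from entries that match mailbox within its own namespace."""
    ns = namespace_of(mailbox, prefixes)
    rights = set()
    for pattern, ident, granted in entries:
        if ident != identifier:
            continue
        # Assumption: a pattern belongs to the namespace its own text falls in,
        # so a bare '*' only ever applies to the prefix="" namespace.
        if namespace_of(pattern, prefixes) != ns:
            continue
        # Assumption: '*' also matches the hierarchy separator.
        if fnmatchcase(mailbox, pattern):
            rights |= granted
    return "".join(sorted(rights))

if __name__ == "__main__":
    acl = parse_global_acl(SAMPLE_GLOBAL_ACL)
    for box in ("INBOX", "test/a", "foo/bar"):
        print(box, repr(effective_rights(acl, ["", "foo/"], box, "masteruser")))
```

With namespaces "" and "foo/", masteruser gets lrw on INBOX and test/a but nothing on foo/bar, so a deployment with several namespaces would need one wildcard entry per namespace prefix.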