Access Control Defaults¶
Administrators¶
Regardless of the ACL on a mailbox, users who are listed in the
admins
configuration option in imapd.conf(5) implicitly
have the l
and a
rights on all mailboxes.
Administrators can also see across domains which normal users cannot.
Warning
An admin user should not be a normal email account.
Mailbox owners¶
The user who owns a mailbox folder has additional rights which are set regardless of any additional ACLs. These are:
l - lookup
a - administer
These are set in implicit_owner_rights
of imapd.conf(5).
Default¶
For all other mailboxes not owned by a user, any user accessing these mailboxes have the following default privileges:
l - lookup
r - read contents
s - seen
These are set in defaultacl
of imapd.conf(5).
Initial ACLs for Newly Created Mailboxes¶
When a mailbox is created, its ACL starts off with a copy of the ACL of its closest parent mailbox. When a user is created, the ACL on the user’s INBOX
starts off with a single entry granting all rights to the user. When a non-user mailbox is created and does not have a parent, its ACL is initialized to the value of the defaultacl
option in imapd.conf(5).
Other Implicit Rights¶
Note that some rights are available implicitly, for example ‘anonymous’
always has ‘p’ on user INBOXes, and users always have la
rights on
mailboxes within their INBOX hierarchy.