IMAP4 allows the use of shared mailboxes. Therefore it makes sense to have some control over the rights a user has on a mailbox. Those rights are defined with access control lists (ACL). Cyrus IMAPd uses ACLs to control access to any type of mailbox, be it private, shared or public.
Every mailbox carries an ACL, which is a list of access control entries. Each entry consists of a userid and the rights that user has on the particular mailbox.
The rights are (RFC 4314):
l - lookup (mailbox is visible to LIST/LSUB commands, SUBSCRIBE mailbox)
r - read (SELECT the mailbox, perform STATUS)
s - keep seen/unseen information across sessions (set or clear \SEEN flag via STORE, also set \SEEN during APPEND/COPY/FETCH BODY[...])
w - write (set or clear flags other than \SEEN and \DELETED via STORE, also set them during APPEND/COPY)
i - insert (perform APPEND, COPY into mailbox)
p - post (send mail to submission address for mailbox, not enforced by IMAP4 itself)
k - create mailboxes (CREATE new sub-mailboxes in any implementation-defined hierarchy, parent mailbox for the new mailbox name in RENAME)
x - delete mailbox (DELETE mailbox, old mailbox name in RENAME)
t - delete messages (set or clear \DELETED flag via STORE, set \DELETED flag during APPEND/COPY)
e - perform EXPUNGE and expunge as a part of CLOSE
a - administer (perform SETACL/DELETEACL/GETACL/LISTRIGHTS)
"c" and "d" are obsolete as of RFC 4314 (section 2.1.1).
To administer ACLs in Cyrus, you can use cyradm (set, list and delete an entry):
setaclmailbox shared.questions jenny lrs
listaclmailbox shared.questions
deleteaclmailbox shared.questions jenny
Some shortcuts:
- Use the shorter command names: sam, lam, dam
- Use wildcards for mailboxes:
  sam shared.* jenny lrs
- Use anyone to set rights for all users:
  sam shared.* anyone lrswipkxtecda
- Use all to grant every right:
  sam shared.* anyone all
- Prefix the user name with a dash to "remove" (deny) the given rights for that user on the mailbox, even if an anyone entry grants them:
  sam shared.secret -edgar all
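To see how the anyone entry, a user's own entry and a negative (-user) entry combine, here is an added Python model of the ACL evaluation described above; it is example code written for this page, not Cyrus IMAPd's own implementation. It assumes Cyrus's documented rule that a user's effective rights are the union of all matching positive entries minus the union of all matching negative entries, it only matches exact userids and "anyone" (Cyrus also knows "anonymous" and group identifiers, which are left out), and it expands the obsolete "c" and "d" letters with the first mapping from RFC 4314 section 2.1.1 (c = kx, d = et), which you should confirm against your server before relying on it. The sample ACL is constructed in the shape listaclmailbox prints, and the last function is a small audit helper that reports what anyone has been granted beyond read-only use.

```python
"""Model of Cyrus IMAPd ACL evaluation (added example, not Cyrus code)."""

# RFC 4314 rights, in the order Cyrus displays them.
RIGHTS = "lrswipkxtea"

# Obsolete rights from RFC 4314 section 2.1.1.
# ASSUMPTION: the first mapping given there (c = kx, d = et); verify against
# your server's ACL code before depending on it.
OBSOLETE = {"c": "kx", "d": "et"}


def expand_rights(spec):
    """Turn a rights string as typed into cyradm into a set of RFC 4314 letters.

    'all' means every right; obsolete letters are expanded per OBSOLETE.
    Unknown letters raise, mirroring cyradm rejecting them.
    """
    if spec == "all":
        return set(RIGHTS)
    out = set()
    for ch in spec:
        if ch in RIGHTS:
            out.add(ch)
        elif ch in OBSOLETE:
            out.update(OBSOLETE[ch])
        else:
            raise ValueError(f"unknown right {ch!r}")
    return out


def parse_acl(text):
    """Parse 'identifier rights' lines (the shape listaclmailbox prints) into
    a list of (identifier, rights-set) tuples, keeping order and negatives."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ident, spec = line.split(None, 1)
        entries.append((ident, expand_rights(spec.strip())))
    return entries


def effective_rights(entries, user):
    """Rights `user` ends up with: union of all matching positive entries minus
    union of all matching negative entries, so '-user all' wins over an
    'anyone' grant regardless of entry order.

    ASSUMPTION: only exact userids and 'anyone' are matched; 'anonymous' and
    group identifiers are not modelled here.
    """
    allow, deny = set(), set()
    for ident, rights in entries:
        negative = ident.startswith("-")
        name = ident[1:] if negative else ident
        if name != user and name != "anyone":
            continue
        (deny if negative else allow).update(rights)
    return "".join(ch for ch in RIGHTS if ch in allow and ch not in deny)


def risky_anyone_grants(entries, harmless="lrsp"):
    """Audit helper: rights granted to 'anyone' beyond the read-only set
    (lookup, read, seen state, post by default)."""
    risky = set()
    for ident, rights in entries:
        if ident == "anyone":
            risky.update(rights - set(harmless))
    return "".join(ch for ch in RIGHTS if ch in risky)


# Constructed sample ACL, written the way listaclmailbox prints entries.
SAMPLE_ACL = """
anyone lrs
jenny lrswipkxte
-edgar all
"""

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for user in ("jenny", "edgar", "someone"):
        print(user, repr(effective_rights(acl, user)))
    print("anyone beyond read-only:", repr(risky_anyone_grants(acl)))
```

Running it shows jenny keeping her explicit rights, an arbitrary user inheriting only lrs from anyone, and edgar ending up with no rights at all because the negative entry strips even what anyone grants. Feeding risky_anyone_grants the page's "anyone lrswipkxtecda" line reports "wikxtea", which is the kind of grant worth reviewing on a shared mailbox.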