Wednesday, April 9, 2008

Cyrus IMAP permissions

Full access to a Cyrus mailbox is "lrswipcda", as in setacl user/jqpublic jsixpack lrswipcda. This allows Joe Sixpack to map John Q Public's folder and change it any way he sees fit, including granting access to yet more users (that last part is the "a" flag).

Occasionally, Human Resources or a successor needs access to a former employee's mailbox. A better set of permissions for this case is simply "lr", allowing list and read access while preventing changes.

To revoke permissions, issue a setacl command with empty quotes in place of the privilege flags: setacl user/jqpublic jsixpack "". Mail clients that present an Other Users folder should remove that folder after this change, but the client might need a restart.

The privilege flags are:
* (l) Lookup (mailbox visible to LIST/LSUB/UNSEEN)
* (r) Read (SELECT, CHECK, FETCH, PARTIAL, SEARCH, COPY source)
* (s) Seen (STORE \SEEN)
* (w) Write flags other than \SEEN and \DELETED
* (i) Insert (APPEND, COPY destination)
* (p) Post (send mail to mailbox)
* (c) Create and Delete mailbox (CREATE new sub-mailboxes, RENAME or DELETE mailbox)
* (d) Delete (STORE \DELETED, EXPUNGE)
* (a) Administer (SETACL)

Privilege flags section adapted from Wil Cooley's presentation at http://nakedape.cc/info/Cyrus-IMAP-Intro/ .
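To check existing grants against the "lr" recommendation, here is an added example (not part of the original post or of Cyrus itself) that audits a list of ACL entries and prints the setacl commands to tighten them. The (mailbox, identifier, rights) tuples are constructed sample data, and the rule that every non-owner grant should be at most "lr" is an assumed policy.

```python
# Flag letters and meanings as listed in the post.
FLAGS = {
    "l": "lookup", "r": "read", "s": "seen", "w": "write flags",
    "i": "insert", "p": "post", "c": "create/delete mailbox",
    "d": "delete messages", "a": "administer",
}
READ_ONLY = set("lr")   # assumed policy: non-owners get at most list + read
EMPTY = '""'            # empty quotes revoke all rights, as in the post

# Constructed sample entries: (mailbox, identifier, rights string).
SAMPLE = [
    ("user/jqpublic", "jqpublic", "lrswipcda"),   # owner, skipped
    ("user/jqpublic", "jsixpack", "lrswipcda"),   # full access for another user
    ("user/jqpublic", "hr", "lr"),                # already read-only
    ("user/jqpublic/Sent", "successor", "lrsw"),  # can alter message flags
]

def owner_of(mailbox):
    """user/jqpublic or user/jqpublic/Sent -> 'jqpublic'; otherwise None."""
    parts = mailbox.split("/")
    return parts[1] if len(parts) >= 2 and parts[0] == "user" else None

def audit(entries):
    """Return (findings, fixes) for non-owner grants that exceed 'lr'."""
    findings, fixes = [], []
    for mailbox, ident, rights in entries:
        unknown = sorted(set(rights) - set(FLAGS))
        if unknown:
            raise ValueError(f"unknown flag(s) {unknown} on {mailbox}")
        if ident == owner_of(mailbox):
            continue
        extra = [f for f in FLAGS if f in rights and f not in READ_ONLY]
        if not extra:
            continue
        # 'a' lets the grantee hand out access to yet more users.
        severity = "HIGH" if "a" in extra else "MEDIUM"
        names = ", ".join(FLAGS[f] for f in extra)
        findings.append((severity, mailbox, ident, names))
        keep = "".join(f for f in "lr" if f in rights)
        fixes.append(f"setacl {mailbox} {ident} {keep or EMPTY}")
    return findings, fixes

if __name__ == "__main__":
    found, commands = audit(SAMPLE)
    for severity, mailbox, ident, names in found:
        print(f"{severity}: {ident} on {mailbox} also has: {names}")
    print("\n".join(commands))
```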
