OnWorks favicon

maildiracl - Online in the Cloud

Run maildiracl in OnWorks free hosting provider over Ubuntu Online, Fedora Online, Windows online emulator or MAC OS online emulator

This is the command maildiracl that can be run in the OnWorks free hosting provider using one of our multiple free online workstations such as Ubuntu Online, Fedora Online, Windows online emulator or MAC OS online emulator



maildiracl - manage access control lists


maildiracl {-reset} {maildir}

maildiracl {-list} {maildir} {INBOX[.folder]}

maildiracl {-set} {maildir} {INBOX[.folder]} {[-]identifier} {[+/-]rights}

maildiracl {-delete} {maildir} {INBOX[.folder]} {[-]identifier}

maildiracl {-compute} {maildir} {INBOX[.folder]} {identifier...}


maildiracl manages “access control lists” (or ACLs) of the Courier IMAP server maildir
folders. Access control lists are used primarily to provide fine-grained control for
accessing virtual shared folders via IMAP.

The Courier IMAP server server implements two types of shared folders: filesystem
permission-based shared folders, as well as virtual shared folders based on IMAP
access control lists. Use the maildiracl command to set up access control lists for
virtual shared folders. Use the maildirmake(1)[1], command to implement shared folders
based on filesystem permissions.

See the Courier IMAP server documentation for additional information on setting up
virtual shared folders.

ACL overview
ACLs provide a fine-grained mechanism for controlling access to shared folders. ACLs may
be used to specify, for example, that user1 may only open and read the messages in the
folder; and user2 can not only do that, but also delete messages, and create subfolders.

Each folder maintains its own individual access control list, that specifies who can do
what to the folder. An ACL is a list of “identifier” and “rights” pairs. Each “identifier”
and “rights” pair means that an entity called “identifier” (using the UTF-8 character set)
is allowed to do “rights” on this folder. “rights” consists of one or more letters, each
letter signifies a particular action:


identifier may modify this folder's ACLs.


identifier may create subfolders of this folder (this includes renaming another folder
as this folder's subfolders).


identifier may remove deleted messages from this folder.


identifier may add messages to this folder (either uploading them one by one, or
copying messages from another folder).


identifier may actually see that this folder exists. If identifier does not have the
“l” right on this folder, the folder is effectively invisible to identifier.


identifier may open this folder. Note that if identifier knows the name of this
folder, it can open it even if identifier does not the “l” right on this folder.


identifier may mark messages in this folder as seen, or unseen.


identifier may mark messages in this folder as deleted, or undeleted.


identifier may change other status flags of messages in this folder. May also add or
remove custom keywords on individual messages.


identifier may delete this folder (which includes renaming this folder as another
mailbox's subfoler.

Negative rights
An ACL entry of “-identifier” and “rights” is called a “negative right”, which
explicitly removes “rights” from “identifier”. More than one “identifier” is usually
used to determine the actual rights someone has for the given folder. The actual
access rights are determined by taking all rights from all applicable identifier, than
subtracting any negative rights, as specified in the following section.

Access rights on a given folder are computed by obtained the rights on the following
identifiers, then subtracting the negative rights on the same identifiers:

The owner of the maildir containing this folder. The maildir's INBOX's ACL
defaults to all rights for its owner. A new folder's ACL is the same as its
parent's ACL. In all cases, trying to remove the “a” right from the owner (either
directly or using a negative right) results in an error.

This identifier refers literally to every userid. The associated rights (or
negative rights) are always used.

This is a synonym from “anyone”.

Rights (or negative rights) for IMAP account “loginid”.

“loginid” is what's logged to syslog after a succesful login. In some
situations “loginid” is not exactly the actual login ID used by the IMAP

Rights (or negative rights) for account group “name”. Access rights are granted to
an account group as a whole. The account options feature of the Courier
Authentication Library specifies which account belongs to which account group. See
courier-authlib's documentation for more information.

This is an alias for “group=administrators”. Accounts that are members of an
account group called “administrators” are considered administrative accounts, and
automatically receive all access rights on all accessible folders.

Consider the following access control list:

owner aceilrstwx
anyone lr
user=john w
-user=mary r
administrators aceilrstwx

This access control list specifies that the folder's owner has complete control over
the mailbox (as well as the administrators, which have complete access to every
folder); everyone else can see it and open it, except for “mary” who can see that the
mailbox exists, but can't open it; additionally, “john” can change the status and
keywords of individual messages (but not mark them as deleted/undeleted or
seen/unseen, which requires additional rights).


maildiracl -reset maildir

This command resets access control lists in maildir which as a path to a maildir. Under
certain conditions, the files where a folder's ACLs are saved may continue to exist after
the folder is removed. The -reset options goes through maildir and removes all stale ACL
files for removed folders.

The Courier IMAP server normally performs this maintenance function automatically. It
is not necessary to run this command under normal conditions.

maildiracl -list maildir folder

This command lists the access control lists set for folder. folder must be either “INBOX”
or “INBOX.folder.subfolder”, which is the same naming convention for the Courier IMAP

maildiracl -set maildir folder identifier rights

Puts identifier (which may begin with a minus sign to specify a negative right) and rights
in folder's access control list. Existing rights for identifier (or identifier) are
replaced by rights unless “rights” begins with “+” or “-”, which modifies the existing
rights by adding or removing from them accordingly. Some examples:

maildiracl -set /home/user1/Maildir INBOX.Sent user=john lr

maildiracl -set /home/user2/Maildir INBOX.Notes anyone -r

maildiracl -set /home/user3/Maildir INBOX.Private -user=tom +r

Observe that the last command revokes the “r” right from “tom”, by adding it as a
negative right.

maildiracl -delete maildir folder identifier

This command removes identifier from folder's access control list, if it exists. Use
“-identifier” to remove negative rights.

maildiracl -compute maildir folder [identifier]+

This command takes a list of one or more identifiers. All access rights for the
identifiers are combined together, then any appropriate negative rights are removed, and
the result is printed on standard output. Use the following procedure to compute access
rights the same way as they are computed by the Courier IMAP server:

maildiracl -compute /home/tom46/Maildir INBOX.Sent owner user=tom46

This command computes access rights “tom46” has on his own folder.

maildiracl -compute /home/john34/Maildir INBOX.Public user=tom46

This command computes access rights “tom46” has on “john34”'s folder.


The owner of the mailbox must always have the “a” amd “l” access rights. The
administrators group must always have all access rights to all folders. Attempts to set
access control lists, that do not include these minimum access rights, will be rejected.

Use maildiracl online using onworks.net services

Free Servers & Workstations

Download Windows & Linux apps

  • 1
    OpenPDF - Fork of iText
    OpenPDF - Fork of iText
    OpenPDF is a Java library for creating
    and editing PDF files with a LGPL and
    MPL open source license. OpenPDF is the
    LGPL/MPL open source successor of iText,
    Download OpenPDF - Fork of iText
  • 2
    SAGA - System for Automated
    Geoscientific Analyses - is a Geographic
    Information System (GIS) software with
    immense capabilities for geodata
    processing and ana...
    Download SAGA GIS
  • 3
    Toolbox for Java/JTOpen
    Toolbox for Java/JTOpen
    The IBM Toolbox for Java / JTOpen is a
    library of Java classes supporting the
    client/server and internet programming
    models to a system running OS/400,
    i5/OS, o...
    Download Toolbox for Java/JTOpen
  • 4
    D3.js (or D3 for Data-Driven Documents)
    is a JavaScript library that allows you
    to produce dynamic, interactive data
    visualizations in web browsers. With D3
    Download D3.js
  • 5
    A fast tunnel proxy that helps you
    bypass firewalls This is an application
    that can also be fetched from
    It ha...
    Download Shadowsocks
  • 6
    GLPI Themes
    GLPI Themes
    Download release at
    Color themes for GLPI 0.84 and 0.85 New
    Modifications for GLPI This is an
    application that c...
    Download GLPI Themes
  • 7
    SMPlayer is a free media player for
    Windows and Linux with built-in codecs
    that can also play YouTube videos. One
    of the most interesting features of
    Download SMPlayer
  • More »

Linux commands