dovecot - Feb 2014 - master user and ACL's

Hi,

Quick question...I read in the docs that:
"Master user is still subject to ACLs just like any other user, which 
means that by default the master user has no access to any mailboxes of 
the user."
... and that the standard workaround is to return master_user=%u from 
the userdb.

But why is the master_user authn-id used in the ACLs and not the 
authz-id (requested-login-user) ?

Isn't the whole point of SASL authz-id semantics to have authorization 
resolved based on the authz-id?


/Peter

On 9.2.2014, at 17.36, Peter Mogensen <apm at one.com> wrote:
> Quick question...I read in the docs that:
> "Master user is still subject to ACLs just like any other user, which
means that by default the master user has no access to any mailboxes of the
user."
> ... and that the standard workaround is to return master_user=%u from the
userdb.
> 
> But why is the master_user authn-id used in the ACLs and not the authz-id
(requested-login-user) ?
> 
> Isn't the whole point of SASL authz-id semantics to have authorization
resolved based on the authz-id?
Some people are using master user logins to do other types of things, such as
allowing voicemail software to access only the Voicemail folder of everyone. Or
spam software access only to the Spam folder. Or an alternative read-only
username+password for all users that can access the same user's mails only
read-only.