kepa
2015-Apr-03 09:59 UTC
ACL syntax for setting specified folders within Maildir/ read-only for owner
Hi,

I have dovecot (2.2.16, see dovecot -n at end) installed to /opt on CentOS 6 for access on a local network. I would like to create an archival mail account which will reduce the primary account file size and still make older emails easily accessible. How can I set specified folders in this Maildir read-only with ACL? For example, I included this in the dovecot-acl file to specify protected folders in the archives@ Maildir but it did not work:

    "Email 2013/*" user=archives lrs
    "Email 2014/*" user=archives lrs

Also tried this on folders without spaces with no success (the folders were still delete-able by the user via the Thunderbird client). Each "Email..." folder has several child folders that should also be read-only.

BTW, what is the maximum size for a Maildir that Dovecot can comfortably handle?

Thanks!
Kepa

dovecot -n:

    # 2.2.16: /opt/dovecot/etc/dovecot/dovecot.conf
    # OS: Linux 2.6.32-504.12.2.el6.x86_64 x86_64 CentOS release 6.6 (Final)
    mail_location = maildir:~/Maildir
    mail_plugins = acl
    namespace inbox {
      inbox = yes
      location [mailbox info ...]
    plugin {
      acl = vfile:/opt/dovecot/etc/dovecot/dovecot-acl
    }
    protocols = imap
    service imap-login {
      inet_listener imaps {
        port = 993
        ssl = yes
      }
    }
    ssl_cert = </etc/ssl/certs/dovecot.pem
    ssl_key = </etc/ssl/private/dovecot.pem
    userdb {
      driver = passwd
    }
    protocol imap {
      mail_plugins = acl imap_acl
Steffen Kaiser
2015-Apr-08 11:37 UTC
ACL syntax for setting specified folders within Maildir/ read-only for owner
On Fri, 3 Apr 2015, kepa wrote:

> I have dovecot (2.2.16, see dovecot -n at end) installed to /opt on CentOS 6
> for access on a local network. I would like to create an archival mail
> account which will reduce the primary account file size and still make older
> emails easily accessible. How can I set specified folders in this Maildir
> read-only with ACL? For example, I included this in the dovecot-acl file to

see: http://wiki2.dovecot.org/ACL

There is the "owner" identifier. But, IMHO, the owner always has the permission to change the ACLs.

> specify protected folders in the archives@ Maildir but it did not work:
>
> "Email 2013/*" user=archives lrs
> "Email 2014/*" user=archives lrs

The user is named "archives"?

> Also tried this on folders without spaces with no success (the folders were
> still delete-able by the user via the Thunderbird client). Each "Email..."
> folder has several child folders that should also be read-only.

Better use doveadm acl add command to change ACLs. For whatever reason, I found the ACLs may not get effective immediately otherwise.

If you really want to have readonly-Submailboxes, you need to do it via filesystem permissions.

> BTW, what is the maximum size for a Maildir that Dovecot can comfortably
> handle?

I haven't found a mail client, that could cope with Dovecot's limits, so I cannot say. Or to phrase this sentence differently, if there was trouble, the client couldn't cope with the number of messages.

--
Steffen Kaiser
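
Added example, not part of either message and not Dovecot code: a small checker for the global ACL file lines quoted in the thread, reporting which mailboxes each line covers and which rights beyond lookup/read/write-seen it grants. Assumptions: patterns match shell-style (approximated here with Python's fnmatch, where `*` also crosses the hierarchy separator), quoted patterns are split as in the post, only plain right letters are handled, and the mailbox names are constructed. It does not model Dovecot's default or owner rights.

```python
import fnmatch
import shlex

# Right letters used by Dovecot's acl plugin (IMAP ACL, RFC 4314).
RIGHTS = {"l": "lookup", "r": "read", "w": "write", "s": "write-seen",
          "t": "write-deleted", "i": "insert", "p": "post", "e": "expunge",
          "k": "create", "x": "delete", "a": "admin"}
CHANGING = "wtipekxa"  # anything beyond lookup / read / write-seen

def parse_global_acl(text):
    """Parse '<mailbox pattern> <identifier> <rights>' lines into tuples."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        fields = shlex.split(raw)  # assumption: quoting as written in the post
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected pattern, identifier, rights")
        pattern, identifier, rights = fields
        if set(rights) - set(RIGHTS):
            raise ValueError(f"line {lineno}: unknown right letter in {rights!r}")
        entries.append((pattern, identifier, rights))
    return entries

def audit(entries, identifier, mailboxes):
    """Map mailbox -> None (no line matches) or list of changing rights granted."""
    report = {}
    for box in mailboxes:
        granted = None
        for pattern, ident, rights in entries:
            if ident == identifier and fnmatch.fnmatchcase(box, pattern):
                granted = (granted or "") + rights
        if granted is None:
            report[box] = None  # not covered by the file at all
        else:
            report[box] = [RIGHTS[c] for c in CHANGING if c in granted]
    return report

# The two lines from the original post.
ACL_FILE = '"Email 2013/*" user=archives lrs\n"Email 2014/*" user=archives lrs\n'
# Constructed mailbox names, assuming "/" is the hierarchy separator.
MAILBOXES = ["Email 2013", "Email 2013/Invoices", "Email 2014/Clients/Acme", "INBOX"]

if __name__ == "__main__":
    result = audit(parse_global_acl(ACL_FILE), "user=archives", MAILBOXES)
    for box, changing in result.items():
        state = "no matching line" if changing is None else (changing or "read-only line")
        print(f"{box!r}: {state}")
```

With the posted lines, the child folders match but the parent "Email 2013" itself does not, so a separate line without the `/*` suffix is needed for the parent to be covered by the file.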