dovecot - Aug 2017 - Hide public mailboxes from some users

Hi all,


I'm trying to set up public mailboxes for a subset of my users. This is on 
dovecot 2.2.27.

I've created a new public namespace, and the new mailboxes indeed show up
for
everyone. So far so good. Now I want to restrict access: these mailboxes 
shouldn't be visible at all except to a fixed list of users. This part I
can't
seem to get working.

I've added acl data along these lines:

```
pubbox anyone 
pubbox/* anyone 

pubbox user=me at example.com lrwstipekxa
pubbox/* user=me at example.com lrwstipekxa
```

However, other users can still see "pubbox" and its subfolders,
although they
can't actually view the contents. This is corroborated by some of the output
of `doveadm mailbox list`:

```
# doveadm -D mailbox list -u other at example.com
?
doveadm(other at example.com): Debug: Namespace : type=public, prefix=pubbox/, 
sep=/, inbox=no, hidden=no, list=children, subscriptions=no
?
doveadm(other at example.com): Debug: Mailbox 'pubbox/Drafts' matches
global ACL
pattern 'pubbox/*'
doveadm(other at example.com): Debug: Mailbox 'pubbox/Drafts' matches
global ACL
pattern 'pubbox/*'
doveadm(other at example.com): Debug: acl vfile: reading file 
/mnt/data/mail/example.com/public/pubbox/mail/Drafts/dovecot-acl
doveadm(other at example.com): Debug: acl: No lookup right to mailbox: 
pubbox/Drafts
doveadm(other at example.com): Debug: Mailbox 'pubbox/Sent' matches
global ACL
pattern 'pubbox/*'
doveadm(other at example.com): Debug: Mailbox 'pubbox/Sent' matches
global ACL
pattern 'pubbox/*'
doveadm(other at example.com): Debug: acl vfile: reading file 
/mnt/data/mail/example.com/public/pubbox/mail/Sent/dovecot-acl
doveadm(other at example.com): Debug: acl: No lookup right to mailbox: 
pubbox/Sent
doveadm(other at example.com): Debug: Mailbox 'pubbox' matches global
ACL pattern
'pubbox'
doveadm(other at example.com): Debug: Mailbox 'pubbox' matches global
ACL pattern
'pubbox'
doveadm(other at example.com): Debug: acl vfile: reading file 
/mnt/data/mail/example.com/public/pubbox/mail/dovecot-acl
pubbox
pubbox/Drafts
pubbox/Sent
INBOX
```

Why do these "pubbox/*" mailboxes show up in the `mailbox list`
output, even
though the debug messages say that the user has no lookup right for them? 

`doveadm acl rights` seems to confirm that `other at example.com` does not have 
the lookup right for these mailboxes. So why do they show up in their email 
clients anyway?


Thanks for any advice!

Perhaps my previous email was a bit long. Let me start with a single question.

Is a user without the "lookup" ACL right to a given mailbox supposed
to be
able to see the mailbox listed in their email client?

> Is a user without the "lookup" ACL right to a given mailbox
supposed to be
> able to see the mailbox listed in their email client?
Anything I can try to debug this further? Any hints or suggestions are 
appreciated :-).