dovecot - Aug 2019 - ACL ignored for master users

Hi there!

I can't get ACL working for master users. Login as master user works fine
though, and I am able to access any mailbox using the auth_master_user_separator
"*", tested e.g. via Python's imaplib:

import imaplib
imap = imaplib.IMAP4_SSL('imap.example.com')
imap.login('foo at example.com*admin-acldemo', '**********')
('OK', [b'Logged in'])

My /etc/dovecot/dovecot-acl looks like this:

* user=admin lr
bar at example.com user=admin-acldemo lr

So, if I didn't misunderstand
https://wiki.dovecot.org/Authentication/MasterUsers and
https://wiki.dovecot.org/ACL documentation, this should only give
"admin" master user access to all mailaccounts and limiting
"admin-acldemo" master user to only a single mailaccount. That's
what I would like to accomplish.
But no matter what I put into dovecot-acl (it could even be empty), master users
always have access to all existing mailaccounts. The whole dovecot-acl seems to
be ignored and there are no logs pointing to any problem (syntax, access
permissions) with that file.

In mail.log I am getting a successful login message:
dovecot: imap-login: Login: user=<foo at example.com>, method=PLAIN, ...
So the login with "foo at example.com*admin-acldemo" seems to get
resolved to a regular "foo at example.com" user login.

My current setup (relevant config options):

# 2.3.7.1 (0152c8b10): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.7.1 (db5c74be)
# OS: Linux 4.15.18-18-pve x86_64 Debian 9.9 
auth_master_user_separator = *
mail_plugins = quota acl
passdb {
 args = /etc/dovecot/passwd.masterusers
 driver = passwd-file
 master = yes
 pass = yes
}
plugin {
 acl = vfile:/etc/dovecot/dovecot-acl
 acl_user = %u
 master_user = %u
}
protocol lmtp {
 mail_plugins = quota acl sieve
}
protocol lda {
 mail_plugins = quota acl sieve
}
protocol imap {
 mail_plugins = quota acl imap_acl imap_quota
}

On ACL documentation it says:
> Note that master users have their own ACLs. They're not the the mailbox
owners, so by default they have no permissions to any of the mailboxes
and on Authentication/MasterUsers documentation:
> If ACL plugin is enabled, the Master user is still subject to ACLs just
like any other user, which means that by default the master user has no access
to any mailboxes of the user.
So it must be somehow possible to limit master users to specific mailbox(es) via
ACL. I could allow master users to be able to log in as themselves, by adding
two passdb sections (one with `master = yes`, the other `master = no`), but then
I see no way to do a user context switch (where ACLs would get respected...)
after logging in with "admin".

Any help greatly appreciated! Thanks in advance.
Cheers,
Philip

Sorry about double posting. Thought my previous post didn't make it through.
Still struggling with this problem...
> On 14 Aug 2019, at 15:21, Philip Iezzi <lists at iezzi.ch> wrote:
> 
> Hi there!
> 
> I can't get ACL working for master users. Login as master user works
fine though, and I am able to access any mailbox using the
auth_master_user_separator "*", tested e.g. via Python's imaplib:
> 
> import imaplib
> imap = imaplib.IMAP4_SSL('imap.example.com')
> imap.login('foo at example.com*admin-acldemo',
'**********')
> ('OK', [b'Logged in'])
> 
> My /etc/dovecot/dovecot-acl looks like this:
> 
> * user=admin lr
> bar at example.com user=admin-acldemo lr
> 
> So, if I didn't misunderstand
https://wiki.dovecot.org/Authentication/MasterUsers and
https://wiki.dovecot.org/ACL documentation, this should only give
"admin" master user access to all mailaccounts and limiting
"admin-acldemo" master user to only a single mailaccount. That's
what I would like to accomplish.
> But no matter what I put into dovecot-acl (it could even be empty), master
users always have access to all existing mailaccounts. The whole dovecot-acl
seems to be ignored and there are no logs pointing to any problem (syntax,
access permissions) with that file.
> 
> In mail.log I am getting a successful login message:
> dovecot: imap-login: Login: user=<foo at example.com>, method=PLAIN,
...
> So the login with "foo at example.com*admin-acldemo" seems to get
resolved to a regular "foo at example.com" user login.
> 
> My current setup (relevant config options):
> 
> # 2.3.7.1 (0152c8b10): /etc/dovecot/dovecot.conf
> # Pigeonhole version 0.5.7.1 (db5c74be)
> # OS: Linux 4.15.18-18-pve x86_64 Debian 9.9 
> auth_master_user_separator = *
> mail_plugins = quota acl
> passdb {
> args = /etc/dovecot/passwd.masterusers
> driver = passwd-file
> master = yes
> pass = yes
> }
> plugin {
> acl = vfile:/etc/dovecot/dovecot-acl
> acl_user = %u
> master_user = %u
> }
> protocol lmtp {
> mail_plugins = quota acl sieve
> }
> protocol lda {
> mail_plugins = quota acl sieve
> }
> protocol imap {
> mail_plugins = quota acl imap_acl imap_quota
> }
> 
> On ACL documentation it says:
> 
>> Note that master users have their own ACLs. They're not the the
mailbox owners, so by default they have no permissions to any of the mailboxes
> 
> and on Authentication/MasterUsers documentation:
> 
>> If ACL plugin is enabled, the Master user is still subject to ACLs just
like any other user, which means that by default the master user has no access
to any mailboxes of the user.
> 
> So it must be somehow possible to limit master users to specific
mailbox(es) via ACL. I could allow master users to be able to log in as
themselves, by adding two passdb sections (one with `master = yes`, the other
`master = no`), but then I see no way to do a user context switch (where ACLs
would get respected...) after logging in with "admin".
> 
> Any help greatly appreciated! Thanks in advance.
> Cheers,
> Philip
>