IMAP ACLs reference

There is some confusion about IMAP ACLs, and how they are used and implemented by MDaemon, Outlook Connector and WorldClient.

First, what are ACLs? ACL stands for “Access Control List”, and ACLs are a way of controlling who can see a folder, and what rights a user has within that folder.

There are 10 defined ACLs supported by MDaemon:

  • l – lookup (mailbox is visible to LIST/LSUB commands)
  • r – read (SELECT the mailbox, perform CHECK, FETCH, PARTIAL, SEARCH, COPY from mailbox)
  • s – keep seen/unseen information across sessions (STORE SEEN flag)
  • w – write (STORE flags other than SEEN and DELETED)
  • i – insert (perform APPEND, COPY into mailbox)
  • p – post (send mail to submission address for mailbox, not enforced by IMAP4 itself)
  • c – create (CREATE new sub-mailboxes in any implementation-defined hierarchy)
  • d – delete (STORE DELETED flag, perform EXPUNGE)
  • a – administer (perform SETACL)

Note the differences between “write”, “insert”, “post” and “create” as these tend to confuse people somewhat.

Outlook Connector (and MDaemon Groupware before it) rely on the same set of IMAP ACLs, but implement them somewhat differently. For example, IMAP has no concept of “editing” an item, so instead, when you modify an item in Outlook Connector, Outlook Connector will INSERT a new item and DELETE the old item, so to edit, you require both the INSERT and DELETE rights.

In non-email folders, the “keep seen/unseen”, “w – write”, “p – post” rights are not used and can be ignored.

WorldClient implements ACLs in a nearly identical fashion to MDaemon and Outlook Connector, emulating as many of the permissions as closely as possible.

Note that users own all folders contained within their mailboxes at all times, and the owner of a folder always has all rights and even if these rights aren’t explicitly listed, they are granted. Public folders don’t have an owner.

Lastly, note that ACLs are inherited by subfolders when they are created, but permission changes to a parent don’t apply to children unless the administrator uses the “Set sub” folder to set permissions on subfolders.

Why did MDaemon just restart?

For those wondering why MDaemon unexpectedly restarted, it’s due to a SecurityPlus update.  Alt-N has a knowledgebase article discussing this behaviour.

If you prefer to avoid this situation in the future, there is an option available (also described in the KB article) to avoid automatic updates, however, be certain to monitor for updates manually as several times in the past SecurityPlus was updated due to changes in the definitions update process.

Outlook has blocked access to unsafe attachments

Outlook assumes that users aren’t smart enough to be allowed access to executable file types. This assumption may or may not be valid, depending on your user base.

Microsoft has a writeup with an explanation, but the basic idea is pretty straightforward. Also available is the list of attachments blocked in Outlook 2007.

If you’ve decided your users should have access to certain restricted file types, the process is actually very simple; just a quick registry edit and you’re on your way.

  1. Start…Run…”regedit”
  2. Go to HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Security
  3. Create a new string value called Level1Remove
  4. Enter in the file extensions you want to use, such as .exe or .bat
  5. You can have multiple file types separated by a semicolon like this: “.exe;.com”

This applies to Outlook whether or not you use Outlook Connector.