On 2006-11-21 at 16:44 -0600, Rich Graves wrote:
> UW-IMAP has no concept of ACLs; to make a mailbox read-only, you simply
> manipulate file system permissions. Cyrus has proper ACLs that are
> shared between mail delivery and imapd. It's not obvious what you would
> want to hack in order to make lmtpd's view of ACLs and mailbox paths
> different than imapd's.

lmtpd ignores posting permissions when delivering directly to INBOX
folders. It's the final parameter of imap/lmtpd.c:deliver_mailbox(),
acloverride.

Cyrus can _always_ deliver new mail to user inboxes via LMTP; permissions
apply for direct delivery to subfolders by +extension addressing and for
shared folders, etc.

So you probably want to script up an admin tool which, for a user "fred",
connects up, does two LISTs:

  LIST "" "user.fred"
  LIST "" "user.fred.*"

(or "/" instead of ".", depending upon config), then does a GETACL for
every folder returned; dump those results out to a backup file in the
local filesystem, where a restore tool can automatically put the privs
back, then loop through and for every folder, for each identifier with
positive rights, remove those rights.

The only bit to be really cautious of is to be sure that a restore script
properly deals with negative ACL rights, if a user has shared folders
which are semi-public, to deal with privacy issues.

All AIUI.

-Phil

----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
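A sketch of the backup, lock and restore planning described in the message above, as an added example that is not part of the original post or of Cyrus itself. It assumes GETACL replies in the RFC 4314 `* ACL mailbox identifier rights ...` form without IMAP literals, uses constructed sample responses and hypothetical function names, and emits the command text rather than connecting to a server.

```python
import json
import shlex

# Constructed sample: untagged GETACL responses for user "fred".
SAMPLE = [
    '* ACL user.fred fred lrswipkxtecda',
    '* ACL user.fred.lists fred lrswipkxtecda anyone p',
    '* ACL "user.fred.shared notes" fred lrswipkxtecda staff lrs -mallory lrs',
]

def quote(s):
    """Render a value as an IMAP quoted string."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'

def parse_acl(line):
    """Return (mailbox, [(identifier, rights), ...]) from one '* ACL' response."""
    tokens = shlex.split(line)
    # Expect "*", "ACL", mailbox, then identifier/rights pairs: an odd token count.
    if len(tokens) < 3 or tokens[:2] != ["*", "ACL"] or len(tokens) % 2 == 0:
        raise ValueError(f"not a well-formed ACL response: {line!r}")
    return tokens[2], list(zip(tokens[3::2], tokens[4::2]))

def backup(lines):
    """Backup document {mailbox: [[identifier, rights], ...]}, JSON-serialisable."""
    return {m: [list(p) for p in pairs] for m, pairs in map(parse_acl, lines)}

def lock_commands(saved):
    """DELETEACL for every positive entry; negative ("-id") entries stay in place."""
    return [f"DELETEACL {quote(m)} {quote(i)}"
            for m, pairs in saved.items()
            for i, _ in pairs if not i.startswith("-")]

def restore_commands(saved):
    """SETACL for every saved entry, negative entries first within each mailbox,
    so a denial is back in force before any grant it restricts reappears."""
    cmds = []
    for m, pairs in saved.items():
        for i, r in sorted(pairs, key=lambda p: not p[0].startswith("-")):
            cmds.append(f"SETACL {quote(m)} {quote(i)} {quote(r)}")
    return cmds

if __name__ == "__main__":
    # Round-trip through JSON, as writing and re-reading the backup file would.
    saved = json.loads(json.dumps(backup(SAMPLE)))
    print("\n".join(lock_commands(saved) + restore_commands(saved)))
```

Because LMTP delivery to INBOX overrides ACLs, as the message notes, a lock built this way does not stop new mail from arriving in the user's INBOX.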