In this specific setup I want to forbid clients to create mailboxes other than the default ones. I searched for this in the documentation but found nothing.
I'm using Dovecot with virtual users.
Dovecot supports the IMAP ACL extension, which allows configuring fine-grained mailbox privileges. Among those, there is the create permission, allowing (or denying) the creation of new (sub)mailboxes.
Enable the ACL plugin as described in the Dovecot configuration manual by editing dovecot.conf (or the respective conf.d files as set up by your distribution). From the Dovecot manual:
mail_plugins = acl
protocol imap {
  mail_plugins = $mail_plugins imap_acl
}
plugin {
  # Without global ACLs:
  acl = vfile
  # With global ACL files in /etc/dovecot/dovecot-acls file (v2.2.11+):
  #acl = vfile:/etc/dovecot/dovecot-acl
  # With global ACLs in /etc/dovecot/acls/ directory (obsolete):
  #acl = vfile:/etc/dovecot/acls
  # If enabled, don't try to find dovecot-acl files from mailbox directories.
  # This reduces unnecessary disk I/O when only global ACLs are used. (v2.2.31+)
  #acl_globals_only = yes
}
Instead of manually editing the ACL files, using Dovecot's management tool doveadm acl is preferred. To remove the create permission, use the following command line (don't delete the whole ACL; you might also have to create one before starting). -u user denotes the mailbox owner (i.e., the user to change the mailbox for). id denotes the user whose ACLs you want to modify (you can also give access to other users through ACLs), for example user=user_name or anyone.
doveadm acl remove [-u user|-A|-F file] [-S socket_path] mailbox id right [right ...]
You might also want to read about ACL inheritance, although this is less important as you want to deny creation of new mailboxes anyway.
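The doveadm step from the answer above, written out as an added example (not part of the original answer or of the Dovecot manual): it gives the owner an explicit ACL entry without create, then checks `doveadm acl get` output for any entry that still carries it. The function names, the `DOVEADM` override and the rights list are assumptions of this example; admin is dropped as well because, with imap_acl enabled, a user holding admin can change the ACL again.

```shell
#!/bin/sh
# Added example: restrict mailbox creation through explicit owner ACLs.
# DOVEADM may be overridden (e.g. DOVEADM=echo) for a dry run.
DOVEADM=${DOVEADM:-doveadm}

# Rights the owner keeps (assumption of this example): all standard rights
# except "create" and "admin".
OWNER_RIGHTS="lookup read write write-seen write-deleted insert post expunge delete"

# deny_create USER MAILBOX...
# Replaces the owner's ACL entry on each named mailbox with OWNER_RIGHTS,
# so an entry exists even if the mailbox had no ACL before.
deny_create() {
    user=$1; shift
    for mbox in "$@"; do
        # OWNER_RIGHTS is left unquoted on purpose: one argument per right.
        "$DOVEADM" acl set -u "$user" "$mbox" owner $OWNER_RIGHTS || return 1
    done
}

# grants_create: reads `doveadm acl get` output on stdin and succeeds
# if any entry lists the create right.
grants_create() {
    grep -qw create
}

# audit_create USER MAILBOX...
# Prints every mailbox where some ACL entry still grants create;
# returns non-zero if at least one was found.
audit_create() {
    user=$1; shift
    rc=0
    for mbox in "$@"; do
        if "$DOVEADM" acl get -u "$user" "$mbox" | grants_create; then
            echo "$mbox"
            rc=1
        fi
    done
    return $rc
}

# Typical use (placeholder user and mailbox names):
#   deny_create  user@example.com INBOX Sent Drafts Trash
#   audit_create user@example.com INBOX Sent Drafts Trash
```

Run `audit_create` again after any later ACL change, since entries for other ids (user=..., anyone) are also checked.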