Configuration files go to this directory. See example configuration files in
-/usr/share/doc/dovecot/example-config/
+/usr/share/doc/dovecot-core/example-config/
# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
# matches the local IP (ie. you're connecting from the same computer), the
# connection is considered secure and plaintext authentication is allowed.
+# See also ssl=required setting.
#disable_plaintext_auth = yes
# Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
# the standard variables here, eg. %Lu would lowercase the username, %n would
# drop away the domain if it was given, or "%n-AT-%d" would change the '@' into
# "-AT-". This translation is done after auth_username_translation changes.
-#auth_username_format =
+#auth_username_format = %Lu
# If you want to allow master users to log in by specifying the master
# username within the normal username string (ie. not using SASL mechanism's
# If you enable this, you'll also need to add inet_listener for the port.
#director_doveadm_port = 0
+# How the username is translated before being hashed. Useful values include
+# %Ln if user can log in with or without @domain, %Ld if mailboxes are shared
+# within domain.
+#director_username_hash = %Lu
+
# To enable director service, uncomment the modes and assign a port.
service director {
unix_listener login/director {
# In case of password mismatches, log the attempted password. Valid values are
# no, plain and sha1. sha1 can be useful for detecting brute force password
# attempts vs. user simply trying the same password over and over again.
+# You can also truncate the value to n chars by appending ":n" (e.g. sha1:6).
#auth_verbose_passwords = no
# Even more verbose logging for debugging purposes. Shows for example SQL
# string.
#login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c
-# Login log format. %$ contains login_log_format_elements string, %s contains
+# Login log format. %s contains login_log_format_elements string, %$ contains
# the data we want to log.
#login_log_format = %$: %s
# namespaces you'll typically want to enable ACL plugin also, otherwise all
# users can access all the shared mailboxes, assuming they have permissions
# on filesystem level to do so.
-#
-# REMEMBER: If you add any namespaces, the default namespace must be added
-# explicitly, ie. mail_location does nothing unless you have a namespace
-# without a location setting. Default namespace is simply done by having a
-# namespace with empty prefix.
-#namespace {
+namespace inbox {
# Namespace type: private, shared or public
#type = private
# There can be only one INBOX, and this setting defines which namespace
# has it.
- #inbox = no
+ inbox = yes
# If namespace is hidden, it's not advertised to clients via NAMESPACE
# extension. You'll most likely also want to set list=no. This is mostly
# Namespace handles its own subscriptions. If set to "no", the parent
# namespace handles them (empty prefix should always have this as "yes")
#subscriptions = yes
-#}
+}
# Example shared namespace configuration
#namespace {
# List the shared/ namespace only if there are visible shared mailboxes.
#list = children
#}
+# Should shared INBOX be visible as "shared/user" or "shared/user/INBOX"?
+#mail_shared_explicit_inbox = no
# System user and group used to access mails. If you use multiple, userdb
# can override these by returning uid or gid fields. You can use either numbers
# or ~user/.
#mail_full_filesystem_access = no
+# Dictionary for key=value mailbox attributes. Currently used by URLAUTH, but
+# soon intended to be used by METADATA as well.
+#mail_attribute_dict =
+
##
## Mail processes
##
## Mailbox handling optimizations
##
+# Mailbox list indexes can be used to optimize IMAP STATUS commands. They are
+# also required for IMAP NOTIFY extension to be enabled.
+#mailbox_list_index = no
+
# The minimum number of mails in a mailbox before updates are done to cache
# file. This allows optimizing Dovecot's behavior to do less disk writes at
# the cost of more disk reads.
# the extra CRs wrong and cause problems.
#mail_save_crlf = no
+# Max number of mails to keep open and prefetch to memory. This only works with
+# some mailbox formats and/or operating systems.
+#mail_prefetch_count = 0
+
+# How often to scan for stale temporary files and delete them (0 = never).
+# These should exist only after Dovecot dies in the middle of saving mails.
+#mail_temp_scan_interval = 1w
+
##
## Maildir-specific settings
##
# when its mtime changes unexpectedly or when we can't find the mail otherwise.
#maildir_very_dirty_syncs = no
+# If enabled, Dovecot doesn't use the S=<size> in the Maildir filenames for
+# getting the mail's physical size, except when recalculating Maildir++ quota.
+# This can be useful in systems where a lot of the Maildir filenames have a
+# broken size. The performance hit for enabling this is very small.
+#maildir_broken_filename_sizes = no
+
##
## mbox-specific settings
##
# in is important to avoid deadlocks if other MTAs/MUAs are using multiple
# locking methods as well. Some operating systems don't allow using some of
# them simultaneously.
+#
+# The Debian value for mbox_write_locks differs from upstream Dovecot. It is
+# changed to be compliant with Debian Policy (section 11.6) for NFS safety.
+# Dovecot: mbox_write_locks = dotlock fcntl
+# Debian: mbox_write_locks = fcntl dotlock
+#
#mbox_read_locks = fcntl
-#mbox_write_locks = dotlock fcntl
+#mbox_write_locks = fcntl dotlock
# Maximum time to wait for lock (all of them) before aborting.
#mbox_lock_timeout = 5 mins
# If an index file already exists it's still read, just not updated.
#mbox_min_index_size = 0
+# Mail header selection algorithm to use for MD5 POP3 UIDLs when
+# pop3_uidl_format=%m. For backwards compatibility we use apop3d inspired
+# algorithm, but it fails if the first Received: header isn't unique in all
+# mails. An alternative algorithm is "all" that selects all headers.
+#mbox_md5 = apop3d
+
##
## mdbox-specific settings
##
# also allows single instance storage for them. Other backends don't support
# this for now.
-# WARNING: This feature hasn't been tested much yet. Use at your own risk.
-
# Directory root where to store mail attachments. Disabled, if empty.
#mail_attachment_dir =
# followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
#ssl_ca =
+# Require that CRL check succeeds for client certificates.
+#ssl_require_crl = yes
+
+# Directory and/or file for trusted SSL CA certificates. These are used only
+# when Dovecot needs to act as an SSL client (e.g. imapc backend). The
+# directory is usually /etc/ssl/certs in Debian-based systems and the file is
+# /etc/pki/tls/cert.pem in RedHat-based systems.
+#ssl_client_ca_dir =
+#ssl_client_ca_file =
+
# Request client to send a certificate. If you also want to require it, set
# auth_ssl_require_client_cert=yes in auth section.
#ssl_verify_client_cert = no
# auth_ssl_username_from_cert=yes.
#ssl_cert_username_field = commonName
+# DH parameters length to use.
+#ssl_dh_parameters_length = 1024
+
# How often to regenerate the SSL parameters file. Generation is quite CPU
# intensive operation. The value is in hours, 0 disables regeneration
# entirely.
#ssl_parameters_regenerate = 168
+# SSL protocols to use
+#ssl_protocols = !SSLv2
+
# SSL ciphers to use
#ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
+
+# Prefer the server's order of ciphers over client's.
+#ssl_prefer_server_ciphers = no
+
+# SSL crypto device to use, for valid values run "openssl engine"
+#ssl_crypto_device =
##
# Address to use when sending rejection mails.
-# Default is postmaster@<your domain>.
+# Default is postmaster@<your domain>. %d expands to recipient domain.
#postmaster_address =
-# Hostname to use in various parts of sent mails, eg. in Message-Id.
-# Default is the system's real hostname.
+# Hostname to use in various parts of sent mails (e.g. in Message-Id) and
+# in LMTP replies. Default is the system's real hostname@domain.
#hostname =
# If user is over quota, return with temporary failure instead of
plugin {
#quota_rule = *:storage=1G
#quota_rule2 = Trash:storage=+100M
+
+ # LDA/LMTP allows saving the last mail to bring user from under quota to
+ # over quota, if the quota doesn't grow too high. Default is to allow as
+ # long as quota will stay under 10% above the limit. Also allowed e.g. 10M.
+ #quota_grace = 10%%
}
##
##
## Settings for the Sieve interpreter
-##
+##
# Do not forget to enable the Sieve plugin in 15-lda.conf and 20-lmtp.conf
# by adding it to the respective mail_plugins= settings.
# command line tool.
# --> See sieve_before fore executing scripts before the user's personal
# script.
- #sieve_global_path = /var/lib/dovecot/sieve/default.sieve
+ #sieve_default = /var/lib/dovecot/sieve/default.sieve
# Directory for :personal include scripts for the include extension. This
# is also where the ManageSieve service stores the user's scripts.
sieve_dir = ~/sieve
- # Directory for :global include scripts for the include extension.
+ # Directory for :global include scripts for the include extension.
#sieve_global_dir =
# Path to a script file or a directory containing script files that need to be
# executed before the user's script. If the path points to a directory, all
# the Sieve scripts contained therein (with the proper .sieve extension) are
- # executed. The order of execution is determined by the file names, using a
- # normal 8bit per-character comparison.
+ # executed. The order of execution within a directory is determined by the
+ # file names, using a normal 8bit per-character comparison. Multiple script
+ # file or directory paths can be specified by appending an increasing number.
#sieve_before =
+ #sieve_before2 =
+ #sieve_before3 = (etc...)
# Identical to sieve_before, only the specified scripts are executed after the
- # user's script (only when keep is still in effect!).
+ # user's script (only when keep is still in effect!). Multiple script file or
+ # directory paths can be specified by appending an increasing number.
#sieve_after =
-
- # Which Sieve language extensions are available to users. By default, all
+ #sieve_after2 =
+ #sieve_after2 = (etc...)
+
+ # Which Sieve language extensions are available to users. By default, all
# supported extensions are available, except for deprecated extensions or
# those that are still under development. Some system administrators may want
# to disable certain Sieve extensions or enable those that are not available
# by default. This setting can use '+' and '-' to specify differences relative
# to the default. For example `sieve_extensions = +imapflags' will enable the
- # deprecated imapflags extension in addition to all extensions thatwere
- # already enabled by default.
+ # deprecated imapflags extension in addition to all extensions were already
+ # enabled by default.
#sieve_extensions = +notify +imapflags
+ # Which Sieve language extensions are ONLY available in global scripts. This
+ # can be used to restrict the use of certain Sieve extensions to administrator
+ # control, for instance when these extensions can cause security concerns.
+ # This setting has higher precedence than the `sieve_extensions' setting
+ # (above), meaning that the extensions enabled with this setting are never
+ # available to the user's personal script no matter what is specified for the
+ # `sieve_extensions' setting. The syntax of this setting is similar to the
+ # `sieve_extensions' setting, with the difference that extensions are
+ # enabled or disabled for exclusive use in global scripts. Currently, no
+ # extensions are marked as such by default.
+ #sieve_global_extensions =
+
# The Pigeonhole Sieve interpreter can have plugins of its own. Using this
# setting, the used plugins can be specified. Check the Dovecot wiki
# (wiki2.dovecot.org) or the pigeonhole website
# (http://pigeonhole.dovecot.org) for available plugins.
+ # The sieve_extprograms plugin is included in this release.
#sieve_plugins =
- # The separator that is expected between the :user and :detail
- # address parts introduced by the subaddress extension. This may
- # also be a sequence of characters (e.g. '--'). The current
- # implementation looks for the separator from the left of the
- # localpart and uses the first one encountered. The :user part is
+ # The separator that is expected between the :user and :detail
+ # address parts introduced by the subaddress extension. This may
+ # also be a sequence of characters (e.g. '--'). The current
+ # implementation looks for the separator from the left of the
+ # localpart and uses the first one encountered. The :user part is
# left of the separator and the :detail part is right. This setting
# is also used by Dovecot's LMTP service.
#recipient_delimiter = +
- # The maximum size of a Sieve script. The compiler will refuse to
- # compile any script larger than this limit.
+ # The maximum size of a Sieve script. The compiler will refuse to compile any
+ # script larger than this limit. If set to 0, no limit on the script size is
+ # enforced.
#sieve_max_script_size = 1M
- # The maximum number of actions that can be performed during a single
- # script execution.
+ # The maximum number of actions that can be performed during a single script
+ # execution. If set to 0, no limit on the total number of actions is enforced.
#sieve_max_actions = 32
- # The maximum number of redirect actions that can be performed during
- # a single script execution.
+ # The maximum number of redirect actions that can be performed during a single
+ # script execution. If set to 0, no redirect actions are allowed.
#sieve_max_redirects = 4
- # The maximum number of personal Sieve scripts a single user can have.
+ # The maximum number of personal Sieve scripts a single user can have. If set
+ # to 0, no limit on the number of scripts is enforced.
# (Currently only relevant for ManageSieve)
#sieve_quota_max_scripts = 0
- # The maximum amount of disk storage a single user's scripts may occupy.
- # (Currently only relevant for ManageSieve)
+ # The maximum amount of disk storage a single user's scripts may occupy. If
+ # set to 0, no limit on the used amount of disk storage is enforced.
+ # (Currently only relevant for ManageSieve)
#sieve_quota_max_storage = 0
}
-# Deny access for users. Included from auth.conf.
+# Deny access for users. Included from 10-auth.conf.
# Users can be (temporarily) disabled by adding a passdb with deny=yes.
# If the user is found from that database, authentication will fail.
-# Authentication for master users. Included from auth.conf.
+# Authentication for master users. Included from 10-auth.conf.
# By adding master=yes setting inside a passdb you make the passdb a list
# of "master users", who can log in as anyone else.
-# Authentication for passwd-file users. Included from auth.conf.
+# Authentication for passwd-file users. Included from 10-auth.conf.
#
# passwd-like file with specified location.
# <doc/wiki/AuthDatabase.PasswdFile.txt>
passdb {
driver = passwd-file
- args = /etc/dovecot/extra-users.passwd
+ args = scheme=CRYPT username_format=%u /etc/dovecot/extra-users.passwd
}
-#passdb {
-# driver = passwd-file
-# args = scheme=CRYPT username_format=%u /etc/dovecot/users
-#}
+userdb {
+ driver = passwd-file
+ args = username_format=%u /etc/dovecot/extra-users.passwd
+
+ # Default fields that can be overridden by passwd-file
+ #default_fields = quota_rule=*:storage=1G
-#userdb {
-# driver = passwd-file
-# args = username_format=%u /etc/dovecot/users
-#}
+ # Override fields from passwd-file
+ #override_fields = home=/home/virtual/%u
+}
-# Static passdb. Included from auth.conf.
+# Static passdb. Included from 10-auth.conf.
# This can be used for situations where Dovecot doesn't need to verify the
# username or the password, or if there is a single password for all users:
-# Authentication for system users. Included from auth.conf.
+# Authentication for system users. Included from 10-auth.conf.
#
# <doc/wiki/PasswordDatabase.txt>
# <doc/wiki/UserDatabase.txt>
driver = passwd
# [blocking=no]
#args =
+
+ # Override fields from passwd
+ #override_fields = home=/home/virtual/%u
}
# Static settings generated from template <doc/wiki/UserDatabase.Static.txt>
-# Authentication for vpopmail users. Included from auth.conf.
+# Authentication for vpopmail users. Included from 10-auth.conf.
#
# <doc/wiki/AuthDatabase.VPopMail.txt>
+# This file is commonly accessed via dict {} section in dovecot.conf
+
#connect = host=localhost dbname=mails user=testuser password=pass
# CREATE TABLE quota (
+# This file is commonly accessed via passdb {} or userdb {} section in
+# conf.d/auth-sql.conf.ext
+
# This file is opened as root, so it should be owned by root and mode 0600.
#
# http://wiki2.dovecot.org/AuthDatabase/SQL
# and tabs are ignored. If you want to use either of these explicitly, put the
# value inside quotes, eg.: key = "# char and trailing whitespace "
+# Most (but not all) settings can be overridden by different protocols and/or
+# source/destination IPs by placing the settings inside sections, for example:
+# protocol imap { }, local 127.0.0.1 { }, remote 10.0.0.0/8 { }
+
# Default values are shown for each setting, it's not required to uncomment
# those. These are exceptions to this though: No sections (e.g. namespace {})
# or plugin settings are added by default, they're listed only as examples.
# Base directory where to store runtime data.
#base_dir = /var/run/dovecot/
-# Name of this instance. Used to prefix all Dovecot processes in ps output.
+# Name of this instance. In multi-instance setup doveadm and other commands
+# can use -i <instance_name> to select which instance is used (an alternative
+# to -c <config_path>). The instance name is also added to Dovecot processes
+# in ps output.
#instance_name = dovecot
# Greeting message for clients.
# these networks. Typically you'd specify your IMAP proxy servers here.
#login_trusted_networks =
-# Sepace separated list of login access check sockets (e.g. tcpwrap)
+# Space separated list of login access check sockets (e.g. tcpwrap)
#login_access_sockets =
+# With proxy_maybe=yes if proxy destination matches any of these IPs, don't do
+# proxying. This isn't necessary normally, but may be useful if the destination
+# IP is e.g. a load balancer's IP.
+#auth_proxy_self =
+
# Show more verbose process titles (in ps). Currently shows user name and
# IP address. Useful for seeing who are actually using the IMAP processes
# (eg. shared mailboxes or if same uid is used for multiple accounts).
projects / sysconfig / dovecot.git / commitdiff