From: Alex Dehnert <adehnert@mit.edu>
Date: Sun, 10 Mar 2019 04:42:16 +0000 (+0000)
Subject: New dovecot config from Raspbian
X-Git-Url: https://dehnerts.com/gitweb/?a=commitdiff_plain;h=47f1fb62315ed26bdfa4559339b0a739e69fc4c8;p=sysconfig%2Fdovecot.git

New dovecot config from Raspbian
---

diff --git a/conf.d/10-auth.conf b/conf.d/10-auth.conf
index 5a69bcc..16a0d75 100644
--- a/conf.d/10-auth.conf
+++ b/conf.d/10-auth.conf
@@ -6,6 +6,7 @@
 # SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
 # matches the local IP (ie. you're connecting from the same computer), the
 # connection is considered secure and plaintext authentication is allowed.
+# See also ssl=required setting.
 #disable_plaintext_auth = yes
 
 # Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
@@ -47,7 +48,7 @@
 # the standard variables here, eg. %Lu would lowercase the username, %n would
 # drop away the domain if it was given, or "%n-AT-%d" would change the '@' into
 # "-AT-". This translation is done after auth_username_translation changes.
-#auth_username_format =
+#auth_username_format = %Lu
 
 # If you want to allow master users to log in by specifying the master
 # username within the normal username string (ie. not using SASL mechanism's
diff --git a/conf.d/10-director.conf b/conf.d/10-director.conf
index d2d7664..31e97e9 100644
--- a/conf.d/10-director.conf
+++ b/conf.d/10-director.conf
@@ -25,6 +25,11 @@
 # If you enable this, you'll also need to add inet_listener for the port.
 #director_doveadm_port = 0
 
+# How the username is translated before being hashed. Useful values include
+# %Ln if user can log in with or without @domain, %Ld if mailboxes are shared
+# within domain.
+#director_username_hash = %Lu
+
 # To enable director service, uncomment the modes and assign a port.
 service director {
   unix_listener login/director {
diff --git a/conf.d/10-logging.conf b/conf.d/10-logging.conf
index 7633a67..14798f1 100644
--- a/conf.d/10-logging.conf
+++ b/conf.d/10-logging.conf
@@ -26,6 +26,7 @@
 # In case of password mismatches, log the attempted password. Valid values are
 # no, plain and sha1. sha1 can be useful for detecting brute force password
 # attempts vs. user simply trying the same password over and over again.
+# You can also truncate the value to n chars by appending ":n" (e.g. sha1:6).
 #auth_verbose_passwords = no
 
 # Even more verbose logging for debugging purposes. Shows for example SQL
@@ -59,14 +60,13 @@ plugin {
 # Prefix for each line written to log file. % codes are in strftime(3)
 # format.
 #log_timestamp = "%b %d %H:%M:%S "
-log_timestamp = "%Y-%m-%d %H:%M:%S "
 
 # Space-separated list of elements we want to log. The elements which have
 # a non-empty variable value are joined together to form a comma-separated
 # string.
 #login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c
 
-# Login log format. %$ contains login_log_format_elements string, %s contains
+# Login log format. %s contains login_log_format_elements string, %$ contains
 # the data we want to log.
 #login_log_format = %$: %s
  
@@ -74,7 +74,8 @@ log_timestamp = "%Y-%m-%d %H:%M:%S "
 # possible variables you can use.
 #mail_log_prefix = "%s(%u): "
 
-# Format to use for logging mail deliveries. You can use variables:
+# Format to use for logging mail deliveries. See doc/wiki/Variables.txt for
+# list of all variables you can use. Some of the common ones include:
 #  %$ - Delivery status message (e.g. "saved to INBOX")
 #  %m - Message-ID
 #  %s - Subject
diff --git a/conf.d/10-mail.conf b/conf.d/10-mail.conf
index d32dcd1..c85a187 100644
--- a/conf.d/10-mail.conf
+++ b/conf.d/10-mail.conf
@@ -81,6 +81,8 @@ mail_location = maildir:~/.maildir
   # Namespace handles its own subscriptions. If set to "no", the parent
   # namespace handles them (empty prefix should always have this as "yes")
   #subscriptions = yes
+
+  # See 15-mailboxes.conf for definitions of special mailboxes.
 #}
 
 # Example shared namespace configuration
@@ -103,6 +105,8 @@ mail_location = maildir:~/.maildir
   # List the shared/ namespace only if there are visible shared mailboxes.
   #list = children
 #}
+# Should shared INBOX be visible as "shared/user" or "shared/user/INBOX"?
+#mail_shared_explicit_inbox = no
 
 # System user and group used to access mails. If you use multiple, userdb
 # can override these by returning uid or gid fields. You can use either numbers
@@ -131,6 +135,22 @@ mail_location = maildir:~/.maildir
 # or ~user/.
 #mail_full_filesystem_access = no
 
+# Dictionary for key=value mailbox attributes. This is used for example by
+# URLAUTH and METADATA extensions.
+#mail_attribute_dict =
+
+# A comment or note that is associated with the server. This value is
+# accessible for authenticated users through the IMAP METADATA server
+# entry "/shared/comment". 
+#mail_server_comment = ""
+
+# Indicates a method for contacting the server administrator. According to
+# RFC 5464, this value MUST be a URI (e.g., a mailto: or tel: URL), but that
+# is currently not enforced. Use for example mailto:admin@example.com. This
+# value is accessible for authenticated users through the IMAP METADATA server
+# entry "/shared/admin".
+#mail_server_admin = 
+
 ##
 ## Mail processes
 ##
@@ -149,13 +169,6 @@ mail_location = maildir:~/.maildir
 #   never: Never use it (best performance, but crashes can lose data)
 #mail_fsync = optimized
 
-# Mail storage exists in NFS. Set this to yes to make Dovecot flush NFS caches
-# whenever needed. If you're using only a single mail server this isn't needed.
-#mail_nfs_storage = no
-# Mail index files also exist in NFS. Setting this to yes requires
-# mmap_disable=yes and fsync_disable=no.
-#mail_nfs_index = no
-
 # Locking method for index files. Alternatives are fcntl, flock and dotlock.
 # Dotlocking uses some tricks which may create more disk I/O than other locking
 # methods. NFS users: flock doesn't work, remember to change mmap_disable.
@@ -214,6 +227,10 @@ mail_location = maildir:~/.maildir
 ## Mailbox handling optimizations
 ##
 
+# Mailbox list indexes can be used to optimize IMAP STATUS commands. They are
+# also required for IMAP NOTIFY extension to be enabled.
+#mailbox_list_index = no
+
 # The minimum number of mails in a mailbox before updates are done to cache
 # file. This allows optimizing Dovecot's behavior to do less disk writes at
 # the cost of more disk reads.
@@ -221,7 +238,7 @@ mail_location = maildir:~/.maildir
 
 # When IDLE command is running, mailbox is checked once in a while to see if
 # there are any new mails or other changes. This setting defines the minimum
-# time to wait between those checks. Dovecot can also use dnotify, inotify and
+# time to wait between those checks. Dovecot can also use inotify and
 # kqueue to find out immediately when changes occur.
 #mailbox_idle_check_interval = 30 secs
 
@@ -232,6 +249,14 @@ mail_location = maildir:~/.maildir
 # the extra CRs wrong and cause problems.
 #mail_save_crlf = no
 
+# Max number of mails to keep open and prefetch to memory. This only works with
+# some mailbox formats and/or operating systems.
+#mail_prefetch_count = 0
+
+# How often to scan for stale temporary files and delete them (0 = never).
+# These should exist only after Dovecot dies in the middle of saving mails.
+#mail_temp_scan_interval = 1w
+
 ##
 ## Maildir-specific settings
 ##
@@ -251,6 +276,16 @@ mail_location = maildir:~/.maildir
 # when its mtime changes unexpectedly or when we can't find the mail otherwise.
 #maildir_very_dirty_syncs = no
 
+# If enabled, Dovecot doesn't use the S=<size> in the Maildir filenames for
+# getting the mail's physical size, except when recalculating Maildir++ quota.
+# This can be useful in systems where a lot of the Maildir filenames have a
+# broken size. The performance hit for enabling this is very small.
+#maildir_broken_filename_sizes = no
+
+# Always move mails from new/ directory to cur/, even when the \Recent flags
+# aren't being reset.
+#maildir_empty_new = no
+
 ##
 ## mbox-specific settings
 ##
@@ -269,8 +304,14 @@ mail_location = maildir:~/.maildir
 # in is important to avoid deadlocks if other MTAs/MUAs are using multiple
 # locking methods as well. Some operating systems don't allow using some of
 # them simultaneously.
+#
+# The Debian value for mbox_write_locks differs from upstream Dovecot. It is
+# changed to be compliant with Debian Policy (section 11.6) for NFS safety.
+#       Dovecot: mbox_write_locks = dotlock fcntl
+#       Debian:  mbox_write_locks = fcntl dotlock
+#
 #mbox_read_locks = fcntl
-#mbox_write_locks = dotlock fcntl
+#mbox_write_locks = fcntl dotlock
 
 # Maximum time to wait for lock (all of them) before aborting.
 #mbox_lock_timeout = 5 mins
@@ -304,6 +345,12 @@ mail_location = maildir:~/.maildir
 # If an index file already exists it's still read, just not updated.
 #mbox_min_index_size = 0
 
+# Mail header selection algorithm to use for MD5 POP3 UIDLs when
+# pop3_uidl_format=%m. For backwards compatibility we use apop3d inspired
+# algorithm, but it fails if the first Received: header isn't unique in all
+# mails. An alternative algorithm is "all" that selects all headers.
+#mbox_md5 = apop3d
+
 ##
 ## mdbox-specific settings
 ##
@@ -328,8 +375,6 @@ mail_location = maildir:~/.maildir
 # also allows single instance storage for them. Other backends don't support
 # this for now.
 
-# WARNING: This feature hasn't been tested much yet. Use at your own risk.
-
 # Directory root where to store mail attachments. Disabled, if empty.
 #mail_attachment_dir =
 
diff --git a/conf.d/10-master.conf b/conf.d/10-master.conf
index 019c1fd..5068100 100644
--- a/conf.d/10-master.conf
+++ b/conf.d/10-master.conf
@@ -32,7 +32,7 @@ service imap-login {
   #process_min_avail = 0
 
   # If you set service_count=0, you probably need to grow this.
-  #vsz_limit = 64M
+  #vsz_limit = $default_vsz_limit
 }
 
 service pop3-login {
@@ -61,7 +61,7 @@ service lmtp {
 service imap {
   # Most of the memory goes to mmap()ing files. You may need to increase this
   # limit if you have huge mailboxes.
-  #vsz_limit = 256M
+  #vsz_limit = $default_vsz_limit
 
   # Max. number of IMAP processes (connections)
   #process_limit = 1024
@@ -74,12 +74,20 @@ service pop3 {
 
 service auth {
   # auth_socket_path points to this userdb socket by default. It's typically
-  # used by dovecot-lda, doveadm, possibly imap process, etc. Its default
-  # permissions make it readable only by root, but you may need to relax these
-  # permissions. Users that have access to this socket are able to get a list
-  # of all usernames and get results of everyone's userdb lookups.
+  # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have
+  # full permissions to this socket are able to get a list of all usernames and
+  # get the results of everyone's userdb lookups.
+  #
+  # The default 0666 mode allows anyone to connect to the socket, but the
+  # userdb lookups will succeed only if the userdb returns an "uid" field that
+  # matches the caller process's UID. Also if caller's uid or gid matches the
+  # socket's uid or gid the lookup succeeds. Anything else causes a failure.
+  #
+  # To give the caller full permissions to lookup all users, set the mode to
+  # something else than 0666 and Dovecot lets the kernel enforce the
+  # permissions (e.g. 0777 allows everyone full permissions).
   unix_listener auth-userdb {
-    #mode = 0600
+    #mode = 0666
     #user = 
     #group = 
   }
diff --git a/conf.d/10-tcpwrapper.conf b/conf.d/10-tcpwrapper.conf
new file mode 100644
index 0000000..b237d96
--- /dev/null
+++ b/conf.d/10-tcpwrapper.conf
@@ -0,0 +1,14 @@
+# 10-tcpwrapper.conf
+#
+# service name for hosts.{allow|deny} are those defined as
+# inet_listener in master.conf
+#
+#login_access_sockets = tcpwrap
+#
+#service tcpwrap {
+#  unix_listener login/tcpwrap {
+#    group = $default_login_user
+#    mode = 0600
+#    user = $default_login_user
+#  }
+#}
diff --git a/conf.d/15-lda.conf b/conf.d/15-lda.conf
index 42318a8..6eadbf4 100644
--- a/conf.d/15-lda.conf
+++ b/conf.d/15-lda.conf
@@ -3,11 +3,11 @@
 ##
 
 # Address to use when sending rejection mails.
-# Default is postmaster@<your domain>.
+# Default is postmaster@<your domain>. %d expands to recipient domain.
 #postmaster_address =
 
-# Hostname to use in various parts of sent mails, eg. in Message-Id.
-# Default is the system's real hostname.
+# Hostname to use in various parts of sent mails (e.g. in Message-Id) and
+# in LMTP replies. Default is the system's real hostname@domain.
 #hostname = 
 
 # If user is over quota, return with temporary failure instead of
diff --git a/conf.d/15-mailboxes.conf b/conf.d/15-mailboxes.conf
new file mode 100644
index 0000000..cd5b21b
--- /dev/null
+++ b/conf.d/15-mailboxes.conf
@@ -0,0 +1,78 @@
+##
+## Mailbox definitions
+##
+
+# Each mailbox is specified in a separate mailbox section. The section name
+# specifies the mailbox name. If it has spaces, you can put the name
+# "in quotes". These sections can contain the following mailbox settings:
+#
+# auto:
+#   Indicates whether the mailbox with this name is automatically created
+#   implicitly when it is first accessed. The user can also be automatically
+#   subscribed to the mailbox after creation. The following values are
+#   defined for this setting:
+# 
+#     no        - Never created automatically.
+#     create    - Automatically created, but no automatic subscription.
+#     subscribe - Automatically created and subscribed.
+#  
+# special_use:
+#   A space-separated list of SPECIAL-USE flags (RFC 6154) to use for the
+#   mailbox. There are no validity checks, so you could specify anything
+#   you want in here, but it's not a good idea to use flags other than the
+#   standard ones specified in the RFC:
+#
+#     \All      - This (virtual) mailbox presents all messages in the
+#                 user's message store. 
+#     \Archive  - This mailbox is used to archive messages.
+#     \Drafts   - This mailbox is used to hold draft messages.
+#     \Flagged  - This (virtual) mailbox presents all messages in the
+#                 user's message store marked with the IMAP \Flagged flag.
+#     \Junk     - This mailbox is where messages deemed to be junk mail
+#                 are held.
+#     \Sent     - This mailbox is used to hold copies of messages that
+#                 have been sent.
+#     \Trash    - This mailbox is used to hold messages that have been
+#                 deleted.
+#
+# comment:
+#   Defines a default comment or note associated with the mailbox. This
+#   value is accessible through the IMAP METADATA mailbox entries
+#   "/shared/comment" and "/private/comment". Users with sufficient
+#   privileges can override the default value for entries with a custom
+#   value.
+
+# NOTE: Assumes "namespace inbox" has been defined in 10-mail.conf.
+namespace inbox {
+  # These mailboxes are widely used and could perhaps be created automatically:
+  mailbox Drafts {
+    special_use = \Drafts
+  }
+  mailbox Junk {
+    special_use = \Junk
+  }
+  mailbox Trash {
+    special_use = \Trash
+  }
+
+  # For \Sent mailboxes there are two widely used names. We'll mark both of
+  # them as \Sent. User typically deletes one of them if duplicates are created.
+  mailbox Sent {
+    special_use = \Sent
+  }
+  mailbox "Sent Messages" {
+    special_use = \Sent
+  }
+
+  # If you have a virtual "All messages" mailbox:
+  #mailbox virtual/All {
+  #  special_use = \All
+  #  comment = All my messages
+  #}
+
+  # If you have a virtual "Flagged" mailbox:
+  #mailbox virtual/Flagged {
+  #  special_use = \Flagged
+  #  comment = All my flagged messages
+  #}
+}
diff --git a/conf.d/20-imap.conf b/conf.d/20-imap.conf
index 99f7833..b7dd95d 100644
--- a/conf.d/20-imap.conf
+++ b/conf.d/20-imap.conf
@@ -2,57 +2,74 @@
 ## IMAP specific settings
 ##
 
-protocol imap {
-  # Maximum IMAP command line length. Some clients generate very long command
-  # lines with huge mailboxes, so you may need to raise this if you get
-  # "Too long argument" or "IMAP command line too large" errors often.
-  #imap_max_line_length = 64k
+# If nothing happens for this long while client is IDLEing, move the connection
+# to imap-hibernate process and close the old imap process. This saves memory,
+# because connections use very little memory in imap-hibernate process. The
+# downside is that recreating the imap process back uses some resources.
+#imap_hibernate_timeout = 0
 
-  # Maximum number of IMAP connections allowed for a user from each IP address.
-  # NOTE: The username is compared case-sensitively.
-  #mail_max_userip_connections = 10
+# Maximum IMAP command line length. Some clients generate very long command
+# lines with huge mailboxes, so you may need to raise this if you get
+# "Too long argument" or "IMAP command line too large" errors often.
+#imap_max_line_length = 64k
+
+# IMAP logout format string:
+#  %i - total number of bytes read from client
+#  %o - total number of bytes sent to client
+#  %{fetch_hdr_count} - Number of mails with mail header data sent to client
+#  %{fetch_hdr_bytes} - Number of bytes with mail header data sent to client
+#  %{fetch_body_count} - Number of mails with mail body data sent to client
+#  %{fetch_body_bytes} - Number of bytes with mail body data sent to client
+#  %{deleted} - Number of mails where client added \Deleted flag
+#  %{expunged} - Number of mails that client expunged
+#  %{trashed} - Number of mails that client copied/moved to the
+#               special_use=\Trash mailbox.
+#imap_logout_format = in=%i out=%o
+
+# Override the IMAP CAPABILITY response. If the value begins with '+',
+# add the given capabilities on top of the defaults (e.g. +XFOO XBAR).
+#imap_capability = 
+
+# How long to wait between "OK Still here" notifications when client is
+# IDLEing.
+#imap_idle_notify_interval = 2 mins
+
+# ID field names and values to send to clients. Using * as the value makes
+# Dovecot use the default value. The following fields have default values
+# currently: name, version, os, os-version, support-url, support-email.
+#imap_id_send = 
 
+# ID fields sent by client to log. * means everything.
+#imap_id_log =
+
+# Workarounds for various client bugs:
+#   delay-newmail:
+#     Send EXISTS/RECENT new mail notifications only when replying to NOOP
+#     and CHECK commands. Some clients ignore them otherwise, for example OSX
+#     Mail (<v2.1). Outlook Express breaks more badly though, without this it
+#     may show user "Message no longer in server" errors. Note that OE6 still
+#     breaks even with this workaround if synchronization is set to
+#     "Headers Only".
+#   tb-extra-mailbox-sep:
+#     Thunderbird gets somehow confused with LAYOUT=fs (mbox and dbox) and
+#     adds extra '/' suffixes to mailbox names. This option causes Dovecot to
+#     ignore the extra '/' instead of treating it as invalid mailbox name.
+#   tb-lsub-flags:
+#     Show \Noselect flags for LSUB replies with LAYOUT=fs (e.g. mbox).
+#     This makes Thunderbird realize they aren't selectable and show them
+#     greyed out, instead of only later giving "not selectable" popup error.
+#
+# The list is space-separated.
+#imap_client_workarounds = 
+
+# Host allowed in URLAUTH URLs sent by client. "*" allows all.
+#imap_urlauth_host =
+
+protocol imap {
   # Space separated list of plugins to load (default is global mail_plugins).
   #mail_plugins = $mail_plugins
 
-  # IMAP logout format string:
-  #  %i - total number of bytes read from client
-  #  %o - total number of bytes sent to client
-  #imap_logout_format = bytes=%i/%o
-
-  # Override the IMAP CAPABILITY response. If the value begins with '+',
-  # add the given capabilities on top of the defaults (e.g. +XFOO XBAR).
-  #imap_capability = 
-
-  # How long to wait between "OK Still here" notifications when client is
-  # IDLEing.
-  #imap_idle_notify_interval = 2 mins
-
-  # ID field names and values to send to clients. Using * as the value makes
-  # Dovecot use the default value. The following fields have default values
-  # currently: name, version, os, os-version, support-url, support-email.
-  #imap_id_send = 
-
-  # ID fields sent by client to log. * means everything.
-  #imap_id_log =
-
-  # Workarounds for various client bugs:
-  #   delay-newmail:
-  #     Send EXISTS/RECENT new mail notifications only when replying to NOOP
-  #     and CHECK commands. Some clients ignore them otherwise, for example OSX
-  #     Mail (<v2.1). Outlook Express breaks more badly though, without this it
-  #     may show user "Message no longer in server" errors. Note that OE6 still
-  #     breaks even with this workaround if synchronization is set to
-  #     "Headers Only".
-  #   tb-extra-mailbox-sep:
-  #     With mbox storage a mailbox can contain either mails or submailboxes,
-  #     but not both. Thunderbird separates these two by forcing server to
-  #     accept '/' suffix in mailbox names in subscriptions list.
-  #   tb-lsub-flags:
-  #     Show \Noselect flags for LSUB replies with LAYOUT=fs (e.g. mbox).
-  #     This makes Thunderbird realize they aren't selectable and show them
-  #     greyed out, instead of only later giving "not selectable" popup error.
-  #
-  # The list is space-separated.
-  #imap_client_workarounds = 
+  # Maximum number of IMAP connections allowed for a user from each IP address.
+  # NOTE: The username is compared case-sensitively.
+  #mail_max_userip_connections = 10
 }
diff --git a/conf.d/90-quota.conf b/conf.d/90-quota.conf
index 6984da6..db1f718 100644
--- a/conf.d/90-quota.conf
+++ b/conf.d/90-quota.conf
@@ -17,6 +17,11 @@
 plugin {
   #quota_rule = *:storage=1G
   #quota_rule2 = Trash:storage=+100M
+
+  # LDA/LMTP allows saving the last mail to bring user from under quota to
+  # over quota, if the quota doesn't grow too high. Default is to allow as
+  # long as quota will stay under 10% above the limit. Also allowed e.g. 10M.
+  #quota_grace = 10%%
 }
 
 ##
diff --git a/conf.d/90-sieve-extprograms.conf b/conf.d/90-sieve-extprograms.conf
new file mode 100644
index 0000000..17dcb77
--- /dev/null
+++ b/conf.d/90-sieve-extprograms.conf
@@ -0,0 +1,44 @@
+# Sieve Extprograms plugin configuration
+
+# Don't forget to add the sieve_extprograms plugin to the sieve_plugins setting.
+# Also enable the extensions you need (one or more of vnd.dovecot.pipe,
+# vnd.dovecot.filter and vnd.dovecot.execute) by adding these	to the
+# sieve_extensions or sieve_global_extensions settings. Restricting these
+# extensions to a global context using sieve_global_extensions is recommended.
+
+plugin {
+
+  # The directory where the program sockets are located for the
+  # vnd.dovecot.pipe, vnd.dovecot.filter and vnd.dovecot.execute extension
+  # respectively. The name of each unix socket contained in that directory
+  # directly maps to a program-name referenced from the Sieve script.
+  #sieve_pipe_socket_dir = sieve-pipe
+  #sieve_filter_socket_dir = sieve-filter
+  #sieve_execute_socket_dir = sieve-execute
+
+  # The directory where the scripts are located for direct execution by the
+  # vnd.dovecot.pipe, vnd.dovecot.filter and vnd.dovecot.execute extension
+  # respectively. The name of each script contained in that directory
+  # directly maps to a program-name referenced from the Sieve script.
+  #sieve_pipe_bin_dir = /usr/lib/dovecot/sieve-pipe
+  #sieve_filter_bin_dir = /usr/lib/dovecot/sieve-filter
+  #sieve_execute_bin_dir = /usr/lib/dovecot/sieve-execute
+}
+
+# An example program service called 'do-something' to pipe messages to
+#service do-something {
+  # Define the executed script as parameter to the sieve service
+  #executable = script /usr/lib/dovecot/sieve-pipe/do-something.sh
+
+  # Use some unprivileged user for executing the program
+  #user = dovenull
+
+  # The unix socket located in the sieve_pipe_socket_dir (as defined in the 
+  # plugin {} section above)
+  #unix_listener sieve-pipe/do-something {
+    # LDA/LMTP must have access
+  #  user = vmail  
+  #  mode = 0600
+  #}
+#}
+
diff --git a/conf.d/90-sieve.conf b/conf.d/90-sieve.conf
index 516ac46..38cee71 100644
--- a/conf.d/90-sieve.conf
+++ b/conf.d/90-sieve.conf
@@ -1,10 +1,26 @@
 ##
 ## Settings for the Sieve interpreter
-## 
+##
 
 # Do not forget to enable the Sieve plugin in 15-lda.conf and 20-lmtp.conf
 # by adding it to the respective mail_plugins= settings.
 
+# The Sieve interpreter can retrieve Sieve scripts from several types of
+# locations. The default `file' location type is a local filesystem path
+# pointing to a Sieve script file or a directory containing multiple Sieve
+# script files. More complex setups can use other location types such as
+# `ldap' or `dict' to fetch Sieve scripts from remote databases.
+#
+# All settings that specify the location of one ore more Sieve scripts accept
+# the following syntax:
+#
+# location = [<type>:]path[;<option>[=<value>][;...]]
+#
+# If the type prefix is omitted, the script location type is 'file' and the 
+# location is interpreted as a local filesystem path pointing to a Sieve script
+# file or directory. Refer to Pigeonhole wiki or INSTALL file for more
+# information.
+
 plugin {
   # The path to the user's main active script. If ManageSieve is used, this the
   # location of the symbolic link controlled by ManageSieve.
@@ -15,8 +31,13 @@ plugin {
   # doesn't exist. Be sure to pre-compile this script manually using the sievec
   # command line tool.
   # --> See sieve_before fore executing scripts before the user's personal
+  # The default Sieve script when the user has none. This is the location of a
+  # global sieve script file, which gets executed ONLY if user's personal Sieve
+  # script doesn't exist. Be sure to pre-compile this script manually using the
+  # sievec command line tool if the binary is not stored in a global location.
+  # --> See sieve_before for executing scripts before the user's personal
   #     script.
-  #sieve_global_path = /var/lib/dovecot/sieve/default.sieve
+  #sieve_default = /var/lib/dovecot/sieve/default.sieve
 
   # Directory for :personal include scripts for the include extension. This
   # is also where the ManageSieve service stores the user's scripts.
@@ -32,52 +53,153 @@ plugin {
   # normal 8bit per-character comparison. 
   #sieve_before =
 
+  # Location Sieve of scripts that need to be executed before the user's
+  # personal script. If a 'file' location path points to a directory, all the 
+  # Sieve scripts contained therein (with the proper `.sieve' extension) are
+  # executed. The order of execution within that directory is determined by the
+  # file names, using a normal 8bit per-character comparison.
+  #
+  # Multiple script locations can be specified by appending an increasing number
+  # to the setting name. The Sieve scripts found from these locations are added
+  # to the script execution sequence in the specified order. Reading the
+  # numbered sieve_before settings stops at the first missing setting, so no
+  # numbers may be skipped.
+  #sieve_before = /var/lib/dovecot/sieve.d/
+  #sieve_before2 = ldap:/etc/sieve-ldap.conf;name=ldap-domain
+  #sieve_before3 = (etc...)
+
   # Identical to sieve_before, only the specified scripts are executed after the
-  # user's script (only when keep is still in effect!). 
+  # user's script (only when keep is still in effect!). Multiple script
+  # locations can be specified by appending an increasing number.
   #sieve_after =
-   
-  # Which Sieve language extensions are available to users. By default, all 
+  #sieve_after2 =
+  #sieve_after2 = (etc...)
+
+  # Which Sieve language extensions are available to users. By default, all
   # supported extensions are available, except for deprecated extensions or
   # those that are still under development. Some system administrators may want
   # to disable certain Sieve extensions or enable those that are not available
   # by default. This setting can use '+' and '-' to specify differences relative
   # to the default. For example `sieve_extensions = +imapflags' will enable the
-  # deprecated imapflags extension in addition to all extensions thatwere
-  # already enabled by default. 
+  # deprecated imapflags extension in addition to all extensions were already
+  # enabled by default.
   #sieve_extensions = +notify +imapflags
 
+  # Which Sieve language extensions are ONLY available in global scripts. This
+  # can be used to restrict the use of certain Sieve extensions to administrator
+  # control, for instance when these extensions can cause security concerns.
+  # This setting has higher precedence than the `sieve_extensions' setting
+  # (above), meaning that the extensions enabled with this setting are never
+  # available to the user's personal script no matter what is specified for the
+  # `sieve_extensions' setting. The syntax of this setting is similar to the
+  # `sieve_extensions' setting, with the difference that extensions are
+  # enabled or disabled for exclusive use in global scripts. Currently, no
+  # extensions are marked as such by default.
+  #sieve_global_extensions =
+
   # The Pigeonhole Sieve interpreter can have plugins of its own. Using this
   # setting, the used plugins can be specified. Check the Dovecot wiki
   # (wiki2.dovecot.org) or the pigeonhole website
   # (http://pigeonhole.dovecot.org) for available plugins.
+  # The sieve_extprograms plugin is included in this release.
   #sieve_plugins =
 
-  # The separator that is expected between the :user and :detail 
-  # address parts introduced by the subaddress extension. This may 
-  # also be a sequence of characters (e.g. '--'). The current 
-  # implementation looks for the separator from the left of the 
-  # localpart and uses the first one encountered. The :user part is 
+  # The separator that is expected between the :user and :detail
+  # address parts introduced by the subaddress extension. This may
+  # also be a sequence of characters (e.g. '--'). The current
+  # implementation looks for the separator from the left of the
+  # localpart and uses the first one encountered. The :user part is
   # left of the separator and the :detail part is right. This setting
   # is also used by Dovecot's LMTP service.
   #recipient_delimiter = +
 
-  # The maximum size of a Sieve script. The compiler will refuse to 
-  # compile any script larger than this limit.
+  # The maximum size of a Sieve script. The compiler will refuse to compile any
+  # script larger than this limit. If set to 0, no limit on the script size is
+  # enforced.
   #sieve_max_script_size = 1M
 
-  # The maximum number of actions that can be performed during a single
-  # script execution.
+  # The maximum number of actions that can be performed during a single script
+  # execution. If set to 0, no limit on the total number of actions is enforced.
   #sieve_max_actions = 32
 
-  # The maximum number of redirect actions that can be performed during
-  # a single script execution.
+  # The maximum number of redirect actions that can be performed during a single
+  # script execution. If set to 0, no redirect actions are allowed.
   #sieve_max_redirects = 4
 
-  # The maximum number of personal Sieve scripts a single user can have.
+  # The maximum number of personal Sieve scripts a single user can have. If set
+  # to 0, no limit on the number of scripts is enforced.
   # (Currently only relevant for ManageSieve)
   #sieve_quota_max_scripts = 0
 
-  # The maximum amount of disk storage a single user's scripts may occupy.
-  # (Currently only relevant for ManageSieve) 
+  # The maximum amount of disk storage a single user's scripts may occupy. If
+  # set to 0, no limit on the used amount of disk storage is enforced.
+  # (Currently only relevant for ManageSieve)
   #sieve_quota_max_storage = 0
+
+  # The primary e-mail address for the user. This is used as a default when no
+  # other appropriate address is available for sending messages. If this setting
+  # is not configured, either the postmaster or null "<>" address is used as a
+  # sender, depending on the action involved. This setting is important when
+  # there is no message envelope to extract addresses from, such as when the
+  # script is executed in IMAP.
+  #sieve_user_email =
+
+  # The path to the file where the user log is written. If not configured, a
+  # default location is used. If the main user's personal Sieve (as configured
+  # with sieve=) is a file, the logfile is set to <filename>.log by default. If
+  # it is not a file, the default user log file is ~/.dovecot.sieve.log.
+  #sieve_user_log =
+
+  # Specifies what envelope sender address is used for redirected messages.
+  # The following values are supported for this setting:
+  #
+  #   "sender"         - The sender address is used (default).
+  #   "recipient"      - The final recipient address is used.
+  #   "orig_recipient" - The original recipient is used.
+  #   "user_email"     - The user's primary address is used. This is
+  #                      configured with the "sieve_user_email" setting. If
+  #                      that setting is unconfigured, "user_mail" is equal to
+  #                      "recipient".
+  #   "postmaster"     - The postmaster_address configured for the LDA.
+  #   "<user@domain>"  - Redirected messages are always sent from user@domain.
+  #                      The angle brackets are mandatory. The null "<>" address
+  #                      is also supported.
+  #
+  # This setting is ignored when the envelope sender is "<>". In that case the
+  # sender of the redirected message is also always "<>".
+  #sieve_redirect_envelope_from = sender
+
+  ## TRACE DEBUGGING
+  # Trace debugging provides detailed insight in the operations performed by
+  # the Sieve script. These settings apply to both the LDA Sieve plugin and the
+  # IMAPSIEVE plugin. 
+  #
+  # WARNING: On a busy server, this functionality can quickly fill up the trace
+  # directory with a lot of trace files. Enable this only temporarily and as
+  # selective as possible.
+  
+  # The directory where trace files are written. Trace debugging is disabled if
+  # this setting is not configured or if the directory does not exist. If the 
+  # path is relative or it starts with "~/" it is interpreted relative to the
+  # current user's home directory.
+  #sieve_trace_dir =
+  
+  # The verbosity level of the trace messages. Trace debugging is disabled if
+  # this setting is not configured. Possible values are:
+  #
+  #   "actions"        - Only print executed action commands, like keep,
+  #                      fileinto, reject and redirect.
+  #   "commands"       - Print any executed command, excluding test commands.
+  #   "tests"          - Print all executed commands and performed tests.
+  #   "matching"       - Print all executed commands, performed tests and the
+  #                      values matched in those tests.
+  #sieve_trace_level =
+  
+  # Enables highly verbose debugging messages that are usually only useful for
+  # developers.
+  #sieve_trace_debug = no
+  
+  # Enables showing byte code addresses in the trace output, rather than only
+  # the source line numbers.
+  #sieve_trace_addresses = no 
 }
diff --git a/conf.d/auth-checkpassword.conf.ext b/conf.d/auth-checkpassword.conf.ext
new file mode 100644
index 0000000..b2fb13a
--- /dev/null
+++ b/conf.d/auth-checkpassword.conf.ext
@@ -0,0 +1,21 @@
+# Authentication for checkpassword users. Included from 10-auth.conf.
+#
+# <doc/wiki/AuthDatabase.CheckPassword.txt>
+
+passdb {
+  driver = checkpassword
+  args = /usr/bin/checkpassword
+}
+
+# passdb lookup should return also userdb info
+userdb {
+  driver = prefetch
+}
+
+# Standard checkpassword doesn't support direct userdb lookups.
+# If you need checkpassword userdb, the checkpassword must support
+# Dovecot-specific extensions.
+#userdb {
+#  driver = checkpassword
+#  args = /usr/bin/checkpassword
+#}
diff --git a/conf.d/auth-deny.conf.ext b/conf.d/auth-deny.conf.ext
index f2d897d..ce3f1cf 100644
--- a/conf.d/auth-deny.conf.ext
+++ b/conf.d/auth-deny.conf.ext
@@ -1,4 +1,4 @@
-# Deny access for users. Included from auth.conf.
+# Deny access for users. Included from 10-auth.conf.
 
 # Users can be (temporarily) disabled by adding a passdb with deny=yes.
 # If the user is found from that database, authentication will fail.
diff --git a/conf.d/auth-dict.conf.ext b/conf.d/auth-dict.conf.ext
new file mode 100644
index 0000000..0be4847
--- /dev/null
+++ b/conf.d/auth-dict.conf.ext
@@ -0,0 +1,16 @@
+# Authentication via dict backend. Included from 10-auth.conf.
+#
+# <doc/wiki/AuthDatabase.Dict.txt>
+
+passdb {
+  driver = dict
+
+  # Path for dict configuration file, see
+  # example-config/dovecot-dict-auth.conf.ext
+  args = /etc/dovecot/dovecot-dict-auth.conf.ext
+}
+
+userdb {
+  driver = dict
+  args = /etc/dovecot/dovecot-dict-auth.conf.ext
+}
diff --git a/conf.d/auth-master.conf.ext b/conf.d/auth-master.conf.ext
index 8e5107f..2cf128f 100644
--- a/conf.d/auth-master.conf.ext
+++ b/conf.d/auth-master.conf.ext
@@ -1,4 +1,4 @@
-# Authentication for master users. Included from auth.conf.
+# Authentication for master users. Included from 10-auth.conf.
 
 # By adding master=yes setting inside a passdb you make the passdb a list
 # of "master users", who can log in as anyone else.
diff --git a/conf.d/auth-sql.conf.ext b/conf.d/auth-sql.conf.ext
new file mode 100644
index 0000000..ccbea86
--- /dev/null
+++ b/conf.d/auth-sql.conf.ext
@@ -0,0 +1,30 @@
+# Authentication for SQL users. Included from 10-auth.conf.
+#
+# <doc/wiki/AuthDatabase.SQL.txt>
+
+passdb {
+  driver = sql
+
+  # Path for SQL configuration file, see example-config/dovecot-sql.conf.ext
+  args = /etc/dovecot/dovecot-sql.conf.ext
+}
+
+# "prefetch" user database means that the passdb already provided the
+# needed information and there's no need to do a separate userdb lookup.
+# <doc/wiki/UserDatabase.Prefetch.txt>
+#userdb {
+#  driver = prefetch
+#}
+
+userdb {
+  driver = sql
+  args = /etc/dovecot/dovecot-sql.conf.ext
+}
+
+# If you don't have any user-specific settings, you can avoid the user_query
+# by using userdb static instead of userdb sql, for example:
+# <doc/wiki/UserDatabase.Static.txt>
+#userdb {
+  #driver = static
+  #args = uid=vmail gid=vmail home=/var/vmail/%u
+#}
diff --git a/conf.d/auth-system.conf.ext b/conf.d/auth-system.conf.ext
index 56f4659..23f943c 100644
--- a/conf.d/auth-system.conf.ext
+++ b/conf.d/auth-system.conf.ext
@@ -1,4 +1,4 @@
-# Authentication for system users. Included from auth.conf.
+# Authentication for system users. Included from 10-auth.conf.
 #
 # <doc/wiki/PasswordDatabase.txt>
 # <doc/wiki/UserDatabase.txt>
@@ -51,6 +51,9 @@ userdb {
   driver = passwd
   # [blocking=no]
   #args = 
+
+  # Override fields from passwd
+  #override_fields = home=/home/virtual/%u
 }
 
 # Static settings generated from template <doc/wiki/UserDatabase.Static.txt>
diff --git a/conf.d/auth-vpopmail.conf.ext b/conf.d/auth-vpopmail.conf.ext
index 355237d..f2da976 100644
--- a/conf.d/auth-vpopmail.conf.ext
+++ b/conf.d/auth-vpopmail.conf.ext
@@ -1,4 +1,4 @@
-# Authentication for vpopmail users. Included from auth.conf.
+# Authentication for vpopmail users. Included from 10-auth.conf.
 #
 # <doc/wiki/AuthDatabase.VPopMail.txt>
 
diff --git a/dovecot-dict-auth.conf.ext b/dovecot-dict-auth.conf.ext
new file mode 100644
index 0000000..79f43de
--- /dev/null
+++ b/dovecot-dict-auth.conf.ext
@@ -0,0 +1,54 @@
+# This file is commonly accessed via passdb {} or userdb {} section in
+# conf.d/auth-dict.conf.ext
+
+# Dictionary URI
+#uri = 
+
+# Default password scheme
+default_pass_scheme = MD5
+
+# Username iteration prefix. Keys under this are assumed to contain usernames.
+iterate_prefix = userdb/
+
+# Should iteration be disabled for this userdb? If this userdb acts only as a
+# cache there's no reason to try to iterate the (partial & duplicate) users.
+#iterate_disable = no
+
+# The example here shows how to do multiple dict lookups and merge the replies.
+# The "passdb" and "userdb" keys are JSON objects containing key/value pairs,
+# for example: { "uid": 1000, "gid": 1000, "home": "/home/user" }
+
+key passdb {
+  key = passdb/%u
+  format = json
+}
+key userdb {
+  key = userdb/%u
+  format = json
+}
+key quota {
+  key = userdb/%u/quota
+  #format = value
+  # The default_value is used if the key isn't found. If default_value setting
+  # isn't specified at all (even as empty), the passdb/userdb lookup fails with
+  # "user doesn't exist".
+  default_value = 100M
+}
+
+# Space separated list of keys whose values contain key/value paired objects.
+# All the key/value pairs inside the object are added as passdb fields.
+passdb_objects = passdb
+
+#passdb_fields {
+#}
+
+# Userdb key/value object list.
+userdb_objects = userdb
+
+userdb_fields {
+  # dict:<key> refers to key names
+  quota_rule = *:storage=%{dict:quota}
+
+  # dict:<key>.<objkey> refers to the objkey inside (JSON) object
+  mail = maildir:%{dict:userdb.home}/Maildir
+}
diff --git a/dovecot-dict-sql.conf.ext b/dovecot-dict-sql.conf.ext
index 674a25f..a9a903f 100644
--- a/dovecot-dict-sql.conf.ext
+++ b/dovecot-dict-sql.conf.ext
@@ -1,3 +1,5 @@
+# This file is commonly accessed via dict {} section in dovecot.conf
+
 #connect = host=localhost dbname=mails user=testuser password=pass
 
 # CREATE TABLE quota (
diff --git a/dovecot-sql.conf.ext b/dovecot-sql.conf.ext
index b650c57..a434244 100644
--- a/dovecot-sql.conf.ext
+++ b/dovecot-sql.conf.ext
@@ -1,3 +1,6 @@
+# This file is commonly accessed via passdb {} or userdb {} section in
+# conf.d/auth-sql.conf.ext
+
 # This file is opened as root, so it should be owned by root and mode 0600.
 #
 # http://wiki2.dovecot.org/AuthDatabase/SQL
@@ -44,13 +47,15 @@
 #     host, port, user, password, dbname
 #
 #   But also adds some new settings:
-#     client_flags        - See MySQL manual
-#     ssl_ca, ssl_ca_path - Set either one or both to enable SSL
-#     ssl_cert, ssl_key   - For sending client-side certificates to server
-#     ssl_cipher          - Set minimum allowed cipher security (default: HIGH)
-#     option_file         - Read options from the given file instead of
-#                           the default my.cnf location
-#     option_group        - Read options from the given group (default: client)
+#     client_flags           - See MySQL manual
+#     ssl_ca, ssl_ca_path    - Set either one or both to enable SSL
+#     ssl_cert, ssl_key      - For sending client-side certificates to server
+#     ssl_cipher             - Set minimum allowed cipher security (default: HIGH)
+#     ssl_verify_server_cert - Verify that the name in the server SSL certificate
+#                              matches the host (default: no)
+#     option_file            - Read options from the given file instead of
+#                              the default my.cnf location
+#     option_group           - Read options from the given group (default: client)
 # 
 #   You can connect to UNIX sockets by using host: host=/var/run/mysql.sock
 #   Note that currently you can't use spaces in parameters.
diff --git a/dovecot.conf b/dovecot.conf
index c9732b8..c802011 100644
--- a/dovecot.conf
+++ b/dovecot.conf
@@ -9,6 +9,10 @@
 # and tabs are ignored. If you want to use either of these explicitly, put the
 # value inside quotes, eg.: key = "# char and trailing whitespace  "
 
+# Most (but not all) settings can be overridden by different protocols and/or
+# source/destination IPs by placing the settings inside sections, for example:
+# protocol imap { }, local 127.0.0.1 { }, remote 10.0.0.0/8 { }
+
 # Default values are shown for each setting, it's not required to uncomment
 # those. These are exceptions to this though: No sections (e.g. namespace {})
 # or plugin settings are added by default, they're listed only as examples.
@@ -28,7 +32,10 @@
 # Base directory where to store runtime data.
 #base_dir = /var/run/dovecot/
 
-# Name of this instance. Used to prefix all Dovecot processes in ps output.
+# Name of this instance. In multi-instance setup doveadm and other commands
+# can use -i <instance_name> to select which instance is used (an alternative
+# to -c <config_path>). The instance name is also added to Dovecot processes
+# in ps output.
 #instance_name = dovecot
 
 # Greeting message for clients.
@@ -40,9 +47,14 @@
 # these networks. Typically you'd specify your IMAP proxy servers here.
 #login_trusted_networks =
 
-# Sepace separated list of login access check sockets (e.g. tcpwrap)
+# Space separated list of login access check sockets (e.g. tcpwrap)
 #login_access_sockets = 
 
+# With proxy_maybe=yes if proxy destination matches any of these IPs, don't do
+# proxying. This isn't necessary normally, but may be useful if the destination
+# IP is e.g. a load balancer's IP.
+#auth_proxy_self =
+
 # Show more verbose process titles (in ps). Currently shows user name and
 # IP address. Useful for seeing who are actually using the IMAP processes
 # (eg. shared mailboxes or if same uid is used for multiple accounts).