From: Alex Dehnert
Date: Sun, 7 Aug 2016 04:01:43 +0000 (-0400)
Subject: Config updates with new dovecot version (I assume, anyway)
X-Git-Url: https://dehnerts.com/gitweb/?a=commitdiff_plain;h=6693b71c663930e35c2df3c6b368731694ee80ba;p=sysconfig%2Fdovecot.git
Config updates with new dovecot version (I assume, anyway)
---
diff --git a/README b/README
index 93a422b..9dcc22a 100644
--- a/README
+++ b/README
@@ -1,2 +1,2 @@
 Configuration files go to this directory. See example configuration files in
-/usr/share/doc/dovecot/example-config/
+/usr/share/doc/dovecot-core/example-config/
diff --git a/conf.d/10-auth.conf b/conf.d/10-auth.conf
index ce6e098..3567979 100644
--- a/conf.d/10-auth.conf
+++ b/conf.d/10-auth.conf
@@ -6,6 +6,7 @@
 # SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
 # matches the local IP (ie. you're connecting from the same computer), the
 # connection is considered secure and plaintext authentication is allowed.
+# See also ssl=required setting.
 #disable_plaintext_auth = yes

 # Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
@@ -47,7 +48,7 @@ auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ012345
 # the standard variables here, eg. %Lu would lowercase the username, %n would
 # drop away the domain if it was given, or "%n-AT-%d" would change the '@' into
 # "-AT-". This translation is done after auth_username_translation changes.
-#auth_username_format =
+#auth_username_format = %Lu

 # If you want to allow master users to log in by specifying the master
 # username within the normal username string (ie. not using SASL mechanism's
diff --git a/conf.d/10-director.conf b/conf.d/10-director.conf
index d2d7664..31e97e9 100644
--- a/conf.d/10-director.conf
+++ b/conf.d/10-director.conf
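Review bot: The hunk at @@ -47,7 +48,7 @@ changes the documented default to `#auth_username_format = %Lu`, but the text above it only explains the variable syntax and says nothing about the consequence that, once the default lowercases the login name, backends with case-sensitive entries must store usernames in lowercase. Suggest adding before the setting line: `# The %Lu default lowercases the username before passdb/userdb lookups,` / `# so entries in case-sensitive backends (e.g. passwd-file) must be stored in lowercase.` This presumably also applies to the passwd-file passdb/userdb this commit configures in conf.d/auth-passwdfile.conf.ext, whose `username_format=%u` would then already receive the lowercased name; worth confirming against the installed Dovecot version.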
@@ -25,6 +25,11 @@ # If you enable this, you'll also need to add inet_listener for the port. #director_doveadm_port = 0 +# How the username is translated before being hashed. Useful values include +# %Ln if user can log in with or without @domain, %Ld if mailboxes are shared +# within domain. +#director_username_hash = %Lu + # To enable director service, uncomment the modes and assign a port. service director { unix_listener login/director { diff --git a/conf.d/10-logging.conf b/conf.d/10-logging.conf index 7633a67..cf49e86 100644 --- a/conf.d/10-logging.conf +++ b/conf.d/10-logging.conf @@ -26,6 +26,7 @@ # In case of password mismatches, log the attempted password. Valid values are # no, plain and sha1. sha1 can be useful for detecting brute force password # attempts vs. user simply trying the same password over and over again. +# You can also truncate the value to n chars by appending ":n" (e.g. sha1:6). #auth_verbose_passwords = no # Even more verbose logging for debugging purposes. Shows for example SQL @@ -66,7 +67,7 @@ log_timestamp = "%Y-%m-%d %H:%M:%S " # string. #login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c -# Login log format. %$ contains login_log_format_elements string, %s contains +# Login log format. %s contains login_log_format_elements string, %$ contains # the data we want to log. #login_log_format = %$: %s diff --git a/conf.d/10-mail.conf b/conf.d/10-mail.conf index d32dcd1..89ea4c6 100644 --- a/conf.d/10-mail.conf +++ b/conf.d/10-mail.conf 
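Review bot: In the 10-logging.conf hunk at @@ -26,6 +26,7 @@ the added line explains the `sha1:n` truncation for `auth_verbose_passwords` but not that every value other than `no` writes password-derived data (often near-miss passwords) into the auth log, which then needs the same protection as the password store itself. Suggest one more comment line before the setting: `# Any value other than "no" puts password-derived data into the log; restrict access to it.` The setting stays at its commented `no` default in this hunk, so this is documentation only.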
@@ -40,12 +40,7 @@ mail_location = maildir:~/.maildir # namespaces you'll typically want to enable ACL plugin also, otherwise all # users can access all the shared mailboxes, assuming they have permissions # on filesystem level to do so. -# -# REMEMBER: If you add any namespaces, the default namespace must be added -# explicitly, ie. mail_location does nothing unless you have a namespace -# without a location setting. Default namespace is simply done by having a -# namespace with empty prefix. -#namespace { +namespace inbox { # Namespace type: private, shared or public #type = private @@ -64,7 +59,7 @@ mail_location = maildir:~/.maildir # There can be only one INBOX, and this setting defines which namespace # has it. - #inbox = no + inbox = yes # If namespace is hidden, it's not advertised to clients via NAMESPACE # extension. You'll most likely also want to set list=no. This is mostly @@ -81,7 +76,7 @@ mail_location = maildir:~/.maildir # Namespace handles its own subscriptions. If set to "no", the parent # namespace handles them (empty prefix should always have this as "yes") #subscriptions = yes -#} +} # Example shared namespace configuration #namespace { @@ -103,6 +98,8 @@ mail_location = maildir:~/.maildir # List the shared/ namespace only if there are visible shared mailboxes. #list = children #} +# Should shared INBOX be visible as "shared/user" or "shared/user/INBOX"? +#mail_shared_explicit_inbox = no # System user and group used to access mails. If you use multiple, userdb # can override these by returning uid or gid fields. You can use either numbers @@ -131,6 +128,10 @@ mail_location = maildir:~/.maildir # or ~user/. #mail_full_filesystem_access = no +# Dictionary for key=value mailbox attributes. Currently used by URLAUTH, but +# soon intended to be used by METADATA as well. +#mail_attribute_dict = + ## ## Mail processes ## 
@@ -214,6 +215,10 @@ mail_location = maildir:~/.maildir ## Mailbox handling optimizations ## +# Mailbox list indexes can be used to optimize IMAP STATUS commands. They are +# also required for IMAP NOTIFY extension to be enabled. +#mailbox_list_index = no + # The minimum number of mails in a mailbox before updates are done to cache # file. This allows optimizing Dovecot's behavior to do less disk writes at # the cost of more disk reads. @@ -232,6 +237,14 @@ mail_location = maildir:~/.maildir # the extra CRs wrong and cause problems. #mail_save_crlf = no +# Max number of mails to keep open and prefetch to memory. This only works with +# some mailbox formats and/or operating systems. +#mail_prefetch_count = 0 + +# How often to scan for stale temporary files and delete them (0 = never). +# These should exist only after Dovecot dies in the middle of saving mails. +#mail_temp_scan_interval = 1w + ## ## Maildir-specific settings ## @@ -251,6 +264,12 @@ mail_location = maildir:~/.maildir # when its mtime changes unexpectedly or when we can't find the mail otherwise. #maildir_very_dirty_syncs = no +# If enabled, Dovecot doesn't use the S= in the Maildir filenames for +# getting the mail's physical size, except when recalculating Maildir++ quota. +# This can be useful in systems where a lot of the Maildir filenames have a +# broken size. The performance hit for enabling this is very small. +#maildir_broken_filename_sizes = no + ## ## mbox-specific settings ## 
@@ -269,8 +288,14 @@ mail_location = maildir:~/.maildir # in is important to avoid deadlocks if other MTAs/MUAs are using multiple # locking methods as well. Some operating systems don't allow using some of # them simultaneously. +# +# The Debian value for mbox_write_locks differs from upstream Dovecot. It is +# changed to be compliant with Debian Policy (section 11.6) for NFS safety. +# Dovecot: mbox_write_locks = dotlock fcntl +# Debian: mbox_write_locks = fcntl dotlock +# #mbox_read_locks = fcntl -#mbox_write_locks = dotlock fcntl +#mbox_write_locks = fcntl dotlock # Maximum time to wait for lock (all of them) before aborting. #mbox_lock_timeout = 5 mins @@ -304,6 +329,12 @@ mail_location = maildir:~/.maildir # If an index file already exists it's still read, just not updated. #mbox_min_index_size = 0 +# Mail header selection algorithm to use for MD5 POP3 UIDLs when +# pop3_uidl_format=%m. For backwards compatibility we use apop3d inspired +# algorithm, but it fails if the first Received: header isn't unique in all +# mails. An alternative algorithm is "all" that selects all headers. +#mbox_md5 = apop3d + ## ## mdbox-specific settings ## @@ -328,8 +359,6 @@ mail_location = maildir:~/.maildir # also allows single instance storage for them. Other backends don't support # this for now. -# WARNING: This feature hasn't been tested much yet. Use at your own risk. - # Directory root where to store mail attachments. Disabled, if empty. #mail_attachment_dir = diff --git a/conf.d/10-ssl.conf b/conf.d/10-ssl.conf index 4cff433..cac7f8c 100644 --- a/conf.d/10-ssl.conf +++ b/conf.d/10-ssl.conf 
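Review bot: The comment block added at @@ -269,8 +288,14 @@ states that the Debian value of `mbox_write_locks` is `fcntl dotlock`, yet the setting line stays commented out (`#mbox_write_locks = fcntl dotlock`), so the effective lock order is whatever default is compiled into the installed dovecot binary rather than what the comment announces. If the NFS-safe order from Debian Policy 11.6 is intended for this installation, make it explicit: `mbox_write_locks = fcntl dotlock`. Whether the Debian package also changes the built-in default cannot be told from the diff; if it does, a sentence saying so in the comment would stop readers from uncommenting unnecessarily.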
@@ -23,6 +23,16 @@ ssl_key = . +# Default is postmaster@. %d expands to recipient domain. #postmaster_address = -# Hostname to use in various parts of sent mails, eg. in Message-Id. -# Default is the system's real hostname. +# Hostname to use in various parts of sent mails (e.g. in Message-Id) and +# in LMTP replies. Default is the system's real hostname@domain. #hostname = # If user is over quota, return with temporary failure instead of diff --git a/conf.d/90-quota.conf b/conf.d/90-quota.conf index 6984da6..db1f718 100644 --- a/conf.d/90-quota.conf +++ b/conf.d/90-quota.conf @@ -17,6 +17,11 @@ plugin { #quota_rule = *:storage=1G #quota_rule2 = Trash:storage=+100M + + # LDA/LMTP allows saving the last mail to bring user from under quota to + # over quota, if the quota doesn't grow too high. Default is to allow as + # long as quota will stay under 10% above the limit. Also allowed e.g. 10M. + #quota_grace = 10%% } ## diff --git a/conf.d/90-sieve.conf b/conf.d/90-sieve.conf index 516ac46..1ebf9f3 100644 --- a/conf.d/90-sieve.conf +++ b/conf.d/90-sieve.conf @@ -1,6 +1,6 @@ ## ## Settings for the Sieve interpreter -## +## # Do not forget to enable the Sieve plugin in 15-lda.conf and 20-lmtp.conf # by adding it to the respective mail_plugins= settings. 
@@ -16,68 +16,90 @@ plugin { # command line tool. # --> See sieve_before fore executing scripts before the user's personal # script. - #sieve_global_path = /var/lib/dovecot/sieve/default.sieve + #sieve_default = /var/lib/dovecot/sieve/default.sieve # Directory for :personal include scripts for the include extension. This # is also where the ManageSieve service stores the user's scripts. sieve_dir = ~/sieve - # Directory for :global include scripts for the include extension. + # Directory for :global include scripts for the include extension. #sieve_global_dir = # Path to a script file or a directory containing script files that need to be # executed before the user's script. If the path points to a directory, all # the Sieve scripts contained therein (with the proper .sieve extension) are - # executed. The order of execution is determined by the file names, using a - # normal 8bit per-character comparison. + # executed. The order of execution within a directory is determined by the + # file names, using a normal 8bit per-character comparison. Multiple script + # file or directory paths can be specified by appending an increasing number. #sieve_before = + #sieve_before2 = + #sieve_before3 = (etc...) # Identical to sieve_before, only the specified scripts are executed after the - # user's script (only when keep is still in effect!). + # user's script (only when keep is still in effect!). Multiple script file or + # directory paths can be specified by appending an increasing number. #sieve_after = - - # Which Sieve language extensions are available to users. By default, all + #sieve_after2 = + #sieve_after2 = (etc...) + + # Which Sieve language extensions are available to users. By default, all # supported extensions are available, except for deprecated extensions or # those that are still under development. Some system administrators may want # to disable certain Sieve extensions or enable those that are not available # by default. 
This setting can use '+' and '-' to specify differences relative # to the default. For example `sieve_extensions = +imapflags' will enable the - # deprecated imapflags extension in addition to all extensions thatwere - # already enabled by default. + # deprecated imapflags extension in addition to all extensions were already + # enabled by default. #sieve_extensions = +notify +imapflags + # Which Sieve language extensions are ONLY available in global scripts. This + # can be used to restrict the use of certain Sieve extensions to administrator + # control, for instance when these extensions can cause security concerns. + # This setting has higher precedence than the `sieve_extensions' setting + # (above), meaning that the extensions enabled with this setting are never + # available to the user's personal script no matter what is specified for the + # `sieve_extensions' setting. The syntax of this setting is similar to the + # `sieve_extensions' setting, with the difference that extensions are + # enabled or disabled for exclusive use in global scripts. Currently, no + # extensions are marked as such by default. + #sieve_global_extensions = + # The Pigeonhole Sieve interpreter can have plugins of its own. Using this # setting, the used plugins can be specified. Check the Dovecot wiki # (wiki2.dovecot.org) or the pigeonhole website # (http://pigeonhole.dovecot.org) for available plugins. + # The sieve_extprograms plugin is included in this release. #sieve_plugins = - # The separator that is expected between the :user and :detail - # address parts introduced by the subaddress extension. This may - # also be a sequence of characters (e.g. '--'). The current - # implementation looks for the separator from the left of the - # localpart and uses the first one encountered. The :user part is + # The separator that is expected between the :user and :detail + # address parts introduced by the subaddress extension. This may + # also be a sequence of characters (e.g. '--'). 
The current + # implementation looks for the separator from the left of the + # localpart and uses the first one encountered. The :user part is # left of the separator and the :detail part is right. This setting # is also used by Dovecot's LMTP service. #recipient_delimiter = + - # The maximum size of a Sieve script. The compiler will refuse to - # compile any script larger than this limit. + # The maximum size of a Sieve script. The compiler will refuse to compile any + # script larger than this limit. If set to 0, no limit on the script size is + # enforced. #sieve_max_script_size = 1M - # The maximum number of actions that can be performed during a single - # script execution. + # The maximum number of actions that can be performed during a single script + # execution. If set to 0, no limit on the total number of actions is enforced. #sieve_max_actions = 32 - # The maximum number of redirect actions that can be performed during - # a single script execution. + # The maximum number of redirect actions that can be performed during a single + # script execution. If set to 0, no redirect actions are allowed. #sieve_max_redirects = 4 - # The maximum number of personal Sieve scripts a single user can have. + # The maximum number of personal Sieve scripts a single user can have. If set + # to 0, no limit on the number of scripts is enforced. # (Currently only relevant for ManageSieve) #sieve_quota_max_scripts = 0 - # The maximum amount of disk storage a single user's scripts may occupy. - # (Currently only relevant for ManageSieve) + # The maximum amount of disk storage a single user's scripts may occupy. If + # set to 0, no limit on the used amount of disk storage is enforced. + # (Currently only relevant for ManageSieve) #sieve_quota_max_storage = 0 } diff --git a/conf.d/auth-deny.conf.ext b/conf.d/auth-deny.conf.ext index f2d897d..ce3f1cf 100644 --- a/conf.d/auth-deny.conf.ext +++ b/conf.d/auth-deny.conf.ext 
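Review bot: The example list added for `sieve_after` repeats the same key twice — `#sieve_after2 =` followed by `#sieve_after2 = (etc...)` — where the second line should be `#sieve_after3 = (etc...)`, matching the `sieve_before`/`sieve_before2`/`sieve_before3` sequence a few lines earlier; as written, uncommenting the examples yields a duplicate key. The rewording of the `sieve_extensions` comment dropped a word and now reads "all extensions were already enabled"; it should be `# deprecated imapflags extension in addition to all extensions that were already`. The hunk also renames the commented default from `sieve_global_path` to `sieve_default`; whether the old name is still honoured by the installed Pigeonhole version is not visible in the diff, so any live configuration that still sets it should be checked. The enclosing `plugin {` block opens before this hunk (it appears only in the hunk header's context) and is closed by the hunk's final `}`.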
@@ -1,4 +1,4 @@
-# Deny access for users. Included from auth.conf.
+# Deny access for users. Included from 10-auth.conf.

 # Users can be (temporarily) disabled by adding a passdb with deny=yes.
 # If the user is found from that database, authentication will fail.
diff --git a/conf.d/auth-master.conf.ext b/conf.d/auth-master.conf.ext
index 8e5107f..2cf128f 100644
--- a/conf.d/auth-master.conf.ext
+++ b/conf.d/auth-master.conf.ext
@@ -1,4 +1,4 @@
-# Authentication for master users. Included from auth.conf.
+# Authentication for master users. Included from 10-auth.conf.

 # By adding master=yes setting inside a passdb you make the passdb a list
 # of "master users", who can log in as anyone else.
diff --git a/conf.d/auth-passwdfile.conf.ext b/conf.d/auth-passwdfile.conf.ext
index 81ab213..42f0e5e 100644
--- a/conf.d/auth-passwdfile.conf.ext
+++ b/conf.d/auth-passwdfile.conf.ext
@@ -1,19 +1,20 @@
-# Authentication for passwd-file users. Included from auth.conf.
+# Authentication for passwd-file users. Included from 10-auth.conf.
 #
 # passwd-like file with specified location.
 #
 passdb {
 driver = passwd-file
- args = /etc/dovecot/extra-users.passwd
+ args = scheme=CRYPT username_format=%u /etc/dovecot/extra-users.passwd
 }

-#passdb {
-# driver = passwd-file
-# args = scheme=CRYPT username_format=%u /etc/dovecot/users
-#}
+userdb {
+ driver = passwd-file
+ args = username_format=%u /etc/dovecot/extra-users.passwd
+
+ # Default fields that can be overridden by passwd-file
+ #default_fields = quota_rule=*:storage=1G

-#userdb {
-# driver = passwd-file
-# args = username_format=%u /etc/dovecot/users
-#}
+ # Override fields from passwd-file
+ #override_fields = home=/home/virtual/%u
+}
diff --git a/conf.d/auth-static.conf.ext b/conf.d/auth-static.conf.ext
index 238d517..90890c5 100644
--- a/conf.d/auth-static.conf.ext
+++ b/conf.d/auth-static.conf.ext
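Review bot: In conf.d/auth-passwdfile.conf.ext the new `args = scheme=CRYPT username_format=%u /etc/dovecot/extra-users.passwd` makes CRYPT the scheme for every entry that lacks an explicit `{SCHEME}` prefix, and crypt(3) covers legacy hash forms as well as modern ones, so nothing here prevents a weak hash from being accepted silently; a comment stating the expected hash form (or prefixing each entry with its scheme inside the file) would make that intent checkable. The same file now also backs the new `userdb { driver = passwd-file ... }`, so it holds password hashes plus account fields, yet unlike the header this commit adds to dovecot-sql.conf.ext ("opened as root, so it should be owned by root and mode 0600") nothing records the required ownership or mode; suggest `# Contains password hashes: restrict this file to the account Dovecot's auth service runs as.` The userdb lookup presumably needs uid/gid/home values in extra-users.passwd or via the still-commented `default_fields`/`override_fields`; that cannot be confirmed from the diff.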
@@ -1,4 +1,4 @@
-# Static passdb. Included from auth.conf.
+# Static passdb. Included from 10-auth.conf.

 # This can be used for situations where Dovecot doesn't need to verify the
 # username or the password, or if there is a single password for all users:
diff --git a/conf.d/auth-system.conf.ext b/conf.d/auth-system.conf.ext
index 56f4659..23f943c 100644
--- a/conf.d/auth-system.conf.ext
+++ b/conf.d/auth-system.conf.ext
@@ -1,4 +1,4 @@
-# Authentication for system users. Included from auth.conf.
+# Authentication for system users. Included from 10-auth.conf.
 #
 #
 #
@@ -51,6 +51,9 @@ userdb {
 driver = passwd
 # [blocking=no]
 #args =
+
+ # Override fields from passwd
+ #override_fields = home=/home/virtual/%u
 }

 # Static settings generated from template
diff --git a/conf.d/auth-vpopmail.conf.ext b/conf.d/auth-vpopmail.conf.ext
index 355237d..f2da976 100644
--- a/conf.d/auth-vpopmail.conf.ext
+++ b/conf.d/auth-vpopmail.conf.ext
@@ -1,4 +1,4 @@
-# Authentication for vpopmail users. Included from auth.conf.
+# Authentication for vpopmail users. Included from 10-auth.conf.
 #
 #
diff --git a/dovecot-dict-sql.conf.ext b/dovecot-dict-sql.conf.ext
index 674a25f..a9a903f 100644
--- a/dovecot-dict-sql.conf.ext
+++ b/dovecot-dict-sql.conf.ext
@@ -1,3 +1,5 @@
+# This file is commonly accessed via dict {} section in dovecot.conf
+
 #connect = host=localhost dbname=mails user=testuser password=pass

 # CREATE TABLE quota (
diff --git a/dovecot-sql.conf.ext b/dovecot-sql.conf.ext
index b650c57..77e8187 100644
--- a/dovecot-sql.conf.ext
+++ b/dovecot-sql.conf.ext
@@ -1,3 +1,6 @@
+# This file is commonly accessed via passdb {} or userdb {} section in
+# conf.d/auth-sql.conf.ext
+
 # This file is opened as root, so it should be owned by root and mode 0600.
 #
 # http://wiki2.dovecot.org/AuthDatabase/SQL
diff --git a/dovecot.conf b/dovecot.conf
index c9732b8..c802011 100644
--- a/dovecot.conf
+++ b/dovecot.conf
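Review bot: The header added to dovecot-dict-sql.conf.ext says where the file is included from but, unlike the header the same commit adds to dovecot-sql.conf.ext, carries no ownership/mode reminder, even though the `#connect = host=localhost dbname=mails user=testuser password=pass` example directly below shows the file will hold a database password once configured. Suggest adding after the new first line: `# Like dovecot-sql.conf.ext it holds database credentials, so restrict it (e.g. owned by root, mode 0600).` Which process opens this file is not shown in the diff, so the added comment should stay about permissions rather than about who reads it.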
@@ -9,6 +9,10 @@ # and tabs are ignored. If you want to use either of these explicitly, put the # value inside quotes, eg.: key = "# char and trailing whitespace " +# Most (but not all) settings can be overridden by different protocols and/or +# source/destination IPs by placing the settings inside sections, for example: +# protocol imap { }, local 127.0.0.1 { }, remote 10.0.0.0/8 { } + # Default values are shown for each setting, it's not required to uncomment # those. These are exceptions to this though: No sections (e.g. namespace {}) # or plugin settings are added by default, they're listed only as examples. @@ -28,7 +32,10 @@ # Base directory where to store runtime data. #base_dir = /var/run/dovecot/ -# Name of this instance. Used to prefix all Dovecot processes in ps output. +# Name of this instance. In multi-instance setup doveadm and other commands +# can use -i to select which instance is used (an alternative +# to -c ). The instance name is also added to Dovecot processes +# in ps output. #instance_name = dovecot # Greeting message for clients. @@ -40,9 +47,14 @@ # these networks. Typically you'd specify your IMAP proxy servers here. #login_trusted_networks = -# Sepace separated list of login access check sockets (e.g. tcpwrap) +# Space separated list of login access check sockets (e.g. tcpwrap) #login_access_sockets = +# With proxy_maybe=yes if proxy destination matches any of these IPs, don't do +# proxying. This isn't necessary normally, but may be useful if the destination +# IP is e.g. a load balancer's IP. +#auth_proxy_self = + # Show more verbose process titles (in ps). Currently shows user name and # IP address. Useful for seeing who are actually using the IMAP processes # (eg. shared mailboxes or if same uid is used for multiple accounts).