dovecot-example.conf revision 276b3e0947a349da687a9f5c7f3928884e9058f0
c25356d5978632df6203437e1953bcb29e0c736fTimo Sirainen## Dovecot 1.0 configuration file
c25356d5978632df6203437e1953bcb29e0c736fTimo Sirainen
ecc81625167ed96c04c02aa190a1ea5baa65b474Timo Sirainen# Default values are shown after each setting; it's not required to uncomment
49e358eebea107aad9919dcc4bd88cee8519ba2eTimo Sirainen# any of the lines.
49e358eebea107aad9919dcc4bd88cee8519ba2eTimo Sirainen
49e358eebea107aad9919dcc4bd88cee8519ba2eTimo Sirainen# Port to listen on for IMAP connections. This port is used for TLS
c0435c854a0e7246373b9752d163095cc4fbe985Timo Sirainen# connections as well. Setting it to 0 disables it.
dd62b77c932d1b518f2a3e4bf80e36542becc256Timo Sirainen#imap_port = 143
ecc81625167ed96c04c02aa190a1ea5baa65b474Timo Sirainen
87a6b7df39d6822a5a8289a62f32deabff9b75e4Timo Sirainen# Port to listen on for SSL IMAP connections. Setting it to 0 disables it.
87a6b7df39d6822a5a8289a62f32deabff9b75e4Timo Sirainen#imaps_port = 993
87a6b7df39d6822a5a8289a62f32deabff9b75e4Timo Sirainen
87a6b7df39d6822a5a8289a62f32deabff9b75e4Timo Sirainen# IP or host address to listen on for IMAP connections. Empty means to
87a6b7df39d6822a5a8289a62f32deabff9b75e4Timo Sirainen# listen on all interfaces. It's not possible to specify multiple addresses.
87a6b7df39d6822a5a8289a62f32deabff9b75e4Timo Sirainen#imap_listen =
87a6b7df39d6822a5a8289a62f32deabff9b75e4Timo Sirainen
87a6b7df39d6822a5a8289a62f32deabff9b75e4Timo Sirainen# IP or host address to listen on for SSL IMAP connections. Defaults
87a6b7df39d6822a5a8289a62f32deabff9b75e4Timo Sirainen# to imap_listen if not specified.
7b29ccd796fc75af86f827192d2f8c0e8f0087bbTimo Sirainen#imaps_listen =
7b29ccd796fc75af86f827192d2f8c0e8f0087bbTimo Sirainen
87a6b7df39d6822a5a8289a62f32deabff9b75e4Timo Sirainen# SSL certificate and key files. They're opened as root, so the key file can be readable by root only.
ecc81625167ed96c04c02aa190a1ea5baa65b474Timo Sirainen#ssl_cert_file = /etc/ssl/certs/imapd.pem
87a6b7df39d6822a5a8289a62f32deabff9b75e4Timo Sirainen#ssl_key_file = /etc/ssl/private/imapd.pem
0dffa25d211be541ee3c953b23566a1a990789dfTimo Sirainen
0dffa25d211be541ee3c953b23566a1a990789dfTimo Sirainen# Disable the LOGIN command and all other plaintext authentication unless
0dffa25d211be541ee3c953b23566a1a990789dfTimo Sirainen# SSL/TLS is used (LOGINDISABLED capability). With "no", passwords can be sent in cleartext over unencrypted connections.
0dffa25d211be541ee3c953b23566a1a990789dfTimo Sirainen#disable_plaintext_auth = no
da2aa032ccfa8e7e4a4380ef738014549f4d2c2dTimo Sirainen
0dffa25d211be541ee3c953b23566a1a990789dfTimo Sirainen# Use this logfile instead of syslog()
7b29ccd796fc75af86f827192d2f8c0e8f0087bbTimo Sirainen#log_path =
7b29ccd796fc75af86f827192d2f8c0e8f0087bbTimo Sirainen
7b29ccd796fc75af86f827192d2f8c0e8f0087bbTimo Sirainen# Prefix for each line written to log file. % codes are in strftime(3)
ecc81625167ed96c04c02aa190a1ea5baa65b474Timo Sirainen# format. Note the extra space at the end of line.
252db51b6c0a605163326b3ea5d09e9936ca3b29Timo Sirainen#log_timestamp = %b %d %H:%M:%S
ecc81625167ed96c04c02aa190a1ea5baa65b474Timo Sirainen
ecc81625167ed96c04c02aa190a1ea5baa65b474Timo Sirainen##
5ac0b0bf32898c63da086ae169674ecac151a31eTimo Sirainen## Login process
5ac0b0bf32898c63da086ae169674ecac151a31eTimo Sirainen##
e93184a9055c2530366dfe617e07199603c399ddMartti Rannanjärvi
43834f87bf431198f986e86052a4f6e558fdb07dTimo Sirainen# Executable location
43834f87bf431198f986e86052a4f6e558fdb07dTimo Sirainen#login_executable = /usr/lib/dovecot/imap-login
09801f106cd531a28b4e03ec665e44c421264560Timo Sirainen
09801f106cd531a28b4e03ec665e44c421264560Timo Sirainen# User to use for imap-login process
09801f106cd531a28b4e03ec665e44c421264560Timo Sirainen#login_user = imapd
fe363b433b8038a69b55169da9dca27892ad7d18Timo Sirainen
c0435c854a0e7246373b9752d163095cc4fbe985Timo Sirainen# Directory where imap-auth places authentication UNIX sockets which login
6ef7e31619edfaa17ed044b45861d106a86191efTimo Sirainen# needs to be able to connect to. The sockets are created when running as
a9a928e40e3b691924c8e5e444e3e1a4320aa3bdStephan Bosch# root, so you don't need to give imap-auth any access for it.
a9a928e40e3b691924c8e5e444e3e1a4320aa3bdStephan Bosch#login_dir = /var/run/dovecot/login
fe363b433b8038a69b55169da9dca27892ad7d18Timo Sirainen
212a34c06ff45952c008ae9eec387ced783de6cfPhil Carmody# chroot() the imap-login process to login_dir. The only reason not to do this
212a34c06ff45952c008ae9eec387ced783de6cfPhil Carmody# is if you wish to run the whole imapd without root privileges.
212a34c06ff45952c008ae9eec387ced783de6cfPhil Carmody#login_chroot = yes
212a34c06ff45952c008ae9eec387ced783de6cfPhil Carmody
a9a928e40e3b691924c8e5e444e3e1a4320aa3bdStephan Bosch# Number of imap-login processes to use, one or two is enough
a9a928e40e3b691924c8e5e444e3e1a4320aa3bdStephan Bosch#login_processes_count = 1
a9a928e40e3b691924c8e5e444e3e1a4320aa3bdStephan Bosch
a9a928e40e3b691924c8e5e444e3e1a4320aa3bdStephan Bosch# Maximum number of connections allowed in login state. When this limit is
a9a928e40e3b691924c8e5e444e3e1a4320aa3bdStephan Bosch# reached, the oldest connections are dropped.
a9a928e40e3b691924c8e5e444e3e1a4320aa3bdStephan Bosch#max_logging_users = 256
a9a928e40e3b691924c8e5e444e3e1a4320aa3bdStephan Bosch
a9a928e40e3b691924c8e5e444e3e1a4320aa3bdStephan Bosch##
a9a928e40e3b691924c8e5e444e3e1a4320aa3bdStephan Bosch## IMAP process
10c96a244935de4add8213ba0b894178dfb889a5Timo Sirainen##
bdcb00145ad87765e3fd22d4ebc4d2c029a326b9Timo Sirainen
bdcb00145ad87765e3fd22d4ebc4d2c029a326b9Timo Sirainen# Executable location
0c1835a90dd1dcedaeaedd1cd91672299cbeb5beTimo Sirainen#imap_executable = /usr/lib/dovecot/imap
f4735bf7ec2019fdc730e9ebdb39e5a4ea580405Timo Sirainen
f4735bf7ec2019fdc730e9ebdb39e5a4ea580405Timo Sirainen# Maximum number of running imap processes. When this limit is reached,
f4735bf7ec2019fdc730e9ebdb39e5a4ea580405Timo Sirainen# new users aren't allowed to log in.
ecc81625167ed96c04c02aa190a1ea5baa65b474Timo Sirainen#max_imap_processes = 1024
8cb72c59d5ea4e9e5f638d7ec840bb853f5a188eTimo Sirainen
8cb72c59d5ea4e9e5f638d7ec840bb853f5a188eTimo Sirainen# Valid UID/GID ranges for imap users, defaults to 500 and above.
8cb72c59d5ea4e9e5f638d7ec840bb853f5a188eTimo Sirainen# Note that denying root logins is hardcoded into the imap-master binary;
8cb72c59d5ea4e9e5f638d7ec840bb853f5a188eTimo Sirainen# root can't log in even if first_valid_uid is set to 0.
8cb72c59d5ea4e9e5f638d7ec840bb853f5a188eTimo Sirainen#first_valid_uid = 500
8cb72c59d5ea4e9e5f638d7ec840bb853f5a188eTimo Sirainen#last_valid_uid = 0
8cb72c59d5ea4e9e5f638d7ec840bb853f5a188eTimo Sirainen
e2ce8d4a6ac5d82a906178148453e7613fab9ba0Timo Sirainen#first_valid_gid = 1
cd56a23e21f1df3f79648cf07e2f4385e2fadebbTimo Sirainen#last_valid_gid = 0
cd56a23e21f1df3f79648cf07e2f4385e2fadebbTimo Sirainen
ecc81625167ed96c04c02aa190a1ea5baa65b474Timo Sirainen# ':' separated list of directories under which chrooting is allowed for imap
ecc81625167ed96c04c02aa190a1ea5baa65b474Timo Sirainen# processes (ie. /var/mail will allow chrooting to /var/mail/foo/bar too).
c0435c854a0e7246373b9752d163095cc4fbe985Timo Sirainen# WARNING: Never add directories here that local users can modify; doing so
d5cebe7f98e63d4e2822863ef2faa4971e8b3a5dTimo Sirainen# may lead to a root exploit. Usually this should be set only if you don't
d5cebe7f98e63d4e2822863ef2faa4971e8b3a5dTimo Sirainen# allow shell access for users.
5ac0b0bf32898c63da086ae169674ecac151a31eTimo Sirainen#valid_chroot_dirs =
1a0ece3e873e3864269ed7eaed957dc10c56d25fTimo Sirainen
a10ed8c47534b4c6b6bf2711ccfe577e720a47b4Timo Sirainen# Copy mail to other folders using hard links. This is much faster than
a10ed8c47534b4c6b6bf2711ccfe577e720a47b4Timo Sirainen# actually copying the file. The only problem is that if either of the
1a0ece3e873e3864269ed7eaed957dc10c56d25fTimo Sirainen# mails is modified directly, both will change. This isn't a problem with
1a0ece3e873e3864269ed7eaed957dc10c56d25fTimo Sirainen# IMAP, however, since it offers no way to modify existing mails. Also,
27a44fcfd8d19bffe0f267f20a2b5d3fe7600fddTimo Sirainen# at least mutt modifies mails by deleting the old one and inserting a new
27a44fcfd8d19bffe0f267f20a2b5d3fe7600fddTimo Sirainen# modified mail. So if performance matters at all you should turn this on.
c28f6aa0b70af4811c9ace9114fe827c2f503455Timo Sirainen#maildir_copy_with_hardlinks = no
1a0ece3e873e3864269ed7eaed957dc10c56d25fTimo Sirainen
1a0ece3e873e3864269ed7eaed957dc10c56d25fTimo Sirainen# Check if mails' content has been changed by external programs. This slows
ecc81625167ed96c04c02aa190a1ea5baa65b474Timo Sirainen# down things as extra stat() needs to be called for each file.
ecc81625167ed96c04c02aa190a1ea5baa65b474Timo Sirainen#maildir_check_content_changes = no
c0435c854a0e7246373b9752d163095cc4fbe985Timo Sirainen
46ce4d9273e6df12ef1912bbdb1c8b84b104f394Timo Sirainen# If the main index file is incompatible with us, should we overwrite it or
46ce4d9273e6df12ef1912bbdb1c8b84b104f394Timo Sirainen# create a new index with another name? Unless you are running Dovecot on
862ec874f9373e3e499e237d3b9f71fdf1413feeTimo Sirainen# multiple computers with different architectures accessing the same
5af5137f6dc0c9f358b7813e941e26f7bd735b3aTimo Sirainen# mailboxes (eg. via NFS), it's safe to set this to "yes".
5af5137f6dc0c9f358b7813e941e26f7bd735b3aTimo Sirainen#overwrite_incompatible_index = no
5af5137f6dc0c9f358b7813e941e26f7bd735b3aTimo Sirainen
5af5137f6dc0c9f358b7813e941e26f7bd735b3aTimo Sirainen# umask to use for mail files and directories
ecc81625167ed96c04c02aa190a1ea5baa65b474Timo Sirainen#umask = 0077
e2ce8d4a6ac5d82a906178148453e7613fab9ba0Timo Sirainen
e2ce8d4a6ac5d82a906178148453e7613fab9ba0Timo Sirainen##
c0435c854a0e7246373b9752d163095cc4fbe985Timo Sirainen## Authentication processes
07e4875d250e7a7157cd99132aafc773cf3cdf83Timo Sirainen##
07e4875d250e7a7157cd99132aafc773cf3cdf83Timo Sirainen
07e4875d250e7a7157cd99132aafc773cf3cdf83Timo Sirainen# You can have multiple processes; each time "auth = xx" is seen, a new
ecc81625167ed96c04c02aa190a1ea5baa65b474Timo Sirainen# process definition is started. The point of multiple processes is to be
7662010b03ffe5f2a6ecf4b4eb220d1c65efea76Timo Sirainen# able to set stricter permissions on some of them. For example, plain/PAM
7662010b03ffe5f2a6ecf4b4eb220d1c65efea76Timo Sirainen# authentication requires root privileges, but if you also use digest-md5 authentication
7662010b03ffe5f2a6ecf4b4eb220d1c65efea76Timo Sirainen# for some users, you can authenticate them without any privileges in a
7662010b03ffe5f2a6ecf4b4eb220d1c65efea76Timo Sirainen# separate auth process. Just remember that only one auth process is asked
ecc81625167ed96c04c02aa190a1ea5baa65b474Timo Sirainen# for the password, so you can't have different passwords with different
71aed7ba87b5fd5e96e97a22d89ac025b883d60aTimo Sirainen# processes (unless they have different auth methods, and you're ok with
71aed7ba87b5fd5e96e97a22d89ac025b883d60aTimo Sirainen# having a different password for each method).
c0435c854a0e7246373b9752d163095cc4fbe985Timo Sirainen
71aed7ba87b5fd5e96e97a22d89ac025b883d60aTimo Sirainen# Authentication process name.
71aed7ba87b5fd5e96e97a22d89ac025b883d60aTimo Sirainenauth = default
71aed7ba87b5fd5e96e97a22d89ac025b883d60aTimo Sirainen
71aed7ba87b5fd5e96e97a22d89ac025b883d60aTimo Sirainen# Space-separated list of authentication methods this process allows
0a49b316fc729e5d57268ffa63c7122ac73f994cTimo Sirainenauth_methods = plain
51e1a1c280ccb461a15827f7987d09cb9708b6e3Timo Sirainen
51e1a1c280ccb461a15827f7987d09cb9708b6e3Timo Sirainen# Space-separated list of realms for authentication methods that need them.
51e1a1c280ccb461a15827f7987d09cb9708b6e3Timo Sirainen# This is usually empty or the host name of the server (eg.
463f6ea04af934a68facaca0ff089bc306de3f98Timo Sirainen# mail.mycompany.com).
463f6ea04af934a68facaca0ff089bc306de3f98Timo Sirainen# - plain auth checks the password from all realms specified here
463f6ea04af934a68facaca0ff089bc306de3f98Timo Sirainen# - digest-md5 must have the password added for each realm separately, and
463f6ea04af934a68facaca0ff089bc306de3f98Timo Sirainen# many clients simply use the first realm listed here. So if you really
0b6924ad1943fe5c6917fc49f675d8f316b0d939Timo Sirainen# need to add more realms, add them to the end of the list.
0b6924ad1943fe5c6917fc49f675d8f316b0d939Timo Sirainen#auth_realms =
0b6924ad1943fe5c6917fc49f675d8f316b0d939Timo Sirainen
ecc81625167ed96c04c02aa190a1ea5baa65b474Timo Sirainen# Where the user information and passwords are stored:
ecc81625167ed96c04c02aa190a1ea5baa65b474Timo Sirainen# passwd: /etc/passwd or similar, using getpwnam()
ecc81625167ed96c04c02aa190a1ea5baa65b474Timo Sirainen# shadow: /etc/shadow or similar, using getspnam()
c0435c854a0e7246373b9752d163095cc4fbe985Timo Sirainen# pam: PAM authentication
ecc81625167ed96c04c02aa190a1ea5baa65b474Timo Sirainen# passwd-file /etc/passwd.imap: /etc/passwd-like file. Supports digest-md5
ecc81625167ed96c04c02aa190a1ea5baa65b474Timo Sirainen# style passwords
c0435c854a0e7246373b9752d163095cc4fbe985Timo Sirainenauth_userinfo = pam
ecc81625167ed96c04c02aa190a1ea5baa65b474Timo Sirainen
87a6b7df39d6822a5a8289a62f32deabff9b75e4Timo Sirainen# Executable location
87a6b7df39d6822a5a8289a62f32deabff9b75e4Timo Sirainen#auth_executable = /var/lib/dovecot/imap-auth
c0435c854a0e7246373b9752d163095cc4fbe985Timo Sirainen
602a0434db30d8e3292d1c161a803d96a879a74fTimo Sirainen# User to run the process as. Only shadow and pam authentication require
602a0434db30d8e3292d1c161a803d96a879a74fTimo Sirainen# root privileges, so use an unprivileged user if possible.
602a0434db30d8e3292d1c161a803d96a879a74fTimo Sirainenauth_user = root
602a0434db30d8e3292d1c161a803d96a879a74fTimo Sirainen
602a0434db30d8e3292d1c161a803d96a879a74fTimo Sirainen# Directory where to chroot the process
01f4ee4a0243f3fe9af763e1a540cd5cff0d63f5Timo Sirainen#auth_chroot =
07e4875d250e7a7157cd99132aafc773cf3cdf83Timo Sirainen
7d207b1e77a7b5e3fda640e353acfc86d261fedfTimo Sirainen# Number of authentication processes to create
7d207b1e77a7b5e3fda640e353acfc86d261fedfTimo Sirainen#auth_count = 1
7d207b1e77a7b5e3fda640e353acfc86d261fedfTimo Sirainen
7d207b1e77a7b5e3fda640e353acfc86d261fedfTimo Sirainen
7d207b1e77a7b5e3fda640e353acfc86d261fedfTimo Sirainen# digest-md5 authentication process. It requires special MD5 passwords which
01f4ee4a0243f3fe9af763e1a540cd5cff0d63f5Timo Sirainen# /etc/shadow and PAM don't support, so we never need root privileges to handle it.
4b9f99761df5014c659cd87fddaf6854af428cfcTimo Sirainen# Note that the passwd-file is opened before chrooting and dropping root
4b9f99761df5014c659cd87fddaf6854af428cfcTimo Sirainen# privileges, so it may be a root-owned file with mode 0600.
4b9f99761df5014c659cd87fddaf6854af428cfcTimo Sirainen
7e1f68ad71d3485f1882142837b01f7a98ca8467Timo Sirainen#auth = digest_md5
4106a25399703eb6cbb166dcbd5bb932cb2f7ad2Timo Sirainen#auth_methods = digest-md5
a3c197999dfe2b0c8ea38cb77cfa5e95026005c0Timo Sirainen#auth_realms =
a3c197999dfe2b0c8ea38cb77cfa5e95026005c0Timo Sirainen#auth_userinfo = passwd-file /etc/passwd.imap
923115fd382904fa13bb09bf307bf2835b52df60Timo Sirainen#auth_user = imapauth
923115fd382904fa13bb09bf307bf2835b52df60Timo Sirainen#auth_chroot = /var/run/dovecot/auth
923115fd382904fa13bb09bf307bf2835b52df60Timo Sirainen
7e1f68ad71d3485f1882142837b01f7a98ca8467Timo Sirainen# If you plan to use only passwd-file, you don't need the two auth processes;
89e195dfb5c4b0efd9b9f459771a4467674e5b1fTimo Sirainen# simply set "auth_methods = plain digest-md5"
51e1a1c280ccb461a15827f7987d09cb9708b6e3Timo Sirainen