dovecot-example.conf revision 861d373feea39d3fe8c3cda75ea25cf418a2e26c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
c797f343be2f3619bb1f5569753166ec49d27bdbChristian Maeder## Dovecot 1.0 configuration file
c797f343be2f3619bb1f5569753166ec49d27bdbChristian Maeder# Default values are shown after each value, it's not required to uncomment
97018cf5fa25b494adffd7e9b4e87320dae6bf47Christian Maeder# any of the lines. Exception to this are paths, they're just examples
c797f343be2f3619bb1f5569753166ec49d27bdbChristian Maeder# with real defaults being based on configure options. The paths listed here
b4fbc96e05117839ca409f5f20f97b3ac872d1edTill Mossakowski# are for configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var
c797f343be2f3619bb1f5569753166ec49d27bdbChristian Maeder# --with-ssldir=/etc/ssl
f3a94a197960e548ecd6520bb768cb0d547457bbChristian Maeder# Base directory where to store runtime data.
462ec4b2fa3e0e788eb60dcb4aebc518298f342cChristian Maeder# Protocols we want to be serving:
462ec4b2fa3e0e788eb60dcb4aebc518298f342cChristian Maeder# imap imaps pop3 pop3s
462ec4b2fa3e0e788eb60dcb4aebc518298f342cChristian Maeder#protocols = imap imaps
b190f5c7cf3ddda73724efe5ce82b9585ed76be1Christian Maeder# IP or host address where to listen in for connections. It's not currently
4fb19f237193a3bd6778f8aee3b6dd8da5856665Christian Maeder# possible to specify multiple addresses. "*" listens in all IPv4 interfaces.
4fb19f237193a3bd6778f8aee3b6dd8da5856665Christian Maeder# "[::]" listens in all IPv6 interfaces, but may also listen in all IPv4
462ec4b2fa3e0e788eb60dcb4aebc518298f342cChristian Maeder# interfaces depending on the operating system. You can specify ports with
462ec4b2fa3e0e788eb60dcb4aebc518298f342cChristian Maeder# "host:port".
04dada28736b4a237745e92063d8bdd49a362debChristian Maeder# IP or host address where to listen in for SSL connections. Defaults
b984ff0ba75221f64451c1e69b3977967d4e99a1Christian Maeder# to above if not specified.
4fb19f237193a3bd6778f8aee3b6dd8da5856665Christian Maeder# Disable SSL/TLS support.
89054b2b95a3f92e78324dc852f3d34704e2ca49Christian Maeder#ssl_disable = no
4fb19f237193a3bd6778f8aee3b6dd8da5856665Christian Maeder# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
8b9fda012e5ee53b7b2320c0638896a0ff6e99f3Christian Maeder# dropping root privileges, so keep the key file unreadable by anyone but
8b9fda012e5ee53b7b2320c0638896a0ff6e99f3Christian Maeder# root. Included doc/mkcert.sh can be used to easily generate self-signed
8b9fda012e5ee53b7b2320c0638896a0ff6e99f3Christian Maeder# certificate, just make sure to update the domains in dovecot-openssl.cnf
8b9fda012e5ee53b7b2320c0638896a0ff6e99f3Christian Maeder#ssl_cert_file = /etc/ssl/certs/dovecot.pem
b190f5c7cf3ddda73724efe5ce82b9585ed76be1Christian Maeder#ssl_key_file = /etc/ssl/private/dovecot.pem
4fb19f237193a3bd6778f8aee3b6dd8da5856665Christian Maeder# SSL parameter file. Master process generates this file for login processes.
04dada28736b4a237745e92063d8bdd49a362debChristian Maeder# It contains Diffie Hellman and RSA parameters.
b190f5c7cf3ddda73724efe5ce82b9585ed76be1Christian Maeder#ssl_parameters_file = /var/run/dovecot/ssl-parameters.dat
6cca02cb6a5ae882d887a879f8b7a71941c3715cChristian Maeder# How often to regenerate the SSL parameters file. Generation is quite CPU
b645cf3dc1e449038ed291bbd11fcc6e02b2fc7fChristian Maeder# intensive operation. The value is in hours, 0 disables regeneration
b190f5c7cf3ddda73724efe5ce82b9585ed76be1Christian Maeder#ssl_parameters_regenerate = 24
6cca02cb6a5ae882d887a879f8b7a71941c3715cChristian Maeder# SSL ciphers to use
6cca02cb6a5ae882d887a879f8b7a71941c3715cChristian Maeder#ssl_cipher_list = all:!low
6cca02cb6a5ae882d887a879f8b7a71941c3715cChristian Maeder# Disable LOGIN command and all other plaintext authentications unless
6cca02cb6a5ae882d887a879f8b7a71941c3715cChristian Maeder# SSL/TLS is used (LOGINDISABLED capability). Note that 127.*.*.* and
6cca02cb6a5ae882d887a879f8b7a71941c3715cChristian Maeder# IPv6 ::1 addresses are considered secure, this setting has no effect if
6cca02cb6a5ae882d887a879f8b7a71941c3715cChristian Maeder# you connect from those addresses.
6cca02cb6a5ae882d887a879f8b7a71941c3715cChristian Maeder#disable_plaintext_auth = yes
6cca02cb6a5ae882d887a879f8b7a71941c3715cChristian Maeder# Use this logfile instead of syslog(). /dev/stderr can be used if you want to
6cca02cb6a5ae882d887a879f8b7a71941c3715cChristian Maeder# use stderr for logging (ONLY /dev/stderr - otherwise it is closed).
462ec4b2fa3e0e788eb60dcb4aebc518298f342cChristian Maeder# For informational messages, use this logfile instead of the default
462ec4b2fa3e0e788eb60dcb4aebc518298f342cChristian Maeder#info_log_path =
6cca02cb6a5ae882d887a879f8b7a71941c3715cChristian Maeder# Prefix for each line written to log file. % codes are in strftime(3)
6cca02cb6a5ae882d887a879f8b7a71941c3715cChristian Maeder#log_timestamp = "%b %d %H:%M:%S "
462ec4b2fa3e0e788eb60dcb4aebc518298f342cChristian Maeder## Login processes
462ec4b2fa3e0e788eb60dcb4aebc518298f342cChristian Maeder# Directory where authentication process places authentication UNIX sockets
4fb19f237193a3bd6778f8aee3b6dd8da5856665Christian Maeder# which login needs to be able to connect to. The sockets are created when
462ec4b2fa3e0e788eb60dcb4aebc518298f342cChristian Maeder# running as root, so you don't have to worry about permissions.
f4741f6b7da52b5417899c8fcbe4349b920b006eChristian Maeder# chroot login process to the login_dir. Only reason not to do this is if you
4fb19f237193a3bd6778f8aee3b6dd8da5856665Christian Maeder# wish to run the whole Dovecot without roots.
4fb19f237193a3bd6778f8aee3b6dd8da5856665Christian Maeder#login_chroot = yes
f4741f6b7da52b5417899c8fcbe4349b920b006eChristian Maeder# User to use for the login process. Create a completely new user for this,
462ec4b2fa3e0e788eb60dcb4aebc518298f342cChristian Maeder# and don't use it anywhere else. The user must also belong to a group where
4fb19f237193a3bd6778f8aee3b6dd8da5856665Christian Maeder# only it has access, it's used to control access for authentication process.
4fb19f237193a3bd6778f8aee3b6dd8da5856665Christian Maeder#login_user = dovecot
6cca02cb6a5ae882d887a879f8b7a71941c3715cChristian Maeder# Set max. process size in megabytes. If you don't use
6cca02cb6a5ae882d887a879f8b7a71941c3715cChristian Maeder# login_process_per_connection you might need to grow this.
6cca02cb6a5ae882d887a879f8b7a71941c3715cChristian Maeder#login_process_size = 16
6cca02cb6a5ae882d887a879f8b7a71941c3715cChristian Maeder# Should each login be processed in it's own process (yes), or should one
6cca02cb6a5ae882d887a879f8b7a71941c3715cChristian Maeder# login process be allowed to process multiple connections (no)? Yes is more
6cca02cb6a5ae882d887a879f8b7a71941c3715cChristian Maeder# secure, espcially with SSL/TLS enabled. No is faster since there's no need
6cca02cb6a5ae882d887a879f8b7a71941c3715cChristian Maeder# to create processes all the time.
6cca02cb6a5ae882d887a879f8b7a71941c3715cChristian Maeder#login_process_per_connection = yes
6cca02cb6a5ae882d887a879f8b7a71941c3715cChristian Maeder# Number of login processes to create. If login_process_per_user is
6cca02cb6a5ae882d887a879f8b7a71941c3715cChristian Maeder# yes, this is the number of extra processes waiting for users to log in.
6cca02cb6a5ae882d887a879f8b7a71941c3715cChristian Maeder#login_processes_count = 3
6cca02cb6a5ae882d887a879f8b7a71941c3715cChristian Maeder# Maximum number of extra login processes to create. The extra process count
6cca02cb6a5ae882d887a879f8b7a71941c3715cChristian Maeder# usually stays at login_processes_count, but when multiple users start logging
6cca02cb6a5ae882d887a879f8b7a71941c3715cChristian Maeder# in at the same time more extra processes are created. To prevent fork-bombing
6cca02cb6a5ae882d887a879f8b7a71941c3715cChristian Maeder# we check only once in a second if new processes should be created - if all
15bb922b665fcd44c6230a1202785d0c7890e90cChristian Maeder# of them are used at the time, we double their amount until limit set by this
6cca02cb6a5ae882d887a879f8b7a71941c3715cChristian Maeder# setting is reached. This setting is used only if login_process_per_use is yes.
6cca02cb6a5ae882d887a879f8b7a71941c3715cChristian Maeder#login_max_processes_count = 128
f4741f6b7da52b5417899c8fcbe4349b920b006eChristian Maeder# Maximum number of connections allowed in login state. When this limit is
4fb19f237193a3bd6778f8aee3b6dd8da5856665Christian Maeder# reached, the oldest connections are dropped. If login_process_per_user
4fb19f237193a3bd6778f8aee3b6dd8da5856665Christian Maeder# is no, this is a per-process value, so the absolute maximum number of users
4fb19f237193a3bd6778f8aee3b6dd8da5856665Christian Maeder# logging in actually login_processes_count * max_logging_users.
4fb19f237193a3bd6778f8aee3b6dd8da5856665Christian Maeder#login_max_logging_users = 256
6cca02cb6a5ae882d887a879f8b7a71941c3715cChristian Maeder## Mail processes
4fb19f237193a3bd6778f8aee3b6dd8da5856665Christian Maeder# Maximum number of running mail processes. When this limit is reached,
6cca02cb6a5ae882d887a879f8b7a71941c3715cChristian Maeder# new users aren't allowed to log in.
4fb19f237193a3bd6778f8aee3b6dd8da5856665Christian Maeder#max_mail_processes = 1024
6cca02cb6a5ae882d887a879f8b7a71941c3715cChristian Maeder# Show more verbose process titles (in ps). Currently shows user name and
4fb19f237193a3bd6778f8aee3b6dd8da5856665Christian Maeder# IP address. Useful for seeing who are actually using the IMAP processes
4fb19f237193a3bd6778f8aee3b6dd8da5856665Christian Maeder# (eg. shared mailboxes or if same uid is used for multiple accounts).
04dada28736b4a237745e92063d8bdd49a362debChristian Maeder#verbose_proctitle = no
15bb922b665fcd44c6230a1202785d0c7890e90cChristian Maeder# Show protocol level SSL errors.
6cca02cb6a5ae882d887a879f8b7a71941c3715cChristian Maeder#verbose_ssl = no
04dada28736b4a237745e92063d8bdd49a362debChristian Maeder# Valid UID range for users, defaults to 500 and above. This is mostly
76fa667489c5e0868ac68de9f0253ac10f73d0b5Christian Maeder# to make sure that users can't log in as daemons or other system users.
76fa667489c5e0868ac68de9f0253ac10f73d0b5Christian Maeder# Note that denying root logins is hardcoded to dovecot binary and can't
76fa667489c5e0868ac68de9f0253ac10f73d0b5Christian Maeder# be done even if first_valid_uid is set to 0.
76fa667489c5e0868ac68de9f0253ac10f73d0b5Christian Maeder#first_valid_uid = 500
76fa667489c5e0868ac68de9f0253ac10f73d0b5Christian Maeder#last_valid_uid = 0
76fa667489c5e0868ac68de9f0253ac10f73d0b5Christian Maeder# Valid GID range for users, defaults to non-root/wheel. Users having
4fb19f237193a3bd6778f8aee3b6dd8da5856665Christian Maeder# non-valid GID as primary group ID aren't allowed to log in. If user
4fb19f237193a3bd6778f8aee3b6dd8da5856665Christian Maeder# belongs to supplementary groups with non-valid GIDs, those groups are
4fb19f237193a3bd6778f8aee3b6dd8da5856665Christian Maeder#first_valid_gid = 1
4fb19f237193a3bd6778f8aee3b6dd8da5856665Christian Maeder#last_valid_gid = 0
b984ff0ba75221f64451c1e69b3977967d4e99a1Christian Maeder# ':' separated list of directories under which chrooting is allowed for mail
b984ff0ba75221f64451c1e69b3977967d4e99a1Christian Maeder# processes (ie. /var/mail will allow chrooting to /var/mail/foo/bar too).
6cca02cb6a5ae882d887a879f8b7a71941c3715cChristian Maeder# This setting doesn't affect login_chroot or auth_chroot variables.
b984ff0ba75221f64451c1e69b3977967d4e99a1Christian Maeder# WARNING: Never add directories here which local users can modify, that
b984ff0ba75221f64451c1e69b3977967d4e99a1Christian Maeder# may lead to root exploit. Usually this should be done only if you don't
6cca02cb6a5ae882d887a879f8b7a71941c3715cChristian Maeder# allow shell access for users. See doc/configuration.txt for more information.
6cca02cb6a5ae882d887a879f8b7a71941c3715cChristian Maeder#valid_chroot_dirs =
15bb922b665fcd44c6230a1202785d0c7890e90cChristian Maeder# Default chroot directory for mail processes. This can be overridden by
6cca02cb6a5ae882d887a879f8b7a71941c3715cChristian Maeder# giving /./ in user's home directory (eg. /home/./user chroots into /home).
6cca02cb6a5ae882d887a879f8b7a71941c3715cChristian Maeder#mail_chroot =
4fb19f237193a3bd6778f8aee3b6dd8da5856665Christian Maeder# Default MAIL environment to use when it's not set. By leaving this empty
4fb19f237193a3bd6778f8aee3b6dd8da5856665Christian Maeder# dovecot tries to do some automatic detection as described in
4fb19f237193a3bd6778f8aee3b6dd8da5856665Christian Maeder# doc/mail-storages.txt. There's a few special variables you can use:
4fb19f237193a3bd6778f8aee3b6dd8da5856665Christian Maeder# %u - username
4fb19f237193a3bd6778f8aee3b6dd8da5856665Christian Maeder# %n - user part in user@domain, same as %u if there's no domain
6cca02cb6a5ae882d887a879f8b7a71941c3715cChristian Maeder# %d - domain part in user@domain, empty if user there's no domain
4fb19f237193a3bd6778f8aee3b6dd8da5856665Christian Maeder# %h - home directory
b984ff0ba75221f64451c1e69b3977967d4e99a1Christian Maeder# You can also limit a width of string by giving the number of max. characters
b984ff0ba75221f64451c1e69b3977967d4e99a1Christian Maeder# after the '%' character. For example %1u gives the first character of
e76e6a43f51438215737d6fc176c89da05bb86daChristian Maeder# username. Some examples:
b984ff0ba75221f64451c1e69b3977967d4e99a1Christian Maeder# default_mail_env = maildir:/var/mail/%1u/%u/Maildir
b984ff0ba75221f64451c1e69b3977967d4e99a1Christian Maeder# default_mail_env = mbox:~/mail/:INBOX=/var/mail/%u
b984ff0ba75221f64451c1e69b3977967d4e99a1Christian Maeder# default_mail_env = mbox:/var/mail/%d/%n/:INDEX=/var/indexes/%d/%n
6cca02cb6a5ae882d887a879f8b7a71941c3715cChristian Maeder#default_mail_env =
b984ff0ba75221f64451c1e69b3977967d4e99a1Christian Maeder# Space-separated list of fields to cache for all mails. Currently these
962d5c684e2b86d1f9c556c096b426e10cc74026Christian Maeder# fields are allowed followed by a list of commands they speed up:
b984ff0ba75221f64451c1e69b3977967d4e99a1Christian Maeder# Envelope - FETCH ENVELOPE and SEARCH FROM, TO, CC, BCC, SUBJECT,
962d5c684e2b86d1f9c556c096b426e10cc74026Christian Maeder# SENTBEFORE, SENTON, SENTSINCE, HEADER MESSAGE-ID,
962d5c684e2b86d1f9c556c096b426e10cc74026Christian Maeder# HEADER IN-REPLY-TO
6cca02cb6a5ae882d887a879f8b7a71941c3715cChristian Maeder# Body - FETCH BODY
962d5c684e2b86d1f9c556c096b426e10cc74026Christian Maeder# Bodystructure - FETCH BODY, BODYSTRUCTURE
962d5c684e2b86d1f9c556c096b426e10cc74026Christian Maeder# MessagePart - FETCH BODY[1.2.3] (ie. body parts), RFC822.SIZE,
962d5c684e2b86d1f9c556c096b426e10cc74026Christian Maeder# SEARCH SMALLER, LARGER, also speeds up BODY/BODYSTRUCTURE
962d5c684e2b86d1f9c556c096b426e10cc74026Christian Maeder# generation. This is always set with mbox mailboxes, and
962d5c684e2b86d1f9c556c096b426e10cc74026Christian Maeder# also default with Maildir.
6cca02cb6a5ae882d887a879f8b7a71941c3715cChristian Maeder# Different IMAP clients work in different ways, that's why Dovecot by default
b984ff0ba75221f64451c1e69b3977967d4e99a1Christian Maeder# only caches MessagePart which speeds up most operations. Whenever client
ee9eddfa6953868fd6fbaff0d9ff68675a13675aChristian Maeder# does something where caching could be used, the field is automatically marked
ee9eddfa6953868fd6fbaff0d9ff68675a13675aChristian Maeder# to be cached later. For example after FETCH BODY the BODY will be cached
6cca02cb6a5ae882d887a879f8b7a71941c3715cChristian Maeder# for all new messages. Normally you should leave this alone, unless you know
6cca02cb6a5ae882d887a879f8b7a71941c3715cChristian Maeder# what most of your IMAP clients are. Caching more fields than needed makes
6cca02cb6a5ae882d887a879f8b7a71941c3715cChristian Maeder# the index files larger and generate useless I/O.
6cca02cb6a5ae882d887a879f8b7a71941c3715cChristian Maeder# With maildir there's one extra optimization - if nothing is cached, indexing
6cca02cb6a5ae882d887a879f8b7a71941c3715cChristian Maeder# the maildir becomes much faster since it's not opening any of the mail files.
6cca02cb6a5ae882d887a879f8b7a71941c3715cChristian Maeder# This could be useful if your IMAP clients access only new mails.
6cca02cb6a5ae882d887a879f8b7a71941c3715cChristian Maeder#mail_cache_fields = MessagePart
ee9eddfa6953868fd6fbaff0d9ff68675a13675aChristian Maeder# Space-separated list of fields that Dovecot should never set to be cached.
4fb19f237193a3bd6778f8aee3b6dd8da5856665Christian Maeder# Useful if you want to save disk space at the cost of more I/O when the fields
4fb19f237193a3bd6778f8aee3b6dd8da5856665Christian Maeder#mail_never_cache_fields =
15bb922b665fcd44c6230a1202785d0c7890e90cChristian Maeder# Workarounds for various client bugs:
15bb922b665fcd44c6230a1202785d0c7890e90cChristian Maeder# oe6-fetch-no-newmail:
15bb922b665fcd44c6230a1202785d0c7890e90cChristian Maeder# Never send EXISTS/RECENT when replying to FETCH command. Outlook Express
b645cf3dc1e449038ed291bbd11fcc6e02b2fc7fChristian Maeder# seems to think they are FETCH replies and gives user "Message no longer
#auth_executable = /usr/libexec/dovecot/dovecot-auth
# userdb = ldap /etc/dovecot-ldap.conf
# passdb = ldap /etc/dovecot-ldap.conf
# userdb = passwd-file /etc/passwd.imap
# passdb = passwd-file /etc/passwd.imap