xref/dovecot/dovecot-example.conf

	dovecot-example.conf revision 9e89f1d9d0ef06a4ae086a13270b57d76074cfe6
f79d43bbe70a01454049b77d6f15f6369744959eStéphane Graber## Dovecot 1.0 configuration file
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano# '#' character and everything after it is treated as comments. Extra spaces
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano# and tabs are ignored. If you want to use either of these explicitly, put the
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano# value inside quotes, eg.: key = "# char and trailing whitespace  "
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano# Default values are shown after each value, it's not required to uncomment
9afe19d634946d50eab30e3b90cb5cebcde39eeaDaniel Lezcano# any of the lines. Exception to this are paths, they're just examples
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano# with real defaults being based on configure options. The paths listed here
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano# are for configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano# --with-ssldir=/etc/ssl
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano# Base directory where to store runtime data.
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano#base_dir = /var/run/dovecot/
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano# Protocols we want to be serving:
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano#  imap imaps pop3 pop3s
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano#protocols = imap imaps
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano# IP or host address where to listen in for connections. It's not currently
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano# possible to specify multiple addresses. "*" listens in all IPv4 interfaces.
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano# "[::]" listens in all IPv6 interfaces, but may also listen in all IPv4
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano# interfaces depending on the operating system. You can specify ports with
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano# "host:port", although with multiple protocols you probably want to move this
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano# setting inside protocol imap/pop3 { ... } section, so you can specify
7f95145833bb24f54e037f73ecc37444d6635697Dwight Engen# different ports for IMAP/POP3.
99e4008cad9e959b683c6f48411fcf15a92be3b5Michel Normand#listen = *
10fba81b9d0221b8e47aa1e0b43236413b7d28dfMichel Normand
99e4008cad9e959b683c6f48411fcf15a92be3b5Michel Normand# IP or host address where to listen in for SSL connections. Defaults
99e4008cad9e959b683c6f48411fcf15a92be3b5Michel Normand# to above if not specified.
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano#ssl_listen =
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano# Disable SSL/TLS support.
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano#ssl_disable = no
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano# dropping root privileges, so keep the key file unreadable by anyone but
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano# root. Included doc/mkcert.sh can be used to easily generate self-signed
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano# certificate, just make sure to update the domains in dovecot-openssl.cnf
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano#ssl_cert_file = /etc/ssl/certs/dovecot.pem
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano#ssl_key_file = /etc/ssl/private/dovecot.pem
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano# File containing trusted SSL certificate authorities. Usually not needed.
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano#ssl_ca_file =
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano# Request client to send a certificate.
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano#ssl_verify_client_cert = no
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano# SSL parameter file. Master process generates this file for login processes.
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano# It contains Diffie Hellman and RSA parameters.
b4578c5b380130a41a69b5b49c970157acaf1dbbDwight Engen#ssl_parameters_file = /var/run/dovecot/ssl-parameters.dat
b4578c5b380130a41a69b5b49c970157acaf1dbbDwight Engen
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano# How often to regenerate the SSL parameters file. Generation is quite CPU
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano# intensive operation. The value is in hours, 0 disables regeneration
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano# entirely.
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano#ssl_parameters_regenerate = 24
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano# SSL ciphers to use
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano#ssl_cipher_list = all:!low
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano# Disable LOGIN command and all other plaintext authentications unless
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano# SSL/TLS is used (LOGINDISABLED capability). Note that 127.*.*.* and
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano# IPv6 ::1 addresses are considered secure, this setting has no effect if
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano# you connect from those addresses.
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano#disable_plaintext_auth = yes
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano
10fba81b9d0221b8e47aa1e0b43236413b7d28dfMichel Normand# Use this logfile instead of syslog(). /dev/stderr can be used if you want to
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano# use stderr for logging (ONLY /dev/stderr - otherwise it is closed).
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano#log_path =
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano# For informational messages, use this logfile instead of the default
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano#info_log_path =
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano# Prefix for each line written to log file. % codes are in strftime(3)
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano# format.
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano#log_timestamp = "%b %d %H:%M:%S "
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano##
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano## Login processes
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano##
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano# Directory where authentication process places authentication UNIX sockets
f79d43bbe70a01454049b77d6f15f6369744959eStéphane Graber# which login needs to be able to connect to. The sockets are created when
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano# running as root, so you don't have to worry about permissions. Note that
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano# everything in this directory is deleted when Dovecot is started.
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano#login_dir = /var/run/dovecot/login
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano# chroot login process to the login_dir. Only reason not to do this is if you
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano# wish to run the whole Dovecot without roots.
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano#login_chroot = yes
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano# User to use for the login process. Create a completely new user for this,
f79d43bbe70a01454049b77d6f15f6369744959eStéphane Graber# and don't use it anywhere else. The user must also belong to a group where
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano# only it has access, it's used to control access for authentication process.
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano#login_user = dovecot
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano# Set max. process size in megabytes. If you don't use
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano# login_process_per_connection you might need to grow this.
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano#login_process_size = 32
99e4008cad9e959b683c6f48411fcf15a92be3b5Michel Normand
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano# Should each login be processed in it's own process (yes), or should one
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano# login process be allowed to process multiple connections (no)? Yes is more
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano# secure, espcially with SSL/TLS enabled. No is faster since there's no need
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano# to create processes all the time.
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano#login_process_per_connection = yes
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano# Number of login processes to create. If login_process_per_user is
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano# yes, this is the number of extra processes waiting for users to log in.
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano#login_processes_count = 3
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano# Maximum number of extra login processes to create. The extra process count
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano# usually stays at login_processes_count, but when multiple users start logging
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano# in at the same time more extra processes are created. To prevent fork-bombing
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano# we check only once in a second if new processes should be created - if all
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano# of them are used at the time, we double their amount until limit set by this
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano# setting is reached. This setting is used only if login_process_per_use is yes.
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano#login_max_processes_count = 128
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano# Maximum number of connections allowed in login state. When this limit is
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano# reached, the oldest connections are dropped. If login_process_per_user
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano# is no, this is a per-process value, so the absolute maximum number of users
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano# logging in actually login_processes_count * max_logging_users.
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano#login_max_logging_users = 256
d823d5b966f49d975a09a8512d084389d6d7ffc7dlezcano

##
## Mail processes
##

# Maximum number of running mail processes. When this limit is reached,
# new users aren't allowed to log in.
#max_mail_processes = 1024

# Show more verbose process titles (in ps). Currently shows user name and
# IP address. Useful for seeing who are actually using the IMAP processes
# (eg. shared mailboxes or if same uid is used for multiple accounts).
#verbose_proctitle = no

# Show protocol level SSL errors.
#verbose_ssl = no

# Valid UID range for users, defaults to 500 and above. This is mostly
# to make sure that users can't log in as daemons or other system users.
# Note that denying root logins is hardcoded to dovecot binary and can't
# be done even if first_valid_uid is set to 0.
#first_valid_uid = 500
#last_valid_uid = 0

# Valid GID range for users, defaults to non-root/wheel. Users having
# non-valid GID as primary group ID aren't allowed to log in. If user
# belongs to supplementary groups with non-valid GIDs, those groups are
# not set.
#first_valid_gid = 1
#last_valid_gid = 0

# Grant access to these extra groups for mail processes. Typical use would be
# to give "mail" group write access to /var/mail to be able to create dotlocks.
#mail_extra_groups =

# ':' separated list of directories under which chrooting is allowed for mail
# processes (ie. /var/mail will allow chrooting to /var/mail/foo/bar too).
# This setting doesn't affect login_chroot or auth_chroot variables.
# WARNING: Never add directories here which local users can modify, that
# may lead to root exploit. Usually this should be done only if you don't
# allow shell access for users. See doc/configuration.txt for more information.
#valid_chroot_dirs =

# Default chroot directory for mail processes. This can be overridden by
# giving /./ in user's home directory (eg. /home/./user chroots into /home).
#mail_chroot =

# Default MAIL environment to use when it's not set. By leaving this empty
# dovecot tries to do some automatic detection as described in
# doc/mail-storages.txt. There's a few special variables you can use, eg.:
#
#   %u - username
#   %n - user part in user@domain, same as %u if there's no domain
#   %d - domain part in user@domain, empty if there's no domain
#   %h - home directory
#
# See doc/variables.txt for full list. Some examples:
#
#   default_mail_env = maildir:/var/mail/%1u/%u/Maildir
#   default_mail_env = mbox:~/mail/:INBOX=/var/mail/%u
#   default_mail_env = mbox:/var/mail/%d/%n/:INDEX=/var/indexes/%d/%n
#
#default_mail_env =

# Space-separated list of fields to cache for all mails. Currently these
# fields are allowed followed by a list of commands they speed up:
#
#  Envelope      - FETCH ENVELOPE and SEARCH FROM, TO, CC, BCC, SUBJECT,
#                  SENTBEFORE, SENTON, SENTSINCE, HEADER MESSAGE-ID,
#                  HEADER IN-REPLY-TO
#  Body          - FETCH BODY
#  Bodystructure - FETCH BODY, BODYSTRUCTURE
#  MessagePart   - FETCH BODY[1.2.3] (ie. body parts), RFC822.SIZE,
#                  SEARCH SMALLER, LARGER, also speeds up BODY/BODYSTRUCTURE
#                  generation. This is always set with mbox mailboxes, and
#                  also default with Maildir.
#
# Different IMAP clients work in different ways, that's why Dovecot by default
# only caches MessagePart which speeds up most operations. Whenever client
# does something where caching could be used, the field is automatically marked
# to be cached later. For example after FETCH BODY the BODY will be cached
# for all new messages. Normally you should leave this alone, unless you know
# what most of your IMAP clients are. Caching more fields than needed makes
# the index files larger and generate useless I/O.
#
# With maildir there's one extra optimization - if nothing is cached, indexing
# the maildir becomes much faster since it's not opening any of the mail files.
# This could be useful if your IMAP clients access only new mails.

#mail_cache_fields = MessagePart

# Space-separated list of fields that Dovecot should never set to be cached.
# Useful if you want to save disk space at the cost of more I/O when the fields
# needed.
#mail_never_cache_fields =

# Like mailbox_check_interval, but used for IDLE command.
#mailbox_idle_check_interval = 30

# Allow full filesystem access to clients. There's no access checks other than
# what the operating system does for the active UID/GID. It works with both
# maildir and mboxes, allowing you to prefix mailboxes names with eg. /path/
# or ~user/.
#mail_full_filesystem_access = no

# Maximum allowed length for mail keyword name. It's only forced when trying
# to create new keywords.
#mail_max_keyword_length = 50

# Save mails with CR+LF instead of plain LF. This makes sending those mails
# take less CPU, especially with sendfile() syscall with Linux and FreeBSD.
# But it also creates a bit more disk I/O which may just make it slower.
#mail_save_crlf = no

# Use mmap() instead of read() to read mail files. read() seems to be a bit
# faster with my Linux/x86 and it's better with NFS, so that's the default.
# Note that OpenBSD 3.3 and older don't work right with mail_read_mmaped = yes.
#mail_read_mmaped = no

# Don't use mmap() at all. This is required if you store indexes in remote
# filesystems (NFS or clustered filesystem).
#mmap_disable = no

# Don't write() to mmaped files. This is required for some operating systems
# which use separate caches for them, such as OpenBSD.
#mmap_no_write = no

# Don't use fcntl() locking. Alternatives are dotlocking and other tricks
# which may be slower. Required for NFS.
#fcntl_locks_disable = no

# By default LIST command returns all entries in maildir beginning with dot.
# Enabling this option makes Dovecot return only entries which are directories.
# This is done by stat()ing each entry, so it causes more disk I/O.
# (For systems setting struct dirent->d_type, this check is free and it's
# done always regardless of this setting)
#maildir_stat_dirs = no

# Copy mail to another folders using hard links. This is much faster than
# actually copying the file. This is problematic only if something modifies
# the mail in one folder but doesn't want it modified in the others. I don't
# know any MUA which would modify mail files directly. IMAP protocol also
# requires that the mails don't change, so it would be problematic in any case.
# If you care about performance, enable it.
#maildir_copy_with_hardlinks = no

# Check if mails' content has been changed by external programs. This slows
# down things as extra stat() needs to be called for each file. If changes are
# noticed, the message is treated as a new message, since IMAP protocol
# specifies that existing messages are immutable.
#maildir_check_content_changes = no

# Which locking methods to use for locking mbox. There's four available:
#  dotlock: Create <mailbox>.lock file. This is the oldest and most NFS-safe
#           solution. If you want to use /var/mail/ like directory, the users
#           will need write access to that directory.
#  fcntl  : Use this if possible. Works with NFS too if lockd is used.
#  flock  : May not exist in all systems. Doesn't work with NFS.
#  lockf  : May not exist in all systems. Doesn't work with NFS.
#
# You can use multiple locking methods; if you do the order they're declared
# in is important to avoid deadlocks if other MTAs/MUAs are using multiple
# locking methods as well. Some operating systems don't allow using some of
# them simultaneously.
#mbox_read_locks = fcntl
#mbox_write_locks = dotlock fcntl

# Maximum time in seconds to wait for lock (all of them) before aborting.
#mbox_lock_timeout = 300

# If dotlock exists but the mailbox isn't modified in any way, override the
# lock file after this many seconds.
#mbox_dotlock_change_timeout = 30

# When mbox changes unexpectedly we have to fully read it to find out what
# changed. If the mbox is large this can take a long time. Since the change
# is usually just a newly appended mail, it'd be faster to simply read the
# new mails. If this setting is enabled, Dovecot does this but still safely
# fallbacks to re-reading the whole mbox file whenever something in mbox isn't
# how it's expected to be. The only real downside to this setting is that if
# some other MUA changes message flags, Dovecot doesn't notice it immediately.
# Note that a full sync is done for SELECT, EXAMINE, EXPUNGE and CHECK
# commands.
#mbox_dirty_syncs = yes

# umask to use for mail files and directories
#umask = 0077

# Drop all privileges before exec()ing the mail process. This is mostly
# meant for debugging, otherwise you don't get core dumps. It could be a small
# security risk if you use single UID for multiple users, as the users could
# ptrace() each others processes then.
#mail_drop_priv_before_exec = no

# Set max. process size in megabytes. Most of the memory goes to mmap()ing
# files, so it shouldn't harm much even if this limit is set pretty high.
#mail_process_size = 256

# Log prefix for mail processes. See doc/variables.txt for list of possible
# variables you can use.
#mail_log_prefix = "%Up(%u): "

##
## IMAP specific settings
##

protocol imap {
  # Login executable location.
  #login_executable = /usr/libexec/dovecot/imap-login

  # IMAP executable location
  #mail_executable = /usr/libexec/dovecot/imap
  # This would write rawlogs into ~/dovecot.rawlog/ directory:
  #mail_executable = /usr/libexec/dovecot/rawlog /usr/libexec/dovecot/imap

  # Maximum IMAP command line length in bytes. Some clients generate very long
  # command lines with huge mailboxes, so you may need to raise this if you get
  # "Too long argument" or "IMAP command line too large" errors often.
  #imap_max_line_length = 65536

  # Support for dynamically loadable modules.
  #mail_use_modules = no
  #mail_modules = /usr/lib/dovecot/imap

  # Workarounds for various client bugs:
  #   oe6-fetch-no-newmail:
  #     Never send EXISTS/RECENT when replying to FETCH command. Outlook Express
  #     seems to think they are FETCH replies and gives user "Message no longer
  #     in server" error. Note that OE6 still breaks even with this workaround
  #     if synchronization is set to "Headers Only".
  #   outlook-idle:
  #     Outlook and Outlook Express never abort IDLE command, so if no mail
  #     arrives in half a hour, Dovecot closes the connection. This is still
  #     fine, except Outlook doesn't connect back so you don't see if new mail
  #     arrives.
  #   netscape-eoh:
  #     Netscape 4.x breaks if message headers don't end with the empty "end of
  #     headers" line. Normally all messages have this, but setting this
  #     workaround makes sure that Netscape never breaks by adding the line if
  #     it doesn't exist. This is done only for FETCH BODY[HEADER.FIELDS..]
  #     commands. Note that RFC says this shouldn't be done.
  #imap_client_workarounds =
}

##
## POP3 specific settings
##

protocol pop3 {
  # Login executable location.
  #login_executable = /usr/libexec/dovecot/pop3-login

  # POP3 executable location
  #mail_executable = /usr/libexec/dovecot/pop3

  # Don't try to set mails non-recent with POP3 sessions. This is mostly
  # intended to reduce disk I/O. With maildir it doesn't move files from
  # new/ to cur/, with mbox it doesn't write Status-header.
  #pop3_mails_keep_recent = no

  # Support for dynamically loadable modules.
  #mail_use_modules = no
  #mail_modules = /usr/lib/dovecot/pop3

  # Workarounds for various client bugs:
  #   outlook-no-nuls:
  #     Outlook and Outlook Express hang if mails contain NUL characters.
  #     This setting replaces them with 0x80 character.
  #pop3_client_workarounds =
}

##
## Authentication processes
##

# You can have multiple authentication processes. With plaintext authentication
# the password is checked against each process, the first one which succeeds is
# used. This is useful if you want to allow both system users (/etc/passwd)
# and virtual users to login without duplicating the system users into virtual
# database.

# Executable location
#auth_executable = /usr/libexec/dovecot/dovecot-auth

# Set max. process size in megabytes.
#auth_process_size = 256

# Space separated list of realms for SASL authentication mechanisms that need
# them. You can leave it empty if you don't want to support multiple realms.
# Many clients simply use the first one listed here, so keep the default realm
# first.
#auth_realms =

# Default realm/domain to use if none was specified. This is used for both
# SASL realms and appending @domain to username in plaintext logins.
#auth_default_realm =

# List of allowed characters in username. If the user-given username contains
# a character not listed in here, the login automatically fails. This is just
# an extra check to make sure user can't exploit any potential quote escaping
# vulnerabilities with SQL/LDAP databases. If you want to allow all characters,
# set this value to empty.
#auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@

# Username character translations before it's looked up from databases. The
# value contains series of from -> to characters. For example "#@/@" means
# that '#' and '/' characters are translated to '@'.
#auth_username_translation =

# Username to use for users logging in with ANONYMOUS SASL mechanism
#auth_anonymous_username = anonymous

# More verbose logging. Useful for figuring out why authentication isn't
# working.
#auth_verbose = no

# Even more verbose logging for debugging purposes. Shows for example SQL
# queries.
#auth_debug = no

auth default {
  # Space separated list of wanted authentication mechanisms:
  #   plain digest-md5 cram-md5 apop anonymous
  mechanisms = plain

  # Where user database is kept:
  #   passwd: /etc/passwd or similiar, using getpwnam()
  #   passwd-file <path>: passwd-like file with specified location
  #   static uid=<uid> gid=<gid> home=<dir template>: static settings
  #   vpopmail: vpopmail library
  #   ldap <config path>: LDAP, see doc/dovecot-ldap.conf
  #   pgsql <config path>: a PostgreSQL database, see doc/dovecot-pgsql.conf
  #   mysql <config path>: a MySQL database, see doc/dovecot-mysql.conf
  userdb = passwd

  # Where password database is kept:
  #   passwd: /etc/passwd or similiar, using getpwnam()
  #   shadow: /etc/shadow or similiar, using getspnam()
  #   pam [<service> | *]: PAM authentication
  #   checkpassword <path>: checkpassword executable authentication
  #   passwd-file <path>: passwd-like file with specified location
  #   vpopmail: vpopmail authentication
  #   ldap <config path>: LDAP, see doc/dovecot-ldap.conf
  #   pgsql <config path>: a PostgreSQL database, see doc/dovecot-pgsql.conf
  #   mysql <config path>: a MySQL database, see doc/dovecot-mysql.conf
  passdb = pam

  # User to use for the process. This user needs access to only user and
  # password databases, nothing else. Only shadow and pam authentication
  # requires roots, so use something else if possible. Note that passwd
  # authentication with BSDs internally accesses shadow files, which also
  # requires roots.
  user = root

  # Directory where to chroot the process. Most authentication backends don't
  # work if this is set, and there's no point chrooting if auth_user is root.
  #chroot =

  # Number of authentication processes to create
  #count = 1

  # Require a valid SSL client certificate or the authentication fails.
  #ssl_require_client_cert = no
}

# PAM doesn't provide a way to get uid, gid or home directory. If you don't
# want to use a separate user database (passwd usually), you can use static
# userdb.

#auth onlypam {
#  mechanisms = plain
#  userdb = static uid=500 gid=500 home=/var/mail/%u
#  passdb = pam
#  user = dovecot-auth
#}

#auth ldap {
#  mechanisms = plain
#  userdb = ldap /etc/dovecot-ldap.conf
#  passdb = ldap /etc/dovecot-ldap.conf
#  user = dovecot-auth
#}

#auth virtualfile {
#  mechanisms = plain digest-md5
#  userdb = passwd-file /etc/passwd.imap
#  passdb = passwd-file /etc/passwd.imap
#  user = dovecot-auth
#}

# It's possible to export the authentication interface to other programs,
# for example SMTP server which supports talking to Dovecot. Client socket
# handles the actual authentication - you give it a username and password
# and it returns OK or failure. So it's pretty safe to allow anyone access to
# it. Master socket is used to a) query if given client was successfully
# authenticated, b) userdb lookups.

# listener sockets will be created by Dovecot's master process using the
# settings given inside the auth section
#auth default_with_listener {
#  mechanisms = plain
#  passdb = passwd
#  userdb = pam
#  socket listen {
#    master {
#      path = /var/run/dovecot/auth-master
#      #mode = 0600
#      # Default user/group is the one who started dovecot-auth (root)
#      #user =
#      #group =
#    }
#    client {
#      path = /var/run/dovecot-auth-client
#      mode = 0660
#    }
#  }
#}

# connect sockets are assumed to be already running, Dovecot's master
# process only tries to connect to them. They don't need any other settings
# than path for the master socket, as the configuration is done elsewhere.
# Note that the client sockets must exist in login_dir.
#auth external {
#  socket connect {
#    master {
#      path = /var/run/dovecot/auth-master
#    }
#  }
#}