dovecot-example.conf revision fe594abcaff07e7f69be1ce3bfcc7a62ff033e74
1281N/A## Dovecot 1.0 configuration file 1186N/A# '#' character and everything after it is treated as comments. Extra spaces 0N/A# and tabs are ignored. If you want to use either of these explicitly, put the 0N/A# value inside quotes, eg.: key = "# char and trailing whitespace " 1281N/A# Default values are shown after each value, it's not required to uncomment 0N/A# any of the lines. Exception to this are paths, they're just examples 0N/A# with real defaults being based on configure options. The paths listed here 0N/A# are for configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var 0N/A# Base directory where to store runtime data. 0N/A# Protocols we want to be serving: 0N/A# imap imaps pop3 pop3s 0N/A#protocols = imap imaps 0N/A# IP or host address where to listen in for connections. It's not currently 1164N/A# possible to specify multiple addresses. "*" listens in all IPv4 interfaces. 1186N/A# "[::]" listens in all IPv6 interfaces, but may also listen in all IPv4 98N/A# interfaces depending on the operating system. You can specify ports with 1186N/A# "host:port", although with multiple protocols you probably want to move this 1186N/A# setting inside protocol imap/pop3 { ... } section, so you can specify 1186N/A# IP or host address where to listen in for SSL connections. Defaults 58N/A# to above if not specified. 1281N/A# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before 1281N/A# dropping root privileges, so keep the key file unreadable by anyone but 1281N/A# File containing trusted SSL certificate authorities. Usually not needed. 1281N/A# Request client to send a certificate. 1281N/A#ssl_verify_client_cert = no 1281N/A# SSL parameter file. Master process generates this file for login processes. 1281N/A# It contains Diffie Hellman and RSA parameters. 1281N/A# How often to regenerate the SSL parameters file. Generation is quite CPU 1186N/A# intensive operation. The value is in hours, 0 disables regeneration 1186N/A#ssl_parameters_regenerate = 24 1281N/A# Disable LOGIN command and all other plaintext authentications unless 1281N/A# SSL/TLS is used (LOGINDISABLED capability). Note that 127.*.*.* and 1281N/A# IPv6 ::1 addresses are considered secure, this setting has no effect if 1281N/A# you connect from those addresses. 1281N/A#disable_plaintext_auth = yes 1281N/A# Use this logfile instead of syslog(). /dev/stderr can be used if you want to 1281N/A# For informational messages, use this logfile instead of the default 1186N/A# Prefix for each line written to log file. % codes are in strftime(3) 1364N/A#log_timestamp = "%b %d %H:%M:%S " 207N/A# Directory where authentication process places authentication UNIX sockets 1186N/A# which login needs to be able to connect to. The sockets are created when 1281N/A# running as root, so you don't have to worry about permissions. Note that 1281N/A# everything in this directory is deleted when Dovecot is started. 1281N/A# chroot login process to the login_dir. Only reason not to do this is if you 1281N/A# wish to run the whole Dovecot without roots. 1281N/A# User to use for the login process. Create a completely new user for this, 1281N/A# and don't use it anywhere else. The user must also belong to a group where 1281N/A# only it has access, it's used to control access for authentication process. 1281N/A# Set max. process size in megabytes. If you don't use 1281N/A# login_process_per_connection you might need to grow this. 1281N/A# Should each login be processed in it's own process (yes), or should one 1281N/A# login process be allowed to process multiple connections (no)? Yes is more 1281N/A# secure, espcially with SSL/TLS enabled. No is faster since there's no need 1281N/A# to create processes all the time. 1281N/A#login_process_per_connection = yes 1281N/A# Number of login processes to create. If login_process_per_user is 1186N/A# yes, this is the number of extra processes waiting for users to log in. 99N/A#login_processes_count = 3 1281N/A# Maximum number of extra login processes to create. The extra process count 1281N/A# usually stays at login_processes_count, but when multiple users start logging 1281N/A# in at the same time more extra processes are created. To prevent fork-bombing 1281N/A# we check only once in a second if new processes should be created - if all 1281N/A# of them are used at the time, we double their amount until limit set by this 1281N/A# setting is reached. This setting is used only if login_process_per_use is yes. 1282N/A#login_max_processes_count = 128 1282N/A# Maximum number of connections allowed in login state. When this limit is 1282N/A# reached, the oldest connections are dropped. If login_process_per_user 1282N/A# is no, this is a per-process value, so the absolute maximum number of users 1282N/A# logging in actually login_processes_count * max_logging_users. 1282N/A#login_max_logging_users = 256 1281N/A# Maximum number of running mail processes. When this limit is reached, 1281N/A# new users aren't allowed to log in. 1281N/A# Show more verbose process titles (in ps). Currently shows user name and 1281N/A# IP address. Useful for seeing who are actually using the IMAP processes 1281N/A# (eg. shared mailboxes or if same uid is used for multiple accounts). 1281N/A# Show protocol level SSL errors. 1469N/A# Valid UID range for users, defaults to 500 and above. This is mostly 1281N/A# to make sure that users can't log in as daemons or other system users. 1281N/A# Note that denying root logins is hardcoded to dovecot binary and can't 1469N/A# be done even if first_valid_uid is set to 0. 1281N/A# non-valid GID as primary group ID aren't allowed to log in. If user 1281N/A# belongs to supplementary groups with non-valid GIDs, those groups are 1281N/A# Grant access to these extra groups for mail processes. Typical use would be 1281N/A# to give "mail" group write access to /var/mail to be able to create dotlocks. 1281N/A# ':' separated list of directories under which chrooting is allowed for mail 1281N/A# This setting doesn't affect login_chroot or auth_chroot variables. 1281N/A# WARNING: Never add directories here which local users can modify, that 1281N/A# may lead to root exploit. Usually this should be done only if you don't 1281N/A# Default chroot directory for mail processes. This can be overridden by 1281N/A# giving /./ in user's home directory (eg. /home/./user chroots into /home). 1281N/A# Default MAIL environment to use when it's not set. By leaving this empty 1281N/A# dovecot tries to do some automatic detection as described in 1281N/A# %n - user part in user@domain, same as %u if there's no domain 1281N/A# %d - domain part in user@domain, empty if user there's no domain 1281N/A# Space-separated list of fields to cache for all mails. Currently these 1281N/A# fields are allowed followed by a list of commands they speed up: 1281N/A# Envelope - FETCH ENVELOPE and SEARCH FROM, TO, CC, BCC, SUBJECT, 1281N/A# SENTBEFORE, SENTON, SENTSINCE, HEADER MESSAGE-ID, 1281N/A# Bodystructure - FETCH BODY, BODYSTRUCTURE 1281N/A# generation. This is always set with mbox mailboxes, and 1281N/A# also default with Maildir. 1281N/A# Different IMAP clients work in different ways, that's why Dovecot by default 1281N/A# only caches MessagePart which speeds up most operations. Whenever client 1281N/A# does something where caching could be used, the field is automatically marked 1469N/A# to be cached later. For example after FETCH BODY the BODY will be cached 1469N/A# for all new messages. Normally you should leave this alone, unless you know 1281N/A# what most of your IMAP clients are. Caching more fields than needed makes 1281N/A# the index files larger and generate useless I/O. 1281N/A# With maildir there's one extra optimization - if nothing is cached, indexing 1281N/A# the maildir becomes much faster since it's not opening any of the mail files. 1281N/A# This could be useful if your IMAP clients access only new mails. 1281N/A#mail_cache_fields = MessagePart 1281N/A# Space-separated list of fields that Dovecot should never set to be cached. 1281N/A# Useful if you want to save disk space at the cost of more I/O when the fields 1281N/A# Dovecot can notify client of new mail in selected mailbox soon after it's 1281N/A# received. This setting specifies the minimum interval in seconds between 1281N/A# new mail notifications to client - internally they may be checked more or 1281N/A# less often. Setting this to 0 disables the checking. 1281N/A# NOTE: Evolution client breaks with this option when it's trying to APPEND. 1281N/A# Like mailbox_check_interval, but used for IDLE command. 1186N/A#mailbox_idle_check_interval = 30 1186N/A# Allow full filesystem access to clients. There's no access checks other than 830N/A# what the operating system does for the active UID/GID. It works with both 1186N/A# maildir and mboxes, allowing you to prefix mailboxes names with eg. /path/ 1186N/A#mail_full_filesystem_access = no # Maximum allowed length for mail keyword name. It's only forced when trying # to create new keywords. #mail_max_keyword_length = 50 # Save mails with CR+LF instead of plain LF. This makes sending those mails # take less CPU, especially with sendfile() syscall with Linux and FreeBSD. # But it also creates a bit more disk I/O which may just make it slower. # Use mmap() instead of read() to read mail files. read() seems to be a bit # faster with my Linux/x86 and it's better with NFS, so that's the default. # Note that OpenBSD 3.3 and older don't work right with mail_read_mmaped = yes. # Don't use mmap() at all. This is required if you store indexes in remote # filesystems (NFS or clustered filesystem). # Don't write() to mmaped files. This is required for some operating systems # which use separate caches for them, such as OpenBSD. # Don't use fcntl() locking. Alternatives are dotlocking and other tricks # which may be slower. Required for NFS. #fcntl_locks_disable = no # By default LIST command returns all entries in maildir beginning with dot. # Enabling this option makes Dovecot return only entries which are directories. # This is done by stat()ing each entry, so it causes more disk I/O. # (For systems setting struct dirent->d_type, this check is free and it's # done always regardless of this setting) # Copy mail to another folders using hard links. This is much faster than # actually copying the file. This is problematic only if something modifies # the mail in one folder but doesn't want it modified in the others. I don't # know any MUA which would modify mail files directly. IMAP protocol also # requires that the mails don't change, so it would be problematic in any case. # If you care about performance, enable it. #maildir_copy_with_hardlinks = no # Check if mails' content has been changed by external programs. This slows # down things as extra stat() needs to be called for each file. If changes are # noticed, the message is treated as a new message, since IMAP protocol # specifies that existing messages are immutable. #maildir_check_content_changes = no # Which locking methods to use for locking mbox. There's four available: # dotlock: Create <mailbox>.lock file. This is the oldest and most NFS-safe # solution. If you want to use /var/mail/ like directory, the users # will need write access to that directory. # fcntl : Use this if possible. Works with NFS too if lockd is used. # flock : May not exist in all systems. Doesn't work with NFS. # lockf : May not exist in all systems. Doesn't work with NFS. # You can use multiple locking methods; if you do the order they're declared # in is important to avoid deadlocks if other MTAs/MUAs are using multiple # locking methods as well. Some operating systems don't allow using some of #mbox_write_locks = dotlock fcntl # Maximum time in seconds to wait for lock (all of them) before aborting. # If dotlock exists but the mailbox isn't modified in any way, override the # lock file after this many seconds. #mbox_dotlock_change_timeout = 30 # umask to use for mail files and directories # Drop all privileges before exec()ing the mail process. This is mostly # meant for debugging, otherwise you don't get core dumps. It could be a small # security risk if you use single UID for multiple users, as the users could # ptrace() each others processes then. #mail_drop_priv_before_exec = no # Set max. process size in megabytes. Most of the memory goes to mmap()ing # files, so it shouldn't harm much even if this limit is set pretty high. #mail_log_prefix = "%Up(%u): " ## IMAP specific settings # Login executable location. # IMAP executable location # Maximum IMAP command line length in bytes. Some clients generate very long # command lines with huge mailboxes, so you may need to raise this if you get # "Too long argument" or "IMAP command line too large" errors often. #imap_max_line_length = 65536 # Support for dynamically loadable modules. # Workarounds for various client bugs: # Never send EXISTS/RECENT when replying to FETCH command. Outlook Express # seems to think they are FETCH replies and gives user "Message no longer # in server" error. Note that OE6 still breaks even with this workaround # if synchronization is set to "Headers Only". # Outlook and Outlook Express never abort IDLE command, so if no mail # arrives in half a hour, Dovecot closes the connection. This is still # fine, except Outlook doesn't connect back so you don't see if new mail #imap_client_workarounds = ## POP3 specific settings # Login executable location. # POP3 executable location # Don't try to set mails non-recent with POP3 sessions. This is mostly # intended to reduce disk I/O. With maildir it doesn't move files from # new/ to cur/, with mbox it doesn't write Status-header. #pop3_mails_keep_recent = no # Support for dynamically loadable modules. # Workarounds for various client bugs: # Outlook and Outlook Express hang if mails contain NUL characters. # This setting replaces them with 0x80 character. #pop3_client_workarounds = ## Authentication processes # You can have multiple authentication processes. With plaintext authentication # the password is checked against each process, the first one which succeeds is # used. This is useful if you want to allow both system users (/etc/passwd) # and virtual users to login without duplicating the system users into virtual # Set max. process size in megabytes. # Space separated list of realms for SASL authentication mechanisms that need # them. You can leave it empty if you don't want to support multiple realms. # Many clients simply use the first one listed here, so keep the default realm # Default realm/domain to use if none was specified. This is used for both # SASL realms and appending @domain to username in plaintext logins. # List of allowed characters in username. If the user-given username contains # a character not listed in here, the login automatically fails. This is just # an extra check to make sure user can't exploit any potential quote escaping # vulnerabilities with SQL/LDAP databases. If you want to allow all characters, # set this value to empty. #auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@ # Username to use for users logging in with ANONYMOUS SASL mechanism #auth_anonymous_username = anonymous # More verbose logging. Useful for figuring out why authentication isn't # Even more verbose logging for debugging purposes. Shows for example SQL # Space separated list of wanted authentication mechanisms: # plain digest-md5 cram-md5 apop anonymous # Where user database is kept: # passwd: /etc/passwd or similiar, using getpwnam() # passwd-file <path>: passwd-like file with specified location # static uid=<uid> gid=<gid> home=<dir template>: static settings # vpopmail: vpopmail library # Where password database is kept: # passwd: /etc/passwd or similiar, using getpwnam() # shadow: /etc/shadow or similiar, using getspnam() # pam [<service> | *]: PAM authentication # checkpassword <path>: checkpassword executable authentication # passwd-file <path>: passwd-like file with specified location # vpopmail: vpopmail authentication # User to use for the process. This user needs access to only user and # password databases, nothing else. Only shadow and pam authentication # requires roots, so use something else if possible. Note that passwd # authentication with BSDs internally accesses shadow files, which also # Directory where to chroot the process. Most authentication backends don't # work if this is set, and there's no point chrooting if auth_user is root. # Number of authentication processes to create # Require a valid SSL client certificate or the authentication fails. #ssl_require_client_cert = no # PAM doesn't provide a way to get uid, gid or home directory. If you don't # want to use a separate user database (passwd usually), you can use static # userdb = static uid=500 gid=500 home=/var/mail/%u # mechanisms = plain digest-md5 # It's possible to export the authentication interface to other programs, # for example SMTP server which supports talking to Dovecot. Client socket # handles the actual authentication - you give it a username and password # and it returns OK or failure. So it's pretty safe to allow anyone access to # it. Master socket is used to a) query if given client was successfully # authenticated, b) userdb lookups. # listener sockets will be created by Dovecot's master process using the # settings given inside the auth section #auth default_with_listener { # # Default user/group is the one who started dovecot-auth (root) # connect sockets are assumed to be already running, Dovecot's master # process only tries to connect to them. They don't need any other settings # than path for the master socket, as the configuration is done elsewhere. # Note that the client sockets must exist in login_dir.