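## Dovecot configuration file
################################################################################
# Virtual-user setup: mail lives under /var/spool/postfix/virtual/<domain>/<user>
# owned by vmail, users are authenticated against SQL (see "auth default"
# further down), and Postfix reaches dovecot-auth through the client socket
# configured there.
#
# Review changes in this section (previous values kept as commented lines):
#   - TLS enabled (ssl = yes) and plaintext logins refused on cleartext
#     connections (disable_plaintext_auth = yes)
#   - cipher list reduced to HIGH-strength, authenticated, non-export suites
#   - mail_location typo "%d%/%n" corrected to "%d/%n"

#mail_debug = yes

# Base directory where to store runtime data.
#base_dir = /var/run/dovecot/

# Protocols we want to be serving: imap imaps pop3 pop3s
# If you only want to use dovecot-auth, you can set this to "none".
# Only the plain ports are listed; clients get encryption through STARTTLS.
# Add imaps/pop3s here if the dedicated SSL ports are needed as well.
#protocols = imap pop3 imaps pop3s managesieve
protocols = imap pop3 managesieve

# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
# matches the local IP (ie. you're connecting from the same computer), the
# connection is considered secure and plaintext authentication is allowed.
#
# SECURITY: with "no", a remote client that has not negotiated STARTTLS sends
# the user's password in the clear over the network on every PLAIN/LOGIN
# authentication. "yes" forces such clients to either use STARTTLS or one of
# the challenge-response mechanisms listed under "mechanisms" below.
# Connections from the local host (e.g. a local TLS-terminating proxy) are
# unaffected, as described above.
#disable_plaintext_auth = no
disable_plaintext_auth = yes

# Syslog facility to use if you're logging to syslog. Usually if you don't
# want to use "mail", you'll use local0..local7. Also other standard
# facilities are supported.
syslog_facility = auth

# Prefix for each line written to log file. % codes are in strftime(3)
# format.
#log_timestamp = "%b %d %H:%M:%S "
log_timestamp = "%Y-%m-%d %H:%M:%S "

# SSL/TLS support. The certificate and key below were already configured but
# unused while this was "no". With "yes", STARTTLS is offered on every port
# listed in "protocols".
# NOTE(review): before restarting, confirm that both files exist, that the
# key is readable by root only, and that the certificate matches the host
# name clients connect to; with a missing or unreadable file Dovecot will
# not start. If TLS is terminated by a separate front end on this host,
# "ssl = no" can be restored - keep disable_plaintext_auth = yes either way.
#ssl = no
ssl = yes
ssl_cert_file = /usr/local/ssl/certs/imapd.pem
ssl_key_file = /usr/local/ssl/private/imapd.key

# OpenSSL cipher string. The previous value started from ALL and then
# explicitly re-added RC4 and MEDIUM-strength suites; only HIGH-strength,
# authenticated, non-export suites are offered now.
#ssl_cipher_list = ALL:!LOW:!SSLv2:ALL:!aNULL:!ADH:!eNULL:!EXP:RC4+RSA:+HIGH:+MEDIUM
ssl_cipher_list = HIGH:!aNULL:!eNULL:!EXP:!LOW:!MEDIUM:!RC4:!MD5:!SSLv2

# Mailbox locations and namespaces
# There are a few special variables you can use, eg.:
#   %u - username
#   %n - user part in user@domain, same as %u if there's no domain
#   %d - domain part in user@domain, empty if there's no domain
#   %h - home directory
# See doc/wiki/Variables.txt for full list. Some examples:
#   mail_location = maildir:~/Maildir
#   mail_location = mbox:~/mail:INBOX=/var/mail/%u
#   mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n
#
# The old value read ".../%d%/%n/Maildir"; the stray "%" looks like a typo
# for "%d/%n" and only went unnoticed because the static userdb below returns
# a "mail" field with the intended path, which overrides this setting. Both
# now spell the same path.
# %d and %n are taken from the login name. Nothing here stops a domain or
# user part of "..", so path safety rests on auth_username_chars (which
# rejects "/") and on the SQL passdb only matching real users.
#mail_location = maildir:/var/spool/postfix/virtual/%d%/%n/Maildir
mail_location = maildir:/var/spool/postfix/virtual/%d/%n/Maildir

# REMEMBER: If you add any namespaces, the default namespace must be added
# explicitly, ie. mail_location does nothing unless you have a namespace
# without a location setting. Default namespace is simply done by having a
# namespace with empty prefix.
namespace private {
  # Hierarchy separator to use. You should use the same separator for all
  # namespaces or some clients get confused. '/' is usually a good one.
  # The default however depends on the underlying mail storage format.
  #separator =
  separator = /

  # Prefix required to access this namespace. This needs to be different for
  # all namespaces. For example "Public/".
  #prefix =

  # Physical location of the mailbox. This is in same format as
  # mail_location, which is also the default for it.
  #location =

  # There can be only one INBOX, and this setting defines which namespace
  # has it.
  #inbox = no
  inbox = yes

  # If namespace is hidden, it's not advertised to clients via NAMESPACE
  # extension. You'll most likely also want to set list=no. This is mostly
  # useful when converting from another server with different namespaces which
  # you want to deprecate but still keep working. For example you can create
  # hidden namespaces with prefixes "~/mail/", "~%u/mail/" and "mail/".
  #hidden = yes

  # Show the mailboxes under this namespace with LIST command. This makes the
  # namespace visible for clients that don't support NAMESPACE extension.
  # "children" value lists child mailboxes, but hides the namespace prefix.
  #list = yes

  # Namespace handles its own subscriptions. If set to "no", the parent
  # namespace handles them (empty prefix should always have this as "yes")
  #subscriptions = yes
  subscriptions = yes
}

# Shared namespace: other users' mailboxes, visible to a user only where the
# acl plugin (loaded in the imap section below) grants access and the
# acl_shared_dict in the plugin section lists them.
namespace shared {
  #separator = /
  separator = /

  # Mailboxes are visible under "shared/user@domain/"
  # %%n, %%d and %%u are expanded to the destination user.
  #prefix = shared/%%u/
  prefix = shared/%%u/

  # Mail location for other users' mailboxes. Note that %variables and ~/
  # expands to the logged in user's data. %%n, %%d, %%u and %%h expand to the
  # destination user's data.
  #location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u
  #
  # NOTE(review): the INDEX path also uses %%d/%%n, so the index for a shared
  # mailbox sits inside the *destination* user's Maildir at one path that
  # every accessing user shares. That only works because all mailboxes are
  # owned by the single vmail uid; the example above keeps a per-login-user
  # index (single-% variables) instead, which is what to switch to if uids
  # ever diverge. Left unchanged.
  location = maildir:/var/spool/postfix/virtual/%%d/%%n/Maildir:INDEX=/var/spool/postfix/virtual/%%d/%%n/Maildir/shared/%%d/%%n

  # Use the default namespace for saving subscriptions.
  #subscriptions = no
  subscriptions = no

  # List the shared/ namespace only if there are visible shared mailboxes.
  #list = children
  list = children
}

# public mailboxes (disabled)
#namespace public {
#  separator = /
#  prefix = Public/
#  location = maildir:/var/spool/postfix/virtual/%d/public/Maildir
#  hidden = no
#  list = yes
#  # each user manages the public folder subscriptions on its own
#  subscriptions = no
#}

# System user and group used to access mails. If you use multiple, userdb
# can override these by returning uid or gid fields. You can use either numbers
# or names.
mail_uid = vmail
mail_gid = vmail

# Group to enable temporarily for privileged operations. Currently this is
# used only with INBOX when either its initial creation or dotlocking fails.
# Typically this is set to "mail" to give access to /var/mail.
# Here it equals mail_gid, so it grants nothing extra; harmless and kept.
mail_privileged_group = vmail

## IMAP specific settings
protocol imap {
  # Login executable location.
  #login_executable = /usr/libexec/dovecot/imap-login
  login_executable = /usr/local/dovecot/imap-login

  # IMAP executable location. Changing this allows you to execute other
  # binaries before the imap process is executed.
  #
  # This would write rawlogs into user's ~/dovecot.rawlog/, if it exists:
  #   mail_executable = /usr/libexec/dovecot/rawlog /usr/libexec/dovecot/imap
  #
  # This would attach gdb into the imap process and write backtraces into
  # /tmp/gdbhelper.* files:
  #   mail_executable = /usr/libexec/dovecot/gdbhelper /usr/libexec/dovecot/imap
  #
  #mail_executable = /usr/libexec/dovecot/imap
  mail_executable = /usr/local/dovecot/imap

  # Maximum IMAP command line length in bytes. Some clients generate very long
  # command lines with huge mailboxes, so you may need to raise this if you get
  # "Too long argument" or "IMAP command line too large" errors often.
  #imap_max_line_length = 65536

  # Maximum number of IMAP connections allowed for a user from each IP address.
  # NOTE: The username is compared case-sensitively.
  #mail_max_userip_connections = 10

  # Support for dynamically loadable plugins. mail_plugins is a space separated
  # list of plugins to load.
  # acl enforces per-mailbox rights (needed for the shared/ namespace above);
  # imap_acl adds the IMAP ACL commands on top of it. The plugin directory is
  # under /usr/lib while the executables are under /usr/local/dovecot -
  # NOTE(review): confirm both belong to the same Dovecot build.
  mail_plugins = autocreate acl imap_acl
  mail_plugin_dir = /usr/lib/dovecot/imap

  # IMAP logout format string:
  #  %i - total number of bytes read from client
  #  %o - total number of bytes sent to client
  #imap_logout_format = bytes=%i/%o

  # Override the IMAP CAPABILITY response.
  #imap_capability =

  # How many seconds to wait between "OK Still here" notifications when
  # client is IDLEing.
  #imap_idle_notify_interval = 120

  # ID field names and values to send to clients. Using * as the value makes
  # Dovecot use the default value. The following fields have default values
  # currently: name, version, os, os-version, support-url, support-email.
  # The defaults disclose the software version and OS to anyone who connects;
  # set the fields to empty values here if that is not wanted.
  #imap_id_send =

  # ID fields sent by client to log. * means everything.
  #imap_id_log =

  # NOTE(review): the remainder of this comment, the rest of the imap section
  # including its closing brace, and the start of the pop3 section are
  # missing from this copy of the file.
  # Workarounds for various client bugs:
  #   delay-newmail:
  #     Send EXISTS/RECENT new mail notifications only when replying to NOOP
  #     and CHECK commands. Some clients ignore them otherwise, for example OSX
  #     Mail ( (e.g.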
# %Uf for the filename in uppercase)
  #
  #  %v - Mailbox's IMAP UIDVALIDITY
  #  %u - Mail's IMAP UID
  #  %m - MD5 sum of the mailbox headers in hex (mbox only)
  #  %f - filename (maildir only)
  #
  # If you want UIDL compatibility with other POP3 servers, use:
  #  UW's ipop3d         : %08Xv%08Xu
  #  Courier             : %f or %v-%u (both might be used simultaneously)
  #  Cyrus (<= 2.1.3)    : %u
  #  Cyrus (>= 2.1.4)    : %v.%u
  #  Dovecot v0.99.x     : %v.%u
  #  tpop3d              : %Mf
  #
  # Note that Outlook 2003 seems to have problems with %v.%u format which was
  # Dovecot's default, so if you're building a new server it would be a good
  # idea to change this. %08Xu%08Xv should be pretty fail-safe.
  #
  # This server uses the UW ipop3d-compatible order (%08Xv%08Xu) rather than
  # the suggested %08Xu%08Xv. Changing it alters every UIDL, so existing POP3
  # clients would re-download their mailboxes unless pop3_save_uidl is
  # enabled first; leave it alone unless that is intended.
  #pop3_uidl_format = %08Xu%08Xv
  pop3_uidl_format = %08Xv%08Xu

  # Permanently save UIDLs sent to POP3 clients, so pop3_uidl_format changes
  # won't change those UIDLs. Currently this works only with Maildir.
  #pop3_save_uidl = no

  # POP3 logout format string:
  #  %i - total number of bytes read from client
  #  %o - total number of bytes sent to client
  #  %t - number of TOP commands
  #  %p - number of bytes sent to client as a result of TOP command
  #  %r - number of RETR commands
  #  %b - number of bytes sent to client as a result of RETR command
  #  %d - number of deleted messages
  #  %m - number of messages (before deletion)
  #  %s - mailbox size in bytes (before deletion)
  #pop3_logout_format = top=%t/%p, retr=%r/%b, del=%d/%m, size=%s

  # Maximum number of POP3 connections allowed for a user from each IP address.
  # NOTE: The username is compared case-sensitively.
  # Raised from the default of 3 (IMAP keeps its default of 10). This is a
  # per-user/per-IP cap on concurrent sessions, not a rate limit; keep it as
  # low as the clients tolerate.
  #mail_max_userip_connections = 3
  mail_max_userip_connections = 10

  # Support for dynamically loadable plugins. mail_plugins is a space separated
  # list of plugins to load.
  # Only autocreate is loaded here. The acl plugin is loaded for IMAP and the
  # LDA but not for POP3, so mailbox ACLs are not consulted for POP3 access
  # to a user's INBOX.
  #mail_plugins =
  #mail_plugin_dir = /usr/lib/dovecot/pop3
  mail_plugins = autocreate
  mail_plugin_dir = /usr/lib/dovecot/pop3

  # Workarounds for various client bugs:
  #   outlook-no-nuls:
  #     Outlook and Outlook Express hang if mails contain NUL characters.
  #     This setting replaces them with 0x80 character.
  #   oe-ns-eoh:
  #     Outlook Express and Netscape Mail breaks if end of headers-line is
  #     missing. This option simply sends it if it's missing.
  # The list is space-separated.
  #pop3_client_workarounds =
  pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
}

## MANAGESIEVE specific settings
# ManageSieve logins run through the same login process model and dovecot-auth
# as IMAP/POP3, so the global ssl and disable_plaintext_auth settings apply to
# script uploads as well.
protocol managesieve {
  # Login executable location.
  #login_executable = /usr/libexec/dovecot/managesieve-login
  login_executable = /usr/local/dovecot/managesieve-login

  # ManageSieve executable location. See IMAP's mail_executable above for
  # examples how this could be changed.
  #mail_executable = /usr/libexec/dovecot/managesieve
  mail_executable = /usr/local/dovecot/managesieve

  # Maximum ManageSieve command line length in bytes. This setting is
  # directly borrowed from IMAP. But, since long command lines are very
  # unlikely with ManageSieve, changing this will not be very useful.
  #managesieve_max_line_length = 65536

  # ManageSieve logout format string:
  #  %i - total number of bytes read from client
  #  %o - total number of bytes sent to client
  #managesieve_logout_format = bytes=%i/%o

  # To fool ManageSieve clients that are focused on timsieved you can
  # specify the IMPLEMENTATION capability that the dovecot reports to clients
  # (default: "dovecot").
  #managesieve_implementation_string = Cyrus timsieved v2.2.13

  # The ManageSieve service also uses the sieve and sieve_dir settings
  # of the Sieve plugin. These are configured in the plugin {} section of
  # this config file.
}

## LDA specific settings
protocol lda {
  # Address to use when sending rejection mails.
  # NOTE(review): this is unqualified; Dovecot's examples use a full address
  # such as postmaster@example.com. Whether a bare "postmaster" becomes a
  # deliverable sender depends on the sendmail binary below rewriting it.
  postmaster_address = postmaster

  # Hostname to use in various parts of sent mails, eg. in Message-Id.
  # Default is the system's real hostname.
  #hostname =

  # Support for dynamically loadable plugins. mail_plugins is a space separated
  # list of plugins to load.
  # sieve runs the per-user filter scripts at delivery time; acl makes the
  # LDA honour mailbox rights when Sieve files into other folders.
  #mail_plugins =
  #mail_plugin_dir = /usr/lib/dovecot/lda
  mail_plugins = sieve acl
  mail_plugin_dir = /usr/lib/dovecot/lda

  # If user is over quota, return with temporary failure instead of
  # bouncing the mail.
  # Only takes effect once a quota plugin is loaded; none is listed in any
  # mail_plugins line of this file, so this is currently inert.
  quota_full_tempfail = yes

  # Format to use for logging mail deliveries. You can use variables:
  #  %$ - Delivery status message (e.g. "saved to INBOX")
  #  %m - Message-ID
  #  %s - Subject
  #  %f - From address
  # Subject and sender are deliberately not logged; add %s/%f only if the
  # logs are treated as containing message content.
  deliver_log_format = msgid=%m: %$

  # Binary to use for sending mails.
  #sendmail_path = /usr/lib/sendmail

  # Subject: header to use for rejection mails. You can use the same variables
  # as for rejection_reason below.
  #rejection_subject = Automatically rejected mail

  # Human readable error message for rejection mails. You can use variables:
  #  %n = CRLF, %r = reason, %s = original subject, %t = recipient
  #rejection_reason = Your message to <%t> was automatically rejected:%n%r
  rejection_reason = Your message to <%t> was automatically rejected:%n%r

  # UNIX socket path to master authentication server to find users.
  #auth_socket_path = /var/run/dovecot/auth-master
}

##
## Authentication processes
##

# Executable location
#auth_executable = /usr/local/dovecot/dovecot-auth
auth_executable = /usr/local/dovecot/dovecot-auth

# Set max. process size in megabytes.
#auth_process_size = 256

# Authentication cache size in kilobytes. 0 means it's disabled.
# Note that bsdauth, PAM and vpopmail require cache_key to be set for caching
# to be used.
# Caching is off, so every login hits the SQL passdb and password changes
# or account disablement take effect immediately.
#auth_cache_size = 0

# Time to live in seconds for cached data. After this many seconds the cached
# record is no longer used, *except* if the main database lookup returns
# internal failure. We also try to handle password changes automatically: If
# user's previous authentication was successful, but this one wasn't, the
# cache isn't used. For now this works only with plaintext authentication.
#auth_cache_ttl = 3600

# TTL for negative hits (user not found). 0 disables caching them completely.
#auth_cache_negative_ttl = 3600

# Space separated list of realms for SASL authentication mechanisms that need
# them. You can leave it empty if you don't want to support multiple realms.
# Many clients simply use the first one listed here, so keep the default realm
# first.
#auth_realms =

# Default realm/domain to use if none was specified. This is used for both
# SASL realms and appending @domain to username in plaintext logins.
#auth_default_realm =

# List of allowed characters in username. If the user-given username contains
# a character not listed in here, the login automatically fails. This is just
# an extra check to make sure user can't exploit any potential quote escaping
# vulnerabilities with SQL/LDAP databases. If you want to allow all characters,
# set this value to empty.
#
# Keep this set tight: "/" , "%", quotes and whitespace are excluded, which is
# also what keeps %d/%n in mail_location and the static userdb from escaping
# the per-user directory. "." is allowed, so a ".." component is not rejected
# here - the SQL passdb has to match such a name before it could matter.
auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@

# Username character translations before it's looked up from databases. The
# value contains series of from -> to characters. For example "#@/@" means
# that '#' and '/' characters are translated to '@'.
#auth_username_translation =

# Username formatting before it's looked up from databases. You can use
# the standard variables here, eg. %Lu would lowercase the username, %n would
# drop away the domain if it was given, or "%n-AT-%d" would change the '@' into
# "-AT-". This translation is done after auth_username_translation changes.
#auth_username_format = %n

# If you want to allow master users to log in by specifying the master
# username within the normal username string (ie. not using SASL mechanism's
# support for it), you can specify the separator character here: the normal
# username comes first, then the separator, then the master username.
# UW-IMAP uses "*" as the separator, so that could be a good choice.
#auth_master_user_separator =

# Username to use for users logging in with ANONYMOUS SASL mechanism
#auth_anonymous_username = anonymous

# More verbose logging. Useful for figuring out why authentication isn't
# working.
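#auth_verbose = no
# Log the reason for every failed authentication (unknown user, password
# mismatch, ...). This is the signal brute-force detection and incident
# review depend on; it does not log the passwords themselves (that is
# auth_debug_passwords below).
auth_verbose = yes

# Even more verbose logging for debugging purposes. Shows for example SQL
# queries.
auth_debug = no

# In case of password mismatches, log the passwords and used scheme so the
# problem can be debugged. Enabling this also enables auth_debug.
# Never enable on a production host: every failed attempt would write the
# supplied password into the auth log.
#auth_debug_passwords = no

# Maximum number of dovecot-auth worker processes. They're used to execute
# blocking passdb and userdb queries (eg. MySQL and PAM). They're
# automatically created and destroyed as needed.
#auth_worker_max_count = 30

# Number of auth requests to handle before destroying the process. This may
# be useful if PAM plugins leak memory.
#auth_worker_max_request_count = 0

# Host name to use in GSSAPI principal names. The default is to use the
# name returned by gethostname().
#auth_gssapi_hostname =

# Kerberos keytab to use for the GSSAPI mechanism. Will use the system
# default (usually /etc/krb5.keytab) if not specified.
#auth_krb5_keytab =

# Do NTLM authentication using Samba's winbind daemon and ntlm_auth helper.
#auth_ntlm_use_winbind = no

# Path for Samba's ntlm_auth helper binary.
#auth_winbind_helper_path = /usr/bin/ntlm_auth

# Number of seconds to delay before replying to failed authentications.
# This default (2s) is the only throttle on password guessing in this file;
# raise it rather than lowering it.
#auth_failure_delay = 2

auth default {
  # Space separated list of wanted authentication mechanisms:
  #   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
  #   gss-spnego
  # NOTE: See also disable_plaintext_auth setting.
  # NOTE(review): digest-md5 and cram-md5 can only succeed if the SQL passdb
  # returns the password in a scheme those mechanisms can verify (PLAIN or
  # the mechanism-specific scheme); check the password column/scheme in
  # dovecot-sql.conf.ext. With disable_plaintext_auth enabled they are the
  # only mechanisms usable without STARTTLS.
  mechanisms = plain login digest-md5 cram-md5

  #
  # Password database is used to verify user's password (and nothing more).
  # You can have multiple passdbs and userdbs. This is useful if you want to
  # allow both system users (/etc/passwd) and virtual users to login without
  # duplicating the system users into virtual database.
  #
  # By adding master=yes setting inside a passdb you make the passdb a list
  # of "master users", who can log in as anyone else. Unless you're using PAM,
  # you probably still want the destination user to be looked up from passdb
  # that it really exists. This can be done by adding pass=yes setting to the
  # master passdb.

  # Users can be temporarily disabled by adding a passdb with deny=yes.
  # If the user is found from that database, authentication will fail.
  # The deny passdb should always be specified before others, so it gets
  # checked first. Here's an example:
  #passdb passwd-file {
    # File contains a list of usernames, one per line
    #args = /etc/dovecot.deny
    #deny = yes
  #}

  # SQL database - the only password backend in use. The referenced file
  # holds the database credentials and the password query; it is read by the
  # auth process user set below, so it must be readable by that user and
  # nobody else who does not need it.
  passdb sql {
    # Path for SQL configuration file, see doc/dovecot-sql-example.conf
    args = /etc/dovecot/dovecot-sql.conf.ext
  }

  # static settings generated from template
  userdb static {
    # Template for the fields. Can return anything a userdb could normally
    # return. For example:
    #
    #  args = uid=500 gid=500 home=/var/mail/%u
    #
    # If you use deliver, it needs to look up users only from the userdb. This
    # of course doesn't work with static because there is no list of users.
    # Normally static userdb handles this by doing a passdb lookup. This works
    # with most passdbs, with PAM being the most notable exception. If you do
    # the user verification another way, you can add allow_all_users=yes to
    # the args in which case the passdb lookup is skipped.
    #
    # allow_all_users is intentionally NOT set: deliveries for unknown users
    # are refused because the passdb lookup fails for them.
    # NOTE(review): 910/910 are presumably the numeric ids of the vmail
    # account named in mail_uid/mail_gid - confirm they match.
    args = uid=910 gid=910 home=/var/spool/postfix/virtual/%d/%n mail=maildir:/var/spool/postfix/virtual/%d/%n/Maildir
  }

  # SQL database
  #userdb sql {
    # Path for SQL configuration file, see doc/dovecot-sql-example.conf
    #args = /etc/dovecot/dovecot-sql.conf.ext
  #}

  # User to use for the process. This user needs access to only user and
  # password databases, nothing else. Only shadow and pam authentication
  # requires roots, so use something else if possible. Note that passwd
  # authentication with BSDs internally accesses shadow files, which also
  # requires roots. Note that this user is NOT used to access mails.
  # That user is specified by userdb above.
  #
  # Changed from root: the only backends configured here are the SQL passdb
  # and the static userdb, neither of which needs root. The listen sockets
  # below get their owner/mode from the process that starts dovecot-auth
  # (see the note in the master socket), so they are unaffected.
  # NOTE(review): /etc/dovecot/dovecot-sql.conf.ext must be readable by this
  # user (and not world-readable) before restarting, or every login fails.
  # A dedicated account with no shell is preferable to the shared "nobody"
  # account if one can be created.
  #user = root
  user = nobody

  # Directory where to chroot the process. Most authentication backends don't
  # work if this is set, and there's no point chrooting if auth_user is root.
  # Note that valid_chroot_dirs isn't needed to use this setting.
  #chroot =

  # Number of authentication processes to create
  #count = 1

  # Require a valid SSL client certificate or the authentication fails.
  #ssl_require_client_cert = no

  # Take the username from client's SSL certificate, using
  # X509_NAME_get_text_by_NID() which returns the subject's DN's
  # CommonName.
  #ssl_username_from_cert = no

  # It's possible to export the authentication interface to other programs:
  socket listen {
    master {
      # Master socket provides access to userdb information. It's typically
      # used to give Dovecot's local delivery agent access to userdb so it
      # can find mailbox locations.
      # 0600 owned by vmail: only processes running as vmail can query userdb
      # through it - presumably the LDA when Postfix runs deliver as vmail;
      # confirm against the Postfix transport.
      path = /var/run/dovecot/auth-master
      mode = 0600
      # Default user/group is the one who started dovecot-auth (root)
      user = vmail
      #group =
    }
    client {
      # The client socket is generally safe to export to everyone. Typical use
      # is to export it to your SMTP server so it can do SMTP AUTH lookups
      # using it.
      # Lives inside Postfix's private/ queue directory for SMTP AUTH.
      # NOTE(review): with mode 0660 mail:mail, Postfix's smtpd must run as
      # "mail" or as a member of group "mail" to open it; Postfix normally
      # runs as "postfix", so confirm this actually works.
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = mail
      group = mail
    }
  }
}

# If you wish to use another authentication server than dovecot-auth, you can
# use connect sockets. They are assumed to be already running, Dovecot's master
# process only tries to connect to them. They don't need any other settings
# than the path for the master socket, as the configuration is done elsewhere.
# Note that the client sockets must exist in the login_dir.
#auth external {
#  socket connect {
#    master {
#      path = /var/run/dovecot/auth-master
#    }
#  }
#}

##
## Dictionary server settings
##

# Dictionary can be used by some plugins to store key=value lists.
# Currently this is only used by dict quota backend. The dictionary can be
# used either directly or through a dictionary server.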
# The following dict block
# maps dictionary names to URIs when the server is used. These can then be
# referenced using URIs in format "proxy::<name>".
dict {
  # All three names point at one SQL map file. That file presumably carries
  # the database connect string and credentials, so it must not be
  # world-readable; it is read by the dict server process.
  # Only "acl" is referenced by an active setting below (acl_shared_dict);
  # "quota" and "expire" are defined for plugins that are not loaded by any
  # mail_plugins line in this file.
  quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
  expire = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
  acl = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
}

# Path to Berkeley DB's configuration file. See doc/dovecot-db-example.conf
#dict_db_config =

##
## Plugin settings
##

plugin {
  # Here you can give some extra environment variables to mail processes.
  # This is mostly meant for passing parameters to plugins. %variable
  # expansion is done for all values.

  # Quota plugin. Multiple backends are supported:
  #   dirsize: Find and sum all the files found from mail directory.
  #            Extremely SLOW with Maildir. It'll eat your CPU and disk I/O.
  #   dict: Keep quota stored in dictionary (eg. SQL)
  #   maildir: Maildir++ quota
  #   fs: Read-only support for filesystem quota
  #
  # Quota limits are set using "quota_rule" parameters, either in here or in
  # userdb. It's also possible to give mailbox-specific limits, for example:
  #   quota_rule = *:storage=1048576
  #   quota_rule2 = Trash:storage=102400
  # User has now 1GB quota, but when saving to Trash mailbox the user gets
  # additional 100MB.
  #
  # Multiple quota roots are also possible, for example:
  #   quota = dict:user::proxy::quota
  #   quota2 = dict:domain:%d:proxy::quota_domain
  #   quota_rule = *:storage=102400
  #   quota2_rule = *:storage=1048576
  # Gives each user their own 100MB quota and one shared 1GB quota within
  # the domain.
  #
  # You can execute a given command when user exceeds a specified quota limit.
  # Each quota root has separate limits. Only the command for the first
  # exceeded limit is executed, so put the highest limit first.
  # Note that % needs to be escaped as %%, otherwise "% " expands to empty.
  #   quota_warning = storage=95%% /usr/local/bin/quota-warning.sh 95
  #   quota_warning2 = storage=80%% /usr/local/bin/quota-warning.sh 80
  #
  # No quota is configured and no quota plugin is loaded in this file, so
  # mailbox growth is unbounded; quota_full_tempfail in the lda section is
  # inert until one is enabled.
  #quota = maildir

  # ACL plugin. vfile backend reads ACLs from "dovecot-acl" file from maildir
  # directory. You can also optionally give a global ACL directory path where
  # ACLs are applied to all users' mailboxes. The global ACL directory contains
  # one file for each mailbox, eg. INBOX or sub.mailbox. cache_secs parameter
  # specifies how many seconds to wait between stat()ing dovecot-acl file
  # to see if it changed.
  # Per-mailbox dovecot-acl files only, no global ACL directory; the plugin
  # itself is loaded in the imap and lda sections (not pop3).
  #acl = vfile:/etc/dovecot-acls:cache_secs=300
  acl = vfile

  # To let users LIST mailboxes shared by other users, Dovecot needs a
  # shared mailbox dictionary. For example:
  #acl_shared_dict = file:/var/lib/dovecot/shared-mailboxes
  #acl_shared_dict = file:/etc/dovecot/shared-mailboxes
  # Kept in MySQL through the dict server ("acl" entry in the dict block).
  acl_shared_dict = proxy::acl

  # Convert plugin. If set, specifies the source storage path which is
  # converted to destination storage (mail_location) when the user logs in.
  # The existing mail directory is renamed to <dir>-converted.
  #convert_mail = mbox:%h/mail
  # Skip mailboxes which we can't open successfully instead of aborting.
  #convert_skip_broken_mailboxes = no
  # Skip directories beginning with '.'
  #convert_skip_dotdirs = no
  # If source storage has mailbox names with destination storage's hierarchy
  # separators, replace them with this character.
  #convert_alt_hierarchy_char = _

  # Trash plugin. When saving a message would make user go over quota, this
  # plugin automatically deletes the oldest mails from configured mailboxes
  # until the message can be saved within quota limits. The configuration file
  # is a text file where each line gives a priority number and a mailbox name.
  # Mails are first deleted in lowest -> highest priority number order
  #trash = /etc/dovecot-trash.conf

  # Expire plugin. Mails are expunged from mailboxes after being there the
  # configurable time. The first expiration date for each mailbox is stored in
  # a dictionary so it can be quickly determined which mailboxes contain
  # expired mails. The actual expunging is done in a nightly cronjob, which
  # you must set up:
  #   dovecot --exec-mail ext /usr/local/dovecot/expire-tool
  #expire = Trash 7 Spam 30
  #expire_dict = proxy::expire

  # Lazy expunge plugin. Currently works only with maildirs. When a user
  # expunges mails, the mails are moved to a mailbox in another namespace
  # (1st). When a mailbox is deleted, the mailbox is moved to another namespace
  # (2nd) as well. Also if the deleted mailbox had any expunged messages,
  # they're moved to a 3rd namespace. The mails won't be counted in quota,
  # and they're not deleted automatically (use a cronjob or something).
  #lazy_expunge = .EXPUNGED/ .DELETED/ .DELETED/.EXPUNGED/

  # Events to log. Also available: flag_change append
  # (Requires the mail_log plugin in mail_plugins, which is not loaded here;
  # enabling it would give an audit trail of deletes/copies per user.)
  #mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
  # Group events within a transaction to one line.
  #mail_log_group_events = no
  # Available fields: uid, box, msgid, from, subject, size, vsize, flags
  # size and vsize are available only for expunge and copy events.
  #mail_log_fields = uid box msgid size

  # autocreate plugin (loaded for imap and pop3): create and subscribe the
  # standard folders on first login.
  autocreate = Trash
  autocreate2 = Sent
  autocreate3 = Drafts
  autosubscribe = Trash
  autosubscribe2 = Sent
  autosubscribe3 = Drafts

  # Full-text search backend selection. No fts plugin appears in any
  # mail_plugins line of this file, so this setting currently has no effect.
  fts = squat

  # Sieve plugin (http://wiki.dovecot.org/LDA/Sieve) and ManageSieve service
  #
  # Location of the active script. When ManageSieve is used this is actually
  # a symlink pointing to the active script in the sieve storage directory.
  # ~ is the user's home from the static userdb
  # (/var/spool/postfix/virtual/<domain>/<user>), so scripts stay inside the
  # per-user directory.
  sieve=~/.dovecot.sieve
  #
  # The path to the directory where the personal Sieve scripts are stored. For
  # ManageSieve this is where the uploaded scripts are stored.
  sieve_dir=~/sieve
}