## Authentication processes
##
-# Disable LOGIN command and all other plaintext authentications unless
-# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
+# Enable LOGIN command and all other plaintext authentications even if
+# SSL/TLS is not used (LOGINDISABLED capability). Note that if the remote IP
# matches the local IP (ie. you're connecting from the same computer), the
-# connection is considered secure and plaintext authentication is allowed.
-# See also ssl=required setting.
-#disable_plaintext_auth = yes
+# connection is considered secure and plaintext authentication is allowed,
+# unless ssl = required.
+#auth_allow_cleartext = yes
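Review bot: The commented example `#auth_allow_cleartext = yes` reads like the built-in default, but as far as I know the 2.4 default is `no`, so uncommenting it "to be explicit" would allow PLAIN/LOGIN over unencrypted connections. `auth_mechanisms = plain login` is active further down in this diff, so I would state the default above the line, e.g. `# Default: no. Leave unset so PLAIN/LOGIN are only accepted over TLS.` The rewritten header also describes the enabled state rather than what this configuration ships, which is easy to misread during a migration.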
# Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
-# bsdauth and PAM require cache_key to be set for caching to be used.
+# bsdauth, PAM and vpopmail require cache_key to be set for caching to be used.
#auth_cache_size = 0
# Time to live for cached data. After TTL expires the cached record is no
# longer used, *except* if the main database lookup returns internal failure.
# Many clients simply use the first one listed here, so keep the default realm
# first.
#auth_realms =
-
+#
# Default realm/domain to use if none was specified. This is used for both
# SASL realms and appending @domain to username in plaintext logins.
-#auth_default_realm =
+#auth_default_domain =
# List of allowed characters in username. If the user-given username contains
# a character not listed in here, the login automatically fails. This is just
# that '#' and '/' characters are translated to '@'.
#auth_username_translation =
-# Username formatting before it's looked up from databases. You can use
-# the standard variables here, eg. %Lu would lowercase the username, %n would
-# drop away the domain if it was given, or "%n-AT-%d" would change the '@' into
-# "-AT-". This translation is done after auth_username_translation changes.
-#auth_username_format = %Lu
+# Username formatting before it's looked up from databases.
+#auth_username_format = %{user|lower}
+#auth_username_format = %{user|username|lower}
# If you want to allow master users to log in by specifying the master
# username within the normal username string (ie. not using SASL mechanism's
# Username to use for users logging in with ANONYMOUS SASL mechanism
#auth_anonymous_username = anonymous
-# Maximum number of dovecot-auth worker processes. They're used to execute
-# blocking passdb and userdb queries (eg. MySQL and PAM). They're
-# automatically created and destroyed as needed.
-#auth_worker_max_count = 30
-
# Host name to use in GSSAPI principal names. The default is to use the
# name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab
# entries.
#auth_krb5_keytab =
# Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and
-# ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt>
+# ntlm_auth helper. <https://doc.dovecot.org/latest/core/config/auth/mechanisms/winbind.html>
#auth_use_winbind = no
# Path for Samba's ntlm_auth helper binary.
auth_ssl_username_from_cert = no
# Space separated list of wanted authentication mechanisms:
-# plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp
-# gss-spnego
-# NOTE: See also disable_plaintext_auth setting.
+# plain login digest-md5 cram-md5 ntlm anonymous gssapi
+# gss-spnego xoauth2 oauthbearer
+# NOTE: See also auth_allow_cleartext setting.
auth_mechanisms = plain login
##
# allow both system users (/etc/passwd) and virtual users to login without
# duplicating the system users into virtual database.
#
-# <doc/wiki/PasswordDatabase.txt>
+# <https://doc.dovecot.org/latest/core/config/auth/passdb.html>
#
# User database specifies where mails are located and what user/group IDs
# own them. For single-UID configuration use "static" userdb.
#
-# <doc/wiki/UserDatabase.txt>
+# <https://doc.dovecot.org/latest/core/config/auth/userdb.html>
#!include auth-deny.conf.ext
#!include auth-master.conf.ext
+#!include auth-oauth2.conf.ext
-#!include auth-system.conf.ext
-!include auth-sql.conf.ext
+!include auth-system.conf.ext
+#!include auth-sql.conf.ext
#!include auth-ldap.conf.ext
#!include auth-passwdfile.conf.ext
-#!include auth-checkpassword.conf.ext
#!include auth-static.conf.ext
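Review bot: The include swap near the end of this hunk changes the active passdb/userdb from `auth-sql.conf.ext` to `auth-system.conf.ext`, which looks like a package default carried over in the merge rather than an intended change. Other parts of this diff keep a virtual-user layout (`mail_uid = vmail`, `mail_path = /var/vmail/...`), so SQL-backed users would presumably stop authenticating while every local system account with a password becomes a valid mail login. If SQL is still the backend, keep `#!include auth-system.conf.ext` commented and `!include auth-sql.conf.ext` active. If the switch is deliberate, it deserves a line in the commit description.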
## Logging verbosity and debugging.
##
-# Log filter is a space-separated list conditions. If any of the conditions
-# match, the log filter matches (i.e. they're ORed together). Parenthesis
-# are supported if multiple conditions need to be matched together.
-# Supported conditions are:
-# event:<name wildcard> - Match event name. '*' and '?' wildcards supported.
-# source:<filename>[:<line number>] - Match source code filename [and line]
-# field:<key>=<value wildcard> - Match field key to a value. Can be specified
-# multiple times to match multiple keys.
-# cat[egory]:<value> - Match a category. Can be specified multiple times to
-# match multiple categories.
-# For example: event:http_request_* (cat:error cat:storage)
-
-# Filter to specify what debug logging to enable. This will eventually replace
-# mail_debug and auth_debug settings.
-#log_debug =
-
-# Crash after logging a matching event. For example category:error will crash
-# any time an error is logged, which can be useful for debugging.
-#log_core_filter =
-
# Log unsuccessful authentication attempts and the reasons why they failed.
-#auth_verbose = no
+auth_verbose = no
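Review bot: `auth_verbose = no` is now set explicitly, which per the comment above it keeps unsuccessful authentication attempts and their failure reasons out of the log. For brute-force detection and incident response I would use `auth_verbose = yes` and leave `auth_verbose_passwords` at `no`, so failures are recorded without the attempted password. The unchanged comment further down still says enabling `auth_debug_passwords` "also enables auth_debug", although this diff replaces `auth_debug` with `log_debug=category=auth`; that sentence should be updated.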
# In case of password mismatches, log the attempted password. Valid values are
# no, plain and sha1. sha1 can be useful for detecting brute force password
# attempts vs. user simply trying the same password over and over again.
-# You can also truncate the value to n chars by appending ":n" (e.g. sha1:6).
#auth_verbose_passwords = no
+# To chain multiple logging conditions you can use,
+# log_debug=$SET:log_debug or category=xxx
+
# Even more verbose logging for debugging purposes. Shows for example SQL
# queries.
-#auth_debug = no
-
+#log_debug=category=auth
+#
# In case of password mismatches, log the passwords and used scheme so the
# problem can be debugged. Enabling this also enables auth_debug.
-#auth_debug_passwords = no
+auth_debug_passwords = no
# Enable mail process debugging. This can help you figure out why Dovecot
# isn't finding your mails.
-#mail_debug = no
+#log_debug=category=mail
# Show protocol level SSL errors.
-#verbose_ssl = no
+#log_debug=category=ssl
# mail_log plugin provides more event logging for mail processes.
-plugin {
- # Events to log. Also available: flag_change append
- #mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
- # Available fields: uid, box, msgid, from, subject, size, vsize, flags
- # size and vsize are available only for expunge and copy events.
- #mail_log_fields = uid box msgid size
-}
+#mail_plugins {
+# notify = yes
+# mail_log = yes
+#}
+# Events to log. Also available: flag_change append
+#mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename flag_change append
+# Available fields: uid, box, msgid, from, subject, size, vsize, flags
+# size and vsize are available only for expunge and copy events.
+#mail_log_fields = uid box msgid size from subject vsize flags
+# only log cached fields
+#mail_log_cached_only = yes
##
## Log formatting.
# Space-separated list of elements we want to log. The elements which have
# a non-empty variable value are joined together to form a comma-separated
# string.
-#login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c
+#login_log_format_elements = user=<%{user}> method=%{mechanism} rip=%{remote_ip} lip=%{local_ip} mpid=%{mail_pid} %{secured} session=<%{session}>
-# Login log format. %s contains login_log_format_elements string, %$ contains
+# Login log format. %{elements} contains login_log_format_elements string, %{message} contains
# the data we want to log.
-#login_log_format = %$: %s
-
-# Log prefix for mail processes. See doc/wiki/Variables.txt for list of
-# possible variables you can use.
-#mail_log_prefix = "%s(%u)<%{pid}><%{session}>: "
-
-# Format to use for logging mail deliveries:
-# %$ - Delivery status message (e.g. "saved to INBOX")
-# %m / %{msgid} - Message-ID
-# %s / %{subject} - Subject
-# %f / %{from} - From address
-# %p / %{size} - Physical size
-# %w / %{vsize} - Virtual size
-# %e / %{from_envelope} - MAIL FROM envelope
-# %{to_envelope} - RCPT TO envelope
-# %{delivery_time} - How many milliseconds it took to deliver the mail
-# %{session_time} - How long LMTP session took, not including delivery_time
-# %{storage_id} - Backend-specific ID for mail, e.g. Maildir filename
-#deliver_log_format = msgid=%m: %$
+#login_log_format = %{message}: %{elements}
+
+# Log prefix for mail processes. See
+# https://doc.dovecot.org/latest/core/settings/variables.html#mail-service-user-variables
+# for list of possible variables.
+#mail_log_prefix = "%{service}(%{user})<%{process:pid}><%{session}>: "
+
+# Format to use for logging mail deliveries. See https://doc.dovecot.org/latest/core/summaries/settings.html#deliver_log_format
+# for list of possible variables.
+#deliver_log_format = msgid=%{msgid}: %{message} (subject=%{subject} from=%{from} size=%{size})
#
# There are a few special variables you can use, eg.:
#
-# %u - username
-# %n - user part in user@domain, same as %u if there's no domain
-# %d - domain part in user@domain, empty if there's no domain
-# %h - home directory
+# %{user} - username
+# %{user|username} - user part in user@domain, same as %u if there's no domain
+# %{user|domain} - domain part in user@domain, empty if there's no domain
+# %{home} - home directory
#
-# See doc/wiki/Variables.txt for full list. Some examples:
+# See https://doc.dovecot.org/latest/core/settings/variables.html for full list
+# of variables.
#
-# mail_location = maildir:~/Maildir
-# mail_location = mbox:~/mail:INBOX=/var/mail/%u
-# mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n
+# Example:
+# mail_driver = maildir
+# mail_path = ~/Maildir
+# mail_inbox_path = ~/Maildir/.INBOX
#
-# <doc/wiki/MailLocation.txt>
-#
-mail_location = maildir:/var/vmail/%n
+
+# Debian defaults
+# Note that upstream considers mbox deprecated and strongly recommends
+# against its use in production environments. See further information
+# at
+# https://doc.dovecot.org/2.4.1/core/config/mailbox/formats/mbox.html
+mail_driver = maildir
+mail_path = /var/vmail/%{user | username}
+mail_inbox_path = /var/vmail/%{user | username}/.INBOX
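Review bot: `mail_inbox_path = /var/vmail/%{user | username}/.INBOX` moves INBOX into a `.INBOX` subdirectory, whereas the removed `mail_location = maildir:/var/vmail/%n` kept it at the Maildir root. Unless existing mailboxes are migrated, users would presumably see an empty INBOX while their old messages stay in the root `cur`/`new` directories. If the layout is meant to stay as it was, drop the `mail_inbox_path` line; it appears to have been adapted from the `~/Maildir/.INBOX` example in the comment block above. Separately, the comment for `%{user|username}` still says "same as %u", which should now read `%{user}`.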
# If you need to set multiple mailbox locations or want to change default
# namespace settings, you can do it by defining namespace sections.
#prefix =
# Physical location of the mailbox. This is in same format as
- # mail_location, which is also the default for it.
- #location =
-
+ # mail location, which is also the default for it.
+ # mail_driver =
+ # mail_path =
+ #
# There can be only one INBOX, and this setting defines which namespace
# has it.
inbox = yes
}
# Example shared namespace configuration
-#namespace {
+#namespace shared {
#type = shared
#separator = /
# Mailboxes are visible under "shared/user@domain/"
- # %%n, %%d and %%u are expanded to the destination user.
- #prefix = shared/%%u/
+ # $user, $domain and $username are expanded to the destination user.
+ #prefix = shared/$user/
- # Mail location for other users' mailboxes. Note that %variables and ~/
- # expands to the logged in user's data. %%n, %%d, %%u and %%h expand to the
+ # Mail location for other users' mailboxes. Note that %{variables} and ~/
+ # expands to the logged in user's data. %{owner_user} and %{owner_home}
# destination user's data.
- #location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u
+ #mail_driver = maildir
+ #mail_path = %{owner_home}/Maildir
+ #mail_index_path = ~/Maildir/shared/%{owner_user}
# Use the default namespace for saving subscriptions.
#subscriptions = no
# System user and group used to access mails. If you use multiple, userdb
# can override these by returning uid or gid fields. You can use either numbers
-# or names. <doc/wiki/UserIds.txt>
+# or names. <https://doc.dovecot.org/latest/core/config/system_users.html#uids>
mail_uid = vmail
mail_gid = vmail
# Dictionary for key=value mailbox attributes. This is used for example by
# URLAUTH and METADATA extensions.
-#mail_attribute_dict =
+#mail_attribute {
+# dict file {
+# path = %{home}/Maildir/dovecot-attributes
+# }
+#}
# A comment or note that is associated with the server. This value is
# accessible for authenticated users through the IMAP METADATA server
# settings. If this setting is empty, "/./" in home dirs are ignored.
# WARNING: Never add directories here which local users can modify, that
# may lead to root exploit. Usually this should be done only if you don't
-# allow shell access for users. <doc/wiki/Chrooting.txt>
+# allow shell access for users. <https://doc.dovecot.org/latest/core/config/chrooting.html>
#valid_chroot_dirs =
# Default chroot directory for mail processes. This can be overridden for
#auth_socket_path = /var/run/dovecot/auth-userdb
# Directory where to look up mail plugins.
-#mail_plugin_dir = /usr/lib/dovecot/modules
+#mail_plugin_dir = /usr/lib/dovecot
# Space separated list of plugins to load for all services. Plugins specific to
# IMAP, LDA, etc. are added to this list in their own .conf files.
#mail_plugins =
+#
+# To add plugins, use
+#mail_plugins {
+# plugin = yes
+#}
##
## Mailbox handling optimizations
# in is important to avoid deadlocks if other MTAs/MUAs are using multiple
# locking methods as well. Some operating systems don't allow using some of
# them simultaneously.
-#
-# The Debian value for mbox_write_locks differs from upstream Dovecot. It is
-# changed to be compliant with Debian Policy (section 11.6) for NFS safety.
-# Dovecot: mbox_write_locks = dotlock fcntl
-# Debian: mbox_write_locks = fcntl dotlock
-#
#mbox_read_locks = fcntl
-#mbox_write_locks = fcntl dotlock
+#mbox_write_locks = dotlock fcntl
# Maximum time to wait for lock (all of them) before aborting.
#mbox_lock_timeout = 5 mins
# filesystems (ext4, xfs).
#mdbox_preallocate_space = no
-##
-## Mail attachments
-##
-
-# sdbox and mdbox support saving mail attachments to external files, which
-# also allows single instance storage for them. Other backends don't support
-# this for now.
-
-# Directory root where to store mail attachments. Disabled, if empty.
-#mail_attachment_dir =
-
-# Attachments smaller than this aren't saved externally. It's also possible to
-# write a plugin to disable saving specific attachments externally.
-#mail_attachment_min_size = 128k
-
-# Filesystem backend to use for saving attachments:
-# posix : No SiS done by Dovecot (but this might help FS's own deduplication)
-# sis posix : SiS with immediate byte-by-byte comparison during saving
-# sis-queue posix : SiS with delayed comparison and deduplication
-#mail_attachment_fs = sis posix
-
-# Hash format to use in attachment filenames. You can add any text and
-# variables: %{md4}, %{md5}, %{sha1}, %{sha256}, %{sha512}, %{size}.
-# Variables can be truncated, e.g. %{sha256:80} returns only first 80 bits
-#mail_attachment_hash = %{sha1}
-
# Settings to control adding $HasAttachment or $HasNoAttachment keywords.
# By default, all MIME parts with Content-Disposition=attachment, or inlines
# with filename parameter are consired attachments.
# Number of connections to handle before starting a new process. Typically
# the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
- # is faster. <doc/wiki/LoginProcess.txt>
- #service_count = 1
+ # is faster. <https://doc.dovecot.org/2.4.1/core/config/service.html#service_restart_request_count>
+ #service_restart_request_count = 1
# Number of processes to always keep waiting for more connections.
#process_min_avail = 0
- # If you set service_count=0, you probably need to grow this.
- #vsz_limit = $default_vsz_limit
+ # If you set service_restart_request_count=0, you probably need to grow this.
+ #vsz_limit = 256M # default
}
service pop3-login {
inet_listener submission {
#port = 587
}
+ inet_listener submissions {
+ #port = 465
+ }
}
service lmtp {
- unix_listener /var/spool/postfix/private/dovecot-lmtp {
+ unix_listener lmtp {
mode = 0600
user = postfix
group = postfix
# Create inet listener only if you can't use the above UNIX socket
#inet_listener lmtp {
# Avoid making LMTP visible for the entire internet
- #address =
- #port =
+ #listen = 127.0.0.1
+ #port = 24
#}
}
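Review bot: `unix_listener lmtp` replaces the absolute path `/var/spool/postfix/private/dovecot-lmtp`, so the socket is presumably now created under Dovecot's base directory instead of inside Postfix's spool. A chrooted Postfix LMTP client cannot reach a socket outside its spool, and working around that with the commented `inet_listener lmtp` trades a `mode = 0600`, `user = postfix` socket for a TCP port with no ownership check. Either keep the absolute path as the listener name or confirm that the Postfix transport points at the new location and can reach it. Parts of the service block are elided between the hunks, so the listener's full settings are not visible here.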
service imap {
# Most of the memory goes to mmap()ing files. You may need to increase this
# limit if you have huge mailboxes.
- #vsz_limit = $default_vsz_limit
+ #vsz_limit = 256M # default
# Max. number of IMAP processes (connections)
#process_limit = 1024
}
# Auth process is run as this user.
- #user = $default_internal_user
+ #user = $SET:default_internal_user
}
service auth-worker {
# Auth worker process is run as root by default, so that it can access
# /etc/shadow. If this isn't necessary, the user should be changed to
- # $default_internal_user.
+ # $SET:default_internal_user.
#user = root
}
--- /dev/null
+##
+## Statistics and metrics
+##
+
+# Dovecot supports gathering statistics from events.
+# Currently there are no statistics logged by default, and therefore they must
+# be explicitly added using the metric configuration blocks.
+#
+# Unlike old stats, the new statistics do not require any plugins loaded.
+#
+# See https://doc.dovecot.org/latest/core/config/statistics.html for details
+
+##
+## Example metrics
+##
+
+#metric auth_success {
+# filter = (event=auth_request_finished AND success=yes)
+#}
+#
+#metric auth_failure {
+# filter = (event=auth_request_finished AND NOT success=yes)
+## See exporter config later in this file
+## can be used to replace auth_verbose=yes
+# exporter = log
+#}
+#
+#metric imap_command {
+# filter = event=imap_command_finished
+# group_by cmd_name {
+# method discrete {
+# }
+# }
+# group_by tagged_reply_state {
+# method discrete {
+# }
+# }
+#}
+#
+#metric smtp_command {
+# filter = event=smtp_server_command_finished and protocol=submission
+# group_by cmd_name {
+# method discrete {
+# }
+# }
+# group_by status_code {
+# method discrete {
+# }
+# }
+# group_by duration {
+# method exponential {
+# base = 10
+# min_magnitude = 1
+# max_magnitude = 5
+# }
+# }
+#}
+#
+#metric lmtp_command {
+# filter = event=smtp_server_command_finished and protocol=lmtp
+# group_by cmd_name {
+# method discrete {
+# }
+# }
+# group_by status_code {
+# method discrete {
+# }
+# }
+# group_by duration {
+# method exponential {
+# base = 10
+# min_magnitude = 1
+# max_magnitude = 5
+# }
+# }
+#}
+#
+#metric mail_delivery {
+# filter = event=mail_delivery_finished
+# group_by duration {
+# method exponential {
+# base = 10
+# min_magnitude = 1
+# max_magnitude = 5
+# }
+# }
+#}
+
+##
+## Prometheus
+##
+
+# To allow access to statistics with Prometheus, enable http listener
+# on stats process. Stats will be available on /metrics path.
+#
+# See https://doc.dovecot.org/latest/core/config/statistics.html#openmetrics for more
+# details.
+
+#service stats {
+# inet_listener http {
+# port = 9900
+# }
+#}
+
+##
+## Event exporting
+##
+
+# You can also export individual events.
+#
+# See https://doc.dovecot.org/configuration_manual/event_export/ for more
+# details.
+
+#event_exporter log {
+# format = json
+# time_format = rfc3339
+#}
+#
+#metric imap_commands {
+# exporter = log
+# filter = event=imap_command_finished
+#}
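Review bot: The commented `service stats` example opens `inet_listener http` on port 9900 without a bind address, so uncommenting it as written would presumably serve `/metrics` on every interface. The example metrics cover authentication results, command names and status codes, which should not be readable outside the monitoring network. I would add `#    listen = 127.0.0.1` to the example, matching the `#listen = 127.0.0.1` used for the LMTP inet listener elsewhere in this diff. A one-line comment should also say that remote Prometheus scraping needs a firewall rule or a reverse proxy with access control.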
## SSL settings
##
-# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
+# SSL/TLS support: yes, no, required. <https://doc.dovecot.org/latest/core/config/ssl.html>
ssl = required
-# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
-# dropping root privileges, so keep the key file unreadable by anyone but
-# root. Included doc/mkcert.sh can be used to easily generate self-signed
-# certificate, just make sure to update the domains in dovecot-openssl.cnf
-ssl_cert = <${mail_ssl_cert_dir}/fullchain.pem
-ssl_key = <${mail_ssl_cert_dir}/privkey.pem
+# PEM encoded X.509 SSL/TLS certificate and private key. By default, Debian
+# installs a self-signed certificate. This is useful for testing, but you
+# should obtain a real certificate from a recognized certificate authority.
+#
+# These files are opened before dropping root privileges, so keep the key file
+# unreadable by anyone but root. Included /usr/share/dovecot/mkcert.sh can be
+# used to easily generate self-signed certificate, just make sure to update the
+# domains in dovecot-openssl.cnf
+#
+# Preferred permissions: root:root 0444
+ssl_server_cert_file = ${mail_ssl_cert_dir}/fullchain.pem
+# Preferred permissions: root:root 0400
+ssl_server_key_file = ${mail_ssl_cert_dir}/privkey.pem
# If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter. Since this file is often
# world-readable, you may want to place this setting instead to a different
# root owned 0600 file by using ssl_key_password = <path.
-#ssl_key_password =
+#ssl_server_key_password =
# PEM encoded trusted certificate authority. Set this only if you intend to use
-# ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
-# followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
-ssl_ca = <${ca_dir}/ca.crl
+# ssl_request_client_cert=yes. The file should contain the CA certificate(s)
+# followed by the matching CRL(s). (e.g. ssl_server_ca_file = /etc/ssl/certs/ca.pem)
+ssl_server_ca_file = ${ca_dir}/ca.crl
# Require that CRL check succeeds for client certificates.
-ssl_require_crl = yes
-
-# Directory and/or file for trusted SSL CA certificates. These are used only
-# when Dovecot needs to act as an SSL client (e.g. imapc backend or
-# submission service). The directory is usually /etc/ssl/certs in
-# Debian-based systems and the file is /etc/pki/tls/cert.pem in
-# RedHat-based systems. Note that ssl_client_ca_file isn't recommended with
-# large CA bundles, because it leads to excessive memory usage.
-#ssl_client_ca_dir =
-ssl_client_ca_dir = /etc/ssl/certs
-#ssl_client_ca_file =
-
-# Require valid cert when connecting to a remote server
-#ssl_client_require_valid_cert = yes
+ssl_server_require_crl = yes
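Review bot: This hunk drops the active `ssl_client_ca_dir = /etc/ssl/certs` line without a replacement, so the client roles named in the removed comment (imapc backend, submission service) no longer have an explicitly configured trust store. Whether verification then falls back to the TLS library's default paths or fails cannot be told from the diff. If any outbound TLS is in use, keep `ssl_client_ca_dir = /etc/ssl/certs` and leave `ssl_client_require_valid_cert` at `yes`. The unchanged comment above `#ssl_server_key_password =` also still refers to `ssl_key_password = <path`, which no longer matches the renamed setting.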
# Request client to send a certificate. If you also want to require it, set
# auth_ssl_require_client_cert=yes in auth section.
-#ssl_verify_client_cert = no
+#ssl_server_request_client_cert = no
# Which field from certificate to use for username. commonName and
# x500UniqueIdentifier are the usual choices. You'll also need to set
# auth_ssl_username_from_cert=yes.
-#ssl_cert_username_field = commonName
-
-# SSL DH parameters
-# Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096`
-# Or migrate from old ssl-parameters.dat file with the command dovecot
-# gives on startup when ssl_dh is unset.
-ssl_dh = </usr/share/dovecot/dh.pem
+#ssl_server_cert_username_field = commonName
-# Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
-# TLSv1, TLSv1.1, and TLSv1.2, depending on the OpenSSL version used.
-#ssl_min_protocol = TLSv1
+# SSL protocols to use. Debian systems specify TLSv1.2 by default, which should
+# be reasonbly secure and compatible with existing clients.
+ssl_min_protocol = TLSv1.2
+# Diffie-Hellman parameters are no longer required and should be phased out.
+# They do not work with ECDH(E) and require DH(E) ciphers.
+ssl_server_dh_file = /usr/share/dovecot/dh.pem
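Review bot: The added comment says Diffie-Hellman parameters "are no longer required and should be phased out", yet the next line keeps `ssl_server_dh_file = /usr/share/dovecot/dh.pem` active, pointing at a file under the package's share directory rather than one generated for this host. The same area removes both the instructions for generating parameters and the `!DH` cipher-list alternative, so a reader has no guidance either way. Either comment the setting out and exclude non-EC DH in `ssl_cipher_list`, or keep it and restore a one-line pointer on generating host-specific parameters. The added comment above `ssl_min_protocol` also has a typo, "reasonbly".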
-# SSL ciphers to use, the default is:
+# SSL ciphers to use
#ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
-# To disable non-EC DH, use:
-#ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
-
-# Colon separated list of elliptic curves to use. Empty value (the default)
-# means use the defaults from the SSL library. P-521:P-384:P-256 would be an
-# example of a valid value.
-#ssl_curve_list =
-
-# Prefer the server's order of ciphers over client's.
-#ssl_prefer_server_ciphers = no
# SSL crypto device to use, for valid values run "openssl engine"
-#ssl_crypto_device =
-
-# SSL extra options. Currently supported options are:
-# compression - Enable compression.
-# no_ticket - Disable SSL session tickets.
-#ssl_options =
+#ssl_crypto_device = /dev/crypto
#
#service tcpwrap {
# unix_listener login/tcpwrap {
-# group = $default_login_user
+# group =
# mode = 0600
-# user = $default_login_user
+# user =
# }
#}
#lda_mailbox_autosubscribe = no
protocol lda {
- # Space separated list of plugins to load (default is global mail_plugins).
- #mail_plugins = $mail_plugins
+ # Boolean list of plugins to load
+ #mail_plugins {
+ # sieve = yes
+ #}
}
mailbox Drafts {
special_use = \Drafts
}
- mailbox Spam {
+ mailbox Junk {
special_use = \Junk
}
mailbox Trash {
mailbox Sent {
special_use = \Sent
}
+ mailbox "Sent Messages" {
+ special_use = \Sent
+ }
# If you have a virtual "All messages" mailbox:
mailbox virtual/All {
protocol imap {
# Space separated list of plugins to load (default is global mail_plugins).
- #mail_plugins = $mail_plugins
+ #mail_plugins =
# Maximum number of IMAP connections allowed for a user from each IP address.
# NOTE: The username is compared case-sensitively.
protocol lmtp {
# Space separated list of plugins to load (default is global mail_plugins).
- #mail_plugins = $mail_plugins
+ #mail_plugins =
}
--- /dev/null
+##
+## Dictionary server settings
+##
+
+# Dictionary can be used to store key=value lists. This is used by several
+# plugins. The dictionary can be accessed either directly or though a
+# dictionary server. The following dict block maps dictionary names to URIs
+# when the server is used. These can then be referenced using URIs in format
+# "proxy::<name>".
+
+dict_server {
+# dict quota {
+# driver = sql
+# sql_driver = mysql
+# hostname = localhost
+#
+# dict_map priv/quota/storage {
+# sql_table = quota
+# username_field = username
+# value_field bytes {
+# type = uint
+# }
+# }
+#
+# dict_map priv/quota/messages {
+# sql_table = quota
+# username_field = username
+# value_field messages {
+# type = uint
+# }
+# }
+# }
+}
+
# one file for each mailbox, eg. INBOX or sub.mailbox. cache_secs parameter
# specifies how many seconds to wait between stat()ing dovecot-acl file
# to see if it changed.
-plugin {
- #acl = vfile:/etc/dovecot/global-acls:cache_secs=300
-}
+
+#acl_driver = vfile
+## Deprecated ACL global path
+#acl_global_path = /etc/dovecot/global-acls
+#acl_cache_ttl = 5m
+
+## New inline ACLs
+#mailbox INBOX {
+# acl user=testuser {
+# rights = lri
+# }
+#}
# To let users LIST mailboxes shared by other users, Dovecot needs a
# shared mailbox dictionary. For example:
-plugin {
- #acl_shared_dict = file:/var/lib/dovecot/shared-mailboxes
-}
+#acl_sharing_map {
+# dict file {
+# path = /var/lib/dovecot/shared-mailboxes
+# }
+#}
--- /dev/null
+##
+## Plugin settings
+##
+
+# All wanted plugins must be listed in mail_plugins setting before any of the
+# settings take effect. See <https://doc.dovecot.org/latest/> for list of plugins and
+# their configuration. Note that %{variable} expansion is done for all values.
+
+## See https://doc.dovecot.org/latest/core/plugins/fts.html for FTS information
+
+fts_autoindex = yes
+fts_autoindex_max_recent_msgs = 999
+fts_search_add_missing = yes
+
+## for attachment decoding
+
+#fts_decoder_driver = tika
+#fts_decoder_tika_url = http://localhost:9998/tika/
+
+## for solr
+#fts solr {
+# url = http://localhost:8983/solr/dovecot/
+#}
+
+# See 90-fts-flatcurve.conf in the dovecot-flatcurve package for
+# settings specific to that driver
##
# Note that you also have to enable quota plugin in mail_plugins setting.
-# <doc/wiki/Quota.txt>
+## <https://doc.dovecot.org/latest/core/plugins/quota.html>
##
## Quota limits
# from userdb. It's also possible to give mailbox-specific limits, for example
# to give additional 100 MB when saving to Trash:
-plugin {
- #quota_rule = *:storage=1G
- #quota_rule2 = Trash:storage=+100M
-
- # LDA/LMTP allows saving the last mail to bring user from under quota to
- # over quota, if the quota doesn't grow too high. Default is to allow as
- # long as quota will stay under 10% above the limit. Also allowed e.g. 10M.
- #quota_grace = 10%%
+#mail_plugins {
+# quota = yes
+#}
- # Quota plugin can also limit the maximum accepted mail size.
- #quota_max_mail_size = 100M
-}
+#quota "User quota" {
+# storage_size = 1G
+#}
+#
+#namespace inbox {
+# mailbox Trash {
+# quota_storage_extra = 100M
+# }
+#}
##
## Quota warnings
# UNIX socket (quota-warning below).
# Note that % needs to be escaped as %%, otherwise "% " expands to empty.
-plugin {
- #quota_warning = storage=95%% quota-warning 95 %u
- #quota_warning2 = storage=80%% quota-warning 80 %u
-}
+#quota "User quota" {
+# warning warn-95 {
+# quota_storage_percentage = 95
+# execute quota-warning {
+# args = 95 %{user}
+# }
+# }
+# warning warn-80 {
+# quota_storage_percentage = 80
+# execute quota-warning {
+# args = 80 %{user}
+# }
+# }
+#}
# Example quota-warning service. The unix listener's permissions should be
# set in a way that mail processes can connect to it. Below example assumes
##
# Multiple backends are supported:
-# dirsize: Find and sum all the files found from mail directory.
-# Extremely SLOW with Maildir. It'll eat your CPU and disk I/O.
-# dict: Keep quota stored in dictionary (eg. SQL)
+# count: Default and recommended, quota driver tracks the quota internally within Dovecot's index files.
# maildir: Maildir++ quota
# fs: Read-only support for filesystem quota
-
-plugin {
- #quota = dirsize:User quota
- #quota = maildir:User quota
- #quota = dict:User quota::proxy::quota
- #quota = fs:User quota
-}
-
-# Multiple quota roots are also possible, for example this gives each user
-# their own 100MB quota and one shared 1GB quota within the domain:
-plugin {
- #quota = dict:user::proxy::quota
- #quota2 = dict:domain:%d:proxy::quota_domain
- #quota_rule = *:storage=102400
- #quota2_rule = *:storage=1048576
-}
+#quota "User quota" {
+# driver = count
+#}
--- /dev/null
+# Sieve Extprograms plugin configuration
+
+# Don't forget to add the sieve_extprograms plugin to the sieve_plugins setting.
+# Also enable the extensions you need (one or more of vnd.dovecot.pipe,
+# vnd.dovecot.filter and vnd.dovecot.execute) by adding these to the
+# sieve_extensions or sieve_global_extensions settings. Restricting these
+# extensions to a global context using sieve_global_extensions is recommended.
+
+# The directory where the program sockets are located for the
+# vnd.dovecot.pipe, vnd.dovecot.filter and vnd.dovecot.execute extension
+# respectively. The name of each unix socket contained in that directory
+# directly maps to a program-name referenced from the Sieve script.
+#sieve_pipe_socket_dir = sieve-pipe
+#sieve_filter_socket_dir = sieve-filter
+#sieve_execute_socket_dir = sieve-execute
+
+# The directory where the scripts are located for direct execution by the
+# vnd.dovecot.pipe, vnd.dovecot.filter and vnd.dovecot.execute extension
+# respectively. The name of each script contained in that directory
+# directly maps to a program-name referenced from the Sieve script.
+#sieve_pipe_bin_dir = /usr/lib/dovecot/sieve-pipe
+#sieve_filter_bin_dir = /usr/lib/dovecot/sieve-filter
+#sieve_execute_bin_dir = /usr/lib/dovecot/sieve-execute
+
+# An example program service called 'do-something' to pipe messages to
+#service do-something {
+ # Define the executed script as parameter to the sieve service
+ #executable = script /usr/lib/dovecot/sieve-pipe/do-something.sh
+
+ # Use some unprivileged user for executing the program
+ #user = dovenull
+
+ # The unix socket located in the sieve_pipe_socket_dir (as defined in the
+ # plugin {} section above)
+ #unix_listener sieve-pipe/do-something {
+ # LDA/LMTP must have access
+ # user = vmail
+ # mode = 0600
+ #}
+#}
+
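Review bot: The example's comment "as defined in the plugin {} section above" refers to a block that does not exist in this new file, where the socket directories are plain settings such as `sieve_pipe_socket_dir`. I would reword it to `# The unix socket located in sieve_pipe_socket_dir (see above)`. Because these extensions run external programs on behalf of Sieve scripts, the header's advice to restrict them via `sieve_global_extensions` is worth repeating next to the example service.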
--- /dev/null
+##
+## Settings for the Sieve interpreter
+##
+
+# Do not forget to enable the Sieve plugin in 15-lda.conf and 20-lmtp.conf
+# by adding it to the respective mail_plugins { sieve = yes } settings.
+
+# See https://doc.dovecot.org/latest/core/plugins/sieve.html
+
+# Personal sieve script location
+#sieve_script personal {
+# driver = file
+# path = ~/sieve
+# active_path = ~/.dovecot.sieve
+#}
+
+# Default sieve script location
+#sieve_script default {
+# type = default
+# name = default
+# driver = file
+# path = /etc/dovecot/sieve/default/
+#}
+
+
+# Which Sieve language extensions are available to users. By default, all
+# supported extensions are available, except for deprecated extensions or
+# those that are still under development. Some system administrators may want
+# to disable certain Sieve extensions or enable those that are not available
+# by default. This setting can use 'yes' and 'no' to specify differences relative
+# to the default. For example `imapflags = yes' will enable the
+# deprecated imapflags extension in addition to all extensions were already
+# enabled by default.
+#sieve_extensions {
+# mboxmetadata = yes
+# vnd.dovecot.debug = yes
+#}
+
+# Which Sieve language extensions are ONLY available in global scripts. This
+# can be used to restrict the use of certain Sieve extensions to administrator
+# control, for instance when these extensions can cause security concerns.
+# This setting has higher precedence than the `sieve_extensions' setting
+# (above), meaning that the extensions enabled with this setting are never
+# available to the user's personal script no matter what is specified for the
+# `sieve_extensions' setting. The syntax of this setting is similar to the
+# `sieve_extensions' setting, with the difference that extensions are
+# enabled or disabled for exclusive use in global scripts. Currently, no
+# extensions are marked as such by default.
+#sieve_global_extensions =
+
+# The Pigeonhole Sieve interpreter can have plugins of its own. Using this
+# setting, the used plugins can be specified. Check the Dovecot documentation
+# https://doc.dovecot.org/latest/core/plugins/sieve.html
+
+#sieve_plugins = sieve_imapsieve sieve_extprograms
+#sieve_pipe_bin_dir = /usr/share/dovecot-pigeonhole/sieve
+#sieve_execute_bin_dir = /usr/share/dovecot-pigeonhole/sieve
+#sieve_global_extensions {
+# vnd.dovecot.pipe = yes
+# vnd.dovecot.execute = yes
+#}
+#imapsieve_url =
+
+# The separator that is expected between the :user and :detail
+# address parts introduced by the subaddress extension. This may
+# also be a sequence of characters (e.g. '--'). The current
+# implementation looks for the separator from the left of the
+# localpart and uses the first one encountered. The :user part is
+# left of the separator and the :detail part is right. This setting
+# is also used by Dovecot's LMTP service.
+#recipient_delimiter = +-_
+
+# The maximum size of a Sieve script. The compiler will refuse to compile any
+# script larger than this limit. If set to 0, no limit on the script size is
+# enforced.
+#sieve_max_script_size = 1M
+
+# The maximum number of actions that can be performed during a single script
+# execution. If set to 0, no limit on the total number of actions is enforced.
+#sieve_max_actions = 32
+
+# The maximum number of redirect actions that can be performed during a single
+# script execution. If set to 0, no redirect actions are allowed.
+#sieve_max_redirects = 4
+
+# The maximum number of personal Sieve scripts a single user can have. If set
+# to 0, no limit on the number of scripts is enforced.
+# (Currently only relevant for ManageSieve)
+#sieve_quota_script_count = 0
+
+# The maximum amount of disk storage a single user's scripts may occupy. If
+# set to 0, no limit on the used amount of disk storage is enforced.
+# (Currently only relevant for ManageSieve)
+#sieve_quota_storage_size = 0
+
+
+#mailbox Spam {
+## From elsewhere to Spam folder
+# sieve_script report-spam {
+# type = before
+# cause = copy
+# path = /etc/dovecot/report-spam.sieve
+# }
+#}
+
+## From Spam folder to elsewhere
+#imapsieve_from Spam {
+# sieve_script report-ham {
+# type = before
+# cause = copy
+# path = /etc/dovecot/report-ham.sieve
+# }
+#}
-# Deny access for users. Included from 10-auth.conf.
+# Deny access for users. Included from auth.conf.
# Users can be (temporarily) disabled by adding a passdb with deny=yes.
# If the user is found from that database, authentication will fail.
# checked first.
# Example deny passdb using passwd-file. You can use any passdb though.
-passdb {
- driver = passwd-file
- deny = yes
-
- # File contains a list of usernames, one per line
- args = /etc/dovecot/deny-users
-}
+#passdb deny {
+# driver = passwd-file
+# deny = yes
+#
+## File contains a list of usernames, one per line
+# passwd_file_path = /etc/dovecot/deny-users
+#}
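Review bot: The deny passdb is now shipped fully commented out, whereas the removed lines defined it as an active block. A setup that includes this file would therefore stop consulting `/etc/dovecot/deny-users` until the block is uncommented. Whether the file is included at all is decided in auth.conf, which is outside this hunk. I would either keep the block active as before or add a comment above it, e.g. `# Commented out by default: uncomment to enforce /etc/dovecot/deny-users.`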
-# Authentication for master users. Included from 10-auth.conf.
+# Authentication for master users. Included from auth.conf.
# By adding master=yes setting inside a passdb you make the passdb a list
# of "master users", who can log in as anyone else.
-# <doc/wiki/Authentication.MasterUsers.txt>
+# <https://doc.dovecot.org/latest/core/config/auth/master_users.html>
# Example master user passdb using passwd-file. You can use any passdb though.
-passdb {
- driver = passwd-file
- master = yes
- args = /etc/dovecot/master-users
-
- # Unless you're using PAM, you probably still want the destination user to
- # be looked up from passdb that it really exists. pass=yes does that.
- pass = yes
-}
+#passdb master-passwd-file {
+# driver = passwd-file
+# master = yes
+# passwd_file_path = /etc/dovecot/master-users
+#}
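Review bot: The new master-user example drops `pass = yes` and the comment explaining it, and nothing replaces them. The example therefore no longer shows that the destination user should still be looked up after the master login succeeds. If I read the 2.4 settings correctly the equivalent is `result_success = continue`; I would add `#  result_success = continue` inside the block and keep the old explanatory comment above it.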
--- /dev/null
+#auth_mechanisms {
+# xoauth2 = yes
+# oauthbearer = yes
+#}
+#oauth2 {
+# tokeninfo_url = https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=
+# introspection_url = https://www.googleapis.com/oauth2/v2/userinfo
+# #force_introspection = yes
+# username_attribute = email
+#}
+
+# with local validation
+#oauth2 {
+# introspection_mode = local
+# username_attribute = email
+# oauth2_local_validation {
+# dict fs {
+# fs posix {
+# prefix = /etc/dovecot/oauth2-keys/
+# }
+# }
+# }
+#}
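Review bot: Neither example shows a setting that ties an accepted token to this service. The first checks the token against Google's tokeninfo URL and takes `email` as the username; the local-validation one only points at a key directory. As written, a token issued for some other client could presumably pass, though that depends on validation behaviour not visible here. I would add a comment above each `oauth2` block such as `# Restrict the accepted issuer/client (audience) before enabling this.`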
-# Authentication for passwd-file users. Included from 10-auth.conf.
+# Authentication for passwd-file users. Included from auth.conf.
#
# passwd-like file with specified location.
-# <doc/wiki/AuthDatabase.PasswdFile.txt>
+# <https://doc.dovecot.org/latest/core/config/auth/databases/passwd_file.html>
-passdb {
- driver = passwd-file
- args = scheme=CRYPT username_format=%u /etc/dovecot/users
-}
+#passdb passwd-file {
+# default_password_scheme = crypt
+# auth_username_format = %{user}
+# passwd_file_path = /etc/dovecot/users
+#}
-userdb {
- driver = passwd-file
- args = username_format=%u /etc/dovecot/users
+#userdb passwd-file {
+# auth_username_format = %{user}
+# passwd_file_path = /etc/dovecot/users
- # Default fields that can be overridden by passwd-file
- #default_fields = quota_rule=*:storage=1G
-
- # Override fields from passwd-file
- #override_fields = home=/home/virtual/%u
-}
+# fields {
+# quota_rule:default=*:storage=1G
+# home=/home/virtual/%{user}
+# }
+#}
-# Authentication for SQL users. Included from 10-auth.conf.
+# Authentication for SQL users. Included from auth.conf.
#
-# <doc/wiki/AuthDatabase.SQL.txt>
+# <https://doc.dovecot.org/latest/core/config/auth/databases/sql.html>
-passdb {
- driver = sql
+# For the sql passdb module, you'll need a database with a table that
+# contains fields for at least the username and password. If you want to
+# use the user@domain syntax, you might want to have a separate domain
+# field as well.
+#
+# If your users all have the same uig/gid, and have predictable home
+# directories, you can use the static userdb module to generate the home
+# dir based on the username and domain. In this case, you won't need fields
+# for home, uid, or gid in the database.
+#
+# If you prefer to use the sql userdb module, you'll want to add fields
+# for home, uid, and gid. Here is an example table:
+#
+# CREATE TABLE users (
+# username VARCHAR(128) NOT NULL,
+# domain VARCHAR(128) NOT NULL,
+# password VARCHAR(64) NOT NULL,
+# home VARCHAR(255) NOT NULL,
+# uid INTEGER NOT NULL,
+# gid INTEGER NOT NULL,
+# active CHAR(1) DEFAULT 'Y' NOT NULL
+# );
+
+# Database driver: mysql, pgsql, sqlite
+sql_driver = pgsql
+
+# Database connection string. This is driver-specific setting.
+#
+# HA / round-robin load-balancing is supported by giving multiple host
+# settings, like: host=sql1.host.org host=sql2.host.org
+#
+# pgsql:
+# For available options, see the PostgreSQL documention for the
+# PQconnectdb function of libpq.
+# Use maxconns=n (default 5) to change how many connections Dovecot can
+# create to pgsql.
+#
+# mysql:
+# Basic options emulate PostgreSQL option names:
+# host, port, user, password, dbname
+#
+# But also adds some new settings:
+# client_flags - See MySQL manual
+# ssl_ca, ssl_ca_path - Set either one or both to enable SSL
+# ssl_cert, ssl_key - For sending client-side certificates to server
+# ssl_cipher - Set minimum allowed cipher security (default: HIGH)
+# option_file - Read options from the given file instead of
+# the default my.cnf location
+# option_group - Read options from the given group (default: client)
+#
+# You can connect to UNIX sockets by using host: host=/var/run/mysql.sock
+# Note that currently you can't use spaces in parameters.
+#
+# sqlite:
+# The path to the database file.
+#
+# Examples:
+# mysql 192.168.1.1 {
+# dbname = users
+# }
+# mysql sql.example.com {
+# ssl = yes
+# user = virtual
+# password = blarg
+# dbname = virtual
+# }
+# sqlite /etc/dovecot/authdb.sqlite {
+# }
+#
+#mysql /var/run/mysqld/mysqld.sock {
+# user = dovecot
+# password = dvmail
+# dbname = dovecot
+#}
+#mysql localhost {
+# ...
+#}
+
+pgsql localhost {
+ parameters {
+ dbname = mail_db
+ user = dovecot
+ }
+}
- # Path for SQL configuration file, see example-config/dovecot-sql.conf.ext
- args = /etc/dovecot/dovecot-sql.conf.ext
+passdb sql {
+# default_password_scheme = SHA256
+ query = \
+ SELECT username, domain, password \
+ FROM users \
+ WHERE username = '%{user | username}' AND active = 'Y'
}
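Review bot: The active `passdb sql` query matches on `username` only, although the table sketched in the comments has a separate `domain` column and the query returns it. If two rows share a local part in different domains, a login for one address can match the other row. The commented example further down already filters on both, so the last line of the query should read `WHERE username = '%{user | username}' AND domain = '%{user | domain}' AND active = 'Y'`. Separately, this file now ships an active `pgsql localhost` connection instead of pointing at an external file, which deserves a mention in the header comment.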
+# passdb query to retrieve the password. It can return fields:
+# password - The user's password. This field must be returned.
+# user - user@domain from the database. Needed with case-insensitive lookups.
+# username and domain - An alternative way to represent the "user" field.
+#
+# The "user" field is often necessary with case-insensitive lookups to avoid
+# e.g. "name" and "nAme" logins creating two different mail directories. If
+# your user and domain names are in separate fields, you can return "username"
+# and "domain" fields instead of "user".
+#
+# The query can also return other fields which have a special meaning, see
+# https://doc.dovecot.org/latest/core/config/auth/passdb.html#extra-fields
+#
+# Commonly used available substitutions (see https://doc.dovecot.org/latest/core/settings/variables.html
+# for full list):
+# %{user} = entire user@domain
+# %{user|username} = user part of user@domain
+# %{user|domain} = domain part of user@domain
+#
+# Note that these can be used only as input to SQL query. If the query outputs
+# any of these substitutions, they're not touched. Otherwise it would be
+# difficult to have eg. usernames containing '%' characters.
+#
+# Example:
+# query = SELECT userid AS user, pw AS password \
+# FROM users WHERE userid = '%u' AND active = 'Y'
+#
+# query = \
+# SELECT userid as username, domain, password \
+# FROM users WHERE userid = '%{user|username}' AND domain = '%{user|domain}'
+#}
+
+#userdb sql {
+# userdb query to retrieve the user information. It can return fields:
+# uid - System UID (overrides mail_uid setting)
+# gid - System GID (overrides mail_gid setting)
+# home - Home directory
+# mail_driver - Mail driver
+# mail_path - Mail storage path
+#
+# None of these are strictly required. If you use a single UID and GID, and
+# home or mail directory fits to a template string, you could use userdb static
+# instead. For a list of all fields that can be returned, see
+# Examples:
+# query = SELECT home, uid, gid FROM users WHERE userid = '%{user}'
+# query = SELECT dir AS home, user AS uid, group AS gid FROM users where userid = '%{user}'
+# query = SELECT home, 501 AS uid, 501 AS gid FROM users WHERE userid = '%{user}'
+#
+# query = \
+# SELECT home, uid, gid \
+# FROM users WHERE userid = '%{user|username}' AND domain = '%{user|domain}'
+
+# Query to get a list of all usernames.
+# iterate_query = SELECT username AS user,domain FROM users
+
+# userdb_ldap {
+# iterate_fields {
+# home = /var/vmail/%{home}
+# }
+# }
+#}
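Review bot: The sentence "For a list of all fields that can be returned, see" in the `userdb sql` comments ends without a reference. The userdb page linked elsewhere in this diff, `https://doc.dovecot.org/latest/core/config/auth/userdb.html`, looks like the intended target. The passdb example a few lines up still uses `'%u'` while every other query here uses `%{user}`, so it should probably read `WHERE userid = '%{user}' AND active = 'Y'`. The `userdb_ldap { iterate_fields { ... } }` block inside an SQL userdb also looks copied from another file and should be checked.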
+
+#passdb static {
+# fields {
+# user=%{user|username|lower}
+# noauthenticate=yes
+# }
+## you can remove next line if you want to always normalize your usernames
+# skip = authenticated
+#}
+
# "prefetch" user database means that the passdb already provided the
# needed information and there's no need to do a separate userdb lookup.
-# <doc/wiki/UserDatabase.Prefetch.txt>
-#userdb {
-# driver = prefetch
+# <https://doc.dovecot.org/latest/core/config/auth/databases/prefetch.html>
+#userdb prefetch {
#}
-#userdb {
-# driver = sql
-# args = /etc/dovecot/dovecot-sql.conf.ext
+#userdb static {
+# fields {
+# user=%{user|lower}
+# }
+# you can remove next line if you want to always normalize your usernames
+# skip = found
#}
# If you don't have any user-specific settings, you can avoid the user_query
# by using userdb static instead of userdb sql, for example:
-# <doc/wiki/UserDatabase.Static.txt>
-userdb {
- driver = static
- args = uid=vmail gid=vmail home=/var/vmail/%n
-}
+# <https://doc.dovecot.org/latest/core/config/auth/databases/static.html>
+#userdb static {
+ #fields {
+ # uid = vmail
+ # gid = vmail
+ # home = /var/vmail/%{user}
+ #}
+#}
-# Static passdb. Included from 10-auth.conf.
+# Static passdb. Included from auth.conf.
# This can be used for situations where Dovecot doesn't need to verify the
# username or the password, or if there is a single password for all users:
# - proxy backend, where the frontend already verified the password
# - authentication with SSL certificates
# - simple testing
+#
+# Each passdb must have unique name, but if you onlu use it once per driver
+# you can use driver name as passdb/userdb section name.
-#passdb {
-# driver = static
-# args = proxy=y host=%1Mu.example.com nopassword=y
+#passdb static {
+# fields {
+# proxy = y
+# host = %{user|md5|substr(1)}.example.com
+# nopassword = y
+# }
#}
-#passdb {
+#passdb static2 {
# driver = static
-# args = password=test
+# fields {
+# password = test
+# }
#}
-#userdb {
-# driver = static
-# args = uid=vmail gid=vmail home=/home/%u
+#userdb static {
+# fields {
+# uid = vmail
+# gid = vmail
+# home = /home/%{user}
+# }
#}
-# Authentication for system users. Included from 10-auth.conf.
+# Authentication for system users. Included from auth.conf.
#
-# <doc/wiki/PasswordDatabase.txt>
-# <doc/wiki/UserDatabase.txt>
+# <https://doc.dovecot.org/latest/core/config/auth/passdb.html>
+# <https://doc.dovecot.org/latest/core/config/auth/userdb.html>
+
+# Driver is only needed if the section name is not same as driver's name.
# PAM authentication. Preferred nowadays by most systems.
# PAM is typically used with either userdb passwd or userdb static.
# REMEMBER: You'll need /etc/pam.d/dovecot file created for PAM
-# authentication to actually work. <doc/wiki/PasswordDatabase.PAM.txt>
-passdb {
- driver = pam
- # [session=yes] [setcred=yes] [failure_show_msg=yes] [max_requests=<n>]
- # [cache_key=<key>] [<service name>]
- #args = dovecot
+# authentication to actually work. <https://doc.dovecot.org/latest/core/config/auth/databases/pam.html>
+passdb pam {
+# driver = pam
+# session = yes
+# setcred = yes
+# failure_show_msg = yes
+# max_requests = 20
+# service_name = dovecot
+# skip = authenticated
+# fields {
+# }
+}
+
+userdb passwd {
}
# System users (NSS, /etc/passwd, or similar).
# In many systems nowadays this uses Name Service Switch, which is
-# configured in /etc/nsswitch.conf. <doc/wiki/AuthDatabase.Passwd.txt>
-#passdb {
- #driver = passwd
- # [blocking=no]
- #args =
-#}
-
-# Shadow passwords for system users (NSS, /etc/shadow or similar).
-# Deprecated by PAM nowadays.
-# <doc/wiki/PasswordDatabase.Shadow.txt>
-#passdb {
- #driver = shadow
- # [blocking=no]
- #args =
+# configured in /etc/nsswitch.conf. <https://doc.dovecot.org/latest/core/config/auth/databases/passwd.html>
+#passdb passwb {
#}
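Review bot: The commented section is named `passwb`, which looks like a typo for `passwd`. The comment added near the top of this file says the driver line can be omitted only when the section name equals the driver name, so uncommenting `passdb passwb { }` as is would not select the passwd driver. The line should read `#passdb passwd {`. The same change set also turns "similar" into "similiar" in the user-database comment further down.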
# PAM-like authentication for OpenBSD.
-# <doc/wiki/PasswordDatabase.BSDAuth.txt>
-#passdb {
- #driver = bsdauth
- # [blocking=no] [cache_key=<key>]
- #args =
+# <https://doc.dovecot.org/latest/core/config/auth/databases/bsd.html>
+#passdb bsdauth {
#}
##
## User databases
##
-# System users (NSS, /etc/passwd, or similar). In many systems nowadays this
+# System users (NSS, /etc/passwd, or similiar). In many systems nowadays this
# uses Name Service Switch, which is configured in /etc/nsswitch.conf.
-userdb {
- # <doc/wiki/AuthDatabase.Passwd.txt>
- driver = passwd
- # [blocking=no]
- #args =
-
- # Override fields from passwd
- #override_fields = home=/home/virtual/%u
-}
+#userdb passwd-file {
+ #driver = passwd-file
+ #auth_username_format=%{user|lower}
+ #passwd_file_path = /etc/passwd
+ #fields {
+ # user= %{user|lower}
+ # name = %{user|lower}
+ # home = /var/vmail/%{user}
+ #}
+ #skip = found
+#}
-# Static settings generated from template <doc/wiki/UserDatabase.Static.txt>
-#userdb {
+# Static settings generated from template <https://doc.dovecot.org/latest/core/config/auth/databases/static.html>
+#userdb static {
#driver = static
# Can return anything a userdb could normally return. For example:
- #
- # args = uid=500 gid=500 home=/var/mail/%u
- #
+ # fields {
+ # uid = 500
+ # gid = 500
+ # home = /var/mail/%{user}
+ # }
# LDA and LMTP needs to look up users only from the userdb. This of course
# doesn't work with static userdb because there is no list of users.
# Normally static userdb handles this by doing a passdb lookup. This works
# with most passdbs, with PAM being the most notable exception. If you do
- # the user verification another way, you can add allow_all_users=yes to
- # the args in which case the passdb lookup is skipped.
- #
- #args =
+ # the user verification another way, you can add allow_all_users=yes
+ # in which case the passdb lookup is skipped.
+ #allow_all_users = yes
#}
## Dovecot configuration file
-# If you're in a hurry, see http://wiki2.dovecot.org/QuickConfiguration
+# If you're in a hurry, see https://doc.dovecot.org/latest/core/config/guides/quick.html
# "doveconf -n" command gives a clean output of the changed settings. Use it
# instead of copy&pasting files when posting to the Dovecot mailing list.
# and tabs are ignored. If you want to use either of these explicitly, put the
# value inside quotes, eg.: key = "# char and trailing whitespace "
-# Most (but not all) settings can be overridden by different protocols and/or
-# source/destination IPs by placing the settings inside sections, for example:
-# protocol imap { }, local 127.0.0.1 { }, remote 10.0.0.0/8 { }
-
# Default values are shown for each setting, it's not required to uncomment
# those. These are exceptions to this though: No sections (e.g. namespace {})
# or plugin settings are added by default, they're listed only as examples.
# Paths are also just examples with the real defaults being based on configure
-# options. The paths listed here are for configure --prefix=/usr
-# --sysconfdir=/etc --localstatedir=/var
+# options. The paths listed here are for configure --prefix=/usr/local
+# --sysconfdir=/usr/local/etc --localstatedir=/var
+
+dovecot_config_version = 2.4.0
+dovecot_storage_version = 2.4.0
-# Enable installed protocols
+# Protocols we want to be serving.
+#protocols = imap pop3 lmtp
!include_try /usr/share/dovecot/protocols.d/*.protocol
# A comma separated list of IPs or hosts where to listen in for connections.
# Space separated list of trusted network ranges. Connections from these
# IPs are allowed to override their IP addresses and ports (for logging and
# for authentication checks). disable_plaintext_auth is also ignored for
-# these networks. Typically you'd specify your IMAP proxy servers here.
+# these networks, unless ssl=required.
+# Typically you'd specify your IMAP proxy servers here.
#login_trusted_networks =
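Review bot: The comment for `login_trusted_networks` still names `disable_plaintext_auth`, but Dovecot 2.4, which `dovecot_config_version = 2.4.0` in this file targets, calls that setting `auth_allow_cleartext`. The sentence was edited here to add the `ssl=required` exception, so it should use the current name too. It could read `# for authentication checks). Cleartext authentication is also allowed for` followed by `# these networks, unless ssl=required.`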
-# Space separated list of login access check sockets (e.g. tcpwrap)
-#login_access_sockets =
-
# With proxy_maybe=yes if proxy destination matches any of these IPs, don't do
# proxying. This isn't necessary normally, but may be useful if the destination
# IP is e.g. a load balancer's IP.
# Show more verbose process titles (in ps). Currently shows user name and
# IP address. Useful for seeing who are actually using the IMAP processes
# (eg. shared mailboxes or if same uid is used for multiple accounts).
-#verbose_proctitle = no
+#verbose_proctitle = yes
# Should all processes be killed when Dovecot master process shuts down.
# Setting this to "no" means that Dovecot can be upgraded without
# Space separated list of environment variables that are preserved on Dovecot
# startup and passed down to all of its child processes. You can also give
# key=value pairs to always set specific settings.
-#import_environment = TZ
-
-##
-## Dictionary server settings
-##
-
-# Dictionary can be used to store key=value lists. This is used by several
-# plugins. The dictionary can be accessed either directly or though a
-# dictionary server. The following dict block maps dictionary names to URIs
-# when the server is used. These can then be referenced using URIs in format
-# "proxy::<name>".
-
-dict {
- #quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
- #expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
-}
+#import_environment {
+# TZ=%{env:TZ}
+#}
# Most of the actual configuration gets included below. The filenames are
# first sorted by their ASCII value and parsed in that order. The 00-prefixes