1 ## Dovecot 1.0 configuration file
3 # Default values are shown after each value, it's not required to uncomment
4 # any of the lines. Exception to this are paths, they're just examples
5 # with real defaults being based on configure options. The paths listed here
6 # are for configure --prefix=/usr --sysconfdir=/etc/dovecot
7 # --localstatedir=/var --with-ssldir=/etc/ssl
9 # Base directory where to store runtime data.
10 #base_dir = /var/run/dovecot/
12 # Protocols we want to be serving:
13 # imap imaps pop3 pop3s
16 # IP or host address where to listen in for connections. It's not currently
17 # possible to specify multiple addresses. "*" listens in all IPv4 interfaces.
18 # "[::]" listens in all IPv6 interfaces, but may also listen in all IPv4
19 # interfaces depending on the operating system. You can specify ports with
24 # IP or host address where to listen in for SSL connections. Defaults
25 # to above non-SSL equilevants if not specified.
29 # Disable SSL/TLS support.
32 # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
33 # dropping root privileges, so keep the key file unreadable by anyone but
35 #ssl_cert_file = /etc/ssl/certs/dovecot.pem
36 #ssl_key_file = /etc/ssl/private/dovecot.pem
38 # SSL parameter file. Master process generates this file for login processes.
39 # It contains Diffie Hellman and RSA parameters.
40 #ssl_parameters_file = /var/run/dovecot/ssl-parameters.dat
42 # How often to regenerate the SSL parameters file. Generation is quite CPU
43 # intensive operation. The value is in hours, 0 disables regeneration
45 #ssl_parameters_regenerate = 24
47 # Disable LOGIN command and all other plaintext authentications unless
48 # SSL/TLS is used (LOGINDISABLED capability). Note that 127.*.*.* and
49 # IPv6 ::1 addresses are considered secure, this setting has no effect if
50 # you connect from those addresses.
51 #disable_plaintext_auth = yes
53 # Use this logfile instead of syslog(). /dev/stderr can be used if you want to
54 # use stderr for logging (ONLY /dev/stderr - otherwise it is closed).
57 # For informational messages, use this logfile instead of the default
60 # Prefix for each line written to log file. % codes are in strftime(3)
62 #log_timestamp = "%b %d %H:%M:%S "
68 # Directory where authentication process places authentication UNIX sockets
69 # which login needs to be able to connect to. The sockets are created when
70 # running as root, so you don't have to worry about permissions. Note that
71 # everything in this directory is deleted when Dovecot is started.
72 #login_dir = /var/run/dovecot/login
74 # chroot login process to the login_dir. Only reason not to do this is if you
75 # wish to run the whole Dovecot without roots.
76 # http://wiki.dovecot.org/Rootless
86 # Executable location.
87 #login_executable = /usr/lib/dovecot/imap-login
89 # User to use for the login process. Create a completely new user for this,
90 # and don't use it anywhere else. The user must also belong to a group where
91 # only it has access, it's used to control access for authentication process.
92 # Note that this user is NOT used to access mails.
93 # http://wiki.dovecot.org/UserIds
96 # Set max. process size in megabytes. If you don't use
97 # login_process_per_connection you might need to grow this.
98 #login_process_size = 32
100 # Should each login be processed in it's own process (yes), or should one
101 # login process be allowed to process multiple connections (no)? Yes is more
102 # secure, espcially with SSL/TLS enabled. No is faster since there's no need
103 # to create processes all the time.
104 #login_process_per_connection = yes
106 # Number of login processes to create. If login_process_per_user is
107 # yes, this is the number of extra processes waiting for users to log in.
108 #login_processes_count = 3
110 # Maximum number of extra login processes to create. The extra process count
111 # usually stays at login_processes_count, but when multiple users start logging
112 # in at the same time more extra processes are created. To prevent fork-bombing
113 # we check only once in a second if new processes should be created - if all
114 # of them are used at the time, we double their amount until limit set by this
115 # setting is reached. This setting is used only if login_process_per_use is yes.
116 #login_max_processes_count = 128
118 # Maximum number of connections allowed in login state. When this limit is
119 # reached, the oldest connections are dropped. If login_process_per_user
120 # is no, this is a per-process value, so the absolute maximum number of users
121 # logging in actually login_processes_count * max_logging_users.
122 #login_max_logging_users = 256
125 ## POP3 login process
128 # Settings default to same as above, so you don't have to set anything
129 # unless you want to override them.
133 # Exception to above rule being the executable location.
134 #login_executable = /usr/lib/dovecot/pop3-login
140 # Maximum number of running mail processes. When this limit is reached,
141 # new users aren't allowed to log in.
142 #max_mail_processes = 1024
144 # Show more verbose process titles (in ps). Currently shows user name and
145 # IP address. Useful for seeing who are actually using the IMAP processes
146 # (eg. shared mailboxes or if same uid is used for multiple accounts).
147 #verbose_proctitle = no
149 # Show protocol level SSL errors.
152 # Valid UID range for users, defaults to 500 and above. This is mostly
153 # to make sure that users can't log in as daemons or other system users.
154 # Note that denying root logins is hardcoded to dovecot binary and can't
155 # be done even if first_valid_uid is set to 0.
156 #first_valid_uid = 500
159 # Valid GID range for users, defaults to non-root/wheel. Users having
160 # non-valid GID as primary group ID aren't allowed to log in. If user
161 # belongs to supplementary groups with non-valid GIDs, those groups are
166 # Grant access to these extra groups for mail processes. Typical use would be
167 # to give "mail" group write access to /var/mail to be able to create dotlocks.
168 mail_extra_groups = mail
170 # ':' separated list of directories under which chrooting is allowed for mail
171 # processes (ie. /var/mail will allow chrooting to /var/mail/foo/bar too).
172 # This setting doesn't affect login_chroot or auth_chroot variables.
173 # WARNING: Never add directories here which local users can modify, that
174 # may lead to root exploit. Usually this should be done only if you don't
175 # allow shell access for users. See
176 # /usr/share/doc/dovecot-common/configuration.txt for more information.
179 # Default chroot directory for mail processes. This can be overridden by
180 # giving /./ in user's home directory (eg. /home/./user chroots into /home).
183 # Default MAIL environment to use when it's not set. By leaving this empty
184 # dovecot tries to do some automatic detection as described in
185 # /usr/share/doc/dovecot-common/mail-storages.txt. There's a few special
186 # variables you can use:
189 # %n - user part in user@domain, same as %u if there's no domain
190 # %d - domain part in user@domain, empty if user there's no domain
191 # %h - home directory
193 # You can also limit a width of string by giving the number of max. characters
194 # after the '%' character. For example %1u gives the first character of
195 # username. Some examples:
197 # default_mail_env = maildir:/var/mail/%1u/%u/Maildir
198 # default_mail_env = mbox:~/mail/:INBOX=/var/mail/%u
199 # default_mail_env = mbox:/var/mail/%d/%n/:INDEX=/var/indexes/%d/%n
203 # Space-separated list of fields to cache for all mails. Currently these
204 # fields are allowed followed by a list of commands they speed up:
206 # Envelope - FETCH ENVELOPE and SEARCH FROM, TO, CC, BCC, SUBJECT,
207 # SENTBEFORE, SENTON, SENTSINCE, HEADER MESSAGE-ID,
210 # Bodystructure - FETCH BODY, BODYSTRUCTURE
211 # MessagePart - FETCH BODY[1.2.3] (ie. body parts), RFC822.SIZE,
212 # SEARCH SMALLER, LARGER, also speeds up BODY/BODYSTRUCTURE
213 # generation. This is always set with mbox mailboxes, and
214 # also default with Maildir.
216 # Different IMAP clients work in different ways, that's why Dovecot by default
217 # only caches MessagePart which speeds up most operations. Whenever client
218 # does something where caching could be used, the field is automatically marked
219 # to be cached later. For example after FETCH BODY the BODY will be cached
220 # for all new messages. Normally you should leave this alone, unless you know
221 # what most of your IMAP clients are. Caching more fields than needed makes
222 # the index files larger and generate useless I/O.
224 # With maildir there's one extra optimization - if nothing is cached, indexing
225 # the maildir becomes much faster since it's not opening any of the mail files.
226 # This could be useful if your IMAP clients access only new mails.
228 #mail_cache_fields = MessagePart
230 # Space-separated list of fields that Dovecot should never set to be cached.
231 # Useful if you want to save disk space at the cost of more I/O when the fields
233 #mail_never_cache_fields =
235 # Workarounds for various client bugs:
236 # oe6-fetch-no-newmail:
237 # Never send EXISTS/RECENT when replying to FETCH command. Outlook Express
238 # seems to think they are FETCH replies and gives user "Message no longer
239 # in server" error. Note that OE6 still breaks even with this workaround
240 # if synchronization is set to "Headers Only".
242 # Outlook and Outlook Express never abort IDLE command, so if no mail
243 # arrives in half a hour, Dovecot closes the connection. This is still
244 # fine, except Outlook doesn't connect back so you don't see if new mail
246 # outlook-pop3-no-nuls:
247 # Outlook and Outlook Express hang if mails contain NUL characters.
248 # This setting replaces them with 0x80 character.
249 #client_workarounds =
251 # Dovecot can notify client of new mail in selected mailbox soon after it's
252 # received. This setting specifies the minimum interval in seconds between
253 # new mail notifications to client - internally they may be checked more or
254 # less often. Setting this to 0 disables the checking.
255 # NOTE: Evolution client breaks with this option when it's trying to APPEND.
256 #mailbox_check_interval = 0
258 # Like mailbox_check_interval, but used for IDLE command.
259 #mailbox_idle_check_interval = 30
261 # Allow full filesystem access to clients. There's no access checks other than
262 # what the operating system does for the active UID/GID. It works with both
263 # maildir and mboxes, allowing you to prefix mailboxes names with eg. /path/
265 #mail_full_filesystem_access = no
267 # Maximum allowed length for custom flag name. It's only forced when trying
268 # to create new flags.
269 #mail_max_flag_length = 50
271 # Save mails with CR+LF instead of plain LF. This makes sending those mails
272 # take less CPU, especially with sendfile() syscall with Linux and FreeBSD.
273 # But it also creates a bit more disk I/O which may just make it slower.
276 # Use mmap() instead of read() to read mail files. read() seems to be a bit
277 # faster with my Linux/x86 and it's better with NFS, so that's the default.
278 #mail_read_mmaped = no
280 # By default LIST command returns all entries in maildir beginning with dot.
281 # Enabling this option makes Dovecot return only entries which are directories.
282 # This is done by stat()ing each entry, so it causes more disk I/O.
283 # (For systems setting struct dirent->d_type, this check is free and it's
284 # done always regardless of this setting)
285 #maildir_stat_dirs = no
287 # Copy mail to another folders using hard links. This is much faster than
288 # actually copying the file. This is problematic only if something modifies
289 # the mail in one folder but doesn't want it modified in the others. I don't
290 # know any MUA which would modify mail files directly. IMAP protocol also
291 # requires that the mails don't change, so it would be problematic in any case.
292 # If you care about performance, enable it.
293 #maildir_copy_with_hardlinks = no
295 # Check if mails' content has been changed by external programs. This slows
296 # down things as extra stat() needs to be called for each file. If changes are
297 # noticed, the message is treated as a new message, since IMAP protocol
298 # specifies that existing messages are immutable.
299 #maildir_check_content_changes = no
301 # Which locking methods to use for locking mbox. There's three available:
302 # dotlock: Create <mailbox>.lock file. This is the oldest and most NFS-safe
303 # solution. If you want to use /var/mail/ like directory, the users
304 # will need write access to that directory.
305 # fcntl : Use this if possible. Works with NFS too if lockd is used.
306 # flock : May not exist in all systems. Doesn't work with NFS.
308 # You can use both fcntl and flock too; if you do the order they're declared
309 # with is important to avoid deadlocks if other MTAs/MUAs are using both fcntl
310 # and flock. Some operating systems don't allow using both of them
311 # simultaneously, eg. BSDs. If dotlock is used, it's always created first.
312 #mbox_locks = dotlock fcntl
314 # Should we create dotlock file even when we want only a read-lock? Setting
315 # this to yes hurts the performance when the mailbox is accessed simultaneously
316 # by multiple processes, but it's needed for reliable reading if no other
317 # locking methods are available.
318 #mbox_read_dotlock = no
320 # Maximum time in seconds to wait for lock (all of them) before aborting.
321 #mbox_lock_timeout = 300
323 # If dotlock exists but the mailbox isn't modified in any way, override the
324 # lock file after this many seconds.
325 #mbox_dotlock_change_timeout = 30
327 # umask to use for mail files and directories
330 # Drop all privileges before exec()ing the mail process. This is mostly
331 # meant for debugging, otherwise you don't get core dumps. Note that setting
332 # this to yes means that log file is opened as the logged in user, which
333 # might not work. It could also be a small security risk if you use single UID
334 # for multiple users, as the users could ptrace() each others processes then.
335 #mail_drop_priv_before_exec = no
341 # Executable location
342 #imap_executable = /usr/lib/dovecot/imap
344 # Set max. process size in megabytes. Most of the memory goes to mmap()ing
345 # files, so it shouldn't harm much even if this limit is set pretty high.
346 #imap_process_size = 256
348 # Support for dynamically loadable modules.
349 #imap_use_modules = no
350 #imap_modules = /usr/lib/dovecot/imap
356 # Executable location
357 #pop3_executable = /usr/lib/dovecot/pop3
359 # Set max. process size in megabytes. Most of the memory goes to mmap()ing
360 # files, so it shouldn't harm much even if this limit is set pretty high.
361 #pop3_process_size = 256
363 # Support for dynamically loadable modules.
364 #pop3_use_modules = no
365 #pop3_modules = /usr/lib/dovecot/pop3
368 ## Authentication processes
371 # An Authentication process is a child process used by Dovecot that
372 # handles the authentication steps. The steps cover an authentication
373 # mechanism (auth_mechanisms, how the client authenticates in the IMAP or
374 # POP3 protocol), which password database should be queried (auth_passdb),
375 # and which user database should be queried (auth_userdb, to obtain
376 # UID, GID, and location of the user's mailbox/home directory).
378 # You can have multiple processes, though a typical configuration will
379 # have only one. Each time "auth = xx" is seen, a new process
380 # definition is started. The point of multiple processes is to be able
381 # to set stricter permissions. (See auth_user below.)
383 # Just remember that only one Authentication process is asked for the
384 # password, so you can't have different passwords accessible through
385 # different process definitions (unless they have different
386 # auth_mechanisms, and you're ok with having different password for
389 # Authentication process name.
392 # Specifies how the client authenticates in the IMAP protocol.
393 # Space separated list of permitted authentication mechanisms:
394 # anonymous plain digest-md5 cram-md5
396 # anonymous - No authentication required.
397 # plain - The password is sent as plain text. All IMAP/POP3 clients
398 # support this, and the password can be encrypted by Dovecot to match
399 # any of the encryption schemes used in password databases.
400 # digest-md5 and cram-md5 - both encrypt the password so it is more
401 # secure in transit, but are not well supported by clients, and
402 # require that the password database use a matching encryption
403 # scheme (or be in plaintext).
405 # See auth.txt for more details.
407 # If you are using SSL there is less benefit to digest-md5 and
408 # cram-md5 as the communication is already encrypted.
409 auth_mechanisms = plain
411 # Space separated list of realms for SASL authentication mechanisms that need
412 # them. You can leave it empty if you don't want to support multiple realms.
413 # Many clients simply use the first one listed here, so keep the default realm
417 # Default realm/domain to use if none was specified. This is used for both
418 # SASL realms and appending @domain to username in plaintext logins.
419 #auth_default_realm =
421 # User database specifies where mails are located and what user/group IDs
422 # own them. For single-UID configuration use "static".
423 # http://wiki.dovecot.org/Authentication
424 # http://wiki.dovecot.org/VirtualUsers
425 # passwd: /etc/passwd or similiar, using getpwnam()
426 # passwd-file <path>: passwd-like file with specified location
427 # static uid=<uid> gid=<gid> home=<dir template>: static settings
428 # vpopmail: vpopmail library
429 # ldap <config path>: LDAP, see /etc/dovecot/dovecot-ldap.conf
430 # mysql <config path>: a MySQL database, see /etc/dovecot/dovecot-mysql.conf
431 # pgsql <config path>: a PostgreSQL database, see
432 # /etc/dovecot/dovecot-pgsql.conf
435 # Password database specifies only the passwords for users.
436 # http://wiki.dovecot.org/Authentication
437 # passwd: /etc/passwd or similiar, using getpwnam()
438 # shadow: /etc/shadow or similiar, using getspnam()
439 # pam [<service> | *]: PAM authentication
440 # passwd-file <path>: passwd-like file with specified location
441 # vpopmail: vpopmail authentication
442 # ldap <config path>: LDAP, see /etc/dovecot/dovecot-ldap.conf
443 # mysql <config path>: a MySQL database, see /etc/dovecot/dovecot-mysql.conf
444 # pgsql <config path>: a PostgreSQL database, see
445 # /etc/dovecot/dovecot-pgsql.conf
448 #auth_executable = /usr/lib/dovecot/dovecot-auth
450 # Set max. process size in megabytes.
451 #auth_process_size = 256
453 # User to use for the process. This user needs access to only user and
454 # password databases, nothing else. Only shadow and pam authentication
455 # requires roots, so use something else if possible. Note that passwd
456 # authentication with BSDs internally accesses shadow files, which also
457 # requires roots. Note that this user is NOT used to access mails.
458 # That user is specified by auth_userdb above.
461 # Directory where to chroot the process. Most authentication backends don't
462 # work if this is set, and there's no point chrooting if auth_user is root.
465 # Number of authentication processes to create
468 # List of allowed characters in username. If the user-given username contains
469 # a character not listed in here, the login automatically fails. This is just
470 # an extra check to make sure user can't exploit any potential quote escaping
471 # vulnerabilities with SQL/LDAP databases. If you want to allow all characters,
472 # set this value to empty.
473 #auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
475 # Username to use for users logging in with ANONYMOUS SASL mechanism
476 #auth_anonymous_username = anonymous
478 # More verbose logging. Useful for figuring out why authentication isn't
482 # Even more verbose logging for debugging purposes. Shows for example SQL
486 # digest-md5 authentication process. It requires special MD5 passwords which
487 # /etc/shadow and PAM doesn't support, so we never need roots to handle it.
488 # Note that the passwd-file is opened before chrooting and dropping root
489 # privileges, so it may be 0600-root owned file.
492 #auth_mechanisms = digest-md5
494 #auth_userdb = passwd-file /etc/passwd.imap
495 #auth_passdb = passwd-file /etc/passwd.imap
496 #auth_user = imapauth
499 # if you plan to use only passwd-file, you don't need the two auth processes,
500 # simply set "auth_methods = plain digest-md5"