IMAPD.CONF(5) File Formats Manual IMAPD.CONF(5)

imapd.conf - IMAP configuration file

/etc/imapd.conf is the configuration file for the Cyrus IMAP server.
It defines local parameters for IMAP.

Each line of the /etc/imapd.conf file has the form

    option: value

where option is the name of the configuration option being set and
value is the value that the configuration option is being set to.

Although there is no limit to the length of a line, a ``\'' (backslash)
character may be used as the last character on a line to force it to
continue on the next one. No additional whitespace is inserted before
or after the ``\''. Note that a line that is split using ``\'' character(s)
is still considered a single line. For example

    option:\
    value1 value2 \
    value3

is equivalent to

    option: value1 value2 value3

Blank lines and lines beginning with ``#'' are ignored.

For boolean and enumerated options, the values ``yes'', ``on'', ``t'',
``true'' and ``1'' turn the option on, the values ``no'', ``off'',
``f'', ``false'' and ``0'' turn the option off.

The sections below detail options that can be placed in the
/etc/imapd.conf file, and show each option's default value. Some
options have no default value; these are listed with ``<no default>''.
Some options default to the empty string; these are listed with
``<none>''.

admins: <empty string>
    The list of userids with administrative rights. Separate each
    userid with a space. Sites using Kerberos authentication may use
    separate "admin" instances.

Note that accounts used by users should not be administrators.
Administrative accounts should not receive mail. That is, if user "jbRo" is
a user reading mail, he should not also be in the admins line. Some
problems may occur otherwise, most notably the ability of administrators
to create top-level mailboxes visible to users, but not writable
by users.

afspts_localrealms: <none>
    The list of realms which are to be treated as local, and thus
    stripped during identifier canonicalization (for the AFSPTS
    ptloader module). This is different from loginrealms in that it
    occurs later in the authorization process (as the user id is
    canonified for PTS lookup).

afspts_mycell: <none>
    Cell to use for AFS PTS lookups. Defaults to the local cell.

allowallsubscribe: 0
    Allow subscription to nonexistent mailboxes. This option is typically
    used on backend servers in a Murder so that users can subscribe
    to mailboxes that don't reside on their "home" server.
    This option can also be used as a workaround for IMAP clients
    which don't play well with nonexistent or unselectable mailboxes
    (e.g., Microsoft Outlook).

allowanonymouslogin: 0
    Permit logins by the user "anonymous" using any password. Also
    allows use of the SASL ANONYMOUS mechanism.

allowapop: 1
    Allow use of the POP3 APOP authentication command.

Note that this command requires that SASL is compiled with APOP support,
that the plaintext passwords are available in a SASL auxprop
backend (e.g., sasldb), and that the system can provide enough entropy
(e.g., from /dev/urandom) to create a challenge in the banner.

allownewnews: 0
    Allow use of the NNTP NEWNEWS command.

Note that this is a very expensive command and should only be enabled
when absolutely necessary.

allowplaintext: 0
    Allow the use of cleartext passwords on the wire.

allowusermoves: 0
    Allow moving user accounts (with associated meta-data) via RENAME
    or XFER.

Note that measures should be taken to make sure that the user being
moved is not logged in, and cannot login during the move. Failure to
do so may result in the user's meta-data (seen state, subscriptions,
etc) being corrupted or out of date.

altnamespace: 0
    Use the alternate IMAP namespace, where personal folders reside at
    the same level in the hierarchy as INBOX.

This option ONLY applies where interaction takes place with the
client/user. Currently this is limited to the IMAP protocol (imapd)
and Sieve scripts (lmtpd). This option does NOT apply to admin tools
such as cyradm (admins ONLY), reconstruct, quota, etc., NOR does it
affect LMTP delivery of messages directly to mailboxes via
plus-addressing.

annotation_db: skiplist
    The cyrusdb backend to use for mailbox annotations.

    Allowed values: berkeley, berkeley-hash, skiplist

anyoneuseracl: 1
    Should non-admin users be allowed to set ACLs for the 'anyone'
    user on their mailboxes? In a large organization this can cause
    support problems, but it's enabled by default.

annotation_definitions: <none>
    File containing external (third-party) annotation definitions.

Each line of the file specifies the properties of an annotation and has
the following form:

    name, scope, attrib-type, proxy-type, attrib-names, acl

name is the hierarchical name as in the draft standard, typically of
the form /vendor/acme/blurdybloop

scope
    specifies whether the annotation is for the server or a mailbox

attrib-type
    specifies the attribute data type which is one of: string,
    boolean, int, uint, or content-type

proxy-type
    specifies whether this attribute is for the backend or proxy
    servers or both (proxy_and_backend)

attrib-names
    is the space-separated list of available attributes for the
    annotation. Possible attribute names are (where the suffixless foo
    permits both foo.priv and foo.shared): value, value.shared,
    value.priv, size, size.shared, size.priv, modifiedsince,
    modifiedsince.shared, modifiedsince.priv, content-type,
    content-type.shared, content-type.priv

acl is the extra ACL requirements for setting annotations. This is the
standard IMAP ACL permission bit string format. Particularly useful
is the 'a' right to require admin privileges. Note that some ACL
requirements (read and write on the mailbox) are hard-wired in the
server.

Blank lines and lines beginning with ``#'' are ignored.

auth_mech: unix
    The authorization mechanism to use.

    Allowed values: unix, pts, krb, krb5

autocreatequota: 0
    If nonzero, normal users may create their own IMAP accounts by
    creating the mailbox INBOX. The user's quota is set to the value
    if it is positive, otherwise the user has unlimited quota.

berkeley_cachesize: 512
    Size (in kilobytes) of the shared memory buffer pool (cache) used
    by the berkeley environment. The minimum allowed value is 20.
    The maximum allowed value is 4194303 (4GB).

berkeley_locks_max: 50000
    Maximum number of locks to be held or requested in the berkeley
    environment.

berkeley_txns_max: 100
    Maximum number of transactions to be supported in the berkeley
    environment.

client_timeout: 10
    Number of seconds to wait before returning a timeout failure when
    performing a client connection (e.g., in a murder environment).

createonpost: 0
    If yes, when lmtpd receives an incoming mail for an INBOX that
    does not exist, then the INBOX is automatically created by lmtpd.

autocreateinboxfolders: <none>
    If a user does not have an INBOX created then the INBOX as well as
    some INBOX subfolders are created under two conditions. 1. The
    user logs in via the IMAP or the POP3 protocol (the autocreatequota
    option must have a nonzero value). 2. A message arrives for the
    user through the LMTPD protocol (the createonpost option must be yes).
    autocreateinboxfolders is a list of INBOX's subfolders separated
    by a "|", that are automatically created by the server under the
    previous two situations.

autosubscribeinboxfolders: <none>
    A list of folder names, separated by "|", that the users get
    automatically subscribed to, when their INBOX is created. These folder
    names must have been included in the autocreateinboxfolders option
    of the imapd.conf.

autosubscribesharedfolders: <none>
    A list of shared folders (bulletin boards), separated by "|", that
    the users get automatically subscribed to, after their INBOX is
    created. The shared folder must have been created and the user
    must have the required permissions to get subscribed to it.
    Otherwise, subscribing to the shared folder fails.

autosubscribe_all_sharedfolders: 0
    If set to yes, the user is automatically subscribed to all shared
    folders that the user has permission to subscribe to.

autocreate_sieve_script: <none>
    The full path of a file that contains a sieve script. This script
    automatically becomes a user's initial default sieve filter
    script. When this option is not defined, no default sieve filter
    is created. The file must be readable by the cyrus daemon.

autocreate_sieve_compiledscript: <none>
    The full path of a file that contains a sieve script compiled to
    bytecode. This script automatically becomes a user's initial default
    sieve filter script. If this option is not specified, or the
    filename doesn't exist then the script defined by
    autocreate_sieve_script is compiled on the fly and installed as the
    user's default sieve script.

generate_compiled_sieve_script: 0
    If set to yes and no compiled sieve script file exists, the sieve
    script which is compiled on the fly will be saved in the file name
    that autocreate_sieve_compiledscript option points to. In order for a
    compiled script to be generated, autocreate_sieve_script and
    autocreate_sieve_compiledscript must have valid values.

autocreate_users: anyone
    A space separated list of users and/or groups whose INBOX is
    allowed to be automatically created.

configdirectory: <none>
    The pathname of the IMAP configuration directory. This field is
    required.

debug_command: <none>
    Debug command to be used by processes started with -D option. The
    string is a C format string that gets 3 options: the first is the
    name of the executable (without path). The second is the pid
    (integer) and the third is the service ID. Example:
    /usr/local/bin/gdb /usr/cyrus/bin/%s %d

defaultacl: anyone lrs
    The Access Control List (ACL) placed on a newly-created (non-user)
    mailbox that does not have a parent mailbox.

defaultdomain: <none>
    The default domain for virtual domain support.

defaultpartition: <none>
    The partition name used by default for new mailboxes. If not
    specified, the partition with the most free space will be used for
    new mailboxes.

defaultserver: <none>
    The backend server name used by default for new mailboxes. If not
    specified, the server with the most free space will be used for
    new mailboxes.

deletedprefix: DELETED
    If "delete_mode" is set to "delayed", the prefix for the deleted
    mailboxes hierarchy. The hierarchy delimiter will be automatically
    appended.

delete_mode: immediate
    The manner in which mailboxes are deleted. "Immediate" mode is the
    default behavior in which mailboxes are removed immediately. In
    "delayed" mode, mailboxes are renamed to a special hierarchy
    defined by the "deletedprefix" option to be removed later by
    cyr_expire.

    Allowed values: immediate, delayed

deleteright: c
    Deprecated - only used for backwards compatibility with existing
    installations. Lists the old RFC 2086 right which was used to
    grant the user the ability to delete a mailbox. If a user has
    this right, they will automatically be given the new 'x' right.

disconnect_on_vanished_mailbox: 0
    If enabled, IMAP/POP3/NNTP clients will be disconnected by the
    server if the currently selected mailbox is (re)moved by another
    session. Otherwise, the missing mailbox is treated as empty while
    in use by the client.

duplicate_db: berkeley-nosync
    The cyrusdb backend to use for the duplicate delivery suppression
    and sieve.

    Allowed values: berkeley, berkeley-nosync, berkeley-hash,
    berkeley-hash-nosync, skiplist, sql

duplicatesuppression: 1
    If enabled, lmtpd will suppress delivery of a message to a mailbox
    if a message with the same message-id (or resent-message-id) is
    recorded as having already been delivered to the mailbox. Records
    the mailbox and message-id/resent-message-id of all successful
    deliveries.

expunge_mode: immediate
    The mode in which messages (and their corresponding cache entries)
    are expunged. "Immediate" mode is the default behavior in which
    the message files and cache entries are purged at the time of the
    EXPUNGE. In "delayed" mode, the messages are removed from the
    mailbox index at the time of the EXPUNGE (hiding them from the
    client), but the message files and cache entries are left behind,
    to be purged at a later time by "cyr_expire". This reduces the
    amount of I/O that takes place at the time of EXPUNGE and should
    result in greater responsiveness for the client, especially when
    expunging a large number of messages.

    Allowed values: immediate, delayed

flushseenstate: 0
    If enabled, changes to the seen state will be flushed to disk
    immediately, otherwise changes will be cached and flushed when the
    mailbox is closed. This option may be used to fix the problem of
    previously read messages being marked as unread in Microsoft
    Outlook, at the expense of a loss of performance/scalability.

foolstupidclients: 0
    If enabled, only list the personal namespace when a LIST "*" is
    performed (it changes the request to a LIST "INBOX*").

force_sasl_client_mech: <none>
    Force preference of a given SASL mechanism for client side
    operations (e.g., murder environments). This is separate from (and
    overridden by) the ability to use the <host shortname>_mechs
    option to set preferred mechanisms for a specific host.

fulldirhash: 0
    If enabled, uses an improved directory hashing scheme which hashes
    on the entire username instead of using just the first letter as
    the hash. This changes the hash algorithm used for quota and user
    directories and, if hashimapspool is enabled, the entire mail
    spool.

Note that this option CANNOT be changed on a live system. The server
must be quiesced and then the directories moved with the rehash
utility.

guid_mode: off
    The method used to calculate Globally Unique IDentifiers of
    messages (used by the replication engine). The "sha1" method
    calculates a SHA1 hash of the entire message.

    Allowed values: off, sha1

hashimapspool: 0
    If enabled, the partitions will also be hashed, in addition to the
    hashing done on configuration directories. This is recommended if
    one partition has a very bushy mailbox tree.

hostname_mechs: <none>
    Force a particular list of SASL mechanisms to be used when
    authenticating to the backend server hostname (where hostname is the
    short hostname of the server in question). If it is not specified
    it will query the server for available mechanisms and pick one to
    use. - Cyrus Murder

hostname_password: <none>
    The password to use for authentication to the backend server
    hostname (where hostname is the short hostname of the server) - Cyrus
    Murder

idlesocket: {configdirectory}/socket/idle
    Unix domain socket that idled listens on.

ignorereference: 0
    For backwards compatibility with Cyrus 1.5.10 and earlier --
    ignore the reference argument in LIST or LSUB commands.

imapidlepoll: 60
    The interval (in seconds) for polling for mailbox changes and
    ALERTs while running the IDLE command. This option is used when
    idled is not enabled or cannot be contacted. The minimum value is
    1. A value of 0 will disable IDLE.

imapidresponse: 1
    If enabled, the server responds to an ID command with a parameter
    list containing: version, vendor, support-url, os, os-version,
    command, arguments, environment. Otherwise the server returns
    NIL.

imapmagicplus: 0
    Only list a restricted set of mailboxes via IMAP by using
    userid+namespace syntax as the authentication/authorization id.
    Using userid+ (with an empty namespace) will list only subscribed
    mailboxes.

implicit_owner_rights: lkxa
    The implicit Access Control List (ACL) for the owner of a mailbox.

@include: <none>
    Directive which includes the specified file as part of the
    configuration. If the path to the file is not absolute, CYRUS_PATH is
    prepended.

improved_mboxlist_sort: 0
    If enabled, a special comparator will be used which will correctly
    sort mailbox names that contain characters such as ' ' and '-'.

Note that this option SHOULD NOT be changed on a live system. The
mailboxes database should be dumped before the option is changed,
removed, and then undumped after changing the option.

ldap_authz: <none>
    SASL authorization ID for the LDAP server.

ldap_base: <empty string>
    Contains the LDAP base dn for the LDAP ptloader module.

ldap_bind_dn: <none>
    Bind DN for the connection to the LDAP server (simple bind). Do
    not use for anonymous simple binds.

ldap_deref: never
    Specify how alias dereferencing is handled during search.

    Allowed values: search, find, always, never

ldap_filter: (uid=%u)
    Specify a filter that searches user identifiers. The following
    tokens can be used in the filter string:

    %% = %
    %u = user
    %U = user portion of %u (%U = test when %u = test@domain.tld)
    %d = domain portion of %u if available (%d = domain.tld when
         %u = test@domain.tld), otherwise same as %r
    %D = user dn. (use when ldap_member_method: filter)
    %1-9 = domain tokens (%1 = tld, %2 = domain when %d = domain.tld)

    ldap_filter is not used when ldap_sasl is enabled.
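
The token substitution described for ldap_filter, as an added Python example (not code from the Cyrus project). Whether ptloader escapes substituted values is not stated on this page, so the RFC 4515 escaping here is an assumption made for the illustration, as are the names expand_filter, escape_value and fallback_domain (which stands in for %r, a token this page mentions but does not define).

```python
import re

# RFC 4515: these characters must be escaped inside a filter assertion value,
# otherwise a userid containing them changes the structure of the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_value(value):
    """Escape one substituted value so it stays a literal inside the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template, user, user_dn="", fallback_domain=""):
    """Expand %%, %u, %U, %d, %D and %1-9 as listed in the man page.

    fallback_domain is a hypothetical parameter standing in for %r.
    A %N token with no matching domain label expands to "" (assumption).
    """
    local, at, domain = user.partition("@")
    if not at:
        domain = fallback_domain
    # %1 is the TLD, %2 the label before it, and so on.
    labels = domain.split(".")[::-1] if domain else []

    def substitute(match):
        token = match.group(1)
        if token == "%":
            return "%"
        if token == "u":
            return escape_value(user)
        if token == "U":
            return escape_value(local)
        if token == "d":
            return escape_value(domain)
        if token == "D":
            return escape_value(user_dn)
        index = int(token)  # one of 1-9
        return escape_value(labels[index - 1]) if index <= len(labels) else ""

    # Unknown %x sequences are left untouched.
    return re.sub(r"%([%uUdD1-9])", substitute, template)


if __name__ == "__main__":
    # Constructed inputs.
    print(expand_filter("(uid=%u)", "test@domain.tld"))
    print(expand_filter("(&(uid=%U)(o=%2)(c=%1))", "test@domain.tld"))
    print(expand_filter("(uid=%u)", "a*(b)"))
```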

ldap_group_base: <empty string>
    LDAP base dn for ldap_group_filter.

ldap_group_filter: (cn=%u)
    Specify a filter that searches for group identifiers. See
    ldap_filter for more options.

ldap_group_scope: sub
    Specify search scope for ldap_group_filter.

    Allowed values: sub, one, base

ldap_id: <none>
    SASL authentication ID for the LDAP server.

ldap_mech: <none>
    SASL mechanism for LDAP authentication.

ldap_member_attribute: <none>
    See ldap_member_method.

ldap_member_base: <empty string>
    LDAP base dn for ldap_member_filter.

ldap_member_filter: (member=%D)
    Specify a filter for "ldap_member_method: filter". See
    ldap_filter for more options.

ldap_member_method: attribute
    Specify a group method. The "attribute" method retrieves groups
    from a multi-valued attribute specified in ldap_member_attribute.

    The "filter" method uses a filter, specified by
    ldap_member_filter, to find groups; ldap_member_attribute is a
    single-value attribute group name.

    Allowed values: attribute, filter

ldap_member_scope: sub
    Specify search scope for ldap_member_filter.

    Allowed values: sub, one, base

ldap_password: <none>
    Password for the connection to the LDAP server (SASL and simple
    bind). Do not use for anonymous simple binds.

ldap_realm: <none>
    SASL realm for LDAP authentication.

ldap_referrals: 0
    Specify whether or not the client should follow referrals.

ldap_restart: 1
    Specify whether or not LDAP I/O operations are automatically
    restarted if they abort prematurely.

ldap_sasl: 1
    Use SASL for LDAP binds in the LDAP PTS module.

ldap_sasl_authc: <none>
    Deprecated. Use ldap_id

ldap_sasl_authz: <none>
    Deprecated. Use ldap_authz

ldap_sasl_mech: <none>
    Deprecated. Use ldap_mech

ldap_sasl_password: <none>
    Deprecated. Use ldap_password

ldap_sasl_realm: <none>
    Deprecated. Use ldap_realm

ldap_scope: sub
    Specify search scope.

    Allowed values: sub, one, base

ldap_servers: ldap://localhost/
    Deprecated. Use ldap_uri

ldap_size_limit: 1
    Specify a number of entries for a search request to return.

ldap_start_tls: 0
    Use StartTLS extended operation. Do not use ldaps: ldap_uri when
    this option is enabled.

ldap_time_limit: 5
    Specify a number of seconds for a search request to complete.

ldap_timeout: 5
    Specify a number of seconds a search can take before timing out.

ldap_tls_cacert_dir: <none>
    Path to directory with CA (Certificate Authority) certificates.

ldap_tls_cacert_file: <none>
    File containing CA (Certificate Authority) certificate(s).

ldap_tls_cert: <none>
    File containing the client certificate.

ldap_tls_check_peer: 0
    Require and verify server certificate. If this option is yes, you
    must specify ldap_tls_cacert_file or ldap_tls_cacert_dir.

ldap_tls_ciphers: <none>
    List of SSL/TLS ciphers to allow. The format of the string is
    described in ciphers(1).

ldap_tls_key: <none>
    File containing the private client key.

ldap_uri: <none>
    Contains a list of the URLs of all the LDAP servers when using the
    LDAP PTS module.
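
A configuration audit built on the file syntax described at the top of this page and on the authentication and LDAP TLS options listed above, as an added Python example (not part of Cyrus). The function names, the constructed SAMPLE input, the whitespace trimming and the whitespace-separated reading of ldap_uri are assumptions of the example; defaults and boolean spellings are the ones this page gives.

```python
# Boolean spellings and defaults are taken from this man page.
TRUE_WORDS = {"yes", "on", "t", "true", "1"}
FALSE_WORDS = {"no", "off", "f", "false", "0"}
DEFAULTS = {"allowplaintext": "0", "allowanonymouslogin": "0", "loginuseacl": "0",
            "ldap_start_tls": "0", "ldap_tls_check_peer": "0"}
DEPRECATED = {"ldap_sasl_authc": "ldap_id", "ldap_sasl_authz": "ldap_authz",
              "ldap_sasl_mech": "ldap_mech", "ldap_sasl_password": "ldap_password",
              "ldap_sasl_realm": "ldap_realm", "ldap_servers": "ldap_uri"}

# Constructed sample input, not a real deployment.
SAMPLE = """\
# mail store
configdirectory: /var/lib/imap
admins: cyrus \\
backup
allowplaintext: yes
allowanonymouslogin: off
ldap_uri: ldaps://ldap.example.org/
ldap_password: not-a-real-secret
ldap_sasl_mech: PLAIN
"""


def parse_imapd_conf(text):
    """Return {option: value} following the syntax rules in the man page."""
    # A trailing backslash joins the next physical line; nothing is inserted.
    logical, pending = [], ""
    for raw in text.splitlines():
        if raw.endswith("\\"):
            pending += raw[:-1]
            continue
        logical.append(pending + raw)
        pending = ""
    if pending:
        logical.append(pending)

    options = {}
    for line in logical:
        stripped = line.strip()  # assumption: surrounding whitespace is not significant
        if not stripped or stripped.startswith("#"):
            continue
        name, sep, value = stripped.partition(":")
        if not sep:
            raise ValueError(f"not in 'option: value' form: {stripped!r}")
        options[name.strip()] = value.strip()
    return options


def as_bool(options, name):
    """Interpret an option with the boolean spellings the man page lists."""
    word = options.get(name, DEFAULTS[name]).lower()
    if word in TRUE_WORDS:
        return True
    if word in FALSE_WORDS:
        return False
    raise ValueError(f"{name}: {word!r} is not a boolean value")


def audit(options):
    """Return sorted (option, message) findings. Secret values are never echoed."""
    findings = []
    if as_bool(options, "allowplaintext"):
        findings.append(("allowplaintext", "cleartext passwords are accepted on the wire"))
    if as_bool(options, "allowanonymouslogin"):
        findings.append(("allowanonymouslogin", "user 'anonymous' may log in with any password"))
    if as_bool(options, "loginuseacl"):
        findings.append(("loginuseacl", "identities with the 'a' right on an INBOX may log in as its owner"))

    uris = options.get("ldap_uri", "").split()  # assumption: whitespace-separated list
    uses_ldaps = any(u.lower().startswith("ldaps:") for u in uris)
    start_tls = as_bool(options, "ldap_start_tls")
    check_peer = as_bool(options, "ldap_tls_check_peer")
    if start_tls and uses_ldaps:
        findings.append(("ldap_start_tls", "must not be combined with an ldaps: ldap_uri"))
    if (start_tls or uses_ldaps) and not check_peer:
        findings.append(("ldap_tls_check_peer", "TLS to LDAP is used but the server certificate is not verified"))
    if check_peer and not (options.get("ldap_tls_cacert_file") or options.get("ldap_tls_cacert_dir")):
        findings.append(("ldap_tls_check_peer", "enabled without ldap_tls_cacert_file or ldap_tls_cacert_dir"))

    for name, value in options.items():
        if name in DEPRECATED:
            findings.append((name, f"deprecated, use {DEPRECATED[name]}"))
        if name.endswith("_password") and value:
            findings.append((name, "secret stored in the file; keep it unreadable to other accounts"))
    return sorted(findings)


if __name__ == "__main__":
    for option, message in audit(parse_imapd_conf(SAMPLE)):
        print(f"{option}: {message}")
```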

ldap_version: 3
    Specify the LDAP protocol version. If ldap_start_tls and/or
    ldap_use_sasl are enabled, ldap_version will be automatically set
    to 3.

lmtp_downcase_rcpt: 0
    If enabled, lmtpd will convert the recipient addresses to
    lowercase (up to a '+' character, if present).

lmtp_fuzzy_mailbox_match: 0
    If enabled, and the mailbox specified in the detail part of the
    recipient (everything after the '+') does not exist, lmtpd will
    try to find the closest match (ignoring case, ignoring whitespace,
    falling back to parent) to the specified mailbox name.

lmtp_over_quota_perm_failure: 0
    If enabled, lmtpd returns a permanent failure code when a user's
    mailbox is over quota. By default, the failure is temporary,
    causing the MTA to queue the message and retry later.

lmtp_strict_quota: 0
    If enabled, lmtpd returns a failure code when the incoming message
    will cause the user's mailbox to exceed its quota. By default,
    the failure won't occur until the mailbox is already over quota.

lmtpsocket: {configdirectory}/socket/lmtp
    Unix domain socket that lmtpd listens on, used by deliver(8). This
    should match the path specified in cyrus.conf(5).

loginrealms: <empty string>
    The list of remote realms whose users may authenticate using
    cross-realm authentication identifiers. Separate each realm name
    by a space. (A cross-realm identity is considered any identity
    returned by SASL with an "@" in it.)

loginuseacl: 0
    If enabled, any authentication identity which has 'a' rights on a
    user's INBOX may log in as that user.

logtimestamps: 0
    Include notations in the protocol telemetry logs indicating the
    number of seconds since the last command or response.

mailbox_default_options: 0
    Default "options" field for the mailbox on create. You'll want to
    know what you're doing before setting this, but it can apply some
    default annotations like condstore or duplicate suppression.

mailnotifier: <none>
    Notifyd(8) method to use for "MAIL" notifications. If not set,
    "MAIL" notifications are disabled.

maxheaderlines: 1000
    Maximum number of lines of header that will be processed into
    cache records. Default 1000. If set to zero, it is unlimited.
    If a message hits the limit, an error will be logged and the rest
    of the lines in the header will be skipped. This is to avoid
    malformed messages causing giant cache records.

maxmessagesize: 0
    Maximum incoming LMTP message size. If non-zero, lmtpd will
    reject messages larger than maxmessagesize bytes. If set to 0,
    this will allow messages of any size (the default).

maxquoted: 131072
    Maximum size of a single quoted string for the parser. Default
    128k.

maxword: 131072
    Maximum size of a single word for the parser. Default 128k.

mboxkey_db: skiplist
    The cyrusdb backend to use for mailbox keys.

    Allowed values: berkeley, skiplist

mboxlist_db: skiplist
    The cyrusdb backend to use for the mailbox list.

    Allowed values: flat, berkeley, berkeley-hash, skiplist

metapartition_files: <empty string>
    Space-separated list of metadata files to be stored on a
    metapartition rather than in the mailbox directory on a spool
    partition.

    Allowed values: header, index, cache, expunge, squat

metapartition-name: <none>
    The pathname of the metadata partition name, corresponding to
    spool partition partition-name. For any mailbox residing in a
    directory on partition-name, the metadata files listed in
    metapartition_files will be stored in a corresponding directory on
    metapartition-name. Note that not every partition-name option is
    required to have a corresponding metapartition-name option, so
    that you can selectively choose which spool partitions will have
    separate metadata partitions.

mupdate_authname: <none>
    The SASL username (Authentication Name) to use when authenticating
    to the mupdate server (if needed).

mupdate_config: standard
    The configuration of the mupdate servers in the Cyrus Murder. The
    "standard" config is one in which there are discrete frontend
    (proxy) and backend servers. The "unified" config is one in which
    a server can be both a frontend and backend. The "replicated"
    config is one in which multiple backend servers all share the same
    mailspool, but each have their own "replicated" copy of
    mailboxes.db.

    Allowed values: standard, unified, replicated

md5_dir: /var/lib/imap/md5
    Top level directory for MD5 store manipulated by make_md5. File
    structure within this directory is one file for each user on the
    system, hashed on the first letter of the userid (e.g.,
    /var/imap/md5/d/dpc22).

Note: This Invoca RPM build uses /var/lib/imap/md5 by default instead
of /var/imap/md5 for md5_dir.

md5_user_map: <none>
    Map file (cdb) to allow partial make_md5 runs. Maps username to
    UID.

munge8bit: 1
    If enabled, lmtpd munges messages with 8-bit characters in the
    headers. The 8-bit characters are changed to `X'. If reject8bit
    is enabled, setting munge8bit has no effect. (A proper solution
    to non-ASCII characters in headers is offered by RFC 2047 and its
    predecessors.)

mupdate_connections_max: 128
    The max number of connections that a mupdate process will allow;
    this is related to the number of file descriptors in the mupdate
    process. Beyond this number connections will be immediately
    issued a BYE response.

mupdate_password: <none>
    The SASL password (if needed) to use when authenticating to the
    mupdate server.

mupdate_port: 3905
    The port of the mupdate server for the Cyrus Murder.

mupdate_realm: <none>
    The SASL realm (if needed) to use when authenticating to the
    mupdate server.

mupdate_retry_delay: 20
    The base time to wait between connection retries to the mupdate
    server.

mupdate_server: <none>
    The mupdate server for the Cyrus Murder.

mupdate_username: <empty string>
    The SASL username (Authorization Name) to use when authenticating
    to the mupdate server.

mupdate_workers_max: 50
    The maximum number of mupdate worker threads (overall).

mupdate_workers_maxspare: 10
    The maximum number of idle mupdate worker threads.

mupdate_workers_minspare: 2
    The minimum number of idle mupdate worker threads.

mupdate_workers_start: 5
    The number of mupdate worker threads to start.

749 netscapeurl: <none>
750 If enabled at compile time, this specifies a URL to reply when
751 Netscape asks the server where the mail administration HTTP server
752 is. Administrators should set this to a local resource.
753
754 newsmaster: news
755 Userid that is used for checking access controls when executing
756 Usenet control messages. For instance, to allow articles to be
757 automatically deleted by cancel messages, give the "news" user the
758 'd' right on the desired mailboxes. To allow newsgroups to be
759 automatically created, deleted and renamed by the corresponding
760 control messages, give the "news" user the 'c' right on the
761 desired mailbox hierarchies.
762
763 newspeer: <none>
764 A list of whitespace-separated news server specifications to which
765 articles should be fed. Each server specification is a string of
766 the form [user[:pass]@]host[:port][/wildmat] where 'host' is the
767 fully qualified hostname of the server, 'port' is the port on
768 which the server is listening, 'user' and 'pass' are the authenti‐
769 cation credentials and 'wildmat' is a pattern that specifies which
770 groups should be fed. If no 'port' is specified, port 119 is
771 used. If no 'wildmat' is specified, all groups are fed. If
772 'user' is specified (even if empty), then the NNTP POST command
773 will be used to feed the article to the server, otherwise the
774 IHAVE command will be used.
775
776 A '@' may be used in place of '!' in the wildmat to prevent feed‐
777 ing articles cross-posted to the given group, otherwise cross-
778 posted articles are fed if any part of the wildmat matches. For
779 example, the string "peer.example.com:*,!control.*,@local.*" would
780 feed all groups except control messages and local groups to
781 peer.example.com. In the case of cross-posting to local groups,
782 these articles would not be fed.
783
784 newspostuser: <none>
785 Userid used to deliver usenet articles to newsgroup folders (usu‐
786 ally via lmtp2nntp). For example, if set to "post", email sent to
787 "post+comp.mail.imap" would be delivered to the "comp.mail.imap"
788 folder.
789
790 When set, the Cyrus NNTP server will add a To: header to each
791 incoming usenet article. This To: header will contain email
792 delivery addresses corresponding to each newsgroup in the News‐
793 groups: header. By default, a To: header is not added to usenet
794 articles.
795
796 newsprefix: <none>
797 Prefix to be prepended to newsgroup names to make the correspond‐
798 ing IMAP mailbox names.
799
800 nntptimeout: 3
801 Set the length of the NNTP server's inactivity autologout timer,
802 in minutes. The minimum value is 3, the default.
803
804 notifysocket: {configdirectory}/socket/notify
805 Unix domain socket that the mail notification daemon listens on.
806
807 partition-name: <none>
808 The pathname of the partition name. At least one partition path‐
809 name MUST be specified. If the defaultpartition option is used,
810 then its pathname MUST be specified. For example, if the value of
811 the defaultpartion option is default, then the partition-default
812 field is required.
813
814 plaintextloginpause: 0
815 Number of seconds to pause after a successful plaintext login.
816 For systems that support strong authentication, this permits users
817 to perceive a cost of using plaintext passwords. (This does not
818 affect the use of PLAIN in SASL authentications.)
819
820 plaintextloginalert: <none>
821 Message to send to client after a successful plaintext login.
822
823 popexpiretime: -1
824 The number of days advertised as being the minimum a message may
825 be left on the POP server before it is deleted (via the CAPA com‐
826 mand, defined in the POP3 Extension Mechanism, which some clients
827 may support). "NEVER", the default, may be specified with a nega‐
828 tive number. The Cyrus POP3 server never deletes mail, no matter
829 what the value of this parameter is. However, if a site imple‐
830 ments a less liberal policy, it needs to change this parameter
831 accordingly.
832
833 popminpoll: 0
834 Set the minimum amount of time the server forces users to wait
835 between successive POP logins, in minutes.
836
837 popsubfolders: 0
838 Allow access to subfolders of INBOX via POP3 by using userid+sub‐
839 folder syntax as the authentication/authorization id.
840
841 poppollpadding: 1
842 Create a softer minimum poll restriction. Allows poppollpadding
843 connections before the minpoll restriction is triggered. Addi‐
844 tionally, one padding entry is recovered every popminpoll minutes.
845 This allows for the occasional polling rate faster than popmin‐
846 poll, (i.e., for clients that require a send/receive to send mail)
847 but still enforces the rate long-term. Default is 1 (disabled).
848
849 The easiest way to think of it is a queue of past connections,
850 with one slot being filled for every connection, and one slot
851 being cleared every popminpoll minutes. When the queue is full,
852 the user will not be able to check mail again until a slot is
853 cleared. If the user waits a sufficient amount of time, they will
854 get back many or all of the slots.
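
The queue described above can be replayed offline to see what a given popminpoll/poppollpadding pair permits. This is an added model written from the description in this man page, not code from pop3d; it assumes that refused logins do not take a slot and that the clearing clock starts when the first slot is filled.

```python
from dataclasses import dataclass

@dataclass
class PopPollQueue:
    """Queue-of-slots model from the poppollpadding description."""
    popminpoll: int          # minutes, as in imapd.conf
    poppollpadding: int = 1  # 1 means no padding
    used: int = 0            # slots currently filled
    last_clear: float = 0.0  # time (seconds) of the last slot clearing

    def _clear_slots(self, now):
        interval = self.popminpoll * 60
        if self.used == 0:
            self.last_clear = now          # nothing to clear; restart the clock
            return
        freed = int((now - self.last_clear) // interval)
        if freed >= self.used:
            self.used, self.last_clear = 0, now
        elif freed > 0:
            self.used -= freed
            self.last_clear += freed * interval

    def login(self, now):
        """Return True if a POP login at time `now` (seconds) is accepted."""
        if self.popminpoll <= 0:
            return True                    # no minimum wait configured
        self._clear_slots(now)
        if self.used >= max(1, self.poppollpadding):
            return False                   # queue full: wait for a slot
        self.used += 1
        return True

def simulate(times, popminpoll, poppollpadding=1):
    """Replay login times (seconds) and return one accept/deny flag each."""
    queue = PopPollQueue(popminpoll, poppollpadding)
    return [queue.login(t) for t in times]

if __name__ == "__main__":
    # Constructed login times: a burst, slower polling, then a long pause.
    burst = [0, 10, 20, 30, 300, 310, 600, 1500, 1510, 1520, 1530]
    print(simulate(burst, popminpoll=5, poppollpadding=3))
    print(simulate(burst, popminpoll=5, poppollpadding=1))
```

With padding 3 the client gets a burst of three logins and then one per popminpoll interval; with padding 1 the same trace is held to one login per interval throughout.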
855
856 poptimeout: 10
857 Set the length of the POP server's inactivity autologout timer, in
858 minutes. The minimum value is 10, the default.
859
860 popuseacl: 0
861 Enforce IMAP ACLs in the pop server. Due to the nature of the
862 POP3 protocol, the only rights which are used by the pop server
863 are 'r', 't' and 's'. The 'r' right allows the user to open the mailbox and list/retrieve messages. The
864 't' right allows the user to delete messages. The 's' right
865 allows messages retrieved by the user to have the \Seen flag set
866 (only if popuseimapflags is also enabled).
867
868 popuseimapflags: 0
869 If enabled, the pop server will set and obey IMAP flags. Messages
870 having the \Deleted flag are ignored as if they do not exist.
871 Messages that are retrieved by the client will have the \Seen flag
872 set. All messages will have the \Recent flag unset.
873
874 postmaster: postmaster
875 Username that is used as the 'From' address in rejection MDNs pro‐
876 duced by sieve.
877
878 postuser: <empty string>
879 Userid used to deliver messages to shared folders. For example,
880 if set to "bb", email sent to "bb+shared.blah" would be delivered
881 to the "shared.blah" folder. By default, an email address of
882 "+shared.blah" would be used.
883
884 proxy_authname: proxy
885 The authentication name to use when authenticating to a backend
886 server in the Cyrus Murder.
887
888 proxy_compress: 0
889 Try to enable protocol-specific compression when performing a
890 client connection to a backend server in the Cyrus Murder.
891
892 Note that this should only be necessary over slow network connections.
893 Also note that currently only IMAP and MUPDATE support compression.
894
895 proxy_password: <none>
896 The default password to use when authenticating to a backend
897 server in the Cyrus Murder. May be overridden on a host-specific
898 basis using the hostname_password option.
899
900 proxy_realm: <none>
901 The authentication realm to use when authenticating to a backend
902 server in the Cyrus Murder.
903
904 proxyd_allow_status_referral: 0
905 Set to true to allow proxyd to issue referrals to clients that
906 support it when answering the STATUS command. This is disabled by
907 default since some clients issue many STATUS commands in a row,
908 and do not cache the connections that these referrals would cause,
909 thus resulting in a higher authentication load on the respective
910 backend server.
911
912 proxyd_disable_mailbox_referrals: 0
913 Set to true to disable the use of mailbox-referrals on the proxy
914 servers.
915
916 proxyservers: <none>
917 A list of users and groups that are allowed to proxy for other
918 users, separated by spaces. Any user listed in this will be
919 allowed to login for any other user: use with caution.
920
921 pts_module: afskrb
922 The PTS module to use.
923
924 Allowed values: afskrb, ldap
925
926 ptloader_sock: <none>
927 Unix domain socket that ptloader listens on. (defaults to con‐
928 figdir/ptclient/ptsock)
929
930 ptscache_db: berkeley
931 The cyrusdb backend to use for the pts cache.
932
933 Allowed values: berkeley, berkeley-hash, skiplist
934
935 ptscache_timeout: 10800
936 The timeout (in seconds) for the PTS cache database when using the
937 auth_krb_pts authorization method (default: 3 hours).
938
939 ptskrb5_convert524: 1
940 When using the AFSKRB ptloader module with Kerberos 5 canonical‐
941 ization, do the final 524 conversion to get an AFS style name
942 (using '.' instead of '/', and using short names).
943
944 ptskrb5_strip_default_realm: 1
945 When using the AFSKRB ptloader module with Kerberos 5 canonical‐
946 ization, strip the default realm from the userid (this does not
947 affect the stripping of realms specified by the afspts_localrealms
948 option).
949
950 qosmarking: cs0
951 This specifies the Class Selector or Differentiated Services Code
952 Point designation on IP headers (in the ToS field).
953
954 Allowed values: cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11,
955 af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43,
956 ef
957
958 quota_db: quotalegacy
959 The cyrusdb backend to use for quotas.
960
961 Allowed values: flat, berkeley, berkeley-hash, skiplist, sql, quo‐
962 talegacy
963
964 quotawarn: 90
965 The percent of quota utilization over which the server generates
966 warnings.
967
968 quotawarnkb: 0
969 The maximum amount of free space (in kB) at which to give a quota
970 warning (if this value is 0, or if the quota is smaller than this
971 amount, then warnings are always given).
972
973 reject8bit: 0
974 If enabled, lmtpd rejects messages with 8-bit characters in the
975 headers.
976
977 rfc2046_strict: 0
978 If enabled, imapd will be strict (per RFC 2046) when matching MIME
979 boundary strings. This means that boundaries containing other
980 boundaries as substrings will be treated as identical. Since
981 enabling this option will break some messages created by Eudora
982 5.1 (and earlier), it is recommended that it be left disabled
983 unless there is good reason to do otherwise.
984
985 rfc3028_strict: 1
986 If enabled, Sieve will be strict (per RFC 3028) with regards to
987 which headers are allowed to be used in address and envelope
988 tests. This means that only those headers which are defined to
989 contain addresses will be allowed in address tests and only "to"
990 and "from" will be allowed in envelope tests. When disabled, ANY
991 grammatically correct header will be allowed.
992
993 sasl_auto_transition: 0
994 If enabled, the SASL library will automatically create authentica‐
995 tion secrets when given a plaintext password. See the SASL docu‐
996 mentation.
997
998 sasl_maximum_layer: 256
999 Maximum SSF (security strength factor) that the server will allow
1000 a client to negotiate.
1001
1002 sasl_minimum_layer: 0
1003 The minimum SSF that the server will allow a client to negotiate.
1004 A value of 1 requires integrity protection; any higher value
1005 requires some amount of encryption.
1006
1007 sasl_option: 0
1008 Any SASL option can be set by preceding it with "sasl_". This
1009 file overrides the SASL configuration file.
1010
1011 sasl_pwcheck_method: <none>
1012 The mechanism used by the server to verify plaintext passwords.
1013 Possible values include "auxprop", "saslauthd", and "pwcheck".
1014
1015 seenstate_db: skiplist
1016 The cyrusdb backend to use for the seen state.
1017
1018 Allowed values: flat, berkeley, berkeley-hash, skiplist
1019
1020 sendmail: /usr/lib/sendmail
1021 The pathname of the sendmail executable. Sieve invokes sendmail
1022 for sending rejections, redirects and vacation responses.
1023
1024 serverlist: <none>
1025 Whitespace separated list of backend server names. Used for find‐
1026 ing server with the most available free space for proxying CREATE.
1027
1028 servername: <none>
1029 This is the hostname visible in the greeting messages of the POP,
1030 IMAP and LMTP daemons. If it is unset, then the result returned
1031 from gethostname(2) is used.
1032
1033 serverinfo: on
1034 The server information to display in the greeting and capability
1035 responses. Information is displayed as follows:
1036
1037 "off" = no server information in the greeting or capabilities
1038 "min" = servername in the greeting; no server information in the
1039 capabilities
1040 "on" = servername and product version in the greeting; product
1041 version in the capabilities
1042
1043 Allowed values: off, min, on
1044
1045 sha1_dir: <none>
1046 Top level directory for SHA1 store manipulated by make_sha1. File
1047 structure within this directory is one file for each user on the
1048 system, hashed on the first letter of the userid (e.g.:
1049 /var/imap/sha1/d/dpc22).
1050
1051 sharedprefix: Shared Folders
1052 If using the alternate IMAP namespace, the prefix for the shared
1053 namespace. The hierarchy delimiter will be automatically
1054 appended.
1055
1056 sieve_allowreferrals: 1
1057 If enabled, timsieved will issue referrals to clients when the
1058 user's scripts reside on a remote server (in a Murder). Other‐
1059 wise, timsieved will proxy traffic to the remote server.
1060
1061 sieve_extensions: fileinto reject vacation imapflags notify envelope
1062 relational regex subaddress copy
1063 Space-separated list of Sieve extensions allowed to be used in
1064 sieve scripts, enforced at submission by timsieved(8). Any previ‐
1065 ously installed script will be unaffected by this option and will
1066 continue to execute regardless of the extensions used. This
1067 option has no effect on options that are disabled at compile time
1068 (e.g., "regex").
1069
1070 Allowed values: fileinto, reject, vacation, imapflags, notify,
1071 include, envelope, body, relational, regex, subaddress, copy
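
Because sieve_extensions is enforced only at submission, tightening it leaves already-installed scripts running with extensions that are no longer allowed. The following added example (not part of Cyrus) lists such scripts by reading their require commands; the script texts are constructed samples, and it assumes capability names in require match the option's tokens literally.

```python
import re

# Default sieve_extensions value as listed in this man page.
DEFAULT_EXTENSIONS = ("fileinto reject vacation imapflags notify envelope "
                      "relational regex subaddress copy")

# Sieve tokens: quoted string, /* */ comment, # comment, identifier, other.
TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|/\*.*?\*/|#[^\n]*|[A-Za-z_]\w*|\S', re.S)

def required_extensions(script):
    """Return the capability names listed in a script's require commands."""
    names, collecting = set(), False
    for tok in TOKEN.findall(script):
        if tok.startswith(("#", "/*")):
            continue                       # comments never declare anything
        if tok.lower() == "require":
            collecting = True
        elif tok == ";":
            collecting = False
        elif collecting and tok.startswith('"'):
            names.add(tok[1:-1])
    return names

def scripts_outside_policy(scripts, sieve_extensions=DEFAULT_EXTENSIONS):
    """Map script name -> sorted extensions it requires that are not allowed."""
    allowed = set(sieve_extensions.split())
    report = {}
    for name, text in scripts.items():
        # "comparator-..." names declare comparators, not listed extensions.
        extra = sorted(e for e in required_extensions(text)
                       if e not in allowed and not e.startswith("comparator-"))
        if extra:
            report[name] = extra
    return report

# Constructed scripts standing in for files already installed for three users.
SAMPLE_SCRIPTS = {
    "alice": r'''require ["fileinto", "regex"];  # spam rules
if header :regex "subject" "^\\[SPAM\\]" { fileinto "INBOX.Junk"; }''',
    "bob": r'''/* require "reject"; (commented out) */
require "body";
require ["include", "vacation"];''',
    "carol": r'''require ["fileinto"];
if header :contains "subject" "require \"regex\";" { fileinto "INBOX.#odd"; }''',
}

if __name__ == "__main__":
    print(scripts_outside_policy(SAMPLE_SCRIPTS))
    print(scripts_outside_policy(SAMPLE_SCRIPTS, "fileinto vacation envelope"))
```

Scripts reported here have to be re-submitted or removed by hand, since changing the option alone does not stop them from executing.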
1072
1073 sieve_maxscriptsize: 32
1074 Maximum size (in kilobytes) any sieve script can be, enforced at
1075 submission by timsieved(8).
1076
1077 sieve_maxscripts: 5
1078 Maximum number of sieve scripts any user may have, enforced at
1079 submission by timsieved(8).
1080
1081 sieve_utf8fileinto: 0
1082 If enabled, the sieve engine expects folder names for the fileinto
1083 action in scripts to use UTF8 encoding. Otherwise, modified UTF7
1084 encoding should be used.
1085
1086 sieve_sasl_send_unsolicited_capability: 0
1087 If enabled, timsieved will emit a capability response after a suc‐
1088 cessful SASL authentication, per draft-martin-managesieve-12.txt .
1089
1090 sievedir: /usr/sieve
1091 If sieveusehomedir is false, this directory is searched for Sieve
1092 scripts.
1093
1094 sievenotifier: <none>
1095 Notifyd(8) method to use for "SIEVE" notifications. If not set,
1096 "SIEVE" notifications are disabled.
1097
1098 This method is only used when no method is specified in the script.
1099
1100 sieveusehomedir: 0
1101 If enabled, lmtpd will look for Sieve scripts in user's home
1102 directories: ~user/.sieve.
1103
1104 anysievefolder: 0
1105 It must be "yes" in order to permit the autocreation of any INBOX
1106 subfolder requested by a sieve filter, through the "fileinto"
1107 action. (default = no)
1108
1109 autosievefolders: <none>
1110 It is a "|" separated list of subfolders of INBOX that will be
1111 automatically created, if requested by a sieve filter, through the
1112 "fileinto" action. (default = null) e.g. autosievefolders: Junk |
1113 Spam
1114
1115 singleinstancestore: 1
1116 If enabled, imapd, lmtpd and nntpd attempt to only write one copy
1117 of a message per partition and create hard links, resulting in a
1118 potentially large disk savings.
1119
1120 skiplist_always_checkpoint: 1
1121 If enabled, this option forces the skiplist cyrusdb backend to
1122 always checkpoint when doing a recovery. This causes slightly
1123 more IO, but on the other hand leads to more efficient databases,
1124 and the entire file is already "hot".
1125
1126 skiplist_unsafe: 0
1127 If enabled, this option forces the skiplist cyrusdb backend to not
1128 sync writes to the disk. Enabling this option is NOT RECOMMENDED.
1129
1130 soft_noauth: 1
1131 If enabled, lmtpd returns temporary failures if the client does
1132 not successfully authenticate. Otherwise lmtpd returns permanent
1133 failures (causing the mail to bounce immediately).
1134
1135 sql_database: <none>
1136 Name of the database which contains the cyrusdb table(s).
1137
1138 sql_engine: <none>
1139 Name of the SQL engine to use.
1140
1141 Allowed values: mysql, pgsql, sqlite
1142
1143 sql_hostnames: <empty string>
1144 Comma separated list of SQL servers (in host[:port] format).
1145
1146 sql_passwd: <none>
1147 Password to use for authentication to the SQL server.
1148
1149 sql_user: <none>
1150 Username to use for authentication to the SQL server.
1151
1152 sql_usessl: 0
1153 If enabled, a secure connection will be made to the SQL server.
1154
1155 srvtab: <empty string>
1156 The pathname of srvtab file containing the server's private key.
1157 This option is passed to the SASL library and overrides its
1158 default setting.
1159
1160 submitservers: <none>
1161 A list of users and groups that are allowed to resolve
1162 "urlauth=submit+" IMAP URLs, separated by spaces. Any user listed
1163 in this will be allowed to fetch the contents of any valid
1164 "urlauth=submit+" IMAP URL: use with caution.
1165
1166 subscription_db: flat
1167 The cyrusdb backend to use for the subscriptions list.
1168
1169 Allowed values: flat, berkeley, berkeley-hash, skiplist
1170
1171 statuscache: 0
1172 Enable/disable the imap status cache.
1173
1174 statuscache_db: berkeley-nosync
1175 The cyrusdb backend to use for the imap status cache.
1176
1177 Allowed values: berkeley, berkeley-nosync, berkeley-hash, berke‐
1178 ley-hash-nosync, skiplist
1179
1180 sync_authname: <none>
1181 The authentication name to use when authenticating to a sync
1182 server.
1183
1184 sync_batch_size: 0
1185 Maximum number of messages to upload to a replica at one time. A
1186 batch size of 0, the default, will disable batching (ALL messages
1187 will be sent).
1188
1189 sync_compress: 0
1190 Enable compression on replication traffic.
1191
1192 sync_host: <none>
1193 Name of the host (replica running sync_server(8)) to which repli‐
1194 cation actions will be sent by sync_client(8).
1195
1196 sync_log: 0
1197 Enable replication action logging by lmtpd(8), imapd(8), pop3d(8),
1198 and nntpd(8). The log {configdirectory}/sync/log is used by
1199 sync_client(8) for "rolling" replication.
1200
1201 sync_password: <none>
1202 The default password to use when authenticating to a sync server.
1203
1204 sync_realm: <none>
1205 The authentication realm to use when authenticating to a sync
1206 server.
1207
1208 sync_repeat_interval: 1
1209 Minimum interval (in seconds) between replication runs in rolling
1210 replication mode. If a replication run takes longer than this
1211 time, we repeat immediately.
1212
1213 sync_shutdown_file: <none>
1214 Simple latch used to tell sync_client(8) that it should shut down
1215 at the next opportunity. Safer than sending signals to running
1216 processes.
1217
1218 syslog_prefix: <none>
1219 String to be prepended to the process name in syslog entries.
1220
1221 temp_path: /tmp
1222 The pathname to store temporary files in.
1223
1224 timeout: 30
1225 The length of the IMAP server's inactivity autologout timer, in
1226 minutes. The minimum value is 30, the default.
1227
1228 tls_ca_file: <none>
1229 File containing one or more Certificate Authority (CA) certifi‐
1230 cates.
1231
1232 tls_ca_path: <none>
1233 Path to directory with certificates of CAs. This directory must
1234 have filenames with the hashed value of the certificates (see
1235 openssl(XXX)).
1236
1237 tlscache_db: berkeley-nosync
1238 The cyrusdb backend to use for the TLS cache.
1239
1240 Allowed values: berkeley, berkeley-nosync, berkeley-hash, berke‐
1241 ley-hash-nosync, skiplist, sql
1242
1243 tls_cert_file: <none>
1244 File containing the certificate presented for server authentica‐
1245 tion during STARTTLS. A value of "disabled" will disable SSL/TLS.
1246
1247 tls_cipher_list: DEFAULT
1248 The list of SSL/TLS ciphers to allow. The format of the string is
1249 described in ciphers(1).
1250
1251 tls_key_file: <none>
1252 File containing the private key belonging to the server certifi‐
1253 cate. A value of "disabled" will disable SSL/TLS.
1254
1255 tls_require_cert: 0
1256 Require a client certificate for ALL services (imap, pop3, lmtp,
1257 sieve).
1258
1259 tls_session_timeout: 1440
1260 The length of time (in minutes) that a TLS session will be cached
1261 for later reuse. The maximum value is 1440 (24 hours), the
1262 default. A value of 0 will disable session caching.
1263
1264 umask: 077
1265 The umask value used by various Cyrus IMAP programs.
1266
1267 userdeny_db: flat
1268 The cyrusdb backend to use for the user access list.
1269
1270 Allowed values: flat, berkeley, berkeley-hash, skiplist, sql
1271
1272 user_folder_limit: 0
1273 Limit the number of folders a user can create in their INBOX. Set
1274 to 0 (default) for no limit. Only affects folders in user.
1275
1276 username_tolower: 1
1277 Convert usernames to all lowercase before login/authentication.
1278 This is useful with authentication backends which ignore case dur‐
1279 ing username lookups (such as LDAP).
1280
1281 userprefix: Other Users
1282 If using the alternate IMAP namespace, the prefix for the other
1283 users namespace. The hierarchy delimiter will be automatically
1284 appended.
1285
1286 unix_group_enable: 1
1287 Should we look up groups when using auth_unix (disable this if you
1288 are not using groups in ACLs for your IMAP server, and you are
1289 using auth_unix with a backend (such as LDAP) that can make get‐
1290 grent() calls very slow)
1291
1292 unixhierarchysep: 0
1293 Use the UNIX separator character '/' for delimiting levels of
1294 mailbox hierarchy. The default is to use the netnews separator
1295 character '.'.
1296
1297 virtdomains: off
1298 Enable virtual domain support. If enabled, the user's domain will
1299 be determined by splitting a fully qualified userid at the last
1300 '@' or '%' symbol. If the userid is unqualified, and the virtdo‐
1301 mains option is set to "on", then the domain will be determined by
1302 doing a reverse lookup on the IP address of the incoming network
1303 interface, otherwise the user is assumed to be in the default
1304 domain (if set).
1305
1306 Allowed values: off, userid, on
1307
1308 normalizeuid: 0
1309 Lowercase uid and strip leading and trailing blanks. It is recom‐
1310 mended to set this to yes, especially if OpenLDAP is used as
1311 authentication source.
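
Several options above carry security consequences in their descriptions (proxyservers, submitservers, sasl_minimum_layer, serverinfo, skiplist_unsafe, tls_cert_file, tls_key_file, umask, sql_usessl). The following added example, which is not part of Cyrus, reads a configuration in the syntax this page defines and reports those settings; the sample configuration is constructed, and the parser is a simplified reading of that syntax.

```python
TRUE = {"yes", "on", "t", "true", "1"}   # values that turn an option on

# Constructed sample configuration, not taken from a real server.
SAMPLE_CONF = """\
# constructed example
proxyservers: murderproxy \\
    helpdesk
sasl_minimum_layer: 0
serverinfo: on
skiplist_unsafe: yes
tls_cert_file: disabled
umask: 027
sql_engine: pgsql
sql_passwd: example-only
sql_usessl: 0
"""

def parse_conf(text):
    """Parse 'option: value' lines; a trailing backslash joins the next line."""
    opts, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        opts[key.strip()] = " ".join(value.split())
    return opts

def is_on(opts, key, default):
    return opts.get(key, default).lower() in TRUE

def audit(opts):
    """Return (option, finding) pairs, using the defaults listed on this page."""
    out = []
    for key in ("proxyservers", "submitservers"):
        if opts.get(key):
            out.append((key, "broad delegation granted to: " + opts[key]))
    if int(opts.get("sasl_minimum_layer", "0")) < 2:
        out.append(("sasl_minimum_layer", "encryption is not required"))
    if is_on(opts, "serverinfo", "on"):
        out.append(("serverinfo", "product version is advertised"))
    if is_on(opts, "skiplist_unsafe", "0"):
        out.append(("skiplist_unsafe", "writes are not synced to disk"))
    for key in ("tls_cert_file", "tls_key_file"):
        if opts.get(key) == "disabled":
            out.append((key, "SSL/TLS is disabled"))
    if int(opts.get("umask", "077"), 8) & 0o077 != 0o077:
        out.append(("umask", "group or other access is not fully masked"))
    if (opts.get("sql_engine") and opts.get("sql_passwd")
            and not is_on(opts, "sql_usessl", "0")):
        out.append(("sql_usessl", "SQL login does not use a secure connection"))
    return out

if __name__ == "__main__":
    for option, finding in audit(parse_conf(SAMPLE_CONF)):
        print(f"{option}: {finding}")
```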
1312
1313
1315 imapd(8), pop3d(8), nntpd(8), lmtpd(8), timsieved(8), idled(8), noti‐
1316 fyd(8), deliver(8), cyrus-master(8), ciphers(1)
1317
1318
1319
1320
1321CMU Project Cyrus IMAPD.CONF(5)