1MOSQUITTO.CONF(5) File formats and conventions MOSQUITTO.CONF(5)
2
6 mosquitto.conf - the configuration file for mosquitto
7
9 mosquitto.conf
10
12 mosquitto.conf is the configuration file for mosquitto. This file can
13 reside anywhere as long as mosquitto can read it. By default, mosquitto
14 does not need a configuration file and will use the default values
15 listed below. See mosquitto(8) for information on how to load a
16 configuration file.
17
19 All lines with a # as the very first character are treated as a
20 comment.
21 Configuration lines start with a variable name. The variable value is
23 separated from the name by a single space.
24
26 The authentication options described below allow a wide range of
27 possibilities in conjunction with the listener options. This section
28 aims to clarify the possibilities.
29 The simplest option is to have no authentication at all. This is the
31 default if no other options are given. Unauthenticated encrypted
32 support is provided by using the certificate based SSL/TLS based
33 options cafile/capath, certfile and keyfile.
34 MQTT provides username/password authentication as part of the protocol.
36 Use the password_file option to define the valid usernames and
37 passwords. Be sure to use network encryption if you are using this
38 option otherwise the username and password will be vulnerable to
39 interception. Use the per_listener_settings to control whether
40 passwords are required globally or on a per-listener basis.
41 When using certificate based encryption there are three options that
43 affect authentication. The first is require_certificate, which may be
44 set to true or false. If false, the SSL/TLS component of the client
45 will verify the server but there is no requirement for the client to
46 provide anything for the server: authentication is limited to the MQTT
47 built in username/password. If require_certificate is true, the client
48 must provide a valid certificate in order to connect successfully. In
49 this case, the second and third options, use_identity_as_username and
50 use_subject_as_username, become relevant. If set to true,
51 use_identity_as_username causes the Common Name (CN) from the client
52 certificate to be used instead of the MQTT username for access control
53 purposes. The password is not used because it is assumed that only
54 authenticated clients have valid certificates. This means that any CA
55 certificates you include in cafile or capath will be able to issue
56 client certificates that are valid for connecting to your broker. If
57 use_identity_as_username is false, the client must authenticate as
58 normal (if required by password_file) through the MQTT options. The
59 same principle applies for the use_subject_as_username option, but the
60 entire certificate subject is used as the username instead of just the
61 CN.
62 When using pre-shared-key based encryption through the psk_hint and
64 psk_file options, the client must provide a valid identity and key in
65 order to connect to the broker before any MQTT communication takes
66 place. If use_identity_as_username is true, the PSK identity is used
67 instead of the MQTT username for access control purposes. If
68 use_identity_as_username is false, the client may still authenticate
69 using the MQTT username/password if using the password_file option.
70 Both certificate and PSK based encryption are configured on a
72 per-listener basis.
73 Authentication plugins can be created to augment the password_file,
75 acl_file and psk_file options with e.g. SQL based lookups.
76 It is possible to support multiple authentication schemes at once. A
78 config could be created that had a listener for all of the different
79 encryption options described above and hence a large number of ways of
80 authenticating.
81
83 acl_file file path
84 Set the path to an access control list file. If defined, the
85 contents of the file are used to control client access to topics on
86 the broker.
87 If this parameter is defined then only the topics listed will have
89 access. Topic access is added with lines of the format:
90 topic [read|write|readwrite] <topic>
92 The access type is controlled using "read", "write" or "readwrite".
94 This parameter is optional (unless <topic> includes a space
95 character) - if not given then the access is read/write. <topic>
96 can contain the + or # wildcards as in subscriptions.
97 The first set of topics are applied to anonymous clients, assuming
99 allow_anonymous is true. User specific topic ACLs are added after a
100 user line as follows:
101 user <username>
103 The username referred to here is the same as in password_file. It
105 is not the clientid.
106 It is also possible to define ACLs based on pattern substitution
108 within the topic. The form is the same as for the topic keyword,
109 but using pattern as the keyword.
110 pattern [read|write|readwrite] <topic>
112 The patterns available for substition are:
114 · %c to match the client id of the client
116 · %u to match the username of the client
118 The substitution pattern must be the only text for that level of
120 hierarchy. Pattern ACLs apply to all users even if the "user"
121 keyword has previously been given.
122 Example:
124 pattern write sensor/%u/data
126 Allow access for bridge connection messages:
128 pattern write $SYS/broker/connection/%c/state
130 If the first character of a line of the ACL file is a # it is
132 treated as a comment.
133 If per_listener_settings is true, this option applies to the
135 current listener being configured only. If per_listener_settings is
136 false, this option applies to all listeners.
137 Reloaded on reload signal. The currently loaded ACLs will be freed
139 and reloaded. Existing subscriptions will be affected after the
140 reload.
141 allow_anonymous [ true | false ]
143 Boolean value that determines whether clients that connect without
144 providing a username are allowed to connect. If set to false then
145 another means of connection should be created to control
146 authenticated client access.
147 Defaults to true if no other security options are set. If
149 password_file or psk_file is set, or if an authentication plugin is
150 loaded which implements username/password or TLS-PSK checks, then
151 allow_anonymous defaults to false.
152 If per_listener_settings is true, this option applies to the
154 current listener being configured only. If per_listener_settings is
155 false, this option applies to all listeners.
156 Reloaded on reload signal.
158 allow_duplicate_messages [ true | false ]
160 If a client is subscribed to multiple subscriptions that overlap,
161 e.g. foo/# and foo/+/baz , then MQTT expects that when the broker
162 receives a message on a topic that matches both subscriptions, such
163 as foo/bar/baz, then the client should only receive the message
164 once.
165 Mosquitto keeps track of which clients a message has been sent to
167 in order to meet this requirement. This option allows this
168 behaviour to be disabled, which may be useful if you have a large
169 number of clients subscribed to the same set of topics and want to
170 minimise memory usage.
171 It can be safely set to true if you know in advance that your
173 clients will never have overlapping subscriptions, otherwise your
174 clients must be able to correctly deal with duplicate messages even
175 when then have QoS=2.
176 Defaults to true.
178 This option applies globally.
180 Reloaded on reload signal.
182 allow_zero_length_clientid [ true | false ]
184 MQTT 3.1.1 and MQTT 5 allow clients to connect with a zero length
185 client id and have the broker generate a client id for them. Use
186 this option to allow/disallow this behaviour. Defaults to true.
187 See also the auto_id_prefix option.
189 If per_listener_settings is true, this option applies to the
191 current listener being configured only. If per_listener_settings is
192 false, this option applies to all listeners.
193 Reloaded on reload signal.
195 auth_opt_* value
197 Options to be passed to the auth plugin. See the specific plugin
198 instructions.
199 Applies to the current authentication plugin being configured.
201 auth_plugin file path
203 Specify an external module to use for authentication and access
204 control. This allows custom username/password and access control
205 functions to be created.
206 Can be specified multiple times to load multiple plugins. The
208 plugins will be processed in the order that they are specified.
209 If password_file, or acl_file are used in the config file alongsize
211 auth_plugin, the plugin checks will run after the built in checks.
212 Not currently reloaded on reload signal.
214 auth_plugin_deny_special_chars [ true | false ]
216 If true then before an ACL check is made, the username/client id of
217 the client needing the check is searched for the presence of either
218 a '+' or '#' character. If either of these characters is found in
219 either the username or client id, then the ACL check is denied
220 before it is sent to the plugin.
221 This check prevents the case where a malicious user could
223 circumvent an ACL check by using one of these characters as their
224 username or client id. This is the same issue as was reported with
225 mosquitto itself as CVE-2017-7650.
226 If you are entirely sure that the plugin you are using is not
228 vulnerable to this attack (i.e. if you never use usernames or
229 client ids in topics) then you can disable this extra check and
230 hence have all ACL checks delivered to your plugin by setting this
231 option to false.
232 Defaults to true.
234 Applies to the current authentication plugin being configured.
236 Not currently reloaded on reload signal.
238 auto_id_prefix prefix
240 If allow_zero_length_clientid is true, this option allows you to
241 set a string that will be prefixed to the automatically generated
242 client ids to aid visibility in logs. Defaults to auto-.
243 If per_listener_settings is true, this option applies to the
245 current listener being configured only. If per_listener_settings is
246 false, this option applies to all listeners.
247 Reloaded on reload signal.
249 autosave_interval seconds
251 The number of seconds that mosquitto will wait between each time it
252 saves the in-memory database to disk. If set to 0, the in-memory
253 database will only be saved when mosquitto exits or when receiving
254 the SIGUSR1 signal. Note that this setting only has an effect if
255 persistence is enabled. Defaults to 1800 seconds (30 minutes).
256 This option applies globally.
258 Reloaded on reload signal.
260 autosave_on_changes [ true | false ]
262 If true, mosquitto will count the number of subscription changes,
263 retained messages received and queued messages and if the total
264 exceeds autosave_interval then the in-memory database will be saved
265 to disk. If false, mosquitto will save the in-memory database to
266 disk by treating autosave_interval as a time in seconds.
267 This option applies globally.
269 Reloaded on reload signal.
271 check_retain_source [ true | false ]
273 This option affects the scenario when a client subscribes to a
274 topic that has retained messages. It is possible that the client
275 that published the retained message to the topic had access at the
276 time they published, but that access has been subsequently removed.
277 If check_retain_source is set to true, the default, the source of a
278 retained message will be checked for access rights before it is
279 republished. When set to false, no check will be made and the
280 retained message will always be published.
281 This option applies globally, regardless of the
283 per_listener_settings option.
284 clientid_prefixes prefix
286 If defined, only clients that have a clientid with a prefix that
287 matches clientid_prefixes will be allowed to connect to the broker.
288 For example, setting "secure-" here would mean a client
289 "secure-client" could connect but another with clientid "mqtt"
290 couldn't. By default, all client ids are valid.
291 This option applies globally.
293 Reloaded on reload signal. Note that currently connected clients
295 will be unaffected by any changes.
296 connection_messages [ true | false ]
298 If set to true, the log will include entries when clients connect
299 and disconnect. If set to false, these entries will not appear.
300 This option applies globally.
302 Reloaded on reload signal.
304 include_dir dir
306 External configuration files may be included by using the
307 include_dir option. This defines a directory that will be searched
308 for config files. All files that end in '.conf' will be loaded as a
309 configuration file. It is best to have this as the last option in
310 the main file. This option will only be processed from the main
311 configuration file. The directory specified must not contain the
312 main configuration file.
313 The configuration files in include_dir are loaded in case sensitive
315 alphabetical order, with the upper case of each letter ordered
316 before the lower case of the same letter.
317 Example Load Order for include_dir. Given the files b.conf,
319 A.conf, 01.conf, a.conf, B.conf, and 00.conf inside include_dir,
320 the config files would be loaded in this order:
321 00.conf
323 01.conf
324 A.conf
325 a.conf
326 B.conf
327 b.conf
328 If this option is used multiple times, then each include_dir option
330 is processed completely in the order that they are written in the
331 main configuration file.
332 Example Load Order for Multiple include_dir. Assuming a directory
334 one.d containing files B.conf and C.conf, and a second directory
335 two.d containing files A.conf and D.conf, and a config:
336 include_dir one.d
338 include_dir two.d
339 Then the config files would be loaded in this order:
341 # files from one.d
343 B.conf
344 C.conf
345 # files from two.d
346 A.conf
347 D.conf
348 log_dest destinations
350 Send log messages to a particular destination. Possible
351 destinations are: stdout stderr syslog topic.
352 stdout and stderr log to the console on the named output.
354 syslog uses the userspace syslog facility which usually ends up in
356 /var/log/messages or similar and topic logs to the broker topic
357 '$SYS/broker/log/<severity>', where severity is one of D, E, W, N,
358 I, M which are debug, error, warning, notice, information and
359 message. Message type severity is used by the subscribe and
360 unsubscribe log_type options and publishes log messages at
361 $SYS/broker/log/M/subscribe and $SYS/broker/log/M/unsubscribe.
362 The file destination requires an additional parameter which is the
364 file to be logged to, e.g. "log_dest file /var/log/mosquitto.log".
365 The file will be closed and reopened when the broker receives a HUP
366 signal. Only a single file destination may be configured.
367 Use "log_dest none" if you wish to disable logging. Defaults to
369 stderr. This option may be specified multiple times.
370 Note that if the broker is running as a Windows service it will
372 default to "log_dest none" and neither stdout nor stderr logging is
373 available.
374 Reloaded on reload signal.
376 log_facility local facility
378 If using syslog logging (not on Windows), messages will be logged
379 to the "daemon" facility by default. Use the log_facility option to
380 choose which of local0 to local7 to log to instead. The option
381 value should be an integer value, e.g. "log_facility 5" to use
382 local5.
383 log_timestamp [ true | false ]
385 Boolean value, if set to true a timestamp value will be added to
386 each log entry. The default is true.
387 Reloaded on reload signal.
389 log_timestamp_format format
391 Set the format of the log timestamp. If left unset, this is the
392 number of seconds since the Unix epoch. This option is a free text
393 string which will be passed to the strftime function as the format
394 specifier. To get an ISO 8601 datetime, for example:
395 log_timestamp_format %Y-%m-%dT%H:%M:%S
397 Reloaded on reload signal.
400 log_type types
402 Choose types of messages to log. Possible types are: debug, error,
403 warning, notice, information, subscribe, unsubscribe, websockets,
404 none, all.
405 Defaults to error, warning, notice and information. This option may
407 be specified multiple times. Note that the debug type (used for
408 decoding incoming/outgoing network packets) is never logged in
409 topics.
410 Reloaded on reload signal.
412 max_inflight_bytes count
414 Outgoing QoS 1 and 2 messages will be allowed in flight until this
415 byte limit is reached. This allows control of outgoing message rate
416 based on message size rather than message count. If the limit is
417 set to 100, messages of over 100 bytes are still allowed, but only
418 a single message can be in flight at once. Defaults to 0. (No
419 limit).
420 See also the max_inflight_messages option.
422 This option applies globally.
424 Reloaded on reload signal.
426 max_inflight_messages count
428 The maximum number of outgoing QoS 1 or 2 messages that can be in
429 the process of being transmitted simultaneously. This includes
430 messages currently going through handshakes and messages that are
431 being retried. Defaults to 20. Set to 0 for no maximum. If set to
432 1, this will guarantee in-order delivery of messages.
433 This option applies globally.
435 Reloaded on reload signal.
437 max_keepalive value
439 For MQTT v5 clients, it is possible to have the server send a
440 "server keepalive" value that will override the keepalive value set
441 by the client. This is intended to be used as a mechanism to say
442 that the server will disconnect the client earlier than it
443 anticipated, and that the client should use the new keepalive
444 value. The max_keepalive option allows you to specify that clients
445 may only connect with keepalive less than or equal to this value,
446 otherwise they will be sent a server keepalive telling them to use
447 max_keepalive. This only applies to MQTT v5 clients. The maximum
448 value allowable, and default value, is 65535. Do not set below 10
449 seconds.
450 This option applies globally.
452 Reloaded on reload signal.
454 max_packet_size value
456 For MQTT v5 clients, it is possible to have the server send a
457 "maximum packet size" value that will instruct the client it will
458 not accept MQTT packets with size greater than value bytes. This
459 applies to the full MQTT packet, not just the payload. Setting this
460 option to a positive value will set the maximum packet size to that
461 number of bytes. If a client sends a packet which is larger than
462 this value, it will be disconnected. This applies to all clients
463 regardless of the protocol version they are using, but v3.1.1 and
464 earlier clients will of course not have received the maximum packet
465 size information. Defaults to no limit.
466 This option applies to all clients, not just those using MQTT v5,
468 but it is not possible to notify clients using MQTT v3.1.1 or MQTT
469 v3.1 of the limit.
470 Setting below 20 bytes is forbidden because it is likely to
472 interfere with normal client operation even with small payloads.
473 This option applies globally.
475 Reloaded on reload signal.
477 max_queued_bytes count
479 The number of outgoing QoS 1 and 2 messages above those currently
480 in-flight will be queued (per client) by the broker. Once this
481 limit has been reached, subsequent messages will be silently
482 dropped. This is an important option if you are sending messages at
483 a high rate and/or have clients who are slow to respond or may be
484 offline for extended periods of time. Defaults to 0. (No maximum).
485 See also the max_queued_messages option. If both
487 max_queued_messages and max_queued_bytes are specified, packets
488 will be queued until the first limit is reached.
489 This option applies globally.
491 Reloaded on reload signal.
493 max_queued_messages count
495 The maximum number of QoS 1 or 2 messages to hold in the queue (per
496 client) above those messages that are currently in flight. Defaults
497 to 100. Set to 0 for no maximum (not recommended). See also the
498 queue_qos0_messages and max_queued_bytes options.
499 This option applies globally.
501 Reloaded on reload signal.
503 memory_limit limit
505 This option sets the maximum number of heap memory bytes that the
506 broker will allocate, and hence sets a hard limit on memory use by
507 the broker. Memory requests that exceed this value will be denied.
508 The effect will vary depending on what has been denied. If an
509 incoming message is being processed, then the message will be
510 dropped and the publishing client will be disconnected. If an
511 outgoing message is being sent, then the individual message will be
512 dropped and the receiving client will be disconnected. Defaults to
513 no limit.
514 This option is only available if memory tracking support is
516 compiled in.
517 Reloaded on reload signal. Setting to a lower value and reloading
519 will not result in memory being freed.
520 message_size_limit limit
522 This option sets the maximum publish payload size that the broker
523 will allow. Received messages that exceed this size will not be
524 accepted by the broker. This means that the message will not be
525 forwarded on to subscribing clients, but the QoS flow will be
526 completed for QoS 1 or QoS 2 messages. MQTT v5 clients using QoS 1
527 or QoS 2 will receive a PUBACK or PUBREC with the "implementation
528 specific error" reason code.
529 The default value is 0, which means that all valid MQTT messages
531 are accepted. MQTT imposes a maximum payload size of 268435455
532 bytes.
533 This option applies globally.
535 Reloaded on reload signal.
537 password_file file path
539 Set the path to a password file. If defined, the contents of the
540 file are used to control client access to the broker. The file can
541 be created using the mosquitto_passwd(1) utility. If mosquitto is
542 compiled without TLS support (it is recommended that TLS support is
543 included), then the password file should be a text file with each
544 line in the format "username:password", where the colon and
545 password are optional but recommended. If allow_anonymous is set to
546 false, only users defined in this file will be able to connect.
547 Setting allow_anonymous to true when password_fileis defined is
548 valid and could be used with acl_file to have e.g. read only
549 guest/anonymous accounts and defined users that can publish.
550 If per_listener_settings is true, this option applies to the
552 current listener being configured only. If per_listener_settings is
553 false, this option applies to all listeners.
554 Reloaded on reload signal. The currently loaded username and
556 password data will be freed and reloaded. Clients that are already
557 connected will not be affected.
558 See also mosquitto_passwd(1).
560 per_listener_settings [ true | false ]
562 If true, then authentication and access control settings will be
563 controlled on a per-listener basis. The following options are
564 affected:
565 password_file, acl_file, psk_file, allow_anonymous,
567 allow_zero_length_clientid, auth_plugin, auth_opt_*,
568 auto_id_prefix.
569 Note that if set to true, then a durable client (i.e. with clean
571 session set to false) that has disconnected will use the ACL
572 settings defined for the listener that it was most recently
573 connected to.
574 The default behaviour is for this to be set to false, which
576 maintains the settings behaviour from previous versions of
577 mosquitto.
578 Reloaded on reload signal.
580 persistence [ true | false ]
582 If true, connection, subscription and message data will be written
583 to the disk in mosquitto.db at the location dictated by
584 persistence_location. When mosquitto is restarted, it will reload
585 the information stored in mosquitto.db. The data will be written to
586 disk when mosquitto closes and also at periodic intervals as
587 defined by autosave_interval. Writing of the persistence database
588 may also be forced by sending mosquitto the SIGUSR1 signal. If
589 false, the data will be stored in memory only. Defaults to false.
590 The persistence file may change its format in a new version. The
592 broker can currently read all old formats, but will only save in
593 the latest format. It should always be safe to upgrade, but
594 cautious users may wish to take a copy of the persistence file
595 before installing a new version so that they can roll back to an
596 earlier version if necessary.
597 This option applies globally.
599 Reloaded on reload signal.
601 persistence_file file name
603 The filename to use for the persistent database. Defaults to
604 mosquitto.db.
605 This option applies globally.
607 Reloaded on reload signal.
609 persistence_location path
611 The path where the persistence database should be stored. Must end
612 in a trailing slash. If not given, then the current directory is
613 used.
614 This option applies globally.
616 Reloaded on reload signal.
618 persistent_client_expiration duration
620 This option allows persistent clients (those with clean session set
621 to false) to be removed if they do not reconnect within a certain
622 time frame. This is a non-standard option. As far as the MQTT spec
623 is concerned, persistent clients persist forever.
624 Badly designed clients may set clean session to false whilst using
626 a randomly generated client id. This leads to persistent clients
627 that will never reconnect. This option allows these clients to be
628 removed.
629 The expiration period should be an integer followed by one of h d w
631 m y for hour, day, week, month and year respectively. For example:
632 · persistent_client_expiration 2m
634 · persistent_client_expiration 14d
636 · persistent_client_expiration 1y
638 As this is a non-standard option, the default if not set is to
640 never expire persistent clients.
641 This option applies globally.
643 Reloaded on reload signal.
645 pid_file file path
647 Write a pid file to the file specified. If not given (the default),
648 no pid file will be written. If the pid file cannot be written,
649 mosquitto will exit. This option only has an effect is mosquitto is
650 run in daemon mode.
651 If mosquitto is being automatically started by an init script it
653 will usually be required to write a pid file. This should then be
654 configured as e.g. /var/run/mosquitto.pid
655 Not reloaded on reload signal.
657 psk_file file path
659 Set the path to a pre-shared-key file. This option requires a
660 listener to be have PSK support enabled. If defined, the contents
661 of the file are used to control client access to the broker. Each
662 line should be in the format "identity:key", where the key is a
663 hexadecimal string with no leading "0x". A client connecting to a
664 listener that has PSK support enabled must provide a matching
665 identity and PSK to allow the encrypted connection to proceed.
666 If per_listener_settings is true, this option applies to the
668 current listener being configured only. If per_listener_settings is
669 false, this option applies to all listeners.
670 Reloaded on reload signal. The currently loaded identity and key
672 data will be freed and reloaded. Clients that are already connected
673 will not be affected.
674 queue_qos0_messages [ true | false ]
676 Set to true to queue messages with QoS 0 when a persistent client
677 is disconnected. These messages are included in the limit imposed
678 by max_queued_messages. Defaults to false.
679 Note that the MQTT v3.1.1 spec states that only QoS 1 and 2
681 messages should be saved in this situation so this is a
682 non-standard option.
683 This option applies globally.
685 Reloaded on reload signal.
687 retain_available [ true | false ]
689 If set to false, then retained messages are not supported. Clients
690 that send a message with the retain bit will be disconnected if
691 this option is set to false. Defaults to true.
692 This option applies globally.
694 Reloaded on reload signal.
696 retained_persistence [ true | false ]
698 This is a synonym of the persistence option.
699 Reloaded on reload signal.
701 set_tcp_nodelay [ true | false ]
703 If set to true, the TCP_NODELAY option will be set on client
704 sockets to disable Nagle's algorithm. This has the effect of
705 reducing latency of some messages at potentially increasing the
706 number of TCP packets being sent. Defaults to false.
707 This option applies globally.
709 Reloaded on reload signal.
711 sys_interval seconds
713 The integer number of seconds between updates of the $SYS
714 subscription hierarchy, which provides status information about the
715 broker. If unset, defaults to 10 seconds.
716 Set to 0 to disable publishing the $SYS hierarchy completely.
718 This option applies globally.
720 Reloaded on reload signal.
722 upgrade_outgoing_qos [ true | false ]
724 The MQTT specification requires that the QoS of a message delivered
725 to a subscriber is never upgraded to match the QoS of the
726 subscription. Enabling this option changes this behaviour. If
727 upgrade_outgoing_qos is set true, messages sent to a subscriber
728 will always match the QoS of its subscription. This is a
729 non-standard option not provided for by the spec. Defaults to
730 false.
731 This option applies globally.
733 Reloaded on reload signal.
735 user username
737 When run as root, change to this user and its primary group on
738 startup. If mosquitto is unable to change to this user and group,
739 it will exit with an error. The user specified must have read/write
740 access to the persistence database if it is to be written, and read
741 access to certificate, password, and ACL files. If run as a
742 non-root user, this setting has no effect. Defaults to mosquitto.
743 This setting has no effect on Windows and so you should run
745 mosquitto as the user you wish it to run as.
746 Not reloaded on reload signal.
748
750 The network ports that mosquitto listens on can be controlled using
751 listeners. The default listener options can be overridden and further
752 listeners can be created.
753 General Options
755 bind_address address
756 Listen for incoming network connections on the specified IP
757 address/hostname only. This is useful to restrict access to certain
758 network interfaces. To restrict access to mosquitto to the local
759 host only, use "bind_address localhost". This only applies to the
760 default listener. Use the listener option to control other
761 listeners.
762 It is recommended to use an explicit listener rather than rely on
764 the implicit default listener options like this.
765 Not reloaded on reload signal.
767 bind_interface device
769 Listen for incoming network connections only on the specified
770 interface. This is similar to the bind_address option but is useful
771 when an interface has multiple addresses or the address may change.
772 It is valid to use this option together with bind_address for the
774 default listener, or the bind address/host part of the listener
775 definition. Care should be taken to ensure that the address being
776 bound to is on the interface being bound to. If you set the
777 bind_interface to be eth0, and bind_address to 127.0.0.1, then the
778 broker will start correctly but you will be unable to connect.
779 This option is currently only available on Linux, and requires
781 elevated privileges.
782 Not reloaded on reload signal.
784 http_dir directory
786 When a listener is using the websockets protocol, it is possible to
787 serve http data as well. Set http_dir to a directory which contains
788 the files you wish to serve. If this option is not specified, then
789 no normal http connections will be possible.
790 Not reloaded on reload signal.
792 listener port [bind address/host]
794 Listen for incoming network connection on the specified port. A
795 second optional argument allows the listener to be bound to a
796 specific ip address/hostname. If this variable is used and neither
797 the global bind_address nor port options are used then the default
798 listener will not be started.
799 The bind address/host option allows this listener to be bound to a
801 specific IP address by passing an IP address or hostname. For
802 websockets listeners, it is only possible to pass an IP address
803 here.
804 This option may be specified multiple times. See also the
806 mount_point option.
807 Not reloaded on reload signal.
809 max_connections count
811 Limit the total number of clients connected for the current
812 listener. Set to -1 to have "unlimited" connections. Note that
813 other limits may be imposed that are outside the control of
814 mosquitto. See e.g. limits.conf(5).
815 Not reloaded on reload signal.
817 maximum_qos count
819 Limit the QoS value allowed for clients connecting to this
820 listener. Defaults to 2, which means any QoS can be used. Set to 0
821 or 1 to limit to those QoS values. This makes use of an MQTT v5
822 feature to notify clients of the limitation. MQTT v3.1.1 clients
823 will not be aware of the limitation. Clients publshing to this
824 listener with a too-high QoS will be disconnected.
825 Not reloaded on reload signal.
827 max_topic_alias number
829 This option sets the maximum number topic aliases that an MQTT v5
830 client is allowed to create. This option applies per listener.
831 Defaults to 10. Set to 0 to disallow topic aliases. The maximum
832 value possible is 65535.
833 Not reloaded on reload signal.
835 mount_point topic prefix
837 This option is used with the listener option to isolate groups of
838 clients. When a client connects to a listener which uses this
839 option, the string argument is attached to the start of all topics
840 for this client. This prefix is removed when any messages are sent
841 to the client. This means a client connected to a listener with
842 mount point example can only see messages that are published in the
843 topic hierarchy example and below.
844 Not reloaded on reload signal.
846 port port number
848 Set the network port for the default listener to listen on.
849 Defaults to 1883.
850 Not reloaded on reload signal.
852 It is recommended to use an explicit listener rather than rely on
854 the implicit default listener options like this.
855 protocol value
857 Set the protocol to accept for the current listener. Can be mqtt,
858 the default, or websockets if available.
859 Websockets support is currently disabled by default at compile
861 time. Certificate based TLS may be used with websockets, except
862 that only the cafile, certfile, keyfile and ciphers options are
863 supported.
864 Not reloaded on reload signal.
866 socket_domain [ ipv4 | ipv6 ]
868 By default, a listener will attempt to listen on all supported IP
869 protocol versions. If you do not have an IPv4 or IPv6 interface you
870 may wish to disable support for either of those protocol versions.
871 In particular, note that due to the limitations of the websockets
872 library, it will only ever attempt to open IPv6 sockets if IPv6
873 support is compiled in, and so will fail if IPv6 is not available.
874 Set to ipv4 to force the listener to only use IPv4, or set to ipv6
876 to force the listener to only use IPv6. If you want support for
877 both IPv4 and IPv6, then do not use the socket_domain option.
878 Not reloaded on reload signal.
880 use_username_as_clientid [ true | false ]
882 Set use_username_as_clientid to true to replace the clientid that a
883 client connected with with its username. This allows authentication
884 to be tied to the clientid, which means that it is possible to
885 prevent one client disconnecting another by using the same
886 clientid. Defaults to false.
887 If a client connects with no username it will be disconnected as
889 not authorised when this option is set to true. Do not use in
890 conjunction with clientid_prefixes.
891 See also use_identity_as_username.
893 Not reloaded on reload signal.
895 websockets_log_level level
897 Change the websockets logging level. This is a global option, it is
898 not possible to set per listener. This is an integer that is
899 interpreted by libwebsockets as a bit mask for its lws_log_levels
900 enum. See the libwebsockets documentation for more details.
901 To use this option, log_type websockets must also be enabled.
903 Defaults to 0.
904 websockets_headers_size size
906 Change the websockets headers size. This is a global option, it is
907 not possible to set per listener. This option sets the size of the
908 buffer used in the libwebsockets library when reading HTTP headers.
909 If you are passing large header data such as cookies then you may
910 need to increase this value. If left unset, or set to 0, then the
911 default of 1024 bytes will be used.
912 Certificate based SSL/TLS Support
914 The following options are available for all listeners to configure
915 certificate based SSL support. See also "Pre-shared-key based SSL/TLS
916 support".
917 cafile file path
919 At least one of cafile or capath must be provided to enable SSL
920 support.
921 cafile is used to define the path to a file containing the PEM
923 encoded CA certificates that are trusted.
924 capath directory path
926 At least one of cafile or capath must be provided to enable SSL
927 support.
928 capath is used to define a directory that contains PEM encoded CA
930 certificates that are trusted. For capath to work correctly, the
931 certificates files must have ".pem" as the file ending and you must
932 run "openssl rehash <path to capath>" each time you add/remove a
933 certificate.
934 certfile file path
936 Path to the PEM encoded server certificate.
937 ciphers cipher:list
939 The list of allowed ciphers, each separated with a colon. Available
940 ciphers can be obtained using the "openssl ciphers" command.
941 crlfile file path
943 If you have require_certificate set to true, you can create a
944 certificate revocation list file to revoke access to particular
945 client certificates. If you have done this, use crlfile to point to
946 the PEM encoded revocation file.
947 dhparamfile file path
949 To allow the use of ephemeral DH key exchange, which provides
950 forward security, the listener must load DH parameters. This can be
951 specified with the dhparamfile option. The dhparamfile can be
952 generated with the command e.g.
953 openssl dhparam -out dhparam.pem 2048
955 keyfile file path
957 Path to the PEM encoded keyfile.
958 require_certificate [ true | false ]
960 By default an SSL/TLS enabled listener will operate in a similar
961 fashion to a https enabled web server, in that the server has a
962 certificate signed by a CA and the client will verify that it is a
963 trusted certificate. The overall aim is encryption of the network
964 traffic. By setting require_certificate to true, a client
965 connecting to this listener must provide a valid certificate in
966 order for the network connection to proceed. This allows access to
967 the broker to be controlled outside of the mechanisms provided by
968 MQTT.
969 tls_engine engine
971 A valid openssl engine id. These can be listed with openssl engine
972 command.
973 tls_engine_kpass_sha1 engine_kpass_sha1
975 SHA1 of the private key password when using an TLS engine. Some TLS
976 engines such as the TPM engine may require the use of a password in
977 order to be accessed. This option allows a hex encoded SHA1 hash of
978 the password to the engine directly, instead of the user being
979 prompted for the password.
980 tls_keyform [ pem | engine ]
982 Specifies the type of private key in use when making TLS
983 connections.. This can be "pem" or "engine". This parameter is
984 useful when a TPM module is being used and the private key has been
985 created with it. Defaults to "pem", which means normal private key
986 files are used.
987 tls_version version
989 Configure the version of the TLS protocol to be used for this
990 listener. Possible values are tlsv1.3, tlsv1.2 and tlsv1.1. If left
991 unset, the default of allowing all of TLS v1.3, v1.2 and v1.1 is
992 used.
993 use_identity_as_username [ true | false ]
995 If require_certificate is true, you may set
996 use_identity_as_username to true to use the CN value from the
997 client certificate as a username. If this is true, the
998 password_file option will not be used for this listener.
999 This takes priority over use_subject_as_username if both are set to
1001 true.
1002 See also use_subject_as_username
1004 use_subject_as_username [ true | false ]
1006 If require_certificate is true, you may set use_subject_as_username
1007 to true to use the complete subject value from the client
1008 certificate as a username. If this is true, the password_file
1009 option will not be used for this listener.
1010 The subject will be generated in a form similar to CN=test
1012 client,OU=Production,O=Server,L=Nottingham,ST=Nottinghamshire,C=GB.
1013 See also use_identity_as_username
1015 Pre-shared-key based SSL/TLS Support
1017 The following options are available for all listeners to configure
1018 pre-shared-key based SSL support. See also "Certificate based SSL/TLS
1019 support".
1020 ciphers cipher:list
1022 When using PSK, the encryption ciphers used will be chosen from the
1023 list of available PSK ciphers. If you want to control which ciphers
1024 are available, use this option. The list of available ciphers can
1025 be optained using the "openssl ciphers" command and should be
1026 provided in the same format as the output of that command.
1027 psk_hint hint
1029 The psk_hint option enables pre-shared-key support for this
1030 listener and also acts as an identifier for this listener. The hint
1031 is sent to clients and may be used locally to aid authentication.
1032 The hint is a free form string that doesn't have much meaning in
1033 itself, so feel free to be creative.
1034 If this option is provided, see psk_file to define the pre-shared
1036 keys to be used or create a security plugin to handle them.
1037 tls_version version
1039 Configure the version of the TLS protocol to be used for this
1040 listener. Possible values are tlsv1.3, tlsv1.2 and tlsv1.1. If left
1041 unset, the default of allowing all of TLS v1.3, v1.2 and v1.1 is
1042 used.
1043 use_identity_as_username [ true | false ]
1045 Set use_identity_as_username to have the psk identity sent by the
1046 client used as its username. The username will be checked as
1047 normal, so password_file or another means of authentication
1048 checking must be used. No password will be used.
1049
1051 Multiple bridges (connections to other brokers) can be configured using
1052 the following variables.
1053 Bridges cannot currently be reloaded on reload signal.
1055 address address[:port] [address[:port]], addresses address[:port]
1057 [address[:port]]
1058 Specify the address and optionally the port of the bridge to
1059 connect to. This must be given for each bridge connection. If the
1060 port is not specified, the default of 1883 is used.
1061 If you use an IPv6 address, then the port is not optional.
1063 Multiple host addresses can be specified on the address config. See
1065 the round_robin option for more details on the behaviour of bridges
1066 with multiple addresses.
1067 bridge_attempt_unsubscribe [ true | false ]
1069 If a bridge has topics that have "out" direction, the default
1070 behaviour is to send an unsubscribe request to the remote broker on
1071 that topic. This means that changing a topic direction from "in" to
1072 "out" will not keep receiving incoming messages. Sending these
1073 unsubscribe requests is not always desirable, setting
1074 bridge_attempt_unsubscribe to false will disable sending the
1075 unsubscribe request. Defaults to true.
1076 bridge_protocol_version version
1078 Set the version of the MQTT protocol to use with for this bridge.
1079 Can be one of mqttv31 or mqttv311. Defaults to mqttv31.
1080 cleansession [ true | false ]
1082 Set the clean session option for this bridge. Setting to false (the
1083 default), means that all subscriptions on the remote broker are
1084 kept in case of the network connection dropping. If set to true,
1085 all subscriptions and messages on the remote broker will be cleaned
1086 up if the connection drops. Note that setting to true may cause a
1087 large amount of retained messages to be sent each time the bridge
1088 reconnects.
1089 If you are using bridges with cleansession set to false (the
1091 default), then you may get unexpected behaviour from incoming
1092 topics if you change what topics you are subscribing to. This is
1093 because the remote broker keeps the subscription for the old topic.
1094 If you have this problem, connect your bridge with cleansession set
1095 to true, then reconnect with cleansession set to false as normal.
1096 connection name
1098 This variable marks the start of a new bridge connection. It is
1099 also used to give the bridge a name which is used as the client id
1100 on the remote broker.
1101 keepalive_interval seconds
1103 Set the number of seconds after which the bridge should send a ping
1104 if no other traffic has occurred. Defaults to 60. A minimum value
1105 of 5 seconds is allowed.
1106 idle_timeout seconds
1108 Set the amount of time a bridge using the lazy start type must be
1109 idle before it will be stopped. Defaults to 60 seconds.
1110 local_clientid id
1112 Set the clientid to use on the local broker. If not defined, this
1113 defaults to local.<remote_clientid>. If you are bridging a broker
1114 to itself, it is important that local_clientid and remote_clientid
1115 do not match.
1116 local_password password
1118 Configure the password to be used when connecting this bridge to
1119 the local broker. This may be important when authentication and
1120 ACLs are being used.
1121 local_username username
1123 Configure the username to be used when connecting this bridge to
1124 the local broker. This may be important when authentication and
1125 ACLs are being used.
1126 notifications [ true | false ]
1128 If set to true, publish notification messages to the local and
1129 remote brokers giving information about the state of the bridge
1130 connection. Retained messages are published to the topic
1131 $SYS/broker/connection/<remote_clientid>/state unless otherwise set
1132 with notification_topics. If the message is 1 then the connection
1133 is active, or 0 if the connection has failed. Defaults to true.
1134 This uses the Last Will and Testament (LWT) feature.
1136 notifications_local_only [ true | false ]
1138 If set to true, only publish notification messages to the local
1139 broker giving information about the state of the bridge connection.
1140 Defaults to false.
1141 notification_topic topic
1143 Choose the topic on which notifications will be published for this
1144 bridge. If not set the messages will be sent on the topic
1145 $SYS/broker/connection/<remote_clientid>/state.
1146 remote_clientid id
1148 Set the client id for this bridge connection. If not defined, this
1149 defaults to 'name.hostname', where name is the connection name and
1150 hostname is the hostname of this computer.
1151 This replaces the old "clientid" option to avoid confusion with
1153 local/remote sides of the bridge. "clientid" remains valid for the
1154 time being.
1155 remote_password value
1157 Configure a password for the bridge. This is used for
1158 authentication purposes when connecting to a broker that supports
1159 MQTT v3.1 and up and requires a username and/or password to
1160 connect. This option is only valid if a remote_username is also
1161 supplied.
1162 This replaces the old "password" option to avoid confusion with
1164 local/remote sides of the bridge. "password" remains valid for the
1165 time being.
1166 remote_username name
1168 Configure a username for the bridge. This is used for
1169 authentication purposes when connecting to a broker that supports
1170 MQTT v3.1 and up and requires a username and/or password to
1171 connect. See also the remote_password option.
1172 This replaces the old "username" option to avoid confusion with
1174 local/remote sides of the bridge. "username" remains valid for the
1175 time being.
1176 restart_timeout base cap, restart_timeout constant
1178 Set the amount of time a bridge using the automatic start type will
1179 wait until attempting to reconnect.
1180 This option can be configured to use a constant delay time in
1182 seconds, or to use a backoff mechanism based on "Decorrelated
1183 Jitter", which adds a degree of randomness to when the restart
1184 occurs, starting at the base and increasing up to the cap. Set a
1185 constant timeout of 20 seconds:
1186 restart_timeout 20
1188 Set backoff with a base (start value) of 10 seconds and a cap
1190 (upper limit) of 60 seconds:
1191 restart_timeout 10 30
1193 Defaults to jitter with a base of 5 seconds and cap of 30 seconds.
1195 round_robin [ true | false ]
1197 If the bridge has more than one address given in the
1198 address/addresses configuration, the round_robin option defines the
1199 behaviour of the bridge on a failure of the bridge connection. If
1200 round_robin is false, the default value, then the first address is
1201 treated as the main bridge connection. If the connection fails, the
1202 other secondary addresses will be attempted in turn. Whilst
1203 connected to a secondary bridge, the bridge will periodically
1204 attempt to reconnect to the main bridge until successful.
1205 If round_robin is true, then all addresses are treated as equals.
1207 If a connection fails, the next address will be tried and if
1208 successful will remain connected until it fails.
1209 start_type [ automatic | lazy | once ]
1211 Set the start type of the bridge. This controls how the bridge
1212 starts and can be one of three types: automatic, lazy and once.
1213 Note that RSMB provides a fourth start type "manual" which isn't
1214 currently supported by mosquitto.
1215 automatic is the default start type and means that the bridge
1217 connection will be started automatically when the broker starts and
1218 also restarted after a short delay (30 seconds) if the connection
1219 fails.
1220 Bridges using the lazy start type will be started automatically
1222 when the number of queued messages exceeds the number set with the
1223 threshold option. It will be stopped automatically after the time
1224 set by the idle_timeout parameter. Use this start type if you wish
1225 the connection to only be active when it is needed.
1226 A bridge using the once start type will be started automatically
1228 when the broker starts but will not be restarted if the connection
1229 fails.
1230 threshold count
1232 Set the number of messages that need to be queued for a bridge with
1233 lazy start type to be restarted. Defaults to 10 messages.
1234 topic pattern [[[ out | in | both ] qos-level] local-prefix
1236 remote-prefix]
1237 Define a topic pattern to be shared between the two brokers. Any
1238 topics matching the pattern (which may include wildcards) are
1239 shared. The second parameter defines the direction that the
1240 messages will be shared in, so it is possible to import messages
1241 from a remote broker using in, export messages to a remote broker
1242 using out or share messages in both directions. If this parameter
1243 is not defined, the default of out is used. The QoS level defines
1244 the publish/subscribe QoS level used for this topic and defaults to
1245 0.
1246 The local-prefix and remote-prefix options allow topics to be
1248 remapped when publishing to and receiving from remote brokers. This
1249 allows a topic tree from the local broker to be inserted into the
1250 topic tree of the remote broker at an appropriate place.
1251 For incoming topics, the bridge will prepend the pattern with the
1253 remote prefix and subscribe to the resulting topic on the remote
1254 broker. When a matching incoming message is received, the remote
1255 prefix will be removed from the topic and then the local prefix
1256 added.
1257 For outgoing topics, the bridge will prepend the pattern with the
1259 local prefix and subscribe to the resulting topic on the local
1260 broker. When an outgoing message is processed, the local prefix
1261 will be removed from the topic then the remote prefix added.
1262 When using topic mapping, an empty prefix can be defined using the
1264 place marker "". Using the empty marker for the topic itself is
1265 also valid. The table below defines what combination of empty or
1266 value is valid. The Full Local Topic and Full Remote Topic show the
1267 resulting topics that would be used on the local and remote ends of
1268 the bridge. For example, for the first table row if you publish to
1269 L/topic on the local broker, then the remote broker will receive a
1270 message on the topic R/topic.
1271 ┌────────┬────────┬────────┬─────────────┬────────────┬─────────────┐
1273 │Pattern │ Local │ Remote │ Validity │ Full Local │ Full Remote │
1274 │ │ Prefix │ Prefix │ │ Topic │ Topic │
1275 ├────────┼────────┼────────┼─────────────┼────────────┼─────────────┤
1276 │pattern │ L/ │ R/ │ valid │ L/pattern │ R/pattern │
1277 ├────────┼────────┼────────┼─────────────┼────────────┼─────────────┤
1278 │pattern │ L/ │ "" │ valid │ L/pattern │ pattern │
1279 ├────────┼────────┼────────┼─────────────┼────────────┼─────────────┤
1280 │pattern │ "" │ R/ │ valid │ pattern │ R/pattern │
1281 ├────────┼────────┼────────┼─────────────┼────────────┼─────────────┤
1282 │pattern │ "" │ "" │ valid (no │ pattern │ pattern │
1283 │ │ │ │ remapping) │ │ │
1284 ├────────┼────────┼────────┼─────────────┼────────────┼─────────────┤
1285 │"" │ local │ remote │ valid │ local │ remote │
1286 │ │ │ │ (remap │ │ │
1287 │ │ │ │ single │ │ │
1288 │ │ │ │ local topic │ │ │
1289 │ │ │ │ to remote) │ │ │
1290 ├────────┼────────┼────────┼─────────────┼────────────┼─────────────┤
1291 │"" │ local │ "" │ invalid │ │ │
1292 ├────────┼────────┼────────┼─────────────┼────────────┼─────────────┤
1293 │"" │ "" │ remote │ invalid │ │ │
1294 ├────────┼────────┼────────┼─────────────┼────────────┼─────────────┤
1295 │"" │ "" │ "" │ invalid │ │ │
1296 └────────┴────────┴────────┴─────────────┴────────────┴─────────────┘
1297 To remap an entire topic tree, use e.g.:
1298 topic # both 2 local/topic/ remote/topic/
1300 This option can be specified multiple times per bridge.
1302 Care must be taken to ensure that loops are not created with this
1304 option. If you are experiencing high CPU load from a broker, it is
1305 possible that you have a loop where each broker is forever
1306 forwarding each other the same messages.
1307 See also the cleansession option if you have messages arriving on
1309 unexpected topics when using incoming topics.
1310 Example Bridge Topic Remapping. The configuration below connects a
1312 bridge to the broker at test.mosquitto.org. It subscribes to the
1313 remote topic $SYS/broker/clients/total and republishes the messages
1314 received to the local topic test/mosquitto/org/clients/total
1315 connection test-mosquitto-org
1317 address test.mosquitto.org
1318 cleansession true
1319 topic clients/total in 0 test/mosquitto/org $SYS/broker/
1320 try_private [ true | false ]
1322 If try_private is set to true, the bridge will attempt to indicate
1323 to the remote broker that it is a bridge not an ordinary client. If
1324 successful, this means that loop detection will be more effective
1325 and that retained messages will be propagated correctly. Not all
1326 brokers support this feature so it may be necessary to set
1327 try_private to false if your bridge does not connect properly.
1328 Defaults to true.
1330 SSL/TLS Support
1332 The following options are available for all bridges to configure
1333 SSL/TLS support.
1334 bridge_alpn alpn
1336 Configure the application layer protocol negotiation option for the
1337 TLS session. Useful for brokers that support both websockets and
1338 MQTT on the same port.
1339 bridge_cafile file path
1341 One of bridge_cafile or bridge_capath must be provided to allow
1342 SSL/TLS support.
1343 bridge_cafile is used to define the path to a file containing the
1345 PEM encoded CA certificates that have signed the certificate for
1346 the remote broker.
1347 bridge_capath file path
1349 One of bridge_capath or bridge_cafile must be provided to allow
1350 SSL/TLS support.
1351 bridge_capath is used to define the path to a directory containing
1353 the PEM encoded CA certificates that have signed the certificate
1354 for the remote broker. For bridge_capath to work correctly, the
1355 certificate files must have ".crt" as the file ending and you must
1356 run "openssl rehash <path to bridge_capath>" each time you
1357 add/remove a certificate.
1358 bridge_certfile file path
1360 Path to the PEM encoded client certificate for this bridge, if
1361 required by the remote broker.
1362 bridge_identity identity
1364 Pre-shared-key encryption provides an alternative to certificate
1365 based encryption. A bridge can be configured to use PSK with the
1366 bridge_identity and bridge_psk options. This is the client identity
1367 used with PSK encryption. Only one of certificate and PSK based
1368 encryption can be used on one bridge at once.
1369 bridge_insecure [ true | false ]
1371 When using certificate based TLS, the bridge will attempt to verify
1372 the hostname provided in the remote certificate matches the
1373 host/address being connected to. This may cause problems in testing
1374 scenarios, so bridge_insecure may be set to false to disable the
1375 hostname verification.
1376 Setting this option to true means that a malicious third party
1378 could potentially inpersonate your server, so it should always be
1379 set to false in production environments.
1380 bridge_keyfile file path
1382 Path to the PEM encoded private key for this bridge, if required by
1383 the remote broker.
1384 bridge_psk key
1386 Pre-shared-key encryption provides an alternative to certificate
1387 based encryption. A bridge can be configured to use PSK with the
1388 bridge_identity and bridge_psk options. This is the pre-shared-key
1389 in hexadecimal format with no "0x". Only one of certificate and PSK
1390 based encryption can be used on one bridge at once.
1391 bridge_require_ocsp [ true | false ]
1393 When set to true, the bridge requires OCSP on the TLS connection it
1394 opens as client.
1395 bridge_tls_version version
1397 Configure the version of the TLS protocol to be used for this
1398 bridge. Possible values are tlsv1.3, tlsv1.2 and tlsv1.1. Defaults
1399 to tlsv1.2. The remote broker must support the same version of TLS
1400 for the connection to succeed.
1401
1403 mosquitto.conf
1404
1406 mosquitto bug information can be found at
1407 https://github.com/eclipse/mosquitto/issues
1408
1410 mosquitto(8), mosquitto_passwd(1), mosquitto-tls(7), mqtt(7),
1411 limits.conf(5)
1412
1414 Roger Light <roger@atchoo.org>
1415Mosquitto Project 11/28/2019 MOSQUITTO.CONF(5)