1 IMAPD.CONF(5) Cyrus IMAP IMAPD.CONF(5)
2
3
4
6 imapd.conf - Cyrus IMAP documentation
7
8 IMAP configuration file
9
11 /etc/imapd.conf is the configuration file for the Cyrus IMAP server.
12 It defines local parameters for IMAP.
13
14 Each line of the /etc/imapd.conf file has the form
15 option: value
16
17 where option is the name of the configuration option being set and
18 value is the value that the configuration option is being set to.
19
20 Although there is no limit to the length of a line, a ``\'' (back‐
21 slash) character may be used as the last character on a line to
22 force it to continue on the next one. No additional whitespace is
23 inserted before or after the ``\''. Note that a line that is split
24 using ``\'' character(s) is still considered a single line.
25
26 For example
27 option:\
28 value1 value2 \
29 value3
30
31 is equivalent to
32 option: value1 value2 value3
33
34 Blank lines and lines beginning with ``#'' are ignored.
35
36 For boolean and enumerated options, the values ``yes'', ``on'',
37 ``t'', ``true'' and ``1'' turn the option on, the values ``no'',
38 ``off'', ``f'', ``false'' and ``0'' turn the option off.
39
41 The sections below detail options that can be placed in the
42 /etc/imapd.conf file, and show each option's default value. Some
43 options have no default value; these are listed with ``<no
44 default>''. Some options default to the empty string; these are
45 listed with ``<none>''.
46
47 addressbookprefix: #addressbooks
48 The prefix for the addressbook mailboxes hierarchies. The hier‐
49 archy delimiter will be automatically appended. The public
50 addressbook hierarchy will be at the toplevel of the shared
51 namespace. A user's personal addressbook hierarchy will be a
52 child of their Inbox.
53
54 admins: <empty string>
55 The list of userids with administrative rights. Separate each
56 userid with a space. Sites using Kerberos authentication may
57 use separate "admin" instances.
58
59 Note that accounts used by users should not be administrators.
60 Administrative accounts should not receive mail. That is, if
61 user "jbRo" is a user reading mail, he should not also be in the
62 admins line. Some problems may occur otherwise, most notably
63 the ability of administrators to create top-level mailboxes vis‐
64 ible to users, but not writable by users.
65
66 afspts_localrealms: <none>
67 The list of realms which are to be treated as local, and thus
68 stripped during identifier canonicalization (for the AFSPTS
69 ptloader module). This is different from loginrealms in that it
70 occurs later in the authorization process (as the user id is
71 canonified for PTS lookup).
72
73 afspts_mycell: <none>
74 Cell to use for AFS PTS lookups. Defaults to the local cell.
75
76 allowallsubscribe: 0
77 Allow subscription to nonexistent mailboxes. This option is
78 typically used on backend servers in a Murder so that users can
79 subscribe to mailboxes that don't reside on their "home" server.
80 This option can also be used as a workaround for IMAP clients
81 which don't play well with nonexistent or unselectable mailboxes
82 (e.g., Microsoft Outlook).
83
84 allowanonymouslogin: 0
85 Permit logins by the user "anonymous" using any password. Also
86 allows use of the SASL ANONYMOUS mechanism.
87
88 allowapop: 1
89 Allow use of the POP3 APOP authentication command.
90
91 Note that this command requires that SASL is compiled with APOP
92 support, that the plaintext passwords are available in a SASL
93 auxprop backend (e.g., sasldb), and that the system can provide
94 enough entropy (e.g., from /dev/urandom) to create a challenge
95 in the banner.
96
97 allownewnews: 0
98 Allow use of the NNTP NEWNEWS command.
99
100 Note that this is a very expensive command and should only be
101 enabled when absolutely necessary.
102
103 allowplaintext: 0
104 If enabled, allows the use of cleartext passwords on the wire.
105
106 By default, the use of cleartext passwords requires a TLS/SSL
107 encryption layer to be negotiated prior to any cleartext authen‐
108 tication mechanisms being advertised or allowed. To require a
109 TLS/SSL encryption layer to be negotiated prior to ANY authenti‐
110 cation, see the tls_required option.
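
The file syntax described at the top of this page (continuation lines, comments, boolean spellings) and the admins, allowanonymouslogin, allowapop and allowplaintext descriptions above can be checked mechanically. The following is an added example, not part of the Cyrus documentation or code: the sample configuration, the mail_users parameter and the function names are constructed for illustration, and case-insensitive booleans and leading whitespace before ``#'' are assumptions.

```python
# Added example: parse imapd.conf syntax as this page describes it and
# flag authentication settings that the page itself calls out.

TRUE_WORDS = {"yes", "on", "t", "true", "1"}
FALSE_WORDS = {"no", "off", "f", "false", "0"}

# Defaults copied from the option descriptions on this page.
DEFAULTS = {
    "admins": "",
    "allowanonymouslogin": "0",
    "allowapop": "1",
    "allowplaintext": "0",
}

# Constructed sample, not a recommended configuration.
SAMPLE_CONF = """\
# constructed sample
configdirectory: /var/lib/imap
admins: cyrus \\
jbRo
allowplaintext: yes
allowanonymouslogin: off

allowapop:\\
 0
"""


def parse_imapd_conf(text):
    """Return {option: value} for text written in imapd.conf syntax."""
    # Join continued physical lines first: the trailing backslash is dropped
    # and no whitespace is inserted in its place.
    logical, pending = [], ""
    for raw in text.split("\n"):
        if raw.endswith("\\"):
            pending += raw[:-1]
            continue
        logical.append(pending + raw)
        pending = ""
    if pending:
        logical.append(pending)  # input ended on a continuation

    options = {}
    for line in logical:
        stripped = line.strip()
        # Assumption: whitespace before '#' does not stop it being a comment.
        if not stripped or stripped.startswith("#"):
            continue
        name, sep, value = stripped.partition(":")
        if not sep:
            raise ValueError(f"not in 'option: value' form: {line!r}")
        options[name.strip()] = value.strip()
    return options


def as_bool(options, name):
    """Interpret a boolean option, falling back to the documented default."""
    value = options.get(name, DEFAULTS[name]).lower()  # assumption: any case
    if value in TRUE_WORDS:
        return True
    if value in FALSE_WORDS:
        return False
    raise ValueError(f"{name}: {value!r} is not a boolean value")


def audit(options, mail_users=()):
    """Return (option, finding) pairs; mail_users is a hypothetical input
    listing userids that read mail on this server."""
    findings = []
    if as_bool(options, "allowplaintext"):
        findings.append(("allowplaintext",
                         "cleartext passwords are allowed on the wire"))
    if as_bool(options, "allowanonymouslogin"):
        findings.append(("allowanonymouslogin",
                         'user "anonymous" may log in with any password'))
    if as_bool(options, "allowapop"):
        findings.append(("allowapop",
                         "APOP needs plaintext passwords in a SASL auxprop backend"))
    for userid in options.get("admins", DEFAULTS["admins"]).split():
        if userid in mail_users:
            findings.append(("admins",
                             f"{userid} is an administrator and also reads mail"))
    return findings


if __name__ == "__main__":
    for option, finding in audit(parse_imapd_conf(SAMPLE_CONF), {"jbRo"}):
        print(f"{option}: {finding}")
```

Running audit() on an empty dictionary reports what the defaults listed on this page imply, which here is only the allowapop finding.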
111
112 allowusermoves: 0
113 Allow moving user accounts (with associated meta-data) via
114 RENAME or XFER.
115
116 Note that measures should be taken to make sure that the user
117 being moved is not logged in, and cannot log in during the move.
118 Failure to do so may result in the user's meta-data (seen state,
119 subscriptions, etc) being corrupted or out of date.
120
121 altnamespace: 1
122 Use the alternate IMAP namespace, where personal folders reside
123 at the same level in the hierarchy as INBOX.
124
125 This option ONLY applies where interaction takes place with the
126 client/user. Currently this is limited to the IMAP protocol
127 (imapd) and Sieve scripts (lmtpd). This option does NOT apply
128 to admin tools such as cyradm (admins ONLY), reconstruct, quota,
129 etc., NOR does it affect LMTP delivery of messages directly to
130 mailboxes via plus-addressing. The default changed in 3.0 from
131 off to on.
132
133 altprefix: Alt Folders
134 Alternative INBOX spellings that can't be accessed in altnames‐
135 pace otherwise go under here
136
137 annotation_db: twoskip
138 The cyrusdb backend to use for mailbox annotations.
139
140 Allowed values: skiplist, twoskip, lmdb
141
142 annotation_db_path: <none>
143 The absolute path to the annotations db file. If not specified,
144 will be configdirectory/annotations.db
145
146 anyoneuseracl: 1
147 Should non-admin users be allowed to set ACLs for the 'anyone'
148 user on their mailboxes? In a large organization this can cause
149 support problems, but it's enabled by default.
150
151 annotation_allow_undefined: 0
152 Allow clients to store values for entries which are not defined
153 either by Cyrus or in the annotation_definitions file.
154
155 annotation_definitions: <none>
156 File containing external (third-party) annotation definitions.
157
158 Each line of the file specifies the properties of an annotation
159 and has the following form:
160 name, scope, attrib-type, proxy-type, attrib-names, acl
161
162 name is the hierarchical name as in RFC 5257 or RFC 5464 (in
163 the latter case, without the leading /shared or /pri‐
164 vate). For example, /vendor/acme/blurdybloop.
165
166 scope specifies whether the annotation is for the server, a
167 mailbox, or a message.
168
169 attrib-type
170 specifies the attribute data type, which is used only
171 to check the string value passed by clients when set‐
172 ting annotations. The attrib-type is one of:
173
174 string any value is accepted.
175
176 content-type
177 this obsolete data type, which was useful for
178 early drafts of the standard, is accepted but
179 silently translated to string.
180
181 boolean
182 only the strings "true" or "false" are accepted.
183 Checking is case-insensitive but the value is
184 forced to lowercase.
185
186 int integers are accepted.
187
188 uint non-negative integers are accepted.
189
190 proxy-type
191 specifies whether this attribute is for the backend or
192 proxy servers or both (proxy_and_backend)
193
194 attrib-names
195 is the space-separated list of available attributes for
196 the annotation. Possible attribute names are
197 value.shared, value.priv, and value (which permits both
198 value.priv and value.shared). The attribute names size,
199 size.shared, and size.priv are accepted but ignored;
200 these attributes are automatically provided by the server
201 if the corresponding value attribute is specified. Some
202 obsolete attributes, which were defined in early drafts of
203 the standard, are accepted and ignored with a warning.
204
205 extra-permissions
206 is the extra ACL permission bits required for setting
207 this annotation, in standard IMAP ACL permission bit
208 string format. Note that this is in addition to the per‐
209 mission bits specified in RFC 5257 and RFC 5464, so leav‐
210 ing this field empty is harmless. Note also that there
211 is no way to specify that an annotation can only be set
212 by an admin user; in particular the a permission bit does
213 not achieve this.
214
215 Blank lines and lines beginning with ``#'' are ignored.
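
A validator for the annotation_definitions format described above, as an added example that is not part of the Cyrus documentation or code. The sample definitions are constructed; the literal scope tokens (server, mailbox, message) and proxy-type tokens (backend, proxy), the integer syntax, and rejecting unknown attribute names (the obsolete names are not listed on this page) are assumptions.

```python
# Added example: check annotation_definitions lines and the values clients
# would store, following the field descriptions on this page.
import re

SCOPES = {"server", "mailbox", "message"}                 # assumed tokens
PROXY_TYPES = {"backend", "proxy", "proxy_and_backend"}   # assumed tokens
ATTRIB_TYPES = {"string", "content-type", "boolean", "int", "uint"}
SIZE_ATTRIBS = {"size", "size.shared", "size.priv"}       # accepted, ignored

# Constructed sample definitions.
SAMPLE_DEFINITIONS = """\
# constructed sample
/vendor/acme/blurdybloop, mailbox, boolean, backend, value.shared,
/vendor/acme/retries, message, uint, proxy_and_backend, value size, a
/vendor/acme/legacy, server, content-type, proxy, value.priv,
"""


def parse_definition(line):
    """Parse 'name, scope, attrib-type, proxy-type, attrib-names, acl'."""
    fields = [field.strip() for field in line.split(",")]
    if len(fields) != 6:
        raise ValueError(f"expected 6 comma-separated fields: {line!r}")
    name, scope, attrib_type, proxy_type, attrib_names, acl = fields
    if not name.startswith("/"):
        raise ValueError(f"name is not hierarchical: {name!r}")
    if scope not in SCOPES:
        raise ValueError(f"unknown scope: {scope!r}")
    if attrib_type not in ATTRIB_TYPES:
        raise ValueError(f"unknown attrib-type: {attrib_type!r}")
    if proxy_type not in PROXY_TYPES:
        raise ValueError(f"unknown proxy-type: {proxy_type!r}")

    if attrib_type == "content-type":
        attrib_type = "string"        # obsolete type, translated to string

    attribs = set()
    for attrib in attrib_names.split():
        if attrib in SIZE_ATTRIBS:
            continue                  # provided by the server automatically
        if attrib == "value":
            attribs.update(("value.shared", "value.priv"))
        elif attrib in ("value.shared", "value.priv"):
            attribs.add(attrib)
        else:
            raise ValueError(f"unknown attribute name: {attrib!r}")

    warnings = []
    if "a" in acl:
        # Per this page, the 'a' bit does not make an annotation admin-only.
        warnings.append("the 'a' bit does not restrict setting to admin users")
    return {"name": name, "scope": scope, "attrib_type": attrib_type,
            "proxy_type": proxy_type, "attribs": attribs, "acl": acl,
            "warnings": warnings}


def parse_definitions(text):
    """Return {name: definition}; blank lines and '#' lines are ignored."""
    definitions = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        definition = parse_definition(line)
        definitions[definition["name"]] = definition
    return definitions


def check_value(attrib_type, value):
    """Return the value as it would be stored, or raise ValueError."""
    if attrib_type == "boolean":
        lowered = value.lower()       # checked case-insensitively
        if lowered not in ("true", "false"):
            raise ValueError(f"not a boolean: {value!r}")
        return lowered                # forced to lowercase
    if attrib_type == "int" and not re.fullmatch(r"-?[0-9]+", value):
        raise ValueError(f"not an integer: {value!r}")
    if attrib_type == "uint" and not re.fullmatch(r"[0-9]+", value):
        raise ValueError(f"not a non-negative integer: {value!r}")
    return value                      # string: any value is accepted


if __name__ == "__main__":
    for name, definition in parse_definitions(SAMPLE_DEFINITIONS).items():
        print(name, definition["attrib_type"], sorted(definition["attribs"]),
              definition["warnings"])
```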
216
217 annotation_callout: <none>
218 The pathname of a callout to be used to automatically add anno‐
219 tations or flags to a message when it is appended to a mailbox.
220 The path can be either an executable (including a script), or a
221 UNIX domain socket.
222
223 aps_topic: <none>
224 Topic for Apple Push Service registration.
225
226 aps_topic_caldav: <none>
227 Topic for Apple Push Service registration for CalDAV.
228
229 aps_topic_carddav: <none>
230 Topic for Apple Push Service registration for CardDAV.
231
232 archive_enabled: 0
233 Is archiving enabled for this server. You also need to have an
234 archivepartition for the mailbox. Archiving allows older email
235 to be stored on slower, cheaper disks - even within the same
236 mailbox, as distinct from partitions.
237
238 archive_days: 7
239 The number of days after which to move messages to the archive
240 partition if archiving is enabled
241
242 archive_maxsize: 1024
243 The size in kilobytes of the largest message that won't be
244 archived immediately. Default is 1Mb
245
246 archive_keepflagged: 0
247 If set, messages with the \Flagged system flag won't be
248 archived, provided they are smaller than archive_maxsize.
249
250 archivepartition-name: <none>
251 The pathname of the archive partition name, corresponding to
252 spool partition partition-name. For any mailbox residing in a
253 directory on partition-name, the archived messages will be
254 stored in a corresponding directory on archivepartition-name.
255 Note that not every partition-name option is strictly required
256 to have a corresponding archivepartition-name option, but that
257 without one there's no benefit to enabling archiving.
258
259 auditlog: 0
260 Should cyrus output log entries for every action taken on a mes‐
261 sage file or mailboxes list entry? It's noisy so disabled by
262 default, but can be very useful for tracking down what happened
263 if things look strange
264
265 auth_mech: unix
266 The authorization mechanism to use.
267
268 Allowed values: unix, pts, krb, krb5
269
270 autocreateinboxfolders: <none>
271 Deprecated in favor of autocreate_inbox_folders.
272
273 autocreatequota: 0
274 Deprecated in favor of autocreate_quota.
275
276 autocreatequotamsg: -1
277 Deprecated in favor of autocreate_quota_messages.
278
279 autosievefolders: <none>
280 Deprecated in favor of autocreate_sieve_folders.
281
282 generate_compiled_sieve_script: 0
283 Deprecated in favor of autocreate_sieve_script_compile.
284
285 autocreate_sieve_compiled_script: <none>
286 Deprecated in favor of autocreate_sieve_script_compiled.
287
288 autosubscribeinboxfolders: <none>
289 Deprecated in favor of autocreate_subscribe_folders.
290
291 autosubscribesharedfolders: <none>
292 Deprecated in favor of autocreate_subscribe_sharedfolders.
293
294 autosubscribe_all_sharedfolders: 0
295 Deprecated in favor of autocreate_subscribe_sharedfolders_all.
296
297 autocreate_inbox_folders: <none>
298 If a user does not have an INBOX already, and the INBOX is to be
299 created, create the list of folders in this setting as well.
300 autocreate_inbox_folders is a list of INBOX's subfolders sepa‐
301 rated by a "|", that are automatically created by the server
302 under the following two scenarios. Leading and trailing white‐
303 space is stripped, so "Junk | Trash" results in two folders:
304 "Junk" and "Trash". See also the xlist-flag option, for setting
305 special-use flags on autocreated folders.
306
307 INBOX folders are created under both the following conditions:
308
309 1. The user logs in via the IMAP or the POP3 protocol. The
310 autocreate_quota option must have a value of zero or greater.
311
312 2. A message arrives for the user through the lmtpd(8).
313 autocreate_post option must be enabled.
314
315 autocreate_post: 0
316 If enabled, when lmtpd(8) receives an incoming mail for an INBOX
317 that does not exist, then the INBOX is automatically created by
318 lmtpd(8) and delivery of the message continues.
319
320 autocreate_quota: -1
321 If set to a value of zero or higher, users have their INBOX
322 folders created upon a successful login event or upon lmtpd(8)
323 message delivery if autocreate_post is enabled, provided their
324 INBOX did not yet already exist.
325
326 The user's quota is set to the value if it is greater than zero,
327 otherwise the user has unlimited quota.
328
329 Note that quota is specified in kilobytes.
330
331 autocreate_quota_messages: -1
332 If set to a value of zero or higher, users who have their INBOX
333 folders created upon a successful login event (see autocre‐
334 ate_quota), or upon lmtpd(8) message delivery if autocreate_post
335 is enabled, receive the message quota configured in this option.
336
337 The default of -1 disables assigning message quota.
338
339 For consistency with autocreate_quota, a value of zero is
340 treated as unlimited message quota, rather than a message quota
341 of zero.
342
343 autocreate_sieve_folders: <none>
344 A "|" separated list of subfolders of INBOX that will be auto‐
345 matically created, if requested by a sieve filter, through the
346 "fileinto" action. The default is to create no folders automati‐
347 cally.
348
349 Leading and trailing whitespace is stripped from each folder, so
350 a setting of "Junk | Trash" will create two folders: "Junk" and
351 "Trash".
352
353 autocreate_sieve_script: <none>
354 The full path of a file that contains a sieve script. This
355 script automatically becomes a user's initial default sieve fil‐
356 ter script.
357
358 When this option is not defined, no default sieve filter is cre‐
359 ated. The file must be readable by the Cyrus daemon.
360
361 autocreate_sieve_script_compile: 0
362 If set to yes and no compiled sieve script file exists, the
363 sieve script which is compiled on the fly will be saved in the
364 file name that the autocreate_sieve_script_compiled option points
365 to. In order for a compiled script to be generated,
366 autocreate_sieve_script and autocreate_sieve_script_compiled must
367 have valid values.
368
369 autocreate_sieve_script_compiled: <none>
370 The full path of a file that contains a compiled in bytecode
371 sieve script. This script automatically becomes a user's initial
372 default sieve filter script. If this option is not specified,
373 or the filename doesn't exist then the script defined by
374 autocreate_sieve_script is compiled on the fly and installed as
375 the user's default sieve script
376
377 autocreate_subscribe_folders: <none>
378 A list of folder names, separated by "|", that the users get
379 automatically subscribed to, when their INBOX is created. These
380 folder names must have been included in the autocreateinboxfold‐
381 ers option of the imapd.conf.
382
383 autocreate_subscribe_sharedfolders: <none>
384 A list of shared folders (bulletin boards), separated by "|",
385 that the users get automatically subscribed to, after their
386 INBOX is created. The shared folder must have been created and
387 the user must have the required permissions to get subscribed to
388 it. Otherwise, subscribing to the shared folder fails.
389
390 autocreate_subscribe_sharedfolders_all: 0
391 If set to yes, the user is automatically subscribed to all
392 shared folders that they have permission to subscribe to.
393
394 autocreate_users: anyone
395 A space separated list of users and/or groups whose INBOX is
396 allowed to be automatically created.
397
398 backuppartition-name: <none>
399 The pathname of the backup partition name. At least one backup
400 partition pathname MUST be specified if backups are in use.
401 Note that there is no relationship between spool partitions and
402 backup partitions.
403
404 backup_compact_minsize: 0
405 The minimum size in kilobytes of chunks in each backup. The
406 compact tool will try to combine adjacent chunks that are
407 smaller than this.
408
409 Setting this value to zero or negative disables combining of
410 chunks.
411
412 backup_compact_maxsize: 0
413 The maximum size in kilobytes of chunks in each backup. The
414 compact tool will try to split chunks larger than this into
415 smaller chunks.
416
417 Setting this value to zero or negative disables splitting of
418 chunks.
419
420 backup_compact_work_threshold: 1
421 The number of chunks that must obviously need compaction before
422 the compact tool will go ahead with the compaction. If set to
423 less than one, the value is treated as being one.
424
425 backup_staging_path: <none>
426 The absolute path of the backup staging area. If not specified,
427 will be temp_path/backup
428
429 backup_retention_days: 7
430 The number of days to keep content in backup after it has been
431 deleted from the source. If set to a negative value or zero,
432 deleted content will be kept indefinitely.
433
434 backup_db: twoskip
435 The cyrusdb backend to use for the backup locations database.
436
437 Allowed values: skiplist, sql, twoskip, lmdb
438
439 backup_db_path: <none>
440 The absolute path to the backup db file. If not specified, will
441 be configdirectory/backups.db
442
443 backup_keep_previous: 0
444 Whether the ctl_backups compact and ctl_backups reindex commands
445 should preserve the original file. The original file will be
446 named with a timestamped suffix. This is mostly useful for
447 debugging.
448
449 Note that with this enabled, compacting a backup will actually
450 increase the disk used by it (because there will now be an extra
451 copy: the original version, and the compacted version).
452
453 boundary_limit: 1000
454 Messages are parsed recursively and a deep enough MIME structure
455 can cause a stack overflow. Do not parse deeper than this many
456 layers of MIME structure. The default of 1000 is much higher
457 than any sane message should have.
458
459 caldav_allowattach: 1
460 Enable managed attachments support on the caldav server.
461
462 caldav_allowscheduling: on
463 Enable calendar scheduling operations. If set to "apple", the
464 server will emulate Apple CalendarServer behavior as closely as
465 possible. Allowed values: off, on, apple
466
467 caldav_create_attach: 1
468 Create the 'Attachments' calendar if it doesn't already exist
469
470 caldav_create_default: 1
471 Create the 'Default' calendar if it doesn't already exist
472
473 caldav_create_sched: 1
474 Create the 'Inbox' and 'Outbox' calendars if they don't already
475 exist
476
477 caldav_maxdatetime: 20380119T031407Z
478 The latest date and time accepted by the server (ISO format).
479 This value is also used for expanding non-terminating recurrence
480 rules.
481
482 Note that increasing this value will require the DAV databases
483 for calendars to be reconstructed with the dav_reconstruct
484 utility in order to see its effect on server-side time-based queries.
485
486 caldav_mindatetime: 19011213T204552Z
487 The earliest date and time accepted by the server (ISO format).
488
489 caldav_realm: <none>
490 The realm to present for HTTP authentication of CalDAV
491 resources. If not set (the default), the value of the "server‐
492 name" option will be used.
493
494 calendarprefix: #calendars
495 The prefix for the calendar mailboxes hierarchies. The hierar‐
496 chy delimiter will be automatically appended. The public calen‐
497 dar hierarchy will be at the toplevel of the shared namespace.
498 A user's personal calendar hierarchy will be a child of their
499 Inbox.
500
501 calendar_user_address_set: <none>
502 Space-separated list of domains corresponding to calendar user
503 addresses for which the server is responsible. If not set (the
504 default), the value of the "servername" option will be used.
505
506 carddav_realm: <none>
507 The realm to present for HTTP authentication of CardDAV
508 resources. If not set (the default), the value of the "server‐
509 name" option will be used.
510
511 carddav_repair_vcard: 0
512 If enabled, the server attempts to repair VCARDs with invalid
513 content during creation.
514
515 chatty: 0
516 If yes, syslog tags and commands for every IMAP command, mail‐
517 boxes for every lmtp connection, every POP3 command, etc
518
519 client_bind: 0
520 If enabled, a specific IP will be bound when performing a client
521 connection. client_bind_name is used if it is set, otherwise
522 servername is used. This is useful on multi-homed servers where
523 Cyrus should not use other services' interfaces.
524
525 If not enabled (the default), no bind will be performed. Client
526 connections will use an IP chosen by the operating system.
527
528 client_bind_name: <none>
529 IPv4, IPv6 address or hostname to bind for client connections
530 when client_bind is enabled. If not set (the default), server‐
531 name will be used.
532
533 client_timeout: 10
534 Number of seconds to wait before returning a timeout failure
535 when performing a client connection (e.g., in a murder environ‐
536 ment)
537
538 commandmintimer: <none>
539 Time in seconds. Any imap command that takes longer than this
540 time is logged.
541
542 configdirectory: <none>
543 The pathname of the IMAP configuration directory. This field is
544 required.
545
546 createonpost: 0
547 Deprecated in favor of autocreate_post.
548
549 conversations: 0
550 Enable the XCONVERSATIONS extensions. Extract conversation
551 tracking information from incoming messages and track them in
552 per-user databases.
553
554 conversations_counted_flags: <none>
555 Space-separated list of flags for which per-conversation counts
556 will be kept. Note that you need to reconstruct the conversa‐
557 tions database with ctl_conversationsdb if you change this
558 option on a running server, or the counts will be wrong.
559
560 conversations_db: skiplist
561 The cyrusdb backend to use for the per-user conversations data‐
562 base.
563
564 Allowed values: skiplist, sql, twoskip, lmdb
565
566 conversations_expire_days: 90
567 How long the conversations database keeps the message tracking
568 information needed for receiving new messages in existing con‐
569 versations, in days.
570
571 crossdomains: 0
572 Enable cross domain sharing. This works best with alt namespace
573 and unix hierarchy separators on, so you get Other
574 Users/foo@example.com/...
575
576 crossdomains_onlyother: 0
577 Only show the domain for users in other domains than your own
578 (for backwards compatibility if you're already sharing
579
580 cyrus_group: <none>
581 The name of the group Cyrus services will run as. If not con‐
582 figured, the primary group of cyrus_user will be used. Can be
583 further overridden by setting the $CYRUS_GROUP environment vari‐
584 able.
585
586 cyrus_user: <none>
587 The username to use as the 'cyrus' user. If not configured, the
588 compile time default will be used. Can be further overridden by
589 setting the $CYRUS_USER environment variable.
590
591 davdriveprefix: #drive
592 The prefix for the DAV storage mailboxes hierarchies. The hier‐
593 archy delimiter will be automatically appended. The public
594 storage hierarchy will be at the toplevel of the shared names‐
595 pace. A user's personal storage hierarchy will be a child of
596 their Inbox.
597
598 davnotificationsprefix: #notifications
599 The prefix for the DAV notifications hierarchy. The hierarchy
600 delimiter will be automatically appended. The public notifica‐
601 tions hierarchy will be at the toplevel of the shared namespace.
602 A user's personal notifications hierarchy will be a child of
603 their Inbox.
604
605 dav_realm: <none>
606 The realm to present for HTTP authentication of generic DAV
607 resources (principals). If not set (the default), the value of
608 the "servername" option will be used.
609
610 debug_command: <none>
611 Debug command to be used by processes started with -D option.
612 The string is a C format string that gets 3 options: the first
613 is the name of the executable (without path). The second is the
614 pid (integer) and the third is the service ID. Example:
615 /usr/local/bin/gdb /usr/cyrus/bin/%s %d
616
617 defaultacl: anyone lrs
618 The Access Control List (ACL) placed on a newly-created
619 (non-user) mailbox that does not have a parent mailbox.
620
621 defaultdomain: internal
622 The default domain for virtual domain support
623
624 defaultpartition: <none>
625 The partition name used by default for new mailboxes. If not
626 specified, the partition with the most free space will be used
627 for new mailboxes.
628
629 Note that the partition specified by this option must also be
630 specified as partition-name, where you substitute 'name' for the
631 alphanumeric string you set defaultpartition to.
632
633 defaultsearchtier: <empty string>
634 Name of the default tier that messages will be indexed to.
635 Search indexes can be organized in tiers to allow index storage
636 in different directories and physical media. See the man page of
637 squatter for details. The default search tier also requires the
638 definition of an according searchtierpartition-name entry.
639
640 This option MUST be specified for xapian search.
641
642 defaultserver: <none>
643 The backend server name used by default for new mailboxes. If
644 not specified, the server with the most free space will be used
645 for new mailboxes.
646
647 deletedprefix: DELETED
648 With delete_mode set to delayed, the deletedprefix setting
649 defines the prefix for the hierarchy of deleted mailboxes.
650
651 The hierarchy delimiter will be automatically appended.
652
653 delete_mode: delayed
654 The manner in which mailboxes are deleted. In the default
655 delayed mode, mailboxes that are being deleted are renamed to a
656 special mailbox hierarchy under the deletedprefix, to be removed
657 later by cyr_expire(8).
658
659 In immediate mode, the mailbox is removed from the filesystem
660 immediately.
661
662 Allowed values: immediate, delayed
663
664 delete_unsubscribe: 0
665 Whether to also unsubscribe from mailboxes when they are
666 deleted. Note that this behaviour contravenes RFC 3501 section
667 6.3.9, but may be useful for avoiding user/client software con‐
668 fusion. The default is 'no'.
669
670 deleteright: c
671 Deprecated - only used for backwards compatibility with existing
672 installations. Lists the old RFC 2086 right which was used to
673 grant the user the ability to delete a mailbox. If a user has
674 this right, they will automatically be given the new 'x' right.
675
676 disable_user_namespace: 0
677 Preclude list command on user namespace. If set to 'yes', the
678 LIST response will never include any other user's mailbox.
679 Admin users will always see all mailboxes. The default is 'no'
680
681 disable_shared_namespace: 0
682 Preclude list command on shared namespace. If set to 'yes', the
683 LIST response will never include any non-user mailboxes. Admin
684 users will always see all mailboxes. The default is 'no'
685
686 disconnect_on_vanished_mailbox: 0
687 If enabled, IMAP/POP3/NNTP clients will be disconnected by the
688 server if the currently selected mailbox is (re)moved by another
689 session. Otherwise, the missing mailbox is treated as empty
690 while in use by the client.
691
692 ischedule_dkim_domain: <none>
693 The domain to be reported as doing iSchedule DKIM signing.
694
695 ischedule_dkim_key_file: <none>
696 File containing the private key for iSchedule DKIM signing.
697
698 ischedule_dkim_selector: <none>
699 Name of the selector subdividing the domain namespace. This
700 specifies the actual key used for iSchedule DKIM signing within
701 the domain.
702
703 duplicate_db: twoskip
704 The cyrusdb backend to use for the duplicate delivery suppres‐
705 sion and sieve. Allowed values: skiplist, sql, twoskip, lmdb
706
707 duplicate_db_path: <none>
708 The absolute path to the duplicate db file. If not specified,
709 will be configdirectory/deliver.db
710
711 duplicatesuppression: 1
712 If enabled, lmtpd will suppress delivery of a message to a mail‐
713 box if a message with the same message-id (or resent-message-id)
714 is recorded as having already been delivered to the mailbox.
715 Records the mailbox and message-id/resent-message-id of all suc‐
716 cessful deliveries.
717
718 event_content_inclusion_mode: standard
719 The mode in which message content may be included with Mes‐
720 sageAppend and MessageNew. "standard" mode is the default behav‐
721 ior in which message is included up to a size with the notifica‐
722 tion. In "message" mode, the message is included and may be
723 truncated to a size. In "header" mode, it includes headers trun‐
724 cated to a size. In "body" mode, it includes body truncated to a
725 size. In "headerbody" mode, it includes full headers and body
726 truncated to a size. Allowed values: standard, message, header,
727 body, headerbody
728
729 event_content_size: 0
730 Truncate the message content that may be included with Mes‐
731 sageAppend and MessageNew. Set 0 to include the entire message
732 itself
733
734 event_exclude_flags: <none>
735 Don't send event notification for given IMAP flag(s)
736
737 event_exclude_specialuse: \Junk
738 Don't send event notification for folder with given special-use
739 attributes. Set ALL for any folder
740
741 event_extra_params: timestamp
742 Space-separated list of extra parameters to add to any
743 appropriate event.
744
745 Allowed values: bodyStructure, clientAddress, diskUsed,
746 flagNames, messageContent, messageSize, messages, modseq, ser‐
747 vice, timestamp, uidnext, vnd.cmu.midset, vnd.cmu.unseenMes‐
748 sages, vnd.cmu.envelope, vnd.cmu.sessionId, vnd.cmu.mailboxACL,
749 vnd.cmu.mbtype, vnd.cmu.davFilename, vnd.cmu.davUid, vnd.fast‐
750 mail.clientId, vnd.fastmail.sessionId, vnd.fastmail.convExists,
751 vnd.fastmail.convUnseen, vnd.fastmail.cid, vnd.fastmail.counters
752
753 event_groups: message mailbox
754 Space-separated list of groups of related events to turn on
755 notification
756
757 Allowed values: message, quota, flags, access, mailbox, sub‐
758 scription, calendar, applepushservice
759
760 event_notifier: <none>
761 Notifyd(8) method to use for "EVENT" notifications which are
762 based on the RFC 5423. If not set, "EVENT" notifications are
763 disabled.
764
765 expunge_mode: delayed
766 The mode in which messages (and their corresponding cache
767 entries) are expunged. "default" mode is the old behavior in
768 which the message files are purged at the time of the EXPUNGE,
769 but index and cache records are retained to facilitate QRESYNC.
770 (Note that this behaviour is no longer the default, but is so
771 named for historical reasons.) In "delayed" mode, which is the
772 default since Cyrus 2.5.0, the message files are also retained,
773 allowing unexpunge to rescue them. In "immediate" mode, both
774 the message files and the index records are removed as soon as
775 possible. In all cases, nothing will be finally purged until
776 all other processes have closed the mailbox to ensure they never
777 see data disappear under them. In "default" or "delayed" mode,
778 a later run of "cyr_expire" will clean out the retained records
779 (and possibly message files). This reduces the amount of I/O
780 that takes place at the time of EXPUNGE and should result in
781 greater responsiveness for the client, especially when expunging
782 a large number of messages. Allowed values: default, immediate,
783 delayed
784
785 failedloginpause: 3
786 Number of seconds to pause after a failed login.
787
788 flushseenstate: 1
789 Deprecated. No longer used
790
791 foolstupidclients: 0
792 If enabled, only list the personal namespace when a LIST "*" is
793 performed (it changes the request to a LIST "INBOX*").
794
795 force_sasl_client_mech: <none>
796 Force preference of a given SASL mechanism for client side oper‐
797 ations (e.g., murder environments). This is separate from (and
798 overridden by) the ability to use the <host shortname>_mechs
799 option to set preferred mechanisms for a specific host
800
801 fulldirhash: 0
802 If enabled, uses an improved directory hashing scheme which
803 hashes on the entire username instead of using just the first
804 letter as the hash. This changes the hash algorithm used for
805 quota and user directories and, if hashimapspool is enabled, the
806 entire mail spool.
807
808 Note that this option CANNOT be changed on a live system. The
809 server must be quiesced and then the directories moved with the
810 rehash utility.
811
812 hashimapspool: 0
813 If enabled, the partitions will also be hashed, in addition to
814 the hashing done on configuration directories. This is recom‐
815 mended if one partition has a very bushy mailbox tree.
816
817 debug: 0
818 If enabled, allow syslog() to pass LOG_DEBUG messages.
819
820 hostname_mechs: <none>
821 Force a particular list of SASL mechanisms to be used when
822 authenticating to the backend server hostname (where hostname is
823 the short hostname of the server in question). If it is not
824 specified it will query the server for available mechanisms and
825 pick one to use. - Cyrus Murder
826
827 hostname_password: <none>
828 The password to use for authentication to the backend server
829 hostname (where hostname is the short hostname of the server) -
830 Cyrus Murder
831
832 httpallowcompress: 1
833 If enabled, the server will compress response payloads if the
834 client indicates that it can accept them. Note that the com‐
835 pressed data will appear in telemetry logs, leaving only the
836 response headers as human-readable.
837
838 httpallowcors: <none>
839 A wildmat pattern specifying a list of origin URIs ( scheme
840 "://" host [ ":" port ] ) that are allowed to make Cross-Origin
841 Resource Sharing (CORS) requests on the server. By default,
842 CORS requests are disabled.
843
844 Note that the scheme and host should both be lowercase, the port
845 should be omitted if using the default for the scheme (80 for
846 http, 443 for https), and there should be no trailing '/' (e.g.:
847 "http://www.example.com:8080", "https://example.org").
848
849 httpallowtrace: 0
850 Allow use of the TRACE method.
851
852 Note that sensitive data might be disclosed by the response.
853
854 httpallowedurls: <none>
855 Space-separated list of relative URLs (paths) rooted at "http‐
856 docroot" (see below) to be served by httpd. If set, this option
857 will limit served static content to only those paths specified
858 (returning "404 Not Found" to any other client requested URLs).
859 Otherwise, httpd will serve any content found in "httpdocroot".
860
861 Note that any path specified by "rss_feedlist_template" is an
862 exception to this rule.
863
864 httpcontentmd5: 0
865 If enabled, HTTP responses will include a Content-MD5 header for
866 the purpose of providing an end-to-end message integrity check
867 (MIC) of the payload body. Note that enabling this option will
868 use additional CPU to generate the MD5 digest, which may be
869 ignored by clients anyways.
870
871 httpdocroot: <none>
872 If set, httpd will serve the static content (html/text/jpeg/gif
873 files, etc) rooted at this directory. Otherwise, httpd will not
874 serve any static content.
875
876 httpkeepalive: 20
877 Set the length of the HTTP server's keepalive heartbeat in sec‐
878 onds. The default is 20. The minimum value is 0, which will
879 disable the keepalive heartbeat. When enabled, if a request
880 takes longer than httpkeepalive seconds to process, the server
881 will send the client provisional responses every httpkeepalive
882 seconds until the final response can be sent
883
884 httpmodules: <empty string>
885 Space-separated list of HTTP modules that will be enabled in
886 httpd(8). This option has no effect on modules that are dis‐
887 abled at compile time due to missing dependencies (e.g. libi‐
888 cal).
889
890 Note that "domainkey" depends on "ischedule" being enabled, and
891 that both "freebusy" and "ischedule" depend on "caldav" being
892 enabled. Allowed values: admin, caldav, carddav, domainkey,
893 freebusy, ischedule, rss, tzdist, webdav
894
895 httpprettytelemetry: 0
896 If enabled, HTTP response payloads including server-generated
897 markup languages (HTML, XML) will utilize line breaks and inden‐
898 tation to promote better human-readability in telemetry logs.
899 Note that enabling this option will increase the amount of data
900 sent across the wire.
901
902 httptimeout: 5
903 Set the length of the HTTP server's inactivity autologout timer,
904 in minutes. The default is 5. The minimum value is 0, which
905 will disable persistent connections.
906
907 idlesocket: {configdirectory}/socket/idle
908 Unix domain socket that idled listens on.
909
910 ignorereference: 0
911 For backwards compatibility with Cyrus 1.5.10 and earlier --
912 ignore the reference argument in LIST or LSUB commands.
913
914 imapidlepoll: 60
915 The interval (in seconds) for polling for mailbox changes and
916 ALERTs while running the IDLE command. This option is used when
917 idled is not enabled or cannot be contacted. The minimum value
918 is 1. A value of 0 will disable IDLE.
919
920 imapidresponse: 1
921 If enabled, the server responds to an ID command with a parame‐
922 ter list containing: version, vendor, support-url, os, os-ver‐
923 sion, command, arguments, environment. Otherwise the server
924 returns NIL.
925
926 imapmagicplus: 0
927 Only list a restricted set of mailboxes via IMAP by using
928 userid+namespace syntax as the authentication/authorization id.
929 Using userid+ (with an empty namespace) will list only sub‐
930 scribed mailboxes.
931
932 imipnotifier: <none>
933 Notifyd(8) method to use for "IMIP" notifications which are
934 based on the RFC 6047. If not set, "IMIP" notifications are
935 disabled.
936
937 implicit_owner_rights: lkxa
938 The implicit Access Control List (ACL) for the owner of a mail‐
939 box.
940
941 @include: <none>
942 Directive which includes the specified file as part of the con‐
943 figuration. If the path to the file is not absolute, CYRUS_PATH
944 is prepended.
945
946 improved_mboxlist_sort: 0
947 If enabled, a special comparator will be used which will cor‐
948 rectly sort mailbox names that contain characters such as ' '
949 and '-'.
950
951 Note that this option SHOULD NOT be changed on a live system.
952 The mailboxes database should be dumped (ctl_mboxlist) before
953 the option is changed, removed, and then undumped after changing
954 the option. When not using flat files for the subscriptions
955 databases the same has to be done (cyr_dbtool) for each
956 subscription database. See improved_mboxlist_sort.html.
957
958 internaldate_heuristic: standard
959 Mechanism to determine email internaldates on delivery/recon‐
960 struct. "standard" uses time() when delivering a message, mtime
961 on reconstruct. "receivedheader" looks at the topmost Received
962 header, or time/mtime otherwise. Allowed values: standard,
963 receivedheader
964
965 iolog: 0
966 Should cyrus output I/O log entries
967
968 ldap_authz: <none>
969 SASL authorization ID for the LDAP server
970
971 ldap_base: <empty string>
972 Contains the LDAP base dn for the LDAP ptloader module
973
974 ldap_bind_dn: <none>
975 Bind DN for the connection to the LDAP server (simple bind). Do
976 not use for anonymous simple binds
977
978 ldap_deref: never
979 Specify how alias dereferencing is handled during search.
980
981 Allowed values: search, find, always, never
982
983 ldap_domain_base_dn: <empty string>
984 Base DN to search for domain name spaces.
985
986 ldap_domain_filter: (&(objectclass=domainrelatedobject)(associated‐
987 domain=%s))
988 Filter to use searching for domains
989
990 ldap_domain_name_attribute: associateddomain
991 The attribute name for domains.
992
993 ldap_domain_scope: sub
994 Search scope
995
996 Allowed values: sub, one, base
997
998 ldap_domain_result_attribute: inetdomainbasedn
999 Result attribute
1000
1001 ldap_filter: (uid=%u)
1002 Specify a filter that searches user identifiers. The following
1003 tokens can be used in the filter string:
1004
1005 %% = %; %u = user; %U = user portion of %u (%U = test when
1006 %u = test@domain.tld); %d = domain portion of %u if available
1007 (%d = domain.tld when %u = test@domain.tld), otherwise same as
1008 %r; %D = user dn (use when ldap_member_method: filter); %1-9 =
1009 domain tokens (%1 = tld, %2 = domain when %d = domain.tld)
1010
1011 ldap_filter is not used when ldap_sasl is enabled.
1012
1013 ldap_group_base: <empty string>
1014 LDAP base dn for ldap_group_filter.
1015
1016 ldap_group_filter: (cn=%u)
1017 Specify a filter that searches for group identifiers. See
1018 ldap_filter for more options.
1019
1020 ldap_group_scope: sub
1021 Specify search scope for ldap_group_filter.
1022
1023 Allowed values: sub, one, base
1024
1025 ldap_id: <none>
1026 SASL authentication ID for the LDAP server
1027
1028 ldap_mech: <none>
1029 SASL mechanism for LDAP authentication
1030
1031 ldap_user_attribute: <none>
1032 Specify LDAP attribute to use as canonical user id
1033
1034 ldap_member_attribute: <none>
1035 See ldap_member_method.
1036
1037 ldap_member_base: <empty string>
1038 LDAP base dn for ldap_member_filter.
1039
1040 ldap_member_filter: (member=%D)
1041 Specify a filter for "ldap_member_method: filter". See
1042 ldap_filter for more options.
1043
1044 ldap_member_method: attribute
1045 Specify a group method. The "attribute" method retrieves groups
1046 from a multi-valued attribute specified in ldap_mem‐
1047 ber_attribute.
1048
1049 The "filter" method uses a filter, specified by ldap_member_fil‐
1050 ter, to find groups; ldap_member_attribute is a single-value
1051 attribute group name. Allowed values: attribute, filter
1052
1053 ldap_member_scope: sub
1054 Specify search scope for ldap_member_filter.
1055
1056 Allowed values: sub, one, base
1057
1058 ldap_password: <none>
1059 Password for the connection to the LDAP server (SASL and simple
1060 bind). Do not use for anonymous simple binds
1061
1062 ldap_realm: <none>
1063 SASL realm for LDAP authentication
1064
1065 ldap_referrals: 0
1066 Specify whether or not the client should follow referrals.
1067
1068 ldap_restart: 1
1069 Specify whether or not LDAP I/O operations are automatically
1070 restarted if they abort prematurely.
1071
1072 ldap_sasl: 1
1073 Use SASL for LDAP binds in the LDAP PTS module.
1074
1075 ldap_sasl_authc: <none>
1076 Deprecated. Use ldap_id
1077
1078 ldap_sasl_authz: <none>
1079 Deprecated. Use ldap_authz
1080
1081 ldap_sasl_mech: <none>
1082 Deprecated. Use ldap_mech
1083
1084 ldap_sasl_password: <none>
1085 Deprecated. Use ldap_password
1086
1087 ldap_sasl_realm: <none>
1088 Deprecated. Use ldap_realm
1089
1090 ldap_scope: sub
1091 Specify search scope.
1092
1093 Allowed values: sub, one, base
1094
1095 ldap_servers: ldap://localhost/
1096 Deprecated. Use ldap_uri
1097
1098 ldap_size_limit: 1
1099 Specify a number of entries for a search request to return.
1100
1101 ldap_start_tls: 0
1102 Use transport layer security for ldap:// using STARTTLS. Do not
1103 use ldaps:// in 'ldap_uri' with this option enabled.
1104
1105 ldap_time_limit: 5
1106 Specify a number of seconds for a search request to complete.
1107
1108 ldap_timeout: 5
1109 Specify a number of seconds a search can take before timing out.
1110
1111 ldap_ca_dir: <none>
1112 Path to a directory with CA (Certificate Authority) certifi‐
1113 cates.
1114
1115 ldap_ca_file: <none>
1116 Path to a file containing CA (Certificate Authority)
1117 certificate(s).
1118
1119 ldap_ciphers: <none>
1120 List of SSL/TLS ciphers to allow. The format of the string is
1121 described in ciphers(1).
1122
1123 ldap_client_cert: <none>
1124 File containing the client certificate.
1125
1126 ldap_client_key: <none>
1127 File containing the private client key.
1128
1129 ldap_verify_peer: 0
1130 Require and verify server certificate. If this option is yes,
1131 you must specify ldap_ca_file or ldap_ca_dir.
1132
1133 ldap_tls_cacert_dir: <none>
1134 Deprecated in favor of ldap_ca_dir.
1135
1136 ldap_tls_cacert_file: <none>
1137 Deprecated in favor of ldap_ca_file.
1138
1139 ldap_tls_cert: <none>
1140 Deprecated in favor of ldap_client_cert.
1141
1142 ldap_tls_key: <none>
1143 Deprecated in favor of ldap_client_key.
1144
1145 ldap_tls_check_peer: 0
1146 Deprecated in favor of ldap_verify_peer.
1147
1148 ldap_tls_ciphers: <none>
1149 Deprecated in favor of ldap_ciphers.
1150
1151 ldap_uri: <none>
1152 Contains a list of the URLs of all the LDAP servers when using
1153 the LDAP PTS module.
1154
1155 ldap_version: 3
1156 Specify the LDAP protocol version. If ldap_start_tls and/or
1157 ldap_use_sasl are enabled, ldap_version will be automatically
1158 set to 3.
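
The LDAP transport options above constrain one another: ldap_start_tls must not be combined with ldaps:// in ldap_uri, ldap_verify_peer needs ldap_ca_file or ldap_ca_dir, and several ldap_sasl_* and ldap_tls_* names are deprecated. The following Python check is an added example, not part of Cyrus IMAP; the function names, finding codes and sample configuration are constructed for illustration, and the cleartext finding assumes that a simple bind over ldap:// without STARTTLS sends the password unprotected.

```python
"""Added example: consistency audit of the ldap_* options in an imapd.conf."""

TRUE = {"yes", "on", "t", "true", "1"}
FALSE = {"no", "off", "f", "false", "0"}

# Deprecated option -> replacement, as listed in this man page.
DEPRECATED = {
    "ldap_sasl_authc": "ldap_id",
    "ldap_sasl_authz": "ldap_authz",
    "ldap_sasl_mech": "ldap_mech",
    "ldap_sasl_password": "ldap_password",
    "ldap_sasl_realm": "ldap_realm",
    "ldap_servers": "ldap_uri",
    "ldap_tls_cacert_dir": "ldap_ca_dir",
    "ldap_tls_cacert_file": "ldap_ca_file",
    "ldap_tls_cert": "ldap_client_cert",
    "ldap_tls_key": "ldap_client_key",
    "ldap_tls_check_peer": "ldap_verify_peer",
    "ldap_tls_ciphers": "ldap_ciphers",
}

# Constructed sample input, not taken from a real deployment.
SAMPLE = r"""
# LDAP ptloader settings
ldap_uri: ldaps://ldap1.example.org/ \
 ldap://ldap2.example.org/
ldap_start_tls: yes
ldap_verify_peer: 0
ldap_sasl: 0
ldap_bind_dn: cn=cyrus,dc=example,dc=org
ldap_password: not-a-real-secret
ldap_tls_cacert_file: /etc/ssl/ca.pem
"""


def parse_imapd_conf(text):
    """Parse 'option: value' lines; a trailing backslash continues the line."""
    opts, pending = {}, ""
    # The extra "" flushes a continuation left dangling on the last line.
    for raw in text.splitlines() + [""]:
        if raw.endswith("\\"):
            pending += raw[:-1]  # no whitespace is inserted at the join
            continue
        line, pending = pending + raw, ""
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            opts[name.strip()] = value.strip()
    return opts


def enabled(opts, name, default):
    """Interpret a boolean option using the on/off spellings of imapd.conf."""
    value = opts.get(name, "").lower()
    if value in TRUE:
        return True
    if value in FALSE:
        return False
    return default


def audit_ldap(opts):
    """Return (code, message) findings for the ldap_* transport settings."""
    findings = [("deprecated", f"{old} is deprecated; use {new}")
                for old, new in DEPRECATED.items() if old in opts]
    uris = [u.lower() for u in opts.get("ldap_uri", "").split()]
    ldaps = any(u.startswith("ldaps://") for u in uris)
    plain = any(u.startswith("ldap://") for u in uris)
    start_tls = enabled(opts, "ldap_start_tls", False)  # documented default 0
    verify = enabled(opts, "ldap_verify_peer", False)   # documented default 0
    sasl = enabled(opts, "ldap_sasl", True)             # documented default 1
    has_ca = bool(opts.get("ldap_ca_file") or opts.get("ldap_ca_dir"))

    if start_tls and ldaps:
        findings.append(("starttls_with_ldaps",
                         "ldap_start_tls is on but ldap_uri contains ldaps://"))
    if verify and not has_ca:
        findings.append(("verify_without_ca",
                         "ldap_verify_peer needs ldap_ca_file or ldap_ca_dir"))
    if (start_tls or ldaps) and not verify:
        findings.append(("peer_not_verified",
                         "TLS in use but ldap_verify_peer is off"))
    # Assumption: with ldap_sasl off the bind is a simple bind, which carries
    # ldap_password unprotected unless the connection is wrapped in TLS.
    if plain and not start_tls and not sasl and opts.get("ldap_password"):
        findings.append(("cleartext_simple_bind",
                         "ldap_password sent over ldap:// without STARTTLS"))
    return findings


if __name__ == "__main__":
    for code, message in audit_ldap(parse_imapd_conf(SAMPLE)):
        print(f"{code}: {message}")
```
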
1159
1160 literalminus: 0
1161 If enabled, CAPABILITIES will reply with LITERAL- rather than
1162 LITERAL+ (RFC 7888). This doesn't actually size-restrict uploads,
1163 though.
1164
1165 lmtp_downcase_rcpt: 1
1166 If enabled, lmtpd will convert the recipient addresses to lower‐
1167 case (up to a '+' character, if present).
1168
1169 lmtp_fuzzy_mailbox_match: 0
1170 If enabled, and the mailbox specified in the detail part of the
1171 recipient (everything after the '+') does not exist, lmtpd will
1172 try to find the closest match (ignoring case, ignoring white‐
1173 space, falling back to parent) to the specified mailbox name.
1174
1175 lmtp_over_quota_perm_failure: 0
1176 If enabled, lmtpd returns a permanent failure code when a user's
1177 mailbox is over quota. By default, the failure is temporary,
1178 causing the MTA to queue the message and retry later.
1179
1180 lmtp_strict_quota: 0
1181 If enabled, lmtpd returns a failure code when the incoming mes‐
1182 sage will cause the user's mailbox to exceed its quota. By
1183 default, the failure won't occur until the mailbox is already
1184 over quota.
1185
1186 lmtp_strict_rfc2821: 1
1187 By default, lmtpd will be strict (per RFC 2821) with regards to
1188 which envelope addresses are allowed. If this option is set to
1189 false, 8bit characters in the local-part of envelope addresses
1190 are changed to 'X' instead. This is useful to avoid generating
1191 backscatter with certain MTAs like Postfix or Exim which accept
1192 such messages.
1193
1194 lmtpsocket: {configdirectory}/socket/lmtp
1195 Unix domain socket that lmtpd listens on, used by deliver(8).
1196 This should match the path specified in cyrus.conf(5).
1197
1198 lmtptxn_timeout: 300
1199 Timeout (in seconds) used during a lmtp transaction to a remote
1200 backend (e.g. in a murder environment). Can be used to prevent
1201 hung lmtpds on proxy hosts when a backend server becomes unre‐
1202 sponsive during a lmtp transaction. The default is 300 - change
1203 to zero for infinite.
1204
1205 loginrealms: <empty string>
1206 The list of remote realms whose users may authenticate using
1207 cross-realm authentication identifiers. Separate each realm
1208 name by a space. (A cross-realm identity is considered any
1209 identity returned by SASL with an "@" in it.)
1210
1211 loginuseacl: 0
1212 If enabled, any authentication identity which has "a" rights on a
1213 user's INBOX may log in as that user.
1214
1215 logtimestamps: 0
1216 Include notations in the protocol telemetry logs indicating the
1217 number of seconds since the last command or response.
1218
1219 mailbox_default_options: 0
1220 Default "options" field for the mailbox on create. You'll want
1221 to know what you're doing before setting this, but it can apply
1222 some default annotations like duplicate suppression
1223
1224 mailbox_initial_flags: <none>
1225 Space-separated list of permanent flags which will be pre-set in
1226 every newly created mailbox. If you know you will require par‐
1227 ticular flag names then this avoids a possible race condition
1228 against a client that fills the entire 128 available slots.
1229 Default is NULL, which is no flags. Example: $Label1 $Label2
1230 $Label3 NotSpam Spam
1231
1232 mailnotifier: <none>
1233 Notifyd(8) method to use for "MAIL" notifications. If not set,
1234 "MAIL" notifications are disabled.
1235
1236 maxheaderlines: 1000
1237 Maximum number of lines of header that will be processed into
1238 cache records. Default 1000. If set to zero, it is unlimited.
1239 If a message hits the limit, an error will be logged and the
1240 rest of the lines in the header will be skipped. This is to
1241 avoid malformed messages causing giant cache records
1242
1243 maxlogins_per_host: 0
1244 Maximum number of logged in sessions allowed per host, zero
1245 means no limit
1246
1247 maxlogins_per_user: 0
1248 Maximum number of logged in sessions allowed per user, zero
1249 means no limit
1250
1251 maxmessagesize: 0
1252 Maximum incoming LMTP message size. If non-zero, lmtpd will
1253 reject messages larger than maxmessagesize bytes. If set to 0,
1254 this will allow messages of any size (the default).
1255
1256 maxquoted: 131072
1257 Maximum size of a single quoted string for the parser. Default
1258 128k
1259
1260 maxword: 131072
1261 Maximum size of a single word for the parser. Default 128k
1262
1263 mboxkey_db: twoskip
1264 The cyrusdb backend to use for mailbox keys.
1265
1266 Allowed values: skiplist, twoskip, lmdb
1267
1268 mboxlist_db: twoskip
1269 The cyrusdb backend to use for the mailbox list.
1270
1271 Allowed values: flat, skiplist, sql, twoskip, lmdb
1272
1273 mboxlist_db_path: <none>
1274 The absolute path to the mailboxes db file. If not specified
1275 will be configdirectory/mailboxes.db
1276
1277 mboxname_lockpath: <none>
1278 Path to mailbox name lock files (default $conf/lock)
1279
1280 metapartition_files: <empty string>
1281 Space-separated list of metadata files to be stored on a meta‐
1282 partition rather than in the mailbox directory on a spool parti‐
1283 tion. Allowed values: header, index, cache, expunge, squat,
1284 annotations, lock, dav, archivecache
1285
1286 metapartition-name: <none>
1287 The pathname of the metadata partition name, corresponding to
1288 spool partition partition-name. For any mailbox residing in a
1289 directory on partition-name, the metadata files listed in meta‐
1290 partition_files will be stored in a corresponding directory on
1291 metapartition-name. Note that not every partition-name option
1292 is required to have a corresponding metapartition-name option,
1293 so that you can selectively choose which spool partitions will
1294 have separate metadata partitions.
1295
1296 mupdate_authname: <none>
1297 The SASL username (Authentication Name) to use when authenticat‐
1298 ing to the mupdate server (if needed).
1299
1300 mupdate_config: standard
1301 The configuration of the mupdate servers in the Cyrus Murder.
1302 The "standard" config is one in which there are discrete
1303 frontend (proxy) and backend servers. The "unified" config is one
1304 in which a server can be both a frontend and backend. The
1305 "replicated" config is one in which multiple backend servers all
1306 share the same mailspool, but each have their own "replicated"
1307 copy of mailboxes.db. Allowed values: standard, unified, repli‐
1308 cated
1309
1310 munge8bit: 1
1311 If enabled, lmtpd munges messages with 8-bit characters in the
1312 headers. The 8-bit characters are changed to `X'. If
1313 reject8bit is enabled, setting munge8bit has no effect. (A
1314 proper solution to non-ASCII characters in headers is offered by
1315 RFC 2047 and its predecessors.)
1316
1317 mupdate_connections_max: 128
1318 The max number of connections that a mupdate process will allow,
1319 this is related to the number of file descriptors in the mupdate
1320 process. Beyond this number connections will be immediately
1321 issued a BYE response.
1322
1323 mupdate_password: <none>
1324 The SASL password (if needed) to use when authenticating to the
1325 mupdate server.
1326
1327 mupdate_port: 3905
1328 The port of the mupdate server for the Cyrus Murder
1329
1330 mupdate_realm: <none>
1331 The SASL realm (if needed) to use when authenticating to the
1332 mupdate server.
1333
1334 mupdate_retry_delay: 20
1335 The base time to wait between connection retries to the mupdate
1336 server.
1337
1338 mupdate_server: <none>
1339 The mupdate server for the Cyrus Murder
1340
1341 mupdate_username: <empty string>
1342 The SASL username (Authorization Name) to use when authenticat‐
1343 ing to the mupdate server
1344
1345 mupdate_workers_max: 50
1346 The maximum number of mupdate worker threads (overall)
1347
1348 mupdate_workers_maxspare: 10
1349 The maximum number of idle mupdate worker threads
1350
1351 mupdate_workers_minspare: 2
1352 The minimum number of idle mupdate worker threads
1353
1354 mupdate_workers_start: 5
1355 The number of mupdate worker threads to start
1356
1357 netscapeurl: <none>
1358 If enabled at compile time, this specifies a URL to reply when
1359 Netscape asks the server where the mail administration HTTP
1360 server is. Administrators should set this to a local resource.
1361
1362 newsaddheaders: to
1363 Space-separated list of headers to be added to incoming usenet
1364 articles. Added To: headers will contain email delivery
1365 addresses corresponding to each newsgroup in the Newsgroups:
1366 header. Added Reply-To: headers will contain email delivery
1367 addresses corresponding to each newsgroup in the Followup-To: or
1368 Newsgroups: header. If the specified header(s) already exist in
1369 an article, the email delivery addresses will be appended to the
1370 original header body(s).
1371
1372 This option applies if and only if the newspostuser option is
1373 set. Allowed values: to, replyto
1374
1375 newsgroups: *
1376 A wildmat pattern specifying which mailbox hierarchies should be
1377 treated as newsgroups. Only mailboxes matching the wildmat will
1378 accept and/or serve articles via NNTP. If not set, a default
1379 wildmat of "*" (ALL shared mailboxes) will be used. If the
1380 newsprefix option is also set, the default wildmat will be
1381 translated to "<newsprefix>.*"
1382
1383 newsmaster: news
1384 Userid that is used for checking access controls when executing
1385 Usenet control messages. For instance, to allow articles to be
1386 automatically deleted by cancel messages, give the "news" user
1387 the 'd' right on the desired mailboxes. To allow newsgroups to
1388 be automatically created, deleted and renamed by the correspond‐
1389 ing control messages, give the "news" user the 'c' right on the
1390 desired mailbox hierarchies.
1391
1392 newspeer: <none>
1393 A list of whitespace-separated news server specifications to
1394 which articles should be fed. Each server specification is a
1395 string of the form [user[:pass]@]host[:port][/wildmat] where
1396 'host' is the fully qualified hostname of the server, 'port' is
1397 the port on which the server is listening, 'user' and 'pass' are
1398 the authentication credentials and 'wildmat' is a pattern that
1399 specifies which groups should be fed. If no 'port' is speci‐
1400 fied, port 119 is used. If no 'wildmat' is specified, all
1401 groups are fed. If 'user' is specified (even if empty), then
1402 the NNTP POST command will be used to feed the article to the
1403 server, otherwise the IHAVE command will be used.
1404
1405 A '@' may be used in place of '!' in the wildmat to prevent
1406 feeding articles cross-posted to the given group, otherwise
1407 cross-posted articles are fed if any part of the wildmat
1408 matches. For example, the string "peer.example.com:*,!con‐
1409 trol.*,@local.*" would feed all groups except control messages
1410 and local groups to peer.example.com. In the case of
1411 cross-posting to local groups, these articles would not be fed.
1412
1413 newspostuser: <none>
1414 Userid used to deliver usenet articles to newsgroup folders
1415 (usually via lmtp2nntp). For example, if set to "post", email
1416 sent to "post+comp.mail.imap" would be delivered to the
1417 "comp.mail.imap" folder.
1418
1419 When set, the Cyrus NNTP server will add the header(s) specified
1420 in the newsaddheaders option to each incoming usenet article.
1421 The added header(s) will contain email delivery addresses corre‐
1422 sponding to each relevant newsgroup. If not set, no headers are
1423 added to usenet articles.
1424
1425 newsprefix: <none>
1426 Prefix to be prepended to newsgroup names to make the corre‐
1427 sponding IMAP mailbox names.
1428
1429 newsrc_db_path: <none>
1430 The absolute path to the newsrc db file. If not specified, will
1431 be configdirectory/fetchnews.db
1432
1433 nntptimeout: 3
1434 Set the length of the NNTP server's inactivity autologout timer,
1435 in minutes. The minimum value is 3, the default.
1436
1437 notesmailbox: <none>
1438 The top level mailbox in each user's account which is used to
1439 store Apple-style Notes. Default is blank (disabled).
1440
1441 notifysocket: {configdirectory}/socket/notify
1442 Unix domain socket that the mail notification daemon listens on.
1443
1444 notify_external: <none>
1445 Path to the external program that notifyd(8) will call to send
1446 mail notifications.
1447
1448 The external program will be called with the following command
1449 line options:
1450
1451 -c class
1452
1453 -p priority
1454
1455 -u user
1456
1457 -m mailbox
1458
1459 And the notification message will be available on stdin.
1460
1461 partition-name: <none>
1462 The pathname of the partition name. At least one partition
1463 pathname MUST be specified. If the defaultpartition option is
1464 used, then its pathname MUST be specified. For example, if the
1465 value of the defaultpartition option is part1, then the
1466 partition-part1 field is required.
1467
1468 outbox_sendlater: 0
1469 If enabled, any message with a Draft flag will be sent at the
1470 time of its INTERNALDATE
1471
1472 partition_select_mode: freespace-most
1473 Partition selection mode.
1474
1475 random (pseudo-)random selection
1476
1477 freespace-most
1478 partition with the most free space (KiB)
1479
1480 freespace-percent-most
1481 partition with the most free space (%)
1482
1483 freespace-percent-weighted
1484 each partition is weighted according to its free space
1485 (%); the more free space the partition has, the more
1486 chances it has to be selected
1487
1488 freespace-percent-weighted-delta
1489 each partition is weighted according to its difference of
1490 free space (%) compared to the most used partition; the
1491 more the partition is lagging behind the most used parti‐
1492 tion, the more chances it has to be selected
1493
1494 Note that actually even the most used partition has a few
1495 chances to be selected, and those chances increase when
1496 other partitions get closer
1497
1498 Allowed values: random, freespace-most, freespace-per‐
1499 cent-most, freespace-percent-weighted, freespace-per‐
1500 cent-weighted-delta
1501
1502 partition_select_exclude: <none>
1503 List of partitions to exclude from selection mode.
1504
1505 partition_select_usage_reinit: 0
1506 For a given session, number of operations (e.g. partition selec‐
1507 tion) for which partitions usage data are cached.
1508
1509 partition_select_soft_usage_limit: 0
1510 Limit of partition usage (%): if a partition is over that limit,
1511 it is automatically excluded from selection mode.
1512
1513 If all partitions are over that limit, this feature is not used
1514 anymore.
1515
1516 plaintextloginpause: 0
1517 Number of seconds to pause after a successful plaintext login.
1518 For systems that support strong authentication, this permits
1519 users to perceive a cost of using plaintext passwords. (This
1520 does not affect the use of PLAIN in SASL authentications.)
1521
1522 plaintextloginalert: <none>
1523 Message to send to client after a successful plaintext login.
1524
1525 popexpiretime: -1
1526 The number of days advertised as being the minimum a message may
1527 be left on the POP server before it is deleted (via the CAPA
1528 command, defined in the POP3 Extension Mechanism, which some
1529 clients may support). "NEVER", the default, may be specified
1530 with a negative number. The Cyrus POP3 server never deletes
1531 mail, no matter what the value of this parameter is. However,
1532 if a site implements a less liberal policy, it needs to change
1533 this parameter accordingly.
1534
1535 popminpoll: 0
1536 Set the minimum amount of time the server forces users to wait
1537 between successive POP logins, in minutes.
1538
1539 popsubfolders: 0
1540 Allow access to subfolders of INBOX via POP3 by using
1541 userid+subfolder syntax as the authentication/authorization id.
1542
1543 poppollpadding: 1
1544 Create a softer minimum poll restriction. Allows poppollpadding
1545 connections before the minpoll restriction is triggered. Addi‐
1546 tionally, one padding entry is recovered every popminpoll min‐
1547 utes. This allows for the occasional polling rate faster than
1548 popminpoll, (i.e., for clients that require a send/receive to
1549 send mail) but still enforces the rate long-term. Default is 1
1550 (disabled).
1551
1552 The easiest way to think of it is a queue of past connections,
1553 with one slot being filled for every connection, and one slot
1554 being cleared every popminpoll minutes. When the queue is full,
1555 the user will not be able to check mail again until a slot is
1556 cleared. If the user waits a sufficient amount of time, they
1557 will get back many or all of the slots.
1558
1559 poptimeout: 10
1560 Set the length of the POP server's inactivity autologout timer,
1561 in minutes. The minimum value is 10, the default.
1562
1563 popuseacl: 0
1564 Enforce IMAP ACLs in the pop server. Due to the nature of the
1565 POP3 protocol, the only rights which are used by the pop server
1566 are 'r', 't', and 's' for the owner of the mailbox. The 'r'
1567 right allows the user to open the mailbox and list/retrieve mes‐
1568 sages. The 't' right allows the user to delete messages. The
1569 's' right allows messages retrieved by the user to have the
1570 \Seen flag set (only if popuseimapflags is also enabled).
1571
1572 popuseimapflags: 0
1573 If enabled, the pop server will set and obey IMAP flags. Mes‐
1574 sages having the \Deleted flag are ignored as if they do not
1575 exist. Messages that are retrieved by the client will have the
1576 \Seen flag set. All messages will have the \Recent flag unset.
1577
1578 postmaster: postmaster
1579 Username that is used as the 'From' address in rejection MDNs
1580 produced by sieve.
1581
1582 postuser: <empty string>
1583 Userid used to deliver messages to shared folders. For example,
1584 if set to "bb", email sent to "bb+shared.blah" would be deliv‐
1585 ered to the "shared.blah" folder. By default, an email address
1586 of "+shared.blah" would be used.
1587
1588 proc_path: <none>
1589 Path to proc directory. Default is NULL - must be an absolute
1590 path if specified. If not specified, the path $configdirec‐
1591 tory/proc/ will be used.
1592
1593 proxy_authname: proxy
1594 The authentication name to use when authenticating to a backend
1595 server in the Cyrus Murder.
1596
1597 proxy_compress: 0
1598 Try to enable protocol-specific compression when performing a
1599 client connection to a backend server in the Cyrus Murder.
1600
1601 Note that this should only be necessary over slow network con‐
1602 nections. Also note that currently only IMAP and MUPDATE sup‐
1603 port compression.
1604
1605 proxy_password: <none>
1606 The default password to use when authenticating to a backend
1607 server in the Cyrus Murder. May be overridden on a host-spe‐
1608 cific basis using the hostname_password option.
1609
1610 proxy_realm: <none>
1611 The authentication realm to use when authenticating to a backend
1612 server in the Cyrus Murder
1613
1614 proxyd_allow_status_referral: 0
1615 Set to true to allow proxyd to issue referrals to clients that
1616 support it when answering the STATUS command. This is disabled
1617 by default since some clients issue many STATUS commands in a
1618 row, and do not cache the connections that these referrals would
1619 cause, thus resulting in a higher authentication load on the
1620 respective backend server.
1621
1622 proxyd_disable_mailbox_referrals: 0
1623 Set to true to disable the use of mailbox-referrals on the proxy
1624 servers.
1625
1626 proxyservers: <none>
1627 A list of users and groups that are allowed to proxy for other
1628 users, separated by spaces. Any user listed in this will be
1629 allowed to login for any other user: use with caution. In a
1630 standard murder this option should ONLY be set on backends. DO
1631 NOT SET on frontends or things won't work properly.
1632
1633 pts_module: afskrb
1634 The PTS module to use.
1635
1636 Allowed values: afskrb, ldap
1637
1638 ptloader_sock: <none>
1639 Unix domain socket that ptloader listens on. (defaults to con‐
1640 figdirectory/ptclient/ptsock)
1641
1642 ptscache_db: twoskip
1643 The cyrusdb backend to use for the pts cache.
1644
1645 Allowed values: skiplist, twoskip, lmdb
1646
1647 ptscache_db_path: <none>
1648 The absolute path to the ptscache db file. If not specified,
1649 will be configdirectory/ptscache.db
1650
1651 ptscache_timeout: 10800
1652 The timeout (in seconds) for the PTS cache database when using
1653 the auth_krb_pts authorization method (default: 3 hours).
1654
1655 ptskrb5_convert524: 1
1656 When using the AFSKRB ptloader module with Kerberos 5
1657 canonicalization, do the final 524 conversion to get an AFS style
1658 name (using '.' instead of '/', and using short names).
1659
1660 ptskrb5_strip_default_realm: 1
1661 When using the AFSKRB ptloader module with Kerberos 5 canonical‐
1662 ization, strip the default realm from the userid (this does not
1663 affect the stripping of realms specified by the afspts_local‐
1664 realms option)
1665
1666 qosmarking: cs0
1667 This specifies the Class Selector or Differentiated Services
1668 Code Point designation on IP headers (in the ToS field).
1669 Allowed values: cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11,
1670 af12, af13, af21, af22, af23, af31, af32, af33, af41, af42,
1671 af43, ef
1672
1673 quota_db: quotalegacy
1674 The cyrusdb backend to use for quotas.
1675
1676 Allowed values: flat, skiplist, sql, quotalegacy, twoskip, lmdb
1677
1678 quota_db_path: <none>
1679 The absolute path for the quota database (if you choose a sin‐
1680 gle-file quota DB type - or the base path if you choose quotale‐
1681 gacy). If not specified will be configdirectory/quotas.db or
1682 configdirectory/quota/
1683
1684 quotawarn: 90
1685 The percent of quota utilization over which the server generates
1686 warnings.
1687
1688 quotawarnkb: 0
1689 The maximum amount of free space (in kB) at which to give a
1690 quota warning (if this value is 0, or if the quota is smaller
1691 than this amount, then warnings are always given).
1692
1693 quotawarnmsg: 0
1694 The maximum amount of messages at which to give a quota warning
1695 (if this value is 0, or if the quota is smaller than this
1696 amount, then warnings are always given).
1697
1698 reject8bit: 0
1699 If enabled, lmtpd rejects messages with 8-bit characters in the
1700 headers.
1701
1702 restore_authname: <none>
1703 The authentication name used by the restore tool when authenticating
1704 to an IMAP/sync server.
1705
1706 restore_password: <none>
1707 The password used by the restore tool when authenticating to an
1708 IMAP/sync server.
1709
1710 restore_realm: <none>
1711 The authentication realm used by the restore tool when authenti‐
1712 cating to an IMAP/sync server.
1713
1714 reverseacls: 0
1715 At startup time, ctl_cyrusdb -r will check this value and it
1716 will either add or remove reverse ACL pointers from mailboxes.db
1717
1718 rfc2046_strict: 0
1719 If enabled, imapd will be strict (per RFC 2046) when matching
1720 MIME boundary strings. This means that boundaries containing
1721 other boundaries as substrings will be treated as identical.
1722 Since enabling this option will break some messages created by
1723 Eudora 5.1 (and earlier), it is recommended that it be left dis‐
1724 abled unless there is good reason to do otherwise.
1725
1726 rfc2047_utf8: 0
1727 If enabled, imapd will parse any non-encoded character sequence
1728 in MIME header values as UTF8. This is useful for installations
1729 that either advertise the UTF8SMTP (RFC 5335) extension or
1730 receive mails with improperly escaped UTF-8 byte sequences. It
1731 is recommended that this option is left disabled unless there is
1732 good reason to do otherwise.
1733
1734 rfc3028_strict: 1
1735 If enabled, Sieve will be strict (per RFC 3028) with regards to
1736 which headers are allowed to be used in address and envelope
1737 tests. This means that only those headers which are defined to
1738 contain addresses will be allowed in address tests and only "to"
1739 and "from" will be allowed in envelope tests. When disabled,
1740 ANY grammatically correct header will be allowed.
1741
1742 rss_feedlist_template: <none>
1743 File containing HTML that will be used as a template for dis‐
1744 playing the list of available RSS feeds. A single instance of
1745 the variable %RSS_FEEDLIST% should appear in the file, which
1746 will be replaced by a nested unordered list of feeds. The
1747 toplevel unordered list will be tagged with an id of "feed" (<ul
1748 id='feed'>) which can be used by stylesheet(s) in your template.
1749 The dynamically created list of feeds based on the HTML template
1750 will be accessible at the "/rss" URL on the server.
1751
1752 rss_feeds: *
1753 A wildmat pattern specifying which mailbox hierarchies should be
1754 treated as RSS feeds. Only mailboxes matching the wildmat will
1755 have their messages available via RSS. If not set, a default
1756 wildmat of "*" (ALL mailboxes) will be used.
1757
1758 rss_maxage: 0
1759 Maximum age (in days) of items to display in an RSS channel. If
1760 non-zero, httpd will only display items received within the last
1761 rss_maxage days. If set to 0, all available items will be dis‐
1762 played (the default).
1763
1764 rss_maxitems: 0
1765 Maximum number of items to display in an RSS channel. If
1766 non-zero, httpd will display no more than the rss_maxitems most
1767 recent items. If set to 0, all available items will be dis‐
1768 played (the default).
1769
1770 rss_maxsynopsis: 0
1771 Maximum RSS item synopsis length. If non-zero, httpd will dis‐
1772 play no more than the first rss_maxsynopsis characters of an
1773 item's synopsis. If set to 0, the entire synopsis will be dis‐
1774 played (the default).
1775
1776 rss_realm: <none>
1777 The realm to present for HTTP authentication of RSS feeds. If
1778 not set (the default), the value of the "servername" option will
1779 be used.
1780
1781 sasl_auto_transition: 0
1782 If enabled, the SASL library will automatically create authenti‐
1783 cation secrets when given a plaintext password. See the SASL
1784 documentation.
1785
1786 sasl_maximum_layer: 256
1787 Maximum SSF (security strength factor) that the server will
1788 allow a client to negotiate.
1789
1790 sasl_minimum_layer: 0
1791 The minimum SSF that the server will allow a client to negoti‐
1792 ate. A value of 1 requires integrity protection; any higher
1793 value requires some amount of encryption.
1794
1795 sasl_option: 0
1796 Any SASL option can be set by preceding it with sasl_. This
1797 file overrides the SASL configuration file.
1798
1799 sasl_pwcheck_method: <none>
1800 The mechanism used by the server to verify plaintext passwords.
1801 Possible values include "auxprop", "saslauthd", and "pwcheck".
1802
1803 search_batchsize: 20
1804 The number of messages to be indexed in one batch (default 20).
1805 Note that long batches may delay user commands or mail delivery.
1806
1807 search_normalisation_max: 1000
1808 A resource bound for the combinatorial explosion of search
1809 expression tree complexity caused by normalising expressions
1810 with many OR nodes. These can use more CPU time to optimise
1811 than they save IO time in scanning folders.
1812
1813 search_engine: none
1814 The indexing engine used to speed up searching.
1815
1816 Allowed values: none, squat, sphinx, xapian
1817
1818 search_fuzzy_always: 0
1819 Whether to enable RFC 6203 FUZZY search for all IMAP SEARCH. If
1820 turned on, search attributes will be searched using FUZZY search
1821 by default. If turned off, clients have to explicitly use the
1822 FUZZY search key to enable fuzzy search for regular SEARCH com‐
1823 mands.
1824
1825 search_index_headers: 1
1826 Whether to index headers other than From, To, Cc, Bcc, and Sub‐
1827 ject. Experiment shows that some headers such as Received and
1828 DKIM-Signature can contribute up to 2/3rds of the index size but
1829 almost nothing to the utility of searching. Note that if header
1830 indexing is disabled, headers can still be searched; the
1831 searches will just be slower.
1832
1833 search_indexed_db: twoskip
1834 The cyrusdb backend to use for the search latest indexed uid
1835 state.
1836
1837 Allowed values: flat, skiplist, twoskip, lmdb
1838
1839 search_maxtime: <none>
1840 The maximum number of seconds to run a search for before abort‐
1841 ing. Default of no value means search "forever" until other
1842 timeouts.
1843
1844 search_skipdiacrit: 1
1845 When searching, should diacriticals be stripped from the search
1846 terms. The default is "true": a search for "hav" will match
1847 "Håvard". This is not RFC 5051 compliant, but it is backwards
1848 compatible, and may be preferred by some sites.
1849
1850 search_skiphtml: 0
1851 If enabled, HTML parts of messages are skipped, i.e. not indexed
1852 and not searchable. Otherwise, they're indexed.
1853
1854 search_whitespace: merge
1855 When searching, how whitespace should be handled. Options are:
1856 "skip" (default in 2.3 and earlier series) - where a search for
1857 "equi" would match "the quick brown fox". "merge" - the
1858 default, where "he qu" would match "the quick brownfox", and
1859 "keep", where whitespace must match exactly. The default of
1860 "merge" is recommended for most cases - it's a good compromise
1861 which keeps words separate. Allowed values: skip, merge, keep
1862
1863 search_snippet_length: 255
1864 The maximum byte length of a snippet generated by the XSNIPPETS
1865 command. Only supported by the Xapian search backend, which
1866 attempts to always fill search_snippet_length bytes in the gen‐
1867 erated snippet.
1868
1869 search_stopword_path: <none>
1870 The absolute base path to the search stopword lists. If not
1871 specified, no stopwords will be taken into account during search
1872 indexing. Currently, the only supported and default stop word
1873 file is english.list.
1874
1875 searchpartition-name: <none>
1876 The pathname where to store the xapian search indexes of
1877 searchtier for mailboxes of partition name. This must be config‐
1878 ured for the defaultsearchtier and any additional search tier
1879 (see squatter for details).
1880
1881 For example: if defaultpartition is defined as part1 and
1882 defaultsearchtier as tier1 then the configuration must contain
1883 an entry tier1searchpartition-part1 that defines the path where
1884 to store this tier1's search index for the part1 partition.
1885
1886 This option MUST be specified for xapian search.
1887
1888 seenstate_db: twoskip
1889 The cyrusdb backend to use for the seen state.
1890
1891 Allowed values: flat, skiplist, twoskip, lmdb
1892
1893 sendmail: /usr/lib/sendmail
1894 The pathname of the sendmail executable. Sieve invokes sendmail
1895 for sending rejections, redirects and vacation responses.
1896
1897 serverlist: <none>
1898 Whitespace separated list of backend server names. Used for
1899 finding the server with the most available free space for proxying
1900 CREATE.
1901
1902 serverlist_select_mode: freespace-most
1903 Server selection mode.
1904
1905 random (pseudo-)random selection
1906
1907 freespace-most
1908 backend with the most (total) free space (KiB)
1909
1910 freespace-percent-most
1911 backend whose partition has the most free space (%)
1912
1913 freespace-percent-weighted
1914 same as for partition selection, comparing the free space
1915 (%) of the least used partition of each backend
1916
1917 freespace-percent-weighted-delta
1918 same as for partition selection, comparing the free space
1919 (%) of the least used partition of each backend.
1920
1921 Allowed values: random, freespace-most, freespace-per‐
1922 cent-most, freespace-percent-weighted, freespace-per‐
1923 cent-weighted-delta
1924
1925 serverlist_select_usage_reinit: 0
1926 For a given session, number of operations (e.g. backend selec‐
1927 tion) for which backend usage data are cached.
1928
1929 serverlist_select_soft_usage_limit: 0
1930 Limit of backend usage (%): if a backend is over that limit, it
1931 is automatically excluded from selection mode.
1932
1933 If all backends are over that limit, this feature is not used
1934 anymore.
1935
1936 servername: <none>
1937 This is the hostname visible in the greeting messages of the
1938 POP, IMAP and LMTP daemons. If it is unset, then the result
1939 returned from gethostname(2) is used. This is also the value
1940 used by murder clusters to identify the host name. It should be
1941 resolvable by DNS to the correct host, and unique within an
1942 active cluster. If you are using low level replication (e.g.
1943 drbd) then it should be the same on each copy and the DNS name
1944 should also be moved to the new master on failover.
1945
1946 serverinfo: on
1947 The server information to display in the greeting and capability
1948 responses. Information is displayed as follows:
1949 "off" = no server information in the greeting or capabilities
1950
1951 "min" = servername in the greeting; no server information in
1952 the capabilities
1953
1954 "on" = servername and product version in the greeting; prod‐
1955 uct version in the capabilities
1956
1957 Allowed values: off, min, on
1958
1959 sharedprefix: Shared Folders
1960 If using the alternate IMAP namespace, the prefix for the shared
1961 namespace. The hierarchy delimiter will be automatically
1962 appended.
1963
1964 sieve_allowreferrals: 1
1965 If enabled, timsieved will issue referrals to clients when the
1966 user's scripts reside on a remote server (in a Murder). Other‐
1967 wise, timsieved will proxy traffic to the remote server.
1968
1969 sieve_extensions: fileinto reject vacation vacation-seconds
1970 imapflags notify envelope relational regex subaddress copy date
1971 index imap4flags mailbox mboxmetadata servermetadata variables
1972 Space-separated list of Sieve extensions allowed to be used in
1973 sieve scripts, enforced at submission by timsieved(8). Any pre‐
1974 viously installed script will be unaffected by this option and
1975 will continue to execute regardless of the extensions used.
1976 This option has no effect on options that are disabled at com‐
1977 pile time (e.g., "regex"). Allowed values: fileinto, reject,
1978 vacation, vacation-seconds, imapflags, notify, include, enve‐
1979 lope, body, relational, regex, subaddress, copy, date, index,
1980 imap4flags, mailbox, mboxmetadata, servermetadata, variables
1981
1982 sieve_maxscriptsize: 32
1983 Maximum size (in kilobytes) any sieve script can be, enforced at
1984 submission by timsieved(8).
1985
1986 sieve_maxscripts: 5
1987 Maximum number of sieve scripts any user may have, enforced at
1988 submission by timsieved(8).
1989
1990 sieve_utf8fileinto: 0
1991 If enabled, the sieve engine expects folder names for the
1992 fileinto action in scripts to use UTF8 encoding. Otherwise,
1993 modified UTF7 encoding should be used.
1994
1995 sieve_sasl_send_unsolicited_capability: 0
1996 If enabled, timsieved will emit a capability response after a
1997 successful SASL authentication, per draft-martin-manage‐
1998 sieve-12.txt .
1999
2000 sieve_vacation_min_response: 259200 /* 3 days */
2001 Minimum time interval (in seconds) between consecutive vacation
2002 responses, per draft-ietf-vacation-seconds.txt .
2003
2004 sieve_vacation_max_response: 7776000 /* 90 days */
2005 Maximum time interval (in seconds) between consecutive vacation
2006 responses, per draft-ietf-vacation-seconds.txt .
2007
2008 sievedir: /usr/sieve
2009 If sieveusehomedir is false, this directory is searched for
2010 Sieve scripts.
2011
2012 sievenotifier: <none>
2013 Notifyd(8) method to use for "SIEVE" notifications. If not set,
2014 "SIEVE" notifications are disabled.
2015
2016 This method is only used when no method is specified in the
2017 script.
2018
2019 sieveusehomedir: 0
2020 If enabled, lmtpd will look for Sieve scripts in user's home
2021 directories: ~user/.sieve.
2022
2023 anysievefolder: 0
2024 It must be "yes" in order to permit the autocreation of any
2025 INBOX subfolder requested by a sieve filter, through the
2026 "fileinto" action. (default = no)
2027
2028 singleinstancestore: 1
2029 If enabled, imapd, lmtpd and nntpd attempt to only write one
2030 copy of a message per partition and create hard links, resulting
2031 in a potentially large disk savings.
2032
2033 skiplist_always_checkpoint: 1
2034 If enabled, this option forces the skiplist cyrusdb backend to
2035 always checkpoint when doing a recovery. This causes slightly
2036 more IO, but on the other hand leads to more efficient data‐
2037 bases, and the entire file is already "hot".
2038
2039 skiplist_unsafe: 0
2040 If enabled, this option forces the skiplist cyrusdb backend to
2041 not sync writes to the disk. Enabling this option is NOT RECOM‐
2042 MENDED.
2043
2044 soft_noauth: 1
2045 If enabled, lmtpd returns temporary failures if the client does
2046 not successfully authenticate. Otherwise lmtpd returns perma‐
2047 nent failures (causing the mail to bounce immediately).
2048
2049 sortcache_db: twoskip
2050 The cyrusdb backend to use for caching sort results (currently
2051 only used for xconvmultisort) Allowed values: skiplist, twoskip,
2052 lmdb
2053
2054 specialuse_extra: <none>
2055 Whitespace separated list of extra special-use attributes that
2056 can be set on a mailbox. RFC 6154 currently lists what spe‐
2057 cial-use attributes can be set. This allows extending that list
2058 in the future or adding your own if needed.
2059
2060 specialusealways: 0
2061 If enabled, this option causes LIST and LSUB output to always
2062 include the XLIST "special-use" flags
2063
2064 sphinx_text_excludes_odd_headers: 0
2065 If enabled, Sphinx will perform a TEXT search as if it matches
2066 FROM, TO, CC, BCC or SUBJECT but not any other headers. This is
2067 contrary to the RFC but a more useful behaviour for most users.
2068 Default: disabled.
2069
2070 sphinx_socket: {configdirectory}/socket/sphinx
2071 Unix domain socket that the Sphinx searchd daemon listens on.
2072
2073 sphinx_pidfile: /var/run/sphinx.pid
2074 File where the Sphinx searchd daemon writes its pid.
2075
2076 sql_database: <none>
2077 Name of the database which contains the cyrusdb table(s).
2078
2079 sql_engine: <none>
2080 Name of the SQL engine to use.
2081
2082 Allowed values: mysql, pgsql, sqlite
2083
2084 sql_hostnames: <empty string>
2085 Comma separated list of SQL servers (in host[:port] format).
2086
2087 sql_passwd: <none>
2088 Password to use for authentication to the SQL server.
2089
2090 sql_user: <none>
2091 Username to use for authentication to the SQL server.
2092
2093 sql_usessl: 0
2094 If enabled, a secure connection will be made to the SQL server.
2095
2096 srvtab: <empty string>
2097 The pathname of srvtab file containing the server's private key.
2098 This option is passed to the SASL library and overrides its
2099 default setting.
2100
2101 submitservers: <none>
2102 A list of users and groups that are allowed to resolve
2103 "urlauth=submit+" IMAP URLs, separated by spaces. Any user
2104 listed in this will be allowed to fetch the contents of any
2105 valid "urlauth=submit+" IMAP URL: use with caution.
2106
2107 subscription_db: flat
2108 The cyrusdb backend to use for the subscriptions list.
2109
2110 Allowed values: flat, skiplist, twoskip, lmdb
2111
2112 suppress_capabilities: <none>
2113 Suppress the named capabilities from any capability response.
2114 Use the exact case as it appears in the response, e.g. "sup‐
2115 press_capabilities: ESEARCH QRESYNC WITHIN XLIST LIST-EXTENDED"
2116 if you have a murder with 2.3.x backends and don't want clients
2117 being confused by new capabilities that some backends don't sup‐
2118 port.
2119
2120 statuscache: 0
2121 Enable/disable the imap status cache.
2122
2123 statuscache_db: twoskip
2124 The cyrusdb backend to use for the imap status cache.
2125
2126 Allowed values: skiplist, sql, twoskip, lmdb
2127
2128 statuscache_db_path: <none>
2129 The absolute path to the statuscache db file. If not specified,
2130 will be configdirectory/statuscache.db
2131
2132 sync_authname: <none>
2133 The authentication name to use when authenticating to a sync
2134 server. Prefix with a channel name to only apply for that chan‐
2135 nel
2136
2137 sync_batchsize: 8192
2138 The number of messages to upload in a single mailbox
2139 replication. Default is 8192. If there are more than this many
2140 messages appended to the mailbox, generate a synthetic partial
2141 state and send that.
2142
2143 sync_host: <none>
2144 Name of the host (replica running sync_server(8)) to which
2145 replication actions will be sent by sync_client(8). Prefix with
2146 a channel name to only apply for that channel
2147
2148 sync_log: 0
2149 Enable replication action logging by lmtpd(8), imapd(8),
2150 pop3d(8), and nntpd(8). The log {configdirectory}/sync/log is
2151 used by sync_client(8) for "rolling" replication.
2152
2153 sync_log_chain: 0
2154 Enable replication action logging by sync_server as well, allow‐
2155 ing chaining of replicas. Use this on 'B' for A => B => C
2156 replication layout
2157
2158 sync_log_channels: <none>
2159 If specified, log all events to multiple log files in directo‐
2160 ries specified by each "channel". Each channel can then be pro‐
2161 cessed separately, such as by multiple sync_client(8)s in a mesh
2162 replication scheme, or by squatter(8) for rolling search index
2163 updates.
2164
2165 You can use "" (the two-character string U+22 U+22) to mean the
2166 default sync channel.
2167
2168 sync_log_unsuppressable_channels: squatter
2169 If specified, the named channels are exempt from the effect of
2170 setting sync_log_chain:off, i.e. they are always logged to by
2171 the sync_server process. This is only really useful to allow
2172 rolling search indexing on a replica.
2173
2174 sync_password: <none>
2175 The default password to use when authenticating to a sync
2176 server. Prefix with a channel name to only apply for that chan‐
2177 nel
2178
2179 sync_port: <none>
2180 Name of the service (or port number) of the replication service
2181 on replica host. Prefix with a channel name to only apply for
2182 that channel. If not specified, and if sync_try_imap is set to
2183 "yes" (the default), then the replication client will first try
2184 "imap" (port 143) to check if imapd supports replication.
2185 Otherwise it will default to "csync" (usually port 2005).
2186
2187 sync_realm: <none>
2188 The authentication realm to use when authenticating to a sync
2189 server. Prefix with a channel name to only apply for that chan‐
2190 nel
2191
2192 sync_repeat_interval: 1
2193 Minimum interval (in seconds) between replication runs in
2194 rolling replication mode. If a replication run takes longer than
2195 this time, we repeat immediately. Prefix with a channel name to
2196 only apply for that channel
2197
2198 sync_shutdown_file: <none>
2199 Simple latch used to tell sync_client(8) that it should shut
2200 down at the next opportunity. Safer than sending signals to run‐
2201 ning processes. Prefix with a channel name to only apply for
2202 that channel
2203
2204 sync_timeout: 1800
2205 Number of seconds to wait for a response before returning a
2206 timeout failure when talking to a replication peer (client or
2207 server).
2208
2209 sync_try_imap: 1
2210 Whether sync_client should try to perform an IMAP connection
2211 before falling back to csync. If this is set to "no",
2212 sync_client will only use csync. Prefix with a channel name to
2213 apply only for that channel
2214
2215 syslog_prefix: <none>
2216 String to be prepended to the process name in syslog entries.
2217
2218 syslog_facility: <none>
2219 Configure a syslog facility. The default is whatever is com‐
2220 piled in. Allowed values are: DAEMON, MAIL, NEWS, USER, and
2221 LOCAL0 through to LOCAL7
2222
2223 tcp_keepalive: 0
2224 Enable keepalive on TCP connections
2225
2226 tcp_keepalive_cnt: 0
2227 Number of TCP keepalive probes to send before declaring the con‐
2228 nection dead (0 == system default)
2229
2230 tcp_keepalive_idle: 0
2231 Number of seconds a connection must be idle before keepalive
2232 probes are sent (0 == system default)
2233
2234 tcp_keepalive_intvl: 0
2235 Number of seconds between keepalive probes (0 == system default)
2236
2237 temp_path: /tmp
2238 The pathname to store temporary files in
2239
2240 telemetry_bysessionid: 0
2241 If true, log by sessionid instead of PID for telemetry
2242
2243 timeout: 32
2244 The length of the IMAP server's inactivity autologout timer, in
2245 minutes. The minimum value is 30. The default is 32 to allow a
2246 bit of leeway for clients that try to NOOP every 30 minutes.
2247
2248 imapidletimeout: 0
2249 Timeout for idling clients (RFC 2177) in minutes. If set to zero
2250 (the default) or less, the value of "timeout" will be used
2251 instead.
2252
2253 tls_ca_file: <none>
2254 Deprecated in favor of tls_client_ca_file.
2255
2256 tls_ca_path: <none>
2257 Deprecated in favor of tls_client_ca_dir.
2258
2259 tlscache_db: twoskip
2260 Deprecated in favor of tls_sessions_db.
2261
2262 tlscache_db_path: <none>
2263 Deprecated in favor of tls_sessions_db_path.
2264
2265 tls_cert_file: <none>
2266 Deprecated in favor of tls_server_cert.
2267
2268 tls_cipher_list: DEFAULT
2269 Deprecated in favor of tls_ciphers.
2270
2271 tls_ciphers: DEFAULT
2272 The list of SSL/TLS ciphers to allow. The format of the string
2273 (and definition of "DEFAULT") is described in ciphers(1).
2274
2275 See also Mozilla's server-side TLS recommendations:
2276
2277 https://wiki.mozilla.org/Security/Server_Side_TLS
2278
2279 tls_client_ca_dir: <none>
2280 Path to a directory containing the CA certificates used to ver‐
2281 ify client SSL certificates used for authentication.
2282
2283 tls_client_ca_file: <none>
2284 Path to a file containing the CA certificate(s) used to verify
2285 client SSL certificates used for authentication.
2286
2287 tls_client_cert: <none>
2288 File containing the certificate presented to a server for
2289 authentication during STARTTLS. A value of "disabled" will dis‐
2290 able this server's use of certificate-based authentication.
2291
2292 tls_client_certs: optional
2293 Disable ("off"), allow ("optional", default) or require
2294 ("require") the use of SSL certificates by clients to authenti‐
2295 cate themselves. Allowed values: off, optional, require
2296
2297 tls_client_key: <none>
2298 File containing the private key belonging to the tls_client_cert
2299 certificate. A value of "disabled" will disable this server's
2300 use of certificate-based authentication.
2301
2302 tls_eccurve: prime256v1
2303 The elliptic curve used for ECDHE. Default is NIST Suite B
2304 prime256. See 'openssl ecparam -list_curves' for possible val‐
2305 ues.
2306
2307 tls_key_file: <none>
2308 Deprecated in favor of tls_server_key.
2309
2310 tls_required: 0
2311 If enabled, require a TLS/SSL encryption layer to be negotiated
2312 prior to ANY authentication mechanisms being advertised or
2313 allowed.
2314
2315 tls_prefer_server_ciphers: 0
2316 Prefer the ciphers on the server side instead of client side.
2317
2318 tls_server_ca_dir: <none>
2319 Path to a directory with CA certificates used to verify certifi‐
2320 cates offered by the server, when cyrus acts as client. This
2321 directory must have filenames with the hashed value of the cer‐
2322 tificates (see openssl(1)).
2323
2324 tls_server_ca_file: <none>
2325 Path to a file containing CA certificates used to verify cer‐
2326 tificates offered by the server, when cyrus acts as client.
2327
2328 tls_server_cert: <none>
2329 File containing the certificate, including the full chain, pre‐
2330 sented to clients.
2331
2332 tls_server_key: <none>
2333 File containing the private key belonging to the certificate in
2334 tls_server_cert.
2335
2336 tls_sessions_db: twoskip
2337 The cyrusdb backend to use for the TLS cache.
2338
2339 Allowed values: skiplist, sql, twoskip, lmdb
2340
2341 tls_sessions_db_path: <none>
2342 The absolute path to the TLS sessions db file. If not specified,
2343 will be configdirectory/tls_sessions.db
2344
2345 tls_session_timeout: 1440
2346 The length of time (in minutes) that a TLS session will be
2347 cached for later reuse. The maximum value is 1440 (24 hours),
2348 the default. A value of 0 will disable session caching.
2349
2350 tls_versions: tls1_0 tls1_1 tls1_2 tls1_3
2351 A list of SSL/TLS versions to not disable. Cyrus IMAP SSL/TLS
2352 starts with all protocols, and subtracts protocols not in this
2353 list. Newer versions of SSL/TLS will need to be added here to
2354 allow them to get disabled.
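
An added example, not part of the Cyrus documentation or code base: a Python audit that parses text in the imapd.conf format described at the top of this page (continuation lines, comments, boolean spellings) and flags settings that the option descriptions on this page mark as weak or risky. Function names, finding wording and both sample configurations are constructed for illustration; the defaults are the ones listed on this page.

```python
TRUE = {"yes", "on", "t", "true", "1"}  # spellings this page lists as "on"

# Defaults as listed on this page for the options the audit reads.
DEFAULTS = {
    "tls_required": "0",
    "sasl_minimum_layer": "0",
    "tls_versions": "tls1_0 tls1_1 tls1_2 tls1_3",
    "skiplist_unsafe": "0",
    "serverinfo": "on",
    "proxyservers": "",
    "submitservers": "",
    "umask": "077",
}

LEGACY_TLS = {"tls1_0", "tls1_1"}  # deprecated by RFC 8996


def parse_imapd_conf(text):
    """Return {option: value} for text in the 'option: value' format."""
    options, pending = {}, ""
    # The trailing "" flushes a file whose last line ends in a backslash.
    for raw in text.splitlines() + [""]:
        line = pending + raw
        if line.endswith("\\"):
            pending = line[:-1]  # no whitespace is inserted at the join
            continue
        pending = ""
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are ignored
        name, sep, value = line.partition(":")
        if sep:
            options[name.strip()] = " ".join(value.split())
    return options


def audit(text):
    """Return a list of (option, finding) tuples for the given config text."""
    conf = {**DEFAULTS, **parse_imapd_conf(text)}
    findings = []
    if conf["tls_required"] not in TRUE:
        findings.append(("tls_required",
                         "authentication is allowed before TLS is negotiated"))
    if int(conf["sasl_minimum_layer"]) < 2:
        findings.append(("sasl_minimum_layer",
                         "SSF of 0 or 1 does not require encryption"))
    legacy = sorted(LEGACY_TLS & set(conf["tls_versions"].split()))
    if legacy:
        findings.append(("tls_versions",
                         "legacy versions not disabled: " + " ".join(legacy)))
    if conf["skiplist_unsafe"] in TRUE:
        findings.append(("skiplist_unsafe",
                         "skiplist writes are not synced to disk"))
    if conf["serverinfo"] == "on":
        findings.append(("serverinfo",
                         "product version shown in greeting and capabilities"))
    for opt in ("proxyservers", "submitservers"):
        if conf[opt]:
            findings.append((opt, "review broad access granted to: " + conf[opt]))
    if int(conf["umask"], 8) & 0o077 != 0o077:
        findings.append(("umask", "group or other permission bits not masked"))
    return findings


# Constructed sample input; note the backslash continuation in tls_versions.
SAMPLE = r"""
# constructed example, not a real deployment
tls_required: no
sasl_minimum_layer: 0
tls_versions: tls1_0 \
tls1_2 tls1_3
serverinfo: min
proxyservers: murder-fe
umask: 027
"""

# Constructed sample with the flagged settings corrected.
HARDENED = """
tls_required: yes
sasl_minimum_layer: 128
tls_versions: tls1_2 tls1_3
serverinfo: off
"""

if __name__ == "__main__":
    for option, finding in audit(SAMPLE):
        print(f"{option}: {finding}")
```

Running `audit("")` shows what the documented defaults alone leave open, which is a useful baseline before reviewing a site's overrides.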
2355
2356 uidl_format: cyrus
2357 Choose the format for UIDLs in pop3. Possible values are
2358 "uidonly", "cyrus", "dovecot" and "courier". "uidonly" forces
2359 the old default of UID, "cyrus" is UIDVALIDITY.UID. Dovecot is
2360 8 digits of leading hex (lower case) each UID UIDVALIDITY.
2361 Courier is UIDVALIDITY-UID. Allowed values: uidonly, cyrus,
2362 dovecot, courier
2363
2364 umask: 077
2365 The umask value used by various Cyrus IMAP programs.
2366
2367 userdeny_db: flat
2368 The cyrusdb backend to use for the user access list.
2369
2370 Allowed values: flat, skiplist, sql, twoskip, lmdb
2371
2372 userdeny_db_path: <none>
2373 The absolute path to the userdeny db file. If not specified,
2374 will be configdirectory/user_deny.db
2375
2376 username_tolower: 1
2377 Convert usernames to all lowercase before login/authentication.
2378 This is useful with authentication backends which ignore case
2379 during username lookups (such as LDAP).
2380
2381 userprefix: Other Users
2382 If using the alternate IMAP namespace, the prefix for the other
2383 users namespace. The hierarchy delimiter will be automatically
2384 appended.
2385
2386 unix_group_enable: 1
2387 Should we look up groups when using auth_unix (disable this if
2388 you are not using groups in ACLs for your IMAP server, and you
2389 are using auth_unix with a backend (such as LDAP) that can make
2390 getgrent() calls very slow)
2391
2392 unixhierarchysep: 1
2393 Use the UNIX separator character '/' for delimiting levels of
2394 mailbox hierarchy. Turn off to use the netnews separator
2395 character '.'. Note that with the netnews separator, no dots may
2396 occur in mailbox names. The default switched in 3.0 from off to
2397 on.
2398
virtdomains: off
    Configure virtual domain support.

    off     Cyrus does not know or care about domains. Only the local
            part of email addresses is ever considered. This is not
            recommended for any deployment, but is currently the
            default.

    userid  The user's domain is determined by splitting a fully
            qualified userid at the last '@' or '%' symbol. If the
            userid is unqualified, the defaultdomain will be used.
            This is the recommended configuration for all
            deployments. If you wish to provide calendaring services
            you must use this configuration.

    on      Fully qualified userids are respected, as per "userid".
            Unqualified userids will have their domain determined by
            doing a reverse lookup on the IP address of the incoming
            network interface, or if no record is found, the
            defaultdomain will be used.

    Allowed values: off, userid, on
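
The virtdomains mode and username_tolower together decide which account a login string maps to, which matters when reviewing ACLs and the admins list. The sketch below is an added example, not code from Cyrus IMAP: it is a simplified model of the rules as stated above, and resolve_userid, same_account and iface_domain are hypothetical names.

```python
# Added illustration: a model of the virtdomains rules described above,
# not code from Cyrus IMAP. Function and parameter names are hypothetical.

def resolve_userid(login, virtdomains="off", defaultdomain=None,
                   username_tolower=True, iface_domain=None):
    """Return (localpart, domain) for a login string.

    iface_domain stands in for the result of the reverse lookup on the
    incoming interface's IP address (None when no record is found).
    """
    if virtdomains not in ("off", "userid", "on"):
        raise ValueError("virtdomains must be off, userid or on")
    if username_tolower:
        login = login.lower()

    # Assumption: "the last '@' or '%'" means the rightmost occurrence
    # of either character.
    cut = max(login.rfind("@"), login.rfind("%"))
    if cut >= 0:
        local, domain = login[:cut], login[cut + 1:]
    else:
        local, domain = login, None
    if not local or domain == "":
        raise ValueError("malformed userid: %r" % login)

    if virtdomains == "off":
        # Domains are not considered at all: only the local part counts.
        return local, None
    if domain is not None:
        return local, domain          # fully qualified: respected as-is
    if virtdomains == "on" and iface_domain:
        return local, iface_domain    # unqualified: reverse-lookup result
    return local, defaultdomain       # unqualified: fall back


def same_account(a, b, **settings):
    """True when two login strings resolve to the same identity."""
    return resolve_userid(a, **settings) == resolve_userid(b, **settings)
```

In this model, same_account("alice@a.example", "alice@b.example", virtdomains="off") is true, while the same pair under "userid" stays distinct.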

xbackup_enabled: 0
    Enable support for the XBACKUP command in imapd. If enabled,
    admin users can use this command to provoke a replication of
    specified users to the named backup channel.

xlist-flag: <none>
    Set the special-use flag flag on the specified folder when it is
    autocreated (see the autocreate_inbox_folders option). For
    example, if xlist-junk: Spam is set, and the folder Spam is
    autocreated, the special-use flag \Junk will be set on it.

    (This option is so named for backward compatibility with old
    config files.)

lmtp_catchall_mailbox: <none>
    Mail sent to mailboxes which do not exist will be delivered to
    this user. NOTE: This must be an existing local user name with
    an INBOX, NOT an email address!

zoneinfo_db: twoskip
    The cyrusdb backend to use for zoneinfo.

    Allowed values: flat, skiplist, twoskip, lmdb

zoneinfo_db_path: <none>
    The absolute path to the zoneinfo db file. If not specified,
    will be configdirectory/zoneinfo.db

object_storage_enabled: 0
    Whether object storage is enabled for this server. You also need
    to have archiving enabled and an archivepartition for the
    mailbox. Only email files will be stored on object storage; the
    archive partition will be used to store any other files.

object_storage_dummy_spool: <none>
    Dummy object storage spool; this is for test only. Spool where
    user directory (container) will be created to store all emails
    in a flat structure.

openio_namespace: <none>
    The OpenIO namespace used to store archived email messages. A
    namespace identifies the physical platform cyrus must contact.
    This directive is used by the OpenIO's SDK to locate its
    platform entry point.

openio_account: <none>
    The OpenIO account used to account for stored emails. Accounts
    are unique in their namespace. They provide virtual partitions,
    with quotas and QoS features.

openio_rawx_timeout: 30
    The OpenIO timeout for queries to the RAWX services (default 30
    sec).

openio_proxy_timeout: 5
    The OpenIO timeout for queries to the PROXY services (default 5
    sec).

openio_autocreate: 0
    Allow the OpenIO SDK to autocreate containers. Mainly intended
    to be turned on in development environments. In production, the
    container should have been provisioned with the mailboxes.

openio_verbosity: <none>
    Sets the logging verbosity of the OpenIO's internal behavior.
    Admissible values are: "warning", "notice", "info", "debug",
    "trace", "quiet". The default verbosity is "warning". Set to
    "notice" for a few lines on a per-client basis. Set to "info"
    for a few lines on a per-request basis. Set to "debug" Set to
    "trace" to activate the underlying libcurl debug output.
    Enabling a verbosity higher than or equal to "debug" requires
    cyrus to be set in debug mode. The special "quiet" value
    disables all kinds of logging at the GLib level.

caringo_hostname: <none>
    The Caringo hostname used to store archived email messages. A
    hostname identifies the physical platform cyrus must contact.
    This directive is used by the Caringo's SDK (CastorSDK: Caringo
    Simple Content Storage Protocol (SCSP) on HTTP 1.1 using a
    RESTful architecture).

caringo_port: 80
    The port of the caringo server (caringo_hostname); default is
    80.

fastmailsharing: 0
    If enabled, use FastMail style sharing (oldschool full server
    paths).

imapd(8), pop3d(8), nntpd(8), lmtpd(8), httpd(8), timsieved(8),
idled(8), notifyd(8), deliver(8), master(8), ciphers(1)

The Cyrus Team

1993-2017, The Cyrus Team

3.0.13 December 16, 2019 IMAPD.CONF(5)