1IMAPD.CONF(5) Cyrus IMAP IMAPD.CONF(5)
2
3
4
6 imapd.conf - Cyrus IMAP documentation
7
8 IMAP configuration file
9
11 /etc/imapd.conf is the configuration file for the Cyrus IMAP server.
12 It defines local parameters for IMAP.
13
14 Each line of the /etc/imapd.conf file has the form
15 option: value
16
17 where option is the name of the configuration option being set and
18 value is the value that the configuration option is being set to.
19
20 Although there is no limit to the length of a line, a ``\''
21 (backslash) character may be used as the last character on a line to
22 force it to continue on the next one. No additional whitespace is
23 inserted before or after the ``\''. Note that a line that is split
24 using ``\'' character(s) is still considered a single line.
25
26 For example
27 option:\
28 value1 value2 \
29 value3
30
31 is equivalent to
32 option: value1 value2 value3
33
34 Blank lines and lines beginning with ``#'' are ignored.
35
36 For boolean and enumerated options, the values ``yes'', ``on'',
37 ``t'', ``true'' and ``1'' turn the option on, the values ``no'',
38 ``off'', ``f'', ``false'' and ``0'' turn the option off.
39
40 Duration options take the form of a number followed by a unit, for
41 example 32m (32 minutes). Units are d (days), h (hours), m (min‐
42 utes) and s (seconds). Multiple units can be combined and will be
43 summed together, for example 1h30m is equivalent to 90m. If no unit
44 is specified, an option-specific backward-compatible default unit is
45 assumed (documented on an option-by-option basis). These are simple
46 time units: 1d=24h, 1h=60m, 1m=60s (daylight savings, timezones,
47 leap adjustments, etc are not considered).
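
The duration syntax described above, as an added example that is not part of the Cyrus documentation or source: a small Python parser that sums combined units and applies the backward-compatible default unit this page states for a few options. Accepting a leading minus sign and allowing a bare number only as the whole value are assumptions of the example.

```python
import re

# Unit sizes exactly as documented: 1d=24h, 1h=60m, 1m=60s.
UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}

# Backward-compatible default units stated on this page for these options.
DEFAULT_UNIT = {
    "archive_after": "d",
    "backup_retention": "d",
    "caldav_historical_age": "d",
    "conversations_expire_after": "d",
    "client_timeout": "s",
    "dav_lock_timeout": "s",
}

_TOKEN = re.compile(r"(\d+)([dhms])")


def parse_duration(option, value):
    """Return the duration in seconds for `value` as set on `option`."""
    text = value.strip()
    sign = 1
    if text.startswith("-"):  # assumption: a leading '-' negates the whole value
        sign, text = -1, text[1:]
    if text.isdigit():
        # Bare number: fall back to the option-specific default unit.
        unit = DEFAULT_UNIT.get(option)
        if unit is None:
            raise ValueError(f"{option}: no default unit known for {value!r}")
        return sign * int(text) * UNIT_SECONDS[unit]
    total, pos = 0, 0
    while pos < len(text):
        match = _TOKEN.match(text, pos)
        if match is None:
            raise ValueError(f"{option}: malformed duration {value!r}")
        total += int(match.group(1)) * UNIT_SECONDS[match.group(2)]
        pos = match.end()
    if pos == 0:
        raise ValueError(f"{option}: empty duration")
    return sign * total


def backup_retention_seconds(value):
    """Seconds that deleted content stays in backup, or None for 'indefinitely'.

    Per the backup_retention entry, zero or a negative value keeps deleted
    content indefinitely; it does not mean 'remove at once'.
    """
    seconds = parse_duration("backup_retention", value)
    return None if seconds <= 0 else seconds
```
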
48
50 The sections below detail options that can be placed in the
51 /etc/imapd.conf file, and show each option's default value. Some
52 options have no default value; these are listed with
53 ``<no default>''. Some options default to the empty string; these
54 are listed with ``<none>''.
55
56 addressbookprefix: #addressbooks
57 The prefix for the addressbook mailboxes hierarchies. The hier‐
58 archy delimiter will be automatically appended. The public ad‐
59 dressbook hierarchy will be at the toplevel of the shared name‐
60 space. A user’s personal addressbook hierarchy will be a child
61 of their Inbox.
62
63 admins: <empty string>
64 The list of userids with administrative rights. Separate each
65 userid with a space. Sites using Kerberos authentication may
66 use separate “admin” instances.
67
68 Note that accounts used by users should not be administrators.
69 Administrative accounts should not receive mail. That is, if
70 user “jbRo” is a user reading mail, he should not also be in the
71 admins line. Some problems may occur otherwise, most notably
72 the ability of administrators to create top-level mailboxes vis‐
73 ible to users, but not writable by users.
74
75 afspts_localrealms: <none>
76 The list of realms which are to be treated as local, and thus
77 stripped during identifier canonicalization (for the AFSPTS pt‐
78 loader module). This is different from loginrealms in that it
79 occurs later in the authorization process (as the user id is
80 canonified for PTS lookup)
81
82 afspts_mycell: <none>
83 Cell to use for AFS PTS lookups. Defaults to the local cell.
84
85 allowallsubscribe: 0
86 Allow subscription to nonexistent mailboxes. This option is
87 typically used on backend servers in a Murder so that users can
88 subscribe to mailboxes that don’t reside on their “home” server.
89 This option can also be used as a workaround for IMAP clients
90 which don’t play well with nonexistent or unselectable mailboxes
91 (e.g., Microsoft Outlook).
92
93 allowanonymouslogin: 0
94 Permit logins by the user “anonymous” using any password. Also
95 allows use of the SASL ANONYMOUS mechanism.
96
97 allowapop: 1
98 Allow use of the POP3 APOP authentication command.
99
100 Note that this command requires that SASL is compiled with APOP
101 support, that the plaintext passwords are available in a SASL
102 auxprop backend (e.g., sasldb), and that the system can provide
103 enough entropy (e.g., from /dev/urandom) to create a challenge
104 in the banner.
105
106 allowdeleted: 0
107 Allow access to deleted and expunged data via vendor.cmu-* ac‐
108 cess
109
110 allownewnews: 0
111 Allow use of the NNTP NEWNEWS command.
112
113 Note that this is a very expensive command and should only be
114 enabled when absolutely necessary.
115
116 allowplaintext: 0
117 If enabled, allows the use of cleartext passwords on the wire.
118
119 By default, the use of cleartext passwords requires a TLS/SSL
120 encryption layer to be negotiated prior to any cleartext authen‐
121 tication mechanisms being advertised or allowed. To require a
122 TLS/SSL encryption layer to be negotiated prior to ANY authenti‐
123 cation, see the tls_required option.
124
125 allowsetacl: 1
126 Defaults to enabled. If disabled, disallows the use of the SE‐
127 TACL command at all via IMAP.
128
129 allowusermoves: 0
130 Allow moving user accounts (with associated meta-data) via RE‐
131 NAME or XFER.
132
133 Note that measures should be taken to make sure that the user
134 being moved is not logged in, and cannot login during the move.
135 Failure to do so may result in the user’s meta-data (seen state,
136 subscriptions, etc) being corrupted or out of date.
137
138 altnamespace: 1
139 Use the alternate IMAP namespace, where personal folders reside
140 at the same level in the hierarchy as INBOX.
141
142 This option ONLY applies where interaction takes place with the
143 client/user. Currently this is limited to the IMAP protocol
144 (imapd) and Sieve scripts (lmtpd). This option does NOT apply
145 to admin tools such as cyradm (admins ONLY), reconstruct, quota,
146 etc., NOR does it affect LMTP delivery of messages directly to
147 mailboxes via plus-addressing. The default changed in 3.0 from
148 off to on.
149
150 altprefix: Alt Folders
151 Alternative INBOX spellings that can’t be accessed in altnames‐
152 pace otherwise go under here
153
154 annotation_db: twoskip
155 The cyrusdb backend to use for mailbox annotations.
156
157 Allowed values: skiplist, twoskip, zeroskip
158
159 annotation_db_path: <none>
160 The absolute path to the annotations db file. If not specified,
161 will be configdirectory/annotations.db
162
163 anyoneuseracl: 1
164 Should non-admin users be allowed to set ACLs for the ‘anyone’
165 user on their mailboxes? In a large organization this can cause
166 support problems, but it’s enabled by default.
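
A configuration review sketch in Python, added here as an example and not part of the Cyrus documentation or source. It parses the file syntax described at the top of this page (continuation lines, comments, boolean words) and reports the settings documented above that carry a caveat: admins, allowanonymouslogin, allowapop, allowplaintext and anyoneuseracl. The sample file, the mail_users input, case-insensitive boolean words and a default of off for tls_required are assumptions of the example.

```python
TRUE_WORDS = {"yes", "on", "t", "true", "1"}
FALSE_WORDS = {"no", "off", "f", "false", "0"}

# Defaults as listed on this page. tls_required is only named here, so its
# default of "off" is an assumption of this example.
DEFAULTS = {
    "admins": "",
    "allowanonymouslogin": "0",
    "allowapop": "1",
    "allowplaintext": "0",
    "anyoneuseracl": "1",
    "tls_required": "0",
}

# Constructed sample configuration, not taken from any real server.
SAMPLE = r"""
# constructed example
configdirectory: /var/lib/imap
admins: cyrus \
 jbRo
allowplaintext: yes
allowanonymouslogin: off
anyoneuseracl: 0
"""


def logical_lines(text):
    """Join physical lines that end in a backslash, adding no whitespace."""
    pending = ""
    for raw in text.splitlines():
        if raw.endswith("\\"):
            pending += raw[:-1]
            continue
        yield pending + raw
        pending = ""
    if pending:
        yield pending


def parse_imapd_conf(text):
    """Return {option: value}; a repeated option keeps its last value."""
    options = {}
    for line in logical_lines(text):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are ignored
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not in 'option: value' form: {line!r}")
        options[name.strip()] = value.strip()
    return options


def parse_bool(value):
    """Map the documented on/off words to True/False."""
    word = value.strip().lower()  # case folding is an assumption
    if word in TRUE_WORDS:
        return True
    if word in FALSE_WORDS:
        return False
    raise ValueError(f"not a boolean value: {value!r}")


def audit(options, mail_users=()):
    """Return [(option, finding)] for settings this page attaches a caveat to.

    mail_users is a hypothetical input: userids known to read or receive mail.
    """
    def flag(name):
        return parse_bool(options.get(name, DEFAULTS[name]))

    findings = []
    if flag("allowanonymouslogin"):
        findings.append(("allowanonymouslogin",
                         "'anonymous' may log in with any password"))
    if flag("allowplaintext") and not flag("tls_required"):
        findings.append(("allowplaintext",
                         "cleartext passwords allowed on the wire without TLS"))
    if flag("allowapop"):
        findings.append(("allowapop",
                         "APOP needs plaintext passwords in a SASL auxprop backend"))
    if flag("anyoneuseracl"):
        findings.append(("anyoneuseracl",
                         "non-admin users may set ACLs for 'anyone'"))
    admins = options.get("admins", DEFAULTS["admins"]).split()
    overlap = sorted(set(admins) & set(mail_users))
    if overlap:
        findings.append(("admins",
                         "admin accounts that also receive mail: " + " ".join(overlap)))
    return findings
```

Calling `audit(parse_imapd_conf(SAMPLE), mail_users={"jbRo"})` reports allowplaintext, allowapop (enabled by default) and the admin account that is also a mail user.
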
167
168 annotation_allow_undefined: 0
169 Allow clients to store values for entries which are not defined
170 either by Cyrus or in the annotation_definitions file.
171
172 annotation_definitions: <none>
173 File containing external (third-party) annotation definitions.
174
175 Each line of the file specifies the properties of an annotation
176 and has the following form:
177 name, scope, attrib-type, proxy-type, attrib-names, acl
178
179 name is the hierarchical name as in RFC 5257 or RFC 5464 (in
180 the latter case, without the leading /shared or /pri‐
181 vate). For example, /vendor/acme/blurdybloop.
182
183 scope specifies whether the annotation is for the server, a
184 mailbox, or a message.
185
186 attrib-type
187 specifies the attribute data type, which is used only
188 to check the string value passed by clients when set‐
189 ting annotations. The attrib-type is one of:
190
191 string any value is accepted.
192
193 content-type
194 this obsolete data type, which was useful for
195 early drafts of the standard, is accepted but
196 silently translated to string.
197
198 boolean
199 only the strings “true” or “false” are accepted.
200 Checking is case-insensitive but the value is
201 forced to lowercase.
202
203 int integers are accepted.
204
205 uint non-negative integers are accepted.
206
207 proxy-type
208 specifies whether this attribute is for the backend or
209 proxy servers or both (proxy_and_backend)
210
211 attrib-names
212 is the space-separated list of available attributes for
213 the annotation. Possible attribute names are
214 value.shared, value.priv, and value (which permits both
215 value.priv and value.shared). The attribute names size,
216 size.shared, and size.priv are accepted but ignored;
217 these attributes are automatically provided by the server
218 if the corresponding value attribute is specified. Some
219 obsolete attributes, which were defined in early drafts of
220 the standard, are accepted and ignored with a warning.
221
222 extra-permissions
223 is the extra ACL permission bits required for setting
224 this annotation, in standard IMAP ACL permission bit
225 string format. Note that this is in addition to the per‐
226 mission bits specified in RFC 5257 and RFC 5464, so leav‐
227 ing this field empty is harmless. Note also that there
228 is no way to specify that an annotation can only be set
229 by an admin user; in particular the a permission bit does
230 not achieve this.
231
232 Blank lines and lines beginning with ``#'' are ignored.
233
234 annotation_callout: <none>
235 The pathname of a callout to be used to automatically add anno‐
236 tations or flags to a message when it is appended to a mailbox.
237 The path can be either an executable (including a script), or a
238 UNIX domain socket.
239
240 annotation_callout_disable_append: 0
241 Disables annotations on append with xrunannotator
242
243 annotation_enable_legacy_commands: 0
244 Whether to enable the legacy GETANNOTATION/SETANNOTATION com‐
245 mands. These commands are deprecated and will be removed in the
246 future, but might be useful in the meantime for supporting old
247 clients that do not implement the RFC 5464 IMAP METADATA exten‐
248 sion.
249
250 aps_topic: <none>
251 Topic for Apple Push Service registration.
252
253 aps_topic_caldav: <none>
254 Topic for Apple Push Service registration for CalDAV.
255
256 aps_topic_carddav: <none>
257 Topic for Apple Push Service registration for CardDAV.
258
259 archive_enabled: 0
260 Is archiving enabled for this server. You also need to have an
261 archivepartition for the mailbox. Archiving allows older email
262 to be stored on slower, cheaper disks - even within the same
263 mailbox, as distinct from partitions.
264
265 archive_days: <none>
266 Deprecated in favour of archive_after.
267
268 archive_after: 7d
269 The duration after which to move messages to the archive parti‐
270 tion if archiving is enabled.
271
272 For backward compatibility, if no unit is specified, days is as‐
273 sumed.
274
275 archive_maxsize: 1024
276 The size in kilobytes of the largest message that won’t be
277 archived immediately. Default is 1Mb
278
279 archive_keepflagged: 0
280 If set, messages with the \Flagged system flag won’t be
281 archived, provided they are smaller than archive_maxsize.
282
283 archivepartition-name: <none>
284 The pathname of the archive partition name, corresponding to
285 spool partition partition-name. For any mailbox residing in a
286 directory on partition-name, the archived messages will be
287 stored in a corresponding directory on archivepartition-name.
288 Note that not every partition-name option is strictly required
289 to have a corresponding archivepartition-name option, but that
290 without one there’s no benefit to enabling archiving.
291
292 auditlog: 0
293 Should cyrus output log entries for every action taken on a mes‐
294 sage file or mailboxes list entry? It’s noisy so disabled by
295 default, but can be very useful for tracking down what happened
296 if things look strange
297
298 auth_mech: unix
299 The authorization mechanism to use.
300
301 Allowed values: unix, pts, krb, krb5
302
303 autocreateinboxfolders: <none>
304 Deprecated in favor of autocreate_inbox_folders.
305
306 autocreatequota: 0
307 Deprecated in favor of autocreate_quota.
308
309 autocreatequotamsg: -1
310 Deprecated in favor of autocreate_quota_messages.
311
312 autosievefolders: <none>
313 Deprecated in favor of autocreate_sieve_folders.
314
315 generate_compiled_sieve_script: 0
316 Deprecated in favor of autocreate_sieve_script_compile.
317
318 autocreate_sieve_compiled_script: <none>
319 Deprecated in favor of autocreate_sieve_script_compiled.
320
321 autosubscribeinboxfolders: <none>
322 Deprecated in favor of autocreate_subscribe_folders.
323
324 autosubscribesharedfolders: <none>
325 Deprecated in favor of autocreate_subscribe_sharedfolders.
326
327 autosubscribe_all_sharedfolders: 0
328 Deprecated in favor of autocreate_subscribe_sharedfolders_all.
329
330 autocreate_acl: <none>
331 If folders are to be created by autocreate_inbox_folders, this
332 setting can be used to apply additional ACLs to the autocreated
333 folders. The syntax is “autocreate_acl folder identifier
334 rights”, where folder must match one of the autocreate_in‐
335 box_folders folders, identifier must be a valid cyrus identi‐
336 fier, and rights must be a valid cyrus rights string. Multiple
337 identifier|rights pairs can be assigned to a single folder by
338 providing this setting multiple times.
339
340 For example, “autocreate_acl Plus anyone p” would allow lmtp de‐
341 livery to a folder named “Plus”.
342
343 autocreate_inbox_folders: <none>
344 If a user does not have an INBOX already, and the INBOX is to be
345 created, create the list of folders in this setting as well.
346 autocreate_inbox_folders is a list of INBOX’s subfolders sepa‐
347 rated by a “|”, that are automatically created by the server un‐
348 der the following two scenarios. Leading and trailing whitespace
349 is stripped, so “Junk | Trash” results in two folders: “Junk”
350 and “Trash”. See also the xlist-flag option, for setting spe‐
351 cial-use flags on autocreated folders.
352
353 INBOX folders are created under both the following conditions:
354
355 1. The user logins via the IMAP or the POP3 protocol. autocre‐
356 ate_quota option must have a value of zero or greater.
357
358 2. A message arrives for the user through the lmtpd(8). au‐
359 tocreate_post option must be enabled.
360
361 autocreate_post: 0
362 If enabled, when lmtpd(8) receives an incoming mail for an INBOX
363 that does not exist, then the INBOX is automatically created by
364 lmtpd(8) and delivery of the message continues.
365
366 autocreate_quota: -1
367 If set to a value of zero or higher, users have their INBOX
368 folders created upon a successful login event or upon lmtpd(8)
369 message delivery if autocreate_post is enabled, provided their
370 INBOX did not yet already exist.
371
372 The user’s quota is set to the value if it is greater than zero,
373 otherwise the user has unlimited quota.
374
375 Note that quota is specified in kilobytes.
376
377 autocreate_quota_messages: -1
378 If set to a value of zero or higher, users who have their INBOX
379 folders created upon a successful login event (see autocre‐
380 ate_quota), or upon lmtpd(8) message delivery if autocreate_post
381 is enabled, receive the message quota configured in this option.
382
383 The default of -1 disables assigning message quota.
384
385 For consistency with autocreate_quota, a value of zero is
386 treated as unlimited message quota, rather than a message quota
387 of zero.
388
389 autocreate_sieve_folders: <none>
390 A “|” separated list of subfolders of INBOX that will be auto‐
391 matically created, if requested by a sieve filter, through the
392 “fileinto” action. The default is to create no folders automati‐
393 cally.
394
395 Leading and trailing whitespace is stripped from each folder, so
396 a setting of “Junk | Trash” will create two folders: “Junk” and
397 “Trash”.
398
399 autocreate_sieve_script: <none>
400 The full path of a file that contains a sieve script. This
401 script automatically becomes a user’s initial default sieve fil‐
402 ter script.
403
404 When this option is not defined, no default sieve filter is cre‐
405 ated. The file must be readable by the Cyrus daemon.
406
407 autocreate_sieve_script_compile: 0
408 If set to yes and no compiled sieve script file exists, the
409 sieve script which is compiled on the fly will be saved in the
410 file name that the autocreate_sieve_script_compiled option points
411 to. In order for a compiled script to be generated,
412 autocreate_sieve_script and autocreate_sieve_script_compiled must
413 have valid values.
414
415 autocreate_sieve_script_compiled: <none>
416 The full path of a file that contains a compiled in bytecode
417 sieve script. This script automatically becomes a user’s initial
418 default sieve filter script. If this option is not specified,
419 or the filename doesn’t exist then the script defined by au‐
420 tocreate_sieve_script is compiled on the fly and installed as
421 the user’s default sieve script
422
423 autocreate_subscribe_folders: <none>
424 A list of folder names, separated by “|”, that the users get au‐
425 tomatically subscribed to, when their INBOX is created. These
426 folder names must have been included in the autocreateinboxfold‐
427 ers option of the imapd.conf.
428
429 autocreate_subscribe_sharedfolders: <none>
430 A list of shared folders (bulletin boards), separated by “|”,
431 that the users get automatically subscribed to, after their IN‐
432 BOX is created. The shared folder must have been created and the
433 user must have the required permissions to get subscribed to it.
434 Otherwise, subscribing to the shared folder fails.
435
436 autocreate_subscribe_sharedfolders_all: 0
437 If set to yes, the user is automatically subscribed to all
438 shared folders they have permission to subscribe to.
439
440 autocreate_users: anyone
441 A space separated list of users and/or groups whose INBOX is
442 allowed to be automatically created.
443
444 autoexpunge: 0
445 If set to yes, then all Deleted messages will be automatically
446 expunged whenever an index is closed, whether CLOSE, UNSELECT,
447 SELECT or on disconnect
448
449 backuppartition-name: <none>
450 The pathname of the backup partition name. At least one backup
451 partition pathname MUST be specified if backups are in use.
452 Note that there is no relationship between spool partitions and
453 backup partitions.
454
455 backup_compact_minsize: 0
456 The minimum size in kilobytes of chunks in each backup. The
457 compact tool will try to combine adjacent chunks that are
458 smaller than this.
459
460 Setting this value to zero or negative disables combining of
461 chunks.
462
463 backup_compact_maxsize: 0
464 The maximum size in kilobytes of chunks in each backup. The
465 compact tool will try to split chunks larger than this into
466 smaller chunks.
467
468 Setting this value to zero or negative disables splitting of
469 chunks.
470
471 backup_compact_work_threshold: 1
472 The number of chunks that must obviously need compaction before
473 the compact tool will go ahead with the compaction. If set to
474 less than one, the value is treated as being one.
475
476 backup_staging_path: <none>
477 The absolute path of the backup staging area. If not specified,
478 will be temp_path/backup
479
480 backup_retention_days: <none>
481 Deprecated in favor of backup_retention.
482
483 backup_retention: 7d
484 How long to keep content in backup after it has been deleted
485 from the source. If set to a negative value or zero, deleted
486 content will be kept indefinitely.
487
488 For backward compatibility, if no unit is specified, days is as‐
489 sumed.
490
491 backup_db: twoskip
492 The cyrusdb backend to use for the backup locations database.
493
494 Allowed values: skiplist, sql, twoskip, zeroskip
495
496 backup_db_path: <none>
497 The absolute path to the backup db file. If not specified, will
498 be configdirectory/backups.db
499
500 backup_keep_previous: 0
501 Whether the ctl_backups compact and ctl_backups reindex commands
502 should preserve the original file. The original file will be
503 named with a timestamped suffix. This is mostly useful for de‐
504 bugging.
505
506 Note that with this enabled, compacting a backup will actually
507 increase the disk used by it (because there will now be an extra
508 copy: the original version, and the compacted version).
509
510 boundary_limit: 1000
511 Messages are parsed recursively and a deep enough MIME structure
512 can cause a stack overflow. Do not parse deeper than this many
513 layers of MIME structure. The default of 1000 is much higher
514 than any sane message should have.
515
516 caldav_allowattach: 1
517 Enable managed attachments support on the CalDAV server.
518
519 caldav_allowcalendaradmin: 0
520 Enable per-user calendar administration web UI on the CalDAV
521 server.
522
523 caldav_allowscheduling: on
524 Enable calendar scheduling operations. If set to “apple”, the
525 server will emulate Apple CalendarServer behavior as closely as
526 possible. Allowed values: off, on, apple
527
528 caldav_create_attach: 1
529 Create the ‘Attachments’ collection if it doesn’t already exist
530
531 caldav_create_default: 1
532 Create the ‘Default’ calendar if it doesn’t already exist
533
534 caldav_create_sched: 1
535 Create the ‘Inbox’ and ‘Outbox’ calendars if they don’t already
536 exist
537
538 caldav_historical_age: 7d
539 How long after an occurrence of event or task has concluded that
540 it is considered ‘historical’. Changes to historical occur‐
541 rences of events or tasks WILL NOT have invite or reply messages
542 sent for them. A negative value means that events and tasks are
543 NEVER considered historical.
544
545 For backward compatibility, if no unit is specified, days is as‐
546 sumed.
547
548 caldav_maxdatetime: 20380119T031407Z
549 The latest date and time accepted by the server (ISO format).
550 This value is also used for expanding non-terminating recurrence
551 rules.
552
553 Note that increasing this value will require the DAV databases
554 for calendars to be reconstructed with the dav_reconstruct utility
555 in order to see its effect on server-side time-based queries.
556
557 caldav_mindatetime: 19011213T204552Z
558 The earliest date and time accepted by the server (ISO format).
559
560 caldav_realm: <none>
561 The realm to present for HTTP authentication of CalDAV re‐
562 sources. If not set (the default), the value of the “server‐
563 name” option will be used.
564
565 calendarprefix: #calendars
566 The prefix for the calendar mailboxes hierarchies. The hierar‐
567 chy delimiter will be automatically appended. The public calen‐
568 dar hierarchy will be at the toplevel of the shared namespace.
569 A user’s personal calendar hierarchy will be a child of their
570 Inbox.
571
572 calendar_user_address_set: <none>
573 Space-separated list of domains corresponding to calendar user
574 addresses for which the server is responsible. If not set (the
575 default), the value of the “servername” option will be used.
576
577 calendar_component_set: VEVENT VTODO VJOURNAL VFREEBUSY VAVAILABIL‐
578 ITY VPOLL
579 Space-separated list of iCalendar component types that calendar
580 object resources may contain in a calendar collection. This re‐
581 striction is only set at calendar creation time and only if the
582 CalDAV client hasn’t specified a restriction in the creation re‐
583 quest. Allowed values: VEVENT, VTODO, VJOURNAL, VFREEBUSY,
584 VAVAILABILITY, VPOLL
585
586 carddav_allowaddmember: 0
587 Enable support for POST add-member on the CardDAV server.
588
589 carddav_allowaddressbookadmin: 0
590 Enable per-user addressbook administration web UI on the CardDAV
591 server.
592
593 carddav_realm: <none>
594 The realm to present for HTTP authentication of CardDAV re‐
595 sources. If not set (the default), the value of the “server‐
596 name” option will be used.
597
598 carddav_repair_vcard: 0
599 If enabled, the server attempts to repair VCARDs with invalid
600 content during creation.
601
602 chatty: 0
603 If yes, syslog tags and commands for every IMAP command, mail‐
604 boxes for every lmtp connection, every POP3 command, etc
605
606 client_bind: 0
607 If enabled, a specific IP will be bound when performing a client
608 connection. client_bind_name is used if it is set, otherwise
609 servername is used. This is useful on multi-homed servers where
610 Cyrus should not use other services’ interfaces.
611
612 If not enabled (the default), no bind will be performed. Client
613 connections will use an IP chosen by the operating system.
614
615 client_bind_name: <none>
616 IPv4, IPv6 address or hostname to bind for client connections
617 when client_bind is enabled. If not set (the default), server‐
618 name will be used.
619
620 client_timeout: 10s
621 Time to wait before returning a timeout failure when performing
622 a client connection (e.g. in a murder environment).
623
624 For backward compatibility, if no unit is specified, seconds is
625 assumed.
626
627 commandmintimer: <none>
628 Time in seconds. Any imap command that takes longer than this
629 time is logged.
630
631 configdirectory: <none>
632 The pathname of the IMAP configuration directory. This field is
633 required.
634
635 createonpost: 0
636 Deprecated in favor of autocreate_post.
637
638 conversations: 0
639 Enable the XCONVERSATIONS extensions. Extract conversation
640 tracking information from incoming messages and track them in
641 per-user databases.
642
643 conversations_counted_flags: <none>
644 Space-separated list of flags for which per-conversation counts
645 will be kept. Note that you need to reconstruct the conversa‐
646 tions database with ctl_conversationsdb if you change this op‐
647 tion on a running server, or the counts will be wrong.
648
649 conversations_db: skiplist
650 The cyrusdb backend to use for the per-user conversations data‐
651 base.
652
653 Allowed values: skiplist, sql, twoskip, zeroskip
654
655 conversations_expire_days: <none>
656 Deprecated in favor of conversations_expire_after.
657
658 conversations_expire_after: 90d
659 How long the conversations database keeps the message tracking
660 information needed for receiving new messages in existing con‐
661 versations.
662
663 For backward compatibility, if no unit is specified, days is as‐
664 sumed.
665
666 conversations_max_thread: 100
667 Maximum size for a single thread. Threads will split if they
668 have this many messages in them and another message arrives.
669
670 crossdomains: 0
671 Enable cross domain sharing. This works best with alt namespace
672 and unix hierarchy separators on, so you get Other
673 Users/foo@example.com/…
674
675 crossdomains_onlyother: 0
676 only show the domain for users in other domains than your own
677 (for backwards compatibility if you’re already sharing
678
679 cyrus_group: <none>
680 The name of the group Cyrus services will run as. If not con‐
681 figured, the primary group of cyrus_user will be used. Can be
682 further overridden by setting the $CYRUS_GROUP environment vari‐
683 able.
684
685 cyrus_user: <none>
686 The username to use as the ‘cyrus’ user. If not configured, the
687 compile time default will be used. Can be further overridden by
688 setting the $CYRUS_USER environment variable.
689
690 davdriveprefix: #drive
691 The prefix for the DAV storage mailboxes hierarchies. The hier‐
692 archy delimiter will be automatically appended. The public
693 storage hierarchy will be at the toplevel of the shared name‐
694 space. A user’s personal storage hierarchy will be a child of
695 their Inbox.
696
697 davnotificationsprefix: #notifications
698 The prefix for the DAV notifications hierarchy. The hierarchy
699 delimiter will be automatically appended. The public notifica‐
700 tions hierarchy will be at the toplevel of the shared namespace.
701 A user’s personal notifications hierarchy will be a child of
702 their Inbox.
703
704 dav_realm: <none>
705 The realm to present for HTTP authentication of generic DAV re‐
706 sources (principals). If not set (the default), the value of
707 the “servername” option will be used.
708
709 dav_lock_timeout: 20s
710 The maximum time to wait for a write lock on the per-user DAV
711 database before timeout. For HTTP requests, the HTTP status code
712 503 is returned if the lock can not be obtained within this
713 time.
714
715 For backward compatibility, if no unit is specified, seconds is
716 assumed.
717
718 debug_command: <none>
719 Debug command to be used by processes started with -D option.
720 The string is a C format string that gets 3 options: the first
721 is the name of the executable (as specified in the cmd parameter
722 in cyrus.conf). The second is the pid (integer) and the third is
723 the service ID. Example: /usr/local/bin/gdb /usr/cyrus/bin/%s
724 %d
725
726 defaultacl: anyone lrs
727 The Access Control List (ACL) placed on a newly-created
728 (non-user) mailbox that does not have a parent mailbox.
729
730 defaultdomain: internal
731 The default domain for virtual domain support
732
733 defaultpartition: <none>
734 The partition name used by default for new mailboxes. If not
735 specified, the partition with the most free space will be used
736 for new mailboxes.
737
738 Note that the partition specified by this option must also be
739 specified as partition-name, where you substitute ‘name’ for the
740 alphanumeric string you set defaultpartition to.
741
742 defaultsearchtier: <empty string>
743 Name of the default tier that messages will be indexed to.
744 Search indexes can be organized in tiers to allow index storage
745 in different directories and physical media. See the man page of
746 squatter for details. The default search tier also requires the
747 definition of an according searchtierpartition-name entry.
748
749 This option MUST be specified for xapian search.
750
751 defaultserver: <none>
752 The backend server name used by default for new mailboxes. If
753 not specified, the server with the most free space will be used
754 for new mailboxes.
755
756 deletedprefix: DELETED
757 With delete_mode set to delayed, the deletedprefix setting de‐
758 fines the prefix for the hierarchy of deleted mailboxes.
759
760 The hierarchy delimiter will be automatically appended.
761
762 delete_mode: delayed
763 The manner in which mailboxes are deleted. In the default de‐
764 layed mode, mailboxes that are being deleted are renamed to a
765 special mailbox hierarchy under the deletedprefix, to be removed
766 later by cyr_expire(8).
767
768 In immediate mode, the mailbox is removed from the filesystem
769 immediately.
770
771 Allowed values: immediate, delayed
772
773 delete_unsubscribe: 0
774 Whether to also unsubscribe from mailboxes when they are
775 deleted. Note that this behaviour contravenes RFC 3501 section
776 6.3.9, but may be useful for avoiding user/client software con‐
777 fusion. The default is ‘no’.
778
779 deleteright: c
780 Deprecated - only used for backwards compatibility with existing
781 installations. Lists the old RFC 2086 right which was used to
782 grant the user the ability to delete a mailbox. If a user has
783 this right, they will automatically be given the new ‘x’ right.
784
785 disable_user_namespace: 0
786 Preclude list command on user namespace. If set to ‘yes’, the
787 LIST response will never include any other user’s mailbox. Ad‐
788 min users will always see all mailboxes. The default is ‘no’
789
790 disable_shared_namespace: 0
791 Preclude list command on shared namespace. If set to ‘yes’, the
792 LIST response will never include any non-user mailboxes. Admin
793 users will always see all mailboxes. The default is ‘no’
794
795 disconnect_on_vanished_mailbox: 0
796 If enabled, IMAP/POP3/NNTP clients will be disconnected by the
797 server if the currently selected mailbox is (re)moved by another
798 session. Otherwise, the missing mailbox is treated as empty
799 while in use by the client.
800
801 ischedule_dkim_domain: <none>
802 The domain to be reported as doing iSchedule DKIM signing.
803
804 ischedule_dkim_key_file: <none>
805 File containing the private key for iSchedule DKIM signing.
806
807 ischedule_dkim_required: 1
808 A DKIM signature is required on received iSchedule requests.
809
810 ischedule_dkim_selector: <none>
811 Name of the selector subdividing the domain namespace. This
812 specifies the actual key used for iSchedule DKIM signing within
813 the domain.
814
815 duplicate_db: twoskip
816 The cyrusdb backend to use for the duplicate delivery
817 suppression and sieve. Allowed values: skiplist, sql, twoskip,
818 zeroskip
819
820 duplicate_db_path: <none>
821 The absolute path to the duplicate db file. If not specified,
822 will be configdirectory/deliver.db
823
824 duplicatesuppression: 1
825 If enabled, lmtpd will suppress delivery of a message to a mail‐
826 box if a message with the same message-id (or resent-message-id)
827 is recorded as having already been delivered to the mailbox.
828 Records the mailbox and message-id/resent-message-id of all suc‐
829 cessful deliveries.
830
831 event_content_inclusion_mode: standard
832 The mode in which message content may be included with
833 MessageAppend and MessageNew. “standard” mode is the default
834 behavior, in which the message is included up to a size with the
835 notification. In “message” mode, the message is included and may be
836 truncated to a size. In “header” mode, it includes headers
837 truncated to a size. In “body” mode, it includes body truncated to a
838 size. In “headerbody” mode, it includes full headers and body
839 truncated to a size. Allowed values: standard, message, header,
840 body, headerbody
841
842 event_content_size: 0
843 Truncate the message content that may be included with
844 MessageAppend and MessageNew. Set 0 to include the entire message
845 itself.
846
847 event_exclude_flags: <none>
848 Don’t send event notification for given IMAP flag(s)
849
850 event_exclude_specialuse: \Junk
851 Don’t send event notification for folder with given special-use
852 attributes. Set ALL for any folder
853
854 event_extra_params: timestamp
855 Space-separated list of extra parameters to add to any appropriate
856 event.
857
858 Allowed values: bodyStructure, clientAddress, diskUsed,
859 flagNames, messageContent, messageSize, messages, modseq,
860 service, timestamp, uidnext, vnd.cmu.midset,
861 vnd.cmu.unseenMessages, vnd.cmu.envelope, vnd.cmu.sessionId,
862 vnd.cmu.mailboxACL, vnd.cmu.mbtype, vnd.cmu.davFilename,
863 vnd.cmu.davUid, vnd.fastmail.clientId, vnd.fastmail.sessionId,
864 vnd.fastmail.convExists, vnd.fastmail.convUnseen, vnd.fastmail.cid,
865 vnd.fastmail.counters, vnd.cmu.emailid, vnd.cmu.threadid
866
867 event_groups: message mailbox
868 Space-separated list of groups of related events for which to turn
869 on notification.
870
871 Allowed values: message, quota, flags, access, mailbox,
872 subscription, calendar, applepushservice
873
874 event_notifier: <none>
875 Notifyd(8) method to use for “EVENT” notifications which are
876 based on the RFC 5423. If not set, “EVENT” notifications are
877 disabled.
878
879 expunge_mode: delayed
880 The mode in which messages (and their corresponding cache en‐
881 tries) are expunged. “semidelayed” mode is the old behavior in
882 which the message files are purged at the time of the EXPUNGE,
883 but index and cache records are retained to facilitate QRESYNC.
884 In “delayed” mode, which is the default since Cyrus 2.5.0, the
885 message files are also retained, allowing unexpunge to rescue
886 them. In “immediate” mode, both the message files and the index
887 records are removed as soon as possible. In all cases, nothing
888 will be finally purged until all other processes have closed the
889 mailbox to ensure they never see data disappear under them. In
890 “semidelayed” or “delayed” mode, a later run of “cyr_expire”
891 will clean out the retained records (and possibly message
892 files). This reduces the amount of I/O that takes place at the
893 time of EXPUNGE and should result in greater responsiveness for
894 the client, especially when expunging a large number of mes‐
895 sages. Allowed values: immediate, semidelayed, delayed
896
897 failedloginpause: 3s
898 Time to pause after a failed login.
899
900 For backward compatibility, if no unit is specified, seconds is
901 assumed.
902
903 flushseenstate: 1
904 Deprecated. No longer used
905
906 foolstupidclients: 0
907 If enabled, only list the personal namespace when a LIST “*” is
908 performed (it changes the request to a LIST “INBOX*”).
909
910 force_sasl_client_mech: <none>
911 Force preference of a given SASL mechanism for client side oper‐
912 ations (e.g., murder environments). This is separate from (and
913 overridden by) the ability to use the <host shortname>_mechs op‐
914 tion to set preferred mechanisms for a specific host
915
916 fulldirhash: 0
917 If enabled, uses an improved directory hashing scheme which
918 hashes on the entire username instead of using just the first
919 letter as the hash. This changes hash algorithm used for quota
920 and user directories and if hashimapspool is enabled, the entire
921 mail spool.
922
923 Note that this option CANNOT be changed on a live system. The
924 server must be quiesced and then the directories moved with the
925 rehash utility.
926
927 hashimapspool: 0
928 If enabled, the partitions will also be hashed, in addition to
929 the hashing done on configuration directories. This is recom‐
930 mended if one partition has a very bushy mailbox tree.
931
932 debug: 0
933 If enabled, allow syslog() to pass LOG_DEBUG messages.
934
935 hostname_mechs: <none>
936 Force a particular list of SASL mechanisms to be used when au‐
937 thenticating to the backend server hostname (where hostname is
938 the short hostname of the server in question). If it is not
939 specified it will query the server for available mechanisms and
940 pick one to use. - Cyrus Murder
941
942 hostname_password: <none>
943 The password to use for authentication to the backend server
944 hostname (where hostname is the short hostname of the server) -
945 Cyrus Murder
946
947 httpallowcompress: 1
948 If enabled, the server will compress response payloads if the
949 client indicates that it can accept them. Note that the com‐
950 pressed data will appear in telemetry logs, leaving only the re‐
951 sponse headers as human-readable.
952
953 httpallowcors: <none>
954 A wildmat pattern specifying a list of origin URIs ( scheme
955 “://” host [ “:” port ] ) that are allowed to make Cross-Origin
956 Resource Sharing (CORS) requests on the server. By default,
957 CORS requests are disabled.
958
959 Note that the scheme and host should both be lowercase, the port
960 should be omitted if using the default for the scheme (80 for
961 http, 443 for https), and there should be no trailing ‘/’ (e.g.:
962 “http://www.example.com:8080”, “https://example.org”).
963
964 httpallowtrace: 0
965 Allow use of the TRACE method.
966
967 Note that sensitive data might be disclosed by the response.
968
969 httpallowedurls: <none>
970 Space-separated list of relative URLs (paths) rooted at
971 “httpdocroot” (see below) to be served by httpd. If set, this option
972 will limit served static content to only those paths specified
973 (returning “404 Not Found” to any other client requested URLs).
974 Otherwise, httpd will serve any content found in “httpdocroot”.
975
976 Note that any path specified by “rss_feedlist_template” is an
977 exception to this rule.
978
979 httpcontentmd5: 0
980 If enabled, HTTP responses will include a Content-MD5 header for
981 the purpose of providing an end-to-end message integrity check
982 (MIC) of the payload body. Note that enabling this option will
983 use additional CPU to generate the MD5 digest, which may be ig‐
984 nored by clients anyways.
985
986 httpdocroot: <none>
987 If set, http will serve the static content (html/text/jpeg/gif
988 files, etc) rooted at this directory. Otherwise, httpd will not
989 serve any static content.
990
991 httpkeepalive: 20s
992 Set the length of the HTTP server’s keepalive heartbeat. The
993 default is 20 seconds. The minimum value is 0, which will dis‐
994 able the keepalive heartbeat. When enabled, if a request takes
995 longer than httpkeepalive to process, the server will send the
996 client provisional responses every httpkeepalive until the final
997 response can be sent.
998
999 For backward compatibility, if no unit is specified, seconds is
1000 assumed.
1001
1002 httpmodules: <empty string>
1003 Space-separated list of HTTP modules that will be enabled in
1004 httpd(8). This option has no effect on modules that are
1005 disabled at compile time due to missing dependencies (e.g.
1006 libical).
1007
1008 Note that “domainkey” depends on “ischedule” being enabled, and
1009 that both “freebusy” and “ischedule” depend on “caldav” being
1010 enabled. Allowed values: admin, caldav, carddav, cgi,
1011 domainkey, freebusy, ischedule, jmap, prometheus, rss, tzdist,
1012 webdav
1013
1014 httpprettytelemetry: 0
1015 If enabled, HTTP response payloads including server-generated
1016 markup languages (HTML, XML) will utilize line breaks and inden‐
1017 tation to promote better human-readability in telemetry logs.
1018 Note that enabling this option will increase the amount of data
1019 sent across the wire.
1020
1021 httptimeout: 5m
1022 Set the length of the HTTP server’s inactivity autologout timer.
1023 The default is 5 minutes. The minimum value is 0, which will
1024 disable persistent connections.
1025
1026 For backwards compatibility, if no unit is specified, minutes is
1027 assumed.
1028
1029 idlesocket: {configdirectory}/socket/idle
1030 Unix domain socket that idled listens on.
1031
1032 ignorereference: 0
1033 For backwards compatibility with Cyrus 1.5.10 and earlier – ig‐
1034 nore the reference argument in LIST or LSUB commands.
1035
1036 imapidlepoll: 60s
1037 The interval for polling for mailbox changes and ALERTs while
1038 running the IDLE command. This option is used when idled is not
1039 enabled or cannot be contacted. The minimum value is 1 second.
1040 A value of 0 will disable IDLE.
1041
1042 For backward compatibility, if no unit is specified, seconds is
1043 assumed.
1044
1045 imapidresponse: 1
1046 If enabled, the server responds to an ID command with a
1047 parameter list containing: version, vendor, support-url, os,
1048 os-version, command, arguments, environment. Otherwise the server
1049 returns NIL.
1050
1051 imapmagicplus: 0
1052 Only list a restricted set of mailboxes via IMAP by using
1053 userid+namespace syntax as the authentication/authorization id.
1054 Using userid+ (with an empty namespace) will list only sub‐
1055 scribed mailboxes.
1056
1057 imipnotifier: <none>
1058 Notifyd(8) method to use for “IMIP” notifications which are
1059 based on the RFC 6047. If not set, “IMIP” notifications are
1060 disabled.
1061
1062 implicit_owner_rights: lkxan
1063 The implicit Access Control List (ACL) for the owner of a mail‐
1064 box.
1065
1066 @include: <none>
1067 Directive which includes the specified file as part of the con‐
1068 figuration. If the path to the file is not absolute, CYRUS_PATH
1069 is prepended.
1070
1071 improved_mboxlist_sort: 0
1072 If enabled, a special comparator will be used which will correctly
1073 sort mailbox names that contain characters such as ‘ ’ and
1074 ‘-’.
1075
1076 Note that this option SHOULD NOT be changed on a live system.
1077 The mailboxes database should be dumped (ctl_mboxlist) before
1078 the option is changed, removed, and then undumped after changing
1079 the option. When not using flat files for the subscriptions
1080 databases, the same has to be done (cyr_dbtool) for each
1081 subscription database. See improved_mboxlist_sort.html.
1082
1083 jmap_emailsearch_db_path: <none>
1084 The absolute path to the JMAP email search cache file. If not
1085 specified, JMAP Email/query and Email/queryChanges will not
1086 cache email search results.
1087
1088 jmap_preview_annot: <none>
1089 The name of the per-message annotation, if any, to store message
1090 previews.
1091
1092 jmap_imagesize_annot: <none>
1093 The name of the per-message annotation, if any, that stores a
1094 JSON object, mapping message part numbers of MIME image types to
1095 an array of their image dimensions. The array must have at least
1096 two entries, where the first entry denotes the width and the
1097 second entry the height of the image. Any additional values are
1098 ignored.
1099
1100 For example, if message part 1.2 contains an image of width 300
1101 and height 200, then the value of this annotation would be:
1102
1103 { "1.2" : [ 300, 200 ] }
1104
1105 jmap_inlinedcids_annot: <none>
1106 The name of the per-message annotation, if any, that stores a
1107 JSON object, mapping RFC 2392 Content-IDs referenced in HTML
1108 bodies to the respective HTML body part number.
1109
1110 For example, if message part 1.2 contains HTML and references an
1111 inlined image at “cid:foo”, then the value of this annotation
1112 would be:
1113
1114 { "<foo>" : "1.2" }
1115
1116 Note that the Content-ID key must be URL-unescaped and enclosed
1117 in angular brackets, as defined in RFC 2392.
1118
1119 jmap_preview_length: 64
1120 The maximum byte length of dynamically generated message pre‐
1121 views. Previews stored in jmap_preview_annot take precedence.
1122
1123 jmap_max_size_upload: 1048576
1124 The maximum size (in kilobytes) that the JMAP API accepts for
1125 blob uploads. Returned as the maxSizeUpload property value of
1126 the JMAP “urn:ietf:params:jmap:core” capabilities object. De‐
1127 fault is 1Gb.
1128
1129 jmap_max_concurrent_upload: 5
1130 The value to return for the maxConcurrentUpload property of the
1131 JMAP “urn:ietf:params:jmap:core” capabilities object. The Cyrus
1132 JMAP implementation does not enforce this rate-limit.
1133
1134 jmap_max_size_request: 10240
1135 The maximum size (in kilobytes) that the JMAP API accepts for
1136 requests at the API endpoint. Returned as the maxSizeRequest
1137 property value of the JMAP “urn:ietf:params:jmap:core” capabili‐
1138 ties object. Default is 10Mb.
1139
1140 jmap_max_concurrent_requests: 5
1141 The value to return for the maxConcurrentRequests property of
1142 the JMAP “urn:ietf:params:jmap:core” capabilities object. The
1143 Cyrus JMAP implementation does not enforce this rate-limit.
1144
1145 jmap_max_calls_in_request: 50
1146 The maximum number of calls per JMAP request object. Returned
1147 as the maxCallsInRequest property value of the JMAP
1148 “urn:ietf:params:jmap:core” capabilities object.
1149
1150 jmap_max_delayed_send: 512d
1151 The value to return for the maxDelayedSend property of the JMAP
1152 “urn:ietf:params:jmap:emailsubmission” capabilities object. The
1153 Cyrus JMAP implementation does not enforce this limit.
1154
1155 For backward compatibility, if no unit is specified, seconds is
1156 assumed.
1157
1158 jmap_max_objects_in_get: 4096
1159 The maximum number of ids that a JMAP client may request in a
1160 single “/get” type method call. The actual number of returned
1161 objects in the response may exceed this number if the JMAP ob‐
1162 ject type supports unbounded “/get” calls. Returned as the
1163 maxObjectsInGet property value of the JMAP
1164 “urn:ietf:params:jmap:core” capabilities object.
1165
1166 jmap_max_objects_in_set: 4096
1167 The maximum number of objects a JMAP client may send to create,
1168 update or destroy in a single /set type method call. Returned
1169 as the maxObjectsInSet property value of the JMAP
1170 “urn:ietf:params:jmap:core” capabilities object.
1171
1172 jmap_mail_max_size_attachments_per_email: 10240
1173 The value (in kilobytes) to return for the
1174 maxSizeAttachmentsPerEmail property of the JMAP “urn:ietf:params:jmap:mail”
1175 capabilities object. The Cyrus JMAP implementation does not en‐
1176 force this size limit. Default is 10 Mb.
1177
1178 jmap_nonstandard_extensions: 0
1179 If enabled, support non-standard JMAP extensions. If not en‐
1180 abled, only IETF standard JMAP functionality is supported.
1181
1182 jmap_set_has_attachment: 1
1183 If enabled, the $hasAttachment flag is determined and set for
1184 new messages created with the JMAP Email/set or Email/import
1185 methods. This option should typically be enabled, but
1186 installations using Cyrus-external message annotators to determine the
1187 $hasAttachment flag might want to disable it.
1188
1189 jmap_vacation: 1
1190 If enabled, support the JMAP vacation extension
1191
1192 jmapuploadfolder: #jmap
1193 The name of the folder for JMAP uploads (#jmap)
1194
1195 jmapsubmission_deleteonsend: 1
1196 If enabled (the default) then delete the EmailSubmission as soon
1197 as the email has been sent.
1198
1199 jmapsubmissionfolder: #jmapsubmission
1200 The name of the folder for JMAP Submissions (#jmapsubmission)
1201
1202 jmappushsubscriptionfolder: #jmappushsubscription
1203 The name of the folder for JMAP Push Subscriptions
1204 (#jmappushsubscription)
1205
1206 iolog: 0
1207 Should cyrus output I/O log entries
1208
1209 ldap_authz: <none>
1210 SASL authorization ID for the LDAP server
1211
1212 ldap_base: <empty string>
1213 Contains the LDAP base dn for the LDAP ptloader module
1214
1215 ldap_bind_dn: <none>
1216 Bind DN for the connection to the LDAP server (simple bind). Do
1217 not use for anonymous simple binds
1218
1219 ldap_deref: never
1220 Specify how aliases dereferencing is handled during search.
1221
1222 Allowed values: search, find, always, never
1223
1224 ldap_domain_base_dn: <empty string>
1225 Base DN to search for domain name spaces.
1226
1227 ldap_domain_filter: (&(objectclass=domainrelatedobject)(associateddomain=%s))
1229 Filter to use searching for domains
1230
1231 ldap_domain_name_attribute: associateddomain
1232 The attribute name for domains.
1233
1234 ldap_domain_scope: sub
1235 Search scope
1236
1237 Allowed values: sub, one, base
1238
1239 ldap_domain_result_attribute: inetdomainbasedn
1240 Result attribute
1241
1242 ldap_filter: (uid=%u)
1243 Specify a filter that searches user identifiers. The following
1244 tokens can be used in the filter string:
1245
1246 %% = %
1247 %u = user
1248 %U = user portion of %u (%U = test when %u = test@domain.tld)
1249 %d = domain portion of %u if available (%d = domain.tld when %u = test@domain.tld), otherwise same as %R
1250 %R = domain portion of %u starting with @ (%R = @domain.tld when %u = test@domain.tld)
1251 %D = user dn. (use when ldap_member_method: filter)
1252 %1-9 = domain tokens (%1 = tld, %2 = domain when %d = domain.tld)
1253
1254 ldap_filter is not used when ldap_sasl is enabled.
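
The token table above, modelled as an added example (this is not Cyrus code, and expand_filter and ldap_escape are names chosen here). Escaping every substituted value per RFC 4515 is this example's own choice, and treating %R as empty when %u carries no domain is an assumption.

```python
import re

# RFC 4515 escapes for characters that have meaning inside a search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value):
    """Escape a value so it can only ever be read as an assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template, user, user_dn=""):
    """Expand the documented ldap_filter tokens for one user identifier."""
    local, at, domain = user.partition("@")
    realm = at + domain                      # %R: "@domain.tld", or "" (assumption)
    # %1-9 count labels from the right: %1 = tld, %2 = domain for domain.tld
    labels = domain.split(".")[::-1] if domain else []
    values = {
        "u": user,                           # %u: full identifier
        "U": local,                          # %U: user portion of %u
        "d": domain or realm,                # %d: domain portion, else same as %R
        "R": realm,
        "D": user_dn,                        # %D: user dn (ldap_member_method: filter)
    }

    def substitute(match):
        token = match.group(1)
        if token == "%":
            return "%"
        if token.isdigit():
            index = int(token) - 1
            return ldap_escape(labels[index]) if index < len(labels) else ""
        return ldap_escape(values[token])

    # Sequences that are not documented tokens are left untouched.
    return re.sub(r"%([%uUdRD1-9])", substitute, template)


if __name__ == "__main__":
    for template in ("(uid=%u)", "(&(uid=%U)(dc=%2)(dc=%1))", "(mail=%U%R)"):
        print(template, "->", expand_filter(template, "test@domain.tld"))
    # Constructed identifier containing filter metacharacters.
    print(expand_filter("(uid=%u)", "a*)(uid=*"))
```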
1255
1256 ldap_group_base: <empty string>
1257 LDAP base dn for ldap_group_filter.
1258
1259 ldap_group_filter: (cn=%u)
1260 Specify a filter that searches for group identifiers. See
1261 ldap_filter for more options.
1262
1263 ldap_group_scope: sub
1264 Specify search scope for ldap_group_filter.
1265
1266 Allowed values: sub, one, base
1267
1268 ldap_id: <none>
1269 SASL authentication ID for the LDAP server
1270
1271 ldap_mech: <none>
1272 SASL mechanism for LDAP authentication
1273
1274 ldap_user_attribute: <none>
1275 Specify LDAP attribute to use as canonical user id
1276
1277 ldap_member_attribute: <none>
1278 See ldap_member_method.
1279
1280 ldap_member_base: <empty string>
1281 LDAP base dn for ldap_member_filter.
1282
1283 ldap_member_filter: (member=%D)
1284 Specify a filter for “ldap_member_method: filter”. See
1285 ldap_filter for more options.
1286
1287 ldap_member_method: attribute
1288 Specify a group method. The “attribute” method retrieves groups
1289 from a multi-valued attribute specified in
1290 ldap_member_attribute.
1291
1292 The “filter” method uses a filter, specified by
1293 ldap_member_filter, to find groups; ldap_member_attribute is a
1294 single-value attribute group name. Allowed values: attribute, filter
1295
1296 ldap_member_scope: sub
1297 Specify search scope for ldap_member_filter.
1298
1299 Allowed values: sub, one, base
1300
1301 ldap_password: <none>
1302 Password for the connection to the LDAP server (SASL and simple
1303 bind). Do not use for anonymous simple binds
1304
1305 ldap_realm: <none>
1306 SASL realm for LDAP authentication
1307
1308 ldap_referrals: 0
1309 Specify whether or not the client should follow referrals.
1310
1311 ldap_restart: 1
1312 Specify whether or not LDAP I/O operations are automatically
1313 restarted if they abort prematurely.
1314
1315 ldap_sasl: 1
1316 Use SASL for LDAP binds in the LDAP PTS module.
1317
1318 ldap_sasl_authc: <none>
1319 Deprecated. Use ldap_id
1320
1321 ldap_sasl_authz: <none>
1322 Deprecated. Use ldap_authz
1323
1324 ldap_sasl_mech: <none>
1325 Deprecated. Use ldap_mech
1326
1327 ldap_sasl_password: <none>
1328 Deprecated. Use ldap_password
1329
1330 ldap_sasl_realm: <none>
1331 Deprecated. Use ldap_realm
1332
1333 ldap_scope: sub
1334 Specify search scope.
1335
1336 Allowed values: sub, one, base
1337
1338 ldap_servers: ldap://localhost/
1339 Deprecated. Use ldap_uri
1340
1341 ldap_size_limit: 1
1342 Specify a number of entries for a search request to return.
1343
1344 ldap_start_tls: 0
1345 Use transport layer security for ldap:// using STARTTLS. Do not
1346 use ldaps:// in ‘ldap_uri’ with this option enabled.
1347
1348 ldap_time_limit: 5s
1349 How long to wait for a search request to complete.
1350
1351 For backward compatibility, if no unit is specified, seconds is
1352 assumed.
1353
1354 ldap_timeout: 5s
1355 How long a search can take before timing out.
1356
1357 For backward compatibility, if no unit is specified, seconds is
1358 assumed.
1359
1360 ldap_ca_dir: <none>
1361 Path to a directory with CA (Certificate Authority) certifi‐
1362 cates.
1363
1364 ldap_ca_file: <none>
1365 Path to a file containing CA (Certificate Authority) certifi‐
1366 cate(s).
1367
1368 ldap_ciphers: <none>
1369 List of SSL/TLS ciphers to allow. The format of the string is
1370 described in ciphers(1).
1371
1372 ldap_client_cert: <none>
1373 File containing the client certificate.
1374
1375 ldap_client_key: <none>
1376 File containing the private client key.
1377
1378 ldap_verify_peer: 0
1379 Require and verify server certificate. If this option is yes,
1380 you must specify ldap_ca_file or ldap_ca_dir.
1381
1382 ldap_tls_cacert_dir: <none>
1383 Deprecated in favor of ldap_ca_dir.
1384
1385 ldap_tls_cacert_file: <none>
1386 Deprecated in favor of ldap_ca_file.
1387
1388 ldap_tls_cert: <none>
1389 Deprecated in favor of ldap_client_cert.
1390
1391 ldap_tls_key: <none>
1392 Deprecated in favor of ldap_client_key.
1393
1394 ldap_tls_check_peer: 0
1395 Deprecated in favor of ldap_verify_peer.
1396
1397 ldap_tls_ciphers: <none>
1398 Deprecated in favor of ldap_ciphers.
1399
1400 ldap_uri: <none>
1401 Contains a list of the URLs of all the LDAP servers when using
1402 the LDAP PTS module.
1403
1404 ldap_version: 3
1405 Specify the LDAP protocol version. If ldap_start_tls and/or
1406 ldap_use_sasl are enabled, ldap_version will be automatically
1407 set to 3.
1408
1409 literalminus: 0
1410 If enabled, CAPABILITIES will reply with LITERAL- rather than
1411 LITERAL+ (RFC 7888). Doesn’t actually size-restrict uploads
1412 though.
1413
1414 lmtp_downcase_rcpt: 1
1415 If enabled, lmtpd will convert the recipient addresses to lower‐
1416 case (up to a ‘+’ character, if present).
1417
1418 lmtp_exclude_specialuse: \Snoozed
1419 Don’t allow delivery to folders with given special-use at‐
1420 tributes.
1421
1422 Note that “snoozing” of emails can currently only be done via
1423 the JMAP protocol, so delivery directly to the Snoozed mailbox
1424 is prohibited by default as it will not be moved back into INBOX
1425 automatically.
1426
1427 lmtp_fuzzy_mailbox_match: 0
1428 If enabled, and the mailbox specified in the detail part of the
1429 recipient (everything after the ‘+’) does not exist, lmtpd will
1430 try to find the closest match (ignoring case, ignoring white‐
1431 space, falling back to parent) to the specified mailbox name.
1432
1433 lmtp_over_quota_perm_failure: 0
1434 If enabled, lmtpd returns a permanent failure code when a user’s
1435 mailbox is over quota. By default, the failure is temporary,
1436 causing the MTA to queue the message and retry later.
1437
1438 lmtp_strict_quota: 0
1439 If enabled, lmtpd returns a failure code when the incoming mes‐
1440 sage will cause the user’s mailbox to exceed its quota. By de‐
1441 fault, the failure won’t occur until the mailbox is already over
1442 quota.
1443
1444 lmtp_strict_rfc2821: 1
1445 By default, lmtpd will be strict (per RFC 2821) with regards to
1446 which envelope addresses are allowed. If this option is set to
1447 false, 8bit characters in the local-part of envelope addresses
1448 are changed to ‘X’ instead. This is useful to avoid generating
1449 backscatter with certain MTAs like Postfix or Exim which accept
1450 such messages.
1451
1452 lmtpsocket: {configdirectory}/socket/lmtp
1453 Unix domain socket that lmtpd listens on, used by deliver(8).
1454 This should match the path specified in cyrus.conf(5).
1455
1456 lmtptxn_timeout: 5m
1457 Timeout used during a lmtp transaction to a remote backend (e.g.
1458 in a murder environment). Can be used to prevent hung lmtpds on
1459 proxy hosts when a backend server becomes unresponsive during a
1460 lmtp transaction. The default is 5 minutes - change to zero for
1461 infinite.
1462
1463 For backward compatibility, if no unit is specified, seconds is
1464 assumed.
1465
1466 lock_debugtime: <none>
1467 A floating point number of seconds. If set, time how long we
1468 wait for any lock, and syslog the filename and time if it’s
1469 longer than this value. The default of NULL means not to time
1470 locks.
1471
1472 loginrealms: <empty string>
1473 The list of remote realms whose users may authenticate using
1474 cross-realm authentication identifiers. Separate each realm
1475 name by a space. (A cross-realm identity is considered any
1476 identity returned by SASL with an “@” in it.).
1477
1478 loginuseacl: 0
1479 If enabled, any authentication identity which has ‘a’ rights on a
1480 user’s INBOX may log in as that user.
1481
1482 logtimestamps: 0
1483 Include notations in the protocol telemetry logs indicating the
1484 number of seconds since the last command or response.
1485
1486 mailbox_default_options: 0
1487 Default “options” field for the mailbox on create. You’ll want
1488 to know what you’re doing before setting this, but it can apply
1489 some default annotations like duplicate suppression
1490
1491 mailbox_initial_flags: <none>
1492 Space-separated list of permanent flags which will be pre-set in
1493 every newly created mailbox. If you know you will require
1494 particular flag names then this avoids a possible race condition
1495 against a client that fills the entire 128 available slots.
1496 Default is NULL, which is no flags. Example: $Label1 $Label2
1497 $Label3 NotSpam Spam
1498
1499 mailnotifier: <none>
1500 Notifyd(8) method to use for “MAIL” notifications. If not set,
1501 “MAIL” notifications are disabled.
1502
1503 master_bind_errors_fatal: 0
1504 If enabled, failure to bind a port during startup is treated as
1505 a fatal error, causing master to shut down immediately. The de‐
1506 fault is to keep running, with the affected service disabled un‐
1507 til the next SIGHUP causes it to retry.
1508
1509 Note that this only applies during startup. New services that
1510 fail to come up in response to a reconfig+SIGHUP will just be
1511 logged and disabled like the default behaviour, without causing
1512 master to exit.
1513
1514 maxheaderlines: 1000
1515 Maximum number of lines of header that will be processed into
1516 cache records. Default 1000. If set to zero, it is unlimited.
1517 If a message hits the limit, an error will be logged and the
1518 rest of the lines in the header will be skipped. This is to
1519 avoid malformed messages causing giant cache records
1520
1521 maxlogins_per_host: 0
1522 Maximum number of logged in sessions allowed per host, zero
1523 means no limit
1524
1525 maxlogins_per_user: 0
1526 Maximum number of logged in sessions allowed per user, zero
1527 means no limit
1528
1529 maxmessagesize: 0
1530 Maximum incoming LMTP message size. If non-zero, lmtpd will re‐
1531 ject messages larger than maxmessagesize bytes. If set to 0,
1532 this will allow messages of any size (the default).
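
A configuration review built only from the file syntax and option descriptions in this man page, as an added example (not part of Cyrus; all function names and the sample file are constructed here). It assumes a repeated option keeps its last value and it does not follow @include.

```python
import re

TRUE = {"yes", "on", "t", "true", "1"}   # spellings that turn an option on
UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}

# Deprecated option -> replacement, as listed in this man page.
DEPRECATED = {
    "ldap_sasl_authc": "ldap_id", "ldap_sasl_authz": "ldap_authz",
    "ldap_sasl_mech": "ldap_mech", "ldap_sasl_password": "ldap_password",
    "ldap_sasl_realm": "ldap_realm", "ldap_servers": "ldap_uri",
    "ldap_tls_cacert_dir": "ldap_ca_dir", "ldap_tls_cacert_file": "ldap_ca_file",
    "ldap_tls_cert": "ldap_client_cert", "ldap_tls_key": "ldap_client_key",
    "ldap_tls_check_peer": "ldap_verify_peer", "ldap_tls_ciphers": "ldap_ciphers",
}

# Constructed sample for the demonstration, not a real deployment.
SAMPLE = r"""
# frontend settings
httpallowtrace: yes
ldap_uri: ldaps://ldap.example.org/
ldap_start_tls: on
ldap_tls_check_peer: 1
ldap_password: \
    constructed-secret
failedloginpause: 0
loginuseacl: true
maxlogins_per_user: 10
"""


def parse_conf(text):
    """Parse 'option: value' lines, joining backslash continuations."""
    options, pending = {}, ""
    for raw in text.splitlines():
        if raw.endswith("\\"):            # continuation: nothing is inserted
            pending += raw[:-1]
            continue
        line, pending = (pending + raw).strip(), ""
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        options[key.strip()] = value.strip()
    return options


def is_on(value):
    return (value or "").strip().lower() in TRUE


def as_seconds(value, default_unit="s"):
    """'1h30m' -> 5400; a bare number takes the option's default unit."""
    value, total, pos = value.strip(), 0, 0
    for match in re.finditer(r"(\d+)([dhms]?)", value):
        if match.start() != pos:
            break
        total += int(match.group(1)) * UNIT_SECONDS[match.group(2) or default_unit]
        pos = match.end()
    if pos == 0 or pos != len(value):
        raise ValueError(f"not a duration: {value!r}")
    return total


def audit(text):
    """Return (option, message) pairs for settings worth a second look."""
    opts, found = parse_conf(text), []
    for old, new in DEPRECATED.items():
        if old in opts:
            found.append((old, f"deprecated, use {new}"))
    if is_on(opts.get("httpallowtrace")):
        found.append(("httpallowtrace", "TRACE responses may disclose sensitive data"))
    ldaps = "ldaps://" in opts.get("ldap_uri", "").lower()
    start_tls = is_on(opts.get("ldap_start_tls"))
    verify = is_on(opts.get("ldap_verify_peer"))
    if start_tls and ldaps:
        found.append(("ldap_start_tls", "do not combine with ldaps:// in ldap_uri"))
    if verify and not (opts.get("ldap_ca_file") or opts.get("ldap_ca_dir")):
        found.append(("ldap_verify_peer", "requires ldap_ca_file or ldap_ca_dir"))
    if (start_tls or ldaps) and not verify:
        found.append(("ldap_verify_peer", "TLS to LDAP without certificate verification"))
    if is_on(opts.get("loginuseacl")):
        found.append(("loginuseacl", "identities with 'a' rights on an INBOX can log in as its user"))
    for name in ("maxlogins_per_host", "maxlogins_per_user"):
        if int(opts.get(name, "0")) == 0:          # default is 0
            found.append((name, "0 means no limit on logged-in sessions"))
    if as_seconds(opts.get("failedloginpause", "3s")) == 0:
        found.append(("failedloginpause", "no pause after a failed login"))
    for name, value in opts.items():
        if name.endswith("_password") and value:
            found.append((name, "credential in clear text; restrict read access to the file"))
    return found


if __name__ == "__main__":
    for option, message in audit(SAMPLE):
        print(f"{option}: {message}")
```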
1533
1534 maxquoted: 131072
1535 Maximum size of a single quoted string for the parser. Default
1536 128k
1537
1538 maxword: 131072
1539 Maximum size of a single word for the parser. Default 128k
1540
1541 mboxkey_db: twoskip
1542 The cyrusdb backend to use for mailbox keys.
1543
1544 Allowed values: skiplist, twoskip, zeroskip
1545
1546 mboxlist_db: twoskip
1547 The cyrusdb backend to use for the mailbox list.
1548
1549 Allowed values: flat, skiplist, sql, twoskip, zeroskip
1550
1551 mboxlist_db_path: <none>
1552 The absolute path to the mailboxes db file. If not specified
1553 will be configdirectory/mailboxes.db
1554
1555 mboxname_lockpath: <none>
1556 Path to mailbox name lock files (default $conf/lock)
1557
1558 metapartition_files: <empty string>
1559 Space-separated list of metadata files to be stored on a
1560 metapartition rather than in the mailbox directory on a spool
1561 partition. Allowed values: header, index, cache, expunge, squat,
1562 annotations, lock, dav, archivecache
1563
1564 metapartition-name: <none>
1565 The pathname of the metadata partition name, corresponding to
1566 spool partition partition-name. For any mailbox residing in a
1567 directory on partition-name, the metadata files listed in
1568 metapartition_files will be stored in a corresponding directory on
1569 metapartition-name. Note that not every partition-name option
1570 is required to have a corresponding metapartition-name option,
1571 so that you can selectively choose which spool partitions will
1572 have separate metadata partitions.
1573
1574 mupdate_authname: <none>
1575 The SASL username (Authentication Name) to use when authenticat‐
1576 ing to the mupdate server (if needed).
1577
1578 mupdate_config: standard
1579 The configuration of the mupdate servers in the Cyrus Murder.
1580 The “standard” config is one in which there are discrete
1581 frontend (proxy) and backend servers. The “unified” config is one in
1582 which a server can be both a frontend and backend. The “repli‐
1583 cated” config is one in which multiple backend servers all share
1584 the same mailspool, but each have their own “replicated” copy of
1585 mailboxes.db. Allowed values: standard, unified, replicated
1586
1587 munge8bit: 1
1588 If enabled, lmtpd munges messages with 8-bit characters in the
1589 headers. The 8-bit characters are changed to ‘X’. If reject8bit
1590 is enabled, setting munge8bit has no effect. (A proper
1591 solution to non-ASCII characters in headers is offered by RFC
1592 2047 and its predecessors.)
1593
1594 mupdate_connections_max: 128
1595 The max number of connections that a mupdate process will allow,
1596 this is related to the number of file descriptors in the mupdate
1597 process. Beyond this number connections will be immediately is‐
1598 sued a BYE response.
1599
1600 mupdate_password: <none>
1601 The SASL password (if needed) to use when authenticating to the
1602 mupdate server.
1603
1604 mupdate_port: 3905
1605 The port of the mupdate server for the Cyrus Murder
1606
1607 mupdate_realm: <none>
1608 The SASL realm (if needed) to use when authenticating to the
1609 mupdate server.
1610
1611 mupdate_retry_delay: 20
1612 The base time to wait between connection retries to the mupdate
1613 server.
1614
1615 mupdate_server: <none>
1616 The mupdate server for the Cyrus Murder
1617
1618 mupdate_username: <empty string>
1619 The SASL username (Authorization Name) to use when authenticat‐
1620 ing to the mupdate server
1621
1622 mupdate_workers_max: 50
1623 The maximum number of mupdate worker threads (overall)
1624
1625 mupdate_workers_maxspare: 10
1626 The maximum number of idle mupdate worker threads
1627
1628 mupdate_workers_minspare: 2
1629 The minimum number of idle mupdate worker threads
1630
1631 mupdate_workers_start: 5
1632 The number of mupdate worker threads to start
1633
1634 netscapeurl: <none>
1635 If enabled at compile time, this specifies a URL to reply when
1636 Netscape asks the server where the mail administration HTTP
1637 server is. Administrators should set this to a local resource.
1638
1639 newsaddheaders: to
1640 Space-separated list of headers to be added to incoming usenet
1641 articles. Added To: headers will contain email delivery ad‐
1642 dresses corresponding to each newsgroup in the Newsgroups:
1643 header. Added Reply-To: headers will contain email delivery ad‐
1644 dresses corresponding to each newsgroup in the Followup-To: or
1645 Newsgroups: header. If the specified header(s) already exist in
1646 an article, the email delivery addresses will be appended to the
1647 original header body(s).
1648
1649 This option applies if and only if the newspostuser option is
1650 set. Allowed values: to, replyto
1651
1652 newsgroups: *
1653 A wildmat pattern specifying which mailbox hierarchies should be
1654 treated as newsgroups. Only mailboxes matching the wildmat will
1655 accept and/or serve articles via NNTP. If not set, a default
1656 wildmat of “*” (ALL shared mailboxes) will be used. If the
1657 newsprefix option is also set, the default wildmat will be
1658 translated to “<newsprefix>.*”
1659
1660 newsmaster: news
1661 Userid that is used for checking access controls when executing
1662 Usenet control messages. For instance, to allow articles to be
1663 automatically deleted by cancel messages, give the “news” user
1664 the ‘d’ right on the desired mailboxes. To allow newsgroups to
1665 be automatically created, deleted and renamed by the correspond‐
1666 ing control messages, give the “news” user the ‘c’ right on the
1667 desired mailbox hierarchies.
1668
1669 newspeer: <none>
1670 A list of whitespace-separated news server specifications to
1671 which articles should be fed. Each server specification is a
1672 string of the form [user[:pass]@]host[:port][/wildmat] where
1673 ‘host’ is the fully qualified hostname of the server, ‘port’ is
1674 the port on which the server is listening, ‘user’ and ‘pass’ are
1675 the authentication credentials and ‘wildmat’ is a pattern that
1676 specifies which groups should be fed. If no ‘port’ is speci‐
1677 fied, port 119 is used. If no ‘wildmat’ is specified, all
1678 groups are fed. If ‘user’ is specified (even if empty), then
1679 the NNTP POST command will be used to feed the article to the
1680 server, otherwise the IHAVE command will be used.
1681
1682 A ‘@’ may be used in place of ‘!’ in the wildmat to prevent
1683 feeding articles cross-posted to the given group, otherwise
1684 cross-posted articles are fed if any part of the wildmat
1685 matches. For example, the string “peer.example.com:*,!con‐
1686 trol.*,@local.*” would feed all groups except control messages
1687 and local groups to peer.example.com. In the case of
1688 cross-posting to local groups, these articles would not be fed.
1689
1690 newspostuser: <none>
1691 Userid used to deliver usenet articles to newsgroup folders
1692 (usually via lmtp2nntp). For example, if set to “post”, email
1693 sent to “post+comp.mail.imap” would be delivered to the
1694 “comp.mail.imap” folder.
1695
1696 When set, the Cyrus NNTP server will add the header(s) specified
1697 in the newsaddheaders option to each incoming usenet article.
1698 The added header(s) will contain email delivery addresses corre‐
1699 sponding to each relevant newsgroup. If not set, no headers are
1700 added to usenet articles.
1701
1702 newsprefix: <none>
1703 Prefix to be prepended to newsgroup names to make the corre‐
1704 sponding IMAP mailbox names.
1705
1706 newsrc_db_path: <none>
1707 The absolute path to the newsrc db file. If not specified, will
1708 be configdirectory/fetchnews.db
1709
1710 nntptimeout: 3m
1711 Set the length of the NNTP server’s inactivity autologout timer.
1712 The minimum value is 3 minutes, also the default.
1713
1714 For backward compatibility, if no unit is specified, minutes is
1715 assumed.
1716
1717 notesmailbox: <none>
1718 The top level mailbox in each user’s account which is used to
1719 store Apple-style Notes. Default is blank (disabled).
1720
1721 notifysocket: {configdirectory}/socket/notify
1722 Unix domain socket that the mail notification daemon listens on.
1723
1724 notify_external: <none>
1725 Path to the external program that notifyd(8) will call to send
1726 mail notifications.
1727
1728 The external program will be called with the following command
1729 line options:
1730
1731 -c class
1732
1733 -p priority
1734
1735 -u user
1736
1737 -m mailbox
1738
1739 And the notification message will be available on stdin.
1740
1741 partition-name: <none>
1742 The pathname of the partition name. At least one partition
1743 pathname MUST be specified. If the defaultpartition option is
1744 used, then its pathname MUST be specified. For example, if the
1745 value of the defaultpartition option is part1, then the
1746 partition-part1 field is required.
1747
1748 partition_select_mode: freespace-most
1749 Partition selection mode.
1750
1751 random (pseudo-)random selection
1752
1753 freespace-most
1754 partition with the most free space (KiB)
1755
1756 freespace-percent-most
1757 partition with the most free space (%)
1758
1759 freespace-percent-weighted
1760 each partition is weighted according to its free space
1761 (%); the more free space the partition has, the more
1762 chances it has to be selected
1763
1764 freespace-percent-weighted-delta
1765 each partition is weighted according to its difference of
1766 free space (%) compared to the most used partition; the
1767 more the partition is lagging behind the most used parti‐
1768 tion, the more chances it has to be selected
1769
1770 Note that actually even the most used partition has a few
1771 chances to be selected, and those chances increase when
1772 other partitions get closer
1773
1774 Allowed values: random, freespace-most, freespace-per‐
1775 cent-most, freespace-percent-weighted, freespace-per‐
1776 cent-weighted-delta
1777
1778 partition_select_exclude: <none>
1779 List of partitions to exclude from selection mode.
1780
1781 partition_select_usage_reinit: 0
1782 For a given session, number of operations (e.g. partition selec‐
1783 tion) for which partitions usage data are cached.
1784
1785 partition_select_soft_usage_limit: 0
1786 Limit of partition usage (%): if a partition is over that limit,
1787 it is automatically excluded from selection mode.
1788
1789 If all partitions are over that limit, this feature is not used
1790 anymore.
1791
1792 plaintextloginpause: <none>
1793 Time to pause after a successful plaintext login. For systems
1794 that support strong authentication, this permits users to per‐
1795 ceive a cost of using plaintext passwords. (This does not af‐
1796 fect the use of PLAIN in SASL authentications.)
1797
1798 For backward compatibility, if no unit is specified, seconds is
1799 assumed.
1800
1801 plaintextloginalert: <none>
1802 Message to send to client after a successful plaintext login.
1803
1804 popexpiretime: -1
1805 The duration advertised as being the minimum a message may be
1806 left on the POP server before it is deleted (via the CAPA com‐
1807 mand, defined in the POP3 Extension Mechanism, which some
1808 clients may support). This duration has a granularity of whole
1809 days, with partial days truncated (so e.g. “45m” is effectively
1810 “0d”). “NEVER”, the default, may be specified with a negative
1811 number.
1812
1813 The Cyrus POP3 server never deletes mail, no matter what the
1814 value of this parameter is. However, if a site implements a
1815 less liberal policy, it needs to change this parameter accord‐
1816 ingly.
1817
1818 For backward compatibility, if no unit is specified, days is as‐
1819 sumed.
1820
1821 popminpoll: <none>
1822 Set the minimum amount of time the server forces users to wait
1823 between successive POP logins.
1824
1825 For backward compatibility, if no unit is specified, minutes is
1826 assumed.
1827
1828 popsubfolders: 0
1829 Allow access to subfolders of INBOX via POP3 by using
1830 userid+subfolder syntax as the authentication/authorization id.
1831
1832 poppollpadding: 1
1833 Create a softer minimum poll restriction. Allows poppollpadding
1834 connections before the minpoll restriction is triggered. Addi‐
1835 tionally, one padding entry is recovered every popminpoll min‐
1836 utes. This allows for the occasional polling rate faster than
1837 popminpoll, (i.e., for clients that require a send/receive to
1838 send mail) but still enforces the rate long-term. Default is 1
1839 (disabled).
1840
1841 The easiest way to think of it is a queue of past connections,
1842 with one slot being filled for every connection, and one slot
1843 being cleared every popminpoll minutes. When the queue is full,
1844 the user will not be able to check mail again until a slot is
1845 cleared. If the user waits a sufficient amount of time, they
1846 will get back many or all of the slots.
1847
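Added example (not Cyrus code): a small Python model of the slot queue described for poppollpadding, showing which POP logins are accepted. It assumes that only accepted logins fill a slot and that the recovery clock restarts whenever the queue is empty; the class and function names are hypothetical.

```python
class PopPollLimiter:
    """Model of popminpoll with poppollpadding slots (times in minutes)."""

    def __init__(self, popminpoll, poppollpadding=1):
        self.interval = popminpoll            # one slot is cleared per interval
        self.capacity = max(1, poppollpadding)
        self.used = 0                         # slots filled by past logins
        self.last_clear = 0                   # when the recovery clock last ticked

    def _recover(self, now):
        if self.used == 0:
            self.last_clear = now             # assumption: idle queue restarts the clock
            return
        cleared = int((now - self.last_clear) // self.interval)
        if cleared:
            self.used = max(0, self.used - cleared)
            if self.used == 0:
                self.last_clear = now
            else:
                self.last_clear += cleared * self.interval

    def login(self, now):
        """Return (allowed, minutes until a slot is cleared)."""
        self._recover(now)
        if self.used >= self.capacity:
            return False, self.last_clear + self.interval - now
        self.used += 1                        # assumption: only accepted logins fill a slot
        return True, 0


def simulate(login_minutes, popminpoll, poppollpadding=1):
    """Replay login times (in minutes) and return the accept/deny decisions."""
    limiter = PopPollLimiter(popminpoll, poppollpadding)
    return [limiter.login(t)[0] for t in login_minutes]


if __name__ == "__main__":
    # Constructed login times: a burst of four, then slower polling.
    times = [0, 1, 2, 3, 5, 5.2, 25]
    for padding in (1, 3):
        print(padding, simulate(times, popminpoll=5, poppollpadding=padding))
```

With poppollpadding set to 1 the model reduces to the plain popminpoll rule, which matches the page's note that 1 means disabled.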
1848 poptimeout: 10m
1849 Set the length of the POP server’s inactivity autologout timer.
1850 The minimum value is 10 minutes, the default.
1851
1852 For backward compatibility, if no unit is specified, minutes is
1853 assumed.
1854
1855 popuseacl: 0
1856 Enforce IMAP ACLs in the pop server. Due to the nature of the
1857 POP3 protocol, the only rights which are used by the pop server
1858 are ‘r’, ‘t’, and ‘s’ for the owner of the mailbox. The ‘r’
1859 right allows the user to open the mailbox and list/retrieve mes‐
1860 sages. The ‘t’ right allows the user to delete messages. The
1861 ‘s’ right allows messages retrieved by the user to have the
1862 \Seen flag set (only if popuseimapflags is also enabled).
1863
1864 popuseimapflags: 0
1865 If enabled, the pop server will set and obey IMAP flags. Mes‐
1866 sages having the \Deleted flag are ignored as if they do not ex‐
1867 ist. Messages that are retrieved by the client will have the
1868 \Seen flag set. All messages will have the \Recent flag unset.
1869
1870 postmaster: postmaster
1871 Username that is used as the ‘From’ address in rejection MDNs
1872 produced by sieve.
1873
1874 postuser: <empty string>
1875 Userid used to deliver messages to shared folders. For example,
1876 if set to “bb”, email sent to “bb+shared.blah” would be deliv‐
1877 ered to the “shared.blah” folder. By default, an email address
1878 of “+shared.blah” would be used.
1879
1880 proc_path: <none>
1881 Path to proc directory. Default is NULL - must be an absolute
1882 path if specified. If not specified, the path $configdirec‐
1883 tory/proc/ will be used.
1884
1885 prometheus_enabled: 0
1886 Whether tracking of service metrics for Prometheus is enabled.
1887
1888 prometheus_need_auth: admin
1889 Authentication level required to fetch Prometheus metrics.
1890
1891 Allowed values: none, user, admin
1892
1893 prometheus_update_freq: 10s
1894 Frequency at which promstatsd should re-collate its statistics
1895 report. The minimum value is 1 second, the default is 10
1896 seconds.
1897
1898 For backward compatibility, if no unit is specified, seconds is
1899 assumed.
1900
1901 prometheus_stats_dir: <none>
1902 Directory to use for gathering prometheus statistics. If speci‐
1903 fied, must be an absolute path. If not specified, the default
1904 path $configdirectory/stats/ will be used. It may be advanta‐
1905 geous to locate this directory on ephemeral storage.
1906
1907 proxy_authname: proxy
1908 The authentication name to use when authenticating to a backend
1909 server in the Cyrus Murder.
1910
1911 proxy_compress: 0
1912 Try to enable protocol-specific compression when performing a
1913 client connection to a backend server in the Cyrus Murder.
1914
1915 Note that this should only be necessary over slow network con‐
1916 nections. Also note that currently only IMAP and MUPDATE sup‐
1917 port compression.
1918
1919 proxy_password: <none>
1920 The default password to use when authenticating to a backend
1921 server in the Cyrus Murder. May be overridden on a host-spe‐
1922 cific basis using the hostname_password option.
1923
1924 proxy_realm: <none>
1925 The authentication realm to use when authenticating to a backend
1926 server in the Cyrus Murder
1927
1928 proxyd_allow_status_referral: 0
1929 Set to true to allow proxyd to issue referrals to clients that
1930 support it when answering the STATUS command. This is disabled
1931 by default since some clients issue many STATUS commands in a
1932 row, and do not cache the connections that these referrals would
1933 cause, thus resulting in a higher authentication load on the re‐
1934 spective backend server.
1935
1936 proxyd_disable_mailbox_referrals: 0
1937 Set to true to disable the use of mailbox-referrals on the proxy
1938 servers.
1939
1940 proxyservers: <none>
1941 A list of users and groups that are allowed to proxy for other
1942 users, separated by spaces. Any user listed in this will be al‐
1943 lowed to login for any other user: use with caution. In a stan‐
1944 dard murder this option should ONLY be set on backends. DO NOT
1945 SET on frontends or things won’t work properly.
1946
1947 pts_module: afskrb
1948 The PTS module to use.
1949
1950 Allowed values: afskrb, ldap
1951
1952 ptloader_sock: <none>
1953 Unix domain socket that ptloader listens on. (defaults to con‐
1954 figdirectory/ptclient/ptsock)
1955
1956 ptscache_db: twoskip
1957 The cyrusdb backend to use for the pts cache.
1958
1959 Allowed values: skiplist, twoskip, zeroskip
1960
1961 ptscache_db_path: <none>
1962 The absolute path to the ptscache db file. If not specified,
1963 will be configdirectory/ptscache.db
1964
1965 ptscache_timeout: 3h
1966 The timeout for the PTS cache database when using the
1967 auth_krb_pts authorization method (default: 3 hours).
1968
1969 For backward compatibility, if no unit is specified, seconds is
1970 assumed.
1971
1972 ptskrb5_convert524: 1
1973 When using the AFSKRB ptloader module with Kerberos 5
1974 canonicalization, do the final 524 conversion to get an AFS style name
1975 (using ‘.’ instead of ‘/’, and using short names).
1976
1977 ptskrb5_strip_default_realm: 1
1978 When using the AFSKRB ptloader module with Kerberos 5 canonical‐
1979 ization, strip the default realm from the userid (this does not
1980 affect the stripping of realms specified by the afspts_local‐
1981 realms option)
1982
1983 qosmarking: cs0
1984 This specifies the Class Selector or Differentiated Services
1985 Code Point designation on IP headers (in the ToS field). Al‐
1986 lowed values: cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11,
1987 af12, af13, af21, af22, af23, af31, af32, af33, af41, af42,
1988 af43, ef
1989
1990 quota_db: quotalegacy
1991 The cyrusdb backend to use for quotas.
1992
1993 Allowed values: flat, skiplist, sql, quotalegacy, twoskip, ze‐
1994 roskip
1995
1996 quota_db_path: <none>
1997 The absolute path for the quota database (if you choose a sin‐
1998 gle-file quota DB type - or the base path if you choose quotale‐
1999 gacy). If not specified will be configdirectory/quotas.db or
2000 configdirectory/quota/
2001
2002 quotawarn: 90
2003 The percent of quota utilization over which the server generates
2004 warnings.
2005
2006 quotawarnkb: 0
2007 The maximum amount of free space (in kB) at which to give a
2008 quota warning (if this value is 0, or if the quota is smaller
2009 than this amount, then warnings are always given).
2010
2011 quotawarnmsg: 0
2012 The maximum amount of messages at which to give a quota warning
2013 (if this value is 0, or if the quota is smaller than this
2014 amount, then warnings are always given).
2015
2016 reject8bit: 0
2017 If enabled, lmtpd rejects messages with 8-bit characters in the
2018 headers.
2019
2020 restore_authname: <none>
2021 The authentication used by the restore tool when authenticating
2022 to an IMAP/sync server.
2023
2024 restore_password: <none>
2025 The password used by the restore tool when authenticating to an
2026 IMAP/sync server.
2027
2028 restore_realm: <none>
2029 The authentication realm used by the restore tool when authenti‐
2030 cating to an IMAP/sync server.
2031
2032 reverseacls: 0
2033 At startup time, ctl_cyrusdb -r will check this value and it
2034 will either add or remove reverse ACL pointers from mailboxes.db
2035
2036 rfc2046_strict: 0
2037 If enabled, imapd will be strict (per RFC 2046) when matching
2038 MIME boundary strings. This means that boundaries containing
2039 other boundaries as substrings will be treated as identical.
2040 Since enabling this option will break some messages created by
2041 Eudora 5.1 (and earlier), it is recommended that it be left dis‐
2042 abled unless there is good reason to do otherwise.
2043
2044 rfc2047_utf8: 0
2045 If enabled, imapd will parse any non-encoded character sequence
2046 in MIME header values as UTF8. This is useful for installations
2047 that either advertise the UTF8SMTP (RFC 5335) extension or re‐
2048 ceive mails with improperly escaped UTF-8 byte sequences. It is
2049 recommended that this option is left disabled unless there is
2050 good reason to do otherwise.
2051
2052 rfc3028_strict: 1
2053 If enabled, Sieve will be strict (per RFC 3028) with regards to
2054 which headers are allowed to be used in address and envelope
2055 tests. This means that only those headers which are defined to
2056 contain addresses will be allowed in address tests and only “to”
2057 and “from” will be allowed in envelope tests. When disabled,
2058 ANY grammatically correct header will be allowed.
2059
2060 rss_feedlist_template: <none>
2061 File containing HTML that will be used as a template for dis‐
2062 playing the list of available RSS feeds. A single instance of
2063 the variable %RSS_FEEDLIST% should appear in the file, which
2064 will be replaced by a nested unordered list of feeds. The
2065 toplevel unordered list will be tagged with an id of “feed” (<ul
2066 id=’feed’>) which can be used by stylesheet(s) in your template.
2067 The dynamically created list of feeds based on the HTML template
2068 will be accessible at the “/rss” URL on the server.
2069
2070 rss_feeds: *
2071 A wildmat pattern specifying which mailbox hierarchies should be
2072 treated as RSS feeds. Only mailboxes matching the wildmat will
2073 have their messages available via RSS. If not set, a default
2074 wildmat of “*” (ALL mailboxes) will be used.
2075
2076 rss_maxage: <none>
2077 Maximum age of items to display in an RSS channel. If non-zero,
2078 httpd will only display items received within this time period.
2079 If set to 0, all available items will be displayed (the de‐
2080 fault).
2081
2082 For backward compatibility, if no unit is specified, days is as‐
2083 sumed.
2084
2085 rss_maxitems: 0
2086 Maximum number of items to display in an RSS channel. If
2087 non-zero, httpd will display no more than the rss_maxitems most
2088 recent items. If set to 0, all available items will be dis‐
2089 played (the default).
2090
2091 rss_maxsynopsis: 0
2092 Maximum RSS item synopsis length. If non-zero, httpd will dis‐
2093 play no more than the first rss_maxsynopsis characters of an
2094 item’s synopsis. If set to 0, the entire synopsis will be dis‐
2095 played (the default).
2096
2097 rss_realm: <none>
2098 The realm to present for HTTP authentication of RSS feeds. If
2099 not set (the default), the value of the “servername” option will
2100 be used.
2101
2102 sasl_auto_transition: 0
2103 If enabled, the SASL library will automatically create authenti‐
2104 cation secrets when given a plaintext password. See the SASL
2105 documentation.
2106
2107 sasl_maximum_layer: 256
2108 Maximum SSF (security strength factor) that the server will al‐
2109 low a client to negotiate.
2110
2111 sasl_minimum_layer: 0
2112 The minimum SSF that the server will allow a client to negoti‐
2113 ate. A value of 1 requires integrity protection; any higher
2114 value requires some amount of encryption.
2115
2116 sasl_option: 0
2117 Any SASL option can be set by preceding it with sasl_. This
2118 file overrides the SASL configuration file.
2119
2120 sasl_pwcheck_method: <none>
2121 The mechanism used by the server to verify plaintext passwords.
2122 Possible values include “auxprop”, “saslauthd”, and “pwcheck”.
2123
2124 search_batchsize: 20
2125 The number of messages to be indexed in one batch (default 20).
2126 Note that long batches may delay user commands or mail delivery.
2127
2128 search_attachment_extractor_url: <none>
2129 Reserved for future use.
2130
2131 search_index_language: 0
2132 Reserved for future use.
2133
2134 search_index_parts: 0
2135 Deprecated. No longer used.
2136
2137 search_query_language: 0
2138 Reserved for future use.
2139
2140 search_normalisation_max: 1000
2141 A resource bound for the combinatorial explosion of search ex‐
2142 pression tree complexity caused by normalising expressions with
2143 many OR nodes. These can use more CPU time to optimise than
2144 they save IO time in scanning folders.
2145
2146 search_engine: none
2147 The indexing engine used to speed up searching.
2148
2149 Allowed values: none, squat, xapian
2150
2151 search_fuzzy_always: 0
2152 Whether to enable RFC 6203 FUZZY search for all IMAP SEARCH. If
2153 turned on, search attributes will be searched using FUZZY search
2154 by default. If turned off, clients have to explicitly use the
2155 FUZZY search key to enable fuzzy search for regular SEARCH com‐
2156 mands.
2157
2158 search_index_headers: 1
2159 Whether to index headers other than From, To, Cc, Bcc, and Sub‐
2160 ject. Experiment shows that some headers such as Received and
2161 DKIM-Signature can contribute up to 2/3rds of the index size but
2162 almost nothing to the utility of searching. Note that if header
2163 indexing is disabled, headers can still be searched, the
2164 searches will just be slower.
2165
2166 search_indexed_db: twoskip
2167 The cyrusdb backend to use for the search latest indexed uid
2168 state. Xapian only.
2169
2170 Allowed values: flat, skiplist, twoskip, zeroskip
2171
2172 search_maxtime: <none>
2173 The maximum number of seconds to run a search for before abort‐
2174 ing. Default of no value means search “forever” until other
2175 timeouts.
2176
2177 search_queryscan: 5000
2178 The minimum number of records required to do a direct scan of all
2179 G keys rather than indexed lookups. A value of 0 means always
2180 do indexed lookups.
2181
2182 search_skipdiacrit: 1
2183 When searching, should diacriticals be stripped from the search
2184 terms. The default is “true”, a search for “hav” will match
2185 “Håvard”. This is not RFC 5051 compliant, but it is backwards
2186 compatible, and may be preferred by some sites.
2187
2188 search_skiphtml: 0
2189 If enabled, HTML parts of messages are skipped, i.e. not indexed
2190 and not searchable. Otherwise, they’re indexed.
2191
2192 search_whitespace: merge
2193 When searching, how whitespace should be handled. Options are:
2194 “skip” (default in 2.3 and earlier series) - where a search for
2195 “equi” would match “the quick brown fox”. “merge” - the de‐
2196 fault, where “he qu” would match “the quick brownfox”, and
2197 “keep”, where whitespace must match exactly. The default of
2198 “merge” is recommended for most cases - it’s a good compromise
2199 which keeps words separate. Allowed values: skip, merge, keep
2200
2201 search_snippet_length: 255
2202 The maximum byte length of a snippet generated by the XSNIPPETS
2203 command. Only supported by the Xapian search backend, which at‐
2204 tempts to always fill search_snippet_length bytes in the gener‐
2205 ated snippet.
2206
2207 search_stopword_path: <none>
2208 The absolute base path to the search stopword lists. If not
2209 specified, no stopwords will be taken into account during search
2210 indexing. Currently, the only supported and default stop word
2211 file is english.txt.
2212
2213 searchpartition-name: <none>
2214 The pathname where to store the xapian search indexes of
2215 searchtier for mailboxes of partition name. This must be config‐
2216 ured for the defaultsearchtier and any additional search tier
2217 (see squatter for details).
2218
2219 For example: if defaultpartition is defined as part1 and de‐
2220 faultsearchtier as tier1 then the configuration must contain an
2221 entry tier1searchpartition-part1 that defines the path where to
2222 store this tier1’s search index for the part1 partition.
2223
2224 This option MUST be specified for xapian search.
2225
2226 seenstate_db: twoskip
2227 The cyrusdb backend to use for the seen state.
2228
2229 Allowed values: flat, skiplist, twoskip, zeroskip
2230
2231 sendmail: /usr/lib/sendmail
2232 The pathname of the sendmail executable. Sieve invokes sendmail
2233 for sending rejections, redirects and vacation responses.
2234
2235 sendmail_auth_id: CYRUS_SENDMAIL_AUTH_ID
2236 The name of an environment variable to set when invoking send‐
2237 mail. The value of this environment variable will contain the
2238 user id of the currently authenticated user. If no user is au‐
2239 thenticated the environment variable is not set.
2240
2241 serverlist: <none>
2242 Whitespace separated list of backend server names. Used for
2243 finding server with the most available free space for proxying
2244 CREATE.
2245
2246 serverlist_select_mode: freespace-most
2247 Server selection mode.
2248
2249 random (pseudo-)random selection
2250
2251 freespace-most
2252 backend with the most (total) free space (KiB)
2253
2254 freespace-percent-most
2255 backend whose partition has the most free space (%)
2256
2257 freespace-percent-weighted
2258 same as for partition selection, comparing the free space
2259 (%) of the least used partition of each backend
2260
2261 freespace-percent-weighted-delta
2262 same as for partition selection, comparing the free space
2263 (%) of the least used partition of each backend.
2264
2265 Allowed values: random, freespace-most, freespace-per‐
2266 cent-most, freespace-percent-weighted, freespace-per‐
2267 cent-weighted-delta
2268
2269 serverlist_select_usage_reinit: 0
2270 For a given session, number of operations (e.g. backend selec‐
2271 tion) for which backend usage data are cached.
2272
2273 serverlist_select_soft_usage_limit: 0
2274 Limit of backend usage (%): if a backend is over that limit, it
2275 is automatically excluded from selection mode.
2276
2277 If all backends are over that limit, this feature is not used
2278 anymore.
2279
2280 servername: <none>
2281 This is the hostname visible in the greeting messages of the
2282 POP, IMAP and LMTP daemons. If it is unset, then the result re‐
2283 turned from gethostname(2) is used. This is also the value used
2284 by murder clusters to identify the host name. It should be re‐
2285 solvable by DNS to the correct host, and unique within an active
2286 cluster. If you are using low level replication (e.g. drbd)
2287 then it should be the same on each copy and the DNS name should
2288 also be moved to the new master on failover.
2289
2290 serverinfo: on
2291 The server information to display in the greeting and capability
2292 responses. Information is displayed as follows:
2293 “off” = no server information in the greeting or capabilities
2294
2295 “min” = servername in the greeting; no server information in
2296 the capabilities
2297
2298 “on” = servername and product version in the greeting; prod‐
2299 uct version in the capabilities
2300
2301 Allowed values: off, min, on
2302
2303 sharedprefix: Shared Folders
2304 If using the alternate IMAP namespace, the prefix for the shared
2305 namespace. The hierarchy delimiter will be automatically ap‐
2306 pended.
2307
2308 sieve_allowreferrals: 1
2309 If enabled, timsieved will issue referrals to clients when the
2310 user’s scripts reside on a remote server (in a Murder). Other‐
2311 wise, timsieved will proxy traffic to the remote server.
2312
2313 sieve_duplicate_max_expiration: 90d
2314 Maximum expiration time for duplicate message tracking records.
2315
2316 For backward compatibility, if no unit is specified, seconds is
2317 assumed.
2318
2319 sieve_extensions: fileinto reject vacation vacation-seconds
2320 imapflags notify include envelope environment body relational regex
2321 subaddress copy date index imap4flags mailbox mboxmetadata server‐
2322 metadata variables editheader extlists duplicate ihave fcc spe‐
2323 cial-use redirect-dsn redirect-deliverby mailboxid x-cyrus-log
2324 x-cyrus-jmapquery x-cyrus-snooze
2325 Space-separated list of Sieve extensions allowed to be used in
2326 sieve scripts, enforced at submission by timsieved(8). Any pre‐
2327 viously installed script will be unaffected by this option and
2328 will continue to execute regardless of the extensions used.
2329 This option has no effect on options that are disabled at com‐
2330 pile time (e.g., “regex”). Allowed values: fileinto, reject,
2331 vacation, vacation-seconds, imapflags, notify, include, enve‐
2332 lope, environment, body, relational, regex, subaddress, copy,
2333 date, index, imap4flags, mailbox, mboxmetadata, servermetadata,
2334 variables, editheader, extlists, duplicate, ihave, fcc, spe‐
2335 cial-use, redirect-dsn, redirect-deliverby, mailboxid,
2336 x-cyrus-log, x-cyrus-jmapquery, x-cyrus-snooze
2337
2338 sieve_maxscriptsize: 32
2339 Maximum size (in kilobytes) any sieve script can be, enforced at
2340 submission by timsieved(8).
2341
2342 sieve_maxscripts: 5
2343 Maximum number of sieve scripts any user may have, enforced at
2344 submission by timsieved(8).
2345
2346 sieve_utf8fileinto: 0
2347 If enabled, the sieve engine expects folder names for the
2348 fileinto action in scripts to use UTF8 encoding. Otherwise,
2349 modified UTF7 encoding should be used.
2350
2351 sieve_sasl_send_unsolicited_capability: 0
2352 If enabled, timsieved will emit a capability response after a
2353 successful SASL authentication, per draft-martin-manage‐
2354 sieve-12.txt .
2355
2356 sieve_use_lmtp_reject: 1
2357 Enabled by default. If reject can be done via LMTP, then return
2358 a 550 rather than generating the bounce message in Cyrus.
2359
2360 sieve_vacation_min_response: 3d
2361 Minimum time interval between consecutive vacation responses,
2362 per draft-ietf-vacation-seconds.txt. The default is 3 days.
2363
2364 For backward compatibility, if no unit is specified, seconds is
2365 assumed.
2366
2367 sieve_vacation_max_response: 90d
2368 Maximum time interval between consecutive vacation responses,
2369 per draft-ietf-vacation-seconds.txt. The default is 90 days.
2370 The minimum is 7 days.
2371
2372 For backward compatibility, if no unit is specified, seconds is
2373 assumed.
2374
2375 sievedir: /usr/sieve
2376 If sieveusehomedir is false, this directory is searched for
2377 Sieve scripts.
2378
2379 sievenotifier: <none>
2380 Notifyd(8) method to use for “SIEVE” notifications. If not set,
2381 “SIEVE” notifications are disabled.
2382
2383 This method is only used when no method is specified in the
2384 script.
2385
2386 sieveusehomedir: 0
2387 If enabled, lmtpd will look for Sieve scripts in user’s home di‐
2388 rectories: ~user/.sieve.
2389
2390 anysievefolder: 0
2391 It must be “yes” in order to permit the autocreation of any IN‐
2392 BOX subfolder requested by a sieve filter, through the
2393 “fileinto” action. (default = no)
2394
singleinstancestore: 1
    If enabled, imapd, lmtpd and nntpd attempt to only write one
    copy of a message per partition and create hard links, resulting
    in a potentially large disk savings.

skiplist_always_checkpoint: 1
    If enabled, this option forces the skiplist cyrusdb backend to
    always checkpoint when doing a recovery. This causes slightly
    more IO, but on the other hand leads to more efficient
    databases, and the entire file is already “hot”.

skiplist_unsafe: 0
    If enabled, this option forces the skiplist cyrusdb backend to
    not sync writes to the disk. Enabling this option is NOT
    RECOMMENDED.

smtp_backend: sendmail
    The SMTP backend to use for sending email.

    The “host” backend sends message submissions via a TCP socket to
    the SMTP host defined in the config option smtp_host.

    The “sendmail” backend forks the Cyrus process into the
    executable defined in the config option sendmail. The executable
    must accept “-bs” as command line argument, read from stdin and
    must implement the minimum SMTP protocol as defined in section
    4.5.1 of RFC 5321.

    If the SMTP EHLO command reports AUTH (RFC 4954) as a supported
    extension, then the MAIL FROM command includes the AUTH
    parameter, with its value set to the name of any authenticated
    user which triggered the email. The AUTH parameter is omitted if
    the user is unknown to the calling process.

    If the directory configdirectory/log/smtpclient.smtp_backend
    exists, then telemetry logs for outgoing SMTP sessions will be
    created in this directory.

    Allowed values: host, sendmail

smtp_host: localhost:587
    The SMTP host to use for sending mail (also see the smtp_backend
    option). The value of this option must be the name or IP address
    of a TCP host, followed optionally by a colon and the port or
    service to use. The default port is 587. TLS may be activated by
    appending “/tls” to the value. Authentication is enabled if
    smtp_auth_authname is set. Authentication can be explicitly
    disabled by appending “/noauth” to the host address.

smtp_auth_authname: <none>
    The authentication name to use when authenticating to the SMTP
    server defined in smtp_host.

smtp_auth_password: <none>
    The password to use when authenticating to the SMTP server
    defined in smtp_host.

smtp_auth_realm: <none>
    The authentication SASL realm to use when authenticating to a
    SMTP server.

soft_noauth: 1
    If enabled, lmtpd returns temporary failures if the client does
    not successfully authenticate. Otherwise lmtpd returns
    permanent failures (causing the mail to bounce immediately).

sortcache_db: twoskip
    The cyrusdb backend to use for caching sort results (currently
    only used for xconvmultisort). Allowed values: skiplist,
    twoskip, zeroskip

specialuse_extra: <none>
    Whitespace separated list of extra special-use attributes that
    can be set on a mailbox. RFC 6154 currently lists what
    special-use attributes can be set. This allows extending that
    list in the future or adding your own if needed.

specialuse_protect: \Archive \Drafts \Important \Junk \Sent \Trash
    Whitespace separated list of special-use attributes to protect
    the mailboxes for. If set, don’t allow mailboxes with these
    special use attributes to be deleted or renamed to have a
    different parent. Default is the built-in list.

specialusealways: 1
    If enabled, this option causes LIST and LSUB output to always
    include the XLIST “special-use” flags.

sql_database: <none>
    Name of the database which contains the cyrusdb table(s).

sql_engine: <none>
    Name of the SQL engine to use.

    Allowed values: mysql, pgsql, sqlite

sql_hostnames: <empty string>
    Comma separated list of SQL servers (in host[:port] format).

sql_passwd: <none>
    Password to use for authentication to the SQL server.

sql_user: <none>
    Username to use for authentication to the SQL server.

sql_usessl: 0
    If enabled, a secure connection will be made to the SQL server.

srs_alwaysrewrite: 0
    If true, perform SRS rewriting for ALL forwarding, even when not
    required.

srs_domain: <none>
    The domain to use in rewritten addresses. This must point only
    to machines which know the encoding secret used by this system.
    When present, SRS is enabled.

srs_hashlength: 0
    The hash length to generate in a rewritten address.

srs_secrets: <none>
    A list of secrets with which to generate addresses.

srs_separator: <none>
    The separator to appear immediately after SRS[01] in rewritten
    addresses.

srvtab: <empty string>
    The pathname of srvtab file containing the server’s private key.
    This option is passed to the SASL library and overrides its
    default setting.

submitservers: <none>
    A list of users and groups that are allowed to resolve
    “urlauth=submit+” IMAP URLs, separated by spaces. Any user
    listed in this will be allowed to fetch the contents of any
    valid “urlauth=submit+” IMAP URL: use with caution.

subscription_db: flat
    The cyrusdb backend to use for the subscriptions list.

    Allowed values: flat, skiplist, twoskip, zeroskip

suppress_capabilities: <none>
    Suppress the named capabilities from any capability response.
    Use the exact case as it appears in the response, e.g.
    “suppress_capabilities: ESEARCH QRESYNC WITHIN XLIST LIST-EXTENDED”
    if you have a murder with 2.3.x backends and don’t want clients
    being confused by new capabilities that some backends don’t
    support.

statuscache: 0
    Enable/disable the imap status cache.

statuscache_db: twoskip
    The cyrusdb backend to use for the imap status cache.

    Allowed values: skiplist, sql, twoskip, zeroskip

statuscache_db_path: <none>
    The absolute path to the statuscache db file. If not specified,
    will be configdirectory/statuscache.db

sync_authname: <none>
    The authentication name to use when authenticating to a sync
    server. Prefix with a channel name to only apply for that
    channel.

sync_batchsize: 8192
    The number of messages to upload in a single mailbox
    replication. Default is 8192. If there are more than this many
    messages appended to the mailbox, generate a synthetic partial
    state and send that.

sync_host: <none>
    Name of the host (replica running sync_server(8)) to which
    replication actions will be sent by sync_client(8). Prefix with
    a channel name to only apply for that channel.

sync_log: 0
    Enable replication action logging by lmtpd(8), imapd(8),
    pop3d(8), and nntpd(8). The log {configdirectory}/sync/log is
    used by sync_client(8) for “rolling” replication.

sync_log_chain: 0
    Enable replication action logging by sync_server as well,
    allowing chaining of replicas. Use this on ‘B’ for an
    A => B => C replication layout.

sync_log_channels: <none>
    If specified, log all events to multiple log files in
    directories specified by each “channel”. Each channel can then
    be processed separately, such as by multiple sync_client(8)s in
    a mesh replication scheme, or by squatter(8) for rolling search
    index updates.

    You can use “” (the two-character string U+22 U+22) to mean the
    default sync channel.

sync_log_unsuppressable_channels: squatter
    If specified, the named channels are exempt from the effect of
    setting sync_log_chain:off, i.e. they are always logged to by
    the sync_server process. This is only really useful to allow
    rolling search indexing on a replica.

sync_password: <none>
    The default password to use when authenticating to a sync
    server. Prefix with a channel name to only apply for that
    channel.

sync_port: <none>
    Name of the service (or port number) of the replication service
    on replica host. Prefix with a channel name to only apply for
    that channel. If not specified, and if sync_try_imap is set to
    “yes” (the default), then the replication client will first try
    “imap” (port 143) to check if imapd supports replication.
    Otherwise it will default to “csync” (usually port 2005).

sync_realm: <none>
    The authentication realm to use when authenticating to a sync
    server. Prefix with a channel name to only apply for that
    channel.

sync_repeat_interval: 1s
    Minimum interval between replication runs in rolling replication
    mode. If a replication run takes longer than this time, we
    repeat immediately. Prefix with a channel name to only apply for
    that channel.

    For backward compatibility, if no unit is specified, seconds is
    assumed.

sync_shutdown_file: <none>
    Simple latch used to tell sync_client(8) that it should shut
    down at the next opportunity. Safer than sending signals to
    running processes. Prefix with a channel name to only apply for
    that channel.

sync_timeout: 30m
    How long to wait for a response before returning a timeout
    failure when talking to a replication peer (client or server).
    The minimum duration is 3 seconds, the default is 30 minutes.

    For backward compatibility, if no unit is specified, seconds is
    assumed.

sync_try_imap: 1
    Whether sync_client should try to perform an IMAP connection
    before falling back to csync. If this is set to “no”,
    sync_client will only use csync. Prefix with a channel name to
    apply only for that channel.

syslog_prefix: <none>
    String to be prepended to the process name in syslog entries.
    Can be further overridden by setting the $CYRUS_SYSLOG_PREFIX
    environment variable.

    Using the $CYRUS_SYSLOG_PREFIX environment variable has the
    additional advantage that it can be set before the imapd.conf is
    read, so errors while reading the config file can be syslogged
    with the correct prefix.

syslog_facility: <none>
    Configure a syslog facility. The default is whatever is
    compiled in. Allowed values are: DAEMON, MAIL, NEWS, USER, and
    LOCAL0 through to LOCAL7

tcp_keepalive: 0
    Enable keepalive on TCP connections

tcp_keepalive_cnt: 0
    Number of TCP keepalive probes to send before declaring the
    connection dead (0 == system default)

tcp_keepalive_idle: 0
    How long a connection must be idle before keepalive probes are
    sent (0 == system default).

    For backward compatibility, if no unit is specified, seconds is
    assumed.

tcp_keepalive_intvl: 0
    Time between keepalive probes (0 == system default).

    For backward compatibility, if no unit is specified, seconds is
    assumed.

temp_path: /tmp
    The pathname to store temporary files in

telemetry_bysessionid: 0
    If true, log by sessionid instead of PID for telemetry

timeout: 32m
    The length of the IMAP server’s inactivity autologout timer.
    The minimum value is 30 minutes. The default is 32 minutes, to
    allow a bit of leeway for clients that try to NOOP every 30
    minutes.

    For backward compatibility, if no unit is specified, minutes is
    assumed.

imapidletimeout: <none>
    Timeout for idling clients (RFC 2177). If not set (the
    default), the value of “timeout” will be used instead.

    For backward compatibility, if no unit is specified, minutes is
    assumed.

tls_ca_file: <none>
    Deprecated in favor of tls_client_ca_file.

tls_ca_path: <none>
    Deprecated in favor of tls_client_ca_dir.

tlscache_db: twoskip
    Deprecated in favor of tls_sessions_db.

tlscache_db_path: <none>
    Deprecated in favor of tls_sessions_db_path.

tls_cert_file: <none>
    Deprecated in favor of tls_server_cert.

tls_cipher_list: DEFAULT
    Deprecated in favor of tls_ciphers.

tls_ciphers: DEFAULT
    The list of SSL/TLS ciphers to allow. The format of the string
    (and definition of “DEFAULT”) is described in ciphers(1).

    See also Mozilla’s server-side TLS recommendations:

    https://wiki.mozilla.org/Security/Server_Side_TLS

tls_crl_file: <none>
    Path to a file containing the Certificate Revocation List

tls_client_ca_dir: <none>
    Path to a directory containing the CA certificates used to
    verify client SSL certificates used for authentication.

tls_client_ca_file: <none>
    Path to a file containing the CA certificate(s) used to verify
    client SSL certificates used for authentication.

tls_client_cert: <none>
    File containing the certificate presented to a server for
    authentication during STARTTLS. A value of “disabled” will
    disable this server’s use of certificate-based authentication.

tls_client_certs: optional
    Disable (“off”), allow (“optional”, default) or require
    (“require”) the use of SSL certificates by clients to
    authenticate themselves. Allowed values: off, optional, require

tls_client_key: <none>
    File containing the private key belonging to the tls_client_cert
    certificate. A value of “disabled” will disable this server’s
    use of certificate-based authentication.

tls_eccurve: prime256v1
    The elliptic curve used for ECDHE. Default is NIST Suite B
    prime256. See ‘openssl ecparam -list_curves’ for possible
    values.

tls_key_file: <none>
    Deprecated in favor of tls_server_key.

tls_required: 0
    If enabled, require a TLS/SSL encryption layer to be negotiated
    prior to ANY authentication mechanisms being advertised or
    allowed.

tls_prefer_server_ciphers: 0
    Prefer the ciphers on the server side instead of client side.

tls_server_ca_dir: <none>
    Path to a directory with CA certificates used to verify
    certificates offered by the server, when cyrus acts as client.
    This directory must have filenames with the hashed value of the
    certificates (see openssl(1)).

tls_server_ca_file: <none>
    Path to a file containing CA certificates used to verify
    certificates offered by the server, when cyrus acts as client.

tls_server_cert: <none>
    File containing the certificate, including the full chain,
    presented to clients. Two certificates can be set, e.g. RSA and
    EC, if the filenames are separated by a comma without spaces.

tls_server_dhparam: <none>
    File containing the DH parameters belonging to the certificate
    in tls_server_cert.

tls_server_key: <none>
    File containing the private key belonging to the certificate in
    tls_server_cert. If not set, tls_server_cert must contain both
    private and public key. Two files with keys can be set, if two
    certificates are used, in which case the files must be separated
    by a comma without spaces.

tls_sessions_db: twoskip
    The cyrusdb backend to use for the TLS cache.

    Allowed values: skiplist, sql, twoskip, zeroskip

tls_sessions_db_path: <none>
    The absolute path to the TLS sessions db file. If not specified,
    will be configdirectory/tls_sessions.db

tls_session_timeout: 24h
    The length of time that a TLS session will be cached for later
    reuse. The maximum value is 24 hours, also the default. A
    value of 0 will disable session caching.

    For backward compatibility, if no unit is specified, minutes is
    assumed.

tls_versions: tls1_0 tls1_1 tls1_2 tls1_3
    A list of SSL/TLS versions to not disable. Cyrus IMAP SSL/TLS
    starts with all protocols, and subtracts protocols not in this
    list. Newer versions of SSL/TLS will need to be added here to
    allow them to get disabled.

uidl_format: cyrus
    Choose the format for UIDLs in pop3. Possible values are
    “uidonly”, “cyrus”, “dovecot” and “courier”. “uidonly” forces
    the old default of UID, “cyrus” is UIDVALIDITY.UID. Dovecot is
    8 digits of leading hex (lower case) each UID UIDVALIDITY.
    Courier is UIDVALIDITY-UID. Allowed values: uidonly, cyrus,
    dovecot, courier

umask: 077
    The umask value used by various Cyrus IMAP programs.

userdeny_db: flat
    The cyrusdb backend to use for the user access list.

    Allowed values: flat, skiplist, sql, twoskip, zeroskip

userdeny_db_path: <none>
    The absolute path to the userdeny db file. If not specified,
    will be configdirectory/user_deny.db

username_tolower: 1
    Convert usernames to all lowercase before login/authentication.
    This is useful with authentication backends which ignore case
    during username lookups (such as LDAP).

userprefix: Other Users
    If using the alternate IMAP namespace, the prefix for the other
    users namespace. The hierarchy delimiter will be automatically
    appended.

unix_group_enable: 1
    Should we look up groups when using auth_unix (disable this if
    you are not using groups in ACLs for your IMAP server, and you
    are using auth_unix with a backend (such as LDAP) that can make
    getgrent() calls very slow).

unixhierarchysep: 1
    Use the UNIX separator character ‘/’ for delimiting levels of
    mailbox hierarchy. Turn off to use the netnews separator
    character ‘.’. Note that with the netnews separator, no dots may
    occur in mailbox names. The default switched in 3.0 from off to
    on.

virtdomains: off
    Configure virtual domain support.

    off     Cyrus does not know or care about domains. Only the local
            part of email addresses is ever considered. This is not
            recommended for any deployment, but is currently the
            default.

    userid  The user’s domain is determined by splitting a fully
            qualified userid at the last ‘@’ or ‘%’ symbol. If the
            userid is unqualified, the defaultdomain will be used.
            This is the recommended configuration for all
            deployments. If you wish to provide calendaring services
            you must use this configuration.

    on      Fully qualified userids are respected, as per “userid”.
            Unqualified userids will have their domain determined by
            doing a reverse lookup on the IP address of the incoming
            network interface, or if no record is found, the
            defaultdomain will be used.

    Allowed values: off, userid, on

virusscan_notification_subject: Automatically deleted mail
    The text used in the subject of email notifications created by
    cyr_virusscan(8) when deleting infected mail.

virusscan_notification_template: <none>
    The absolute path to a file containing a template to use to
    describe infected messages that have been deleted by
    cyr_virusscan(8). See cyr_virusscan(8) for specification of the
    format of this file. If not specified, the builtin default
    template will be used.

xbackup_enabled: 0
    Enable support for the XBACKUP command in imapd. If enabled,
    admin users can use this command to provoke a replication of
    specified users to the named backup channel.

xlist-flag: <none>
    Set the special-use flag flag on the specified folder when it is
    autocreated (see the autocreate_inbox_folders option). For
    example, if xlist-junk: Spam is set, and the folder Spam is
    autocreated, the special-use flag \Junk will be set on it.

    (This option is so named for backward compatibility with old
    config files.)

lmtp_catchall_mailbox: <none>
    Mail sent to mailboxes which do not exist, will be delivered to
    this user. NOTE: This must be an existing local user name with
    an INBOX, NOT an email address!

zoneinfo_db: twoskip
    The cyrusdb backend to use for zoneinfo. This database is used
    by the “tzdist” httpmodules, and is managed by ctl_zoneinfo(8).
    Allowed values: flat, skiplist, twoskip, zeroskip

zoneinfo_db_path: <none>
    The absolute path to the zoneinfo db file. If not specified,
    will be configdirectory/zoneinfo.db

zoneinfo_dir: <none>
    The absolute path to the zoneinfo directory, containing timezone
    definitions as generated by the vzic tool. If not specified,
    whatever definitions libical finds will be used.

    If you are providing a Time Zone Data Distribution Service (i.e.
    you have “tzdist” listed in httpmodules), then this
    configuration option MUST be specified.

object_storage_enabled: 0
    Whether object storage is enabled for this server. You also need
    to have archiving enabled and an archivepartition for the
    mailbox. Only email files will be stored on object storage; the
    archive partition will be used to store any other files.

object_storage_dummy_spool: <none>
    Dummy object storage spool; this is for test only. Spool where
    user directory (container) will be created to store all emails
    in a flat structure.

openio_namespace: <none>
    The OpenIO namespace used to store archived email messages. A
    namespace identifies the physical platform cyrus must contact.
    This directive is used by the OpenIO SDK to locate its platform
    entry point.

openio_account: <none>
    The OpenIO account used to account for stored emails. Accounts
    are unique in their namespace. They provide virtual partitions,
    with quotas and QoS features.

openio_rawx_timeout: 30s
    The OpenIO timeout for queries to the RAWX services (default 30
    sec).

openio_proxy_timeout: 5s
    The OpenIO timeout for queries to the PROXY services (default 5
    sec).

openio_autocreate: 0
    Allow the OpenIO SDK to autocreate containers. Mainly intended
    to be turned on in development environments. In production, the
    container should have been provisioned with the mailboxes.

openio_verbosity: <none>
    Sets the logging verbosity of the OpenIO’s internal behavior.
    Admissible values are: “warning”, “notice”, “info”, “debug”,
    “trace”, “quiet”. The default verbosity is “warning”. Set to
    “notice” for a few lines on a per-client basis. Set to “info”
    for a few lines on a per-request basis. Set to “debug” Set to
    “trace” to activate the underlying libcurl debug output.
    Enabling a verbosity higher than or equal to “debug” requires
    cyrus to be set in debug mode. The special “quiet” value
    disables all kinds of logging at the GLib level.

caringo_hostname: <none>
    The Caringo hostname used to store archived email messages. A
    hostname identifies the physical platform cyrus must contact.
    This directive is used by the Caringo SDK (CastorSDK: Caringo
    Simple Content Storage Protocol (SCSP) on HTTP 1.1 using a
    RESTful architecture).

caringo_port: 80
    The port of the caringo server (caringo_hostname); default is
    80.

fastmailsharing: 0
    If enabled, use FastMail style sharing (oldschool full server
    paths)

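The following is an added example, not part of Cyrus IMAP or of this manual page: a Python audit that parses the "option: value" syntax described at the top of this page (continuation lines, comments, boolean spellings) and reports the effective settings, documented defaults included, for the TLS, SMTP, SQL, skiplist and submitservers options above. The function names, the two constructed sample configurations, their host and user names, and the choice of which settings to flag are assumptions of the example.

```python
"""Audit imapd.conf text for risky transport/durability settings (added example)."""
TRUE_VALUES = {"yes", "on", "t", "true", "1"}
# Defaults as listed on this page for the options the audit reads.
DEFAULTS = {
    "tls_required": "0",
    "tls_versions": "tls1_0 tls1_1 tls1_2 tls1_3",
    "skiplist_unsafe": "0",
    "smtp_backend": "sendmail",
    "smtp_host": "localhost:587",
    "sql_usessl": "0",
}
# Both configurations below are constructed samples, not real deployments.
SAMPLE_CONF = """\
# constructed sample
tls_versions: tls1_0 tls1_1 \\
 tls1_2 tls1_3
skiplist_unsafe: yes
smtp_backend: host
smtp_host: mail.example.net:587
smtp_auth_authname: cyrus-submit
sql_engine: pgsql
"""
HARDENED_CONF = """\
tls_required: on
tls_versions: tls1_2 tls1_3
smtp_backend: host
smtp_host: mail.example.net:587/tls
smtp_auth_authname: cyrus-submit
sql_engine: pgsql
sql_usessl: true
"""


def parse_imapd_conf(text):
    """Return {option: value} for text in the 'option: value' syntax."""
    logical, pending = [], ""
    for raw in text.splitlines():
        if raw.endswith("\\"):
            pending += raw[:-1]  # continuation: no whitespace is inserted
            continue
        logical.append(pending + raw)
        pending = ""
    options = {}
    for line in logical:
        if not line.strip() or line.startswith("#"):
            continue  # blank lines and comment lines are ignored
        name, sep, value = line.partition(":")
        if sep:
            options[name.strip()] = value.strip()
    return options


def audit(text):
    """Return sorted (option, finding) pairs for the effective settings."""
    conf = {**DEFAULTS, **parse_imapd_conf(text)}

    def on(option):
        # Case-insensitive matching is a choice of this example.
        return conf.get(option, "0").lower() in TRUE_VALUES

    findings = []
    if not on("tls_required"):
        findings.append(("tls_required", "authentication is offered without requiring TLS"))
    # TLS 1.0 and 1.1 are deprecated by RFC 8996.
    legacy = sorted({"tls1_0", "tls1_1"} & set(conf["tls_versions"].split()))
    if legacy:
        findings.append(("tls_versions", "legacy protocols left enabled: " + " ".join(legacy)))
    if on("skiplist_unsafe"):
        findings.append(("skiplist_unsafe", "skiplist writes are not synced to disk"))
    host = conf["smtp_host"]
    if (conf["smtp_backend"] == "host" and conf.get("smtp_auth_authname")
            and "/tls" not in host and "/noauth" not in host):
        findings.append(("smtp_host", "SMTP authentication is enabled without /tls"))
    if conf.get("sql_engine") in ("mysql", "pgsql") and not on("sql_usessl"):
        findings.append(("sql_usessl", "connection to the SQL server is not secured"))
    if conf.get("submitservers"):
        findings.append(("submitservers", "listed users can fetch any urlauth=submit+ URL"))
    return sorted(findings)


if __name__ == "__main__":
    for option, finding in audit(SAMPLE_CONF):
        print(f"{option}: {finding}")
```

An empty configuration is still reported for tls_required and tls_versions, because the defaults listed on this page leave TLS optional and keep tls1_0 and tls1_1 in the list.
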
imapd(8), pop3d(8), nntpd(8), lmtpd(8), httpd(8), timsieved(8),
idled(8), notifyd(8), deliver(8), master(8), ciphers(1)

The Cyrus Team

1993-2018, The Cyrus Team

3.2.8 September 01, 2021 IMAPD.CONF(5)