IMAPD.CONF(5)                 File Formats Manual                IMAPD.CONF(5)

NAME

       imapd.conf - IMAP configuration file

DESCRIPTION

       /etc/imapd.conf is the configuration file for the Cyrus IMAP server.
       It defines local parameters for IMAP.

       Each line of the /etc/imapd.conf file has the form

              option: value

       where option is the name of the configuration option being set and
       value is the value that the configuration option is being set to.

       Blank lines and lines beginning with ``#'' are ignored.

       For boolean and enumerated options, the values ``yes'', ``on'', ``t'',
       ``true'' and ``1'' turn the option on, the values ``no'', ``off'',
       ``f'', ``false'' and ``0'' turn the option off.

FIELD DESCRIPTIONS

       The sections below detail options that can be placed in the
       /etc/imapd.conf file, and show each option's default value. Some
       options have no default value; these are listed with ``<no default>''.
       Some options default to the empty string; these are listed with
       ``<none>''.

       admins: <empty string>
            The list of userids with administrative rights. Separate each
            userid with a space. Sites using Kerberos authentication may use
            separate "admin" instances.

       Note that accounts used by users should not be administrators.
       Administrative accounts should not receive mail. That is, if user
       "jbRo" is a user reading mail, he should not also be in the admins
       line. Some problems may occur otherwise, most notably the ability of
       administrators to create top-level mailboxes visible to users, but not
       writable by users.

       afspts_localrealms: <none>
            The list of realms which are to be treated as local, and thus
            stripped during identifier canonicalization (for the AFSPTS
            ptloader module). This is different from loginrealms in that it
            occurs later in the authorization process (as the user id is
            canonified for PTS lookup).

       afspts_mycell: <none>
            Cell to use for AFS PTS lookups. Defaults to the local cell.

       allowallsubscribe: 0
            Allow subscription to nonexistent mailboxes. This option is
            typically used on backend servers in a Murder so that users can
            subscribe to mailboxes that don't reside on their "home" server.
            This option can also be used as a workaround for IMAP clients
            which don't play well with nonexistent or unselectable mailboxes
            (e.g. Microsoft Outlook).

       allowanonymouslogin: 0
            Permit logins by the user "anonymous" using any password. Also
            allows use of the SASL ANONYMOUS mechanism.

       allowapop: 1
            Allow use of the POP3 APOP authentication command.

       Note that this command requires that SASL is compiled with APOP
       support, that the plaintext passwords are available in a SASL auxprop
       backend (e.g. sasldb), and that the system can provide enough entropy
       (e.g. from /dev/urandom) to create a challenge in the banner.

       allownewnews: 0
            Allow use of the NNTP NEWNEWS command.

       Note that this is a very expensive command and should only be enabled
       when absolutely necessary.

       allowplaintext: 0
            Allow the use of cleartext passwords on the wire.

       allowusermoves: 0
            Allow moving user accounts (with associated meta-data) via RENAME
            or XFER.

       Note that measures should be taken to make sure that the user being
       moved is not logged in, and can not login during the move. Failure to
       do so may result in the user's meta-data (seen state, subscriptions,
       etc) being corrupted or out of date.

       altnamespace: 0
            Use the alternate IMAP namespace, where personal folders reside at
            the same level in the hierarchy as INBOX.

       This option ONLY applies where interaction takes place with the
       client/user. Currently this is limited to the IMAP protocol (imapd)
       and Sieve scripts (lmtpd). This option does NOT apply to admin tools
       such as cyradm (admins ONLY), reconstruct, quota, etc., NOR does it
       affect LMTP delivery of messages directly to mailboxes via
       plus-addressing.

       annotation_db: skiplist
            The cyrusdb backend to use for mailbox annotations.

            Allowed values: berkeley, berkeley-hash, skiplist

       anyoneuseracl: 1
            Should non-admin users be allowed to set ACLs for the 'anyone'
            user on their mailboxes? In a large organization this can cause
            support problems, but it's enabled by default.

       auth_mech: unix
            The authorization mechanism to use.

            Allowed values: unix, pts, krb, krb5

       autocreatequota: 0
            If nonzero, normal users may create their own IMAP accounts by
            creating the mailbox INBOX. The user's quota is set to the value
            if it is positive, otherwise the user has unlimited quota.

       berkeley_cachesize: 512
            Size (in kilobytes) of the shared memory buffer pool (cache) used
            by the berkeley environment. The minimum allowed value is 20.
            The maximum allowed value is 4194303 (4GB).

       berkeley_locks_max: 50000
            Maximum number of locks to be held or requested in the berkeley
            environment.

       berkeley_txns_max: 100
            Maximum number of transactions to be supported in the berkeley
            environment.

       client_timeout: 10
            Number of seconds to wait before returning a timeout failure when
            performing a client connection (e.g. in a murder environment).

       createonpost: 0
            If yes, when lmtpd receives an incoming mail for an INBOX that
            does not exist, then the INBOX is automatically created by lmtpd.

       autocreateinboxfolders: <none>
            If a user does not have an INBOX created then the INBOX as well as
            some INBOX subfolders are created under two conditions:

            1. The user logs in via the IMAP or the POP3 protocol
               (autocreatequota option must have a nonzero value).
            2. A message arrives for the user through the LMTPD protocol
               (createonpost option must be yes).

            autocreateinboxfolders is a list of INBOX's subfolders separated
            by a "|", that are automatically created by the server under the
            previous two situations.

       autosubscribeinboxfolders: <none>
            A list of folder names, separated by "|", that the users get
            automatically subscribed to, when their INBOX is created. These
            folder names must have been included in the autocreateinboxfolders
            option of the imapd.conf.

       autosubscribesharedfolders: <none>
            A list of shared folders (bulletin boards), separated by "|", that
            the users get automatically subscribed to, after their INBOX is
            created. The shared folder must have been created and the user
            must have the required permissions to get subscribed to it.
            Otherwise, subscribing to the shared folder fails.

       autosubscribe_all_sharedfolders: 0
            If set to yes, the user is automatically subscribed to all shared
            folders that they have permission to subscribe to.

       autocreate_sieve_script: <none>
            The full path of a file that contains a sieve script. This script
            automatically becomes a user's initial default sieve filter
            script. When this option is not defined, no default sieve filter
            is created. The file must be readable by the cyrus daemon.

       autocreate_sieve_compiledscript: <none>
            The full path of a file that contains a sieve script compiled to
            bytecode. This script automatically becomes a user's initial
            default sieve filter script. If this option is not specified, or
            the filename doesn't exist, then the script defined by
            autocreate_sieve_script is compiled on the fly and installed as
            the user's default sieve script.

       generate_compiled_sieve_script: 0
            If set to yes and no compiled sieve script file exists, the sieve
            script which is compiled on the fly will be saved in the file name
            that the autocreate_sieve_compiledscript option points to. For a
            compiled script to be generated, autocreate_sieve_script and
            autocreate_sieve_compiledscript must have valid values.

       autocreate_users: anyone
            A space separated list of users and/or groups whose INBOX may be
            created automatically.

       configdirectory: <none>
            The pathname of the IMAP configuration directory. This field is
            required.

       debug_command: <none>
            Debug command to be used by processes started with -D option. The
            string is a C format string that gets 3 options: the first is the
            name of the executable (without path). The second is the pid
            (integer) and the third is the service ID. Example:
            /usr/local/bin/gdb /usr/cyrus/bin/%s %d

       defaultacl: anyone lrs
            The Access Control List (ACL) placed on a newly-created (non-user)
            mailbox that does not have a parent mailbox.

       defaultdomain: <none>
            The default domain for virtual domain support.

       defaultpartition: default
            The partition name used by default for new mailboxes.

       deleteright: c
            Deprecated - only used for backwards compatibility with existing
            installations. Lists the old RFC 2086 right which was used to
            grant the user the ability to delete a mailbox. If a user has
            this right, they will automatically be given the new 'x' right.

       duplicate_db: berkeley-nosync
            The cyrusdb backend to use for the duplicate delivery suppression
            and sieve.

            Allowed values: berkeley, berkeley-nosync, berkeley-hash,
            berkeley-hash-nosync, skiplist

       duplicatesuppression: 1
            If enabled, lmtpd will suppress delivery of a message to a mailbox
            if a message with the same message-id (or resent-message-id) is
            recorded as having already been delivered to the mailbox. Records
            the mailbox and message-id/resent-message-id of all successful
            deliveries.

       expunge_mode: immediate
            The mode in which messages (and their corresponding cache entries)
            are expunged. "Immediate" mode is the default behavior in which
            the message files and cache entries are purged at the time of the
            EXPUNGE. In "delayed" mode, the messages are removed from the
            mailbox index at the time of the EXPUNGE (hiding them from the
            client), but the message files and cache entries are left behind,
            to be purged at a later time by "cyr_expire". This reduces the
            amount of I/O that takes place at the time of EXPUNGE and should
            result in greater responsiveness for the client, especially when
            expunging a large number of messages.

            Allowed values: immediate, delayed

       flushseenstate: 0
            If enabled, changes to the seen state will be flushed to disk
            immediately, otherwise changes will be cached and flushed when the
            mailbox is closed. This option may be used to fix the problem of
            previously read messages being marked as unread in Microsoft
            Outlook, at the expense of a loss of performance/scalability.

       foolstupidclients: 0
            If enabled, only list the personal namespace when a LIST "*" is
            performed. (It changes the request to a LIST "INBOX*".)

       force_sasl_client_mech: <none>
            Force preference of a given SASL mechanism for client side
            operations (e.g. murder environments). This is separate from (and
            overridden by) the ability to use the <host shortname>_mechs
            option to set preferred mechanisms for a specific host.

       fulldirhash: 0
            If enabled, uses an improved directory hashing scheme which hashes
            the entire username instead of using just the first letter. This
            changes the hash algorithm used for quota and user directories
            and, if hashimapspool is enabled, the entire mail spool.

       Note that this option can NOT be changed on a live system. The server
       must be quiesced and then the directories moved with the rehash
       utility.

       hashimapspool: 0
            If enabled, the partitions will also be hashed, in addition to the
            hashing done on configuration directories. This is recommended if
            one partition has a very bushy mailbox tree.

       hostname_mechs: <none>
            Force a particular list of SASL mechanisms to be used when
            authenticating to the backend server hostname (where hostname is
            the short hostname of the server in question). If it is not
            specified it will query the server for available mechanisms and
            pick one to use. - Cyrus Murder

       hostname_password: <none>
            The password to use for authentication to the backend server
            hostname (where hostname is the short hostname of the server) -
            Cyrus Murder

       idlesocket: {configdirectory}/socket/idle
            Unix domain socket that idled listens on.

       ignorereference: 0
            For backwards compatibility with Cyrus 1.5.10 and earlier --
            ignore the reference argument in LIST or LSUB commands.

       imapidlepoll: 60
            The interval (in seconds) for polling for mailbox changes and
            ALERTs while running the IDLE command. This option is used when
            idled is not enabled or can not be contacted. The minimum value
            is 1. A value of 0 will disable IDLE.

       imapidresponse: 1
            If enabled, the server responds to an ID command with a parameter
            list containing: version, vendor, support-url, os, os-version,
            command, arguments, environment. Otherwise the server returns
            NIL.

       imapmagicplus: 0
            Only list a restricted set of mailboxes via IMAP by using
            userid+namespace syntax as the authentication/authorization id.
            Using userid+ (with an empty namespace) will list only subscribed
            mailboxes.

       implicit_owner_rights: lca
            The implicit Access Control List (ACL) for the owner of a mailbox.

       @include: <none>
            Directive which includes the specified file as part of the
            configuration. If the path to the file is not absolute, CYRUS_PATH
            is prepended.

       improved_mboxlist_sort: 0
            If enabled, a special comparator will be used which will correctly
            sort mailbox names that contain characters such as ' ' and '-'.

       Note that this option SHOULD NOT be changed on a live system. The
       mailboxes database should be dumped before the option is changed,
       removed, and then undumped after changing the option.

       ldap_authz: <none>
            SASL authorization ID for the LDAP server.

       ldap_base: <empty string>
            Contains the LDAP base dn for the LDAP ptloader module.

       ldap_bind_dn: <none>
            Bind DN for the connection to the LDAP server (simple bind). Do
            not use for anonymous simple binds.

       ldap_deref: never
            Specify how aliases dereferencing is handled during search.

            Allowed values: search, find, always, never

       ldap_filter: (uid=%u)
            Specify a filter that searches user identifiers. The following
            tokens can be used in the filter string:

            %%   = %
            %u   = user
            %U   = user portion of %u (%U = test when %u = test@domain.tld)
            %d   = domain portion of %u if available (%d = domain.tld when
                   %u = test@domain.tld), otherwise same as %r
            %D   = user dn (use when ldap_member_method: filter)
            %1-9 = domain tokens (%1 = tld, %2 = domain when %d = domain.tld)

            ldap_filter is not used when ldap_sasl is enabled.
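
The token substitution described for ldap_filter, as an added example that is not part of the Cyrus source. The RFC 4515 escaping of substituted values is an addition of this example, and the user_dn and realm parameters are hypothetical stand-ins for the values behind %D and %r.

```python
import re

# RFC 4515 escapes for characters that are special inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_value(value):
    """Escape a string so it can only ever be a literal assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_ldap_filter(template, user, user_dn="", realm=""):
    """Expand %%, %u, %U, %d, %D and %1-%9 in an ldap_filter style template.

    user_dn and realm are assumptions of this example: the page does not say
    where %D and %r come from, so the caller supplies them.
    """
    local, _, domain = user.partition("@")
    # %1 = tld, %2 = domain, ... so the labels are indexed from the right.
    labels = domain.split(".")[::-1] if domain else []

    def substitute(match):
        token = match.group(1)
        if token == "%":
            return "%"
        if token == "u":
            return escape_value(user)
        if token == "U":
            return escape_value(local)
        if token == "d":
            # Domain portion if available, otherwise the %r stand-in.
            return escape_value(domain or realm)
        if token == "D":
            return escape_value(user_dn)
        index = int(token)
        return escape_value(labels[index - 1]) if index <= len(labels) else ""

    # Tokens not listed on the page (for example %r) are left untouched.
    return re.sub(r"%([%uUdD1-9])", substitute, template)


if __name__ == "__main__":
    # Constructed inputs.
    print(expand_ldap_filter("(uid=%u)", "test@domain.tld"))
    print(expand_ldap_filter("(&(uid=%U)(dc=%2)(dc=%1))", "test@domain.tld"))
    print(expand_ldap_filter("(uid=%u)", "*)(uid=*"))
```

Because every substituted value is escaped, a userid containing filter metacharacters stays inside the single assertion the template intended.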

       ldap_group_base: <empty string>
            LDAP base dn for ldap_group_filter.

       ldap_group_filter: (cn=%u)
            Specify a filter that searches for group identifiers. See
            ldap_filter for more options.

       ldap_group_scope: sub
            Specify search scope for ldap_group_filter.

            Allowed values: sub, one, base

       ldap_id: <none>
            SASL authentication ID for the LDAP server.

       ldap_mech: <none>
            SASL mechanism for LDAP authentication.

       ldap_member_attribute: <none>
            See ldap_member_method.

       ldap_member_base: <empty string>
            LDAP base dn for ldap_member_filter.

       ldap_member_filter: (member=%D)
            Specify a filter for "ldap_member_method: filter". See
            ldap_filter for more options.

       ldap_member_method: attribute
            Specify a group method. The "attribute" method retrieves groups
            from a multi-valued attribute specified in ldap_member_attribute.

            The "filter" method uses a filter, specified by
            ldap_member_filter, to find groups; ldap_member_attribute is a
            single-value attribute group name.

            Allowed values: attribute, filter

       ldap_member_scope: sub
            Specify search scope for ldap_member_filter.

            Allowed values: sub, one, base

       ldap_password: <none>
            Password for the connection to the LDAP server (SASL and simple
            bind). Do not use for anonymous simple binds.

       ldap_realm: <none>
            SASL realm for LDAP authentication.

       ldap_referrals: 0
            Specify whether or not the client should follow referrals.

       ldap_restart: 1
            Specify whether or not LDAP I/O operations are automatically
            restarted if they abort prematurely.

       ldap_sasl: 1
            Use SASL for LDAP binds in the LDAP PTS module.

       ldap_sasl_authc: <none>
            Deprecated. Use ldap_id

       ldap_sasl_authz: <none>
            Deprecated. Use ldap_authz

       ldap_sasl_mech: <none>
            Deprecated. Use ldap_mech

       ldap_sasl_password: <none>
            Deprecated. Use ldap_password

       ldap_sasl_realm: <none>
            Deprecated. Use ldap_realm

       ldap_scope: sub
            Specify search scope.

            Allowed values: sub, one, base

       ldap_servers: ldap://localhost/
            Deprecated. Use ldap_uri

       ldap_size_limit: 1
            Specify a number of entries for a search request to return.

       ldap_start_tls: 0
            Use StartTLS extended operation. Do not use ldaps: ldap_uri when
            this option is enabled.

       ldap_time_limit: 5
            Specify a number of seconds for a search request to complete.

       ldap_timeout: 5
            Specify a number of seconds a search can take before timing out.

       ldap_tls_cacert_dir: <none>
            Path to directory with CA (Certificate Authority) certificates.

       ldap_tls_cacert_file: <none>
            File containing CA (Certificate Authority) certificate(s).

       ldap_tls_cert: <none>
            File containing the client certificate.

       ldap_tls_check_peer: 0
            Require and verify server certificate. If this option is yes, you
            must specify ldap_tls_cacert_file or ldap_tls_cacert_dir.

       ldap_tls_ciphers: <none>
            List of SSL/TLS ciphers to allow. The format of the string is
            described in ciphers(1).

       ldap_tls_key: <none>
            File containing the private client key.

       ldap_uri: <none>
            Contains a list of the URLs of all the LDAP servers when using the
            LDAP PTS module.

       ldap_version: 3
            Specify the LDAP protocol version. If ldap_start_tls and/or
            ldap_use_sasl are enabled, ldap_version will be automatically set
            to 3.

       lmtp_downcase_rcpt: 0
            If enabled, lmtpd will convert the recipient address to lowercase
            (up to a '+' character, if present).

       lmtp_fuzzy_mailbox_match: 0
            If enabled, and the mailbox specified in the detail part of the
            recipient (everything after the '+') does not exist, lmtpd will
            try to find the closest match (ignoring case, ignoring whitespace,
            falling back to parent) to the specified mailbox name.

       lmtp_over_quota_perm_failure: 0
            If enabled, lmtpd returns a permanent failure code when a user's
            mailbox is over quota. By default, the failure is temporary,
            causing the MTA to queue the message and retry later.

       lmtp_strict_quota: 0
            If enabled, lmtpd returns a failure code when the incoming message
            will cause the user's mailbox to exceed its quota. By default,
            the failure won't occur until the mailbox is already over quota.

       lmtpsocket: {configdirectory}/socket/lmtp
            Unix domain socket that lmtpd listens on, used by deliver(8). This
            should match the path specified in cyrus.conf(5).

       loginrealms: <empty string>
            The list of remote realms whose users may authenticate using
            cross-realm authentication identifiers. Separate each realm name
            by a space. (A cross-realm identity is considered any identity
            returned by SASL with an "@" in it.)

       loginuseacl: 0
            If enabled, any authentication identity which has a rights on a
            user's INBOX may log in as that user.

       logtimestamps: 0
            Include notations in the protocol telemetry logs indicating the
            number of seconds since the last command or response.

       mailnotifier: <none>
            Notifyd(8) method to use for "MAIL" notifications. If not set,
            "MAIL" notifications are disabled.

       maxmessagesize: 0
            Maximum incoming LMTP message size. If non-zero, lmtpd will
            reject messages larger than maxmessagesize bytes. If set to 0,
            this will allow messages of any size (the default).

       mboxkey_db: skiplist
            The cyrusdb backend to use for mailbox keys.

            Allowed values: berkeley, skiplist

       mboxlist_db: skiplist
            The cyrusdb backend to use for the mailbox list.

            Allowed values: flat, berkeley, berkeley-hash, skiplist

       metapartition_files: <empty string>
            Space-separated list of metadata files to be stored on a
            metapartition rather than in the mailbox directory on a spool
            partition.

            Allowed values: header, index, cache, expunge, squat

       metapartition-name: <none>
            The pathname of the metadata partition name, corresponding to
            spool partition partition-name. For any mailbox residing in a
            directory on partition-name, the metadata files listed in
            metapartition_files will be stored in a corresponding directory on
            metapartition-name. Note that not every partition-name option is
            required to have a corresponding metapartition-name option, so
            that you can selectively choose which spool partitions will have
            separate metadata partitions.

       mupdate_authname: <none>
            The SASL username (Authentication Name) to use when authenticating
            to the mupdate server (if needed).

       mupdate_config: standard
            The configuration of the mupdate servers in the Cyrus Murder. The
            "standard" config is one in which there are discrete frontend
            (proxy) and backend servers. The "unified" config is one in which
            a server can be both a frontend and backend. The "replicated"
            config is one in which multiple backend servers all share the same
            mailspool, but each have their own "replicated" copy of
            mailboxes.db.

            Allowed values: standard, unified, replicated

       md5_dir: /var/lib/imap/md5
            Top level directory for MD5 store manipulated by make_md5. File
            structure within this directory is one file for each user on the
            system, hashed on the first letter of the userid (e.g:
            /var/lib/imap/md5/d/dpc22).

       Note: This Invoca RPM build uses /var/lib/imap/md5 by default instead
       of /var/imap/md5 for md5_dir.

       md5_user_map: <none>
            Map file (cdb) to allow partial make_md5 runs. Maps username to
            UID.

       munge8bit: 1
            If enabled, lmtpd munges messages with 8-bit characters in the
            headers. The 8-bit characters are changed to `X'. If reject8bit
            is enabled, setting munge8bit has no effect. (A proper solution
            to non-ASCII characters in headers is offered by RFC 2047 and its
            predecessors.)
597
598       mupdate_connections_max: 128
599            The  max  number of connections that a mupdate process will allow,
600            this is related to the number of file descriptors in  the  mupdate
601            process.   Beyond  this  number  connections  will  be immediately
602            issued a BYE response.
603
604       mupdate_password: <none>
605            The SASL password (if needed) to use when  authenticating  to  the
606            mupdate server.
607
608       mupdate_port: 3905
609            The port of the mupdate server for the Cyrus Murder
610
611       mupdate_realm: <none>
612            The  SASL realm (if needed) to use when authenticating to the mup‐
613            date server.
614
615       mupdate_retry_delay: 20
616            The base time to wait between connection retries  to  the  mupdate
617            server.
618
619       mupdate_server: <none>
620            The mupdate server for the Cyrus Murder
621
622       mupdate_username: <empty string>
623            The  SASL username (Authorization Name) to use when authenticating
624            to the mupdate server
625
626       mupdate_workers_max: 50
627            The maximum number of mupdate worker threads (overall)
628
629       mupdate_workers_maxspare: 10
630            The maximum number of idle mupdate worker threads
631
632       mupdate_workers_minspare: 2
633            The minimum number of idle mupdate worker threads
634
635       mupdate_workers_start: 5
636            The number of mupdate worker threads to start
637
638       netscapeurl: <none>
639            If enabled at compile time, this specifies a  URL  to  reply  when
640            Netscape asks the server where the mail administration HTTP server
641            is.  Administrators should set this to a local resource.
642
643       newsmaster: news
644            Userid that is used for checking access  controls  when  executing
645            Usenet  control  messages.   For instance, to allow articles to be
646            automatically deleted by cancel messages, give the "news" user the
647            'd'  right  on  the  desired mailboxes.  To allow newsgroups to be
648            automatically created, deleted and renamed  by  the  corresponding
649            control  messages,  give  the  "news"  user  the  'c' right on the
650            desired mailbox hierarchies.
651
652       newspeer: <none>
653            A list of whitespace-separated news server specifications to which
654            articles  should be fed.  Each server specification is a string of
655            the form [user[:pass]@]host[:port][/wildmat] where 'host'  is  the
656            fully  qualified  hostname  of  the  server, 'port' is the port on
657            which the server is listening, 'user' and 'pass' are the authenti‐
658            cation credentials and 'wildmat' is a pattern that specifies which
659            groups should be fed.  If no 'port'  is  specified,  port  119  is
660            used.   If  no  'wildmat'  is  specified,  all groups are fed.  If
661            'user' is specified (even if empty), then the  NNTP  POST  command
662            will  be  used  to  feed  the article to the server, otherwise the
663            IHAVE command will be used.
664
665            A '@' may be used in place of '!' in the wildmat to prevent  feed‐
666            ing  articles  cross-posted  to  the given group, otherwise cross-
667            posted articles are fed if any part of the wildmat  matches.   For
668            example, the string "peer.example.com:*,!control.*,@local.*" would
669            feed all groups  except  control  messages  and  local  groups  to
670            peer.example.com.   In  the case of cross-posting to local groups,
671            these articles would not be fed.
672
673       newspostuser: <none>
674            Userid used to deliver usenet articles to newsgroup folders  (usu‐
675            ally via lmtp2nntp).  For example, if set to "post", email sent to
676            "post+comp.mail.imap" would be delivered to  the  "comp.mail.imap"
677            folder.
678
679            When  set,  the  Cyrus  NNTP  server will add a To: header to each
680            incoming usenet article.   This  To:  header  will  contain  email
681            delivery  addresses  corresponding  to each newsgroup in the News‐
682            groups: header.  By default, a To: header is not added  to  usenet
683            articles.
684
685       newsprefix: <none>
686            Prefix  to be prepended to newsgroup names to make the correspond‐
687            ing IMAP mailbox names.
688
689       nntptimeout: 3
690            Set the length of the NNTP server's inactivity  autologout  timer,
691            in minutes.  The minimum value is 3, the default.
692
693       notifysocket: {configdirectory}/socket/notify
694            Unix domain socket that the mail notification daemon listens on.
695
696       partition-name: <none>
697            The  pathname  of the partition name.  At least one field, for the
698            partition named in the defaultpartition option, is required.   For
699            example,  if the value of the defaultpartition option is default,
700            then the partition-default field is required.
701
702       plaintextloginpause: 0
703            Number of seconds to pause after  a  successful  plaintext  login.
704            For systems that support strong authentication, this permits users
705            to perceive a cost of using plaintext passwords.  (This  does  not
706            affect the use of PLAIN in SASL authentications.)
707
708       plaintextloginalert: <none>
709            Message to send to client after a successful plaintext login.
710
711       popexpiretime: -1
712            The  number  of days advertised as being the minimum a message may
713            be left on the POP server before it is deleted (via the CAPA  com‐
714            mand,  defined in the POP3 Extension Mechanism, which some clients
715            may support).  "NEVER", the default, may be specified with a nega‐
716            tive  number.  The Cyrus POP3 server never deletes mail, no matter
717            what the value of this parameter is.  However, if  a  site  imple‐
718            ments  a  less  liberal  policy, it needs to change this parameter
719            accordingly.
720
721       popminpoll: 0
722            Set the minimum amount of time the server  forces  users  to  wait
723            between successive POP logins, in minutes.
724
725       popsubfolders: 0
726            Allow  access to subfolders of INBOX via POP3 by using userid+sub‐
727            folder syntax as the authentication/authorization id.
728
729       poppollpadding: 1
730            Create a softer minimum poll restriction.   Allows  poppollpadding
731            connections  before  the  minpoll restriction is triggered.  Addi‐
732            tionally, one padding entry is recovered every popminpoll minutes.
733            This  allows  for  the occasional polling rate faster than popmin‐
734            poll, (i.e. for clients that require a send/receive to send  mail)
735            but still enforces the rate long-term.  Default is 1 (disabled).
736
737            The  easiest  way  to  think of it is a queue of past connections,
738            with one slot being filled for  every  connection,  and  one  slot
739            being  cleared  every  popminpoll minutes. When the queue is full,
740            the user will not be able to check mail  again  until  a  slot  is
741            cleared.  If the user waits a sufficient amount of time, they will
742            get back many or all of the slots.
743
744       poptimeout: 10
745            Set the length of the POP server's inactivity autologout timer, in
746            minutes.  The minimum value is 10, the default.
747
748       popuseacl: 0
749            Enforce  IMAP  ACLs  in  the pop server.  Due to the nature of the
750            POP3 protocol, the only rights which are used by  the  pop  server
751            are  'r'  and  'd'  for  the  owner of the mailbox.  The 'r' right
752            allows the user to open the mailbox  and  list/retrieve  messages.
753            The 'd' right allows the user to delete messages.
754
755       postmaster: postmaster
756            Username that is used as the 'From' address in rejection MDNs pro‐
757            duced by sieve.
758
759       postuser: <empty string>
760            Userid used to deliver messages to shared folders.   For  example,
761            if  set to "bb", email sent to "bb+shared.blah" would be delivered
762            to the "shared.blah" folder.  By  default,  an  email  address  of
763            "+shared.blah" would be used.
764
765       proxy_authname: proxy
766            The  authentication  name  to use when authenticating to a backend
767            server in the Cyrus Murder.
768
769       proxy_password: <none>
770            The default password to  use  when  authenticating  to  a  backend
771            server  in the Cyrus Murder.  May be overridden on a host-specific
772            basis using the hostname_password option.
773
774       proxy_realm: <none>
775            The authentication realm to use when authenticating to  a  backend
776            server in the Cyrus Murder.
777
778       proxyd_allow_status_referral: 0
779            Set  to  true  to  allow proxyd to issue referrals to clients that
780            support it when answering the STATUS command.  This is disabled by
781            default  since  some  clients issue many STATUS commands in a row,
782            and do not cache the connections that these referrals would cause,
783            thus  resulting  in a higher authentication load on the respective
784            backend server.
785
786       proxyservers: <none>
787            A list of users and groups that are allowed  to  proxy  for  other
788            users,  separated  by  spaces.   Any  user  listed in this will be
789            allowed to login for any other user: use with caution.
790
791       pts_module: afskrb
792            The PTS module to use.
793
794            Allowed values: afskrb, ldap
795
796       ptloader_sock: <none>
797            Unix domain socket that ptloader listens on.   (defaults  to  con‐
798            figdir/ptclient/ptsock)
799
800       ptscache_db: berkeley
801            The cyrusdb backend to use for the pts cache.
802
803            Allowed values: berkeley, berkeley-hash, skiplist
804
805       ptscache_timeout: 10800
806            The timeout (in seconds) for the PTS cache database when using the
807            auth_krb_pts authorization method (default: 3 hours).
808
809       ptskrb5_convert524: 1
810            When using the AFSKRB ptloader module with Kerberos  5  canonical‐
811            ization,  do  the  final  524 conversion to get an AFS style name
812            (using '.' instead of '/', and using short names).
813
814       ptskrb5_strip_default_realm: 1
815            When using the AFSKRB ptloader module with Kerberos  5  canonical‐
816            ization,  strip  the  default realm from the userid (this does not
817            affect the stripping of realms specified by the afspts_localrealms
818            option).
819
820       quota_db: quotalegacy
821            The cyrusdb backend to use for quotas.
822
823            Allowed  values: flat, berkeley, berkeley-hash, skiplist, quotale‐
824            gacy
825
826       quotawarn: 90
827            The percent of quota utilization over which the  server  generates
828            warnings.
829
830       quotawarnkb: 0
831            The  maximum amount of free space (in kB) in which to give a quota
832            warning (if this value is 0, or if the quota is smaller than  this
833            amount, then warnings are always given).
834
835       reject8bit: 0
836            If  enabled,  lmtpd  rejects messages with 8-bit characters in the
837            headers.
838
839       rfc2046_strict: 0
840            If enabled, imapd will be strict (per RFC 2046) when matching MIME
841            boundary  strings.   This  means  that boundaries containing other
842            boundaries as substrings will  be  treated  as  identical.   Since
843            enabling  this  option  will break some messages created by Eudora
844            5.1 (and earlier), it is recommended  that  it  be  left  disabled
845            unless there is good reason to do otherwise.
846
847       rfc3028_strict: 1
848            If  enabled,  Sieve  will be strict (per RFC 3028) with regards to
849            which headers are allowed to  be  used  in  address  and  envelope
850            tests.   This  means  that only those headers which are defined to
851            contain addresses will be allowed in address tests and  only  "to"
852            and  "from" will be allowed in envelope tests.  When disabled, ANY
853            grammatically correct header will be allowed.
854
855       sasl_auto_transition: 0
856            If enabled, the SASL library will automatically create authentica‐
857            tion  secrets when given a plaintext password.  See the SASL docu‐
858            mentation.
859
860       sasl_maximum_layer: 256
861            Maximum SSF (security strength factor) that the server will  allow
862            a client to negotiate.
863
864       sasl_minimum_layer: 0
865            The  minimum SSF that the server will allow a client to negotiate.
866            A value of 1  requires  integrity  protection;  any  higher  value
867            requires some amount of encryption.
868
869       sasl_option: 0
870            Any  SASL  option  can  be set by preceding it with "sasl_".  This
871            file overrides the SASL configuration file.
872
873       sasl_pwcheck_method: <none>
874            The mechanism used by the server to  verify  plaintext  passwords.
875            Possible values include "auxprop", "saslauthd", and "pwcheck".
876
877       seenstate_db: skiplist
878            The cyrusdb backend to use for the seen state.
879
880            Allowed values: flat, berkeley, berkeley-hash, skiplist
881
882       sendmail: /usr/lib/sendmail
883            The  pathname  of the sendmail executable.  Sieve invokes sendmail
884            for sending rejections, redirects and vacation responses.
885
886       sendsms: /usr/bin/sendsms
887            The pathname of the sendsms executable.  Sieve invokes sendsms for
888            sending SMS notifications.
889
890       servername: <none>
891            This  is the hostname visible in the greeting messages of the POP,
892            IMAP and LMTP daemons. If it is unset, then  the  result  returned
893            from gethostname(2) is used.
894
895       sharedprefix: Shared Folders
896            If  using  the alternate IMAP namespace, the prefix for the shared
897            namespace.   The  hierarchy  delimiter   will   be   automatically
898            appended.
899
900       sieve_allowreferrals: 1
901            If  enabled,  timsieved  will  issue referrals to clients when the
902            user's scripts reside on a remote server (in  a  Murder).   Other‐
903            wise, timsieved will proxy traffic to the remote server.
904
905       sieve_extensions:  fileinto  reject  vacation imapflags notify envelope
906       relational regex subaddress copy
907            Space-separated list of Sieve extensions allowed  to  be  used  in
908            sieve scripts, enforced at submission by timsieved(8).  Any previ‐
909            ously installed script will be unaffected by this option and  will
910            continue  to  execute  regardless  of  the  extensions used.  This
911            option has no effect on options that are disabled at compile  time
912            (e.g. "regex").
913
914            Allowed  values:  fileinto,  reject,  vacation, imapflags, notify,
915            include, envelope, body, relational, regex, subaddress, copy
916
917       sieve_maxscriptsize: 32
918            Maximum size (in kilobytes) any sieve script can be,  enforced  at
919            submission by timsieved(8).
920
921       sieve_maxscripts: 5
922            Maximum  number  of  sieve  scripts any user may have, enforced at
923            submission by timsieved(8).
924
925       sievedir: /usr/sieve
926            If sieveusehomedir is false, this directory is searched for  Sieve
927            scripts.
928
929       sievenotifier: <none>
930            Notifyd(8)  method  to use for "SIEVE" notifications.  If not set,
931            "SIEVE" notifications are disabled.
932
933            This method is only used when no method is specified in the script.
934
935       sieveusehomedir: 0
936            If enabled, lmtpd will look  for  Sieve  scripts  in  user's  home
937            directories: ~user/.sieve.
938
939       anysievefolder: 0
940            It  must be "yes" in order to permit the autocreation of any INBOX
941            subfolder requested by a  sieve  filter,  through  the  "fileinto"
942            action. (default = no)
943
944       autosievefolders: <none>
945            It  is  a  "|"  separated list of subfolders of INBOX that will be
946            automatically created, if requested by a sieve filter, through the
947            "fileinto"  action. (default = null)  For example: autosievefolders:
948            Junk | Spam
949
950       singleinstancestore: 1
951            If enabled, imapd, lmtpd and nntpd attempt to only write one  copy
952            of  a  message per partition and create hard links, resulting in a
953            potentially large disk savings.
954
955       skiplist_unsafe: 0
956            If enabled, this option forces the skiplist cyrusdb backend to not
957            sync writes to the disk.  Enabling this option is NOT RECOMMENDED.
958
959       soft_noauth: 1
960            If  enabled,  lmtpd  returns temporary failures if the client does
961            not successfully authenticate.  Otherwise lmtpd returns  permanent
962            failures (causing the mail to bounce immediately).
963
964       srvtab: <empty string>
965            The  pathname  of srvtab file containing the server's private key.
966            This option is passed  to  the  SASL  library  and  overrides  its
967            default setting.
968
969       submitservers: <none>
970            A   list   of  users  and  groups  that  are  allowed  to  resolve
971            "urlauth=submit+" IMAP URLs, separated by spaces.  Any user listed
972            in  this  will  be  allowed  to  fetch  the  contents of any valid
973            "urlauth=submit+" IMAP URL: use with caution.
974
975       subscription_db: flat
976            The cyrusdb backend to use for the subscriptions list.
977
978            Allowed values: flat, berkeley, berkeley-hash, skiplist
979
980       sync_authname: <none>
981            The authentication name to  use  when  authenticating  to  a  sync
982            server.
983
984       sync_batch_size: 0
985            Maximum  number of messages to upload to a replica at one time.  A
986            batch size of 0, the default, will disable batching (ALL  messages
987            will be sent).
988
989       sync_host: <none>
990            Name  of the host (replica running sync_server(8)) to which repli‐
991            cation actions will be sent by sync_client(8).
992
993       sync_log: 0
994            Enable replication action logging by lmtpd(8), imapd(8), pop3d(8),
995            and  nntpd(8).   The  log  {configdirectory}/sync/log  is  used by
996            sync_client(8) for "rolling" replication.
997
998       sync_machineid: -1
999            Machine ID of this server which must be unique within  a  cluster.
1000            Any  negative  number,  the default, will disable the use of UUIDs
1001            for replication.
1002
1003       sync_password: <none>
1004            The default password to use when authenticating to a sync server.
1005
1006       sync_realm: <none>
1007            The authentication realm to use  when  authenticating  to  a  sync
1008            server.
1009
1010       sync_repeat_interval: 1
1011            Minimum  interval (in seconds) between replication runs in rolling
1012            replication mode. If a replication  run  takes  longer  than  this
1013            time, we repeat immediately.
1014
1015       sync_shutdown_file: <none>
1016            Simple  latch used to tell sync_client(8) that it should shut down
1017            at the next opportunity. Safer than  sending  signals  to  running
1018            processes.
1019
1020       syslog_prefix: <none>
1021            String to be prepended to the process name in syslog entries.
1022
1023       temp_path: /tmp
1024            The pathname to store temporary files in.
1025
1026       timeout: 30
1027            The  length  of  the IMAP server's inactivity autologout timer, in
1028            minutes.  The minimum value is 30, the default.
1029
1030       tls_ca_file: <none>
1031            File containing one or more Certificate  Authority  (CA)  certifi‐
1032            cates.
1033
1034       tls_ca_path: <none>
1035            Path  to  directory with certificates of CAs.  This directory must
1036            have filenames with the  hashed  value  of  the  certificate  (see
1037            openssl(XXX)).
1038
1039       tlscache_db: berkeley-nosync
1040            The cyrusdb backend to use for the TLS cache.
1041
1042            Allowed  values:  berkeley, berkeley-nosync, berkeley-hash, berke‐
1043            ley-hash-nosync, skiplist
1044
1045       tls_cert_file: <none>
1046            File containing the certificate presented for  server  authentica‐
1047            tion during STARTTLS.  A value of "disabled" will disable SSL/TLS.
1048
1049       tls_cipher_list: DEFAULT
1050            The list of SSL/TLS ciphers to allow.  The format of the string is
1051            described in ciphers(1).
1052
1053       tls_key_file: <none>
1054            File containing the private key belonging to the  server  certifi‐
1055            cate.  A value of "disabled" will disable SSL/TLS.
1056
1057       tls_require_cert: 0
1058            Require  a  client certificate for ALL services (imap, pop3, lmtp,
1059            sieve).
1060
1061       tls_session_timeout: 1440
1062            The length of time (in minutes) that a TLS session will be  cached
1063            for  later  reuse.   The  maximum  value  is  1440 (24 hours), the
1064            default.  A value of 0 will disable session caching.
1065
1066       umask: 077
1067            The umask value used by various Cyrus IMAP programs.
1068
1069       username_tolower: 1
1070            Convert usernames  to  all  lowercase  before  login/authenticate.
1071            This is useful with authentication backends which ignore case dur‐
1072            ing username lookups (such as LDAP).
1073
1074       userprefix: Other Users
1075            If using the alternate IMAP namespace, the prefix  for  the  other
1076            users  namespace.   The  hierarchy delimiter will be automatically
1077            appended.
1078
1079       unix_group_enable: 1
1080            Should we look up groups when using auth_unix (disable this if you
1081            are  not  using  groups  in ACLs for your IMAP server, and you are
1082            using auth_unix with a backend (such as LDAP) that can  make  get‐
1083            grent() calls very slow)
1084
1085       unixhierarchysep: 0
1086            Use  the  UNIX  separator  character  '/' for delimiting levels of
1087            mailbox hierarchy.  The default is to use  the  netnews  separator
1088            character '.'.
1089
1090       virtdomains: off
1091            Enable virtual domain support.  If enabled, the user's domain will
1092            be determined by splitting a fully qualified userid  at  the  last
1093            '@'  or '%' symbol.  If the userid is unqualified, and the virtdo‐
1094            mains option is set to "on", then the domain will be determined by
1095            doing  a  reverse lookup on the IP address of the incoming network
1096            interface, otherwise the user is assumed  to  be  in  the  default
1097            domain (if set).
1098
1099            Allowed values: off, userid, on
1100
1101       normalizeuid: 0
1102            Lowercase  uid and strip leading and trailing blanks. It is recom‐
1103            mended to set this to yes,  especially  if  OpenLDAP  is  used  as
1104            authentication source.
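
The following is an added example, not part of Cyrus IMAP, that reads a file in the "option: value" format described above and reports settings this page itself marks as risky or that weaken transport protection (sasl_minimum_layer, proxyservers, submitservers, skiplist_unsafe, tls_cert_file, tls_key_file, umask, and the *_password options). The function names, the wording of the findings and the sample configuration are assumptions made for the illustration.

```python
TRUE_VALUES = {"yes", "on", "t", "true", "1"}

# Constructed sample configuration, not taken from a real server.
SAMPLE = """\
# weak settings for demonstration
admins: cyrusadmin
sasl_minimum_layer: 0
proxyservers: murder-frontend
skiplist_unsafe: yes
tls_cert_file: disabled
tls_key_file: /etc/ssl/private/imap.key
umask: 022
proxy_password: example-only
"""


def parse_conf(text):
    """Parse 'option: value' lines; blank lines and '#' lines are ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        option, sep, value = line.partition(":")
        if sep:
            conf[option.strip()] = value.strip()
    return conf


def audit(text):
    """Return a list of (option, reason) findings for the given config text."""
    conf = parse_conf(text)
    findings = []

    # 0 requires nothing, 1 only integrity; anything higher needs encryption.
    if int(conf.get("sasl_minimum_layer", "0")) < 2:
        findings.append(("sasl_minimum_layer", "clients may negotiate no encryption"))

    # Both options are documented with "use with caution".
    for option, power in (("proxyservers", "log in as any other user"),
                          ("submitservers", "fetch any urlauth=submit+ URL")):
        ids = conf.get(option, "").split()
        if ids:
            findings.append((option, "%s may %s" % (", ".join(ids), power)))

    if conf.get("skiplist_unsafe", "0").lower() in TRUE_VALUES:
        findings.append(("skiplist_unsafe", "skiplist writes are not synced to disk"))

    # Unset (<none>) or "disabled" leaves the server without usable TLS material.
    for option in ("tls_cert_file", "tls_key_file"):
        if conf.get(option, "").lower() in ("", "disabled"):
            findings.append((option, "unset or disabled: SSL/TLS not available"))

    # The default 077 masks all group/other bits; anything looser is reported.
    if int(conf.get("umask", "077"), 8) & 0o077 != 0o077:
        findings.append(("umask", "created files may be group/other accessible"))

    # proxy_password, sync_password and hostname_password sit in clear text.
    for option in sorted(conf):
        if option.endswith("_password"):
            findings.append((option, "clear-text password: restrict file access"))
    return findings


if __name__ == "__main__":
    for option, reason in audit(SAMPLE):
        print("%-20s %s" % (option, reason))
```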
1105
1106

SEE ALSO

1108       imapd(8),  pop3d(8),  nntpd(8), lmtpd(8), timsieved(8), idled(8), noti‐
1109       fyd(8), deliver(8), cyrus-master(8), ciphers(1)
1110
1111
1112
1113
1114CMU                              Project Cyrus                   IMAPD.CONF(5)