IMAPD.CONF(5)                File Formats Manual               IMAPD.CONF(5)

imapd.conf - IMAP configuration file

/etc/imapd.conf is the configuration file for the Cyrus IMAP server.
It defines local parameters for IMAP.

Each line of the /etc/imapd.conf file has the form

    option: value

where option is the name of the configuration option being set and
value is the value that the configuration option is being set to.

Blank lines and lines beginning with ``#'' are ignored.

For boolean and enumerated options, the values ``yes'', ``on'', ``t'',
``true'' and ``1'' turn the option on, the values ``no'', ``off'',
``f'', ``false'' and ``0'' turn the option off.

The sections below detail options that can be placed in the
/etc/imapd.conf file, and show each option's default value. Some
options have no default value; these are listed with ``<no default>''.
Some options default to the empty string; these are listed with
``<none>''.

admins: <empty string>
    The list of userids with administrative rights. Separate each
    userid with a space. Sites using Kerberos authentication may use
    separate "admin" instances.

    Note that accounts used by users should not be administrators.
    Administrative accounts should not receive mail. That is, if user
    "jbRo" is a user reading mail, he should not also be in the admins
    line. Some problems may occur otherwise, most notably the ability
    of administrators to create top-level mailboxes visible to users,
    but not writable by users.

afspts_localrealms: <none>
    The list of realms which are to be treated as local, and thus
    stripped during identifier canonicalization (for the AFSPTS
    ptloader module). This is different from loginrealms in that it
    occurs later in the authorization process (as the user id is
    canonified for PTS lookup).

afspts_mycell: <none>
    Cell to use for AFS PTS lookups. Defaults to the local cell.

allowallsubscribe: 0
    Allow subscription to nonexistent mailboxes. This option is
    typically used on backend servers in a Murder so that users can
    subscribe to mailboxes that don't reside on their "home" server.
    This option can also be used as a workaround for IMAP clients
    which don't play well with nonexistent or unselectable mailboxes
    (e.g. Microsoft Outlook).

allowanonymouslogin: 0
    Permit logins by the user "anonymous" using any password. Also
    allows use of the SASL ANONYMOUS mechanism.

allowapop: 1
    Allow use of the POP3 APOP authentication command.

    Note that this command requires that SASL is compiled with APOP
    support, that the plaintext passwords are available in a SASL
    auxprop backend (e.g. sasldb), and that the system can provide
    enough entropy (e.g. from /dev/urandom) to create a challenge in
    the banner.

allownewnews: 0
    Allow use of the NNTP NEWNEWS command.

    Note that this is a very expensive command and should only be
    enabled when absolutely necessary.

allowplaintext: 0
    Allow the use of cleartext passwords on the wire.

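The file format described at the top of this page and the admins,
allowanonymouslogin, allowapop and allowplaintext entries above can be
checked mechanically. The following is an added example, not part of the
Cyrus distribution: the function names, the mail_users parameter and the
sample file are constructed for illustration, and the comment and
duplicate handling are assumptions noted in the code.

```python
import re

# Boolean spellings listed at the top of this page.
ON = {"yes", "on", "t", "true", "1"}
OFF = {"no", "off", "f", "false", "0"}

# Defaults as shown in the entries above.
DEFAULTS = {"allowanonymouslogin": "0", "allowapop": "1", "allowplaintext": "0"}

# "option: value"; the value may itself contain ':' (paths, URLs).
LINE_RE = re.compile(r"^\s*([^:\s]+)\s*:\s*(.*?)\s*$")

# Constructed sample file for this example, not taken from a real server.
SAMPLE = """\
# constructed sample
configdirectory: /var/lib/imap
admins: cyrus jbRo
allowplaintext: yes
allowanonymouslogin: off
allowapop: maybe
this line has no separator
allowplaintext: true
"""


def parse_imapd_conf(text):
    """Parse imapd.conf text into (options, problems)."""
    options, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        # Assumption: a '#' after leading blanks also starts a comment.
        if not stripped or stripped.startswith("#"):
            continue
        match = LINE_RE.match(raw)
        if match is None:
            problems.append((f"line {lineno}", "not in 'option: value' form"))
            continue
        name, value = match.groups()
        if name in options:
            # The page does not say which occurrence the server honours;
            # this example keeps the last one and reports the repeat.
            problems.append((f"line {lineno}", f"{name} is set more than once"))
        options[name] = value
    return options, problems


def as_bool(options, name):
    """Resolve a boolean option, falling back to the documented default."""
    # Assumption: spellings are compared case-insensitively.
    value = options.get(name, DEFAULTS[name]).lower()
    if value in ON:
        return True
    if value in OFF:
        return False
    raise ValueError(f"{value!r} is not one of the documented boolean values")


def audit_auth(text, mail_users=()):
    """Return (where, message) findings for the authentication options."""
    options, findings = parse_imapd_conf(text)
    messages = {
        "allowplaintext": "cleartext passwords are allowed on the wire",
        "allowanonymouslogin": "user 'anonymous' may log in with any password",
        "allowapop": "APOP needs plaintext passwords in a SASL auxprop backend",
    }
    for name, message in messages.items():
        try:
            if as_bool(options, name):
                findings.append((name, message))
        except ValueError as err:
            findings.append((name, str(err)))
    # The admins entry says mail-reading accounts should not be admins.
    for userid in options.get("admins", "").split():
        if userid in mail_users:
            findings.append(("admins", f"{userid} is also a mail-reading account"))
    return findings


if __name__ == "__main__":
    for where, message in audit_auth(SAMPLE, mail_users={"jbRo", "alice"}):
        print(f"{where}: {message}")
```

An empty file still yields one finding, because allowapop defaults to 1.
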
allowusermoves: 0
    Allow moving user accounts (with associated meta-data) via RENAME
    or XFER.

    Note that measures should be taken to make sure that the user
    being moved is not logged in, and can not login during the move.
    Failure to do so may result in the user's meta-data (seen state,
    subscriptions, etc) being corrupted or out of date.

altnamespace: 0
    Use the alternate IMAP namespace, where personal folders reside at
    the same level in the hierarchy as INBOX.

    This option ONLY applies where interaction takes place with the
    client/user. Currently this is limited to the IMAP protocol
    (imapd) and Sieve scripts (lmtpd). This option does NOT apply to
    admin tools such as cyradm (admins ONLY), reconstruct, quota,
    etc., NOR does it affect LMTP delivery of messages directly to
    mailboxes via plus-addressing.

annotation_db: skiplist
    The cyrusdb backend to use for mailbox annotations.

    Allowed values: berkeley, berkeley-hash, skiplist

anyoneuseracl: 1
    Should non-admin users be allowed to set ACLs for the 'anyone'
    user on their mailboxes? In a large organization this can cause
    support problems, but it's enabled by default.

auth_mech: unix
    The authorization mechanism to use.

    Allowed values: unix, pts, krb, krb5

autocreatequota: 0
    If nonzero, normal users may create their own IMAP accounts by
    creating the mailbox INBOX. The user's quota is set to the value
    if it is positive, otherwise the user has unlimited quota.

berkeley_cachesize: 512
    Size (in kilobytes) of the shared memory buffer pool (cache) used
    by the berkeley environment. The minimum allowed value is 20.
    The maximum allowed value is 4194303 (4GB).

berkeley_locks_max: 50000
    Maximum number of locks to be held or requested in the berkeley
    environment.

berkeley_txns_max: 100
    Maximum number of transactions to be supported in the berkeley
    environment.

client_timeout: 10
    Number of seconds to wait before returning a timeout failure when
    performing a client connection (e.g. in a murder environment).

createonpost: 0
    If yes, when lmtpd receives an incoming mail for an INBOX that
    does not exist, then the INBOX is automatically created by lmtpd.

autocreateinboxfolders: <none>
    If a user does not have an INBOX created then the INBOX as well as
    some INBOX subfolders are created under two conditions:

    1. The user logs in via the IMAP or the POP3 protocol
       (autocreatequota option must have a nonzero value).
    2. A message arrives for the user through the LMTPD protocol
       (createonpost option must be yes).

    autocreateinboxfolders is a list of INBOX's subfolders separated
    by a "|", that are automatically created by the server under the
    previous two situations.

autosubscribeinboxfolders: <none>
    A list of folder names, separated by "|", that the users get
    automatically subscribed to, when their INBOX is created. These
    folder names must have been included in the autocreateinboxfolders
    option of the imapd.conf.

autosubscribesharedfolders: <none>
    A list of shared folders (bulletin boards), separated by "|", that
    the users get automatically subscribed to, after their INBOX is
    created. The shared folder must have been created and the user
    must have the required permissions to get subscribed to it.
    Otherwise, subscribing to the shared folder fails.

autosubscribe_all_sharedfolders: 0
    If set to yes, the user is automatically subscribed to all shared
    folders that the user has permission to subscribe to.

autocreate_sieve_script: <none>
    The full path of a file that contains a sieve script. This script
    automatically becomes a user's initial default sieve filter
    script. When this option is not defined, no default sieve filter
    is created. The file must be readable by the cyrus daemon.

autocreate_sieve_compiledscript: <none>
    The full path of a file that contains a sieve script compiled to
    bytecode. This script automatically becomes a user's initial
    default sieve filter script. If this option is not specified, or
    the filename doesn't exist, then the script defined by
    autocreate_sieve_script is compiled on the fly and installed as
    the user's default sieve script.

generate_compiled_sieve_script: 0
    If set to yes and no compiled sieve script file exists, the sieve
    script which is compiled on the fly will be saved in the file name
    that the autocreate_sieve_compiledscript option points to. For a
    compiled script to be generated, autocreate_sieve_script and
    autocreate_sieve_compiledscript must have valid values.

autocreate_users: anyone
    A space separated list of users and/or groups whose INBOX is
    allowed to be automatically created.

configdirectory: <none>
    The pathname of the IMAP configuration directory. This field is
    required.

debug_command: <none>
    Debug command to be used by processes started with -D option. The
    string is a C format string that gets 3 options: the first is the
    name of the executable (without path). The second is the pid
    (integer) and the third is the service ID. Example:

        /usr/local/bin/gdb /usr/cyrus/bin/%s %d

defaultacl: anyone lrs
    The Access Control List (ACL) placed on a newly-created (non-user)
    mailbox that does not have a parent mailbox.

defaultdomain: <none>
    The default domain for virtual domain support.

defaultpartition: default
    The partition name used by default for new mailboxes.

deleteright: c
    Deprecated - only used for backwards compatibility with existing
    installations. Lists the old RFC 2086 right which was used to
    grant the user the ability to delete a mailbox. If a user has
    this right, they will automatically be given the new 'x' right.

duplicate_db: berkeley-nosync
    The cyrusdb backend to use for the duplicate delivery suppression
    and sieve.

    Allowed values: berkeley, berkeley-nosync, berkeley-hash,
    berkeley-hash-nosync, skiplist

duplicatesuppression: 1
    If enabled, lmtpd will suppress delivery of a message to a mailbox
    if a message with the same message-id (or resent-message-id) is
    recorded as having already been delivered to the mailbox. Records
    the mailbox and message-id/resent-message-id of all successful
    deliveries.

expunge_mode: immediate
    The mode in which messages (and their corresponding cache entries)
    are expunged. "Immediate" mode is the default behavior in which
    the message files and cache entries are purged at the time of the
    EXPUNGE. In "delayed" mode, the messages are removed from the
    mailbox index at the time of the EXPUNGE (hiding them from the
    client), but the message files and cache entries are left behind,
    to be purged at a later time by "cyr_expire". This reduces the
    amount of I/O that takes place at the time of EXPUNGE and should
    result in greater responsiveness for the client, especially when
    expunging a large number of messages.

    Allowed values: immediate, delayed

flushseenstate: 0
    If enabled, changes to the seen state will be flushed to disk
    immediately, otherwise changes will be cached and flushed when the
    mailbox is closed. This option may be used to fix the problem of
    previously read messages being marked as unread in Microsoft
    Outlook, at the expense of a loss of performance/scalability.

foolstupidclients: 0
    If enabled, only list the personal namespace when a LIST "*" is
    performed (it changes the request to a LIST "INBOX*").

force_sasl_client_mech: <none>
    Force preference of a given SASL mechanism for client side
    operations (e.g. murder environments). This is separate from (and
    overridden by) the ability to use the <host shortname>_mechs
    option to set preferred mechanisms for a specific host.

fulldirhash: 0
    If enabled, uses an improved directory hashing scheme which hashes
    the entire username instead of using just the first letter. This
    changes the hash algorithm used for quota and user directories
    and, if hashimapspool is enabled, the entire mail spool.

    Note that this option can NOT be changed on a live system. The
    server must be quiesced and then the directories moved with the
    rehash utility.

hashimapspool: 0
    If enabled, the partitions will also be hashed, in addition to the
    hashing done on configuration directories. This is recommended if
    one partition has a very bushy mailbox tree.

hostname_mechs: <none>
    Force a particular list of SASL mechanisms to be used when
    authenticating to the backend server hostname (where hostname is
    the short hostname of the server in question). If it is not
    specified it will query the server for available mechanisms and
    pick one to use. (Cyrus Murder)

hostname_password: <none>
    The password to use for authentication to the backend server
    hostname (where hostname is the short hostname of the server).
    (Cyrus Murder)

idlesocket: {configdirectory}/socket/idle
    Unix domain socket that idled listens on.

ignorereference: 0
    For backwards compatibility with Cyrus 1.5.10 and earlier --
    ignore the reference argument in LIST or LSUB commands.

imapidlepoll: 60
    The interval (in seconds) for polling for mailbox changes and
    ALERTs while running the IDLE command. This option is used when
    idled is not enabled or can not be contacted. The minimum value
    is 1. A value of 0 will disable IDLE.

imapidresponse: 1
    If enabled, the server responds to an ID command with a parameter
    list containing: version, vendor, support-url, os, os-version,
    command, arguments, environment. Otherwise the server returns
    NIL.

imapmagicplus: 0
    Only list a restricted set of mailboxes via IMAP by using
    userid+namespace syntax as the authentication/authorization id.
    Using userid+ (with an empty namespace) will list only subscribed
    mailboxes.

implicit_owner_rights: lca
    The implicit Access Control List (ACL) for the owner of a mailbox.

@include: <none>
    Directive which includes the specified file as part of the
    configuration. If the path to the file is not absolute,
    CYRUS_PATH is prepended.

improved_mboxlist_sort: 0
    If enabled, a special comparator will be used which will correctly
    sort mailbox names that contain characters such as ' ' and '-'.

    Note that this option SHOULD NOT be changed on a live system. The
    mailboxes database should be dumped before the option is changed,
    removed, and then undumped after changing the option.

ldap_authz: <none>
    SASL authorization ID for the LDAP server.

ldap_base: <empty string>
    Contains the LDAP base dn for the LDAP ptloader module.

ldap_bind_dn: <none>
    Bind DN for the connection to the LDAP server (simple bind). Do
    not use for anonymous simple binds.

ldap_deref: never
    Specify how aliases dereferencing is handled during search.

    Allowed values: search, find, always, never

ldap_filter: (uid=%u)
    Specify a filter that searches user identifiers. The following
    tokens can be used in the filter string:

        %%   = %
        %u   = user
        %U   = user portion of %u (%U = test when %u = test@domain.tld)
        %d   = domain portion of %u if available (%d = domain.tld when
               %u = test@domain.tld), otherwise same as %r
        %D   = user dn (use when ldap_member_method: filter)
        %1-9 = domain tokens (%1 = tld, %2 = domain when %d = domain.tld)

    ldap_filter is not used when ldap_sasl is enabled.

ldap_group_base: <empty string>
    LDAP base dn for ldap_group_filter.

ldap_group_filter: (cn=%u)
    Specify a filter that searches for group identifiers. See
    ldap_filter for more options.

ldap_group_scope: sub
    Specify search scope for ldap_group_filter.

    Allowed values: sub, one, base

ldap_id: <none>
    SASL authentication ID for the LDAP server.

ldap_mech: <none>
    SASL mechanism for LDAP authentication.

ldap_member_attribute: <none>
    See ldap_member_method.

ldap_member_base: <empty string>
    LDAP base dn for ldap_member_filter.

ldap_member_filter: (member=%D)
    Specify a filter for "ldap_member_method: filter". See
    ldap_filter for more options.

ldap_member_method: attribute
    Specify a group method. The "attribute" method retrieves groups
    from a multi-valued attribute specified in ldap_member_attribute.

    The "filter" method uses a filter, specified by
    ldap_member_filter, to find groups; ldap_member_attribute is a
    single-value attribute group name.

    Allowed values: attribute, filter

ldap_member_scope: sub
    Specify search scope for ldap_member_filter.

    Allowed values: sub, one, base

ldap_password: <none>
    Password for the connection to the LDAP server (SASL and simple
    bind). Do not use for anonymous simple binds.

ldap_realm: <none>
    SASL realm for LDAP authentication.

ldap_referrals: 0
    Specify whether or not the client should follow referrals.

ldap_restart: 1
    Specify whether or not LDAP I/O operations are automatically
    restarted if they abort prematurely.

ldap_sasl: 1
    Use SASL for LDAP binds in the LDAP PTS module.

ldap_sasl_authc: <none>
    Deprecated. Use ldap_id.

ldap_sasl_authz: <none>
    Deprecated. Use ldap_authz.

ldap_sasl_mech: <none>
    Deprecated. Use ldap_mech.

ldap_sasl_password: <none>
    Deprecated. Use ldap_password.

ldap_sasl_realm: <none>
    Deprecated. Use ldap_realm.

ldap_scope: sub
    Specify search scope.

    Allowed values: sub, one, base

ldap_servers: ldap://localhost/
    Deprecated. Use ldap_uri.

ldap_size_limit: 1
    Specify a number of entries for a search request to return.

ldap_start_tls: 0
    Use StartTLS extended operation. Do not use ldaps: ldap_uri when
    this option is enabled.

ldap_time_limit: 5
    Specify a number of seconds for a search request to complete.

ldap_timeout: 5
    Specify a number of seconds a search can take before timing out.

ldap_tls_cacert_dir: <none>
    Path to directory with CA (Certificate Authority) certificates.

ldap_tls_cacert_file: <none>
    File containing CA (Certificate Authority) certificate(s).

ldap_tls_cert: <none>
    File containing the client certificate.

ldap_tls_check_peer: 0
    Require and verify server certificate. If this option is yes, you
    must specify ldap_tls_cacert_file or ldap_tls_cacert_dir.

ldap_tls_ciphers: <none>
    List of SSL/TLS ciphers to allow. The format of the string is
    described in ciphers(1).

ldap_tls_key: <none>
    File containing the private client key.

ldap_uri: <none>
    Contains a list of the URLs of all the LDAP servers when using the
    LDAP PTS module.

ldap_version: 3
    Specify the LDAP protocol version. If ldap_start_tls and/or
    ldap_use_sasl are enabled, ldap_version will be automatically set
    to 3.

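Several of the ldap_* entries above constrain one another (StartTLS
versus ldaps: URIs, ldap_tls_check_peer and its CA options, ldap_filter
under ldap_sasl, the deprecated names). The following is an added
example, not part of the Cyrus distribution, that checks those
relationships on an already-parsed dict of options; the function names
and sample dicts are constructed, and treating ldap_uri as a
whitespace-separated list is an assumption.

```python
# Boolean spellings that turn an option on, from the top of this page.
ON = {"yes", "on", "t", "true", "1"}

# Defaults as shown in the ldap_* entries above.
DEFAULTS = {"ldap_sasl": "1", "ldap_start_tls": "0", "ldap_tls_check_peer": "0"}

# Deprecated option -> replacement, as stated in the entries above.
DEPRECATED = {
    "ldap_sasl_authc": "ldap_id",
    "ldap_sasl_authz": "ldap_authz",
    "ldap_sasl_mech": "ldap_mech",
    "ldap_sasl_password": "ldap_password",
    "ldap_sasl_realm": "ldap_realm",
    "ldap_servers": "ldap_uri",
}

# Constructed option sets for this example (hosts and paths are made up).
WEAK = {
    "ldap_servers": "ldap://old.example.test/",
    "ldap_uri": "ldaps://ldap.example.test/",
    "ldap_start_tls": "yes",
    "ldap_tls_check_peer": "on",
    "ldap_filter": "(uid=%u)",
}
SIMPLE_BIND = {
    "ldap_uri": "ldap://ldap.example.test/",
    "ldap_sasl": "no",
    "ldap_bind_dn": "cn=cyrus,dc=example,dc=test",
    "ldap_password": "constructed",
}
HARDENED = {
    "ldap_uri": "ldap://ldap.example.test/",
    "ldap_start_tls": "1",
    "ldap_tls_check_peer": "true",
    "ldap_tls_cacert_file": "/etc/pki/example-ca.pem",
}


def enabled(options, name):
    """True when a boolean option (or its documented default) is on."""
    return options.get(name, DEFAULTS[name]).strip().lower() in ON


def check_ldap(options):
    """Return (option, message) findings for a dict of imapd.conf options."""
    findings = [(old, f"deprecated, use {new}")
                for old, new in DEPRECATED.items() if old in options]
    # Assumption: the URL list in ldap_uri is whitespace-separated.
    uris = options.get("ldap_uri", "").split()
    ldaps = any(uri.lower().startswith("ldaps:") for uri in uris)
    start_tls = enabled(options, "ldap_start_tls")
    check_peer = enabled(options, "ldap_tls_check_peer")
    has_ca = bool(options.get("ldap_tls_cacert_file")
                  or options.get("ldap_tls_cacert_dir"))

    if start_tls and ldaps:
        findings.append(("ldap_start_tls",
                         "must not be combined with an ldaps: ldap_uri"))
    if check_peer and not has_ca:
        findings.append(("ldap_tls_check_peer",
                         "needs ldap_tls_cacert_file or ldap_tls_cacert_dir"))
    if (start_tls or ldaps) and not check_peer:
        findings.append(("ldap_tls_check_peer",
                         "server certificate is not required or verified"))
    if enabled(options, "ldap_sasl"):
        if "ldap_filter" in options:
            findings.append(("ldap_filter",
                             "not used when ldap_sasl is enabled"))
    elif options.get("ldap_bind_dn") and not (start_tls or ldaps):
        findings.append(("ldap_password",
                         "simple bind is sent without TLS"))
    return findings


if __name__ == "__main__":
    for label, opts in (("WEAK", WEAK), ("SIMPLE_BIND", SIMPLE_BIND),
                        ("HARDENED", HARDENED)):
        print(label, check_ldap(opts))
```
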
lmtp_downcase_rcpt: 0
    If enabled, lmtpd will convert the recipient address to lowercase
    (up to a '+' character, if present).

lmtp_fuzzy_mailbox_match: 0
    If enabled, and the mailbox specified in the detail part of the
    recipient (everything after the '+') does not exist, lmtpd will
    try to find the closest match (ignoring case, ignoring whitespace,
    falling back to parent) to the specified mailbox name.

lmtp_over_quota_perm_failure: 0
    If enabled, lmtpd returns a permanent failure code when a user's
    mailbox is over quota. By default, the failure is temporary,
    causing the MTA to queue the message and retry later.

lmtp_strict_quota: 0
    If enabled, lmtpd returns a failure code when the incoming message
    will cause the user's mailbox to exceed its quota. By default,
    the failure won't occur until the mailbox is already over quota.

lmtpsocket: {configdirectory}/socket/lmtp
    Unix domain socket that lmtpd listens on, used by deliver(8). This
    should match the path specified in cyrus.conf(5).

loginrealms: <empty string>
    The list of remote realms whose users may authenticate using
    cross-realm authentication identifiers. Separate each realm name
    by a space. (A cross-realm identity is considered any identity
    returned by SASL with an "@" in it.)

loginuseacl: 0
    If enabled, any authentication identity which has 'a' rights on a
    user's INBOX may log in as that user.

logtimestamps: 0
    Include notations in the protocol telemetry logs indicating the
    number of seconds since the last command or response.

mailnotifier: <none>
    Notifyd(8) method to use for "MAIL" notifications. If not set,
    "MAIL" notifications are disabled.

maxmessagesize: 0
    Maximum incoming LMTP message size. If non-zero, lmtpd will
    reject messages larger than maxmessagesize bytes. If set to 0,
    this will allow messages of any size (the default).

mboxkey_db: skiplist
    The cyrusdb backend to use for mailbox keys.

    Allowed values: berkeley, skiplist

mboxlist_db: skiplist
    The cyrusdb backend to use for the mailbox list.

    Allowed values: flat, berkeley, berkeley-hash, skiplist

metapartition_files: <empty string>
    Space-separated list of metadata files to be stored on a
    metapartition rather than in the mailbox directory on a spool
    partition.

    Allowed values: header, index, cache, expunge, squat

metapartition-name: <none>
    The pathname of the metadata partition name, corresponding to
    spool partition partition-name. For any mailbox residing in a
    directory on partition-name, the metadata files listed in
    metapartition_files will be stored in a corresponding directory on
    metapartition-name. Note that not every partition-name option is
    required to have a corresponding metapartition-name option, so
    that you can selectively choose which spool partitions will have
    separate metadata partitions.

mupdate_authname: <none>
    The SASL username (Authentication Name) to use when authenticating
    to the mupdate server (if needed).

mupdate_config: standard
    The configuration of the mupdate servers in the Cyrus Murder. The
    "standard" config is one in which there are discrete frontend
    (proxy) and backend servers. The "unified" config is one in which
    a server can be both a frontend and backend. The "replicated"
    config is one in which multiple backend servers all share the same
    mailspool, but each have their own "replicated" copy of
    mailboxes.db.

    Allowed values: standard, unified, replicated

md5_dir: /var/lib/imap/md5
    Top level directory for MD5 store manipulated by make_md5. File
    structure within this directory is one file for each user on the
    system, hashed on the first letter of the userid (e.g:
    /var/lib/imap/md5/d/dpc22).

    Note: This Invoca RPM build uses /var/lib/imap/md5 by default
    instead of /var/imap/md5 for md5_dir.

md5_user_map: <none>
    Map file (cdb) to allow partial make_md5 runs. Maps username to
    UID.

munge8bit: 1
    If enabled, lmtpd munges messages with 8-bit characters in the
    headers. The 8-bit characters are changed to `X'. If reject8bit
    is enabled, setting munge8bit has no effect. (A proper solution
    to non-ASCII characters in headers is offered by RFC 2047 and its
    predecessors.)

mupdate_connections_max: 128
    The max number of connections that a mupdate process will allow,
    this is related to the number of file descriptors in the mupdate
    process. Beyond this number connections will be immediately
    issued a BYE response.

mupdate_password: <none>
    The SASL password (if needed) to use when authenticating to the
    mupdate server.

mupdate_port: 3905
    The port of the mupdate server for the Cyrus Murder.

mupdate_realm: <none>
    The SASL realm (if needed) to use when authenticating to the
    mupdate server.

mupdate_retry_delay: 20
    The base time to wait between connection retries to the mupdate
    server.

mupdate_server: <none>
    The mupdate server for the Cyrus Murder.

mupdate_username: <empty string>
    The SASL username (Authorization Name) to use when authenticating
    to the mupdate server.

mupdate_workers_max: 50
    The maximum number of mupdate worker threads (overall).

mupdate_workers_maxspare: 10
    The maximum number of idle mupdate worker threads.

mupdate_workers_minspare: 2
    The minimum number of idle mupdate worker threads.

mupdate_workers_start: 5
    The number of mupdate worker threads to start.

netscapeurl: <none>
    If enabled at compile time, this specifies a URL to reply when
    Netscape asks the server where the mail administration HTTP server
    is. Administrators should set this to a local resource.

newsmaster: news
    Userid that is used for checking access controls when executing
    Usenet control messages. For instance, to allow articles to be
    automatically deleted by cancel messages, give the "news" user the
    'd' right on the desired mailboxes. To allow newsgroups to be
    automatically created, deleted and renamed by the corresponding
    control messages, give the "news" user the 'c' right on the
    desired mailbox hierarchies.

newspeer: <none>
    A list of whitespace-separated news server specifications to which
    articles should be fed. Each server specification is a string of
    the form [user[:pass]@]host[:port][/wildmat] where 'host' is the
    fully qualified hostname of the server, 'port' is the port on
    which the server is listening, 'user' and 'pass' are the
    authentication credentials and 'wildmat' is a pattern that
    specifies which groups should be fed. If no 'port' is specified,
    port 119 is used. If no 'wildmat' is specified, all groups are
    fed. If 'user' is specified (even if empty), then the NNTP POST
    command will be used to feed the article to the server, otherwise
    the IHAVE command will be used.

    A '@' may be used in place of '!' in the wildmat to prevent
    feeding articles cross-posted to the given group, otherwise
    cross-posted articles are fed if any part of the wildmat matches.
    For example, the string "peer.example.com:*,!control.*,@local.*"
    would feed all groups except control messages and local groups to
    peer.example.com. In the case of cross-posting to local groups,
    these articles would not be fed.

newspostuser: <none>
    Userid used to deliver usenet articles to newsgroup folders
    (usually via lmtp2nntp). For example, if set to "post", email
    sent to "post+comp.mail.imap" would be delivered to the
    "comp.mail.imap" folder.

    When set, the Cyrus NNTP server will add a To: header to each
    incoming usenet article. This To: header will contain email
    delivery addresses corresponding to each newsgroup in the
    Newsgroups: header. By default, a To: header is not added to
    usenet articles.

newsprefix: <none>
    Prefix to be prepended to newsgroup names to make the
    corresponding IMAP mailbox names.

nntptimeout: 3
    Set the length of the NNTP server's inactivity autologout timer,
    in minutes. The minimum value is 3, the default.

notifysocket: {configdirectory}/socket/notify
    Unix domain socket that the mail notification daemon listens on.

partition-name: <none>
    The pathname of the partition name. At least one field, for the
    partition named in the defaultpartition option, is required. For
    example, if the value of the defaultpartition option is default,
    then the partition-default field is required.

plaintextloginpause: 0
    Number of seconds to pause after a successful plaintext login.
    For systems that support strong authentication, this permits users
    to perceive a cost of using plaintext passwords. (This does not
    affect the use of PLAIN in SASL authentications.)

plaintextloginalert: <none>
    Message to send to client after a successful plaintext login.

popexpiretime: -1
    The number of days advertised as being the minimum a message may
    be left on the POP server before it is deleted (via the CAPA
    command, defined in the POP3 Extension Mechanism, which some
    clients may support). "NEVER", the default, may be specified with
    a negative number. The Cyrus POP3 server never deletes mail, no
    matter what the value of this parameter is. However, if a site
    implements a less liberal policy, it needs to change this
    parameter accordingly.

popminpoll: 0
    Set the minimum amount of time the server forces users to wait
    between successive POP logins, in minutes.

popsubfolders: 0
    Allow access to subfolders of INBOX via POP3 by using
    userid+subfolder syntax as the authentication/authorization id.

poppollpadding: 1
    Create a softer minimum poll restriction. Allows poppollpadding
    connections before the minpoll restriction is triggered.
    Additionally, one padding entry is recovered every popminpoll
    minutes. This allows for the occasional polling rate faster than
    popminpoll, (i.e. for clients that require a send/receive to send
    mail) but still enforces the rate long-term. Default is 1
    (disabled).

    The easiest way to think of it is a queue of past connections,
    with one slot being filled for every connection, and one slot
    being cleared every popminpoll minutes. When the queue is full,
    the user will not be able to check mail again until a slot is
    cleared. If the user waits a sufficient amount of time, they will
    get back many or all of the slots.

poptimeout: 10
    Set the length of the POP server's inactivity autologout timer, in
    minutes. The minimum value is 10, the default.

popuseacl: 0
    Enforce IMAP ACLs in the pop server. Due to the nature of the
    POP3 protocol, the only rights which are used by the pop server
    are 'r' and 'd' for the owner of the mailbox. The 'r' right
    allows the user to open the mailbox and list/retrieve messages.
    The 'd' right allows the user to delete messages.

postmaster: postmaster
    Username that is used as the 'From' address in rejection MDNs
    produced by sieve.

postuser: <empty string>
    Userid used to deliver messages to shared folders. For example,
    if set to "bb", email sent to "bb+shared.blah" would be delivered
    to the "shared.blah" folder. By default, an email address of
    "+shared.blah" would be used.

proxy_authname: proxy
    The authentication name to use when authenticating to a backend
    server in the Cyrus Murder.

proxy_password: <none>
    The default password to use when authenticating to a backend
    server in the Cyrus Murder. May be overridden on a host-specific
    basis using the hostname_password option.

proxy_realm: <none>
    The authentication realm to use when authenticating to a backend
    server in the Cyrus Murder.

proxyd_allow_status_referral: 0
    Set to true to allow proxyd to issue referrals to clients that
    support it when answering the STATUS command. This is disabled by
    default since some clients issue many STATUS commands in a row,
    and do not cache the connections that these referrals would cause,
    thus resulting in a higher authentication load on the respective
    backend server.

proxyservers: <none>
    A list of users and groups that are allowed to proxy for other
    users, separated by spaces. Any user listed in this will be
    allowed to login for any other user: use with caution.

pts_module: afskrb
    The PTS module to use.

    Allowed values: afskrb, ldap

ptloader_sock: <none>
    Unix domain socket that ptloader listens on. (defaults to
    configdir/ptclient/ptsock)

800 ptscache_db: berkeley
801 The cyrusdb backend to use for the pts cache.
802
803 Allowed values: berkeley, berkeley-hash, skiplist
804
805 ptscache_timeout: 10800
806 The timeout (in seconds) for the PTS cache database when using the
807 auth_krb_pts authorization method (default: 3 hours).
808
809 ptskrb5_convert524: 1
810 When using the AFSKRB ptloader module with Kerberos 5
811 canonicalization, do the final 524 conversion to get an AFS style name
812 (using '.' instead of '/', and using short names).
813
814 ptskrb5_strip_default_realm: 1
815 When using the AFSKRB ptloader module with Kerberos 5 canonical‐
816 ization, strip the default realm from the userid (this does not
817 affect the stripping of realms specified by the afspts_localrealms
818 option)
819
820 quota_db: quotalegacy
821 The cyrusdb backend to use for quotas.
822
823 Allowed values: flat, berkeley, berkeley-hash, skiplist, quotale‐
824 gacy
825
826 quotawarn: 90
827 The percent of quota utilization over which the server generates
828 warnings.
829
830 quotawarnkb: 0
831 The maximum amount of free space (in kB) in which to give a quota
832 warning (if this value is 0, or if the quota is smaller than this
833 amount, then warnings are always given).
834
835 reject8bit: 0
836 If enabled, lmtpd rejects messages with 8-bit characters in the
837 headers.
838
839 rfc2046_strict: 0
840 If enabled, imapd will be strict (per RFC 2046) when matching MIME
841 boundary strings. This means that boundaries containing other
842 boundaries as substrings will be treated as identical. Since
843 enabling this option will break some messages created by Eudora
844 5.1 (and earlier), it is recommended that it be left disabled
845 unless there is good reason to do otherwise.
846
847 rfc3028_strict: 1
848 If enabled, Sieve will be strict (per RFC 3028) with regards to
849 which headers are allowed to be used in address and envelope
850 tests. This means that only those headers which are defined to
851 contain addresses will be allowed in address tests and only "to"
852 and "from" will be allowed in envelope tests. When disabled, ANY
853 grammatically correct header will be allowed.
854
855 sasl_auto_transition: 0
856 If enabled, the SASL library will automatically create authentica‐
857 tion secrets when given a plaintext password. See the SASL docu‐
858 mentation.
859
860 sasl_maximum_layer: 256
861 Maximum SSF (security strength factor) that the server will allow
862 a client to negotiate.
863
864 sasl_minimum_layer: 0
865 The minimum SSF that the server will allow a client to negotiate.
866 A value of 1 requires integrity protection; any higher value
867 requires some amount of encryption.
868
869 sasl_option: 0
870 Any SASL option can be set by preceding it with "sasl_". This
871 file overrides the SASL configuration file.
872
873 sasl_pwcheck_method: <none>
874 The mechanism used by the server to verify plaintext passwords.
875 Possible values include "auxprop", "saslauthd", and "pwcheck".
876
877 seenstate_db: skiplist
878 The cyrusdb backend to use for the seen state.
879
880 Allowed values: flat, berkeley, berkeley-hash, skiplist
881
882 sendmail: /usr/lib/sendmail
883 The pathname of the sendmail executable. Sieve invokes sendmail
884 for sending rejections, redirects and vacation responses.
885
886 sendsms: /usr/bin/sendsms
887 The pathname of the sendsms executable. Sieve invokes sendsms for
888 sending SMS notifications.
889
890 servername: <none>
891 This is the hostname visible in the greeting messages of the POP,
892 IMAP and LMTP daemons. If it is unset, then the result returned
893 from gethostname(2) is used.
894
895 sharedprefix: Shared Folders
896 If using the alternate IMAP namespace, the prefix for the shared
897 namespace. The hierarchy delimiter will be automatically
898 appended.
899
900 sieve_allowreferrals: 1
901 If enabled, timsieved will issue referrals to clients when the
902 user's scripts reside on a remote server (in a Murder). Other‐
903 wise, timsieved will proxy traffic to the remote server.
904
905 sieve_extensions: fileinto reject vacation imapflags notify envelope
906 relational regex subaddress copy
907 Space-separated list of Sieve extensions allowed to be used in
908 sieve scripts, enforced at submission by timsieved(8). Any previ‐
909 ously installed script will be unaffected by this option and will
910 continue to execute regardless of the extensions used. This
911 option has no effect on options that are disabled at compile time
912 (e.g. "regex").
913
914 Allowed values: fileinto, reject, vacation, imapflags, notify,
915 include, envelope, body, relational, regex, subaddress, copy
916
917 sieve_maxscriptsize: 32
918 Maximum size (in kilobytes) any sieve script can be, enforced at
919 submission by timsieved(8).
920
921 sieve_maxscripts: 5
922 Maximum number of sieve scripts any user may have, enforced at
923 submission by timsieved(8).
924
925 sievedir: /usr/sieve
926 If sieveusehomedir is false, this directory is searched for Sieve
927 scripts.
928
929 sievenotifier: <none>
930 Notifyd(8) method to use for "SIEVE" notifications. If not set,
931 "SIEVE" notifications are disabled.
932
933 This method is only used when no method is specified in the script.
934
935 sieveusehomedir: 0
936 If enabled, lmtpd will look for Sieve scripts in user's home
937 directories: ~user/.sieve.
938
939 anysievefolder: 0
940 It must be "yes" in order to permit the autocreation of any INBOX
941 subfolder requested by a sieve filter, through the "fileinto"
942 action. (default = no)
943
944 autosievefolders: <none>
945 It is a "|" separated list of subfolders of INBOX that will be
946 automatically created, if requested by a sieve filter, through the
947 "fileinto" action. (default = null) Example: autosievefolders: Junk |
948 Spam
949
950 singleinstancestore: 1
951 If enabled, imapd, lmtpd and nntpd attempt to only write one copy
952 of a message per partition and create hard links, resulting in a
953 potentially large disk savings.
954
955 skiplist_unsafe: 0
956 If enabled, this option forces the skiplist cyrusdb backend to not
957 sync writes to the disk. Enabling this option is NOT RECOMMENDED.
958
959 soft_noauth: 1
960 If enabled, lmtpd returns temporary failures if the client does
961 not successfully authenticate. Otherwise lmtpd returns permanent
962 failures (causing the mail to bounce immediately).
963
964 srvtab: <empty string>
965 The pathname of srvtab file containing the server's private key.
966 This option is passed to the SASL library and overrides its
967 default setting.
968
969 submitservers: <none>
970 A list of users and groups that are allowed to resolve
971 "urlauth=submit+" IMAP URLs, separated by spaces. Any user listed
972 in this will be allowed to fetch the contents of any valid
973 "urlauth=submit+" IMAP URL: use with caution.
974
975 subscription_db: flat
976 The cyrusdb backend to use for the subscriptions list.
977
978 Allowed values: flat, berkeley, berkeley-hash, skiplist
979
980 sync_authname: <none>
981 The authentication name to use when authenticating to a sync
982 server.
983
984 sync_batch_size: 0
985 Maximum number of messages to upload to a replica at one time. A
986 batch size of 0, the default, will disable batching (ALL messages
987 will be sent).
988
989 sync_host: <none>
990 Name of the host (replica running sync_server(8)) to which repli‐
991 cation actions will be sent by sync_client(8).
992
993 sync_log: 0
994 Enable replication action logging by lmtpd(8), imapd(8), pop3d(8),
995 and nntpd(8). The log {configdirectory}/sync/log is used by
996 sync_client(8) for "rolling" replication.
997
998 sync_machineid: -1
999 Machine ID of this server which must be unique within a cluster.
1000 Any negative number, the default, will disable the use of UUIDs
1001 for replication.
1002
1003 sync_password: <none>
1004 The default password to use when authenticating to a sync server.
1005
1006 sync_realm: <none>
1007 The authentication realm to use when authenticating to a sync
1008 server.
1009
1010 sync_repeat_interval: 1
1011 Minimum interval (in seconds) between replication runs in rolling
1012 replication mode. If a replication run takes longer than this
1013 time, we repeat immediately.
1014
1015 sync_shutdown_file: <none>
1016 Simple latch used to tell sync_client(8) that it should shut down
1017 at the next opportunity. Safer than sending signals to running
1018 processes.
1019
1020 syslog_prefix: <none>
1021 String to be prepended to the process name in syslog entries.
1022
1023 temp_path: /tmp
1024 The pathname to store temporary files in.
1025
1026 timeout: 30
1027 The length of the IMAP server's inactivity autologout timer, in
1028 minutes. The minimum value is 30, the default.
1029
1030 tls_ca_file: <none>
1031 File containing one or more Certificate Authority (CA) certifi‐
1032 cates.
1033
1034 tls_ca_path: <none>
1035 Path to directory with certificates of CAs. This directory must
1036 have filenames with the hashed value of the certificate (see
1037 openssl(XXX)).
1038
1039 tlscache_db: berkeley-nosync
1040 The cyrusdb backend to use for the TLS cache.
1041
1042 Allowed values: berkeley, berkeley-nosync, berkeley-hash, berke‐
1043 ley-hash-nosync, skiplist
1044
1045 tls_cert_file: <none>
1046 File containing the certificate presented for server authentica‐
1047 tion during STARTTLS. A value of "disabled" will disable SSL/TLS.
1048
1049 tls_cipher_list: DEFAULT
1050 The list of SSL/TLS ciphers to allow. The format of the string is
1051 described in ciphers(1).
1052
1053 tls_key_file: <none>
1054 File containing the private key belonging to the server certifi‐
1055 cate. A value of "disabled" will disable SSL/TLS.
1056
1057 tls_require_cert: 0
1058 Require a client certificate for ALL services (imap, pop3, lmtp,
1059 sieve).
1060
1061 tls_session_timeout: 1440
1062 The length of time (in minutes) that a TLS session will be cached
1063 for later reuse. The maximum value is 1440 (24 hours), the
1064 default. A value of 0 will disable session caching.
1065
1066 umask: 077
1067 The umask value used by various Cyrus IMAP programs.
1068
1069 username_tolower: 1
1070 Convert usernames to all lowercase before login/authenticate.
1071 This is useful with authentication backends which ignore case dur‐
1072 ing username lookups (such as LDAP).
1073
1074 userprefix: Other Users
1075 If using the alternate IMAP namespace, the prefix for the other
1076 users namespace. The hierarchy delimiter will be automatically
1077 appended.
1078
1079 unix_group_enable: 1
1080 Should we look up groups when using auth_unix (disable this if you
1081 are not using groups in ACLs for your IMAP server, and you are
1082 using auth_unix with a backend (such as LDAP) that can make get‐
1083 grent() calls very slow)
1084
1085 unixhierarchysep: 0
1086 Use the UNIX separator character '/' for delimiting levels of
1087 mailbox hierarchy. The default is to use the netnews separator
1088 character '.'.
1089
1090 virtdomains: off
1091 Enable virtual domain support. If enabled, the user's domain will
1092 be determined by splitting a fully qualified userid at the last
1093 '@' or '%' symbol. If the userid is unqualified, and the virtdo‐
1094 mains option is set to "on", then the domain will be determined by
1095 doing a reverse lookup on the IP address of the incoming network
1096 interface, otherwise the user is assumed to be in the default
1097 domain (if set).
1098
1099 Allowed values: off, userid, on
1100
1101 normalizeuid: 0
1102 Lowercase uid and strip leading and trailing blanks. It is recom‐
1103 mended to set this to yes, especially if OpenLDAP is used as
1104 authentication source.
1105
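The following is an added example, not part of the Cyrus distribution or of the original manual page: a small auditor that parses the "option: value" format described above and flags settings whose descriptions on this page carry a security consequence (sasl_minimum_layer, skiplist_unsafe, proxyservers, submitservers, tls_cert_file, tls_key_file, umask and the *_password options). The thresholds it applies (requiring an SSF above 1, keeping the default umask bits) are assumptions of the example, and the sample input is constructed.

```python
# Added example (not Cyrus code): flag imapd.conf settings this page warns about.
TRUE = {"yes", "on", "t", "true", "1"}  # values that turn a boolean on, per this page

def parse_conf(text):
    """Parse 'option: value' lines; blank lines and '#' lines are ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        option, _, value = line.partition(":")
        conf[option.strip()] = value.strip()
    return conf

def audit(conf):
    """Return (option, finding) pairs; absent options take the page's defaults."""
    out = []
    # SSF 0 = no protection, 1 = integrity only, higher = some encryption.
    if int(conf.get("sasl_minimum_layer", "0")) < 2:
        out.append(("sasl_minimum_layer", "encryption is not required"))
    if conf.get("skiplist_unsafe", "0").lower() in TRUE:
        out.append(("skiplist_unsafe", "skiplist writes are not synced to disk"))
    for option in ("proxyservers", "submitservers"):
        if conf.get(option):
            out.append((option, "broad access granted to: " + conf[option]))
    for option in ("tls_cert_file", "tls_key_file"):
        if conf.get(option) == "disabled":
            out.append((option, "SSL/TLS is disabled"))
    # Assumed policy: keep the default 077 bits so group/other get no access.
    if int(conf.get("umask", "077"), 8) & 0o077 != 0o077:
        out.append(("umask", "new files may be group/other accessible"))
    for option in sorted(conf):
        if option.endswith("_password") and conf[option]:
            out.append((option, "cleartext secret in file; check file permissions"))
    return out

# Constructed sample input, not taken from a real site.
SAMPLE = """\
# weak settings gathered in one file
sasl_minimum_layer: 0
skiplist_unsafe: yes
proxyservers: murder-frontend
proxy_password: example-only
tls_cert_file: disabled
umask: 022
"""

if __name__ == "__main__":
    for option, finding in audit(parse_conf(SAMPLE)):
        print(f"{option}: {finding}")
```
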
1106
1108 imapd(8), pop3d(8), nntpd(8), lmtpd(8), timsieved(8), idled(8), noti‐
1109 fyd(8), deliver(8), cyrus-master(8), ciphers(1)
1110
1111
1112
1113
1114CMU Project Cyrus IMAPD.CONF(5)