IMAPD.CONF(5) File Formats Manual IMAPD.CONF(5)

NAME
imapd.conf - IMAP configuration file

DESCRIPTION
/etc/imapd.conf is the configuration file for the Cyrus IMAP server.
It defines local parameters for IMAP.

Each line of the /etc/imapd.conf file has the form

option: value

where option is the name of the configuration option being set and
value is the value that the configuration option is being set to.

Although there is no limit to the length of a line, a ``\'' (backslash)
character may be used as the last character on a line to force it to
continue on the next one. No additional whitespace is inserted before
or after the ``\''. Note that a line that is split using ``\''
character(s) is still considered a single line. For example

option:\
value1 value2 \
value3

is equivalent to

option: value1 value2 value3

Blank lines and lines beginning with ``#'' are ignored.

For boolean and enumerated options, the values ``yes'', ``on'', ``t'',
``true'' and ``1'' turn the option on, the values ``no'', ``off'',
``f'', ``false'' and ``0'' turn the option off.
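
The line syntax described above, as an added example that is not part of the man page or of Cyrus itself: a small parser that applies the continuation, comment and boolean rules, useful when auditing a configuration file. It assumes that leading whitespace before ``#'' is tolerated and that a repeated option keeps its last value; the sample input is constructed.

```python
"""Parser for the imapd.conf line syntax (added example, not Cyrus code)."""

TRUE_WORDS = {"yes", "on", "t", "true", "1"}
FALSE_WORDS = {"no", "off", "f", "false", "0"}


class ConfigSyntaxError(ValueError):
    """Raised for input that does not fit the 'option: value' form."""


def logical_lines(text):
    """Yield (first_physical_line_number, logical_line) pairs.

    A backslash as the last character joins the next physical line with no
    whitespace inserted. In this example the join happens before the comment
    test (a split line is "still considered a single line"), so a comment
    that ends in a backslash also hides the line that follows it.
    """
    pending, start = "", None
    for number, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = number
        if raw.endswith("\\"):
            pending += raw[:-1]
            continue
        line, first = pending + raw, start
        pending, start = "", None
        # Assumption: leading whitespace before '#' is tolerated.
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        yield first, line
    if start is not None:
        raise ConfigSyntaxError(f"line {start}: continuation runs past end of file")


def parse_imapd_conf(text):
    """Return {option: value}. Assumption: a repeated option keeps the last value."""
    options = {}
    for number, line in logical_lines(text):
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ConfigSyntaxError(f"line {number}: expected 'option: value'")
        options[name.strip()] = value.strip()
    return options


def as_bool(options, name, default):
    """Interpret an option using the on/off words listed in the man page."""
    if name not in options:
        return default
    word = options[name]
    if word in TRUE_WORDS:
        return True
    if word in FALSE_WORDS:
        return False
    raise ConfigSyntaxError(f"{name}: {word!r} is not a boolean value")


# Constructed sample input, not taken from a real deployment.
SAMPLE = """\
# mail store settings
configdirectory: /var/lib/imap
admins: cyrus \\
backupadmin

# disable legacy authentication \\
allowapop: no
allowanonymouslogin: off
"""

if __name__ == "__main__":
    parsed = parse_imapd_conf(SAMPLE)
    for option, value in parsed.items():
        print(f"{option} = {value!r}")
    # The allowapop line was absorbed by the comment above it, so the
    # documented default (1) still applies.
    print("allowapop enabled:", as_bool(parsed, "allowapop", True))
```

The constructed sample shows a review pitfall: a comment line ending in a backslash absorbs the setting below it, so the intended change never takes effect.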

FIELD DESCRIPTIONS
The sections below detail options that can be placed in the
/etc/imapd.conf file, and show each option's default value. Some
options have no default value; these are listed with ``<no default>''.
Some options default to the empty string; these are listed with
``<none>''.

admins: <empty string>
The list of userids with administrative rights. Separate each
userid with a space. Sites using Kerberos authentication may use
separate "admin" instances.

Note that accounts used by users should not be administrators.
Administrative accounts should not receive mail. That is, if user "jbRo" is
a user reading mail, he should not also be in the admins line. Some
problems may occur otherwise, most notably the ability of
administrators to create top-level mailboxes visible to users, but not writable
by users.

afspts_localrealms: <none>
The list of realms which are to be treated as local, and thus
stripped during identifier canonicalization (for the AFSPTS
ptloader module). This is different from loginrealms in that it
occurs later in the authorization process (as the user id is
canonified for PTS lookup).

afspts_mycell: <none>
Cell to use for AFS PTS lookups. Defaults to the local cell.

allowallsubscribe: 0
Allow subscription to nonexistent mailboxes. This option is
typically used on backend servers in a Murder so that users can
subscribe to mailboxes that don't reside on their "home" server.
This option can also be used as a workaround for IMAP clients
which don't play well with nonexistent or unselectable mailboxes
(e.g., Microsoft Outlook).

allowanonymouslogin: 0
Permit logins by the user "anonymous" using any password. Also
allows use of the SASL ANONYMOUS mechanism.

allowapop: 1
Allow use of the POP3 APOP authentication command.

Note that this command requires that SASL is compiled with APOP
support, that the plaintext passwords are available in a SASL auxprop
backend (e.g., sasldb), and that the system can provide enough entropy
(e.g., from /dev/urandom) to create a challenge in the banner.

allownewnews: 0
Allow use of the NNTP NEWNEWS command.

Note that this is a very expensive command and should only be enabled
when absolutely necessary.

allowplaintext: 0
Allow the use of cleartext passwords on the wire.

allowusermoves: 0
Allow moving user accounts (with associated meta-data) via RENAME
or XFER.

Note that measures should be taken to make sure that the user being
moved is not logged in, and cannot log in during the move. Failure to
do so may result in the user's meta-data (seen state, subscriptions,
etc.) being corrupted or out of date.

altnamespace: 0
Use the alternate IMAP namespace, where personal folders reside at
the same level in the hierarchy as INBOX.

This option ONLY applies where interaction takes place with the
client/user. Currently this is limited to the IMAP protocol (imapd)
and Sieve scripts (lmtpd). This option does NOT apply to admin tools
such as cyradm (admins ONLY), reconstruct, quota, etc., NOR does it
affect LMTP delivery of messages directly to mailboxes via
plus-addressing.

annotation_db: skiplist
The cyrusdb backend to use for mailbox annotations.

Allowed values: berkeley, berkeley-hash, skiplist

anyoneuseracl: 1
Should non-admin users be allowed to set ACLs for the 'anyone'
user on their mailboxes? In a large organization this can cause
support problems, but it's enabled by default.

annotation_definitions: <none>
File containing external (third-party) annotation definitions.

Each line of the file specifies the properties of an annotation and has
the following form:

name, scope, attrib-type, proxy-type, attrib-names, acl

name
is the hierarchical name as in the draft standard, typically of
the form /vendor/acme/blurdybloop

scope
specifies whether the annotation is for the server or a mailbox

attrib-type
specifies the attribute data type which is one of: string,
boolean, int, uint, or content-type

proxy-type
specifies whether this attribute is for the backend or proxy
servers or both (proxy_and_backend)

attrib-names
is the space-separated list of available attributes for the
annotation. Possible attribute names are (where the suffixless foo
permits both foo.priv and foo.shared): value, value.shared,
value.priv, size, size.shared, size.priv, modifiedsince,
modifiedsince.shared, modifiedsince.priv, content-type,
content-type.shared, content-type.priv

acl
specifies the extra ACL requirements for setting annotations. This is the
standard IMAP ACL permission bit string format. Particularly
useful is the 'a' right to require admin privileges. Note that some ACL
requirements (read and write on the mailbox) are hard-wired in the
server.

Blank lines and lines beginning with ``#'' are ignored.

auth_mech: unix
The authorization mechanism to use.

Allowed values: unix, pts, krb, krb5

autocreatequota: 0
If nonzero, normal users may create their own IMAP accounts by
creating the mailbox INBOX. The user's quota is set to the value
if it is positive, otherwise the user has unlimited quota.

berkeley_cachesize: 512
Size (in kilobytes) of the shared memory buffer pool (cache) used
by the berkeley environment. The minimum allowed value is 20.
The maximum allowed value is 4194303 (4GB).

berkeley_locks_max: 50000
Maximum number of locks to be held or requested in the berkeley
environment.

berkeley_txns_max: 100
Maximum number of transactions to be supported in the berkeley
environment.

client_timeout: 10
Number of seconds to wait before returning a timeout failure when
performing a client connection (e.g., in a murder environment).

createonpost: 0
If yes, when lmtpd receives an incoming mail for an INBOX that
does not exist, then the INBOX is automatically created by lmtpd.

autocreateinboxfolders: <none>
If a user does not have an INBOX created, then the INBOX as well as
some INBOX subfolders are created under two conditions: 1. The
user logs in via the IMAP or the POP3 protocol (the autocreatequota
option must have a nonzero value). 2. A message arrives for the
user through the LMTPD protocol (the createonpost option must be yes).
autocreateinboxfolders is a list of INBOX's subfolders separated
by a "|", that are automatically created by the server under the
previous two situations.

autosubscribeinboxfolders: <none>
A list of folder names, separated by "|", that the users get
automatically subscribed to, when their INBOX is created. These folder
names must have been included in the autocreateinboxfolders option
of the imapd.conf.

autosubscribesharedfolders: <none>
A list of shared folders (bulletin boards), separated by "|", that
the users get automatically subscribed to, after their INBOX is
created. The shared folder must have been created and the user
must have the required permissions to get subscribed to it.
Otherwise, subscribing to the shared folder fails.

autosubscribe_all_sharedfolders: 0
If set to yes, the user is automatically subscribed to all shared
folders that the user has permission to subscribe to.

autocreate_sieve_script: <none>
The full path of a file that contains a sieve script. This script
automatically becomes a user's initial default sieve filter
script. When this option is not defined, no default sieve filter
is created. The file must be readable by the cyrus daemon.

autocreate_sieve_compiledscript: <none>
The full path of a file that contains a sieve script compiled to
bytecode. This script automatically becomes a user's initial default
sieve filter script. If this option is not specified, or the
filename doesn't exist, then the script defined by
autocreate_sieve_script is compiled on the fly and installed as the
user's default sieve script.

generate_compiled_sieve_script: 0
If set to yes and no compiled sieve script file exists, the sieve
script which is compiled on the fly will be saved in the file name
that the autocreate_sieve_compiledscript option points to. In order for a
compiled script to be generated, autocreate_sieve_script and
autocreate_sieve_compiledscript must have valid values.

autocreate_users: anyone
A space-separated list of users and/or groups whose INBOX is
allowed to be automatically created.

configdirectory: <none>
The pathname of the IMAP configuration directory. This field is
required.

debug_command: <none>
Debug command to be used by processes started with -D option. The
string is a C format string that gets 3 options: the first is the
name of the executable (without path). The second is the pid
(integer) and the third is the service ID. Example:
/usr/local/bin/gdb /usr/cyrus/bin/%s %d

defaultacl: anyone lrs
The Access Control List (ACL) placed on a newly-created (non-user)
mailbox that does not have a parent mailbox.

defaultdomain: <none>
The default domain for virtual domain support.

defaultpartition: <none>
The partition name used by default for new mailboxes. If not
specified, the partition with the most free space will be used for
new mailboxes.

defaultserver: <none>
The backend server name used by default for new mailboxes. If not
specified, the server with the most free space will be used for
new mailboxes.

deletedprefix: DELETED
If "delete_mode" is set to "delayed", the prefix for the deleted
mailboxes hierarchy. The hierarchy delimiter will be
automatically appended.

delete_mode: immediate
The manner in which mailboxes are deleted. "Immediate" mode is the
default behavior in which mailboxes are removed immediately. In
"delayed" mode, mailboxes are renamed to a special hierarchy
defined by the "deletedprefix" option to be removed later by
cyr_expire.

Allowed values: immediate, delayed

deleteright: c
Deprecated - only used for backwards compatibility with existing
installations. Lists the old RFC 2086 right which was used to
grant the user the ability to delete a mailbox. If a user has
this right, they will automatically be given the new 'x' right.

disconnect_on_vanished_mailbox: 0
If enabled, IMAP/POP3/NNTP clients will be disconnected by the
server if the currently selected mailbox is (re)moved by another
session. Otherwise, the missing mailbox is treated as empty while
in use by the client.

duplicate_db: berkeley-nosync
The cyrusdb backend to use for the duplicate delivery suppression
and sieve.

Allowed values: berkeley, berkeley-nosync, berkeley-hash,
berkeley-hash-nosync, skiplist, sql

duplicatesuppression: 1
If enabled, lmtpd will suppress delivery of a message to a mailbox
if a message with the same message-id (or resent-message-id) is
recorded as having already been delivered to the mailbox. Records
the mailbox and message-id/resent-message-id of all successful
deliveries.

expunge_mode: immediate
The mode in which messages (and their corresponding cache entries)
are expunged. "Immediate" mode is the default behavior in which
the message files and cache entries are purged at the time of the
EXPUNGE. In "delayed" mode, the messages are removed from the
mailbox index at the time of the EXPUNGE (hiding them from the
client), but the message files and cache entries are left behind,
to be purged at a later time by "cyr_expire". This reduces the
amount of I/O that takes place at the time of EXPUNGE and should
result in greater responsiveness for the client, especially when
expunging a large number of messages.

Allowed values: immediate, delayed

flushseenstate: 0
If enabled, changes to the seen state will be flushed to disk
immediately, otherwise changes will be cached and flushed when the
mailbox is closed. This option may be used to fix the problem of
previously read messages being marked as unread in Microsoft
Outlook, at the expense of a loss of performance/scalability.

foolstupidclients: 0
If enabled, only list the personal namespace when a LIST "*" is
performed (it changes the request to a LIST "INBOX*").

force_sasl_client_mech: <none>
Force preference of a given SASL mechanism for client side
operations (e.g., murder environments). This is separate from (and
overridden by) the ability to use the <host shortname>_mechs
option to set preferred mechanisms for a specific host.

fulldirhash: 0
If enabled, uses an improved directory hashing scheme which hashes
on the entire username instead of using just the first letter as
the hash. This changes the hash algorithm used for quota and user
directories and, if hashimapspool is enabled, the entire mail
spool.

Note that this option CANNOT be changed on a live system. The server
must be quiesced and then the directories moved with the rehash
utility.

guid_mode: off
The method used to calculate Globally Unique IDentifiers of
messages (used by the replication engine). The "sha1" method
calculates a SHA1 hash of the entire message.

Allowed values: off, sha1

hashimapspool: 0
If enabled, the partitions will also be hashed, in addition to the
hashing done on configuration directories. This is recommended if
one partition has a very bushy mailbox tree.

hostname_mechs: <none>
Force a particular list of SASL mechanisms to be used when
authenticating to the backend server hostname (where hostname is the
short hostname of the server in question). If it is not specified
it will query the server for available mechanisms and pick one to
use. - Cyrus Murder

hostname_password: <none>
The password to use for authentication to the backend server
hostname (where hostname is the short hostname of the server) - Cyrus
Murder

idlesocket: {configdirectory}/socket/idle
Unix domain socket that idled listens on.

ignorereference: 0
For backwards compatibility with Cyrus 1.5.10 and earlier --
ignore the reference argument in LIST or LSUB commands.

imapidlepoll: 60
The interval (in seconds) for polling for mailbox changes and
ALERTs while running the IDLE command. This option is used when
idled is not enabled or cannot be contacted. The minimum value is
1. A value of 0 will disable IDLE.

imapidresponse: 1
If enabled, the server responds to an ID command with a parameter
list containing: version, vendor, support-url, os, os-version,
command, arguments, environment. Otherwise the server returns
NIL.

imapmagicplus: 0
Only list a restricted set of mailboxes via IMAP by using
userid+namespace syntax as the authentication/authorization id.
Using userid+ (with an empty namespace) will list only subscribed
mailboxes.

implicit_owner_rights: lkxa
The implicit Access Control List (ACL) for the owner of a mailbox.

@include: <none>
Directive which includes the specified file as part of the
configuration. If the path to the file is not absolute, CYRUS_PATH is
prepended.

improved_mboxlist_sort: 0
If enabled, a special comparator will be used which will correctly
sort mailbox names that contain characters such as ' ' and '-'.

Note that this option SHOULD NOT be changed on a live system. The
mailboxes database should be dumped before the option is changed,
removed, and then undumped after changing the option.

ldap_authz: <none>
SASL authorization ID for the LDAP server.

ldap_base: <empty string>
Contains the LDAP base dn for the LDAP ptloader module.

ldap_bind_dn: <none>
Bind DN for the connection to the LDAP server (simple bind). Do
not use for anonymous simple binds.

ldap_deref: never
Specify how alias dereferencing is handled during search.

Allowed values: search, find, always, never

ldap_filter: (uid=%u)
Specify a filter that searches user identifiers. The following
tokens can be used in the filter string:

%% = %
%u = user
%U = user portion of %u (%U = test when %u = test@domain.tld)
%d = domain portion of %u if available (%d = domain.tld when %u = test@domain.tld), otherwise same as %r
%D = user dn (use when ldap_member_method: filter)
%1-9 = domain tokens (%1 = tld, %2 = domain when %d = domain.tld)

ldap_filter is not used when ldap_sasl is enabled.
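
The token table above, worked through as an added example that is not Cyrus code: a function that expands the documented tokens into a filter template and escapes each substituted value per RFC 4515, so that characters such as ``*'' or ``('' in a user identifier cannot change the structure of the filter. The escaping step and the `realm` parameter (standing in for %r, which the page names but does not define) are assumptions of this example, not documented ptloader behavior.

```python
"""Expand ldap_filter tokens with RFC 4515 escaping (added example)."""
import re

# RFC 4515 section 3: characters that must be escaped in assertion values.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    """Return value with the filter metacharacters hex-escaped."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_ldap_filter(template, user, realm="", user_dn=None):
    """Substitute the documented tokens into an ldap_filter style template.

    realm is this example's stand-in for %r (assumption); user_dn is the
    value substituted for %D.
    """
    local, at, domain = user.partition("@")
    if not at:
        domain = realm  # "%d ... otherwise same as %r"
    # %1 = tld, %2 = the label before it, and so on.
    labels = domain.split(".")[::-1] if domain else []

    def substitute(match):
        token = match.group(1)
        if token == "%":
            return "%"
        if token == "u":
            raw = user
        elif token == "U":
            raw = local
        elif token == "d":
            raw = domain
        elif token == "D":
            if user_dn is None:
                raise ValueError("%D used but no user DN supplied")
            raw = user_dn
        elif token and token in "123456789":
            index = int(token) - 1
            raw = labels[index] if index < len(labels) else ""
        else:
            raise ValueError(f"unknown or incomplete token %{token}")
        return escape_filter_value(raw)

    return re.sub(r"%(.?)", substitute, template, flags=re.DOTALL)


if __name__ == "__main__":
    # Constructed identifiers, matching the examples in the token table.
    print(expand_ldap_filter("(uid=%u)", "test@domain.tld"))
    print(expand_ldap_filter("(&(uid=%U)(dc=%2)(dc=%1))", "test@domain.tld"))
    print(expand_ldap_filter("(cn=%u)", "a*b(c)"))
```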

ldap_group_base: <empty string>
LDAP base dn for ldap_group_filter.

ldap_group_filter: (cn=%u)
Specify a filter that searches for group identifiers. See
ldap_filter for more options.

ldap_group_scope: sub
Specify search scope for ldap_group_filter.

Allowed values: sub, one, base

ldap_id: <none>
SASL authentication ID for the LDAP server.

ldap_mech: <none>
SASL mechanism for LDAP authentication.

ldap_member_attribute: <none>
See ldap_member_method.

ldap_member_base: <empty string>
LDAP base dn for ldap_member_filter.

ldap_member_filter: (member=%D)
Specify a filter for "ldap_member_method: filter". See
ldap_filter for more options.

ldap_member_method: attribute
Specify a group method. The "attribute" method retrieves groups
from a multi-valued attribute specified in ldap_member_attribute.

The "filter" method uses a filter, specified by
ldap_member_filter, to find groups; ldap_member_attribute is a single-value
attribute group name.

Allowed values: attribute, filter

ldap_member_scope: sub
Specify search scope for ldap_member_filter.

Allowed values: sub, one, base

ldap_password: <none>
Password for the connection to the LDAP server (SASL and simple
bind). Do not use for anonymous simple binds.

ldap_realm: <none>
SASL realm for LDAP authentication.

ldap_referrals: 0
Specify whether or not the client should follow referrals.

ldap_restart: 1
Specify whether or not LDAP I/O operations are automatically
restarted if they abort prematurely.

ldap_sasl: 1
Use SASL for LDAP binds in the LDAP PTS module.

ldap_sasl_authc: <none>
Deprecated. Use ldap_id

ldap_sasl_authz: <none>
Deprecated. Use ldap_authz

ldap_sasl_mech: <none>
Deprecated. Use ldap_mech

ldap_sasl_password: <none>
Deprecated. Use ldap_password

ldap_sasl_realm: <none>
Deprecated. Use ldap_realm

ldap_scope: sub
Specify search scope.

Allowed values: sub, one, base

ldap_servers: ldap://localhost/
Deprecated. Use ldap_uri

ldap_size_limit: 1
Specify a number of entries for a search request to return.

ldap_start_tls: 0
Use StartTLS extended operation. Do not use ldaps: ldap_uri when
this option is enabled.

ldap_time_limit: 5
Specify a number of seconds for a search request to complete.

ldap_timeout: 5
Specify a number of seconds a search can take before timing out.

ldap_tls_cacert_dir: <none>
Path to directory with CA (Certificate Authority) certificates.

ldap_tls_cacert_file: <none>
File containing CA (Certificate Authority) certificate(s).

ldap_tls_cert: <none>
File containing the client certificate.

ldap_tls_check_peer: 0
Require and verify server certificate. If this option is yes, you
must specify ldap_tls_cacert_file or ldap_tls_cacert_dir.

ldap_tls_ciphers: <none>
List of SSL/TLS ciphers to allow. The format of the string is
described in ciphers(1).

ldap_tls_key: <none>
File containing the private client key.

ldap_uri: <none>
Contains a list of the URLs of all the LDAP servers when using the
LDAP PTS module.

ldap_version: 3
Specify the LDAP protocol version. If ldap_start_tls and/or
ldap_use_sasl are enabled, ldap_version will be automatically set
to 3.
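
Several of the LDAP options above constrain one another (ldap_start_tls versus ldaps: URIs, ldap_tls_check_peer versus the CA options, ldap_filter versus ldap_sasl, and the deprecated names). The following added example, which is not part of Cyrus, checks an already-parsed option dictionary against those documented constraints; the finding codes, the function names and the two transport findings (`peer-not-verified`, `cleartext-bind`) are this example's own, and the sample values are constructed.

```python
"""Cross-option checks for the LDAP ptloader settings (added example)."""

TRUE_WORDS = {"yes", "on", "t", "true", "1"}

# Deprecated option -> replacement, as listed in the man page.
DEPRECATED = {
    "ldap_sasl_authc": "ldap_id",
    "ldap_sasl_authz": "ldap_authz",
    "ldap_sasl_mech": "ldap_mech",
    "ldap_sasl_password": "ldap_password",
    "ldap_sasl_realm": "ldap_realm",
    "ldap_servers": "ldap_uri",
}


def enabled(options, name, default):
    """True if the option (or its documented default) is an 'on' word."""
    return options.get(name, default) in TRUE_WORDS


def lint_ldap_options(options):
    """Return a list of (code, message) findings for a parsed option dict."""
    findings = []
    for old, new in DEPRECATED.items():
        if old in options:
            findings.append(("deprecated", f"{old} is deprecated; use {new}"))

    uris = options.get("ldap_uri", options.get("ldap_servers", "")).split()
    ldaps = [u for u in uris if u.lower().startswith("ldaps:")]
    start_tls = enabled(options, "ldap_start_tls", "0")
    check_peer = enabled(options, "ldap_tls_check_peer", "0")
    sasl = enabled(options, "ldap_sasl", "1")
    has_ca = "ldap_tls_cacert_file" in options or "ldap_tls_cacert_dir" in options

    if start_tls and ldaps:
        findings.append(("starttls-with-ldaps",
                         "ldap_start_tls is enabled together with an ldaps: URI"))
    if check_peer and not has_ca:
        findings.append(("check-peer-without-ca",
                         "ldap_tls_check_peer needs ldap_tls_cacert_file or ldap_tls_cacert_dir"))
    if (start_tls or ldaps) and not check_peer:
        findings.append(("peer-not-verified",
                         "TLS is in use but ldap_tls_check_peer is off (the default)"))
    if not sasl and "ldap_password" in options and not start_tls and len(ldaps) < len(uris):
        findings.append(("cleartext-bind",
                         "simple bind password is sent to an ldap: URI without StartTLS"))
    if sasl and "ldap_filter" in options:
        findings.append(("filter-unused",
                         "ldap_filter is not used when ldap_sasl is enabled"))
    if options.get("ldap_version", "3") != "3" and (start_tls or sasl):
        findings.append(("version-overridden",
                         "ldap_version will be set to 3 automatically"))
    return findings


def codes(findings):
    """Sorted finding codes, convenient for comparing results."""
    return sorted(code for code, _ in findings)


# Constructed sample settings; host names and paths are placeholders.
WEAK = {
    "ldap_servers": "ldaps://ldap.example.com/",
    "ldap_start_tls": "yes",
    "ldap_tls_check_peer": "1",
    "ldap_sasl": "0",
    "ldap_filter": "(uid=%u)",
}
CORRECTED = {
    "ldap_uri": "ldap://ldap.example.com/",
    "ldap_start_tls": "yes",
    "ldap_tls_check_peer": "yes",
    "ldap_tls_cacert_file": "/etc/pki/tls/certs/ca.pem",
    "ldap_sasl": "0",
    "ldap_filter": "(uid=%u)",
    "ldap_bind_dn": "cn=cyrus,dc=example,dc=com",
    "ldap_password": "PLACEHOLDER",
}

if __name__ == "__main__":
    for label, settings in (("weak", WEAK), ("corrected", CORRECTED)):
        print(label, codes(lint_ldap_options(settings)))
```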

lmtp_downcase_rcpt: 0
If enabled, lmtpd will convert the recipient addresses to
lowercase (up to a '+' character, if present).

lmtp_fuzzy_mailbox_match: 0
If enabled, and the mailbox specified in the detail part of the
recipient (everything after the '+') does not exist, lmtpd will
try to find the closest match (ignoring case, ignoring whitespace,
falling back to parent) to the specified mailbox name.

lmtp_over_quota_perm_failure: 0
If enabled, lmtpd returns a permanent failure code when a user's
mailbox is over quota. By default, the failure is temporary,
causing the MTA to queue the message and retry later.

lmtp_strict_quota: 0
If enabled, lmtpd returns a failure code when the incoming message
will cause the user's mailbox to exceed its quota. By default,
the failure won't occur until the mailbox is already over quota.

lmtpsocket: {configdirectory}/socket/lmtp
Unix domain socket that lmtpd listens on, used by deliver(8). This
should match the path specified in cyrus.conf(5).

loginrealms: <empty string>
The list of remote realms whose users may authenticate using
cross-realm authentication identifiers. Separate each realm name
by a space. (A cross-realm identity is considered any identity
returned by SASL with an "@" in it.)

loginuseacl: 0
If enabled, any authentication identity which has 'a' rights on a
user's INBOX may log in as that user.

logtimestamps: 0
Include notations in the protocol telemetry logs indicating the
number of seconds since the last command or response.

mailbox_default_options: 0
Default "options" field for the mailbox on create. You'll want to
know what you're doing before setting this, but it can apply some
default annotations like condstore or duplicate suppression.

mailnotifier: <none>
Notifyd(8) method to use for "MAIL" notifications. If not set,
"MAIL" notifications are disabled.

maxheaderlines: 1000
Maximum number of lines of header that will be processed into
cache records. Default 1000. If set to zero, it is unlimited.
If a message hits the limit, an error will be logged and the rest
of the lines in the header will be skipped. This is to avoid
malformed messages causing giant cache records.

maxmessagesize: 0
Maximum incoming LMTP message size. If non-zero, lmtpd will
reject messages larger than maxmessagesize bytes. If set to 0,
this will allow messages of any size (the default).

maxquoted: 131072
Maximum size of a single quoted string for the parser. Default
128k

maxword: 131072
Maximum size of a single word for the parser. Default 128k

mboxkey_db: skiplist
The cyrusdb backend to use for mailbox keys.

Allowed values: berkeley, skiplist

mboxlist_db: skiplist
The cyrusdb backend to use for the mailbox list.

Allowed values: flat, berkeley, berkeley-hash, skiplist

metapartition_files: <empty string>
Space-separated list of metadata files to be stored on a
metapartition rather than in the mailbox directory on a spool
partition.

Allowed values: header, index, cache, expunge, squat

metapartition-name: <none>
The pathname of the metadata partition name, corresponding to
spool partition partition-name. For any mailbox residing in a
directory on partition-name, the metadata files listed in
metapartition_files will be stored in a corresponding directory on
metapartition-name. Note that not every partition-name option is
required to have a corresponding metapartition-name option, so
that you can selectively choose which spool partitions will have
separate metadata partitions.

mupdate_authname: <none>
The SASL username (Authentication Name) to use when authenticating
to the mupdate server (if needed).

mupdate_config: standard
The configuration of the mupdate servers in the Cyrus Murder. The
"standard" config is one in which there are discrete frontend
(proxy) and backend servers. The "unified" config is one in which
a server can be both a frontend and backend. The "replicated"
config is one in which multiple backend servers all share the same
mailspool, but each have their own "replicated" copy of
mailboxes.db.

Allowed values: standard, unified, replicated

md5_dir: /var/lib/imap/md5
Top level directory for MD5 store manipulated by make_md5. File
structure within this directory is one file for each user on the
system, hashed on the first letter of the userid (e.g.,
/var/imap/md5/d/dpc22).

Note: This Invoca RPM build uses /var/lib/imap/md5 by default instead
of /var/imap/md5 for md5_dir.

md5_user_map: <none>
Map file (cdb) to allow partial make_md5 runs. Maps username to
UID

munge8bit: 1
If enabled, lmtpd munges messages with 8-bit characters in the
headers. The 8-bit characters are changed to `X'. If reject8bit
is enabled, setting munge8bit has no effect. (A proper solution
to non-ASCII characters in headers is offered by RFC 2047 and its
predecessors.)

mupdate_connections_max: 128
The max number of connections that a mupdate process will allow;
this is related to the number of file descriptors in the mupdate
process. Beyond this number connections will be immediately
issued a BYE response.

mupdate_password: <none>
The SASL password (if needed) to use when authenticating to the
mupdate server.

mupdate_port: 3905
The port of the mupdate server for the Cyrus Murder

mupdate_realm: <none>
The SASL realm (if needed) to use when authenticating to the
mupdate server.

mupdate_retry_delay: 20
The base time to wait between connection retries to the mupdate
server.

mupdate_server: <none>
The mupdate server for the Cyrus Murder

mupdate_username: <empty string>
The SASL username (Authorization Name) to use when authenticating
to the mupdate server

mupdate_workers_max: 50
The maximum number of mupdate worker threads (overall)

mupdate_workers_maxspare: 10
The maximum number of idle mupdate worker threads

mupdate_workers_minspare: 2
The minimum number of idle mupdate worker threads

mupdate_workers_start: 5
The number of mupdate worker threads to start

netscapeurl: <none>
If enabled at compile time, this specifies a URL to reply when
Netscape asks the server where the mail administration HTTP server
is. Administrators should set this to a local resource.

newsmaster: news
Userid that is used for checking access controls when executing
Usenet control messages. For instance, to allow articles to be
automatically deleted by cancel messages, give the "news" user the
'd' right on the desired mailboxes. To allow newsgroups to be
automatically created, deleted and renamed by the corresponding
control messages, give the "news" user the 'c' right on the
desired mailbox hierarchies.

newspeer: <none>
A list of whitespace-separated news server specifications to which
articles should be fed. Each server specification is a string of
the form [user[:pass]@]host[:port][/wildmat] where 'host' is the
fully qualified hostname of the server, 'port' is the port on
which the server is listening, 'user' and 'pass' are the
authentication credentials and 'wildmat' is a pattern that specifies which
groups should be fed. If no 'port' is specified, port 119 is
used. If no 'wildmat' is specified, all groups are fed. If
'user' is specified (even if empty), then the NNTP POST command
will be used to feed the article to the server, otherwise the
IHAVE command will be used.

A '@' may be used in place of '!' in the wildmat to prevent
feeding articles cross-posted to the given group, otherwise
cross-posted articles are fed if any part of the wildmat matches. For
example, the string "peer.example.com:*,!control.*,@local.*" would
feed all groups except control messages and local groups to
peer.example.com. In the case of cross-posting to local groups,
these articles would not be fed.

newspostuser: <none>
Userid used to deliver usenet articles to newsgroup folders
(usually via lmtp2nntp). For example, if set to "post", email sent to
"post+comp.mail.imap" would be delivered to the "comp.mail.imap"
folder.

When set, the Cyrus NNTP server will add a To: header to each
incoming usenet article. This To: header will contain email
delivery addresses corresponding to each newsgroup in the
Newsgroups: header. By default, a To: header is not added to usenet
articles.

newsprefix: <none>
Prefix to be prepended to newsgroup names to make the
corresponding IMAP mailbox names.

nntptimeout: 3
Set the length of the NNTP server's inactivity autologout timer,
in minutes. The minimum value is 3, the default.

notifysocket: {configdirectory}/socket/notify
Unix domain socket that the mail notification daemon listens on.

partition-name: <none>
The pathname of the partition name. At least one partition
pathname MUST be specified. If the defaultpartition option is used,
then its pathname MUST be specified. For example, if the value of
the defaultpartition option is default, then the partition-default
field is required.
813
814 plaintextloginpause: 0
815 Number of seconds to pause after a successful plaintext login.
816 For systems that support strong authentication, this permits users
817 to perceive a cost of using plaintext passwords. (This does not
818 affect the use of PLAIN in SASL authentications.)
819
820 plaintextloginalert: <none>
821 Message to send to client after a successful plaintext login.
822
823 popexpiretime: -1
824 The number of days advertised as being the minimum a message may
825 be left on the POP server before it is deleted (via the CAPA com‐
826 mand, defined in the POP3 Extension Mechanism, which some clients
827 may support). "NEVER", the default, may be specified with a nega‐
828 tive number. The Cyrus POP3 server never deletes mail, no matter
829 what the value of this parameter is. However, if a site imple‐
830 ments a less liberal policy, it needs to change this parameter
831 accordingly.
832
833 popminpoll: 0
834 Set the minimum amount of time the server forces users to wait
835 between successive POP logins, in minutes.
836
837 popsubfolders: 0
838 Allow access to subfolders of INBOX via POP3 by using userid+sub‐
839 folder syntax as the authentication/authorization id.
840
841 poppollpadding: 1
842 Create a softer minimum poll restriction. Allows poppollpadding
843 connections before the minpoll restriction is triggered. Addi‐
844 tionally, one padding entry is recovered every popminpoll minutes.
845 This allows for the occasional polling rate faster than popmin‐
846 poll, (i.e., for clients that require a send/receive to send mail)
847 but still enforces the rate long-term. Default is 1 (disabled).
848
849 The easiest way to think of it is a queue of past connections,
850 with one slot being filled for every connection, and one slot
851 being cleared every popminpoll minutes. When the queue is full,
852 the user will not be able to check mail again until a slot is
853 cleared. If the user waits a sufficient amount of time, they will
854 get back many or all of the slots.
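
The queue described above can be modelled as a small rate limiter. This is an added example, not Cyrus source code; the class and function names are hypothetical, and it assumes that refused logins do not fill a slot and that the clearing clock starts when the first slot is filled.

```python
class PopPollLimiter:
    """Queue of past connections with poppollpadding slots (model of the text above)."""

    def __init__(self, popminpoll, poppollpadding=1):
        self.popminpoll = popminpoll      # minutes; 0 means no restriction
        self.slots = poppollpadding       # queue capacity
        self.used = 0                     # slots currently filled
        self.last_clear = 0.0             # time the last slot was cleared

    def attempt(self, now):
        """Return True if a POP login at minute `now` is allowed."""
        if self.popminpoll <= 0:
            return True
        if self.used:
            # One slot is cleared for every full popminpoll interval elapsed.
            cleared = min(self.used, int((now - self.last_clear) // self.popminpoll))
            self.used -= cleared
            self.last_clear += cleared * self.popminpoll
        if self.used >= self.slots:
            return False                  # queue full: must wait for a slot
        if self.used == 0:
            self.last_clear = now         # clearing clock starts with the first slot
        self.used += 1
        return True


def simulate(times, popminpoll, poppollpadding):
    """Replay login times (in minutes) and return the allow/refuse decisions."""
    limiter = PopPollLimiter(popminpoll, poppollpadding)
    return [limiter.attempt(t) for t in times]


if __name__ == "__main__":
    # Constructed login times, in minutes.
    print(simulate([0, 1, 2, 3, 5, 6, 20], popminpoll=5, poppollpadding=3))
```

With poppollpadding set to 1 the model reduces to the plain popminpoll restriction; with larger values a short burst is accepted while the long-term rate stays at one login per popminpoll minutes.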
855
856 poptimeout: 10
857 Set the length of the POP server's inactivity autologout timer, in
858 minutes. The minimum value is 10, the default.
859
860 popuseacl: 0
861 Enforce IMAP ACLs in the pop server. Due to the nature of the
862 POP3 protocol, the only rights which are used by the pop server
863 are 'r', 't', and 's' for the owner of the mailbox. The 'r' right
864 allows the user to open the mailbox and list/retrieve messages.
865 The 't' right allows the user to delete messages. The 's' right
866 allows messages retrieved by the user to have the seen flag set
867 (only if popuseimapflags is also enabled).
868
869 popuseimapflags: 0
870 If enabled, the pop server will set and obey IMAP flags. Messages
871 having the deleted flag are ignored as if they do not exist. Mes‐
872 sages that are retrieved by the client will have the seen flag
873 set. All messages will have the recent flag unset.
874
875 postmaster: postmaster
876 Username that is used as the 'From' address in rejection MDNs pro‐
877 duced by sieve.
878
879 postuser: <empty string>
880 Userid used to deliver messages to shared folders. For example,
881 if set to "bb", email sent to "bb+shared.blah" would be delivered
882 to the "shared.blah" folder. By default, an email address of
883 "+shared.blah" would be used.
884
885 proxy_authname: proxy
886 The authentication name to use when authenticating to a backend
887 server in the Cyrus Murder.
888
889 proxy_compress: 0
890 Try to enable protocol-specific compression when performing a
891 client connection to a backend server in the Cyrus Murder.
892
893 Note that this should only be necessary over slow network connections.
894 Also note that currently only IMAP and MUPDATE support compression.
895
896 proxy_password: <none>
897 The default password to use when authenticating to a backend
898 server in the Cyrus Murder. May be overridden on a host-specific
899 basis using the hostname_password option.
900
901 proxy_realm: <none>
902 The authentication realm to use when authenticating to a backend
903 server in the Cyrus Murder.
904
905 proxyd_allow_status_referral: 0
906 Set to true to allow proxyd to issue referrals to clients that
907 support it when answering the STATUS command. This is disabled by
908 default since some clients issue many STATUS commands in a row,
909 and do not cache the connections that these referrals would cause,
910 thus resulting in a higher authentication load on the respective
911 backend server.
912
913 proxyd_disable_mailbox_referrals: 0
914 Set to true to disable the use of mailbox-referrals on the proxy
915 servers.
916
917 proxyservers: <none>
918 A list of users and groups that are allowed to proxy for other
919 users, separated by spaces. Any user listed in this will be
920 allowed to login for any other user: use with caution.
921
922 pts_module: afskrb
923 The PTS module to use.
924
925 Allowed values: afskrb, ldap
926
927 ptloader_sock: <none>
928 Unix domain socket that ptloader listens on. (defaults to con‐
929 figdir/ptclient/ptsock)
930
931 ptscache_db: berkeley
932 The cyrusdb backend to use for the pts cache.
933
934 Allowed values: berkeley, berkeley-hash, skiplist
935
936 ptscache_timeout: 10800
937 The timeout (in seconds) for the PTS cache database when using the
938 auth_krb_pts authorization method (default: 3 hours).
939
940 ptskrb5_convert524: 1
941 When using the AFSKRB ptloader module with Kerberos 5 canonicalization,
942 do the final 524 conversion to get an AFS style name
943 (using '.' instead of '/', and using short names
944
945 ptskrb5_strip_default_realm: 1
946 When using the AFSKRB ptloader module with Kerberos 5 canonical‐
947 ization, strip the default realm from the userid (this does not
948 affect the stripping of realms specified by the afspts_localrealms
949 option).
950
951 qosmarking: cs0
952 This specifies the Class Selector or Differentiated Services Code
953 Point designation on IP headers (in the ToS field).
954
955 Allowed values: cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11,
956 af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43,
957 ef
958
959 quota_db: quotalegacy
960 The cyrusdb backend to use for quotas.
961
962 Allowed values: flat, berkeley, berkeley-hash, skiplist, sql, quo‐
963 talegacy
964
965 quotawarn: 90
966 The percent of quota utilization over which the server generates
967 warnings.
968
969 quotawarnkb: 0
970 The maximum amount of free space (in kB) at which to give a quota
971 warning (if this value is 0, or if the quota is smaller than this
972 amount, then warnings are always given).
973
974 reject8bit: 0
975 If enabled, lmtpd rejects messages with 8-bit characters in the
976 headers.
977
978 rfc2046_strict: 0
979 If enabled, imapd will be strict (per RFC 2046) when matching MIME
980 boundary strings. This means that boundaries containing other
981 boundaries as substrings will be treated as identical. Since
982 enabling this option will break some messages created by Eudora
983 5.1 (and earlier), it is recommended that it be left disabled
984 unless there is good reason to do otherwise.
985
986 rfc3028_strict: 1
987 If enabled, Sieve will be strict (per RFC 3028) with regards to
988 which headers are allowed to be used in address and envelope
989 tests. This means that only those headers which are defined to
990 contain addresses will be allowed in address tests and only "to"
991 and "from" will be allowed in envelope tests. When disabled, ANY
992 grammatically correct header will be allowed.
993
994 sasl_auto_transition: 0
995 If enabled, the SASL library will automatically create authentica‐
996 tion secrets when given a plaintext password. See the SASL docu‐
997 mentation.
998
999 sasl_maximum_layer: 256
1000 Maximum SSF (security strength factor) that the server will allow
1001 a client to negotiate.
1002
1003 sasl_minimum_layer: 0
1004 The minimum SSF that the server will allow a client to negotiate.
1005 A value of 1 requires integrity protection; any higher value
1006 requires some amount of encryption.
1007
1008 sasl_option: 0
1009 Any SASL option can be set by preceding it with "sasl_". This
1010 file overrides the SASL configuration file.
1011
1012 sasl_pwcheck_method: <none>
1013 The mechanism used by the server to verify plaintext passwords.
1014 Possible values include "auxprop", "saslauthd", and "pwcheck".
1015
1016 seenstate_db: skiplist
1017 The cyrusdb backend to use for the seen state.
1018
1019 Allowed values: flat, berkeley, berkeley-hash, skiplist
1020
1021 sendmail: /usr/lib/sendmail
1022 The pathname of the sendmail executable. Sieve invokes sendmail
1023 for sending rejections, redirects and vacation responses.
1024
1025 serverlist: <none>
1026 Whitespace separated list of backend server names. Used for find‐
1027 ing server with the most available free space for proxying CREATE.
1028
1029 servername: <none>
1030 This is the hostname visible in the greeting messages of the POP,
1031 IMAP and LMTP daemons. If it is unset, then the result returned
1032 from gethostname(2) is used.
1033
1034 serverinfo: on
1035 The server information to display in the greeting and capability
1036 responses. Information is displayed as follows:
1037
1038 "off" = no server information in the greeting or capabilities
1039 "min" = servername in the greeting; no server information in the
1040 capabilities
1041 "on" = servername and product version in the greeting; product
1042 version in the capabilities
1043
1044 Allowed values: off, min, on
1045
1046 sha1_dir: <none>
1047 Top level directory for SHA1 store manipulated by make_sha1. File
1048 structure within this directory is one file for each user on the
1049 system, hashed on the first letter of the userid (e.g:
1050 /var/imap/sha1/d/dpc22).
1051
1052 sharedprefix: Shared Folders
1053 If using the alternate IMAP namespace, the prefix for the shared
1054 namespace. The hierarchy delimiter will be automatically
1055 appended.
1056
1057 sieve_allowreferrals: 1
1058 If enabled, timsieved will issue referrals to clients when the
1059 user's scripts reside on a remote server (in a Murder). Other‐
1060 wise, timsieved will proxy traffic to the remote server.
1061
1062 sieve_extensions: fileinto reject vacation imapflags notify envelope
1063 relational regex subaddress copy
1064 Space-separated list of Sieve extensions allowed to be used in
1065 sieve scripts, enforced at submission by timsieved(8). Any previ‐
1066 ously installed script will be unaffected by this option and will
1067 continue to execute regardless of the extensions used. This
1068 option has no effect on options that are disabled at compile time
1069 (e.g., "regex").
1070
1071 Allowed values: fileinto, reject, vacation, imapflags, notify,
1072 include, envelope, body, relational, regex, subaddress, copy
1073
1074 sieve_maxscriptsize: 32
1075 Maximum size (in kilobytes) any sieve script can be, enforced at
1076 submission by timsieved(8).
1077
1078 sieve_maxscripts: 5
1079 Maximum number of sieve scripts any user may have, enforced at
1080 submission by timsieved(8).
1081
1082 sieve_utf8fileinto: 0
1083 If enabled, the sieve engine expects folder names for the fileinto
1084 action in scripts to use UTF8 encoding. Otherwise, modified UTF7
1085 encoding should be used.
1086
1087 sieve_sasl_send_unsolicited_capability: 0
1088 If enabled, timsieved will emit a capability response after a suc‐
1089 cessful SASL authentication, per draft-martin-managesieve-12.txt .
1090
1091 sievedir: /usr/sieve
1092 If sieveusehomedir is false, this directory is searched for Sieve
1093 scripts.
1094
1095 sievenotifier: <none>
1096 Notifyd(8) method to use for "SIEVE" notifications. If not set,
1097 "SIEVE" notifications are disabled.
1098
1099 This method is only used when no method is specified in the script.
1100
1101 sieveusehomedir: 0
1102 If enabled, lmtpd will look for Sieve scripts in user's home
1103 directories: ~user/.sieve.
1104
1105 anysievefolder: 0
1106 It must be "yes" in order to permit the autocreation of any INBOX
1107 subfolder requested by a sieve filter, through the "fileinto"
1108 action. (default = no)
1109
1110 autosievefolders: <none>
1111 It is a "|" separated list of subfolders of INBOX that will be
1112 automatically created, if requested by a sieve filter, through the
1113 "fileinto" action. (default = null) e.g. autosievefolders: Junk |
1114 Spam
1115
1116 singleinstancestore: 1
1117 If enabled, imapd, lmtpd and nntpd attempt to only write one copy
1118 of a message per partition and create hard links, resulting in a
1119 potentially large disk savings.
1120
1121 skiplist_always_checkpoint: 1
1122 If enabled, this option forces the skiplist cyrusdb backend to
1123 always checkpoint when doing a recovery. This causes slightly
1124 more IO, but on the other hand leads to more efficient databases,
1125 and the entire file is already "hot".
1126
1127 skiplist_unsafe: 0
1128 If enabled, this option forces the skiplist cyrusdb backend to not
1129 sync writes to the disk. Enabling this option is NOT RECOMMENDED.
1130
1131 soft_noauth: 1
1132 If enabled, lmtpd returns temporary failures if the client does
1133 not successfully authenticate. Otherwise lmtpd returns permanent
1134 failures (causing the mail to bounce immediately).
1135
1136 sql_database: <none>
1137 Name of the database which contains the cyrusdb table(s).
1138
1139 sql_engine: <none>
1140 Name of the SQL engine to use.
1141
1142 Allowed values: mysql, pgsql, sqlite
1143
1144 sql_hostnames: <empty string>
1145 Comma separated list of SQL servers (in host[:port] format).
1146
1147 sql_passwd: <none>
1148 Password to use for authentication to the SQL server.
1149
1150 sql_user: <none>
1151 Username to use for authentication to the SQL server.
1152
1153 sql_usessl: 0
1154 If enabled, a secure connection will be made to the SQL server.
1155
1156 srvtab: <empty string>
1157 The pathname of srvtab file containing the server's private key.
1158 This option is passed to the SASL library and overrides its
1159 default setting.
1160
1161 submitservers: <none>
1162 A list of users and groups that are allowed to resolve
1163 "urlauth=submit+" IMAP URLs, separated by spaces. Any user listed
1164 in this will be allowed to fetch the contents of any valid
1165 "urlauth=submit+" IMAP URL: use with caution.
1166
1167 subscription_db: flat
1168 The cyrusdb backend to use for the subscriptions list.
1169
1170 Allowed values: flat, berkeley, berkeley-hash, skiplist
1171
1172 statuscache: 0
1173 Enable/disable the imap status cache.
1174
1175 statuscache_db: berkeley-nosync
1176 The cyrusdb backend to use for the imap status cache.
1177
1178 Allowed values: berkeley, berkeley-nosync, berkeley-hash, berke‐
1179 ley-hash-nosync, skiplist
1180
1181 sync_authname: <none>
1182 The authentication name to use when authenticating to a sync
1183 server.
1184
1185 sync_batch_size: 0
1186 Maximum number of messages to upload to a replica at one time. A
1187 batch size of 0, the default, will disable batching (ALL messages
1188 will be sent).
1189
1190 sync_compress: 0
1191 Enable compression on replication traffic.
1192
1193 sync_host: <none>
1194 Name of the host (replica running sync_server(8)) to which repli‐
1195 cation actions will be sent by sync_client(8).
1196
1197 sync_log: 0
1198 Enable replication action logging by lmtpd(8), imapd(8), pop3d(8),
1199 and nntpd(8). The log {configdirectory}/sync/log is used by
1200 sync_client(8) for "rolling" replication.
1201
1202 sync_password: <none>
1203 The default password to use when authenticating to a sync server.
1204
1205 sync_realm: <none>
1206 The authentication realm to use when authenticating to a sync
1207 server.
1208
1209 sync_repeat_interval: 1
1210 Minimum interval (in seconds) between replication runs in rolling
1211 replication mode. If a replication run takes longer than this
1212 time, we repeat immediately.
1213
1214 sync_shutdown_file: <none>
1215 Simple latch used to tell sync_client(8) that it should shut down
1216 at the next opportunity. Safer than sending signals to running
1217 processes.
1218
1219 syslog_prefix: <none>
1220 String to be prepended to the process name in syslog entries.
1221
1222 temp_path: /tmp
1223 The pathname to store temporary files in.
1224
1225 timeout: 30
1226 The length of the IMAP server's inactivity autologout timer, in
1227 minutes. The minimum value is 30, the default.
1228
1229 tls_ca_file: <none>
1230 File containing one or more Certificate Authority (CA) certifi‐
1231 cates.
1232
1233 tls_ca_path: <none>
1234 Path to directory with certificates of CAs. This directory must
1235 have filenames with the hashed value of the certificates (see
1236 openssl(XXX)).
1237
1238 tlscache_db: berkeley-nosync
1239 The cyrusdb backend to use for the TLS cache.
1240
1241 Allowed values: berkeley, berkeley-nosync, berkeley-hash, berke‐
1242 ley-hash-nosync, skiplist, sql
1243
1244 tls_cert_file: <none>
1245 File containing the certificate presented for server authentica‐
1246 tion during STARTTLS. A value of "disabled" will disable SSL/TLS.
1247
1248 tls_cipher_list: DEFAULT
1249 The list of SSL/TLS ciphers to allow. The format of the string is
1250 described in ciphers(1).
1251
1252 tls_key_file: <none>
1253 File containing the private key belonging to the server certifi‐
1254 cate. A value of "disabled" will disable SSL/TLS.
1255
1256 tls_require_cert: 0
1257 Require a client certificate for ALL services (imap, pop3, lmtp,
1258 sieve).
1259
1260 tls_session_timeout: 1440
1261 The length of time (in minutes) that a TLS session will be cached
1262 for later reuse. The maximum value is 1440 (24 hours), the
1263 default. A value of 0 will disable session caching.
1264
1265 umask: 077
1266 The umask value used by various Cyrus IMAP programs.
1267
1268 userdeny_db: flat
1269 The cyrusdb backend to use for the user access list.
1270
1271 Allowed values: flat, berkeley, berkeley-hash, skiplist, sql
1272
1273 user_folder_limit: 0
1274 Limit the number of folders a user can create in their INBOX. Set
1275 to 0 (default) for no limit. Only affects folders in user.
1276
1277 username_tolower: 1
1278 Convert usernames to all lowercase before login/authentication.
1279 This is useful with authentication backends which ignore case dur‐
1280 ing username lookups (such as LDAP).
1281
1282 userprefix: Other Users
1283 If using the alternate IMAP namespace, the prefix for the other
1284 users namespace. The hierarchy delimiter will be automatically
1285 appended.
1286
1287 unix_group_enable: 1
1288 Whether to look up groups when using auth_unix. Disable this if you
1289 are not using groups in ACLs for your IMAP server, and you are
1290 using auth_unix with a backend (such as LDAP) that can make
1291 getgrent() calls very slow.
1292
1293 unixhierarchysep: 0
1294 Use the UNIX separator character '/' for delimiting levels of
1295 mailbox hierarchy. The default is to use the netnews separator
1296 character '.'.
1297
1298 virtdomains: off
1299 Enable virtual domain support. If enabled, the user's domain will
1300 be determined by splitting a fully qualified userid at the last
1301 '@' or '%' symbol. If the userid is unqualified, and the virtdo‐
1302 mains option is set to "on", then the domain will be determined by
1303 doing a reverse lookup on the IP address of the incoming network
1304 interface, otherwise the user is assumed to be in the default
1305 domain (if set).
1306
1307 Allowed values: off, userid, on
1308
1309 normalizeuid: 0
1310 Lowercase uid and strip leading and trailing blanks. It is recom‐
1311 mended to set this to yes, especially if OpenLDAP is used as
1312 authentication source.
1313
1314 tls_prefer_server_ciphers: 0
1315 Prefer the ciphers on the server side instead of the client side.
1316
1317 tls_versions: ssl2 ssl3 tls1_0 tls1_1 tls1_2
1318 A list of SSL/TLS versions to not disable. Cyrus IMAP SSL/TLS
1319 starts with all protocols, and subtracts protocols not in this
1320 list. Newer versions of SSL/TLS will need to be added here to
1321 allow them to get disabled.
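
Several of the options above have defaults or values that this page itself marks as risky. The following added example (not part of Cyrus IMAP; all function names and the sample file are constructed) parses the "option: value" syntax, including backslash continuation, and lists those settings. Treating each one as a review item is an assumed site policy.

```python
TRUE = {"yes", "on", "t", "true", "1"}  # boolean spellings this man page accepts

# Defaults copied from this page for the options checked below.
DEFAULTS = {
    "tls_versions": "ssl2 ssl3 tls1_0 tls1_1 tls1_2",
    "sasl_minimum_layer": "0",
    "serverinfo": "on",
    "skiplist_unsafe": "0",
    "sql_usessl": "0",
}

# Constructed sample configuration, not taken from a real deployment.
SAMPLE = """\
# constructed sample
servername: mail.example.com
tls_versions: tls1_1 \\
 tls1_2
sasl_minimum_layer: 0
serverinfo: min
sql_passwd: placeholder-secret
proxyservers: murderproxy
"""

def parse_imapd_conf(text):
    """Parse 'option: value' lines; a trailing backslash continues the line."""
    conf, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw
        if line.endswith("\\"):
            pending = line[:-1]  # drop the backslash, insert no whitespace
            continue
        pending = ""
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            conf[name.strip()] = value.strip()
    return conf

def audit(conf):
    """Return (option, reason) pairs for settings this page marks as risky."""
    get = lambda key: conf.get(key, DEFAULTS.get(key, ""))
    is_on = lambda key: get(key).lower() in TRUE
    findings = []
    legacy = sorted({"ssl2", "ssl3"} & set(get("tls_versions").split()))
    if legacy:
        findings.append(("tls_versions", "legacy protocols not disabled: " + " ".join(legacy)))
    if get("sasl_minimum_layer") == "0":
        findings.append(("sasl_minimum_layer", "0 requires neither integrity nor encryption"))
    if is_on("skiplist_unsafe"):
        findings.append(("skiplist_unsafe", "skiplist writes are not synced to disk"))
    if is_on("serverinfo"):
        findings.append(("serverinfo", "product version shown in greeting and capabilities"))
    if get("sql_passwd") and not is_on("sql_usessl"):
        findings.append(("sql_usessl", "SQL password set but secure connection disabled"))
    for key, right in (("proxyservers", "log in as any user"),
                       ("submitservers", "fetch any valid urlauth=submit+ URL")):
        if get(key):
            findings.append((key, "'%s' may %s" % (get(key), right)))
    return findings

if __name__ == "__main__":
    for option, reason in audit(parse_imapd_conf(SAMPLE)):
        print("%-20s %s" % (option, reason))
```

An option missing from the file is judged by the default listed on this page, so an empty configuration is still reported for tls_versions, sasl_minimum_layer and serverinfo.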
1322
1323
1325 imapd(8), pop3d(8), nntpd(8), lmtpd(8), timsieved(8), idled(8), noti‐
1326 fyd(8), deliver(8), cyrus-cyrus-master(8), ciphers(1)
1327
1328
1329
1330
1331CMU Project Cyrus IMAPD.CONF(5)