IMAPD.CONF(5) File Formats Manual IMAPD.CONF(5)

imapd.conf - IMAP configuration file

12 /etc/imapd.conf is the configuration file for the Cyrus IMAP server.
13 It defines local parameters for IMAP.
14
15 Each line of the /etc/imapd.conf file has the form
16
17 option: value
18
19 where option is the name of the configuration option being set and
20 value is the value that the configuration option is being set to.
21
Although there is no limit to the length of a line, a ``\'' (backslash)
character may be used as the last character on a line to force it to
continue on the next one. No additional whitespace is inserted before
or after the ``\''. Note that a line that is split using ``\''
character(s) is still considered a single line. For example
27
28 option:\
29 value1 value2 \
30 value3
31
32 is equivalent to
33
34 option: value1 value2 value3
35
36 Blank lines and lines beginning with ``#'' are ignored.
37
38 For boolean and enumerated options, the values ``yes'', ``on'', ``t'',
39 ``true'' and ``1'' turn the option on, the values ``no'', ``off'',
40 ``f'', ``false'' and ``0'' turn the option off.
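
The syntax rules above (backslash continuation, comment lines, boolean spellings) can be exercised with a small parser. This is an added example, not Cyrus code: it also checks a few security-relevant options against the defaults this page lists, and the names `parse_conf`, `switch`, `audit` and the sample configuration are constructed for illustration.

```python
# Added example (not Cyrus code): parse the imapd.conf syntax described above
# and flag a few security-sensitive options documented on this page.
TRUE = {"yes", "on", "t", "true", "1"}
FALSE = {"no", "off", "f", "false", "0"}

# Defaults as listed on this page for the options checked below.
DEFAULTS = {
    "allowplaintext": "0", "allowanonymouslogin": "0", "allowapop": "1",
    "loginuseacl": "0", "ldap_start_tls": "0", "ldap_tls_check_peer": "0",
    "failedloginpause": "3",
}

# Constructed sample input, not a real site's configuration.
SAMPLE = r"""
# constructed sample
configdirectory: /var/imap
admins: cyrus \
    backupadmin
allowplaintext: yes
allowapop: off
ldap_uri: ldaps://ldap.example.com/
ldap_start_tls: on
failedloginpause: 0
"""


def logical_lines(text):
    """Join physical lines ending in a backslash; nothing is inserted at the join."""
    pending = ""
    for raw in text.splitlines():
        if raw.endswith("\\"):
            pending += raw[:-1]
        else:
            yield pending + raw
            pending = ""
    if pending:
        yield pending


def parse_conf(text):
    """Return {option: value}, skipping blank lines and lines beginning with '#'."""
    conf = {}
    for line in logical_lines(text):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        option, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not in 'option: value' form: {line!r}")
        conf[option.strip()] = value.strip()
    return conf


def switch(conf, option):
    """Interpret a boolean option, falling back to the documented default."""
    value = conf.get(option, DEFAULTS[option]).lower()  # case-folding is an assumption
    if value in TRUE:
        return True
    if value in FALSE:
        return False
    raise ValueError(f"{option}: {value!r} is not a boolean value")


def audit(conf):
    """Return (option, reason) pairs for settings worth a second look."""
    findings = []
    if switch(conf, "allowplaintext"):
        findings.append(("allowplaintext", "cleartext passwords are allowed on the wire"))
    if switch(conf, "allowanonymouslogin"):
        findings.append(("allowanonymouslogin", "'anonymous' may log in with any password"))
    if switch(conf, "allowapop"):
        findings.append(("allowapop", "APOP needs plaintext passwords in a SASL auxprop backend"))
    if switch(conf, "loginuseacl"):
        findings.append(("loginuseacl", "identities with the 'a' right on an INBOX may log in as its owner"))
    uris = conf.get("ldap_uri", "").split()
    if uris:
        if not switch(conf, "ldap_tls_check_peer"):
            findings.append(("ldap_tls_check_peer", "LDAP server certificate is not required or verified"))
        elif not (conf.get("ldap_tls_cacert_file") or conf.get("ldap_tls_cacert_dir")):
            findings.append(("ldap_tls_check_peer", "needs ldap_tls_cacert_file or ldap_tls_cacert_dir"))
        if switch(conf, "ldap_start_tls") and any(u.lower().startswith("ldaps:") for u in uris):
            findings.append(("ldap_start_tls", "do not combine StartTLS with an ldaps: URI"))
    if int(conf.get("failedloginpause", DEFAULTS["failedloginpause"])) == 0:
        findings.append(("failedloginpause", "no pause after a failed login"))
    return findings


if __name__ == "__main__":
    for option, reason in audit(parse_conf(SAMPLE)):
        print(f"{option}: {reason}")
```

An empty configuration still reports allowapop, because that option defaults to on.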
41
The sections below detail options that can be placed in the
/etc/imapd.conf file, and show each option's default value. Some
options have no default value; these are listed with ``<no default>''.
Some options default to the empty string; these are listed with
``<none>''.
48
49
50 admins: <empty string>
51 The list of userids with administrative rights. Separate each
52 userid with a space. Sites using Kerberos authentication may use
53 separate "admin" instances.
54
55 Note that accounts used by users should not be administrators. Admin‐
56 istrative accounts should not receive mail. That is, if user "jbRo" is
57 a user reading mail, he should not also be in the admins line. Some
58 problems may occur otherwise, most notably the ability of administra‐
59 tors to create top-level mailboxes visible to users, but not writable
60 by users.
61
62 afspts_localrealms: <none>
63 The list of realms which are to be treated as local, and thus
64 stripped during identifier canonicalization (for the AFSPTS
65 ptloader module). This is different from loginrealms in that it
66 occurs later in the authorization process (as the user id is
67 canonified for PTS lookup)
68
69 afspts_mycell: <none>
70 Cell to use for AFS PTS lookups. Defaults to the local cell.
71
72 allowallsubscribe: 0
73 Allow subscription to nonexistent mailboxes. This option is typi‐
74 cally used on backend servers in a Murder so that users can sub‐
75 scribe to mailboxes that don't reside on their "home" server.
76 This option can also be used as a workaround for IMAP clients
77 which don't play well with nonexistent or unselectable mailboxes
78 (e.g., Microsoft Outlook).
79
80 allowanonymouslogin: 0
81 Permit logins by the user "anonymous" using any password. Also
82 allows use of the SASL ANONYMOUS mechanism.
83
84 allowapop: 1
85 Allow use of the POP3 APOP authentication command.
86
87 Note that this command requires that SASL is compiled with APOP sup‐
88 port, that the plaintext passwords are available in a SASL auxprop
89 backend (e.g., sasldb), and that the system can provide enough entropy
90 (e.g., from /dev/urandom) to create a challenge in the banner.
91
92 allownewnews: 0
93 Allow use of the NNTP NEWNEWS command.
94
95 Note that this is a very expensive command and should only be enabled
96 when absolutely necessary.
97
98 allowplaintext: 0
99 Allow the use of cleartext passwords on the wire.
100
101 allowusermoves: 0
102 Allow moving user accounts (with associated meta-data) via RENAME
103 or XFER.
104
105 Note that measures should be taken to make sure that the user being
106 moved is not logged in, and cannot login during the move. Failure to
107 do so may result in the user's meta-data (seen state, subscriptions,
108 etc) being corrupted or out of date.
109
110 altnamespace: 0
111 Use the alternate IMAP namespace, where personal folders reside at
112 the same level in the hierarchy as INBOX.
113
114 This option ONLY applies where interaction takes place with the
115 client/user. Currently this is limited to the IMAP protocol (imapd)
116 and Sieve scripts (lmtpd). This option does NOT apply to admin tools
117 such as cyradm (admins ONLY), reconstruct, quota, etc., NOR does it
118 affect LMTP delivery of messages directly to mailboxes via plus-
119 addressing.
120
121 annotation_db: skiplist
122 The cyrusdb backend to use for mailbox annotations.
123
124 Allowed values: berkeley, berkeley-hash, skiplist
125
126 annotation_db_path: <none>
127 The absolute path to the annotations db file. If not specified,
128 will be confdir/annotations.db
129
130 anyoneuseracl: 1
131 Should non-admin users be allowed to set ACLs for the 'anyone'
132 user on their mailboxes? In a large organization this can cause
133 support problems, but it's enabled by default.
134
135 annotation_definitions: <none>
136 File containing external (third-party) annotation definitions.
137
138 Each line of the file specifies the properties of an annotation and has
139 the following form:
140
141 name, scope, attrib-type, proxy-type, attrib-names, acl
142
143 name is the hierarchical name as in the draft standard, typically of
144 the form /vendor/acme/blurdybloop
145
146 scope
147 specifies whether the annotation is for the server or a mailbox
148
149 attrib-type
150 specifies the attribute data type which is one of: string, bool‐
151 ean, int, uint, or content-type
152
153 proxy-type
154 specifies whether this attribute is for the backend or proxy
155 servers or both (proxy_and_backend)
156
attrib-names
is the space-separated list of available attributes for the annotation.
Possible attribute names are (where the suffixless foo
permits both foo.priv and foo.shared): value, value.shared,
value.priv, size, size.shared, size.priv, modifiedsince,
modifiedsince.shared, modifiedsince.priv, content-type,
content-type.shared, content-type.priv
164
acl is the extra ACL requirements for setting annotations. This is the
standard IMAP ACL permission bit string format. Particularly useful
is the "a" right to require admin privileges. Note that some ACL
requirements (read and write on the mailbox) are hard-wired in the
server.
170
171 Blank lines and lines beginning with ``#'' are ignored.
172
173
174 auditlog: 0
175 Should cyrus output log entries for every action taken on a mes‐
176 sage file or mailboxes list entry? It's noisy so disabled by
177 default, but can be very useful for tracking down what happened if
178 things look strange
179
180 auth_mech: unix
181 The authorization mechanism to use.
182
183 Allowed values: unix, pts, krb, krb5
184
185 autocreatequota: 0
186 If nonzero, normal users may create their own IMAP accounts by
187 creating the mailbox INBOX. The user's quota is set to the value
188 if it is positive, otherwise the user has unlimited quota.
189
190 berkeley_cachesize: 512
191 Size (in kilobytes) of the shared memory buffer pool (cache) used
192 by the berkeley environment. The minimum allowed value is 20.
193 The maximum allowed value is 4194303 (4GB).
194
195 berkeley_locks_max: 50000
196 Maximum number of locks to be held or requested in the berkeley
197 environment.
198
199 berkeley_txns_max: 100
200 Maximum number of transactions to be supported in the berkeley
201 environment.
202
boundary_limit: 1000
Messages are parsed recursively, and a deep enough MIME structure
can cause a stack overflow. Do not parse deeper than this many
layers of MIME structure. The default of 1000 is much higher than
any sane message should have.
208
209 client_timeout: 10
210 Number of seconds to wait before returning a timeout failure when
211 performing a client connection (e.g., in a murder environment)
212
213 commandmintimer: <none>
214 Time in seconds. Any imap command that takes longer than this time
215 is logged.
216
217 configdirectory: <none>
218 The pathname of the IMAP configuration directory. This field is
219 required.
220
221 debug_command: <none>
222 Debug command to be used by processes started with -D option. The
223 string is a C format string that gets 3 options: the first is the
224 name of the executable (without path). The second is the pid
225 (integer) and the third is the service ID. Example:
226 /usr/local/bin/gdb /usr/cyrus/bin/%s %d
227
228 defaultacl: anyone lrs
229 The Access Control List (ACL) placed on a newly-created (non-user)
230 mailbox that does not have a parent mailbox.
231
232 defaultdomain: <none>
233 The default domain for virtual domain support
234
235 defaultpartition: <none>
236 The partition name used by default for new mailboxes. If not
237 specified, the partition with the most free space will be used for
238 new mailboxes.
239
240 defaultserver: <none>
241 The backend server name used by default for new mailboxes. If not
242 specified, the server with the most free space will be used for
243 new mailboxes.
244
deletedprefix: DELETED
If "delete_mode" is set to "delayed", the prefix for the deleted
mailboxes hierarchy. The hierarchy delimiter will be automatically
appended.

delete_mode: immediate
The manner in which mailboxes are deleted. "immediate" mode is the
default behavior in which mailboxes are removed immediately. In
"delayed" mode, mailboxes are renamed to a special hierarchy
defined by the "deletedprefix" option to be removed later by
cyr_expire.
256
257
258 Allowed values: immediate, delayed
259
260 deleteright: c
261 Deprecated - only used for backwards compatibility with existing
262 installations. Lists the old RFC 2086 right which was used to
263 grant the user the ability to delete a mailbox. If a user has
264 this right, they will automatically be given the new 'x' right.
265
266 disable_user_namespace: 0
267 Preclude list command on user namespace. If set to 'yes', the
268 LIST response will never include any other user's mailbox. Admin
269 users will always see all mailboxes. The default is 'no'
270
disable_shared_namespace: 0
Preclude list command on shared namespace. If set to 'yes', the
LIST response will never include any non-user mailboxes. Admin
users will always see all mailboxes. The default is 'no'.
275
276 disconnect_on_vanished_mailbox: 0
277 If enabled, IMAP/POP3/NNTP clients will be disconnected by the
278 server if the currently selected mailbox is (re)moved by another
279 session. Otherwise, the missing mailbox is treated as empty while
280 in use by the client.
281
282 duplicate_db: skiplist
283 The cyrusdb backend to use for the duplicate delivery suppression
284 and sieve.
285
286 Allowed values: berkeley, berkeley-nosync, berkeley-hash, berke‐
287 ley-hash-nosync, skiplist, sql
288
289 duplicate_db_path: <none>
290 The absolute path to the duplicate db file. If not specified,
291 will be confdir/deliver.db
292
293 duplicatesuppression: 1
294 If enabled, lmtpd will suppress delivery of a message to a mailbox
295 if a message with the same message-id (or resent-message-id) is
296 recorded as having already been delivered to the mailbox. Records
297 the mailbox and message-id/resent-message-id of all successful
298 deliveries.
299
300 expunge_mode: default
301 The mode in which messages (and their corresponding cache entries)
302 are expunged. "default" mode is the default behavior in which the
303 message files are purged at the time of the EXPUNGE, but index and
304 cache records are retained to facilitate QRESYNC. In "delayed"
305 mode, the message files are also retained, allowing unexpunge to
306 rescue them. In "immediate" mode, both the message files and the
307 index records are removed as soon as possible. In all cases,
308 nothing will be finally purged until all other processes have
309 closed the mailbox to ensure they never see data disappear under
310 them. In "default" or "delayed" mode, a later run of "cyr_expire"
311 will clean out the retained records (and possibly message files).
312 This reduces the amount of I/O that takes place at the time of
313 EXPUNGE and should result in greater responsiveness for the
314 client, especially when expunging a large number of messages.
315
316 Allowed values: default, immediate, delayed
317
318 expunge_days: 7
319 Number of days to retain expunged messages before cleaning up
320 their index records. The default is 7. This is necessary for
321 QRESYNC to work correctly. If combined with delayed expunge
322 (above) you will also be able to unexpunge messages during this
323 time.
324
325 failedloginpause: 3
326 Number of seconds to pause after a failed login.
327
328 flushseenstate: 0
329 If enabled, changes to the seen state will be flushed to disk
330 immediately, otherwise changes will be cached and flushed when the
331 mailbox is closed. This option may be used to fix the problem of
332 previously read messages being marked as unread in Microsoft Out‐
333 look, at the expense of a loss of performance/scalability.
334
335 foolstupidclients: 0
336 If enabled, only list the personal namespace when a LIST "*" is
337 performed (it changes the request to a LIST "INBOX*").
338
339 force_sasl_client_mech: <none>
340 Force preference of a given SASL mechanism for client side opera‐
341 tions (e.g., murder environments). This is separate from (and
342 overridden by) the ability to use the <host shortname>_mechs
343 option to set preferred mechanisms for a specific host
344
fulldirhash: 0
If enabled, uses an improved directory hashing scheme which hashes
on the entire username instead of using just the first letter as
the hash. This changes the hash algorithm used for quota and user
directories and, if hashimapspool is enabled, the entire mail
spool.
351
352 Note that this option CANNOT be changed on a live system. The server
353 must be quiesced and then the directories moved with the rehash util‐
354 ity.
355
356 hashimapspool: 0
357 If enabled, the partitions will also be hashed, in addition to the
358 hashing done on configuration directories. This is recommended if
359 one partition has a very bushy mailbox tree.
360
361 debug: 0
362 If enabled, allow syslog() to pass LOG_DEBUG messages.
363
364 hostname_mechs: <none>
365 Force a particular list of SASL mechanisms to be used when authen‐
366 ticating to the backend server hostname (where hostname is the
367 short hostname of the server in question). If it is not specified
368 it will query the server for available mechanisms and pick one to
369 use. - Cyrus Murder
370
371 hostname_password: <none>
372 The password to use for authentication to the backend server host‐
373 name (where hostname is the short hostname of the server) - Cyrus
374 Murder
375
376 idlesocket: {configdirectory}/socket/idle
377 Unix domain socket that idled listens on.
378
379 ignorereference: 0
380 For backwards compatibility with Cyrus 1.5.10 and earlier --
381 ignore the reference argument in LIST or LSUB commands.
382
383 imapidlepoll: 60
384 The interval (in seconds) for polling for mailbox changes and
385 ALERTs while running the IDLE command. This option is used when
386 idled is not enabled or cannot be contacted. The minimum value is
387 1. A value of 0 will disable IDLE.
388
389 imapidresponse: 1
390 If enabled, the server responds to an ID command with a parameter
391 list containing: version, vendor, support-url, os, os-version,
392 command, arguments, environment. Otherwise the server returns
393 NIL.
394
395 imapmagicplus: 0
396 Only list a restricted set of mailboxes via IMAP by using
397 userid+namespace syntax as the authentication/authorization id.
398 Using userid+ (with an empty namespace) will list only subscribed
399 mailboxes.
400
401 implicit_owner_rights: lkxa
402 The implicit Access Control List (ACL) for the owner of a mailbox.
403
404 @include: <none>
405 Directive which includes the specified file as part of the config‐
406 uration. If the path to the file is not absolute, CYRUS_PATH is
407 prepended.
408
409 improved_mboxlist_sort: 0
410 If enabled, a special comparator will be used which will correctly
411 sort mailbox names that contain characters such as ' ' and '-'.
412
Note that this option SHOULD NOT be changed on a live system. The
mailboxes database should be dumped (ctl_mboxlist) before the option is
changed, removed, and then undumped after changing the option. When
not using flat files for the subscriptions databases, the same has to be
done (cyr_dbtool) for each subscription database. See
improved_mboxlist_sort.html.
419
420 internaldate_heuristic: standard
421 Mechanism to determine email internaldates on delivery/recon‐
422 struct. "standard" uses time() when delivering a message, mtime
423 on reconstruct. "receivedheader" looks at the top most Received
424 header or time/mtime otherwise
425
426 Allowed values: standard, receivedheader
427
428 ldap_authz: <none>
429 SASL authorization ID for the LDAP server
430
431 ldap_base: <empty string>
432 Contains the LDAP base dn for the LDAP ptloader module
433
434 ldap_bind_dn: <none>
435 Bind DN for the connection to the LDAP server (simple bind). Do
436 not use for anonymous simple binds
437
438 ldap_deref: never
439 Specify how aliases dereferencing is handled during search.
440
441 Allowed values: search, find, always, never
442
ldap_filter: (uid=%u)
Specify a filter that searches user identifiers. The following
tokens can be used in the filter string:

%% = %
%u = user
%U = user portion of %u (%U = test when %u = test@domain.tld)
%d = domain portion of %u if available (%d = domain.tld when
%u = test@domain.tld), otherwise same as %r
%D = user dn (use when ldap_member_method: filter)
%1-9 = domain tokens (%1 = tld, %2 = domain when %d = domain.tld)
452
453 ldap_filter is not used when ldap_sasl is enabled.
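
The token substitution described for ldap_filter, worked through as an added example (not code from Cyrus). The function names and the `realm` and `user_dn` parameters are hypothetical. Escaping substituted values per RFC 4515 is a choice made in this example so that a userid containing filter metacharacters cannot change the filter's structure; it is not a statement about how the ptloader module performs substitution.

```python
# Added example (not Cyrus code): expand the ldap_filter tokens listed above.
import re


def escape_filter_value(value):
    """Escape RFC 4515 special characters in a value placed into a filter."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch
        for ch in value
    )


def expand_filter(template, userid, user_dn="", realm=""):
    """Substitute %%, %u, %U, %d, %D and %1-%9 in a filter template.

    realm stands in for the value %d falls back to when userid carries no
    domain (the page calls this %r); it is an assumption of this example.
    """
    user, _, domain = userid.partition("@")
    domain = domain or realm
    # Domain tokens count from the right: %1 = tld, %2 = domain for domain.tld.
    labels = domain.split(".")[::-1] if domain else []
    values = {"u": userid, "U": user, "d": domain, "D": user_dn}

    def substitute(match):
        token = match.group(1)
        if token == "%":
            return "%"
        if token.isdigit():
            index = int(token) - 1
            raw = labels[index] if index < len(labels) else ""
        else:
            raw = values[token]
        return escape_filter_value(raw)

    # Tokens not listed on the page are left untouched.
    return re.sub(r"%([%uUdD1-9])", substitute, template)


if __name__ == "__main__":
    # Constructed inputs, using the page's own test@domain.tld illustration.
    print(expand_filter("(uid=%u)", "test@domain.tld"))
    print(expand_filter("(&(uid=%U)(dc=%2)(dc=%1))", "test@domain.tld"))
    print(expand_filter("(member=%D)", "test", user_dn="uid=test,dc=domain,dc=tld"))
    print(expand_filter("(uid=%u)", "j(doe)*"))
```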
454
455 ldap_group_base: <empty string>
456 LDAP base dn for ldap_group_filter.
457
458 ldap_group_filter: (cn=%u)
459 Specify a filter that searches for group identifiers. See
460 ldap_filter for more options.
461
462 ldap_group_scope: sub
463 Specify search scope for ldap_group_filter.
464
465 Allowed values: sub, one, base
466
467 ldap_id: <none>
468 SASL authentication ID for the LDAP server
469
470 ldap_mech: <none>
471 SASL mechanism for LDAP authentication
472
473 ldap_member_attribute: <none>
474 See ldap_member_method.
475
476 ldap_member_base: <empty string>
477 LDAP base dn for ldap_member_filter.
478
479 ldap_member_filter: (member=%D)
480 Specify a filter for "ldap_member_method: filter". See ldap_fil‐
481 ter for more options.
482
483 ldap_member_method: attribute
484 Specify a group method. The "attribute" method retrieves groups
485 from a multi-valued attribute specified in ldap_member_attribute.
486
487 The "filter" method uses a filter, specified by ldap_member_fil‐
488 ter, to find groups; ldap_member_attribute is a single-value
489 attribute group name.
490
491 Allowed values: attribute, filter
492
493 ldap_member_scope: sub
494 Specify search scope for ldap_member_filter.
495
496 Allowed values: sub, one, base
497
498 ldap_password: <none>
499 Password for the connection to the LDAP server (SASL and simple
500 bind). Do not use for anonymous simple binds
501
502 ldap_realm: <none>
503 SASL realm for LDAP authentication
504
505 ldap_referrals: 0
506 Specify whether or not the client should follow referrals.
507
508 ldap_restart: 1
509 Specify whether or not LDAP I/O operations are automatically
510 restarted if they abort prematurely.
511
512 ldap_sasl: 1
513 Use SASL for LDAP binds in the LDAP PTS module.
514
515 ldap_sasl_authc: <none>
516 Deprecated. Use ldap_id
517
518 ldap_sasl_authz: <none>
519 Deprecated. Use ldap_authz
520
521 ldap_sasl_mech: <none>
522 Deprecated. Use ldap_mech
523
ldap_sasl_password: <none>
Deprecated. Use ldap_password
526
527 ldap_sasl_realm: <none>
528 Deprecated. Use ldap_realm
529
530 ldap_scope: sub
531 Specify search scope.
532
533 Allowed values: sub, one, base
534
535 ldap_servers: ldap://localhost/
536 Deprecated. Use ldap_uri
537
538 ldap_size_limit: 1
539 Specify a number of entries for a search request to return.
540
541 ldap_start_tls: 0
542 Use StartTLS extended operation. Do not use ldaps: ldap_uri when
543 this option is enabled.
544
545 ldap_time_limit: 5
546 Specify a number of seconds for a search request to complete.
547
548 ldap_timeout: 5
549 Specify a number of seconds a search can take before timing out.
550
551 ldap_tls_cacert_dir: <none>
552 Path to directory with CA (Certificate Authority) certificates.
553
554 ldap_tls_cacert_file: <none>
555 File containing CA (Certificate Authority) certificate(s).
556
557 ldap_tls_cert: <none>
558 File containing the client certificate.
559
560 ldap_tls_check_peer: 0
561 Require and verify server certificate. If this option is yes, you
562 must specify ldap_tls_cacert_file or ldap_tls_cacert_dir.
563
564 ldap_tls_ciphers: <none>
565 List of SSL/TLS ciphers to allow. The format of the string is
566 described in ciphers(1).
567
568 ldap_tls_key: <none>
569 File containing the private client key.
570
571 ldap_uri: <none>
572 Contains a list of the URLs of all the LDAP servers when using the
573 LDAP PTS module.
574
575 ldap_version: 3
576 Specify the LDAP protocol version. If ldap_start_tls and/or
577 ldap_use_sasl are enabled, ldap_version will be automatically set
578 to 3.
579
580 lmtp_downcase_rcpt: 0
581 If enabled, lmtpd will convert the recipient addresses to lower‐
582 case (up to a '+' character, if present).
583
584 lmtp_fuzzy_mailbox_match: 0
585 If enabled, and the mailbox specified in the detail part of the
586 recipient (everything after the '+') does not exist, lmtpd will
587 try to find the closest match (ignoring case, ignoring whitespace,
588 falling back to parent) to the specified mailbox name.
589
590 lmtp_over_quota_perm_failure: 0
591 If enabled, lmtpd returns a permanent failure code when a user's
592 mailbox is over quota. By default, the failure is temporary,
593 causing the MTA to queue the message and retry later.
594
595 lmtp_strict_quota: 0
596 If enabled, lmtpd returns a failure code when the incoming message
597 will cause the user's mailbox to exceed its quota. By default,
598 the failure won't occur until the mailbox is already over quota.
599
600 lmtp_strict_rfc2821: 1
601 By default, lmtpd will be strict (per RFC 2821) with regards to
602 which envelope addresses are allowed. If this option is set to
603 false, 8bit characters in the local-part of envelope addresses are
604 changed to 'X' instead. This is useful to avoid generating
605 backscatter with certain MTAs like Postfix or Exim which accept
606 such messages.
607
608 lmtpsocket: {configdirectory}/socket/lmtp
609 Unix domain socket that lmtpd listens on, used by deliver(8). This
610 should match the path specified in cyrus.conf(5).
611
612 lmtptxn_timeout: 300
613 Timeout (in seconds) used during a lmtp transaction to a remote
614 backend (e.g. in a murder environment). Can be used to prevent
615 hung lmtpds on proxy hosts when a backend server becomes unrespon‐
616 sive during a lmtp transaction. The default is 300 - change to
617 zero for infinite.
618
loginrealms: <empty string>
The list of remote realms whose users may authenticate using
cross-realm authentication identifiers. Separate each realm name
by a space. (A cross-realm identity is considered any identity
returned by SASL with an "@" in it.)
624
loginuseacl: 0
If enabled, any authentication identity which has the "a" right on a
user's INBOX may log in as that user.
628
629 logtimestamps: 0
630 Include notations in the protocol telemetry logs indicating the
631 number of seconds since the last command or response.
632
mailbox_default_options: 0
Default "options" field for the mailbox on create. You'll want to
know what you're doing before setting this, but it can apply some
default annotations like duplicate suppression.
637
638 mailnotifier: <none>
639 Notifyd(8) method to use for "MAIL" notifications. If not set,
640 "MAIL" notifications are disabled.
641
642 maxheaderlines: 1000
643 Maximum number of lines of header that will be processed into
644 cache records. Default 1000. If set to zero, it is unlimited.
645 If a message hits the limit, an error will be logged and the rest
646 of the lines in the header will be skipped. This is to avoid mal‐
647 formed messages causing giant cache records
648
649 maxmessagesize: 0
650 Maximum incoming LMTP message size. If non-zero, lmtpd will
651 reject messages larger than maxmessagesize bytes. If set to 0,
652 this will allow messages of any size (the default).
653
654 maxquoted: 131072
655 Maximum size of a single quoted string for the parser. Default
656 128k
657
658 maxword: 131072
659 Maximum size of a single word for the parser. Default 128k
660
661 mboxkey_db: skiplist
662 The cyrusdb backend to use for mailbox keys.
663
664 Allowed values: berkeley, skiplist
665
666 mboxlist_db: skiplist
667 The cyrusdb backend to use for the mailbox list.
668
669 Allowed values: flat, berkeley, berkeley-hash, skiplist
670
671 mboxlist_db_path: <none>
672 The absolute path to the mailboxes db file. If not specified will
673 be confdir/mailboxes.db
674
675 mboxname_lockpath: <none>
676 Path to mailbox name lock files (default $conf/lock)
677
678 metapartition_files: <empty string>
679 Space-separated list of metadata files to be stored on a meta‐
680 partition rather than in the mailbox directory on a spool parti‐
681 tion.
682
683 Allowed values: header, index, cache, expunge, squat
684
685 metapartition-name: <none>
686 The pathname of the metadata partition name, corresponding to
687 spool partition partition-name. For any mailbox residing in a
688 directory on partition-name, the metadata files listed in meta‐
689 partition_files will be stored in a corresponding directory on
690 metapartition-name. Note that not every partition-name option is
691 required to have a corresponding metapartition-name option, so
692 that you can selectively choose which spool partitions will have
693 separate metadata partitions.
694
695 mupdate_authname: <none>
696 The SASL username (Authentication Name) to use when authenticating
697 to the mupdate server (if needed).
698
mupdate_config: standard
The configuration of the mupdate servers in the Cyrus Murder. The
"standard" config is one in which there are discrete frontend
(proxy) and backend servers. The "unified" config is one in which
a server can be both a frontend and backend. The "replicated"
config is one in which multiple backend servers all share the same
mailspool, but each have their own "replicated" copy of
mailboxes.db.
707
708 Allowed values: standard, unified, replicated
709
710 munge8bit: 1
711 If enabled, lmtpd munges messages with 8-bit characters in the
712 headers. The 8-bit characters are changed to `X'. If reject8bit
713 is enabled, setting munge8bit has no effect. (A proper solution
714 to non-ASCII characters in headers is offered by RFC 2047 and its
715 predecessors.)
716
717 mupdate_connections_max: 128
718 The max number of connections that a mupdate process will allow,
719 this is related to the number of file descriptors in the mupdate
720 process. Beyond this number connections will be immediately
721 issued a BYE response.
722
723 mupdate_password: <none>
724 The SASL password (if needed) to use when authenticating to the
725 mupdate server.
726
727 mupdate_realm: <none>
728 The SASL realm (if needed) to use when authenticating to the mup‐
729 date server.
730
731 mupdate_retry_delay: 20
732 The base time to wait between connection retries to the mupdate
733 server.
734
735 mupdate_server: <none>
736 The mupdate server for the Cyrus Murder
737
738 mupdate_username: <empty string>
739 The SASL username (Authorization Name) to use when authenticating
740 to the mupdate server
741
742 mupdate_workers_max: 50
743 The maximum number of mupdate worker threads (overall)
744
745 mupdate_workers_maxspare: 10
746 The maximum number of idle mupdate worker threads
747
748 mupdate_workers_minspare: 2
749 The minimum number of idle mupdate worker threads
750
751 mupdate_workers_start: 5
752 The number of mupdate worker threads to start
753
754 netscapeurl: <none>
755 If enabled at compile time, this specifies a URL to reply when
756 Netscape asks the server where the mail administration HTTP server
757 is. Administrators should set this to a local resource.
758
759 newsaddheaders: to
760 Space-separated list of headers to be added to incoming usenet
761 articles. Added To: headers will contain email delivery addresses
762 corresponding to each newsgroup in the Newsgroups: header. Added
763 Reply-To: headers will contain email delivery addresses corre‐
764 sponding to each newsgroup in the Followup-To: or Newsgroups:
765 header. If the specified header(s) already exist in an article,
766 the email delivery addresses will be appended to the original
767 header body(s).
768
769 This option applies if and only if the newspostuser option is set.
770
771 Allowed values: to, replyto
772
773 newsgroups: *
774 A wildmat pattern specifying which mailbox hierarchies should be
775 treated as newsgroups. Only mailboxes matching the wildmat will
776 accept and/or serve articles via NNTP. If not set, a default
777 wildmat of "*" (ALL shared mailboxes) will be used. If the
778 newsprefix option is also set, the default wildmat will be trans‐
779 lated to "<newsprefix>.*"
780
781 newsmaster: news
782 Userid that is used for checking access controls when executing
783 Usenet control messages. For instance, to allow articles to be
784 automatically deleted by cancel messages, give the "news" user the
785 'd' right on the desired mailboxes. To allow newsgroups to be
786 automatically created, deleted and renamed by the corresponding
787 control messages, give the "news" user the 'c' right on the
788 desired mailbox hierarchies.
789
790 newspeer: <none>
791 A list of whitespace-separated news server specifications to which
792 articles should be fed. Each server specification is a string of
793 the form [user[:pass]@]host[:port][/wildmat] where 'host' is the
794 fully qualified hostname of the server, 'port' is the port on
795 which the server is listening, 'user' and 'pass' are the authenti‐
796 cation credentials and 'wildmat' is a pattern that specifies which
797 groups should be fed. If no 'port' is specified, port 119 is
798 used. If no 'wildmat' is specified, all groups are fed. If
799 'user' is specified (even if empty), then the NNTP POST command
800 will be used to feed the article to the server, otherwise the
801 IHAVE command will be used.
802
803 A '@' may be used in place of '!' in the wildmat to prevent feed‐
804 ing articles cross-posted to the given group, otherwise cross-
805 posted articles are fed if any part of the wildmat matches. For
806 example, the string "peer.example.com:*,!control.*,@local.*" would
807 feed all groups except control messages and local groups to
808 peer.example.com. In the case of cross-posting to local groups,
809 these articles would not be fed.
810
811 newspostuser: <none>
812 Userid used to deliver usenet articles to newsgroup folders (usu‐
813 ally via lmtp2nntp). For example, if set to "post", email sent to
814 "post+comp.mail.imap" would be delivered to the "comp.mail.imap"
815 folder.
816
When set, the Cyrus NNTP server will add the header(s) specified
in the newsaddheaders option to each incoming usenet article. The
added header(s) will contain email delivery addresses corresponding
to each relevant newsgroup. If not set, no headers are added
to usenet articles.
822
823 newsprefix: <none>
824 Prefix to be prepended to newsgroup names to make the correspond‐
825 ing IMAP mailbox names.
826
827 newsrc_db_path: <none>
828 The absolute path to the newsrc db file. If not specified, will
829 be confdir/fetchnews.db
830
831 nntptimeout: 3
832 Set the length of the NNTP server's inactivity autologout timer,
833 in minutes. The minimum value is 3, the default.
834
835 normalizeuid: 0
836 Lowercase uid and strip leading and trailing blanks. It is recom‐
837 mended to set this to yes, especially if OpenLDAP is used as
838 authentication source.
839
840 notifysocket: {configdirectory}/socket/notify
841 Unix domain socket that the mail notification daemon listens on.
842
843 notify_external: <none>
844 Path to the external program that notifyd(8) will call to send
845 mail notifications.
846
847 The external program will be called with the following command line
848 options:
849
850 -c class
851
852 -p priority
853
854 -u user
855
856 -m mailbox
857
858 And the notification message will be available on stdin.
859
860
861 partition-name: <none>
862 The pathname of the partition name. At least one partition path‐
863 name MUST be specified. If the defaultpartition option is used,
864 then its pathname MUST be specified. For example, if the value of
865 the defaultpartition option is default, then the partition-default
866 field is required.
867
868 plaintextloginpause: 0
869 Number of seconds to pause after a successful plaintext login.
870 For systems that support strong authentication, this permits users
871 to perceive a cost of using plaintext passwords. (This does not
872 affect the use of PLAIN in SASL authentications.)
873
874 plaintextloginalert: <none>
875 Message to send to client after a successful plaintext login.
876
877 popexpiretime: -1
878 The number of days advertised as being the minimum a message may
879 be left on the POP server before it is deleted (via the CAPA com‐
880 mand, defined in the POP3 Extension Mechanism, which some clients
881 may support). "NEVER", the default, may be specified with a nega‐
882 tive number. The Cyrus POP3 server never deletes mail, no matter
883 what the value of this parameter is. However, if a site imple‐
884 ments a less liberal policy, it needs to change this parameter
885 accordingly.
886
887 popminpoll: 0
888 Set the minimum amount of time the server forces users to wait
889 between successive POP logins, in minutes.
890
891 popsubfolders: 0
892 Allow access to subfolders of INBOX via POP3 by using userid+sub‐
893 folder syntax as the authentication/authorization id.
894
895 poppollpadding: 1
896 Create a softer minimum poll restriction. Allows poppollpadding
897 connections before the minpoll restriction is triggered. Addi‐
898 tionally, one padding entry is recovered every popminpoll minutes.
899 This allows for the occasional polling rate faster than popmin‐
900 poll, (i.e., for clients that require a send/receive to send mail)
901 but still enforces the rate long-term. Default is 1 (disabled).
902
903 The easiest way to think of it is a queue of past connections,
904 with one slot being filled for every connection, and one slot
905 being cleared every popminpoll minutes. When the queue is full,
906 the user will not be able to check mail again until a slot is
907 cleared. If the user waits a sufficient amount of time, they will
908 get back many or all of the slots.
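
The queue described above can be modelled in a few lines. This is an added example, not code from Cyrus pop3d; the names PopPollQueue and simulate are hypothetical, times are whole minutes, and it assumes a refused login does not fill a slot.

```python
class PopPollQueue:
    """Model of the queue described above: one slot is filled per accepted
    login and one slot is cleared every popminpoll minutes."""

    def __init__(self, popminpoll, poppollpadding=1):
        self.interval = popminpoll      # minutes; 0 means no restriction
        self.capacity = poppollpadding  # number of slots in the queue
        self.used = 0                   # slots currently filled
        self.clock = 0                  # start of the current clearing interval

    def login(self, now):
        """Return True if a login at minute `now` is accepted."""
        if self.interval <= 0:
            return True
        if self.used:
            # Clear one slot for every full interval that has elapsed.
            cleared = min(self.used, (now - self.clock) // self.interval)
            self.used -= cleared
            self.clock += cleared * self.interval
        if self.used == 0:
            self.clock = now  # an empty queue has nothing left to clear
        if self.used >= self.capacity:
            return False      # assumption: a refused login fills no slot
        self.used += 1
        return True


def simulate(popminpoll, poppollpadding, minutes):
    """Replay logins at the given minutes; return accept/refuse per login."""
    queue = PopPollQueue(popminpoll, poppollpadding)
    return [queue.login(m) for m in minutes]


if __name__ == "__main__":
    # Constructed login times: a client polling once a minute for an hour.
    for padding in (1, 3):
        accepted = sum(simulate(5, padding, range(60)))
        print(f"popminpoll=5 poppollpadding={padding}: {accepted} logins accepted")
```

With poppollpadding set to 1 the model reduces to the plain popminpoll rule, which is why the default is described as disabled.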
909
910 poptimeout: 10
911 Set the length of the POP server's inactivity autologout timer, in
912 minutes. The minimum value is 10, the default.
913
914 popuseacl: 0
915 Enforce IMAP ACLs in the pop server. Due to the nature of the
916 POP3 protocol, the only rights which are used by the pop server
917 are 'r', used to open the mailbox and list/retrieve messages. The
918 't' right allows the user to delete messages. The 's' right
919 allows messages retrieved by the user to have the \Seen flag set
920 (only if popuseimapflags is also enabled).
921
922 popuseimapflags: 0
923 If enabled, the pop server will set and obey IMAP flags. Messages
924 having the \Deleted flag are ignored as if they do not exist.
925 Messages that are retrieved by the client will have the \Seen flag
926 set. All messages will have the \Recent flag unset.
927
928 postmaster: postmaster
929 Username that is used as the 'From' address in rejection MDNs pro‐
930 duced by sieve.
931
932 postuser: <empty string>
933 Userid used to deliver messages to shared folders. For example,
934 if set to "bb", email sent to "bb+shared.blah" would be delivered
935 to the "shared.blah" folder. By default, an email address of
936 "+shared.blah" would be used.
937
938 proc_path: <none>
939 Path to proc directory. Default is NULL - must be an absolute
940 path if specified. If not specified, the path $confdir/proc/ will
941 be used.
942
943 proxy_authname: proxy
944 The authentication name to use when authenticating to a backend
945 server in the Cyrus Murder.
946
947 proxy_compress: 0
948 Try to enable protocol-specific compression when performing a
949 client connection to a backend server in the Cyrus Murder.
950
951 Note that this should only be necessary over slow network connections.
952 Also note that currently only IMAP and MUPDATE support compression.
953
954 proxy_password: <none>
955 The default password to use when authenticating to a backend
956 server in the Cyrus Murder. May be overridden on a host-specific
957 basis using the hostname_password option.
958
959 proxy_realm: <none>
960 The authentication realm to use when authenticating to a backend
961 server in the Cyrus Murder
962
963 proxyd_allow_status_referral: 0
964 Set to true to allow proxyd to issue referrals to clients that
965 support it when answering the STATUS command. This is disabled by
966 default since some clients issue many STATUS commands in a row,
967 and do not cache the connections that these referrals would cause,
968 thus resulting in a higher authentication load on the respective
969 backend server.
970
971 proxyd_disable_mailbox_referrals: 0
972 Set to true to disable the use of mailbox-referrals on the proxy
973 servers.
974
975 proxyservers: <none>
976 A list of users and groups that are allowed to proxy for other
977 users, separated by spaces. Any user listed in this will be
978 allowed to login for any other user: use with caution. In a stan‐
979 dard murder this option should ONLY be set on backends. DO NOT
980 SET on frontends or things won't work properly.
981
982 pts_module: afskrb
983 The PTS module to use.
984
985 Allowed values: afskrb, ldap
986
987 ptloader_sock: <none>
988 Unix domain socket that ptloader listens on. (defaults to con‐
989 figdir/ptclient/ptsock)
990
991 ptscache_db: skiplist
992 The cyrusdb backend to use for the pts cache.
993
994 Allowed values: berkeley, berkeley-hash, skiplist
995
996 ptscache_db_path: <none>
997 The absolute path to the ptscache db file. If not specified, will
998 be confdir/ptscache.db
999
1000 ptscache_timeout: 10800
1001 The timeout (in seconds) for the PTS cache database when using the
1002 auth_krb_pts authorization method (default: 3 hours).
1003
1004 ptskrb5_convert524: 1
1005 When using the AFSKRB ptloader module with Kerberos 5 canonical‐
1006 ization, do the final 524 conversion to get an AFS style name
1007 (using '.' instead of '/', and using short names).
1008
1009 ptskrb5_strip_default_realm: 1
1010 When using the AFSKRB ptloader module with Kerberos 5 canonical‐
1011 ization, strip the default realm from the userid (this does not
1012 affect the stripping of realms specified by the afspts_localrealms
1013 option)
1014
1015 qosmarking: cs0
1016 This specifies the Class Selector or Differentiated Services Code
1017 Point designation on IP headers (in the ToS field).
1018
1019 Allowed values: cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11,
1020 af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43,
1021 ef
1022
1023 quota_db: quotalegacy
1024 The cyrusdb backend to use for quotas.
1025
1026 Allowed values: flat, berkeley, berkeley-hash, skiplist, sql, quo‐
1027 talegacy
1028
1029 quota_db_path: <none>
1030 The absolute path for the quota database (if you choose a single-
1031 file quota DB type - or the base path if you choose quotalegacy).
1032 If not specified will be confdir/quota.db or confdir/quota/
1033
1034 quotawarn: 90
1035 The percent of quota utilization over which the server generates
1036 warnings.
1037
1038 quotawarnkb: 0
1039 The maximum amount of free space (in kB) at which to give a quota
1040 warning (if this value is 0, or if the quota is smaller than this
1041 amount, then warnings are always given).
1042
1043 reject8bit: 0
1044 If enabled, lmtpd rejects messages with 8-bit characters in the
1045 headers.
1046
1047 rfc2046_strict: 0
1048 If enabled, imapd will be strict (per RFC 2046) when matching MIME
1049 boundary strings. This means that boundaries containing other
1050 boundaries as substrings will be treated as identical. Since
1051 enabling this option will break some messages created by Eudora
1052 5.1 (and earlier), it is recommended that it be left disabled
1053 unless there is good reason to do otherwise.
1054
1055 rfc3028_strict: 1
1056 If enabled, Sieve will be strict (per RFC 3028) with regards to
1057 which headers are allowed to be used in address and envelope
1058 tests. This means that only those headers which are defined to
1059 contain addresses will be allowed in address tests and only "to"
1060 and "from" will be allowed in envelope tests. When disabled, ANY
1061 grammatically correct header will be allowed.
1062
1063 sasl_auto_transition: 0
1064 If enabled, the SASL library will automatically create authentica‐
1065 tion secrets when given a plaintext password. See the SASL docu‐
1066 mentation.
1067
1068 sasl_maximum_layer: 256
1069 Maximum SSF (security strength factor) that the server will allow
1070 a client to negotiate.
1071
1072 sasl_minimum_layer: 0
1073 The minimum SSF that the server will allow a client to negotiate.
1074 A value of 1 requires integrity protection; any higher value
1075 requires some amount of encryption.
1076
1077 sasl_option: 0
1078 Any SASL option can be set by preceding it with "sasl_". This
1079 file overrides the SASL configuration file.
1080
1081 sasl_pwcheck_method: <none>
1082 The mechanism used by the server to verify plaintext passwords.
1083 Possible values include "auxprop", "saslauthd", and "pwcheck".
1084
1085 seenstate_db: skiplist
1086 The cyrusdb backend to use for the seen state.
1087
1088 Allowed values: flat, berkeley, berkeley-hash, skiplist
1089
1090 sendmail: /usr/lib/sendmail
1091 The pathname of the sendmail executable. Sieve invokes sendmail
1092 for sending rejections, redirects and vacation responses.
1093
1094 serverlist: <none>
1095 Whitespace separated list of backend server names. Used for find‐
1096 ing server with the most available free space for proxying CREATE.
1097
1098 servername: <none>
1099 This is the hostname visible in the greeting messages of the POP,
1100 IMAP and LMTP daemons. If it is unset, then the result returned
1101 from gethostname(2) is used.
1102
1103 serverinfo: on
1104 The server information to display in the greeting and capability
1105 responses. Information is displayed as follows:
1106
1107 "off" = no server information in the greeting or capabilities
1108 "min" = servername in the greeting; no server information in the
1109 capabilities
1110 "on" = servername and product version in the greeting; product
1111 version in the capabilities
1112
1113 Allowed values: off, min, on
1114
1115 sharedprefix: Shared Folders
1116 If using the alternate IMAP namespace, the prefix for the shared
1117 namespace. The hierarchy delimiter will be automatically
1118 appended.
1119
1120 sieve_allowreferrals: 1
1121 If enabled, timsieved will issue referrals to clients when the
1122 user's scripts reside on a remote server (in a Murder). Other‐
1123 wise, timsieved will proxy traffic to the remote server.
1124
1125 sieve_extensions: fileinto reject vacation imapflags notify envelope
1126 relational regex subaddress copy
1127 Space-separated list of Sieve extensions allowed to be used in
1128 sieve scripts, enforced at submission by timsieved(8). Any previ‐
1129 ously installed script will be unaffected by this option and will
1130 continue to execute regardless of the extensions used. This
1131 option has no effect on options that are disabled at compile time
1132 (e.g., "regex").
1133
1134 Allowed values: fileinto, reject, vacation, imapflags, notify,
1135 include, envelope, body, relational, regex, subaddress, copy
1136
1137 sieve_maxscriptsize: 32
1138 Maximum size (in kilobytes) any sieve script can be, enforced at
1139 submission by timsieved(8).
1140
1141 sieve_maxscripts: 5
1142 Maximum number of sieve scripts any user may have, enforced at
1143 submission by timsieved(8).
1144
1145 sieve_utf8fileinto: 0
1146 If enabled, the sieve engine expects folder names for the fileinto
1147 action in scripts to use UTF8 encoding. Otherwise, modified UTF7
1148 encoding should be used.
1149
1150 sieve_sasl_send_unsolicited_capability: 0
1151 If enabled, timsieved will emit a capability response after a suc‐
1152 cessful SASL authentication, per draft-martin-managesieve-12.txt .
1153
1154 sievedir: /usr/sieve
1155 If sieveusehomedir is false, this directory is searched for Sieve
1156 scripts.
1157
1158 sievenotifier: <none>
1159 Notifyd(8) method to use for "SIEVE" notifications. If not set,
1160 "SIEVE" notifications are disabled.
1161
1162 This method is only used when no method is specified in the script.
1163
1164 sieveusehomedir: 0
1165 If enabled, lmtpd will look for Sieve scripts in user's home
1166 directories: ~user/.sieve.
1167
1168 singleinstancestore: 1
1169 If enabled, imapd, lmtpd and nntpd attempt to only write one copy
1170 of a message per partition and create hard links, resulting in a
1171 potentially large disk savings.
1172
1173 skiplist_always_checkpoint: 1
1174 If enabled, this option forces the skiplist cyrusdb backend to
1175 always checkpoint when doing a recovery. This causes slightly
1176 more IO, but on the other hand leads to more efficient databases,
1177 and the entire file is already "hot".
1178
1179 skiplist_unsafe: 0
1180 If enabled, this option forces the skiplist cyrusdb backend to not
1181 sync writes to the disk. Enabling this option is NOT RECOMMENDED.
1182
1183 soft_noauth: 1
1184 If enabled, lmtpd returns temporary failures if the client does
1185 not successfully authenticate. Otherwise lmtpd returns permanent
1186 failures (causing the mail to bounce immediately).
1187
1188 specialusealways: 0
1189 If enabled, this option causes LIST and LSUB output to always
1190 include the XLIST "special-use" flags. See "xlist-*".
1191
1192 sql_database: <none>
1193 Name of the database which contains the cyrusdb table(s).
1194
1195 sql_engine: <none>
1196 Name of the SQL engine to use.
1197
1198 Allowed values: mysql, pgsql, sqlite
1199
1200 sql_hostnames: <empty string>
1201 Comma separated list of SQL servers (in host[:port] format).
1202
1203 sql_passwd: <none>
1204 Password to use for authentication to the SQL server.
1205
1206 sql_user: <none>
1207 Username to use for authentication to the SQL server.
1208
1209 sql_usessl: 0
1210 If enabled, a secure connection will be made to the SQL server.
1211
1212 srvtab: <empty string>
1213 The pathname of srvtab file containing the server's private key.
1214 This option is passed to the SASL library and overrides its
1215 default setting.
1216
1217 submitservers: <none>
1218 A list of users and groups that are allowed to resolve
1219 "urlauth=submit+" IMAP URLs, separated by spaces. Any user listed
1220 in this will be allowed to fetch the contents of any valid
1221 "urlauth=submit+" IMAP URL: use with caution.
1222
1223 subscription_db: flat
1224 The cyrusdb backend to use for the subscriptions list.
1225
1226 Allowed values: flat, berkeley, berkeley-hash, skiplist
1227
1228 suppress_capabilities: <none>
1229 Suppress the named capabilities from any capability response. Use
1230 the exact case as it appears in the response, e.g. "sup‐
1231 press_capabilities: ESEARCH QRESYNC WITHIN XLIST LIST-EXTENDED" if
1232 you have a murder with 2.3.x backends and don't want clients being
1233 confused by new capabilities that some backends don't support.
1234
1235 statuscache: 0
1236 Enable/disable the imap status cache.
1237
1238 statuscache_db: skiplist
1239 The cyrusdb backend to use for the imap status cache.
1240
1241 Allowed values: berkeley, berkeley-nosync, berkeley-hash, berke‐
1242 ley-hash-nosync, skiplist
1243
1244 statuscache_db_path: <none>
1245 The absolute path to the statuscache db file. If not specified,
1246 will be confdir/statuscache.db
1247
1248 sync_authname: <none>
1249 The authentication name to use when authenticating to a sync
1250 server. Prefix with a channel name to only apply for that channel
1251
1252 sync_compress: 0
1253 Enable compression on replication traffic. Prefix with a channel
1254 name to only apply for that channel
1255
1256 sync_host: <none>
1257 Name of the host (replica running sync_server(8)) to which repli‐
1258 cation actions will be sent by sync_client(8). Prefix with a
1259 channel name to only apply for that channel
1260
1261 sync_log: 0
1262 Enable replication action logging by lmtpd(8), imapd(8), pop3d(8),
1263 and nntpd(8). The log {configdirectory}/sync/log is used by
1264 sync_client(8) for "rolling" replication.
1265
1266 sync_log_chain: 0
1267 Enable replication action logging by sync_server as well, allowing
1268 chaining of replicas. Use this on 'B' for A => B => C replication
1269 layout
1270
1271 sync_log_channels: <none>
1272 If specified, log all events to multiple log files in directories
1273 specified by each "channel". To run these log files, you need to
1274 pass the -n option to sync_client -r with the channel name. Use
1275 this for a mesh style replication layout - every machine replicat‐
1276 ing to every other machine.
1277
1278 sync_password: <none>
1279 The default password to use when authenticating to a sync server.
1280 Prefix with a channel name to only apply for that channel
1281
1282 sync_port: csync
1283 Name of the service (or port number) of the replication service on
1284 replica host. The default is "csync" which is usually port 2005,
1285 but any service name or numeric port can be specified. Prefix
1286 with a channel name to only apply for that channel
1287
1288 sync_realm: <none>
1289 The authentication realm to use when authenticating to a sync
1290 server. Prefix with a channel name to only apply for that channel
1291
1292 sync_repeat_interval: 1
1293 Minimum interval (in seconds) between replication runs in rolling
1294 replication mode. If a replication run takes longer than this
1295 time, we repeat immediately. Prefix with a channel name to only
1296 apply for that channel
1297
1298 sync_shutdown_file: <none>
1299 Simple latch used to tell sync_client(8) that it should shut down
1300 at the next opportunity. Safer than sending signals to running
1301 processes. Prefix with a channel name to only apply for that
1302 channel
1303
1304 syslog_prefix: <none>
1305 String to be prepended to the process name in syslog entries.
1306
1307 tcp_keepalive: 0
1308 Enable keepalive on TCP connections
1309
1310 tcp_keepalive_cnt: 0
1311 Number of TCP keepalive probes to send before declaring the con‐
1312 nection dead (0 == system default)
1313
1314 tcp_keepalive_idle: 0
1315 Number of seconds a connection must be idle before keepalive
1316 probes are sent (0 == system default)
1317
1318 tcp_keepalive_intvl: 0
1319 Number of seconds between keepalive probes (0 == system default)
1320
1321 temp_path: /tmp
1322 The pathname to store temporary files in
1323
1324 timeout: 30
1325 The length of the IMAP server's inactivity autologout timer, in
1326 minutes. The minimum value is 30, the default.
1327
1328 tls_ca_file: <none>
1329 File containing one or more Certificate Authority (CA) certifi‐
1330 cates.
1331
1332 tls_ca_path: <none>
1333 Path to directory with certificates of CAs. This directory must
1334 have filenames with the hashed value of the certificates (see
1335 openssl(XXX)).
1336
1337 tlscache_db: skiplist
1338 The cyrusdb backend to use for the TLS cache.
1339
1340 Allowed values: berkeley, berkeley-nosync, berkeley-hash, berke‐
1341 ley-hash-nosync, skiplist, sql
1342
1343 tlscache_db_path: <none>
1344 The absolute path to the tlscache db file. If not specified, will
1345 be confdir/tls_sessions.db
1346
1347 tls_cert_file: <none>
1348 File containing the certificate presented for server authentica‐
1349 tion during STARTTLS. A value of "disabled" will disable SSL/TLS.
1350
1351 tls_cipher_list: DEFAULT
1352 The list of SSL/TLS ciphers to allow. The format of the string is
1353 described in ciphers(1).
1354
1355 tls_key_file: <none>
1356 File containing the private key belonging to the server certifi‐
1357 cate. A value of "disabled" will disable SSL/TLS.
1358
1359 tls_require_cert: 0
1360 Require a client certificate for ALL services (imap, pop3, lmtp,
1361 sieve).
1362
1363 tls_session_timeout: 1440
1364 The length of time (in minutes) that a TLS session will be cached
1365 for later reuse. The maximum value is 1440 (24 hours), the
1366 default. A value of 0 will disable session caching.
1367
1368 umask: 077
1369 The umask value used by various Cyrus IMAP programs.
1370
1371 userdeny_db: flat
1372 The cyrusdb backend to use for the user access list.
1373
1374 Allowed values: flat, berkeley, berkeley-hash, skiplist, sql
1375
1376 userdeny_db_path: <none>
1377 The absolute path to the userdeny db file. If not specified, will
1378 be confdir/user_deny.db
1379
1380 user_folder_limit: 0
1381 Limit the number of folders a user can create in their INBOX. Set
1382 to 0 (default) for no limit. Only affects folders in user.
1383
1384 username_tolower: 1
1385 Convert usernames to all lowercase before login/authentication.
1386 This is useful with authentication backends which ignore case dur‐
1387 ing username lookups (such as LDAP).
1388
1389 userprefix: Other Users
1390 If using the alternate IMAP namespace, the prefix for the other
1391 users namespace. The hierarchy delimiter will be automatically
1392 appended.
1393
1394 unix_group_enable: 1
1395 Should we look up groups when using auth_unix (disable this if you
1396 are not using groups in ACLs for your IMAP server, and you are
1397 using auth_unix with a backend (such as LDAP) that can make get‐
1398 grent() calls very slow)
1399
1400 unixhierarchysep: 0
1401 Use the UNIX separator character '/' for delimiting levels of
1402 mailbox hierarchy. The default is to use the netnews separator
1403 character '.'.
1404
1405 virtdomains: off
1406 Enable virtual domain support. If enabled, the user's domain will
1407 be determined by splitting a fully qualified userid at the last
1408 '@' or '%' symbol. If the userid is unqualified, and the virtdo‐
1409 mains option is set to "on", then the domain will be determined by
1410 doing a reverse lookup on the IP address of the incoming network
1411 interface, otherwise the user is assumed to be in the default
1412 domain (if set).
1413
1414 Allowed values: off, userid, on
1415
1416 xlist-*: <none>
1417 Cyrus 2.4 ONLY - enable special use flags. The valid names can be
1418 taken from GMail's XLIST documents or RFC 6154. Attribute name in
1419 the configuration key should be defined in lowercase. The
1420 attribute value is case sensitive, may contain whitespace and must
1421 be valid UTF7-IMAP string. It must exactly match the name of the
1422 subfolder of a user's INBOX.
1423
1424 Example: xlist-drafts: My Drafts
1425
1426 Every user on your server with a 'INBOX.My Drafts' folder will get
1427 the special use flag " versions of Cyrus have a much more flexible
1428 RFC 6154 compatible system.
1429
1430 tls_prefer_server_ciphers: 0
1431 Prefer the ciphers on the server side instead of client side
1432
1433 tls_versions: ssl2 ssl3 tls1_0 tls1_1 tls1_2
1434 A list of SSL/TLS versions to not disable. Cyrus IMAP SSL/TLS
1435 starts with all protocols, and subtracts protocols not in this
1436 list. Newer versions of SSL/TLS will need to be added here to
1437 allow them to get disabled.
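
Several options documented above have defaults or values that this page itself marks as permissive (tls_versions, sasl_minimum_layer, serverinfo, skiplist_unsafe, proxyservers, sql_usessl, umask, and the password options). The following Python script is an added example, not part of Cyrus or of this manual page: it parses the file format described at the top of the page and reports those settings. The choice of checks, the finding wording, and the sample configuration are assumptions of this example.

```python
# Added example: lint an imapd.conf against options documented on this page.
DEFAULTS = {  # defaults as listed on this page
    "tls_versions": "ssl2 ssl3 tls1_0 tls1_1 tls1_2",
    "sasl_minimum_layer": "0",
    "serverinfo": "on",
    "skiplist_unsafe": "0",
    "sql_usessl": "0",
    "umask": "077",
}
TRUE = {"yes", "on", "t", "true", "1"}
FALSE = {"no", "off", "f", "false", "0"}


def parse_imapd_conf(text):
    """Return {option: value}. A trailing backslash joins the next line with
    no whitespace inserted; blank lines and '#' lines are ignored."""
    options, pending = {}, ""
    for raw in text.splitlines():
        if raw.endswith("\\"):
            pending += raw[:-1]
            continue
        line, pending = pending + raw, ""
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            options[name.strip()] = value.strip()
    return options


def audit(text):
    """Return a list of (option, reason) findings for one configuration."""
    conf = parse_imapd_conf(text)

    def get(name):
        return conf.get(name, DEFAULTS.get(name, "")).lower()

    findings = []
    legacy = sorted({"ssl2", "ssl3"} & set(get("tls_versions").split()))
    if legacy:
        findings.append(("tls_versions", "legacy protocols stay enabled: " + " ".join(legacy)))
    layer = get("sasl_minimum_layer")
    if not layer.isdigit() or int(layer) < 2:
        findings.append(("sasl_minimum_layer", "values below 2 do not require encryption"))
    if get("serverinfo") not in FALSE | {"min"}:
        findings.append(("serverinfo", "product version shown in greeting and capabilities"))
    if get("skiplist_unsafe") in TRUE:
        findings.append(("skiplist_unsafe", "skiplist writes are not synced to disk"))
    if conf.get("proxyservers"):
        findings.append(("proxyservers", "can log in as any user: " + conf["proxyservers"]))
    if conf.get("sql_passwd") and get("sql_usessl") not in TRUE:
        findings.append(("sql_usessl", "sql_passwd is set but the SQL connection is not secured"))
    try:
        loose = (int(get("umask"), 8) & 0o077) != 0o077
    except ValueError:
        loose = True  # an unparsable umask is reported rather than trusted
    if loose:
        findings.append(("umask", "files may be group- or world-accessible: " + get("umask")))
    secrets = sorted(k for k in conf if k == "sql_passwd" or k.endswith("_password"))
    if secrets:
        findings.append(("secrets", "passwords in file, restrict its mode: " + " ".join(secrets)))
    return findings


# Constructed sample configuration (not taken from a real server).
SAMPLE = """\
# murder backend
tls_versions: ssl3 tls1_0 \\
tls1_1 tls1_2
serverinfo: min
proxyservers: murder-fe
sql_engine: pgsql
sql_passwd: example-only
umask: 022
"""

if __name__ == "__main__":
    for option, reason in audit(SAMPLE):
        print(f"{option}: {reason}")
```

An empty configuration still produces findings, because the defaults listed on this page keep ssl2 and ssl3 enabled, set sasl_minimum_layer to 0 and set serverinfo to on.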
1438
1439
1441 imapd(8), pop3d(8), nntpd(8), lmtpd(8), timsieved(8), idled(8), noti‐
1442 fyd(8), deliver(8), cyrus-master(8), ciphers(1)
1443
1444
1445
1446
1447CMU Project Cyrus IMAPD.CONF(5)