IMAPD.CONF(5)                     Cyrus IMAP                     IMAPD.CONF(5)


       imapd.conf - Cyrus IMAP documentation
       IMAP configuration file


          /etc/imapd.conf is the configuration file for the Cyrus IMAP server.
          It defines local parameters for IMAP.

          Each line of the /etc/imapd.conf file has the form

                 option: value

          where option is the name of the configuration option being set and
          value is the value that the configuration option is being set to.

          Although there is no limit to the length of a line, a “\”
          (backslash) character may be used as the last character on a line
          to force it to continue on the next one. No additional whitespace
          is inserted before or after the “\”. Note that a line that is split
          using “\” character(s) is still considered a single line.

          For example

                 option:\
                     value1 value2 \
                        value3

          is equivalent to

                 option: value1 value2   value3

          Blank lines and lines beginning with “#” are ignored.

          For boolean and enumerated options, the values “yes”, “on”, “t”,
          “true” and “1” turn the option on, the values “no”, “off”, “f”,
          “false” and “0” turn the option off.

          Duration options take the form of a number followed by a unit, for
          example 32m (32 minutes). Units are d (days), h (hours), m
          (minutes) and s (seconds). Multiple units can be combined and will
          be summed together, for example 1h30m is equivalent to 90m. If no
          unit is specified, an option-specific backward-compatible default
          unit is assumed (documented on an option-by-option basis). These
          are simple time units: 1d=24h, 1h=60m, 1m=60s (daylight savings,
          timezones, leap adjustments, etc are not considered).
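
          The file format described above, as an added Python example (not
          part of the Cyrus documentation or code base). It assumes that
          whitespace before “#” is tolerated, that boolean words are matched
          case-insensitively, and that a leading “-” negates a duration; the
          sample file is constructed.

```python
import re

TRUE_VALUES = {"yes", "on", "t", "true", "1"}
FALSE_VALUES = {"no", "off", "f", "false", "0"}
UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}  # 1d=24h, 1h=60m, 1m=60s


def logical_lines(text):
    """Join physical lines that end in a backslash.

    Nothing is inserted at the join, so a token split across two physical
    lines is fused into one token.
    """
    pending = ""
    for raw in text.splitlines():
        if raw.endswith("\\"):
            pending += raw[:-1]
            continue
        yield pending + raw
        pending = ""
    if pending:  # file ended on a continuation
        yield pending


def parse_conf(text):
    """Return {option: value}; blank lines and '#' comment lines are skipped."""
    options = {}
    for line in logical_lines(text):
        stripped = line.strip()
        # Assumption: whitespace before '#' is tolerated.
        if not stripped or stripped.startswith("#"):
            continue
        name, sep, value = stripped.partition(":")
        if not sep:
            raise ValueError(f"not an 'option: value' line: {line!r}")
        options[name.strip()] = value.strip()
    return options


def parse_bool(value):
    """Map the documented on/off words to True/False."""
    word = value.strip().lower()  # assumption: case-insensitive match
    if word in TRUE_VALUES:
        return True
    if word in FALSE_VALUES:
        return False
    raise ValueError(f"not a boolean value: {value!r}")


def parse_duration(value, default_unit):
    """Return seconds. Terms such as 1h30m are summed; a bare number uses
    the option-specific default_unit ('d', 'h', 'm' or 's')."""
    value = value.strip()
    negative = value.startswith("-")  # assumption: leading '-' negates the sum
    body = value[1:] if negative else value
    if re.fullmatch(r"[0-9]+", body):
        seconds = int(body) * UNIT_SECONDS[default_unit]
    elif re.fullmatch(r"(?:[0-9]+[dhms])+", body):
        terms = re.findall(r"([0-9]+)([dhms])", body)
        seconds = sum(int(n) * UNIT_SECONDS[u] for n, u in terms)
    else:
        raise ValueError(f"not a duration: {value!r}")
    return -seconds if negative else seconds


# Constructed sample, not a recommended configuration.
SAMPLE = """\
# comment lines and blank lines are ignored

configdirectory: /var/lib/imap
admins: cyrus \\
    backupadmin
allowplaintext: no
archive_after: 1h30m
client_timeout: 10
backup_retention: 7
"""

if __name__ == "__main__":
    conf = parse_conf(SAMPLE)
    print(conf["admins"].split())
    print(parse_bool(conf["allowplaintext"]))
    print(parse_duration(conf["archive_after"], "d"))     # units given
    print(parse_duration(conf["client_timeout"], "s"))    # default unit: seconds
    print(parse_duration(conf["backup_retention"], "d"))  # default unit: days
```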


          The sections below detail options that can be placed in the
          /etc/imapd.conf file, and show each option’s default value. Some
          options have no default value, these are listed with
          “<no default>”. Some options default to the empty string, these are
          listed with “<none>”.

          addressbookprefix: #addressbooks
              The prefix for the addressbook mailboxes hierarchies. The
              hierarchy delimiter will be automatically appended. The public
              addressbook hierarchy will be at the toplevel of the shared
              namespace. A user’s personal addressbook hierarchy will be a
              child of their Inbox.

          admins: <empty string>
              The list of userids with administrative rights. Separate each
              userid with a space. Sites using Kerberos authentication may
              use separate “admin” instances.

              Note that accounts used by users should not be administrators.
              Administrative accounts should not receive mail. That is, if
              user “jbRo” is a user reading mail, he should not also be in the
              admins line. Some problems may occur otherwise, most notably
              the ability of administrators to create top-level mailboxes
              visible to users, but not writable by users.

          afspts_localrealms: <none>
              The list of realms which are to be treated as local, and thus
              stripped during identifier canonicalization (for the AFSPTS
              ptloader module). This is different from loginrealms in that it
              occurs later in the authorization process (as the user id is
              canonified for PTS lookup).

          afspts_mycell: <none>
              Cell to use for AFS PTS lookups. Defaults to the local cell.

          allowallsubscribe: 0
              Allow subscription to nonexistent mailboxes. This option is
              typically used on backend servers in a Murder so that users can
              subscribe to mailboxes that don’t reside on their “home” server.
              This option can also be used as a workaround for IMAP clients
              which don’t play well with nonexistent or unselectable mailboxes
              (e.g., Microsoft Outlook).

          allowanonymouslogin: 0
              Permit logins by the user “anonymous” using any password. Also
              allows use of the SASL ANONYMOUS mechanism.

          allowapop: 1
              Allow use of the POP3 APOP authentication command.

              Note that this command requires that SASL is compiled with APOP
              support, that the plaintext passwords are available in a SASL
              auxprop backend (e.g., sasldb), and that the system can provide
              enough entropy (e.g., from /dev/urandom) to create a challenge
              in the banner.

          allowdeleted: 0
              Allow access to deleted and expunged data via vendor.cmu-*
              access.

          allownewnews: 0
              Allow use of the NNTP NEWNEWS command.

              Note that this is a very expensive command and should only be
              enabled when absolutely necessary.

          allowplaintext: 0
              If enabled, allows the use of cleartext passwords on the wire.

              By default, the use of cleartext passwords requires a TLS/SSL
              encryption layer to be negotiated prior to any cleartext
              authentication mechanisms being advertised or allowed. To
              require a TLS/SSL encryption layer to be negotiated prior to ANY
              authentication, see the tls_required option.
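
          A review of the authentication-related options described so far
          (admins, allowanonymouslogin, allowapop, allowplaintext) together
          with anyoneuseracl and auditlog from later on this page, as an
          added Python example that is not part of Cyrus. The audit()
          function, its messages and the sample settings are constructed
          for illustration; the defaults are the ones this page lists.

```python
# Defaults as listed on this page; a missing option takes its default.
DEFAULTS = {
    "admins": "",
    "allowanonymouslogin": "0",
    "allowapop": "1",
    "allowplaintext": "0",
    "anyoneuseracl": "1",
    "auditlog": "0",
}
ON_VALUES = {"yes", "on", "t", "true", "1"}


def enabled(options, name):
    """True if the boolean option is on, falling back to the page default."""
    return options.get(name, DEFAULTS[name]).strip().lower() in ON_VALUES


def audit(options, mail_users=()):
    """Return (option, message) findings for an {option: value} mapping.

    mail_users is the set of userids that read mail on this server; the page
    says such accounts should not appear in the admins line.
    """
    findings = []
    if enabled(options, "allowanonymouslogin"):
        findings.append(("allowanonymouslogin",
                         "user 'anonymous' may log in with any password"))
    if enabled(options, "allowplaintext"):
        findings.append(("allowplaintext",
                         "cleartext passwords are accepted without a TLS layer"))
    if enabled(options, "allowapop"):
        findings.append(("allowapop",
                         "APOP needs plaintext passwords stored in a SASL "
                         "auxprop backend; on by default"))
    admins = set(options.get("admins", DEFAULTS["admins"]).split())
    for user in sorted(admins & set(mail_users)):
        findings.append(("admins",
                         f"'{user}' both reads mail and has admin rights"))
    if enabled(options, "anyoneuseracl"):
        findings.append(("anyoneuseracl",
                         "non-admin users may grant rights to 'anyone'; "
                         "on by default"))
    if not enabled(options, "auditlog"):
        findings.append(("auditlog",
                         "per-message action logging is off; off by default"))
    return findings


# Constructed settings: a permissive file beside a tightened one.
PERMISSIVE = {
    "admins": "cyrus jbRo",
    "allowanonymouslogin": "yes",
    "allowplaintext": "1",
}
TIGHTENED = {
    "admins": "cyrus",
    "allowanonymouslogin": "no",
    "allowapop": "no",
    "allowplaintext": "no",
    "anyoneuseracl": "no",
    "auditlog": "yes",
}

if __name__ == "__main__":
    for label, conf in (("permissive", PERMISSIVE), ("tightened", TIGHTENED)):
        print(label)
        for option, message in audit(conf, mail_users={"jbRo"}):
            print(f"  {option}: {message}")
```

          An empty mapping is audited against the defaults alone, which
          shows what a file that sets none of these options leaves enabled.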
          allowsetacl: 1
              Defaults to enabled. If disabled, disallows the use of the
              SETACL command at all via IMAP.

          allowusermoves: 0
              Allow moving user accounts (with associated meta-data) via
              RENAME or XFER.

              Note that measures should be taken to make sure that the user
              being moved is not logged in, and cannot login during the move.
              Failure to do so may result in the user’s meta-data (seen state,
              subscriptions, etc) being corrupted or out of date.

          altnamespace: 1
              Use the alternate IMAP namespace, where personal folders reside
              at the same level in the hierarchy as INBOX.

              This option ONLY applies where interaction takes place with the
              client/user. Currently this is limited to the IMAP protocol
              (imapd) and Sieve scripts (lmtpd). This option does NOT apply
              to admin tools such as cyradm (admins ONLY), reconstruct, quota,
              etc., NOR does it affect LMTP delivery of messages directly to
              mailboxes via plus-addressing. The default changed in 3.0 from
              off to on.

          altprefix: Alt Folders
              Alternative INBOX spellings that can’t be accessed in
              altnamespace otherwise go under here.

          annotation_db: twoskip
              The cyrusdb backend to use for mailbox annotations.

              Allowed values: skiplist, twoskip, zeroskip

          annotation_db_path: <none>
              The absolute path to the annotations db file. If not specified,
              will be configdirectory/annotations.db

          anyoneuseracl: 1
              Should non-admin users be allowed to set ACLs for the ‘anyone’
              user on their mailboxes? In a large organization this can cause
              support problems, but it’s enabled by default.

          annotation_allow_undefined: 0
              Allow clients to store values for entries which are not defined
              either by Cyrus or in the annotations_definitions file.

          annotation_definitions: <none>
              File containing external (third-party) annotation definitions.

              Each line of the file specifies the properties of an annotation
              and has the following form:

                 name, scope, attrib-type, proxy-type, attrib-names, acl

              name   is the hierarchical name as in RFC 5257 or RFC 5464 (in
                     the latter case, without the leading /shared or
                     /private). For example, /vendor/acme/blurdybloop.

              scope  specifies whether the annotation is for the server, a
                     mailbox, or a message.

              attrib-type
                     specifies the attribute data type, which is used only
                     to check the string value passed by clients when
                     setting annotations. The attrib-type is one of:

                     string any value is accepted.

                     content-type
                            this obsolete data type, which was useful for
                            early drafts of the standard, is accepted but
                            silently translated to string.

                     boolean
                            only the strings “true” or “false” are accepted.
                            Checking is case-insensitive but the value is
                            forced to lowercase.

                     int    integers are accepted.

                     uint   non-negative integers are accepted.

              proxy-type
                     specifies whether this attribute is for the backend or
                     proxy servers or both (proxy_and_backend)

              attrib-names
                     is the space-separated list of available attributes for
                     the annotation. Possible attribute names are
                     value.shared, value.priv, and value (which permits both
                     value.priv and value.shared). The attribute names size,
                     size.shared, and size.priv are accepted but ignored;
                     these attributes are automatically provided by the server
                     if the corresponding value attribute is specified. Some
                     obsolete attributes, which were defined in early drafts
                     of the standard, are accepted and ignored with a warning.

              extra-permissions
                     is the extra ACL permission bits required for setting
                     this annotation, in standard IMAP ACL permission bit
                     string format. Note that this is in addition to the
                     permission bits specified in RFC 5257 and RFC 5464, so
                     leaving this field empty is harmless. Note also that
                     there is no way to specify that an annotation can only
                     be set by an admin user; in particular the a permission
                     bit does not achieve this.

                     Blank lines and lines beginning with “#” are ignored.
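
              A checker for the annotation_definitions line format and the
              attrib-type value rules described above, as an added Python
              example that is not Cyrus code. The scope words “mailbox” and
              “message”, the acceptance of a leading sign for int, the
              second annotation name and the note texts are assumptions of
              this example.

```python
import re

FIELDS = ("name", "scope", "attrib_type", "proxy_type", "attrib_names", "acl")
TYPES = {"string", "boolean", "int", "uint"}
VALUE_ATTRS = {"value", "value.shared", "value.priv"}
SIZE_ATTRS = {"size", "size.shared", "size.priv"}


def parse_definition(line):
    """Split one definition line into its six fields and collect notes."""
    parts = [p.strip() for p in line.split(",")]
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} comma-separated fields: {line!r}")
    entry = dict(zip(FIELDS, parts))
    notes = []
    if entry["attrib_type"] == "content-type":
        entry["attrib_type"] = "string"  # silently translated, per the page
        notes.append("content-type is obsolete and treated as string")
    if entry["attrib_type"] not in TYPES:
        raise ValueError(f"unknown attrib-type: {entry['attrib_type']!r}")
    names = entry["attrib_names"].split()
    entry["attrib_names"] = [n for n in names if n in VALUE_ATTRS]
    for n in names:
        if n in SIZE_ATTRS:
            notes.append(f"{n} is ignored; the server provides it")
        elif n not in VALUE_ATTRS:
            notes.append(f"{n} is not one of the listed attribute names")
    if "a" in entry["acl"]:
        # The page states the 'a' bit does not make an annotation admin-only.
        notes.append("the a permission bit does not restrict setting to admins")
    entry["notes"] = notes
    return entry


def load_definitions(text):
    """Parse a definitions file, skipping blank lines and '#' comments."""
    return [parse_definition(line) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def check_value(attrib_type, value):
    """Return the value as it would be stored, or raise ValueError."""
    if attrib_type in ("string", "content-type"):
        return value
    if attrib_type == "boolean":
        lowered = value.lower()  # case-insensitive check, forced to lowercase
        if lowered not in ("true", "false"):
            raise ValueError(f"not a boolean: {value!r}")
        return lowered
    if attrib_type == "int" and re.fullmatch(r"[+-]?[0-9]+", value):
        return value  # assumption: a leading sign is allowed
    if attrib_type == "uint" and re.fullmatch(r"[0-9]+", value):
        return value
    raise ValueError(f"{value!r} is not valid for attrib-type {attrib_type!r}")


# Constructed sample; the first name is the page's own example.
SAMPLE = """\
# constructed sample definitions
/vendor/acme/blurdybloop, mailbox, content-type, proxy_and_backend, value.shared size.shared, a
/vendor/acme/reviewed, message, boolean, proxy_and_backend, value,
"""

if __name__ == "__main__":
    for entry in load_definitions(SAMPLE):
        print(entry["name"], entry["attrib_type"], entry["attrib_names"])
        for note in entry["notes"]:
            print("  note:", note)
    print(check_value("boolean", "TRUE"))
```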
          annotation_callout: <none>
              The pathname of a callout to be used to automatically add
              annotations or flags to a message when it is appended to a
              mailbox. The path can be either an executable (including a
              script), or a UNIX domain socket.

          annotation_callout_disable_append: 0
              Disables annotations on append with xrunannotator

          annotation_enable_legacy_commands: 0
              Whether to enable the legacy GETANNOTATION/SETANNOTATION
              commands. These commands are deprecated and will be removed in
              the future, but might be useful in the meantime for supporting
              old clients that do not implement the RFC 5464 IMAP METADATA
              extension.

          aps_topic: <none>
              Topic for Apple Push Service registration.

          aps_topic_caldav: <none>
              Topic for Apple Push Service registration for CalDAV.

          aps_topic_carddav: <none>
              Topic for Apple Push Service registration for CardDAV.

          archive_enabled: 0
              Is archiving enabled for this server. You also need to have an
              archivepartition for the mailbox. Archiving allows older email
              to be stored on slower, cheaper disks - even within the same
              mailbox, as distinct from partitions.

          archive_days: <none>
              Deprecated in favour of archive_after.

          archive_after: 7d
              The duration after which to move messages to the archive
              partition if archiving is enabled.

              For backward compatibility, if no unit is specified, days is
              assumed.

          archive_maxsize: 1024
              The size in kilobytes of the largest message that won’t be
              archived immediately. Default is 1Mb

          archive_keepflagged: 0
              If set, messages with the \Flagged system flag won’t be
              archived, provided they are smaller than archive_maxsize.

          archivepartition-name: <none>
              The pathname of the archive partition name, corresponding to
              spool partition partition-name. For any mailbox residing in a
              directory on partition-name, the archived messages will be
              stored in a corresponding directory on archivepartition-name.
              Note that not every partition-name option is strictly required
              to have a corresponding archivepartition-name option, but that
              without one there’s no benefit to enabling archiving.

          auditlog: 0
              Should cyrus output log entries for every action taken on a
              message file or mailboxes list entry? It’s noisy so disabled by
              default, but can be very useful for tracking down what happened
              if things look strange.

          auth_mech: unix
              The authorization mechanism to use.

              Allowed values: unix, pts, krb, krb5

          autocreateinboxfolders: <none>
              Deprecated in favor of autocreate_inbox_folders.

          autocreatequota: 0
              Deprecated in favor of autocreate_quota.

          autocreatequotamsg: -1
              Deprecated in favor of autocreate_quota_messages.

          autosievefolders: <none>
              Deprecated in favor of autocreate_sieve_folders.

          generate_compiled_sieve_script: 0
              Deprecated in favor of autocreate_sieve_script_compile.

          autocreate_sieve_compiled_script: <none>
              Deprecated in favor of autocreate_sieve_script_compiled.

          autosubscribeinboxfolders: <none>
              Deprecated in favor of autocreate_subscribe_folders.

          autosubscribesharedfolders: <none>
              Deprecated in favor of autocreate_subscribe_sharedfolders.

          autosubscribe_all_sharedfolders: 0
              Deprecated in favor of autocreate_subscribe_sharedfolders_all.
          autocreate_acl: <none>
              If folders are to be created by autocreate_inbox_folders, this
              setting can be used to apply additional ACLs to the autocreated
              folders. The syntax is “autocreate_acl folder identifier
              rights”, where folder must match one of the
              autocreate_inbox_folders folders, identifier must be a valid
              cyrus identifier, and rights must be a valid cyrus rights
              string. Multiple identifier|rights pairs can be assigned to a
              single folder by providing this setting multiple times.

              For example, “autocreate_acl Plus anyone p” would allow lmtp
              delivery to a folder named “Plus”.

          autocreate_inbox_folders: <none>
              If a user does not have an INBOX already, and the INBOX is to be
              created, create the list of folders in this setting as well.
              autocreate_inbox_folders is a list of INBOX’s subfolders
              separated by a “|”, that are automatically created by the server
              under the following two scenarios. Leading and trailing
              whitespace is stripped, so “Junk | Trash” results in two
              folders: “Junk” and “Trash”. See also the xlist-flag option, for
              setting special-use flags on autocreated folders.

              INBOX folders are created under both the following conditions:

              1. The user logs in via the IMAP or the POP3 protocol.
                 autocreate_quota option must have a value of zero or greater.

              2. A message arrives for the user through the lmtpd(8).
                 autocreate_post option must be enabled.

          autocreate_post: 0
              If enabled, when lmtpd(8) receives an incoming mail for an INBOX
              that does not exist, then the INBOX is automatically created by
              lmtpd(8) and delivery of the message continues.

          autocreate_quota: -1
              If set to a value of zero or higher, users have their INBOX
              folders created upon a successful login event or upon lmtpd(8)
              message delivery if autocreate_post is enabled, provided their
              INBOX did not yet already exist.

              The user’s quota is set to the value if it is greater than zero,
              otherwise the user has unlimited quota.

              Note that quota is specified in kilobytes.

          autocreate_quota_messages: -1
              If set to a value of zero or higher, users who have their INBOX
              folders created upon a successful login event (see
              autocreate_quota), or upon lmtpd(8) message delivery if
              autocreate_post is enabled, receive the message quota configured
              in this option.

              The default of -1 disables assigning message quota.

              For consistency with autocreate_quota, a value of zero is
              treated as unlimited message quota, rather than a message quota
              of zero.

          autocreate_sieve_folders: <none>
              A “|” separated list of subfolders of INBOX that will be
              automatically created, if requested by a sieve filter, through
              the “fileinto” action. The default is to create no folders
              automatically.

              Leading and trailing whitespace is stripped from each folder, so
              a setting of “Junk | Trash” will create two folders: “Junk” and
              “Trash”.

          autocreate_sieve_script: <none>
              The full path of a file that contains a sieve script. This
              script automatically becomes a user’s initial default sieve
              filter script.

              When this option is not defined, no default sieve filter is
              created. The file must be readable by the Cyrus daemon.

          autocreate_sieve_script_compile: 0
              If set to yes and no compiled sieve script file exists, the
              sieve script which is compiled on the fly will be saved in the
              file name that the autocreate_sieve_script_compiled option
              points to. In order for a compiled script to be generated,
              autocreate_sieve_script and autocreate_sieve_script_compiled
              must have valid values.

          autocreate_sieve_script_compiled: <none>
              The full path of a file that contains a sieve script compiled
              to bytecode. This script automatically becomes a user’s initial
              default sieve filter script. If this option is not specified,
              or the filename doesn’t exist, then the script defined by
              autocreate_sieve_script is compiled on the fly and installed as
              the user’s default sieve script.

          autocreate_subscribe_folders: <none>
              A list of folder names, separated by “|”, that the users get
              automatically subscribed to, when their INBOX is created. These
              folder names must have been included in the
              autocreateinboxfolders option of the imapd.conf.

          autocreate_subscribe_sharedfolders: <none>
              A list of shared folders (bulletin boards), separated by “|”,
              that the users get automatically subscribed to, after their
              INBOX is created. The shared folder must have been created and
              the user must have the required permissions to get subscribed to
              it. Otherwise, subscribing to the shared folder fails.

          autocreate_subscribe_sharedfolders_all: 0
              If set to yes, the user is automatically subscribed to all
              shared folders that they have permission to subscribe to.

          autocreate_users: anyone
              A space separated list of users and/or groups that are allowed
              their INBOX to be automatically created.

          autoexpunge: 0
              If set to yes, then all Deleted messages will be automatically
              expunged whenever an index is closed, whether CLOSE, UNSELECT,
              SELECT or on disconnect.
          backuppartition-name: <none>
              The pathname of the backup partition name. At least one backup
              partition pathname MUST be specified if backups are in use.
              Note that there is no relationship between spool partitions and
              backup partitions.

          backup_compact_minsize: 0
              The minimum size in kilobytes of chunks in each backup. The
              compact tool will try to combine adjacent chunks that are
              smaller than this.

              Setting this value to zero or negative disables combining of
              chunks.

          backup_compact_maxsize: 0
              The maximum size in kilobytes of chunks in each backup. The
              compact tool will try to split chunks larger than this into
              smaller chunks.

              Setting this value to zero or negative disables splitting of
              chunks.

          backup_compact_work_threshold: 1
              The number of chunks that must obviously need compaction before
              the compact tool will go ahead with the compaction. If set to
              less than one, the value is treated as being one.

          backup_staging_path: <none>
              The absolute path of the backup staging area. If not specified,
              will be temp_path/backup

          backup_retention_days: <none>
              Deprecated in favor of backup_retention.

          backup_retention: 7d
              How long to keep content in backup after it has been deleted
              from the source. If set to a negative value or zero, deleted
              content will be kept indefinitely.

              For backward compatibility, if no unit is specified, days is
              assumed.

          backup_db: twoskip
              The cyrusdb backend to use for the backup locations database.

              Allowed values: skiplist, sql, twoskip, zeroskip

          backup_db_path: <none>
              The absolute path to the backup db file. If not specified, will
              be configdirectory/backups.db

          backup_keep_previous: 0
              Whether the ctl_backups compact and ctl_backups reindex commands
              should preserve the original file. The original file will be
              named with a timestamped suffix. This is mostly useful for
              debugging.

              Note that with this enabled, compacting a backup will actually
              increase the disk used by it (because there will now be an extra
              copy: the original version, and the compacted version).

          boundary_limit: 1000
              Messages are parsed recursively and a deep enough MIME structure
              can cause a stack overflow. Do not parse deeper than this many
              layers of MIME structure. The default of 1000 is much higher
              than any sane message should have.
          caldav_allowattach: 1
              Enable managed attachments support on the CalDAV server.

          caldav_allowcalendaradmin: 0
              Enable per-user calendar administration web UI on the CalDAV
              server.

          caldav_allowscheduling: on
              Enable calendar scheduling operations. If set to “apple”, the
              server will emulate Apple CalendarServer behavior as closely as
              possible. Allowed values: off, on, apple

          caldav_create_attach: 1
              Create the ‘Attachments’ collection if it doesn’t already exist

          caldav_create_default: 1
              Create the ‘Default’ calendar if it doesn’t already exist

          caldav_create_sched: 1
              Create the ‘Inbox’ and ‘Outbox’ calendars if they don’t already
              exist

          caldav_historical_age: 7d
              How long after an occurrence of event or task has concluded that
              it is considered ‘historical’. Changes to historical
              occurrences of events or tasks WILL NOT have invite or reply
              messages sent for them. A negative value means that events and
              tasks are NEVER considered historical.

              For backward compatibility, if no unit is specified, days is
              assumed.

          caldav_maxdatetime: 20380119T031407Z
              The latest date and time accepted by the server (ISO format).
              This value is also used for expanding non-terminating recurrence
              rules.

              Note that increasing this value will require the DAV databases
              for calendars to be reconstructed with the dav_reconstruct
              utility in order to see its effect on server-side time-based
              queries.

          caldav_mindatetime: 19011213T204552Z
              The earliest date and time accepted by the server (ISO format).

          caldav_realm: <none>
              The realm to present for HTTP authentication of CalDAV
              resources. If not set (the default), the value of the
              “servername” option will be used.

          calendarprefix: #calendars
              The prefix for the calendar mailboxes hierarchies. The
              hierarchy delimiter will be automatically appended. The public
              calendar hierarchy will be at the toplevel of the shared
              namespace. A user’s personal calendar hierarchy will be a child
              of their Inbox.

          calendar_user_address_set: <none>
              Space-separated list of domains corresponding to calendar user
              addresses for which the server is responsible. If not set (the
              default), the value of the “servername” option will be used.

          calendar_component_set: VEVENT VTODO VJOURNAL VFREEBUSY VAVAILABILITY VPOLL
              Space-separated list of iCalendar component types that calendar
              object resources may contain in a calendar collection. This
              restriction is only set at calendar creation time and only if
              the CalDAV client hasn’t specified a restriction in the creation
              request. Allowed values: VEVENT, VTODO, VJOURNAL, VFREEBUSY,
              VAVAILABILITY, VPOLL

          carddav_allowaddmember: 0
              Enable support for POST add-member on the CardDAV server.

          carddav_allowaddressbookadmin: 0
              Enable per-user addressbook administration web UI on the CardDAV
              server.

          carddav_realm: <none>
              The realm to present for HTTP authentication of CardDAV
              resources. If not set (the default), the value of the
              “servername” option will be used.

          carddav_repair_vcard: 0
              If enabled, VCARDs with invalid content are attempted to be
              repaired during creation.
602          chatty: 0
603              If  yes,  syslog tags and commands for every IMAP command, mail‐
604              boxes for every lmtp connection, every POP3 command, etc
606          client_bind: 0
607              If enabled, a specific IP will be bound when performing a client
608              connection.   client_bind_name  is  used if it is set, otherwise
609              servername is used.  This is useful on multi-homed servers where
610              Cyrus should not use other services’ interfaces.
612              If not enabled (the default), no bind will be performed.  Client
613              connections will use an IP chosen by the operating system.
615          client_bind_name: <none>
616              IPv4, IPv6 address or hostname to bind  for  client  connections
617              when  client_bind is enabled.  If not set (the default), server‐
618              name will be used.
620          client_timeout: 10s
621              Time to wait before returning a timeout failure when  performing
622              a client connection (e.g. in a murder environment).
624              For  backward compatibility, if no unit is specified, seconds is
625              assumed.
627          commandmintimer: <none>
628              Time in seconds. Any imap command that takes  longer  than  this
629              time is logged.
631          configdirectory: <none>
632              The pathname of the IMAP configuration directory.  This field is
633              required.
635          createonpost: 0
636              Deprecated in favor of autocreate_post.
638          conversations: 0
639              Enable  the  XCONVERSATIONS  extensions.   Extract  conversation
640              tracking  information  from  incoming messages and track them in
641              per-user databases.
643          conversations_counted_flags: <none>
644              space-separated list of flags for which per-conversation  counts
645              will  be  kept.  Note that you need to reconstruct the conversa‐
646              tions database with ctl_conversationsdb if you change  this  op‐
647              tion on a running server, or the counts will be wrong.
649          conversations_db: skiplist
650              The  cyrusdb backend to use for the per-user conversations data‐
651              base.
653              Allowed values: skiplist, sql, twoskip, zeroskip
655          conversations_expire_days: <none>
656              Deprecated in favor of conversations_expire_after.
658          conversations_expire_after: 90d
659              How long the conversations database keeps the  message  tracking
660              information  needed  for receiving new messages in existing con‐
661              versations.
663              For backward compatibility, if no unit is specified, days is as‐
664              sumed.
666          conversations_max_thread: 100
667              Maximum size for a single thread.  Threads will split if they
668              have this many messages in them and another message arrives.
670          crossdomains: 0
671              Enable cross domain sharing.  This works best with alt namespace
672              and   unix   hierarchy   separators   on,   so   you  get  Other
673              Users/foo@example.com/
675          crossdomains_onlyother: 0
676              only show the domain for users in other domains  than  your  own
677              (for backwards compatibility if you’re already sharing
679          cyrus_group: <none>
680              The  name  of the group Cyrus services will run as.  If not con‐
681              figured, the primary group of cyrus_user will be  used.  Can  be
682              further overridden by setting the $CYRUS_GROUP environment vari‐
683              able.
685          cyrus_user: <none>
686              The username to use as the ‘cyrus’ user.  If not configured, the
687              compile  time default will be used. Can be further overridden by
688              setting the $CYRUS_USER environment variable.
690          davdriveprefix: #drive
691              The prefix for the DAV storage mailboxes hierarchies.  The hier‐
692              archy  delimiter  will  be  automatically  appended.  The public
693              storage hierarchy will be at the toplevel of  the  shared  name‐
694              space.   A  user’s personal storage hierarchy will be a child of
695              their Inbox.
697          davnotificationsprefix: #notifications
698              The prefix for the DAV notifications hierarchy.   The  hierarchy
699              delimiter  will be automatically appended.  The public notifica‐
700              tions hierarchy will be at the toplevel of the shared namespace.
701              A  user’s  personal  notifications  hierarchy will be a child of
702              their Inbox.
704          dav_realm: <none>
705              The realm to present for HTTP authentication of generic DAV  re‐
706              sources  (principals).   If  not set (the default), the value of
707              the “servername” option will be used.
709          dav_lock_timeout: 20s
710              The maximum time to wait for a write lock on  the  per-user  DAV
711              database before timeout. For HTTP requests, the HTTP status code
712              503 is returned if the lock can  not  be  obtained  within  this
713              time.
715              For  backward compatibility, if no unit is specified, seconds is
716              assumed.
718          debug_command: <none>
719              Debug command to be used by processes started  with  -D  option.
720              The  string  is a C format string that gets 3 options: the first
721              is the name of the executable (as specified in the cmd parameter
722              in cyrus.conf). The second is the pid (integer) and the third is
723              the service ID.  Example:  /usr/local/bin/gdb  /usr/cyrus/bin/%s
724              %d
726          defaultacl: anyone lrs
727              The   Access  Control  List  (ACL)  placed  on  a  newly-created
728              (non-user) mailbox that does not have a parent mailbox.
730          defaultdomain: internal
731              The default domain for virtual domain support
733          defaultpartition: <none>
734              The partition name used by default for new  mailboxes.   If  not
735              specified,  the  partition with the most free space will be used
736              for new mailboxes.
738              Note that the partition specified by this option  must  also  be
739              specified as partition-name, where you substitute ‘name’ for the
740              alphanumeric string you set defaultpartition to.
742          defaultsearchtier: <empty string>
743              Name of the default tier  that  messages  will  be  indexed  to.
744              Search  indexes can be organized in tiers to allow index storage
745              in different directories and physical media. See the man page of
746              squatter  for details. The default search tier also requires the
747              definition of an according searchtierpartition-name entry.
749              This option MUST be specified for xapian search.
751          defaultserver: <none>
752              The backend server name used by default for new  mailboxes.   If
753              not  specified, the server with the most free space will be used
754              for new mailboxes.
756          deletedprefix: DELETED
757              With delete_mode set to delayed, the deletedprefix  setting  de‐
758              fines the prefix for the hierarchy of deleted mailboxes.
760              The hierarchy delimiter will be automatically appended.
762          delete_mode: delayed
763              The  manner  in  which mailboxes are deleted. In the default de‐
764              layed mode, mailboxes that are being deleted are  renamed  to  a
765              special mailbox hierarchy under the deletedprefix, to be removed
766              later by cyr_expire(8).
768              In immediate mode, the mailbox is removed  from  the  filesystem
769              immediately.
771              Allowed values: immediate, delayed
773          delete_unsubscribe: 0
774              Whether  to  also  unsubscribe  from  mailboxes  when  they  are
775              deleted.  Note that this behaviour contravenes RFC 3501  section
776              6.3.9,  but may be useful for avoiding user/client software con‐
777              fusion.  The default is ‘no’.
779          deleteright: c
780              Deprecated - only used for backwards compatibility with existing
781              installations.   Lists  the old RFC 2086 right which was used to
782              grant the user the ability to delete a mailbox.  If a  user  has
783              this right, they will automatically be given the new ‘x’ right.
785          disable_user_namespace: 0
786              Preclude  list  command on user namespace.  If set to ‘yes’, the
787              LIST response will never include any other user’s mailbox.   Ad‐
788              min users will always see all mailboxes.  The default is ‘no’.
790          disable_shared_namespace: 0
791              Preclude list command on shared namespace.  If set to ‘yes’, the
792              LIST response will never include any non-user mailboxes.   Admin
793              users will always see all mailboxes.  The default is ‘no’.
795          disconnect_on_vanished_mailbox: 0
796              If  enabled,  IMAP/POP3/NNTP clients will be disconnected by the
797              server if the currently selected mailbox is (re)moved by another
798              session.   Otherwise,  the  missing  mailbox is treated as empty
799              while in use by the client.
801          ischedule_dkim_domain: <none>
802              The domain to be reported as doing iSchedule DKIM signing.
804          ischedule_dkim_key_file: <none>
805              File containing the private key for iSchedule DKIM signing.
807          ischedule_dkim_required: 1
808              A DKIM signature is required on received iSchedule requests.
810          ischedule_dkim_selector: <none>
811              Name of the selector subdividing  the  domain  namespace.   This
812              specifies  the actual key used for iSchedule DKIM signing within
813              the domain.
815          duplicate_db: twoskip
816              The cyrusdb backend to use for the duplicate  delivery  suppres‐
817              sion  and  sieve.   Allowed  values: skiplist, sql, twoskip, ze‐
818              roskip
820          duplicate_db_path: <none>
821              The absolute path to the duplicate db file.  If  not  specified,
822              will be configdirectory/deliver.db
824          duplicatesuppression: 1
825              If enabled, lmtpd will suppress delivery of a message to a mail‐
826              box if a message with the same message-id (or resent-message-id)
827              is  recorded  as  having  already been delivered to the mailbox.
828              Records the mailbox and message-id/resent-message-id of all suc‐
829              cessful deliveries.
831          event_content_inclusion_mode: standard
832              The  mode  in  which  message  content may be included with Mes‐
833              sageAppend and MessageNew. “standard” mode is the default behav‐
834              ior in which message is included up to a size with the notifica‐
835              tion. In “message” mode, the message  is  included  and  may  be
836              truncated to a size. In “header” mode, it includes headers trun‐
837              cated to a size. In “body” mode, it includes body truncated to a
838              size.  In  “headerbody”  mode, it includes full headers and body
839              truncated to a size.  Allowed values: standard, message, header,
840              body, headerbody
842          event_content_size: 0
843              Truncate  the  message  content  that  may be included with Mes‐
844              sageAppend and MessageNew. Set 0 to include the  entire  message
845              itself
847          event_exclude_flags: <none>
848              Don’t send event notification for given IMAP flag(s)
850          event_exclude_specialuse: \Junk
851              Don’t  send event notification for folder with given special-use
852              attributes.  Set ALL for any folder
854          event_extra_params: timestamp
855              Space-separated list of extra parameters to add to any
856              appropriate event.
858              Allowed    values:   bodyStructure,   clientAddress,   diskUsed,
859              flagNames, messageContent, messageSize, messages,  modseq,  ser‐
860              vice,  timestamp,  uidnext,  vnd.cmu.midset,  vnd.cmu.unseenMes‐
861              sages, vnd.cmu.envelope, vnd.cmu.sessionId,  vnd.cmu.mailboxACL,
862              vnd.cmu.mbtype,  vnd.cmu.davFilename,  vnd.cmu.davUid, vnd.fast‐
863              mail.clientId, vnd.fastmail.sessionId,  vnd.fastmail.convExists,
864              vnd.fastmail.convUnseen,   vnd.fastmail.cid,  vnd.fastmail.coun‐
865              ters, vnd.cmu.emailid, vnd.cmu.threadid
867          event_groups: message mailbox
868              Space-separated list of groups of related events to turn on  no‐
869              tification
871              Allowed  values:  message,  quota,  flags, access, mailbox, sub‐
872              scription, calendar, applepushservice
874          event_notifier: <none>
875              Notifyd(8) method to use for  “EVENT”  notifications  which  are
876              based  on  the  RFC 5423.  If not set, “EVENT” notifications are
877              disabled.
879          expunge_mode: delayed
880              The mode in which messages (and their  corresponding  cache  en‐
881              tries)  are expunged.  “semidelayed” mode is the old behavior in
882              which the message files are purged at the time of  the  EXPUNGE,
883              but  index and cache records are retained to facilitate QRESYNC.
884              In “delayed” mode, which is the default since Cyrus  2.5.0,  the
885              message  files  are  also retained, allowing unexpunge to rescue
886              them.  In “immediate” mode, both the message files and the index
887              records  are removed as soon as possible.  In all cases, nothing
888              will be finally purged until all other processes have closed the
889              mailbox  to ensure they never see data disappear under them.  In
890              “semidelayed” or “delayed” mode, a  later  run  of  “cyr_expire”
891              will  clean  out  the  retained  records  (and  possibly message
892              files).  This reduces the amount of I/O that takes place at  the
893              time  of EXPUNGE and should result in greater responsiveness for
894              the client, especially when expunging a  large  number  of  mes‐
895              sages.  Allowed values: immediate, semidelayed, delayed
897          failedloginpause: 3s
898              Time to pause after a failed login.
900              For  backward compatibility, if no unit is specified, seconds is
901              assumed.
903          flushseenstate: 1
904              Deprecated. No longer used
906          foolstupidclients: 0
907              If enabled, only list the personal namespace when a LIST “*”  is
908              performed (it changes the request to a LIST “INBOX*”).
910          force_sasl_client_mech: <none>
911              Force preference of a given SASL mechanism for client side oper‐
912              ations (e.g., murder environments).  This is separate from  (and
913              overridden by) the ability to use the <host shortname>_mechs op‐
914              tion to set preferred mechanisms for a specific host
916          fulldirhash: 0
917              If enabled, uses an  improved  directory  hashing  scheme  which
918              hashes  on  the  entire username instead of using just the first
919              letter as the hash.  This changes hash algorithm used for  quota
920              and user directories and if hashimapspool is enabled, the entire
921              mail spool.
923              Note that this option CANNOT be changed on a live  system.   The
924              server  must be quiesced and then the directories moved with the
925              rehash utility.
927          hashimapspool: 0
928              If enabled, the partitions will also be hashed, in  addition  to
929              the  hashing  done on configuration directories.  This is recom‐
930              mended if one partition has a very bushy mailbox tree.
932          debug: 0
933              If enabled, allow syslog() to pass LOG_DEBUG messages.
935          hostname_mechs: <none>
936              Force a particular list of SASL mechanisms to be used  when  au‐
937              thenticating  to  the backend server hostname (where hostname is
938              the short hostname of the server in  question).  If  it  is  not
939              specified  it will query the server for available mechanisms and
940              pick one to use. - Cyrus Murder
942          hostname_password: <none>
943              The password to use for authentication  to  the  backend  server
944              hostname  (where hostname is the short hostname of the server) -
945              Cyrus Murder
947          httpallowcompress: 1
948              If enabled, the server will compress response  payloads  if  the
949              client  indicates  that  it can accept them.  Note that the com‐
950              pressed data will appear in telemetry logs, leaving only the re‐
951              sponse headers as human-readable.
953          httpallowcors: <none>
954              A  wildmat  pattern  specifying  a  list of origin URIs ( scheme
955              “://” host [ “:” port ] ) that are allowed to make  Cross-Origin
956              Resource  Sharing  (CORS)  requests  on the server.  By default,
957              CORS requests are disabled.
959              Note that the scheme and host should both be lowercase, the port
960              should  be  omitted  if using the default for the scheme (80 for
961              http, 443 for https), and there should be no trailing ‘/’ (e.g.:
962              “http://www.example.com:8080”, “https://example.org”).
964          httpallowtrace: 0
965              Allow use of the TRACE method.
967              Note that sensitive data might be disclosed by the response.
969          httpallowedurls: <none>
970              Space-separated  list  of relative URLs (paths) rooted at “http‐
971              docroot” (see below) to be served by httpd.  If set, this option
972              will  limit  served static content to only those paths specified
973              (returning “404 Not Found” to any other client requested  URLs).
974              Otherwise, httpd will serve any content found in “httpdocroot”.
976              Note  that  any  path specified by “rss_feedlist_template” is an
977              exception to this rule.
979          httpcontentmd5: 0
980              If enabled, HTTP responses will include a Content-MD5 header for
981              the  purpose  of providing an end-to-end message integrity check
982              (MIC) of the payload body.  Note that enabling this option  will
983              use  additional CPU to generate the MD5 digest, which may be ig‐
984              nored by clients anyways.
986          httpdocroot: <none>
987              If set, httpd will serve the static content (html/text/jpeg/gif
988              files, etc) rooted at this directory.  Otherwise, httpd will not
989              serve any static content.
991          httpkeepalive: 20s
992              Set the length of the HTTP server’s  keepalive  heartbeat.   The
993              default  is 20 seconds.  The minimum value is 0, which will dis‐
994              able the keepalive heartbeat.  When enabled, if a request  takes
995              longer  than  httpkeepalive to process, the server will send the
996              client provisional responses every httpkeepalive until the final
997              response can be sent.
999              For  backward compatibility, if no unit is specified, seconds is
1000              assumed.
1002          httpmodules: <empty string>
1003              Space-separated list of HTTP modules that  will  be  enabled  in
1004              httpd(8).   This  option  has no effect on modules that are dis‐
1005              abled at compile time due to missing  dependencies  (e.g.  libi‐
1006              cal).
1008              Note  that “domainkey” depends on “ischedule” being enabled, and
1009              that both “freebusy” and “ischedule” depend  on  “caldav”  being
1010              enabled.   Allowed  values:  admin,  caldav,  carddav,  cgi, do‐
1011              mainkey, freebusy, ischedule,  jmap,  prometheus,  rss,  tzdist,
1012              webdav
1014          httpprettytelemetry: 0
1015              If  enabled,  HTTP  response payloads including server-generated
1016              markup languages (HTML, XML) will utilize line breaks and inden‐
1017              tation  to  promote  better human-readability in telemetry logs.
1018              Note that enabling this option will increase the amount of  data
1019              sent across the wire.
1021          httptimeout: 5m
1022              Set the length of the HTTP server’s inactivity autologout timer.
1023              The default is 5 minutes.  The minimum value is  0,  which  will
1024              disable persistent connections.
1026              For backwards compatibility, if no unit is specified, minutes is
1027              assumed.
1029          idlesocket: {configdirectory}/socket/idle
1030              Unix domain socket that idled listens on.
1032          ignorereference: 0
1033              For backwards compatibility with Cyrus 1.5.10 and earlier –  ig‐
1034              nore the reference argument in LIST or LSUB commands.
1036          imapidlepoll: 60s
1037              The  interval  for  polling for mailbox changes and ALERTs while
1038              running the IDLE command.  This option is used when idled is not
1039              enabled  or cannot be contacted.  The minimum value is 1 second.
1040              A value of 0 will disable IDLE.
1042              For backward compatibility, if no unit is specified, seconds  is
1043              assumed.
1045          imapidresponse: 1
1046              If  enabled, the server responds to an ID command with a parame‐
1047              ter list containing: version, vendor, support-url,  os,  os-ver‐
1048              sion, command, arguments, environment.  Otherwise the server re‐
1049              turns NIL.
1051          imapmagicplus: 0
1052              Only list a restricted  set  of  mailboxes  via  IMAP  by  using
1053              userid+namespace  syntax as the authentication/authorization id.
1054              Using userid+ (with an empty  namespace)  will  list  only  sub‐
1055              scribed mailboxes.
1057          imipnotifier: <none>
1058              Notifyd(8)  method  to  use  for  “IMIP” notifications which are
1059              based on the RFC 6047.  If not  set,  “IMIP”  notifications  are
1060              disabled.
1062          implicit_owner_rights: lkxan
1063              The  implicit Access Control List (ACL) for the owner of a mail‐
1064              box.
1066          @include: <none>
1067              Directive which includes the specified file as part of the  con‐
1068              figuration.  If the path to the file is not absolute, CYRUS_PATH
1069              is prepended.
1071          improved_mboxlist_sort: 0
1072              If enabled, a special comparator will be used  which  will  cor‐
1073              rectly  sort  mailbox  names that contain characters such as ‘ ‘
1074              and ‘-‘.
1076              Note that this option SHOULD NOT be changed on  a  live  system.
1077              The  mailboxes  database  should be dumped (ctl_mboxlist) before
1078              the option is changed, removed, and then undumped after changing
1079              the  option.   When  not  using flat files for the subscriptions
1080              databases the same has to be done  (cyr_dbtool)  for  each  sub‐
1081              scription database.  See improved_mboxlist_sort.html.
1083          jmap_emailsearch_db_path: <none>
1084              The  absolute  path to the JMAP email search cache file.  If not
1085              specified, JMAP  Email/query  and  Email/queryChanges  will  not
1086              cache email search results.
1088          jmap_preview_annot: <none>
1089              The name of the per-message annotation, if any, to store message
1090              previews.
1092          jmap_imagesize_annot: <none>
1093              The name of the per-message annotation, if any,  that  stores  a
1094              JSON object, mapping message part numbers of MIME image types to
1095              an array of their image dimensions. The array must have at least
1096              two  entries,  where  the  first entry denotes the width and the
1097              second entry the height of the image. Any additional values  are
1098              ignored.
1100              For  example, if message part 1.2 contains an image of width 300
1101              and height 200, then the value of this annotation would be:
1103              { "1.2" : [ 300, 200 ] }
1105          jmap_inlinedcids_annot: <none>
1106              The name of the per-message annotation, if any,  that  stores  a
1107              JSON  object,  mapping  RFC  2392 Content-IDs referenced in HTML
1108              bodies to the respective HTML body part number.
1110              For example, if message part 1.2 contains HTML and references an
1111              inlined  image  at  “cid:foo”, then the value of this annotation
1112              would be:
1114              { "<foo>" : "1.2" }
1116              Note that the Content-ID key must be URL-unescaped and  enclosed
1117              in angular brackets, as defined in RFC 2392.
1119          jmap_preview_length: 64
1120              The  maximum  byte  length of dynamically generated message pre‐
1121              views. Previews stored in jmap_preview_annot take precedence.
1123          jmap_max_size_upload: 1048576
1124              The maximum size (in kilobytes) that the JMAP  API  accepts  for
1125              blob  uploads.  Returned  as the maxSizeUpload property value of
1126              the JMAP “urn:ietf:params:jmap:core” capabilities  object.   De‐
1127              fault is 1Gb.
1129          jmap_max_concurrent_upload: 5
1130              The  value to return for the maxConcurrentUpload property of the
1131              JMAP “urn:ietf:params:jmap:core” capabilities object. The  Cyrus
1132              JMAP implementation does not enforce this rate-limit.
1134          jmap_max_size_request: 10240
1135              The  maximum  size  (in kilobytes) that the JMAP API accepts for
1136              requests at the API endpoint.  Returned  as  the  maxSizeRequest
1137              property value of the JMAP “urn:ietf:params:jmap:core” capabili‐
1138              ties object. Default is 10Mb.
1140          jmap_max_concurrent_requests: 5
1141              The value to return for the  maxConcurrentRequests  property  of
1142              the  JMAP  “urn:ietf:params:jmap:core”  capabilities object. The
1143              Cyrus JMAP implementation does not enforce this rate-limit.
1145          jmap_max_calls_in_request: 50
1146              The maximum number of calls per JMAP request  object.   Returned
1147              as the maxCallsInRequest property value of the JMAP
1148              “urn:ietf:params:jmap:core” capabilities object.
1150          jmap_max_delayed_send: 512d
1151              The value to return for the maxDelayedSend property of the  JMAP
1152              “urn:ietf:params:jmap:emailsubmission” capabilities object.  The
1153              Cyrus JMAP implementation does not enforce this limit.
1155              For backward compatibility, if no unit is specified, seconds  is
1156              assumed.
1158          jmap_max_objects_in_get: 4096
1159              The  maximum  number  of ids that a JMAP client may request in a
1160              single “/get” type method call. The actual  number  of  returned
1161              objects  in  the response may exceed this number if the JMAP ob‐
1162              ject type supports unbounded  “/get”  calls.   Returned  as  the
1163              maxObjectsInGet property value of the JMAP
1164              “urn:ietf:params:jmap:core” capabilities object.
1166          jmap_max_objects_in_set: 4096
1167              The maximum number of objects a JMAP client may send to  create,
1168              update  or  destroy in a single /set type method call.  Returned
1169              as the maxObjectsInSet property value of the JMAP
1170              “urn:ietf:params:jmap:core” capabilities object.
1172          jmap_mail_max_size_attachments_per_email: 10240
1173              The  value  (in  kilobytes)  to  return  for  the maxSizeAttach‐
1174              mentsPerEmail property of the JMAP “urn:ietf:params:jmap:mail”
1175              capabilities  object. The Cyrus JMAP implementation does not en‐
1176              force this size limit. Default is 10 Mb.
1178          jmap_nonstandard_extensions: 0
1179              If enabled, support non-standard JMAP extensions.   If  not  en‐
1180              abled, only IETF standard JMAP functionality is supported.
1182          jmap_set_has_attachment: 1
1183              If  enabled,  the  $hasAttachment flag is determined and set for
1184              new messages created with the  JMAP  Email/set  or  Email/import
1185              methods.  This option should typically be enabled, but installa‐
1186              tions using Cyrus-external message annotators to  determine  the
1187              $hasAttachment flag might want to disable it.
1189          jmap_vacation: 1
1190              If enabled, support the JMAP vacation extension
1192          jmapuploadfolder: #jmap
1193              the name of the folder for JMAP uploads (#jmap)
1195          jmapsubmission_deleteonsend: 1
1196              If enabled (the default) then delete the EmailSubmission as soon
1197              as the email has been sent.
1199          jmapsubmissionfolder: #jmapsubmission
1200              the name of the folder for JMAP Submissions (#jmapsubmission)
1202          jmappushsubscriptionfolder: #jmappushsubscription
1203              the name of the folder for JMAP Push  Subscriptions  (#jmappush‐
1204              subscription)
1206          iolog: 0
1207              Should cyrus output I/O log entries
1209          ldap_authz: <none>
1210              SASL authorization ID for the LDAP server
1212          ldap_base: <empty string>
1213              Contains the LDAP base dn for the LDAP ptloader module
1215          ldap_bind_dn: <none>
1216              Bind DN for the connection to the LDAP server (simple bind).  Do
1217              not use for anonymous simple binds
1219          ldap_deref: never
1220              Specify how aliases dereferencing is handled during search.
1222              Allowed values: search, find, always, never
1224          ldap_domain_base_dn: <empty string>
1225              Base DN to search for domain name spaces.
1227          ldap_domain_filter: (&(objectclass=domainrelatedobject)(associateddomain=%s))
1229              Filter to use searching for domains
1231          ldap_domain_name_attribute: associateddomain
1232              The attribute name for domains.
1234          ldap_domain_scope: sub
1235              Search scope
1237              Allowed values: sub, one, base
1239          ldap_domain_result_attribute: inetdomainbasedn
1240              Result attribute
1242          ldap_filter: (uid=%u)
1243              Specify  a filter that searches user identifiers.  The following
1244              tokens can be used in the filter string:
1246              %%   = %
1247              %u   = user
1248              %U   = user portion of %u (%U = test when %u = test@domain.tld)
1249              %d   = domain portion of %u if available (%d = domain.tld when %u = test@domain.tld), otherwise same as %R
1250              %R   = domain portion of %u starting with @ (%R = @domain.tld when %u = test@domain.tld)
1251              %D   = user dn.  (use when ldap_member_method: filter)
1252              %1-9 = domain tokens (%1 = tld, %2 = domain when %d = domain.tld)
1254              ldap_filter is not used when ldap_sasl is enabled.
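
The ldap_filter token table above, worked through for a single login name so a filter can be checked before it is deployed. This is an added example, not Cyrus code: expand_filter and escape_value are hypothetical helpers, the empty expansion of %d, %R and %1-9 for a login without a domain is an assumption, and escaping substituted values per RFC 4515 is a choice made in this example.

```python
import re

# Characters RFC 4515 requires to be written as \XX inside an assertion value.
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
DOMAIN_TOKENS = set("123456789")  # %1 .. %9


def escape_value(value):
    """Escape a string for use as an LDAP filter assertion value (RFC 4515)."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template, user, user_dn=""):
    """Expand the documented ldap_filter tokens for one login name.

    Assumptions of this example: a login without '@' expands %d, %R and
    %1-9 to the empty string, and every substituted value is escaped.
    """
    local, at, domain = user.partition("@")
    # Domain tokens count from the right: %1 = tld, %2 = next label, ...
    labels = domain.split(".")[::-1] if domain else []
    values = {"u": user, "U": local, "d": domain, "R": at + domain, "D": user_dn}

    def substitute(match):
        token = match.group(1)
        if token == "%":                      # %% is a literal percent sign
            return "%"
        if token in DOMAIN_TOKENS:
            index = int(token) - 1
            return escape_value(labels[index]) if index < len(labels) else ""
        if token not in values:               # also catches a trailing lone '%'
            raise ValueError("unknown ldap_filter token %" + token)
        return escape_value(values[token])

    return re.sub(r"%(.?)", substitute, template, flags=re.DOTALL)


if __name__ == "__main__":
    # Constructed inputs: the page's own test@domain.tld plus a login that
    # contains filter metacharacters.
    for template, login in [
        ("(uid=%u)", "test@domain.tld"),
        ("(&(uid=%U)(ou=%2)(dc=%1))", "test@domain.tld"),
        ("(uid=%u)", "j*(smith)"),
    ]:
        print(template, login, "->", expand_filter(template, login))
```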
1256          ldap_group_base: <empty string>
1257              LDAP base dn for ldap_group_filter.
1259          ldap_group_filter: (cn=%u)
1260              Specify a filter  that  searches  for  group  identifiers.   See
1261              ldap_filter for more options.
1263          ldap_group_scope: sub
1264              Specify search scope for ldap_group_filter.
1266              Allowed values: sub, one, base
1268          ldap_id: <none>
1269              SASL authentication ID for the LDAP server
1271          ldap_mech: <none>
1272              SASL mechanism for LDAP authentication
1274          ldap_user_attribute: <none>
1275              Specify LDAP attribute to use as canonical user id
1277          ldap_member_attribute: <none>
1278              See ldap_member_method.
1280          ldap_member_base: <empty string>
1281              LDAP base dn for ldap_member_filter.
1283          ldap_member_filter: (member=%D)
1284              Specify   a   filter   for  “ldap_member_method:  filter”.   See
1285              ldap_filter for more options.
1287          ldap_member_method: attribute
1288              Specify a group method.  The “attribute” method retrieves groups
1289              from  a  multi-valued  attribute specified in ldap_member_attri‐
1290              bute.
1292              The “filter” method uses a filter, specified by ldap_member_fil‐
1293              ter, to find groups; ldap_member_attribute is a single-value at‐
1294              tribute group name.  Allowed values: attribute, filter
1296          ldap_member_scope: sub
1297              Specify search scope for ldap_member_filter.
1299              Allowed values: sub, one, base
1301          ldap_password: <none>
1302              Password for the connection to the LDAP server (SASL and  simple
1303              bind).  Do not use for anonymous simple binds
1305          ldap_realm: <none>
1306              SASL realm for LDAP authentication
1308          ldap_referrals: 0
1309              Specify whether or not the client should follow referrals.
1311          ldap_restart: 1
1312              Specify  whether  or  not  LDAP I/O operations are automatically
1313              restarted if they abort prematurely.
1315          ldap_sasl: 1
1316              Use SASL for LDAP binds in the LDAP PTS module.
1318          ldap_sasl_authc: <none>
1319              Deprecated.  Use ldap_id
1321          ldap_sasl_authz: <none>
1322              Deprecated.  Use ldap_authz
1324          ldap_sasl_mech: <none>
1325              Deprecated.  Use ldap_mech
1327          ldap_sasl_password: <none>
1328              Deprecated.  Use ldap_password
1330          ldap_sasl_realm: <none>
1331              Deprecated.  Use ldap_realm
1333          ldap_scope: sub
1334              Specify search scope.
1336              Allowed values: sub, one, base
1338          ldap_servers: ldap://localhost/
1339              Deprecated.  Use ldap_uri
1341          ldap_size_limit: 1
1342              Specify a number of entries for a search request to return.
1344          ldap_start_tls: 0
1345              Use transport layer security for ldap:// using STARTTLS. Do  not
1346              use ldaps:// in ‘ldap_uri’ with this option enabled.
1348          ldap_time_limit: 5s
1349              How long to wait for a search request to complete.
1351              For  backward compatibility, if no unit is specified, seconds is
1352              assumed.
1354          ldap_timeout: 5s
1355              How long a search can take before timing out.
1357              For backward compatibility, if no unit is specified, seconds  is
1358              assumed.
1360          ldap_ca_dir: <none>
1361              Path  to  a  directory  with CA (Certificate Authority) certifi‐
1362              cates.
1364          ldap_ca_file: <none>
1365              Path to a file containing CA  (Certificate  Authority)  certifi‐
1366              cate(s).
1368          ldap_ciphers: <none>
1369              List  of  SSL/TLS ciphers to allow.  The format of the string is
1370              described in ciphers(1).
1372          ldap_client_cert: <none>
1373              File containing the client certificate.
1375          ldap_client_key: <none>
1376              File containing the private client key.
1378          ldap_verify_peer: 0
1379              Require and verify server certificate.  If this option  is  yes,
1380              you must specify ldap_ca_file or ldap_ca_dir.
1382          ldap_tls_cacert_dir: <none>
1383              Deprecated in favor of ldap_ca_dir.
1385          ldap_tls_cacert_file: <none>
1386              Deprecated in favor of ldap_ca_file.
1388          ldap_tls_cert: <none>
1389              Deprecated in favor of ldap_client_cert.
1391          ldap_tls_key: <none>
1392              Deprecated in favor of ldap_client_key.
1394          ldap_tls_check_peer: 0
1395              Deprecated in favor of ldap_verify_peer.
1397          ldap_tls_ciphers: <none>
1398              Deprecated in favor of ldap_ciphers.
1400          ldap_uri: <none>
1401              Contains  a  list of the URLs of all the LDAP servers when using
1402              the LDAP PTS module.
1404          ldap_version: 3
1405              Specify the LDAP protocol  version.   If  ldap_start_tls  and/or
1406              ldap_use_sasl  are  enabled,  ldap_version will be automatically
1407              set to 3.
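A configuration check for the LDAP transport options above, as an added example (not part of the original page and not a Cyrus tool). It parses imapd.conf text, reports the deprecated ldap_* names listed in this section, and applies the constraints stated for ldap_start_tls and ldap_verify_peer. The function names, finding codes, sample host names and CA path are constructed; reading a deprecated name as the value of its replacement is an assumption.

```python
# Deprecated option -> replacement, as listed in this section.
DEPRECATED = {
    "ldap_sasl_authc": "ldap_id",
    "ldap_sasl_authz": "ldap_authz",
    "ldap_sasl_mech": "ldap_mech",
    "ldap_sasl_password": "ldap_password",
    "ldap_sasl_realm": "ldap_realm",
    "ldap_servers": "ldap_uri",
    "ldap_tls_cacert_dir": "ldap_ca_dir",
    "ldap_tls_cacert_file": "ldap_ca_file",
    "ldap_tls_cert": "ldap_client_cert",
    "ldap_tls_key": "ldap_client_key",
    "ldap_tls_check_peer": "ldap_verify_peer",
    "ldap_tls_ciphers": "ldap_ciphers",
}
TRUE_VALUES = {"yes", "on", "t", "true", "1"}


def parse_conf(text):
    """Parse 'option: value' lines; a trailing backslash continues the line."""
    options, pending = {}, ""
    for raw in text.splitlines():
        if raw.endswith("\\"):
            pending += raw[:-1]
            continue
        line, pending = pending + raw, ""
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            options[name.strip()] = value.strip()
    return options


def audit_ldap(options):
    """Return (code, message) findings for the LDAP transport settings."""

    def get(name, default=""):
        if name in options:
            return options[name]
        # Assumption: a deprecated name stands in for its replacement.
        for old, new in DEPRECATED.items():
            if new == name and old in options:
                return options[old]
        return default

    findings = [("deprecated", f"{old} is deprecated, use {new}")
                for old, new in DEPRECATED.items() if old in options]
    uris = [u.lower() for u in get("ldap_uri").split()]
    start_tls = get("ldap_start_tls", "0").lower() in TRUE_VALUES
    verify = get("ldap_verify_peer", "0").lower() in TRUE_VALUES
    ldaps = any(u.startswith("ldaps://") for u in uris)
    plain = any(u.startswith("ldap://") for u in uris)

    if start_tls and ldaps:
        findings.append(("starttls-with-ldaps",
                         "ldap_start_tls must not be combined with ldaps://"))
    if plain and not start_tls:
        findings.append(("no-tls",
                         "ldap:// without ldap_start_tls: no TLS on the connection"))
    if (ldaps or start_tls) and not verify:
        findings.append(("peer-not-verified",
                         "TLS in use but ldap_verify_peer is off"))
    if verify and not (get("ldap_ca_file") or get("ldap_ca_dir")):
        findings.append(("verify-without-ca",
                         "ldap_verify_peer needs ldap_ca_file or ldap_ca_dir"))
    return findings


# Constructed sample: deprecated names, STARTTLS mixed with ldaps://, no peer check.
WEAK_SAMPLE = """\
# constructed sample, not a real deployment
pts_module: ldap
ldap_servers: ldaps://ldap1.example.test/ \\
    ldap://ldap2.example.test/
ldap_start_tls: yes
ldap_tls_check_peer: 0
"""

# Constructed sample: current names, STARTTLS on ldap://, verified against a CA file.
HARDENED_SAMPLE = """\
pts_module: ldap
ldap_uri: ldap://ldap1.example.test/
ldap_start_tls: 1
ldap_verify_peer: 1
ldap_ca_file: /etc/ssl/certs/example-ca.pem
"""

if __name__ == "__main__":
    for label, sample in (("weak", WEAK_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        for code, message in audit_ldap(parse_conf(sample)):
            print(f"{label}: {code}: {message}")
```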
1409          literalminus: 0
1410              If enabled, CAPABILITIES will reply with LITERAL- rather than
1411              LITERAL+ (RFC 7888).  This does not actually size-restrict
1412              uploads, though.
1414          lmtp_downcase_rcpt: 1
1415              If enabled, lmtpd will convert the recipient addresses to lower‐
1416              case (up to a ‘+’ character, if present).
1418          lmtp_exclude_specialuse: \Snoozed
1419              Don’t  allow  delivery  to  folders  with  given special-use at‐
1420              tributes.
1422              Note that “snoozing” of emails can currently only  be  done  via
1423              the  JMAP  protocol, so delivery directly to the Snoozed mailbox
1424              is prohibited by default as it will not be moved back into INBOX
1425              automatically.
1427          lmtp_fuzzy_mailbox_match: 0
1428              If  enabled, and the mailbox specified in the detail part of the
1429              recipient (everything after the ‘+’) does not exist, lmtpd  will
1430              try  to  find  the closest match (ignoring case, ignoring white‐
1431              space, falling back to parent) to the specified mailbox name.
1433          lmtp_over_quota_perm_failure: 0
1434              If enabled, lmtpd returns a permanent failure code when a user’s
1435              mailbox  is  over  quota.  By default, the failure is temporary,
1436              causing the MTA to queue the message and retry later.
1438          lmtp_strict_quota: 0
1439              If enabled, lmtpd returns a failure code when the incoming  mes‐
1440              sage  will cause the user’s mailbox to exceed its quota.  By de‐
1441              fault, the failure won’t occur until the mailbox is already over
1442              quota.
1444          lmtp_strict_rfc2821: 1
1445              By  default, lmtpd will be strict (per RFC 2821) with regards to
1446              which envelope addresses are allowed.  If this option is set  to
1447              false,  8bit  characters in the local-part of envelope addresses
1448              are changed to ‘X’ instead.  This is useful to avoid  generating
1449              backscatter  with certain MTAs like Postfix or Exim which accept
1450              such messages.
1452          lmtpsocket: {configdirectory}/socket/lmtp
1453              Unix domain socket that lmtpd listens on,  used  by  deliver(8).
1454              This should match the path specified in cyrus.conf(5).
1456          lmtptxn_timeout: 5m
1457              Timeout used during a lmtp transaction to a remote backend (e.g.
1458              in a murder environment).  Can be used to prevent hung lmtpds on
1459              proxy  hosts when a backend server becomes unresponsive during a
1460              lmtp transaction.  The default is 5 minutes - change to zero for
1461              infinite.
1463              For  backward compatibility, if no unit is specified, seconds is
1464              assumed.
1466          lock_debugtime: <none>
1467              A floating point number of seconds.  If set, time  how  long  we
1468              wait  for  any  lock,  and  syslog the filename and time if it’s
1469              longer than this value.  The default of NULL means not  to  time
1470              locks.
1472          loginrealms: <empty string>
1473              The  list  of  remote  realms whose users may authenticate using
1474              cross-realm authentication  identifiers.   Separate  each  realm
1475              name  by  a  space.   (A  cross-realm identity is considered any
1476              identity returned by SASL with an “@” in it.)
1478          loginuseacl: 0
1479              If enabled, any authentication identity which has ‘a’ rights on a
1480              user’s INBOX may log in as that user.
1482          logtimestamps: 0
1483              Include  notations in the protocol telemetry logs indicating the
1484              number of seconds since the last command or response.
1486          mailbox_default_options: 0
1487              Default “options” field for the mailbox on create.  You’ll  want
1488              to  know what you’re doing before setting this, but it can apply
1489              some default annotations like duplicate suppression
1491          mailbox_initial_flags: <none>
1492              Space-separated list of permanent flags which will be pre-set in
1493              every newly created mailbox.  If you know you will require
1494              particular flag names then this avoids a possible race condition
1495              against a client that fills the entire 128 available slots.
1496              Default is NULL, which is no flags.
1497              Example: $Label1 $Label2 $Label3 NotSpam Spam
1499          mailnotifier: <none>
1500              Notifyd(8)  method to use for “MAIL” notifications.  If not set,
1501              “MAIL” notifications are disabled.
1503          master_bind_errors_fatal: 0
1504              If enabled, failure to bind a port during startup is treated  as
1505              a fatal error, causing master to shut down immediately.  The de‐
1506              fault is to keep running, with the affected service disabled un‐
1507              til the next SIGHUP causes it to retry.
1509              Note  that  this only applies during startup.  New services that
1510              fail to come up in response to a reconfig+SIGHUP  will  just  be
1511              logged  and disabled like the default behaviour, without causing
1512              master to exit.
1514          maxheaderlines: 1000
1515              Maximum number of lines of header that will  be  processed  into
1516              cache  records.  Default 1000.  If set to zero, it is unlimited.
1517              If a message hits the limit, an error will  be  logged  and  the
1518              rest  of  the  lines  in the header will be skipped.  This is to
1519              avoid malformed messages causing giant cache records
1521          maxlogins_per_host: 0
1522              Maximum number of logged in  sessions  allowed  per  host,  zero
1523              means no limit
1525          maxlogins_per_user: 0
1526              Maximum  number  of  logged  in  sessions allowed per user, zero
1527              means no limit
1529          maxmessagesize: 0
1530              Maximum incoming LMTP message size.  If non-zero, lmtpd will re‐
1531              ject  messages  larger  than maxmessagesize bytes.  If set to 0,
1532              this will allow messages of any size (the default).
1534          maxquoted: 131072
1535              Maximum size of a single quoted string for the parser.   Default
1536              128k
1538          maxword: 131072
1539              Maximum size of a single word for the parser.  Default 128k
1541          mboxkey_db: twoskip
1542              The cyrusdb backend to use for mailbox keys.
1544              Allowed values: skiplist, twoskip, zeroskip
1546          mboxlist_db: twoskip
1547              The cyrusdb backend to use for the mailbox list.
1549              Allowed values: flat, skiplist, sql, twoskip, zeroskip
1551          mboxlist_db_path: <none>
1552              The  absolute  path  to the mailboxes db file.  If not specified
1553              will be configdirectory/mailboxes.db
1555          mboxname_lockpath: <none>
1556              Path to mailbox name lock files (default $conf/lock)
1558          metapartition_files: <empty string>
1559              Space-separated list of metadata files to be stored on  a  meta‐
1560              partition rather than in the mailbox directory on a spool parti‐
1561              tion.  Allowed values: header, index, cache, expunge, squat, an‐
1562              notations, lock, dav, archivecache
1564          metapartition-name: <none>
1565              The  pathname  of  the metadata partition name, corresponding to
1566              spool partition partition-name.  For any mailbox residing  in  a
1567              directory  on partition-name, the metadata files listed in meta‐
1568              partition_files will be stored in a corresponding  directory  on
1569              metapartition-name.    Note that not every partition-name option
1570              is required to have a corresponding  metapartition-name  option,
1571              so  that  you can selectively choose which spool partitions will
1572              have separate metadata partitions.
1574          mupdate_authname: <none>
1575              The SASL username (Authentication Name) to use when authenticat‐
1576              ing to the mupdate server (if needed).
1578          mupdate_config: standard
1579              The  configuration  of  the mupdate servers in the Cyrus Murder.
1580              The “standard” config is one in which there are discrete
1581              frontend (proxy) and backend servers.  The “unified” config is one in
1582              which a server can be both a frontend and backend.  The  “repli‐
1583              cated” config is one in which multiple backend servers all share
1584              the same mailspool, but each have their own “replicated” copy of
1585              mailboxes.db.  Allowed values: standard, unified, replicated
1587          munge8bit: 1
1588              If  enabled,  lmtpd munges messages with 8-bit characters in the
1589              headers.  The 8-bit characters are changed to ‘X’.  If
1590              reject8bit is enabled, setting munge8bit has no effect.  (A proper
1591              solution to non-ASCII characters in headers is  offered  by  RFC
1592              2047 and its predecessors.)
1594          mupdate_connections_max: 128
1595              The max number of connections that a mupdate process will allow,
1596              this is related to the number of file descriptors in the mupdate
1597              process.  Beyond this number connections will be immediately is‐
1598              sued a BYE response.
1600          mupdate_password: <none>
1601              The SASL password (if needed) to use when authenticating to  the
1602              mupdate server.
1604          mupdate_port: 3905
1605              The port of the mupdate server for the Cyrus Murder
1607          mupdate_realm: <none>
1608              The  SASL  realm  (if  needed) to use when authenticating to the
1609              mupdate server.
1611          mupdate_retry_delay: 20
1612              The base time to wait between connection retries to the  mupdate
1613              server.
1615          mupdate_server: <none>
1616              The mupdate server for the Cyrus Murder
1618          mupdate_username: <empty string>
1619              The  SASL username (Authorization Name) to use when authenticat‐
1620              ing to the mupdate server
1622          mupdate_workers_max: 50
1623              The maximum number of mupdate worker threads (overall)
1625          mupdate_workers_maxspare: 10
1626              The maximum number of idle mupdate worker threads
1628          mupdate_workers_minspare: 2
1629              The minimum number of idle mupdate worker threads
1631          mupdate_workers_start: 5
1632              The number of mupdate worker threads to start
1634          netscapeurl: <none>
1635              If enabled at compile time, this specifies a URL to  reply  when
1636              Netscape  asks  the  server  where  the mail administration HTTP
1637              server is.  Administrators should set this to a local resource.
1639          newsaddheaders: to
1640              Space-separated list of headers to be added to  incoming  usenet
1641              articles.   Added  To:  headers  will contain email delivery ad‐
1642              dresses corresponding  to  each  newsgroup  in  the  Newsgroups:
1643              header.  Added Reply-To: headers will contain email delivery ad‐
1644              dresses corresponding to each newsgroup in the  Followup-To:  or
1645              Newsgroups: header.  If the specified header(s) already exist in
1646              an article, the email delivery addresses will be appended to the
1647              original header body(s).
1649              This  option  applies  if and only if the newspostuser option is
1650              set.  Allowed values: to, replyto
1652          newsgroups: *
1653              A wildmat pattern specifying which mailbox hierarchies should be
1654              treated as newsgroups.  Only mailboxes matching the wildmat will
1655              accept and/or serve articles via NNTP.  If not  set,  a  default
1656              wildmat  of  “*”  (ALL  shared  mailboxes) will be used.  If the
1657              newsprefix option is also  set,  the  default  wildmat  will  be
1658              translated to “<newsprefix>.*”
1660          newsmaster: news
1661              Userid  that is used for checking access controls when executing
1662              Usenet control messages.  For instance, to allow articles to  be
1663              automatically  deleted  by cancel messages, give the “news” user
1664              the ‘d’ right on the desired mailboxes.  To allow newsgroups  to
1665              be automatically created, deleted and renamed by the correspond‐
1666              ing control messages, give the “news” user the ‘c’ right on  the
1667              desired mailbox hierarchies.
1669          newspeer: <none>
1670              A  list  of  whitespace-separated  news server specifications to
1671              which articles should be fed.  Each server  specification  is  a
1672              string  of  the  form  [user[:pass]@]host[:port][/wildmat] where
1673              ‘host’ is the fully qualified hostname of the server, ‘port’  is
1674              the port on which the server is listening, ‘user’ and ‘pass’ are
1675              the authentication credentials and ‘wildmat’ is a  pattern  that
1676              specifies  which  groups  should be fed.  If no ‘port’ is speci‐
1677              fied, port 119 is used.   If  no  ‘wildmat’  is  specified,  all
1678              groups  are  fed.   If ‘user’ is specified (even if empty), then
1679              the NNTP POST command will be used to feed the  article  to  the
1680              server, otherwise the IHAVE command will be used.
1682              A  ‘@’  may  be  used  in place of ‘!’ in the wildmat to prevent
1683              feeding articles cross-posted  to  the  given  group,  otherwise
1684              cross-posted  articles  are  fed  if  any  part  of  the wildmat
1685              matches.   For  example,  the  string  “peer.example.com:*,!con‐
1686              trol.*,@local.*”  would  feed all groups except control messages
1687              and  local  groups  to  peer.example.com.   In   the   case   of
1688              cross-posting to local groups, these articles would not be fed.
1690          newspostuser: <none>
1691              Userid  used  to  deliver  usenet  articles to newsgroup folders
1692              (usually via lmtp2nntp).  For example, if set to  “post”,  email
1693              sent   to   “post+comp.mail.imap”  would  be  delivered  to  the
1694              “comp.mail.imap” folder.
1696              When set, the Cyrus NNTP server will add the header(s) specified
1697              in  the  newsaddheaders  option to each incoming usenet article.
1698              The added header(s) will contain email delivery addresses corre‐
1699              sponding to each relevant newsgroup.  If not set, no headers are
1700              added to usenet articles.
1702          newsprefix: <none>
1703              Prefix to be prepended to newsgroup names  to  make  the  corre‐
1704              sponding IMAP mailbox names.
1706          newsrc_db_path: <none>
1707              The absolute path to the newsrc db file.  If not specified, will
1708              be configdirectory/fetchnews.db
1710          nntptimeout: 3m
1711              Set the length of the NNTP server’s inactivity autologout timer.
1712              The minimum value is 3 minutes, also the default.
1714              For  backward compatibility, if no unit is specified, minutes is
1715              assumed.
1717          notesmailbox: <none>
1718              The top level mailbox in each user’s account which is used to
1719              store Apple-style Notes.  Default is blank (disabled).
1721          notifysocket: {configdirectory}/socket/notify
1722              Unix domain socket that the mail notification daemon listens on.
1724          notify_external: <none>
1725              Path  to  the external program that notifyd(8) will call to send
1726              mail notifications.
1728              The external program will be called with the  following  command
1729              line options:
1731                 -c class
1733                 -p priority
1735                 -u user
1737                 -m mailbox
1739                 And the notification message will be available on stdin.
1741          partition-name: <none>
1742              The  pathname  of  the  partition  name.  At least one partition
1743              pathname MUST be specified.  If the defaultpartition  option  is
1744              used,  then its pathname MUST be specified.  For example, if the
1745              value of the defaultpartition option is part1, then the
1746              partition-part1 field is required.
1748          partition_select_mode: freespace-most
1749              Partition selection mode.
1751              random (pseudo-)random selection
1753              freespace-most
1754                     partition with the most free space (KiB)
1756              freespace-percent-most
1757                     partition with the most free space (%)
1759              freespace-percent-weighted
1760                     each  partition  is  weighted according to its free space
1761                     (%); the more free space  the  partition  has,  the  more
1762                     chances it has to be selected
1764              freespace-percent-weighted-delta
1765                     each partition is weighted according to its difference of
1766                     free space (%) compared to the most used  partition;  the
1767                     more the partition is lagging behind the most used parti‐
1768                     tion, the more chances it has to be selected
1770                     Note that actually even the most used partition has a few
1771                     chances  to  be selected, and those chances increase when
1772                     other partitions get closer
1774                     Allowed values:  random,  freespace-most,  freespace-per‐
1775                     cent-most,   freespace-percent-weighted,   freespace-per‐
1776                     cent-weighted-delta
1778          partition_select_exclude: <none>
1779              List of partitions to exclude from selection mode.
1781          partition_select_usage_reinit: 0
1782              For a given session, number of operations (e.g. partition selec‐
1783              tion) for which partitions usage data are cached.
1785          partition_select_soft_usage_limit: 0
1786              Limit of partition usage (%): if a partition is over that limit,
1787              it is automatically excluded from selection mode.
1789              If all partitions are over that limit, this feature is not  used
1790              anymore.
1792          plaintextloginpause: <none>
1793              Time  to  pause after a successful plaintext login.  For systems
1794              that support strong authentication, this permits users  to  per‐
1795              ceive  a  cost of using plaintext passwords.  (This does not af‐
1796              fect the use of PLAIN in SASL authentications.)
1798              For backward compatibility, if no unit is specified, seconds  is
1799              assumed.
1801          plaintextloginalert: <none>
1802              Message to send to client after a successful plaintext login.
1804          popexpiretime: -1
1805              The  duration  advertised  as being the minimum a message may be
1806              left on the POP server before it is deleted (via the  CAPA  com‐
1807              mand,  defined  in  the  POP3  Extension  Mechanism,  which some
1808              clients may support).  This duration has a granularity of  whole
1809              days,  with partial days truncated (so e.g. “45m” is effectively
1810              “0d”).  “NEVER”, the default, may be specified with  a  negative
1811              number.
1813              The  Cyrus  POP3  server  never deletes mail, no matter what the
1814              value of this parameter is.  However, if  a  site  implements  a
1815              less  liberal  policy, it needs to change this parameter accord‐
1816              ingly.
1818              For backward compatibility, if no unit is specified, days is as‐
1819              sumed.
1821          popminpoll: <none>
1822              Set  the  minimum amount of time the server forces users to wait
1823              between successive POP logins.
1825              For backward compatibility, if no unit is specified, minutes  is
1826              assumed.
1828          popsubfolders: 0
1829              Allow   access   to  subfolders  of  INBOX  via  POP3  by  using
1830              userid+subfolder syntax as the authentication/authorization id.
1832          poppollpadding: 1
1833              Create a softer minimum poll restriction.  Allows poppollpadding
1834              connections  before the minpoll restriction is triggered.  Addi‐
1835              tionally, one padding entry is recovered every  popminpoll  min‐
1836              utes.   This  allows for the occasional polling rate faster than
1837              popminpoll, (i.e., for clients that require  a  send/receive  to
1838              send  mail) but still enforces the rate long-term.  Default is 1
1839              (disabled).
1841              The easiest way to think of it is a queue of  past  connections,
1842              with  one  slot  being filled for every connection, and one slot
1843              being cleared every popminpoll minutes. When the queue is  full,
1844              the  user  will  not be able to check mail again until a slot is
1845              cleared.  If the user waits a sufficient amount  of  time,  they
1846              will get back many or all of the slots.
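The queue described for poppollpadding, modelled as an added example (not Cyrus code, and not part of the original page). The class and function names are hypothetical. The model assumes that a rejected login does not fill a slot and that the recovery timer starts when the first slot is filled.

```python
class PopPollLimiter:
    """Queue of past POP logins for one user, as described above.

    Each accepted login fills one slot; one slot is cleared every
    popminpoll minutes; a login is refused while all slots are full.
    """

    def __init__(self, popminpoll_minutes, poppollpadding=1):
        self.interval = popminpoll_minutes * 60   # seconds per recovered slot
        self.capacity = poppollpadding            # number of slots in the queue
        self.used = 0                             # slots currently filled
        self.clock = 0                            # time of the last recovery tick

    def login(self, now):
        """Return True if a login at time `now` (seconds) is accepted."""
        if self.used:
            # Clear one slot for every full popminpoll interval that has passed.
            ticks = int((now - self.clock) // self.interval)
            self.used -= min(ticks, self.used)
            self.clock += ticks * self.interval
        if self.used == 0:
            # Empty queue: the recovery timer restarts with this login.
            self.clock = now
        if self.used >= self.capacity:
            return False
        self.used += 1
        return True


def simulate(popminpoll_minutes, poppollpadding, login_times):
    """Replay login times (seconds, ascending) and return accept/reject flags."""
    limiter = PopPollLimiter(popminpoll_minutes, poppollpadding)
    return [limiter.login(t) for t in login_times]


if __name__ == "__main__":
    # Constructed timeline: a burst of four logins, then one per interval.
    times = [0, 10, 20, 30, 300, 310, 1500]
    print("padding=3:", simulate(5, 3, times))
    print("padding=1:", simulate(5, 1, [0, 60, 300, 400]))
```

With poppollpadding set to 1 the model reduces to a plain minimum poll interval, which matches the page's description of the default as disabled.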
1848          poptimeout: 10m
1849              Set  the length of the POP server’s inactivity autologout timer.
1850              The minimum value is 10 minutes, the default.
1852              For backward compatibility, if no unit is specified, minutes  is
1853              assumed.
1855          popuseacl: 0
1856              Enforce  IMAP  ACLs in the pop server.  Due to the nature of the
1857              POP3 protocol, the only rights which are used by the pop  server
1858              are  ‘r’,  ‘t’,  and  ‘s’ for the owner of the mailbox.  The ‘r’
1859              right allows the user to open the mailbox and list/retrieve mes‐
1860              sages.   The  ‘t’ right allows the user to delete messages.  The
1861              ‘s’ right allows messages retrieved by  the  user  to  have  the
1862              \Seen flag set (only if popuseimapflags is also enabled).
1864          popuseimapflags: 0
1865              If  enabled,  the pop server will set and obey IMAP flags.  Mes‐
1866              sages having the \Deleted flag are ignored as if they do not ex‐
1867              ist.   Messages  that  are retrieved by the client will have the
1868              \Seen flag set.  All messages will have the \Recent flag unset.
1870          postmaster: postmaster
1871              Username that is used as the ‘From’ address  in  rejection  MDNs
1872              produced by sieve.
1874          postuser: <empty string>
1875              Userid used to deliver messages to shared folders.  For example,
1876              if set to “bb”, email sent to “bb+shared.blah” would  be  deliv‐
1877              ered  to the “shared.blah” folder.  By default, an email address
1878              of “+shared.blah” would be used.
1880          proc_path: <none>
1881              Path to proc directory.  Default is NULL - must be  an  absolute
1882              path  if  specified.   If  not specified, the path $configdirec‐
1883              tory/proc/ will be used.
1885          prometheus_enabled: 0
1886              Whether tracking of service metrics for Prometheus is enabled.
1888          prometheus_need_auth: admin
1889              Authentication level required to fetch Prometheus metrics.
1891              Allowed values: none, user, admin
1893          prometheus_update_freq: 10s
1894              Frequency at which promstatsd should re-collate its statistics
1895              report.  The minimum value is 1 second, the default is 10
1896              seconds.
1898              For backward compatibility, if no unit is specified, seconds  is
1899              assumed.
1901          prometheus_stats_dir: <none>
1902              Directory to use for gathering prometheus statistics.  If speci‐
1903              fied, must be an absolute path.  If not specified,  the  default
1904              path  $configdirectory/stats/  will be used.  It may be advanta‐
1905              geous to locate this directory on ephemeral storage.
1907          proxy_authname: proxy
1908              The authentication name to use when authenticating to a  backend
1909              server in the Cyrus Murder.
1911          proxy_compress: 0
1912              Try  to  enable  protocol-specific compression when performing a
1913              client connection to a backend server in the Cyrus Murder.
1915              Note that this should only be necessary over slow  network  con‐
1916              nections.   Also  note that currently only IMAP and MUPDATE sup‐
1917              port compression.
1919          proxy_password: <none>
1920              The default password to use when  authenticating  to  a  backend
1921              server  in  the  Cyrus Murder.  May be overridden on a host-spe‐
1922              cific basis using the hostname_password option.
1924          proxy_realm: <none>
1925              The authentication realm to use when authenticating to a backend
1926              server in the Cyrus Murder
1928          proxyd_allow_status_referral: 0
1929              Set  to  true to allow proxyd to issue referrals to clients that
1930              support it when answering the STATUS command.  This is  disabled
1931              by  default  since  some clients issue many STATUS commands in a
1932              row, and do not cache the connections that these referrals would
1933              cause, thus resulting in a higher authentication load on the re‐
1934              spective backend server.
1936          proxyd_disable_mailbox_referrals: 0
1937              Set to true to disable the use of mailbox-referrals on the proxy
1938              servers.
1940          proxyservers: <none>
1941              A  list  of users and groups that are allowed to proxy for other
1942              users, separated by spaces.  Any user listed in this will be al‐
1943              lowed to login for any other user: use with caution.  In a stan‐
1944              dard murder this option should ONLY be set on backends.  DO  NOT
1945              SET on frontends or things won’t work properly.
1947          pts_module: afskrb
1948              The PTS module to use.
1950              Allowed values: afskrb, ldap
1952          ptloader_sock: <none>
1953              Unix  domain socket that ptloader listens on.  (defaults to con‐
1954              figdirectory/ptclient/ptsock)
1956          ptscache_db: twoskip
1957              The cyrusdb backend to use for the pts cache.
1959              Allowed values: skiplist, twoskip, zeroskip
1961          ptscache_db_path: <none>
1962              The absolute path to the ptscache db file.   If  not  specified,
1963              will be configdirectory/ptscache.db
1965          ptscache_timeout: 3h
1966              The   timeout   for  the  PTS  cache  database  when  using  the
1967              auth_krb_pts authorization method (default: 3 hours).
1969              For backward compatibility, if no unit is specified, seconds  is
1970              assumed.
1972          ptskrb5_convert524: 1
1973              When using the AFSKRB ptloader module with Kerberos 5 canonical‐
1974              ization, do the final 524 conversion to get an AFS  style  name
1975              (using ‘.’ instead of ‘/’, and using short names).
1977          ptskrb5_strip_default_realm: 1
1978              When using the AFSKRB ptloader module with Kerberos 5 canonical‐
1979              ization, strip the default realm from the userid (this does  not
1980              affect  the  stripping  of realms specified by the afspts_local‐
1981              realms option)
1983          qosmarking: cs0
1984              This specifies the Class  Selector  or  Differentiated  Services
1985              Code  Point  designation  on IP headers (in the ToS field).  Al‐
1986              lowed values: cs0, cs1, cs2, cs3,  cs4,  cs5,  cs6,  cs7,  af11,
1987              af12,  af13,  af21,  af22,  af23,  af31, af32, af33, af41, af42,
1988              af43, ef
1990          quota_db: quotalegacy
1991              The cyrusdb backend to use for quotas.
1993              Allowed values: flat, skiplist, sql, quotalegacy,  twoskip,  ze‐
1994              roskip
1996          quota_db_path: <none>
1997              The  absolute  path for the quota database (if you choose a sin‐
1998              gle-file quota DB type - or the base path if you choose quotale‐
1999              gacy).   If  not  specified will be configdirectory/quotas.db or
2000              configdirectory/quota/
2002          quotawarn: 90
2003              The percent of quota utilization over which the server generates
2004              warnings.
2006          quotawarnkb: 0
2007              The  maximum  amount  of  free  space (in kB) at which to give a
2008              quota warning (if this value is 0, or if the  quota  is  smaller
2009              than this amount, then warnings are always given).
2011          quotawarnmsg: 0
2012              The  maximum amount of messages at which to give a quota warning
2013              (if this value is 0, or  if  the  quota  is  smaller  than  this
2014              amount, then warnings are always given).
2016          reject8bit: 0
2017              If  enabled, lmtpd rejects messages with 8-bit characters in the
2018              headers.
2020          restore_authname: <none>
2021              The authentication used by the restore tool when  authenticating
2022              to an IMAP/sync server.
2024          restore_password: <none>
2025              The  password used by the restore tool when authenticating to an
2026              IMAP/sync server.
2028          restore_realm: <none>
2029              The authentication realm used by the restore tool when authenti‐
2030              cating to an IMAP/sync server.
2032          reverseacls: 0
2033              At  startup  time,  ctl_cyrusdb  -r will check this value and it
2034              will either add or remove reverse ACL pointers from mailboxes.db.
2036          rfc2046_strict: 0
2037              If enabled, imapd will be strict (per RFC  2046)  when  matching
2038              MIME  boundary  strings.   This means that boundaries containing
2039              other boundaries as substrings will  be  treated  as  identical.
2040              Since  enabling  this option will break some messages created by
2041              Eudora 5.1 (and earlier), it is recommended that it be left dis‐
2042              abled unless there is good reason to do otherwise.
2044          rfc2047_utf8: 0
2045              If  enabled, imapd will parse any non-encoded character sequence
2046              in MIME header values as UTF8. This is useful for  installations
2047              that  either  advertise the UTF8SMTP (RFC 5335) extension or re‐
2048              ceive mails with improperly escaped UTF-8 byte sequences. It  is
2049              recommended  that  this  option is left disabled unless there is
2050              good reason to do otherwise.
2052          rfc3028_strict: 1
2053              If enabled, Sieve will be strict (per RFC 3028) with regards  to
2054              which  headers  are  allowed  to be used in address and envelope
2055              tests.  This means that only those headers which are defined  to
2056              contain addresses will be allowed in address tests and only “to”
2057              and “from” will be allowed in envelope  tests.   When  disabled,
2058              ANY grammatically correct header will be allowed.
2060          rss_feedlist_template: <none>
2061              File  containing  HTML  that will be used as a template for dis‐
2062              playing the list of available RSS feeds.  A single  instance  of
2063              the  variable  %RSS_FEEDLIST%  should  appear in the file, which
2064              will be replaced by a  nested  unordered  list  of  feeds.   The
2065              toplevel unordered list will be tagged with an id of “feed” (<ul
2066              id=’feed’>) which can be used by stylesheet(s) in your template.
2067              The dynamically created list of feeds based on the HTML template
2068              will be accessible at the “/rss” URL on the server.
2070          rss_feeds: *
2071              A wildmat pattern specifying which mailbox hierarchies should be
2072              treated  as RSS feeds.  Only mailboxes matching the wildmat will
2073              have their messages available via RSS.  If not  set,  a  default
2074              wildmat of “*” (ALL mailboxes) will be used.
2076          rss_maxage: <none>
2077              Maximum age of items to display in an RSS channel.  If non-zero,
2078              httpd will only display items received within this time  period.
2079              If  set  to  0,  all  available items will be displayed (the de‐
2080              fault).
2082              For backward compatibility, if no unit is specified, days is as‐
2083              sumed.
2085          rss_maxitems: 0
2086              Maximum  number  of  items  to  display  in  an RSS channel.  If
2087              non-zero, httpd will display no more than the rss_maxitems  most
2088              recent  items.   If  set  to 0, all available items will be dis‐
2089              played (the default).
2091          rss_maxsynopsis: 0
2092              Maximum RSS item synopsis length.  If non-zero, httpd will  dis‐
2093              play  no  more  than  the first rss_maxsynopsis characters of an
2094              item’s synopsis.  If set to 0, the entire synopsis will be  dis‐
2095              played (the default).
2097          rss_realm: <none>
2098              The  realm  to present for HTTP authentication of RSS feeds.  If
2099              not set (the default), the value of the “servername” option will
2100              be used.
2102          sasl_auto_transition: 0
2103              If enabled, the SASL library will automatically create authenti‐
2104              cation secrets when given a plaintext password.   See  the  SASL
2105              documentation.
2107          sasl_maximum_layer: 256
2108              Maximum  SSF (security strength factor) that the server will al‐
2109              low a client to negotiate.
2111          sasl_minimum_layer: 0
2112              The minimum SSF that the server will allow a client  to  negoti‐
2113              ate.   A  value  of  1 requires integrity protection; any higher
2114              value requires some amount of encryption.
2116          sasl_option: 0
2117              Any SASL option can be set by preceding  it  with  sasl_.   This
2118              file overrides the SASL configuration file.
2120          sasl_pwcheck_method: <none>
2121              The  mechanism used by the server to verify plaintext passwords.
2122              Possible values include “auxprop”, “saslauthd”, and “pwcheck”.
2124          search_batchsize: 20
2125              The number of messages to be indexed in one batch (default  20).
2126              Note that long batches may delay user commands or mail delivery.
2128          search_attachment_extractor_url: <none>
2129              Reserved for future use.
2131          search_index_language: 0
2132              Reserved for future use.
2134          search_index_parts: 0
2135              Deprecated. No longer used.
2137          search_query_language: 0
2138              Reserved for future use.
2140          search_normalisation_max: 1000
2141              A  resource  bound for the combinatorial explosion of search ex‐
2142              pression tree complexity caused by normalising expressions  with
2143              many  OR  nodes.   These  can use more CPU time to optimise than
2144              they save IO time in scanning folders.
2146          search_engine: none
2147              The indexing engine used to speed up searching.
2149              Allowed values: none, squat, xapian
2151          search_fuzzy_always: 0
2152              Whether to enable RFC 6203 FUZZY search for all IMAP SEARCH.  If
2153              turned on, search attributes will be searched using FUZZY search
2154              by default.  If turned off, clients have to explicitly  use  the
2155              FUZZY  search key to enable fuzzy search for regular SEARCH com‐
2156              mands.
2158          search_index_headers: 1
2159              Whether to index headers other than From, To, Cc, Bcc, and  Sub‐
2160              ject.   Experiment  shows that some headers such as Received and
2161              DKIM-Signature can contribute up to 2/3rds of the index size but
2162              almost nothing to the utility of searching.  Note that if header
2163              indexing  is  disabled,  headers  can  still  be  searched,  the
2164              searches will just be slower.
2166          search_indexed_db: twoskip
2167              The  cyrusdb  backend  to  use for the search latest indexed uid
2168              state.  Xapian only.
2170              Allowed values: flat, skiplist, twoskip, zeroskip
2172          search_maxtime: <none>
2173              The maximum number of seconds to run a search for before  abort‐
2174              ing.   Default  of  no  value means search “forever” until other
2175              timeouts.
2177          search_queryscan: 5000
2178              The minimum number of records required to do a direct scan of all
2179              G keys rather than indexed lookups.  A value of 0 means always
2180              do indexed lookups.
2182          search_skipdiacrit: 1
2183              When searching, should diacriticals be stripped from the  search
2184              terms.   The  default  is  “true”, a search for “hav” will match
2185              “Håvard”.  This is not RFC 5051 compliant, but it is backwards
2186              compatible, and may be preferred by some sites.
2188          search_skiphtml: 0
2189              If enabled, HTML parts of messages are skipped, i.e. not indexed
2190              and not searchable.  Otherwise, they’re indexed.
2192          search_whitespace: merge
2193              When searching, how whitespace should be handled.  Options  are:
2194              “skip”  (default in 2.3 and earlier series) - where a search for
2195              “equi” would match “the quick brown fox”.   “merge”  -  the  de‐
2196              fault,  where  “he   qu” would match “the quick   brownfox”, and
2197              “keep”, where whitespace must match  exactly.   The  default  of
2198              “merge”  is  recommended for most cases - it’s a good compromise
2199              which keeps words separate.  Allowed values: skip, merge, keep
2201          search_snippet_length: 255
2202              The maximum byte length of a snippet generated by the  XSNIPPETS
2203              command.  Only supported by the Xapian search backend, which at‐
2204              tempts to always fill search_snippet_length bytes in the  gener‐
2205              ated snippet.
2207          search_stopword_path: <none>
2208              The  absolute  base  path  to  the search stopword lists. If not
2209              specified, no stopwords will be taken into account during search
2210              indexing.  Currently,  the  only supported and default stop word
2211              file is english.txt.
2213          searchpartition-name: <none>
2214              The pathname  where  to  store  the  xapian  search  indexes  of
2215              searchtier for mailboxes of partition name. This must be config‐
2216              ured for the defaultsearchtier and any  additional  search  tier
2217              (see squatter for details).
2219              For  example:  if  defaultpartition  is defined as part1 and de‐
2220              faultsearchtier as tier1 then the configuration must contain  an
2221              entry  tier1searchpartition-part1 that defines the path where to
2222              store this tier1’s search index for the part1 partition.
2224              This option MUST be specified for xapian search.
2226          seenstate_db: twoskip
2227              The cyrusdb backend to use for the seen state.
2229              Allowed values: flat, skiplist, twoskip, zeroskip
2231          sendmail: /usr/lib/sendmail
2232              The pathname of the sendmail executable.  Sieve invokes sendmail
2233              for sending rejections, redirects and vacation responses.
2235          sendmail_auth_id: CYRUS_SENDMAIL_AUTH_ID
2236              The  name  of an environment variable to set when invoking send‐
2237              mail.  The value of this environment variable will  contain  the
2238              user  id  of the currently authenticated user. If no user is au‐
2239              thenticated the environment variable is not set.
2241          serverlist: <none>
2242              Whitespace separated list of backend  server  names.   Used  for
2243              finding  server  with the most available free space for proxying
2244              CREATE.
2246          serverlist_select_mode: freespace-most
2247              Server selection mode.
2249              random (pseudo-)random selection
2251              freespace-most
2252                     backend with the most (total) free space (KiB)
2254              freespace-percent-most
2255                     backend whose partition has the most free space (%)
2257              freespace-percent-weighted
2258                     same as for partition selection, comparing the free space
2259                     (%) of the least used partition of each backend
2261              freespace-percent-weighted-delta
2262                     same as for partition selection, comparing the free space
2263                     (%) of the least used partition of each backend.
2265                     Allowed values:  random,  freespace-most,  freespace-per‐
2266                     cent-most,   freespace-percent-weighted,   freespace-per‐
2267                     cent-weighted-delta
2269          serverlist_select_usage_reinit: 0
2270              For a given session, number of operations (e.g.  backend  selec‐
2271              tion) for which backend usage data are cached.
2273          serverlist_select_soft_usage_limit: 0
2274              Limit  of backend usage (%): if a backend is over that limit, it
2275              is automatically excluded from selection mode.
2277              If all backends are over that limit, this feature  is  not  used
2278              anymore.
2280          servername: <none>
2281              This  is  the  hostname  visible in the greeting messages of the
2282              POP, IMAP and LMTP daemons. If it is unset, then the result  re‐
2283              turned from gethostname(2) is used.  This is also the value used
2284              by murder clusters to identify the host name.  It should be  re‐
2285              solvable by DNS to the correct host, and unique within an active
2286              cluster.  If you are using low  level  replication  (e.g.  drbd)
2287              then  it should be the same on each copy and the DNS name should
2288              also be moved to the new master on failover.
2290          serverinfo: on
2291              The server information to display in the greeting and capability
2292              responses. Information is displayed as follows:
2293                 “off” = no server information in the greeting or capabilities
2295                 “min”  = servername in the greeting; no server information in
2296                 the capabilities
2298                 “on” = servername and product version in the greeting;  prod‐
2299                 uct version in the capabilities
2301                 Allowed values: off, min, on
2303          sharedprefix: Shared Folders
2304              If using the alternate IMAP namespace, the prefix for the shared
2305              namespace.  The hierarchy delimiter will  be  automatically  ap‐
2306              pended.
2308          sieve_allowreferrals: 1
2309              If  enabled,  timsieved will issue referrals to clients when the
2310              user’s scripts reside on a remote server (in a Murder).   Other‐
2311              wise, timsieved will proxy traffic to the remote server.
2313          sieve_duplicate_max_expiration: 90d
2314              Maximum expiration time for duplicate message tracking records.
2316              For  backward compatibility, if no unit is specified, seconds is
2317              assumed.
2319          sieve_extensions:   fileinto   reject   vacation    vacation-seconds
2320          imapflags  notify include envelope environment body relational regex
2321          subaddress copy date index imap4flags mailbox  mboxmetadata  server‐
2322          metadata  variables  editheader  extlists  duplicate  ihave fcc spe‐
2323          cial-use  redirect-dsn  redirect-deliverby   mailboxid   x-cyrus-log
2324          x-cyrus-jmapquery x-cyrus-snooze
2325              Space-separated  list  of Sieve extensions allowed to be used in
2326              sieve scripts, enforced at submission by timsieved(8).  Any pre‐
2327              viously  installed  script will be unaffected by this option and
2328              will continue to execute  regardless  of  the  extensions  used.
2329              This  option  has no effect on options that are disabled at com‐
2330              pile time (e.g., “regex”).  Allowed  values:  fileinto,  reject,
2331              vacation,  vacation-seconds,  imapflags,  notify, include, enve‐
2332              lope, environment, body, relational,  regex,  subaddress,  copy,
2333              date,  index, imap4flags, mailbox, mboxmetadata, servermetadata,
2334              variables, editheader, extlists,  duplicate,  ihave,  fcc,  spe‐
2335              cial-use,     redirect-dsn,    redirect-deliverby,    mailboxid,
2336              x-cyrus-log, x-cyrus-jmapquery, x-cyrus-snooze
2338          sieve_maxscriptsize: 32
2339              Maximum size (in kilobytes) any sieve script can be, enforced at
2340              submission by timsieved(8).
2342          sieve_maxscripts: 5
2343              Maximum  number  of sieve scripts any user may have, enforced at
2344              submission by timsieved(8).
2346          sieve_utf8fileinto: 0
2347              If enabled, the  sieve  engine  expects  folder  names  for  the
2348              fileinto  action  in  scripts  to use UTF8 encoding.  Otherwise,
2349              modified UTF7 encoding should be used.
2351          sieve_sasl_send_unsolicited_capability: 0
2352              If enabled, timsieved will emit a capability  response  after  a
2353              successful   SASL   authentication,   per   draft-martin-manage‐
2354              sieve-12.txt .
2356          sieve_use_lmtp_reject: 1
2357              Enabled by default.  If reject can be done via LMTP, then return
2358              a 550 rather than generating the bounce message in Cyrus.
2360          sieve_vacation_min_response: 3d
2361              Minimum  time  interval  between consecutive vacation responses,
2362              per draft-ietf-vacation-seconds.txt.  The default is 3 days.
2364              For backward compatibility, if no unit is specified, seconds  is
2365              assumed.
2367          sieve_vacation_max_response: 90d
2368              Maximum  time  interval  between consecutive vacation responses,
2369              per draft-ietf-vacation-seconds.txt.  The default  is  90  days.
2370              The minimum is 7 days.
2372              For  backward compatibility, if no unit is specified, seconds is
2373              assumed.
2375          sievedir: /usr/sieve
2376              If sieveusehomedir is false,  this  directory  is  searched  for
2377              Sieve scripts.
2379          sievenotifier: <none>
2380              Notifyd(8) method to use for “SIEVE” notifications.  If not set,
2381              “SIEVE” notifications are disabled.
2383              This method is only used when no  method  is  specified  in  the
2384              script.
2386          sieveusehomedir: 0
2387              If enabled, lmtpd will look for Sieve scripts in user’s home di‐
2388              rectories: ~user/.sieve.
2390          anysievefolder: 0
2391              It must be “yes” in order to permit the autocreation of any  IN‐
2392              BOX   subfolder   requested  by  a  sieve  filter,  through  the
2393              “fileinto” action. (default = no)
2395          singleinstancestore: 1
2396              If enabled, imapd, lmtpd and nntpd attempt  to  only  write  one
2397              copy of a message per partition and create hard links, resulting
2398              in a potentially large disk savings.
2400          skiplist_always_checkpoint: 1
2401              If enabled, this option forces the skiplist cyrusdb  backend  to
2402              always  checkpoint  when doing a recovery.  This causes slightly
2403              more IO, but on the other hand leads  to  more  efficient  data‐
2404              bases, and the entire file is already “hot”.
2406          skiplist_unsafe: 0
2407              If  enabled,  this option forces the skiplist cyrusdb backend to
2408              not sync writes to the disk.  Enabling this option is NOT RECOM‐
2409              MENDED.
2411          smtp_backend: sendmail
2412              The SMTP backend to use for sending email.
2414              The “host” backend sends message submissions via a TCP socket to
2415              the SMTP host defined in the config option smtp_host.
2417              The “sendmail” backend forks the Cyrus  process  into  the  exe‐
2418              cutable  defined  in the config option sendmail.  The executable
2419              must accept “-bs” as command line argument, read from stdin  and
2420              must  implement  the minimum SMTP protocol as defined in section
2421              4.5.1 of RFC 5321.
2423              If the SMTP EHLO command reports AUTH (RFC 4954) as a  supported
2424              extension,  then the MAIL FROM command includes the AUTH parame‐
2425              ter, with its value set to the name of  any  authenticated  user
2426              which  triggered the email. The AUTH parameter is omitted if the
2427              user is unknown to the calling process.
2429              If the directory configdirectory/log/smtpclient.smtp_backend ex‐
2430              ists,  then  telemetry  logs  for outgoing SMTP sessions will be
2431              created in this directory.
2433              Allowed values: host, sendmail
2435          smtp_host: localhost:587
2436              The SMTP host to use for sending mail (also see the smtp_backend
2437              option). The value of this option must be the name or IP address of
2438              a TCP host, followed optionally by a colon and the port or  ser‐
2439              vice  to  use.  The default port is 587. TLS may be activated by
2440              appending “/tls” to the  value.  Authentication  is  enabled  if
2441              smtp_auth_authname is set. Authentication can be explicitly dis‐
2442              abled by appending “/noauth” to the host address.
2444          smtp_auth_authname: <none>
2445              The authentication name to use when authenticating to  the  SMTP
2446              server defined in smtp_host.
2448          smtp_auth_password: <none>
2449              The  password  to use when authenticating to the SMTP server de‐
2450              fined in smtp_host.
2452          smtp_auth_realm: <none>
2453              The authentication SASL realm to use when  authenticating  to  a
2454              SMTP server.
2456          soft_noauth: 1
2457              If  enabled, lmtpd returns temporary failures if the client does
2458              not successfully authenticate.  Otherwise lmtpd  returns  perma‐
2459              nent failures (causing the mail to bounce immediately).
2461          sortcache_db: twoskip
2462              The  cyrusdb  backend to use for caching sort results (currently
2463              only used for xconvmultisort).  Allowed values: skiplist, twoskip,
2464              zeroskip
2466          specialuse_extra: <none>
2467              Whitespace  separated  list of extra special-use attributes that
2468              can be set on a mailbox. RFC  6154  currently  lists  what  spe‐
2469              cial-use  attributes can be set. This allows extending that list
2470              in the future or adding your own if needed.
2472          specialuse_protect: \Archive \Drafts \Important \Junk \Sent \Trash
2473              Whitespace separated list of special-use attributes  to  protect
2474              the  mailboxes  for.   If  set, don’t allow mailboxes with these
2475              special use attributes to be deleted or renamed to have  a  dif‐
2476              ferent parent. Default is the built-in list.
2478          specialusealways: 1
2479              If  enabled,  this  option causes LIST and LSUB output to always
2480              include the XLIST “special-use” flags
2482          sql_database: <none>
2483              Name of the database which contains the cyrusdb table(s).
2485          sql_engine: <none>
2486              Name of the SQL engine to use.
2488              Allowed values: mysql, pgsql, sqlite
2490          sql_hostnames: <empty string>
2491              Comma separated list of SQL servers (in host[:port] format).
2493          sql_passwd: <none>
2494              Password to use for authentication to the SQL server.
2496          sql_user: <none>
2497              Username to use for authentication to the SQL server.
2499          sql_usessl: 0
2500              If enabled, a secure connection will be made to the SQL server.
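
An added example, not part of the Cyrus documentation: a small auditor that parses imapd.conf text with the continuation and boolean rules of this page and reports the options in this section whose descriptions carry a security caveat (proxyservers, submitservers, sasl_minimum_layer, skiplist_unsafe, smtp_host, sql_usessl, serverinfo and the password options). The severity labels, function names and sample configuration are assumptions made for the illustration.

```python
"""Audit imapd.conf text for security-relevant options (added example)."""
import re

TRUE = {"yes", "on", "t", "true", "1"}  # "on" spellings per imapd.conf(5)

# Documented defaults for the options examined below.
DEFAULTS = {"sasl_minimum_layer": "0", "skiplist_unsafe": "0",
            "smtp_backend": "sendmail", "smtp_host": "localhost:587",
            "sql_usessl": "0", "serverinfo": "on"}

# Option names that carry a credential, including prefixed forms such as a
# host-specific or per-channel password.
SECRET_RE = re.compile(r"(password|passwd)$|^srs_secrets$")

# Constructed sample input, not a recommended configuration.
SAMPLE = r"""
# constructed sample
proxyservers: murder-fe \
    backup-admin
sasl_minimum_layer: 0
skiplist_unsafe: yes
smtp_backend: host
smtp_host: mail.example.net:587
smtp_auth_authname: cyrus
smtp_auth_password: not-a-real-secret
sql_hostnames: db1.example.net
serverinfo: min
"""


def parse_conf(text):
    """Return {option: value}; a trailing backslash joins the next line."""
    joined = re.sub(r"\\\r?\n", "", text)
    conf = {}
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            conf[name.strip()] = value.strip()
    return conf


def audit(conf):
    """Return a list of (severity, option, message); severities are assumed."""
    def get(key):
        return conf.get(key, DEFAULTS.get(key, ""))

    def enabled(key):
        return get(key).lower() in TRUE

    findings = []
    if get("proxyservers").split():
        findings.append(("high", "proxyservers", "may log in as any other user: "
                         + " ".join(get("proxyservers").split())))
    if get("submitservers").split():
        findings.append(("high", "submitservers", "may fetch any urlauth=submit+ "
                         "URL: " + " ".join(get("submitservers").split())))
    try:
        ssf = int(get("sasl_minimum_layer"))
    except ValueError:
        findings.append(("medium", "sasl_minimum_layer", "value is not an integer"))
    else:
        if ssf == 0:
            findings.append(("medium", "sasl_minimum_layer",
                             "clients may negotiate no integrity or encryption"))
        elif ssf == 1:
            findings.append(("low", "sasl_minimum_layer",
                             "integrity protection only, no encryption required"))
    if enabled("skiplist_unsafe"):
        findings.append(("high", "skiplist_unsafe",
                         "skiplist writes are not synced to disk"))
    # smtp_host is only used by the "host" backend; auth is on when
    # smtp_auth_authname is set unless /noauth is appended.
    flags = set(get("smtp_host").lower().split("/")[1:])
    if (get("smtp_backend") == "host" and conf.get("smtp_auth_authname")
            and "noauth" not in flags and "tls" not in flags):
        findings.append(("high", "smtp_host",
                         "SMTP authentication enabled but /tls not appended"))
    if conf.get("sql_hostnames") and not enabled("sql_usessl"):
        findings.append(("medium", "sql_usessl",
                         "connection to SQL server is not secured"))
    if enabled("serverinfo"):
        findings.append(("info", "serverinfo",
                         "product version shown in greeting and capabilities"))
    for name in sorted(conf):
        if SECRET_RE.search(name) and conf[name]:
            # Report the option name only; never echo the value.
            findings.append(("info", name, "credential stored in this file"))
    return findings


if __name__ == "__main__":
    for severity, option, message in audit(parse_conf(SAMPLE)):
        print(f"{severity:6} {option}: {message}")
```
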
2502          srs_alwaysrewrite: 0
2503              If true, perform SRS rewriting for ALL forwarding, even when not
2504              required.
2506          srs_domain: <none>
2507              The  domain  to use in rewritten addresses. This must point only
2508              to machines which know the encoding secret used by this  system.
2509              When present, SRS is enabled.
2511          srs_hashlength: 0
2512              The hash length to generate in a rewritten address.
2514          srs_secrets: <none>
2515              A list of secrets with which to generate addresses.
2517          srs_separator: <none>
2518              The  separator  to appear immediately after SRS[01] in rewritten
2519              addresses.
2521          srvtab: <empty string>
2522              The pathname of srvtab file containing the server’s private key.
2523              This  option is passed to the SASL library and overrides its de‐
2524              fault setting.
2526          submitservers: <none>
2527              A  list  of  users  and  groups  that  are  allowed  to  resolve
2528              “urlauth=submit+”  IMAP  URLs,  separated  by  spaces.  Any user
2529              listed in this will be allowed to  fetch  the  contents  of  any
2530              valid “urlauth=submit+” IMAP URL: use with caution.
2532          subscription_db: flat
2533              The cyrusdb backend to use for the subscriptions list.
2535              Allowed values: flat, skiplist, twoskip, zeroskip
2537          suppress_capabilities: <none>
2538              Suppress  the  named  capabilities from any capability response.
2539              Use the exact case as it appears in the  response,  e.g.   “sup‐
2540              press_capabilities:  ESEARCH QRESYNC WITHIN XLIST LIST-EXTENDED”
2541              if you have a murder with 2.3.x backends and don’t want  clients
2542              being confused by new capabilities that some backends don’t sup‐
2543              port.
2545          statuscache: 0
2546              Enable/disable the imap status cache.
2548          statuscache_db: twoskip
2549              The cyrusdb backend to use for the imap status cache.
2551              Allowed values: skiplist, sql, twoskip, zeroskip
2553          statuscache_db_path: <none>
2554              The absolute path to the statuscache db file.  If not specified,
2555              will be configdirectory/statuscache.db
2557          sync_authname: <none>
2558              The  authentication  name  to  use when authenticating to a sync
2559              server.  Prefix with a channel name to only apply for that chan‐
2560              nel
2562          sync_batchsize: 8192
2563              The number of messages to upload in a single mailbox replication.
2564              Default is 8192.  If there are more than this many messages
2565              appended to the mailbox, generate a synthetic partial state and
2566              send that.
2568          sync_host: <none>
2569              Name of the  host  (replica  running  sync_server(8))  to  which
2570              replication actions will be sent by sync_client(8).  Prefix with
2571              a channel name to only apply for that channel
2573          sync_log: 0
2574              Enable  replication  action  logging  by   lmtpd(8),   imapd(8),
2575              pop3d(8),  and  nntpd(8).  The log {configdirectory}/sync/log is
2576              used by sync_client(8) for “rolling” replication.
2578          sync_log_chain: 0
2579              Enable replication action logging by sync_server as well, allow‐
2580              ing  chaining  of  replicas.   Use  this  on ‘B’ for A => B => C
2581              replication layout
2583          sync_log_channels: <none>
2584              If specified, log all events to multiple log files  in  directo‐
2585              ries specified by each “channel”.  Each channel can then be pro‐
2586              cessed separately, such as by multiple sync_client(8)s in a mesh
2587              replication  scheme,  or by squatter(8) for rolling search index
2588              updates.
2590              You can use “” (the two-character string U+22 U+22) to mean  the
2591              default sync channel.
2593          sync_log_unsuppressable_channels: squatter
2594              If  specified,  the named channels are exempt from the effect of
2595              setting sync_log_chain:off, i.e. they are always  logged  to  by
2596              the  sync_server  process.   This is only really useful to allow
2597              rolling search indexing on a replica.
2599          sync_password: <none>
2600              The default password  to  use  when  authenticating  to  a  sync
2601              server.  Prefix with a channel name to only apply for that chan‐
2602              nel
          sync_port: <none>
              Name of the service (or port number) of the replication service
              on the replica host.  Prefix with a channel name to only apply
              for that channel.  If not specified, and if sync_try_imap is set
              to “yes” (the default), then the replication client will first
              try “imap” (port 143) to check if imapd supports replication.
              Otherwise it will default to “csync” (usually port 2005).
2612          sync_realm: <none>
2613              The  authentication  realm  to use when authenticating to a sync
2614              server.  Prefix with a channel name to only apply for that chan‐
2615              nel
2617          sync_repeat_interval: 1s
2618              Minimum interval between replication runs in rolling replication
2619              mode. If a replication run takes longer than this time,  we  re‐
2620              peat  immediately.  Prefix with a channel name to only apply for
2621              that channel.
2623              For backward compatibility, if no unit is specified, seconds  is
2624              assumed.
2626          sync_shutdown_file: <none>
2627              Simple  latch  used  to  tell sync_client(8) that it should shut
2628              down at the next opportunity. Safer than sending signals to run‐
2629              ning  processes.   Prefix  with a channel name to only apply for
2630              that channel
2632          sync_timeout: 30m
2633              How long to wait for a response before returning a timeout fail‐
2634              ure  when talking to a replication peer (client or server).  The
2635              minimum duration is 3 seconds, the default is 30 minutes.
2637              For backward compatibility, if no unit is specified, seconds  is
2638              assumed.
2640          sync_try_imap: 1
2641              Whether sync_client should try to perform an IMAP connection be‐
2642              fore falling back to csync.  If this is set to “no”, sync_client
2643              will  only  use csync.  Prefix with a channel name to apply only
2644              for that channel
2646          syslog_prefix: <none>
2647              String to be prepended to the process name  in  syslog  entries.
2648              Can  be  further  overridden by setting the $CYRUS_SYSLOG_PREFIX
2649              environment variable.
2651              Using the $CYRUS_SYSLOG_PREFIX environment variable has the  ad‐
2652              ditional  advantage  that it can be set before the imapd.conf is
2653              read, so errors while reading the config file can  be  syslogged
2654              with the correct prefix.
2656          syslog_facility: <none>
2657              Configure  a  syslog  facility.  The default is whatever is com‐
2658              piled in.  Allowed values are: DAEMON, MAIL, NEWS, USER, and LO‐
2659              CAL0 through to LOCAL7
2661          tcp_keepalive: 0
2662              Enable keepalive on TCP connections
2664          tcp_keepalive_cnt: 0
2665              Number of TCP keepalive probes to send before declaring the con‐
2666              nection dead (0 == system default)
2668          tcp_keepalive_idle: 0
2669              How long a connection must be idle before keepalive  probes  are
2670              sent (0 == system default).
2672              For  backward compatibility, if no unit is specified, seconds is
2673              assumed.
2675          tcp_keepalive_intvl: 0
2676              Time between keepalive probes (0 == system default).
2678              For backward compatibility, if no unit is specified, seconds  is
2679              assumed.
2681          temp_path: /tmp
2682              The pathname to store temporary files in
2684          telemetry_bysessionid: 0
2685              If true, log by sessionid instead of PID for telemetry
2687          timeout: 32m
2688              The  length  of  the  IMAP server’s inactivity autologout timer.
2689              The minimum value is 30 minutes.  The default is 32 minutes,  to
2690              allow a bit of leeway for clients that try to NOOP every 30 min‐
2691              utes.
2693              For backward compatibility, if no unit is specified, minutes  is
2694              assumed.
2696          imapidletimeout: <none>
2697              Timeout  for  idling  clients  (RFC  2177).  If not set (the de‐
2698              fault), the value of “timeout” will be used instead.
2700              For backward compatibility, if no unit is specified, minutes  is
2701              assumed.
2703          tls_ca_file: <none>
2704              Deprecated in favor of tls_client_ca_file.
2706          tls_ca_path: <none>
2707              Deprecated in favor of tls_client_ca_dir.
2709          tlscache_db: twoskip
2710              Deprecated in favor of tls_sessions_db.
2712          tlscache_db_path: <none>
2713              Deprecated in favor of tls_sessions_db_path.
2715          tls_cert_file: <none>
2716              Deprecated in favor of tls_server_cert.
2718          tls_cipher_list: DEFAULT
2719              Deprecated in favor of tls_ciphers.
2721          tls_ciphers: DEFAULT
2722              The  list of SSL/TLS ciphers to allow.  The format of the string
2723              (and definition of “DEFAULT”) is described in ciphers(1).
2725              See also Mozilla’s server-side TLS recommendations:
2727              https://wiki.mozilla.org/Security/Server_Side_TLS
2729          tls_crl_file: <none>
2730              Path to a file containing the Certificate Revocation List
2732          tls_client_ca_dir: <none>
2733              Path to a directory containing the CA certificates used to  ver‐
2734              ify client SSL certificates used for authentication.
2736          tls_client_ca_file: <none>
2737              Path  to  a file containing the CA certificate(s) used to verify
2738              client SSL certificates used for authentication.
2740          tls_client_cert: <none>
2741              File containing the certificate presented to a  server  for  au‐
2742              thentication during STARTTLS. A value of “disabled” will disable
2743              this server’s use of certificate-based authentication.
2745          tls_client_certs: optional
2746              Disable (“off”), allow (“optional”, default)  or  require  (“re‐
2747              quire”)  the  use of SSL certificates by clients to authenticate
2748              themselves.  Allowed values: off, optional, require
2750          tls_client_key: <none>
2751              File containing the private key belonging to the tls_client_cert
2752              certificate.  A  value  of “disabled” will disable this server’s
2753              use of certificate-based authentication.
2755          tls_eccurve: prime256v1
2756              The elliptic curve used for  ECDHE.  Default  is  NIST  Suite  B
2757              prime256.   See ‘openssl ecparam -list_curves’ for possible val‐
2758              ues.
2760          tls_key_file: <none>
2761              Deprecated in favor of tls_server_key.
2763          tls_required: 0
2764              If enabled, require a TLS/SSL encryption layer to be  negotiated
2765              prior  to  ANY authentication mechanisms being advertised or al‐
2766              lowed.
2768          tls_prefer_server_ciphers: 0
2769              Prefer the ciphers on the server side instead of client side.
2771          tls_server_ca_dir: <none>
2772              Path to a directory with CA certificates used to verify certifi‐
2773              cates offered by the server, when cyrus acts as client. This di‐
2774              rectory must have filenames with the hashed value  of  the  cer‐
2775              tificates (see openssl(1)).
2777          tls_server_ca_file: <none>
2778              Path  to  a  file containing CA certificates used to verify cer‐
2779              tificates offered by the server, when cyrus acts as client.
          tls_server_cert: <none>
              File containing the certificate, including the full chain,
              presented to clients.  Two certificates can be set, e.g. RSA
              and EC, if the filenames are separated by a comma without
              spaces.
2786          tls_server_dhparam: <none>
2787              File containing the DH parameters belonging to  the  certificate
2788              in tls_server_cert.
          tls_server_key: <none>
              File containing the private key belonging to the certificate in
              tls_server_cert.  If not set, tls_server_cert must contain both
              private and public key.  Two files with keys can be set if two
              certificates are used, in which case the filenames must be
              separated by a comma without spaces.
2797          tls_sessions_db: twoskip
2798              The cyrusdb backend to use for the TLS cache.
2800              Allowed values: skiplist, sql, twoskip, zeroskip
2802          tls_sessions_db_path: <none>
2803              The absolute path to the TLS sessions db file. If not specified,
2804              will be configdirectory/tls_sessions.db
2806          tls_session_timeout: 24h
2807              The length of time that a TLS session will be cached  for  later
2808              reuse.   The  maximum  value  is  24 hours, also the default.  A
2809              value of 0 will disable session caching.
2811              For backward compatibility, if no unit is specified, minutes  is
2812              assumed.
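
              The duration options on this page fall back to different
              default units and carry different limits. The following added
              example (not part of the Cyrus distribution) normalises values
              to seconds and reports settings outside the documented bounds;
              the strict number-plus-unit grammar and the function names are
              assumptions of this sketch.

```python
import re

UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}

# option -> (default unit, minimum seconds, maximum seconds), as documented
# on this page; None means the page states no bound.
LIMITS = {
    "timeout": ("m", 30 * 60, None),
    "sync_timeout": ("s", 3, None),
    "tls_session_timeout": ("m", None, 24 * 3600),
}


def parse_duration(value, default_unit):
    """Convert '32m', '1h30m' or a bare number to seconds.

    Assumption: only <number><unit> pairs or one bare number are accepted;
    Cyrus itself may be more lenient.
    """
    value = value.strip()
    if re.fullmatch(r"\d+", value):
        return int(value) * UNIT_SECONDS[default_unit]
    if not re.fullmatch(r"(\d+[dhms])+", value):
        raise ValueError(f"not a duration: {value!r}")
    pairs = re.findall(r"(\d+)([dhms])", value)
    return sum(int(number) * UNIT_SECONDS[unit] for number, unit in pairs)


def check_durations(options):
    """Return (option, finding) tuples for values outside documented limits."""
    findings = []
    for name, (unit, low, high) in LIMITS.items():
        if name not in options:
            continue
        try:
            seconds = parse_duration(options[name], unit)
        except ValueError as exc:
            findings.append((name, str(exc)))
            continue
        if name == "tls_session_timeout" and seconds == 0:
            findings.append((name, "0 disables TLS session caching"))
        elif low is not None and seconds < low:
            findings.append((name, f"{seconds}s is below the minimum of {low}s"))
        elif high is not None and seconds > high:
            findings.append((name, f"{seconds}s is above the maximum of {high}s"))
    return findings


if __name__ == "__main__":
    # Constructed sample values: a bare "20" means 20 minutes for timeout,
    # while a bare "2" means 2 seconds for sync_timeout.
    sample = {"timeout": "20", "sync_timeout": "2", "tls_session_timeout": "2d"}
    for option, finding in check_durations(sample):
        print(f"{option}: {finding}")
```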
          tls_versions: tls1_0 tls1_1 tls1_2 tls1_3
              A list of SSL/TLS versions to leave enabled.  Cyrus IMAP SSL/TLS
              starts with all protocols, and subtracts protocols not in this
              list.  Newer versions of SSL/TLS will need to be added here to
              allow them to get disabled.
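
              The TLS entries above include several deprecated option names,
              a tls_required default of off and a tls_versions default that
              keeps tls1_0 and tls1_1 enabled. The following added example
              (not part of the Cyrus distribution) reads an imapd.conf and
              reports those three conditions; the sample configuration and
              the function names are constructed for illustration.

```python
# Added example: audit the TLS options documented on this page.
DEPRECATED = {  # deprecated option -> replacement, as listed on this page
    "tls_ca_file": "tls_client_ca_file",
    "tls_ca_path": "tls_client_ca_dir",
    "tlscache_db": "tls_sessions_db",
    "tlscache_db_path": "tls_sessions_db_path",
    "tls_cert_file": "tls_server_cert",
    "tls_cipher_list": "tls_ciphers",
    "tls_key_file": "tls_server_key",
}
TRUE = {"yes", "on", "t", "true", "1"}  # values that turn a boolean on
DEFAULT_VERSIONS = "tls1_0 tls1_1 tls1_2 tls1_3"
LEGACY = {"tls1_0", "tls1_1"}  # TLS 1.0/1.1 are deprecated by RFC 8996

SAMPLE = """\
# constructed sample, not from a real deployment
tls_cert_file: /etc/ssl/cyrus/server.pem
tls_server_key: /etc/ssl/cyrus/server.key
tls_versions: tls1_1 \\
    tls1_2 tls1_3
tls_required: no
"""


def parse_conf(text):
    """Return {option: value}; skips blank/'#' lines, joins '\\' continuations."""
    options, pending = {}, ""
    for raw in text.splitlines():
        if not pending and (not raw.strip() or raw.lstrip().startswith("#")):
            continue
        if raw.endswith("\\"):
            pending += raw[:-1]  # drop the backslash, keep reading
            continue
        line, pending = pending + raw, ""
        name, sep, value = line.partition(":")
        if sep:
            options[name.strip()] = value.strip()
    return options


def audit_tls(options):
    """Return (option, finding) tuples for the TLS settings in options."""
    findings = []
    for old, new in DEPRECATED.items():
        if old in options:
            findings.append((old, f"deprecated, use {new}"))
    if options.get("tls_required", "0").lower() not in TRUE:
        findings.append(("tls_required",
                         "off: authentication mechanisms are offered without TLS"))
    versions = options.get("tls_versions", DEFAULT_VERSIONS).split()
    legacy = sorted(LEGACY.intersection(versions))
    if legacy:
        findings.append(("tls_versions",
                         "legacy protocols left enabled: " + " ".join(legacy)))
    return findings


if __name__ == "__main__":
    for option, finding in audit_tls(parse_conf(SAMPLE)):
        print(f"{option}: {finding}")
```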
          uidl_format: cyrus
              Choose the format for UIDLs in pop3.  Possible values are
              “uidonly”, “cyrus”, “dovecot” and “courier”.  “uidonly” forces
              the old default of UID, “cyrus” is UIDVALIDITY.UID.  “dovecot”
              is 8 digits of leading hex (lower case) each for UID and
              UIDVALIDITY.  “courier” is UIDVALIDITY-UID.

              Allowed values: uidonly, cyrus, dovecot, courier
2828          umask: 077
2829              The umask value used by various Cyrus IMAP programs.
2831          userdeny_db: flat
2832              The cyrusdb backend to use for the user access list.
2834              Allowed values: flat, skiplist, sql, twoskip, zeroskip
2836          userdeny_db_path: <none>
2837              The  absolute  path  to the userdeny db file.  If not specified,
2838              will be configdirectory/user_deny.db
2840          username_tolower: 1
2841              Convert usernames to all lowercase before  login/authentication.
2842              This  is  useful  with authentication backends which ignore case
2843              during username lookups (such as LDAP).
2845          userprefix: Other Users
2846              If using the alternate IMAP namespace, the prefix for the  other
2847              users  namespace.  The hierarchy delimiter will be automatically
2848              appended.
          unix_group_enable: 1
              Should we look up groups when using auth_unix?  Disable this if
              you are not using groups in ACLs for your IMAP server, and you
              are using auth_unix with a backend (such as LDAP) that can make
              getgrent() calls very slow.
          unixhierarchysep: 1
              Use the UNIX separator character ‘/’ for delimiting levels of
              mailbox hierarchy.  Turn off to use the netnews separator
              character ‘.’.  Note that with the netnews separator, no dots
              may occur in mailbox names.  The default switched in 3.0 from
              off to on.
2863          virtdomains: off
2864              Configure virtual domain support.
2866              off    Cyrus does not know or care about domains. Only the local
2867                     part of email addresses is ever considered.  This is  not
2868                     recommended  for any deployment, but is currently the de‐
2869                     fault.
2871              userid The user’s domain is  determined  by  splitting  a  fully
2872                     qualified  userid  at the last ‘@’ or ‘%’ symbol.  If the
2873                     userid is unqualified, the defaultdomain  will  be  used.
2874                     This  is  the  recommended  configuration for all deploy‐
2875                     ments.  If you wish to provide calendaring  services  you
2876                     must use this configuration.
2878              on     Fully  qualified  userids are respected, as per “userid”.
2879                     Unqualified userids will have their domain determined  by
2880                     doing  a reverse lookup on the IP address of the incoming
2881                     network interface, or if no record is found, the default‐
2882                     domain will be used.
2884                     Allowed values: off, userid, on
2886          virusscan_notification_subject: Automatically deleted mail
2887              The  text  used in the subject of email notifications created by
2888              cyr_virusscan(8) when deleting infected mail.
2890          virusscan_notification_template: <none>
2891              The absolute path to a file containing a template to use to  de‐
2892              scribe  infected  messages that have been deleted by cyr_viruss‐
2893              can(8).  See cyr_virusscan(8) for specification of the format of
2894              this  file.  If not specified, the builtin default template will
2895              be used.
2897          xbackup_enabled: 0
2898              Enable support for the XBACKUP command in  imapd.   If  enabled,
2899              admin  users  can  use  this command to provoke a replication of
2900              specified users to the named backup channel.
2902          xlist-flag: <none>
2903              Set the special-use flag flag on the specified folder when it is
2904              autocreated  (see the autocreate_inbox_folders option).  For ex‐
2905              ample, if xlist-junk: Spam is set, and the folder  Spam  is  au‐
2906              tocreated, the special-use flag \Junk will be set on it.
2908              (This  option  is  so  named for backward compatibility with old
2909              config files.)
          lmtp_catchall_mailbox: <none>
              Mail sent to mailboxes which do not exist will be delivered to
              this user.  NOTE: This must be an existing local user name with
              an INBOX, NOT an email address!
2916          zoneinfo_db: twoskip
2917              The cyrusdb backend to use for zoneinfo.  This database is  used
2918              by  the “tzdist” httpmodules, and is managed by ctl_zoneinfo(8).
2919              Allowed values: flat, skiplist, twoskip, zeroskip
2921          zoneinfo_db_path: <none>
2922              The absolute path to the zoneinfo db file.   If  not  specified,
2923              will be configdirectory/zoneinfo.db
2925          zoneinfo_dir: <none>
2926              The absolute path to the zoneinfo directory, containing timezone
2927              definitions as generated by the vzic tool.   If  not  specified,
2928              whatever definitions libical finds will be used.
2930              If you are providing a Time Zone Data Distribution Service (i.e.
2931              you have “tzdist” listed in httpmodules), then  this  configura‐
2932              tion option MUST be specified.
          object_storage_enabled: 0
              Whether object storage is enabled for this server.  You also
              need to have archiving enabled and an archivepartition for the
              mailbox.  Only email files will be stored on object storage;
              the archive partition will be used to store any other files.
2940          object_storage_dummy_spool: <none>
2941              Dummy object storage spool; this is for test only.  Spool  where
2942              user  directory  (container) will be created to store all emails
2943              in a flat structure
2945          openio_namespace: <none>
2946              The OpenIO namespace used to store archived  email  messages.  A
2947              namespace  identifies  the physical platform cyrus must contact.
2948              This directive is used by the OpenIO’s SDK to locate  its  plat‐
2949              form entry point.
          openio_account: <none>
              The OpenIO account used to account for stored emails.  Accounts
              are unique in their namespace.  They provide virtual
              partitions, with quotas and QoS features.
2956          openio_rawx_timeout: 30s
2957              The  OpenIO  timeout  to  query to the RAWX services (default 30
2958              sec).
2960          openio_proxy_timeout: 5s
2961              The OpenIO timeout to query to the  PROXY  services  (default  5
2962              sec).
          openio_autocreate: 0
              Allow the OpenIO SDK to autocreate containers.  Mainly intended
              to be turned on in development environments.  In production,
              the container should have been provisioned with the mailboxes.
          openio_verbosity: <none>
              Sets the logging verbosity of the OpenIO’s internal behavior.
              Admissible values are: “warning”, “notice”, “info”, “debug”,
              “trace”, “quiet”.  The default verbosity is “warning”.  Set to
              “notice” for a few lines on a per-client basis.  Set to “info”
              for a few lines on a per-request basis.  Set to “debug” Set to
              “trace” to activate the underlying libcurl debug output.
              Enabling a verbosity higher than or equal to “debug” requires
              cyrus to be set in debug mode.  The special “quiet” value
              disables all kinds of logging at the GLib level.
          caringo_hostname: <none>
              The Caringo hostname used to store archived email messages.  A
              hostname identifies the physical platform cyrus must contact.
              This directive is used by the Caringo’s SDK (CastorSDK: Caringo
              Simple Content Storage Protocol (SCSP) on HTTP 1.1 using a
              RESTful architecture).
2987          caringo_port: 80
2988              The  port  of  the caringo server (caringo_hostname); default is
2989              80.
2991          fastmailsharing: 0
2992              If enabled, use FastMail style sharing  (oldschool  full  server
2993              paths)


2996          imapd(8),  pop3d(8),  nntpd(8),  lmtpd(8),  httpd(8),  timsieved(8),
2997          idled(8), notifyd(8), deliver(8), master(8), ciphers(1)


3000       The Cyrus Team
3003       1993-2018, The Cyrus Team
3.2.8                         September 01, 2021                 IMAPD.CONF(5)