1IMAPD.CONF(5) Cyrus IMAP IMAPD.CONF(5)
2
6 imapd.conf - Cyrus IMAP documentation
7 IMAP configuration file
9
11 /etc/imapd.conf is the configuration file for the Cyrus IMAP server.
12 It defines local parameters for IMAP.
13 Each line of the /etc/imapd.conf file has the form
15 option: value
16 where option is the name of the configuration option being set and
18 value is the value that the configuration option is being set to.
19 Although there is no limit to the length of a line, a ``'’ (back‐
21 slash) character may be used as the last character on a line to
22 force it to continue on the next one. No additional whitespace is
23 inserted before or after the ``'’. Note that a line that is split
24 using ``'’ character(s) is still considered a single line.
25 For example
27 option:\
28 value1 value2 \
29 value3
30 is equivalent to
32 option: value1 value2 value3
33 Blank lines and lines beginning with ``#’’ are ignored.
35 For boolean and enumerated options, the values ``yes’‘, ``on’‘,
37 ``t’‘, ``true’’ and ``1’’ turn the option on, the values ``no’‘,
38 ``off’‘, ``f’‘, ``false’’ and ``0’’ turn the option off.
39 Duration options take the form of a number followed by a unit, for
41 example 32m (32 minutes). Units are d (days), h (hours), m (min‐
42 utes) and s (seconds). Multiple units can be combined and will be
43 summed together, for example 1h30m is equivalent to 90m. If no unit
44 is specified, an option-specific backward-compatible default unit is
45 assumed (documented on an option-by-option basis). These are simple
46 time units: 1d=24h, 1h=60m, 1m=60s (daylight savings, timezones,
47 leap adjustments, etc are not considered).
48
50 The sections below detail options that can be placed in the
51 /etc/imapd.conf file, and show each option’s default value. Some
52 options have no default value, these are listed with ``<no de‐
53 fault>’‘. Some options default to the empty string, these are
54 listed with ``<none>’‘.
55 addressbookprefix: #addressbooks
57 The prefix for the addressbook mailboxes hierarchies. The hier‐
58 archy delimiter will be automatically appended. The public ad‐
59 dressbook hierarchy will be at the toplevel of the shared name‐
60 space. A user’s personal addressbook hierarchy will be a child
61 of their Inbox.
62 admins: <empty string>
64 The list of userids with administrative rights. Separate each
65 userid with a space. Sites using Kerberos authentication may
66 use separate “admin” instances.
67 Note that accounts used by users should not be administrators.
69 Administrative accounts should not receive mail. That is, if
70 user “jbRo” is a user reading mail, he should not also be in the
71 admins line. Some problems may occur otherwise, most notably
72 the ability of administrators to create top-level mailboxes vis‐
73 ible to users, but not writable by users.
74 afspts_localrealms: <none>
76 The list of realms which are to be treated as local, and thus
77 stripped during identifier canonicalization (for the AFSPTS pt‐
78 loader module). This is different from loginrealms in that it
79 occurs later in the authorization process (as the user id is
80 canonified for PTS lookup)
81 afspts_mycell: <none>
83 Cell to use for AFS PTS lookups. Defaults to the local cell.
84 allowallsubscribe: 0
86 Allow subscription to nonexistent mailboxes. This option is
87 typically used on backend servers in a Murder so that users can
88 subscribe to mailboxes that don’t reside on their “home” server.
89 This option can also be used as a workaround for IMAP clients
90 which don’t play well with nonexistent or unselectable mailboxes
91 (e.g., Microsoft Outlook).
92 allowanonymouslogin: 0
94 Permit logins by the user “anonymous” using any password. Also
95 allows use of the SASL ANONYMOUS mechanism.
96 allowapop: 1
98 Allow use of the POP3 APOP authentication command.
99 Note that this command requires that SASL is compiled with APOP
101 support, that the plaintext passwords are available in a SASL
102 auxprop backend (e.g., sasldb), and that the system can provide
103 enough entropy (e.g., from /dev/urandom) to create a challenge
104 in the banner.
105 allowdeleted: 0
107 Allow access to deleted and expunged data via vendor.cmu-* ac‐
108 cess
109 allownewnews: 0
111 Allow use of the NNTP NEWNEWS command.
112 Note that this is a very expensive command and should only be
114 enabled when absolutely necessary.
115 allowplaintext: 0
117 If enabled, allows the use of cleartext passwords on the wire.
118 By default, the use of cleartext passwords requires a TLS/SSL
120 encryption layer to be negotiated prior to any cleartext authen‐
121 tication mechanisms being advertised or allowed. To require a
122 TLS/SSL encryption layer to be negotiated prior to ANY authenti‐
123 cation, see the tls_required option.
124 allowsetacl: 1
126 Defaults to enabled. If disabled, disallows the use of the SE‐
127 TACL command at all via IMAP.
128 allowusermoves: 0
130 Allow moving user accounts (with associated meta-data) via RE‐
131 NAME or XFER.
132 Note that measures should be taken to make sure that the user
134 being moved is not logged in, and cannot login during the move.
135 Failure to do so may result in the user’s meta-data (seen state,
136 subscriptions, etc) being corrupted or out of date.
137 altnamespace: 1
139 Use the alternate IMAP namespace, where personal folders reside
140 at the same level in the hierarchy as INBOX.
141 This option ONLY applies where interaction takes place with the
143 client/user. Currently this is limited to the IMAP protocol
144 (imapd) and Sieve scripts (lmtpd). This option does NOT apply
145 to admin tools such as cyradm (admins ONLY), reconstruct, quota,
146 etc., NOR does it affect LMTP delivery of messages directly to
147 mailboxes via plus-addressing. The default changed in 3.0 from
148 off to on.
149 altprefix: Alt Folders
151 Alternative INBOX spellings that can’t be accessed in altnames‐
152 pace otherwise go under here
153 annotation_db: twoskip
155 The cyrusdb backend to use for mailbox annotations.
156 Allowed values: skiplist, twoskip, zeroskip
158 annotation_db_path: <none>
160 The absolute path to the annotations db file. If not specified,
161 will be configdirectory/annotations.db
162 anyoneuseracl: 1
164 Should non-admin users be allowed to set ACLs for the ‘anyone’
165 user on their mailboxes? In a large organization this can cause
166 support problems, but it’s enabled by default.
167 annotation_allow_undefined: 0
169 Allow clients to store values for entries which are not defined
170 either by Cyrus or in the annotations_definitions file.
171 annotation_definitions: <none>
173 File containing external (third-party) annotation definitions.
174 Each line of the file specifies the properties of an annotation
176 and has the following form:
177 name, scope, attrib-type, proxy-type, attrib-names, acl
178 name is the hierarchical name as in RFC 5257 or RFC 5464 (in
180 the latter case, without the leading /shared or /pri‐
181 vate). For example, /vendor/acme/blurdybloop.
182 scope specifies whether the annotation is for the server, a
184 mailbox, or a message.
185 attrib-type
187 specifies the attribute data type, which is used only
188 to check the string value passed by clients when set‐
189 ting annotations. The attrib-type is one of:
190 string any value is accepted.
192 content-type
194 this obsolete data type, which was useful for
195 early drafts of the standard, is accepted but
196 silently translated to string.
197 boolean
199 only the strings “true” or “false” are accepted.
200 Checking is case-insensitive but the value is
201 forced to lowercase.
202 int integers are accepted.
204 uint non-negative integers are accepted.
206 proxy-type
208 specifies whether this attribute is for the backend or
209 proxy servers or both (proxy_and_backend)
210 attrib-names
212 is the space-separated list of available attributes for
213 the annotation. Possible attribute names are
214 value.shared, value.priv, and value (which permits both
215 value.priv and value.shared). The attribute names size,
216 size.shared, and size.priv are accepted but ignored;
217 these attributes are automatically provided by the server
218 if the corresponding value attribute is specified. Some
219 obsolete attributes, which were defined early drafts of
220 the standard, are accepted and ignored with a warning.
221 extra-permissions
223 is the extra ACL permission bits required for setting
224 this annotation, in standard IMAP ACL permission bit
225 string format. Note that this is in addition to the per‐
226 mission bits specified in RFC 5257 and RFC 5464, so leav‐
227 ing this field empty is harmless. Note also that there
228 is no way to specify that an annotation can only be set
229 by an admin user; in particular the a permission bit does
230 not achieve this.
231 Blank lines and lines beginning with ``#’’ are ignored.
233 annotation_callout: <none>
235 The pathname of a callout to be used to automatically add anno‐
236 tations or flags to a message when it is appended to a mailbox.
237 The path can be either an executable (including a script), or a
238 UNIX domain socket.
239 annotation_callout_disable_append: 0
241 Disables annotations on append with xrunannotator
242 annotation_enable_legacy_commands: 0
244 Whether to enable the legacy GETANNOTATION/SETANNOTATION com‐
245 mands. These commands are deprecated and will be removed in the
246 future, but might be useful in the meantime for supporting old
247 clients that do not implement the RFC 5464 IMAP METADATA exten‐
248 sion.
249 aps_topic: <none>
251 Topic for Apple Push Service registration.
252 aps_topic_caldav: <none>
254 Topic for Apple Push Service registration for CalDAV.
255 aps_topic_carddav: <none>
257 Topic for Apple Push Service registration for CardDAV.
258 archive_enabled: 0
260 Is archiving enabled for this server. You also need to have an
261 archivepartition for the mailbox. Archiving allows older email
262 to be stored on slower, cheaper disks - even within the same
263 mailbox, as distinct from partitions.
264 archive_days: <none>
266 Deprecated in favour of archive_after.
267 archive_after: 7d
269 The duration after which to move messages to the archive parti‐
270 tion if archiving is enabled.
271 For backward compatibility, if no unit is specified, days is as‐
273 sumed.
274 archive_maxsize: 1024
276 The size in kilobytes of the largest message that won’t be
277 archived immediately. Default is 1Mb
278 archive_keepflagged: 0
280 If set, messages with the \Flagged system flag won’t be
281 archived, provided they are smaller than archive_maxsize.
282 archivepartition-name: <none>
284 The pathname of the archive partition name, corresponding to
285 spool partition partition-name. For any mailbox residing in a
286 directory on partition-name, the archived messages will be
287 stored in a corresponding directory on archivepartition-name.
288 Note that not every partition-name option is strictly required
289 to have a corresponding archivepartition-name option, but that
290 without one there’s no benefit to enabling archiving.
291 auditlog: 0
293 Should cyrus output log entries for every action taken on a mes‐
294 sage file or mailboxes list entry? It’s noisy so disabled by
295 default, but can be very useful for tracking down what happened
296 if things look strange
297 auth_mech: unix
299 The authorization mechanism to use.
300 Allowed values: unix, pts, krb, krb5
302 autocreateinboxfolders: <none>
304 Deprecated in favor of autocreate_inbox_folders.
305 autocreatequota: 0
307 Deprecated in favor of autocreate_quota.
308 autocreatequotamsg: -1
310 Deprecated in favor of autocreate_quota_messages.
311 autosievefolders: <none>
313 Deprecated in favor of autocreate_sieve_folders.
314 generate_compiled_sieve_script: 0
316 Deprecated in favor of autocreate_sieve_script_compile.
317 autocreate_sieve_compiled_script: <none>
319 Deprecated in favor of autocreate_sieve_script_compiled.
320 autosubscribeinboxfolders: <none>
322 Deprecated in favor of autocreate_subscribe_folders.
323 autosubscribesharedfolders: <none>
325 Deprecated in favor of autocreate_subscribe_sharedfolders.
326 autosubscribe_all_sharedfolders: 0
328 Deprecated in favor of autocreate_subscribe_sharedfolders_all.
329 autocreate_acl: <none>
331 If folders are to be created by autocreate_inbox_folders, this
332 setting can be used to apply additional ACLs to the autocreated
333 folders. The syntax is “autocreate_acl folder identifier
334 rights”, where folder must match one of the autocreate_in‐
335 box_folders folders, identifier must be a valid cyrus identi‐
336 fier, and rights must be a valid cyrus rights string. Multiple
337 identifier|rights pairs can be assigned to a single folder by
338 providing this setting multiple times.
339 For example, “autocreate_acl Plus anyone p” would allow lmtp de‐
341 livery to a folder named “Plus”.
342 autocreate_inbox_folders: <none>
344 If a user does not have an INBOX already, and the INBOX is to be
345 created, create the list of folders in this setting as well.
346 autocreate_inbox_folders is a list of INBOX’s subfolders sepa‐
347 rated by a “|”, that are automatically created by the server un‐
348 der the following two scenarios. Leading and trailing whitespace
349 is stripped, so “Junk | Trash” results in two folders: “Junk”
350 and “Trash”. See also the xlist-flag option, for setting spe‐
351 cial-use flags on autocreated folders.
352 INBOX folders are created under both the following conditions:
354 1. The user logins via the IMAP or the POP3 protocol. autocre‐
356 ate_quota option must have a value of zero or greater.
357 2. A message arrives for the user through the lmtpd(8). au‐
359 tocreate_post option must be enabled.
360 autocreate_post: 0
362 If enabled, when lmtpd(8) receives an incoming mail for an INBOX
363 that does not exist, then the INBOX is automatically created by
364 lmtpd(8) and delivery of the message continues.
365 autocreate_quota: -1
367 If set to a value of zero or higher, users have their INBOX
368 folders created upon a successful login event or upon lmtpd(8)
369 message delivery if autocreate_post is enabled, provided their
370 INBOX did not yet already exist.
371 The user’s quota is set to the value if it is greater than zero,
373 otherwise the user has unlimited quota.
374 Note that quota is specified in kilobytes.
376 autocreate_quota_messages: -1
378 If set to a value of zero or higher, users who have their INBOX
379 folders created upon a successful login event (see autocre‐
380 ate_quota), or upon lmtpd(8) message delivery if autocreate_post
381 is enabled, receive the message quota configured in this option.
382 The default of -1 disables assigning message quota.
384 For consistency with autocreate_quota, a value of zero is
386 treated as unlimited message quota, rather than a message quota
387 of zero.
388 autocreate_sieve_folders: <none>
390 A “|” separated list of subfolders of INBOX that will be auto‐
391 matically created, if requested by a sieve filter, through the
392 “fileinto” action. The default is to create no folders automati‐
393 cally.
394 Leading and trailing whitespace is stripped from each folder, so
396 a setting of “Junk | Trash” will create two folders: “Junk” and
397 “Trash”.
398 autocreate_sieve_script: <none>
400 The full path of a file that contains a sieve script. This
401 script automatically becomes a user’s initial default sieve fil‐
402 ter script.
403 When this option is not defined, no default sieve filter is cre‐
405 ated. The file must be readable by the Cyrus daemon.
406 autocreate_sieve_script_compile: 0
408 If set to yes and no compiled sieve script file exists, the
409 sieve script which is compiled on the fly will be saved in the
410 file name that autocreate_sieve_compiledscript option points to.
411 In order a compiled script to be generated, autocre‐
412 ate_sieve_script and autocreate_sieve_compiledscript must have
413 valid values
414 autocreate_sieve_script_compiled: <none>
416 The full path of a file that contains a compiled in bytecode
417 sieve script. This script automatically becomes a user’s initial
418 default sieve filter script. If this option is not specified,
419 or the filename doesn’t exist then the script defined by au‐
420 tocreate_sieve_script is compiled on the fly and installed as
421 the user’s default sieve script
422 autocreate_subscribe_folders: <none>
424 A list of folder names, separated by “|”, that the users get au‐
425 tomatically subscribed to, when their INBOX is created. These
426 folder names must have been included in the autocreateinboxfold‐
427 ers option of the imapd.conf.
428 autocreate_subscribe_sharedfolders: <none>
430 A list of shared folders (bulletin boards), separated by “|”,
431 that the users get automatically subscribed to, after their IN‐
432 BOX is created. The shared folder must have been created and the
433 user must have the required permissions to get subscribed to it.
434 Otherwise, subscribing to the shared folder fails.
435 autocreate_subscribe_sharedfolders_all: 0
437 If set to yes, the user is automatically subscribed to all
438 shared folders, one has permission to subscribe to.
439 autocreate_users: anyone
441 A space separated list of users and/or groups that are allowed
442 their INBOX to be automatically created.
443 autoexpunge: 0
445 If set to yes, then all Deleted messages will be automatically
446 expunged whenever an index is closed, whether CLOSE, UNSELECT,
447 SELECT or on disconnect
448 backuppartition-name: <none>
450 The pathname of the backup partition name. At least one backup
451 partition pathname MUST be specified if backups are in use.
452 Note that there is no relationship between spool partitions and
453 backup partitions.
454 backup_compact_minsize: 0
456 The minimum size in kilobytes of chunks in each backup. The
457 compact tool will try to combine adjacent chunks that are
458 smaller than this.
459 Setting this value to zero or negative disables combining of
461 chunks.
462 backup_compact_maxsize: 0
464 The maximum size in kilobytes of chunks in each backup. The
465 compact tool will try to split chunks larger than this into
466 smaller chunks.
467 Setting this value to zero or negative disables splitting of
469 chunks.
470 backup_compact_work_threshold: 1
472 The number of chunks that must obviously need compaction before
473 the compact tool will go ahead with the compaction. If set to
474 less than one, the value is treated as being one.
475 backup_staging_path: <none>
477 The absolute path of the backup staging area. If not specified,
478 will be temp_path/backup
479 backup_retention_days: <none>
481 Deprecated in favor of backup_retention.
482 backup_retention: 7d
484 How long to keep content in backup after it has been deleted
485 from the source. If set to a negative value or zero, deleted
486 content will be kept indefinitely.
487 For backward compatibility, if no unit is specified, days is as‐
489 sumed.
490 backup_db: twoskip
492 The cyrusdb backend to use for the backup locations database.
493 Allowed values: skiplist, sql, twoskip, zeroskip
495 backup_db_path: <none>
497 The absolute path to the backup db file. If not specified, will
498 be configdirectory/backups.db
499 backup_keep_previous: 0
501 Whether the ctl_backups compact and ctl_backups reindex commands
502 should preserve the original file. The original file will be
503 named with a timestamped suffix. This is mostly useful for de‐
504 bugging.
505 Note that with this enabled, compacting a backup will actually
507 increase the disk used by it (because there will now be an extra
508 copy: the original version, and the compacted version).
509 boundary_limit: 1000
511 messages are parsed recursively and a deep enough MIME structure
512 can cause a stack overflow. Do not parse deeper than this many
513 layers of MIME structure. The default of 1000 is much higher
514 than any sane message should have.
515 caldav_allowattach: 1
517 Enable managed attachments support on the CalDAV server.
518 caldav_allowcalendaradmin: 0
520 Enable per-user calendar administration web UI on the CalDAV
521 server.
522 caldav_allowscheduling: on
524 Enable calendar scheduling operations. If set to “apple”, the
525 server will emulate Apple CalendarServer behavior as closely as
526 possible. Allowed values: off, on, apple
527 caldav_create_attach: 1
529 Create the ‘Attachments’ collection if it doesn’t already exist
530 caldav_create_default: 1
532 Create the ‘Default’ calendar if it doesn’t already exist
533 caldav_create_sched: 1
535 Create the ‘Inbox’ and ‘Outbox’ calendars if they don’t already
536 exist
537 caldav_historical_age: 7d
539 How long after an occurrence of event or task has concluded that
540 it is considered ‘historical’. Changes to historical occur‐
541 rences of events or tasks WILL NOT have invite or reply messages
542 sent for them. A negative value means that events and tasks are
543 NEVER considered historical.
544 For backward compatibility, if no unit is specified, days is as‐
546 sumed.
547 caldav_maxdatetime: 20380119T031407Z
549 The latest date and time accepted by the server (ISO format).
550 This value is also used for expanding non-terminating recurrence
551 rules.
552 Note that increasing this value will require the DAV databases
554 for calendars to be reconstructed with the dav_reconstruct util‐
555 ity in order to see its effect on serer-side time-based queries.
556 caldav_mindatetime: 19011213T204552Z
558 The earliest date and time accepted by the server (ISO format).
559 caldav_realm: <none>
561 The realm to present for HTTP authentication of CalDAV re‐
562 sources. If not set (the default), the value of the “server‐
563 name” option will be used.
564 calendarprefix: #calendars
566 The prefix for the calendar mailboxes hierarchies. The hierar‐
567 chy delimiter will be automatically appended. The public calen‐
568 dar hierarchy will be at the toplevel of the shared namespace.
569 A user’s personal calendar hierarchy will be a child of their
570 Inbox.
571 calendar_default_displayname: personal
573 The displayname to be used when creating a user’s ‘Default’ cal‐
574 endar.
575 calendar_user_address_set: <none>
577 Space-separated list of domains corresponding to calendar user
578 addresses for which the server is responsible. If not set (the
579 default), the value of the “servername” option will be used.
580 calendar_component_set: VEVENT VTODO VJOURNAL VFREEBUSY VAVAILABIL‐
582 ITY VPOLL
583 Space-separated list of iCalendar component types that calendar
584 object resources may contain in a calendar collection. This re‐
585 striction is only set at calendar creation time and only if the
586 CalDAV client hasn’t specified a restriction in the creation re‐
587 quest. Allowed values: VEVENT, VTODO, VJOURNAL, VFREEBUSY,
588 VAVAILABILITY, VPOLL
589 carddav_allowaddmember: 0
591 Enable support for POST add-member on the CardDAV server.
592 carddav_allowaddressbookadmin: 0
594 Enable per-user addressbook administration web UI on the CardDAV
595 server.
596 carddav_realm: <none>
598 The realm to present for HTTP authentication of CardDAV re‐
599 sources. If not set (the default), the value of the “server‐
600 name” option will be used.
601 carddav_repair_vcard: 0
603 If enabled, VCARDs with invalid content are attempted to be re‐
604 paired during creation.
605 chatty: 0
607 If yes, syslog tags and commands for every IMAP command, mail‐
608 boxes for every lmtp connection, every POP3 command, etc
609 client_bind: 0
611 If enabled, a specific IP will be bound when performing a client
612 connection. client_bind_name is used if it is set, otherwise
613 servername is used. This is useful on multi-homed servers where
614 Cyrus should not use other services’ interfaces.
615 If not enabled (the default), no bind will be performed. Client
617 connections will use an IP chosen by the operating system.
618 client_bind_name: <none>
620 IPv4, IPv6 address or hostname to bind for client connections
621 when client_bind is enabled. If not set (the default), server‐
622 name will be used.
623 client_timeout: 10s
625 Time to wait before returning a timeout failure when performing
626 a client connection (e.g. in a murder environment).
627 For backward compatibility, if no unit is specified, seconds is
629 assumed.
630 commandmintimer: <none>
632 Time in seconds. Any imap command that takes longer than this
633 time is logged.
634 configdirectory: <none>
636 The pathname of the IMAP configuration directory. This field is
637 required.
638 createonpost: 0
640 Deprecated in favor of autocreate_post.
641 conversations: 0
643 Enable the XCONVERSATIONS extensions. Extract conversation
644 tracking information from incoming messages and track them in
645 per-user databases.
646 conversations_counted_flags: <none>
648 space-separated list of flags for which per-conversation counts
649 will be kept. Note that you need to reconstruct the conversa‐
650 tions database with ctl_conversationsdb if you change this op‐
651 tion on a running server, or the counts will be wrong.
652 conversations_db: skiplist
654 The cyrusdb backend to use for the per-user conversations data‐
655 base.
656 Allowed values: skiplist, sql, twoskip, zeroskip
658 conversations_expire_days: <none>
660 Deprecated in favor of conversations_expire_after.
661 conversations_expire_after: 90d
663 How long the conversations database keeps the message tracking
664 information needed for receiving new messages in existing con‐
665 versations.
666 For backward compatibility, if no unit is specified, days is as‐
668 sumed.
669 conversations_keep_existing: 1
671 during conversations cleanup, don’t clean up if there are still
672 existing emails with one of the mentioned CIDs
673 conversations_max_thread: 100
675 maximum size for a single thread. Threads will split if they
676 have this many messages in them and another message arrives
677 conversations_max_guidrecords: 5000
679 maximum records with the same guid. This is just a sanity check
680 to stop the same email being added and removed over and over, so
681 the default is 5000
682 conversations_max_guidexists: 100
684 maximum records with the same guid. This maps to “labels”, so
685 with the default of 100, you can only have 100 labels on an
686 email in JMAP
687 conversations_max_guidinfolder: 10
689 maximum records with the same guid in the same folder. You can’t
690 do this via JMAP, but could via IMAP. The default of 10 should
691 be heaps normally!
692 crossdomains: 0
694 Enable cross domain sharing. This works best with alt namespace
695 and unix hierarchy separators on, so you get Other
696 Users/foo@example.com/…
697 crossdomains_onlyother: 0
699 only show the domain for users in other domains than your own
700 (for backwards compatibility if you’re already sharing
701 cyrus_group: <none>
703 The name of the group Cyrus services will run as. If not con‐
704 figured, the primary group of cyrus_user will be used. Can be
705 further overridden by setting the $CYRUS_GROUP environment vari‐
706 able.
707 cyrus_user: <none>
709 The username to use as the ‘cyrus’ user. If not configured, the
710 compile time default will be used. Can be further overridden by
711 setting the $CYRUS_USER environment variable.
712 davdriveprefix: #drive
714 The prefix for the DAV storage mailboxes hierarchies. The hier‐
715 archy delimiter will be automatically appended. The public
716 storage hierarchy will be at the toplevel of the shared name‐
717 space. A user’s personal storage hierarchy will be a child of
718 their Inbox.
719 davnotificationsprefix: #notifications
721 The prefix for the DAV notifications hierarchy. The hierarchy
722 delimiter will be automatically appended. The public notifica‐
723 tions hierarchy will be at the toplevel of the shared namespace.
724 A user’s personal notifications hierarchy will be a child of
725 their Inbox.
726 dav_realm: <none>
728 The realm to present for HTTP authentication of generic DAV re‐
729 sources (principals). If not set (the default), the value of
730 the “servername” option will be used.
731 dav_lock_timeout: 20s
733 The maximum time to wait for a write lock on the per-user DAV
734 database before timeout. For HTTP requests, the HTTP status code
735 503 is returned if the lock can not be obtained within this
736 time.
737 For backward compatibility, if no unit is specified, seconds is
739 assumed.
740 debug_command: <none>
742 Debug command to be used by processes started with -D option.
743 The string is a C format string that gets 3 options: the first
744 is the name of the executable (as specified in the cmd parameter
745 in cyrus.conf). The second is the pid (integer) and the third is
746 the service ID. Example: /usr/local/bin/gdb /usr/cyrus/bin/%s
747 %d
748 defaultacl: anyone lrs
750 The Access Control List (ACL) placed on a newly-created
751 (non-user) mailbox that does not have a parent mailbox.
752 defaultdomain: internal
754 The default domain for virtual domain support
755 defaultpartition: <none>
757 The partition name used by default for new mailboxes. If not
758 specified, the partition with the most free space will be used
759 for new mailboxes.
760 Note that the partition specified by this option must also be
762 specified as partition-name, where you substitute ‘name’ for the
763 alphanumeric string you set defaultpartition to.
764 defaultsearchtier: <empty string>
766 Name of the default tier that messages will be indexed to.
767 Search indexes can be organized in tiers to allow index storage
768 in different directories and physical media. See the man page of
769 squatter for details. The default search tier also requires the
770 definition of an according searchtierpartition-name entry.
771 This option MUST be specified for xapian search.
773 defaultserver: <none>
775 The backend server name used by default for new mailboxes. If
776 not specified, the server with the most free space will be used
777 for new mailboxes.
778 deletedprefix: DELETED
780 With delete_mode set to delayed, the deletedprefix setting de‐
781 fines the prefix for the hierarchy of deleted mailboxes.
782 The hierarchy delimiter will be automatically appended.
784 delete_mode: delayed
786 The manner in which mailboxes are deleted. In the default de‐
787 layed mode, mailboxes that are being deleted are renamed to a
788 special mailbox hierarchy under the deletedprefix, to be removed
789 later by cyr_expire(8).
790 In immediate mode, the mailbox is removed from the filesystem
792 immediately.
793 Allowed values: immediate, delayed
795 delete_unsubscribe: 0
797 Whether to also unsubscribe from mailboxes when they are
798 deleted. Note that this behaviour contravenes RFC 3501 section
799 6.3.9, but may be useful for avoiding user/client software con‐
800 fusion. The default is ‘no’.
801 deleteright: c
803 Deprecated - only used for backwards compatibility with existing
804 installations. Lists the old RFC 2086 right which was used to
805 grant the user the ability to delete a mailbox. If a user has
806 this right, they will automatically be given the new ‘x’ right.
807 disable_user_namespace: 0
809 Preclude list command on user namespace. If set to ‘yes’, the
810 LIST response will never include any other user’s mailbox. Ad‐
811 min users will always see all mailboxes. The default is ‘no’
812 disable_shared_namespace: 0
814 Preclude list command on shared namespace. If set to ‘yes’, the
815 LIST response will never include any non-user mailboxes. Admin
816 users will always see all mailboxes. The default is ‘no’
817 disconnect_on_vanished_mailbox: 0
819 If enabled, IMAP/POP3/NNTP clients will be disconnected by the
820 server if the currently selected mailbox is (re)moved by another
821 session. Otherwise, the missing mailbox is treated as empty
822 while in use by the client.
823 ischedule_dkim_domain: <none>
825 The domain to be reported as doing iSchedule DKIM signing.
826 ischedule_dkim_key_file: <none>
828 File containing the private key for iSchedule DKIM signing.
829 ischedule_dkim_required: 1
831 A DKIM signature is required on received iSchedule requests.
832 ischedule_dkim_selector: <none>
834 Name of the selector subdividing the domain namespace. This
835 specifies the actual key used for iSchedule DKIM signing within
836 the domain.
837 duplicate_db: twoskip
839 The cyrusdb backend to use for the duplicate delivery suppres‐
840 sion and sieve. Allowed values: skiplist, sql, twoskip, ze‐
841 roskip
842 duplicate_db_path: <none>
844 The absolute path to the duplicate db file. If not specified,
845 will be configdirectory/deliver.db
846 duplicatesuppression: 1
848 If enabled, lmtpd will suppress delivery of a message to a mail‐
849 box if a message with the same message-id (or resent-message-id)
850 is recorded as having already been delivered to the mailbox.
851 Records the mailbox and message-id/resent-message-id of all suc‐
852 cessful deliveries.
853 event_content_inclusion_mode: standard
855 The mode in which message content may be included with Mes‐
856 sageAppend and MessageNew. “standard” mode is the default behav‐
857 ior in which message is included up to a size with the notifica‐
858 tion. In “message” mode, the message is included and may be
859 truncated to a size. In “header” mode, it includes headers trun‐
860 cated to a size. In “body” mode, it includes body truncated to a
861 size. In “headerbody” mode, it includes full headers and body
862 truncated to a size Allowed values: standard, message, header,
863 body, headerbody
864 event_content_size: 0
866 Truncate the message content that may be included with Mes‐
867 sageAppend and MessageNew. Set 0 to include the entire message
868 itself
869 event_exclude_flags: <none>
871 Don’t send event notification for given IMAP flag(s)
872 event_exclude_specialuse: \Junk
874 Don’t send event notification for folder with given special-use
875 attributes. Set ALL for any folder
876 event_extra_params: timestamp
878 Space-separated list of extra parameters to add to any appropri‐
879 ated event.
880 Allowed values: bodyStructure, clientAddress, diskUsed,
882 flagNames, messageContent, messageSize, messages, modseq, ser‐
883 vice, timestamp, uidnext, vnd.cmu.midset, vnd.cmu.unseenMes‐
884 sages, vnd.cmu.envelope, vnd.cmu.sessionId, vnd.cmu.mailboxACL,
885 vnd.cmu.mbtype, vnd.cmu.davFilename, vnd.cmu.davUid, vnd.fast‐
886 mail.clientId, vnd.fastmail.sessionId, vnd.fastmail.convExists,
887 vnd.fastmail.convUnseen, vnd.fastmail.cid, vnd.fastmail.coun‐
888 ters, vnd.cmu.emailid, vnd.cmu.threadid
889 event_groups: message mailbox
891 Space-separated list of groups of related events to turn on no‐
892 tification
893 Allowed values: message, quota, flags, access, mailbox, sub‐
895 scription, calendar, applepushservice
896 event_notifier: <none>
898 Notifyd(8) method to use for “EVENT” notifications which are
899 based on the RFC 5423. If not set, “EVENT” notifications are
900 disabled.
901 expunge_mode: delayed
903 The mode in which messages (and their corresponding cache en‐
904 tries) are expunged. “semidelayed” mode is the old behavior in
905 which the message files are purged at the time of the EXPUNGE,
906 but index and cache records are retained to facilitate QRESYNC.
907 In “delayed” mode, which is the default since Cyrus 2.5.0, the
908 message files are also retained, allowing unexpunge to rescue
909 them. In “immediate” mode, both the message files and the index
910 records are removed as soon as possible. In all cases, nothing
911 will be finally purged until all other processes have closed the
912 mailbox to ensure they never see data disappear under them. In
913 “semidelayed” or “delayed” mode, a later run of “cyr_expire”
914 will clean out the retained records (and possibly message
915 files). This reduces the amount of I/O that takes place at the
916 time of EXPUNGE and should result in greater responsiveness for
917 the client, especially when expunging a large number of mes‐
918 sages. Allowed values: immediate, semidelayed, delayed
919 failedloginpause: 3s
921 Time to pause after a failed login.
922 For backward compatibility, if no unit is specified, seconds is
924 assumed.
925 flushseenstate: 1
927 Deprecated. No longer used
928 foolstupidclients: 0
930 If enabled, only list the personal namespace when a LIST “*” is
931 performed (it changes the request to a LIST “INBOX*”).
932 force_sasl_client_mech: <none>
934 Force preference of a given SASL mechanism for client side oper‐
935 ations (e.g., murder environments). This is separate from (and
936 overridden by) the ability to use the <host shortname>_mechs op‐
937 tion to set preferred mechanisms for a specific host
938 fulldirhash: 0
940 If enabled, uses an improved directory hashing scheme which
941 hashes on the entire username instead of using just the first
942 letter as the hash. This changes hash algorithm used for quota
943 and user directories and if hashimapspool is enabled, the entire
944 mail spool.
945 Note that this option CANNOT be changed on a live system. The
947 server must be quiesced and then the directories moved with the
948 rehash utility.
949 hashimapspool: 0
951 If enabled, the partitions will also be hashed, in addition to
952 the hashing done on configuration directories. This is recom‐
953 mended if one partition has a very bushy mailbox tree.
954 debug: 0
956 If enabled, allow syslog() to pass LOG_DEBUG messages.
957 hostname_mechs: <none>
959 Force a particular list of SASL mechanisms to be used when au‐
960 thenticating to the backend server hostname (where hostname is
961 the short hostname of the server in question). If it is not
962 specified it will query the server for available mechanisms and
963 pick one to use. - Cyrus Murder
964 hostname_password: <none>
966 The password to use for authentication to the backend server
967 hostname (where hostname is the short hostname of the server) -
968 Cyrus Murder
969 httpallowcompress: 1
971 If enabled, the server will compress response payloads if the
972 client indicates that it can accept them. Note that the com‐
973 pressed data will appear in telemetry logs, leaving only the re‐
974 sponse headers as human-readable.
975 httpallowcors: <none>
977 A wildmat pattern specifying a list of origin URIs ( scheme
978 “://” host [ “:” port ] ) that are allowed to make Cross-Origin
979 Resource Sharing (CORS) requests on the server. By default,
980 CORS requests are disabled.
981 Note that the scheme and host should both be lowercase, the port
983 should be omitted if using the default for the scheme (80 for
984 http, 443 for https), and there should be no trailing ‘/’ (e.g.:
985 “http://www.example.com:8080”, “https://example.org”).
986 httpallowtrace: 0
988 Allow use of the TRACE method.
989 Note that sensitive data might be disclosed by the response.
991 httpallowedurls: <none>
993 Space-separated list of relative URLs (paths) rooted at “http‐
994 docroot” (see below) to be served by httpd. If set, this option
995 will limit served static content to only those paths specified
996 (returning “404 Not Found” to any other client requested URLs).
997 Otherwise, httpd will serve any content found in “httpdocroot”.
998 Note that any path specified by “rss_feedlist_template” is an
1000 exception to this rule.
1001 httpcontentmd5: 0
1003 If enabled, HTTP responses will include a Content-MD5 header for
1004 the purpose of providing an end-to-end message integrity check
1005 (MIC) of the payload body. Note that enabling this option will
1006 use additional CPU to generate the MD5 digest, which may be ig‐
1007 nored by clients anyways.
1008 httpdocroot: <none>
1010 If set, http will serve the static content (html/text/jpeg/gif
1011 files, etc) rooted at this directory. Otherwise, httpd will not
1012 serve any static content.
1013 httpkeepalive: 20s
1015 Set the length of the HTTP server’s keepalive heartbeat. The
1016 default is 20 seconds. The minimum value is 0, which will dis‐
1017 able the keepalive heartbeat. When enabled, if a request takes
1018 longer than httpkeepalive to process, the server will send the
1019 client provisional responses every httpkeepalive until the final
1020 response can be sent.
1021 For backward compatibility, if no unit is specified, seconds is
1023 assumed.
1024 httplogheaders: <none>
1026 Space-separated list of HTTP header fields that will be included
1027 in the requests logged by httpd(8).
1028 httpmodules: <empty string>
1030 Space-separated list of HTTP modules that will be enabled in
1031 httpd(8). This option has no effect on modules that are dis‐
1032 abled at compile time due to missing dependencies (e.g. libi‐
1033 cal).
1034 Note that “domainkey” depends on “ischedule” being enabled, and
1036 that both “freebusy” and “ischedule” depend on “caldav” being
1037 enabled. Allowed values: admin, caldav, carddav, cgi, do‐
1038 mainkey, freebusy, ischedule, jmap, prometheus, rss, tzdist,
1039 webdav
1040 httpprettytelemetry: 0
1042 If enabled, HTTP response payloads including server-generated
1043 markup languages (HTML, XML) will utilize line breaks and inden‐
1044 tation to promote better human-readability in telemetry logs.
1045 Note that enabling this option will increase the amount of data
1046 sent across the wire.
1047 httptimeout: 5m
1049 Set the length of the HTTP server’s inactivity autologout timer.
1050 The default is 5 minutes. The minimum value is 0, which will
1051 disable persistent connections.
1052 For backwards compatibility, if no unit is specified, minutes is
1054 assumed.
1055 idlesocket: {configdirectory}/socket/idle
1057 Unix domain socket that idled listens on.
1058 ignorereference: 0
1060 For backwards compatibility with Cyrus 1.5.10 and earlier – ig‐
1061 nore the reference argument in LIST or LSUB commands.
1062 imapidlepoll: 60s
1064 The interval for polling for mailbox changes and ALERTs while
1065 running the IDLE command. This option is used when idled is not
1066 enabled or cannot be contacted. The minimum value is 1 second.
1067 A value of 0 will disable IDLE.
1068 For backward compatibility, if no unit is specified, seconds is
1070 assumed.
1071 imapidresponse: 1
1073 If enabled, the server responds to an ID command with a parame‐
1074 ter list containing: version, vendor, support-url, os, os-ver‐
1075 sion, command, arguments, environment. Otherwise the server re‐
1076 turns NIL.
1077 imapmagicplus: 0
1079 Only list a restricted set of mailboxes via IMAP by using
1080 userid+namespace syntax as the authentication/authorization id.
1081 Using userid+ (with an empty namespace) will list only sub‐
1082 scribed mailboxes.
1083 imipnotifier: <none>
1085 Notifyd(8) method to use for “IMIP” notifications which are
1086 based on the RFC 6047. If not set, “IMIP” notifications are
1087 disabled.
1088 implicit_owner_rights: lkxan
1090 The implicit Access Control List (ACL) for the owner of a mail‐
1091 box.
1092 @include: <none>
1094 Directive which includes the specified file as part of the con‐
1095 figuration. If the path to the file is not absolute, CYRUS_PATH
1096 is prepended.
1097 improved_mboxlist_sort: 0
1099 If enabled, a special comparator will be used which will cor‐
1100 rectly sort mailbox names that contain characters such as ‘ ‘
1101 and ‘-‘.
1102 Note that this option SHOULD NOT be changed on a live system.
1104 The mailboxes database should be dumped (ctl_mboxlist) before
1105 the option is changed, removed, and then undumped after changing
1106 the option. When not using flat files for the subscriptions
1107 databases the same has to be done (cyr_dbtool) for each sub‐
1108 scription database See improved_mboxlist_sort.html.
1109 jmap_emailsearch_db_path: <none>
1111 The absolute path to the JMAP email search cache file. If not
1112 specified, JMAP Email/query and Email/queryChanges will not
1113 cache email search results.
1114 jmap_preview_annot: <none>
1116 The name of the per-message annotation, if any, to store message
1117 previews.
1118 jmap_imagesize_annot: <none>
1120 The name of the per-message annotation, if any, that stores a
1121 JSON object, mapping message part numbers of MIME image types to
1122 an array of their image dimensions. The array must have at least
1123 two entries, where the first entry denotes the width and the
1124 second entry the height of the image. Any additional values are
1125 ignored.
1126 For example, if message part 1.2 contains an image of width 300
1128 and height 200, then the value of this annotation would be:
1129 { “1.2” : [ 300, 200 ] }
1131 jmap_inlinedcids_annot: <none>
1133 The name of the per-message annotation, if any, that stores a
1134 JSON object, mapping RFC 2392 Content-IDs referenced in HTML
1135 bodies to the respective HTML body part number.
1136 For example, if message part 1.2 contains HTML and references an
1138 inlined image at “cid:foo”, then the value of this annotation
1139 would be:
1140 { “<foo>” : “1.2” }
1142 Note that the Content-ID key must be URL-unescaped and enclosed
1144 in angular brackets, as defined in RFC 2392.
1145 jmap_preview_length: 64
1147 The maximum byte length of dynamically generated message pre‐
1148 views. Previews stored in jmap_preview_annot take precedence.
1149 jmap_max_size_upload: 1048576
1151 The maximum size (in kilobytes) that the JMAP API accepts for
1152 blob uploads. Returned as the maxSizeUpload property value of
1153 the JMAP “urn:ietf:params:jmap:core” capabilities object. De‐
1154 fault is 1Gb.
1155 jmap_max_size_blob_set: 4096
1157 The maximum size (in kilobytes) that the JMAP API accepts for
1158 Blob/set. Returned as the maxSizeBlobSet property value of the
1159 JMAP “https://cyrusimap.org/ns/jmap/blob” capabilities object.
1160 Default is 4Mb.
1161 jmap_max_concurrent_upload: 5
1163 The value to return for the maxConcurrentUpload property of the
1164 JMAP “urn:ietf:params:jmap:core” capabilities object. The Cyrus
1165 JMAP implementation does not enforce this rate-limit.
1166 jmap_max_size_request: 10240
1168 The maximum size (in kilobytes) that the JMAP API accepts for
1169 requests at the API endpoint. Returned as the maxSizeRequest
1170 property value of the JMAP “urn:ietf:params:jmap:core” capabili‐
1171 ties object. Default is 10Mb.
1172 jmap_max_concurrent_requests: 5
1174 The value to return for the maxConcurrentRequests property of
1175 the JMAP “urn:ietf:params:jmap:core” capabilities object. The
1176 Cyrus JMAP implementation does not enforce this rate-limit.
1177 jmap_max_calls_in_request: 50
1179 The maximum number of calls per JMAP request object. Returned
1180 as the maxCallsInRequest property value of the JMAP “‐
1181 urn:ietf:params:jmap:core” capabilities object.
1182 jmap_max_delayed_send: 512d
1184 The value to return for the maxDelayedSend property of the JMAP
1185 “urn:ietf:params:jmap:emailsubmission” capabilities object. The
1186 Cyrus JMAP implementation does not enforce this limit.
1187 For backward compatibility, if no unit is specified, seconds is
1189 assumed.
1190 jmap_max_objects_in_get: 4096
1192 The maximum number of ids that a JMAP client may request in a
1193 single “/get” type method call. The actual number of returned
1194 objects in the response may exceed this number if the JMAP ob‐
1195 ject type supports unbounded “/get” calls. Returned as the
1196 maxObjectsInGet property value of the JMAP “‐
1197 urn:ietf:params:jmap:core” capabilities object.
1198 jmap_max_objects_in_set: 4096
1200 The maximum number of objects a JMAP client may send to create,
1201 update or destroy in a single /set type method call. Returned
1202 as the maxObjectsInSet property value of the JMAP “‐
1203 urn:ietf:params:jmap:core” capabilities object.
1204 jmap_mail_max_size_attachments_per_email: 10240
1206 The value (in kilobytes) to return for the maxSizeAttach‐
1207 mentsPerEmail property of the JMAP “urn:ietf:params:jmap:mail”
1208 capabilities object. The Cyrus JMAP implementation does not en‐
1209 force this size limit. Default is 10 Mb.
1210 jmap_nonstandard_extensions: 0
1212 If enabled, support non-standard JMAP extensions. If not en‐
1213 abled, only IETF standard JMAP functionality is supported.
1214 jmap_set_has_attachment: 1
1216 If enabled, the $hasAttachment flag is determined and set for
1217 new messages created with the JMAP Email/set or Email/import
1218 methods. This option should typically be enabled, but installa‐
1219 tions using Cyrus-external message annatotors to determine the
1220 $hasAttachment flag might want to disable it.
1221 jmap_vacation: 1
1223 If enabled, support the JMAP vacation extension
1224 jmapuploadfolder: #jmap
1226 the name of the folder for JMAP uploads (#jmap)
1227 jmapsubmission_deleteonsend: 1
1229 If enabled (the default) then delete the EmailSubmission as soon
1230 as the email * has been sent
1231 jmapsubmissionfolder: #jmapsubmission
1233 the name of the folder for JMAP Submissions (#jmapsubmission)
1234 jmappushsubscriptionfolder: #jmappushsubscription
1236 the name of the folder for JMAP Push Subscriptions (#jmappush‐
1237 subscription)
1238 iolog: 0
1240 Should cyrus output I/O log entries
1241 ldap_authz: <none>
1243 SASL authorization ID for the LDAP server
1244 ldap_base: <empty string>
1246 Contains the LDAP base dn for the LDAP ptloader module
1247 ldap_bind_dn: <none>
1249 Bind DN for the connection to the LDAP server (simple bind). Do
1250 not use for anonymous simple binds
1251 ldap_deref: never
1253 Specify how aliases dereferencing is handled during search.
1254 Allowed values: search, find, always, never
1256 ldap_domain_base_dn: <empty string>
1258 Base DN to search for domain name spaces.
1259 ldap_domain_filter: (&(objectclass=domainrelatedobject)(associated‐
1261 domain=%s))
1262 Filter to use searching for domains
1263 ldap_domain_name_attribute: associateddomain
1265 The attribute name for domains.
1266 ldap_domain_scope: sub
1268 Search scope
1269 Allowed values: sub, one, base
1271 ldap_domain_result_attribute: inetdomainbasedn
1273 Result attribute
1274 ldap_filter: (uid=%u)
1276 Specify a filter that searches user identifiers. The following
1277 tokens can be used in the filter string:
1278 %% = % %u = user %U = user portion of %u (%U = test when
1280 %u = test@domain.tld) %d = domain portion of %u if available
1281 (%d = domain.tld when %u = test@domain.tld), otherwise same as
1282 %R %R = domain portion of %u starting with @ (%R = @domain.tld
1283 when %u = test@domain.tld) %D = user dn. (use when ldap_mem‐
1284 ber_method: filter) %1-9 = domain tokens (%1 = tld, %2 = domain
1285 when %d = domain.tld)
1286 ldap_filter is not used when ldap_sasl is enabled.
1288 ldap_group_base: <empty string>
1290 LDAP base dn for ldap_group_filter.
1291 ldap_group_filter: (cn=%u)
1293 Specify a filter that searches for group identifiers. See
1294 ldap_filter for more options.
1295 ldap_group_scope: sub
1297 Specify search scope for ldap_group_filter.
1298 Allowed values: sub, one, base
1300 ldap_id: <none>
1302 SASL authentication ID for the LDAP server
1303 ldap_mech: <none>
1305 SASL mechanism for LDAP authentication
1306 ldap_user_attribute: <none>
1308 Specify LDAP attribute to use as canonical user id
1309 ldap_member_attribute: <none>
1311 See ldap_member_method.
1312 ldap_member_base: <empty string>
1314 LDAP base dn for ldap_member_filter.
1315 ldap_member_filter: (member=%D)
1317 Specify a filter for “ldap_member_method: filter”. See
1318 ldap_filter for more options.
1319 ldap_member_method: attribute
1321 Specify a group method. The “attribute” method retrieves groups
1322 from a multi-valued attribute specified in ldap_member_attri‐
1323 bute.
1324 The “filter” method uses a filter, specified by ldap_member_fil‐
1326 ter, to find groups; ldap_member_attribute is a single-value at‐
1327 tribute group name. Allowed values: attribute, filter
1328 ldap_member_scope: sub
1330 Specify search scope for ldap_member_filter.
1331 Allowed values: sub, one, base
1333 ldap_password: <none>
1335 Password for the connection to the LDAP server (SASL and simple
1336 bind). Do not use for anonymous simple binds
1337 ldap_realm: <none>
1339 SASL realm for LDAP authentication
1340 ldap_referrals: 0
1342 Specify whether or not the client should follow referrals.
1343 ldap_restart: 1
1345 Specify whether or not LDAP I/O operations are automatically
1346 restarted if they abort prematurely.
1347 ldap_sasl: 1
1349 Use SASL for LDAP binds in the LDAP PTS module.
1350 ldap_sasl_authc: <none>
1352 Deprecated. Use ldap_id
1353 ldap_sasl_authz: <none>
1355 Deprecated. Use ldap_authz
1356 ldap_sasl_mech: <none>
1358 Deprecated. Use ldap_mech
1359 ldap_sasl_password: <none>
1361 Deprecated. User ldap_password
1362 ldap_sasl_realm: <none>
1364 Deprecated. Use ldap_realm
1365 ldap_scope: sub
1367 Specify search scope.
1368 Allowed values: sub, one, base
1370 ldap_servers: ldap://localhost/
1372 Deprecated. Use ldap_uri
1373 ldap_size_limit: 1
1375 Specify a number of entries for a search request to return.
1376 ldap_start_tls: 0
1378 Use transport layer security for ldap:// using STARTTLS. Do not
1379 use ldaps:// in ‘ldap_uri’ with this option enabled.
1380 ldap_time_limit: 5s
1382 How long to wait for a search request to complete.
1383 For backward compatibility, if no unit is specified, seconds is
1385 assumed.
1386 ldap_timeout: 5s
1388 How long a search can take before timing out.
1389 For backward compatibility, if no unit is specified, seconds is
1391 assumed.
1392 ldap_ca_dir: <none>
1394 Path to a directory with CA (Certificate Authority) certifi‐
1395 cates.
1396 ldap_ca_file: <none>
1398 Path to a file containing CA (Certificate Authority) certifi‐
1399 cate(s).
1400 ldap_ciphers: <none>
1402 List of SSL/TLS ciphers to allow. The format of the string is
1403 described in ciphers(1).
1404 ldap_client_cert: <none>
1406 File containing the client certificate.
1407 ldap_client_key: <none>
1409 File containing the private client key.
1410 ldap_verify_peer: 0
1412 Require and verify server certificate. If this option is yes,
1413 you must specify ldap_ca_file or ldap_ca_dir.
1414 ldap_tls_cacert_dir: <none>
1416 Deprecated in favor of ldap_ca_dir.
1417 ldap_tls_cacert_file: <none>
1419 Deprecated in favor of ldap_ca_file.
1420 ldap_tls_cert: <none>
1422 Deprecated in favor of ldap_client_cert.
1423 ldap_tls_key: <none>
1425 Deprecated in favor of ldap_client_key.
1426 ldap_tls_check_peer: 0
1428 Deprecated in favor of ldap_verify_peer.
1429 ldap_tls_ciphers: <none>
1431 Deprecated in favor of ldap_ciphers.
1432 ldap_uri: <none>
1434 Contains a list of the URLs of all the LDAP servers when using
1435 the LDAP PTS module.
1436 ldap_version: 3
1438 Specify the LDAP protocol version. If ldap_start_tls and/or
1439 ldap_use_sasl are enabled, ldap_version will be automatically
1440 set to 3.
1441 literalminus: 0
1443 if enabled, CAPABILITIES will reply with LITERAL- rather than
1444 LITERAL+ (RFC 7888). Doesn’t actually size-restrict uploads
1445 though
1446 lmtp_downcase_rcpt: 1
1448 If enabled, lmtpd will convert the recipient addresses to lower‐
1449 case (up to a ‘+’ character, if present).
1450 lmtp_exclude_specialuse: \Snoozed
1452 Don’t allow delivery to folders with given special-use at‐
1453 tributes.
1454 Note that “snoozing” of emails can currently only be done via
1456 the JMAP protocol, so delivery directly to the Snoozed mailbox
1457 is prohibited by default as it will not be moved back into INBOX
1458 automatically.
1459 lmtp_fuzzy_mailbox_match: 0
1461 If enabled, and the mailbox specified in the detail part of the
1462 recipient (everything after the ‘+’) does not exist, lmtpd will
1463 try to find the closest match (ignoring case, ignoring white‐
1464 space, falling back to parent) to the specified mailbox name.
1465 lmtp_over_quota_perm_failure: 0
1467 If enabled, lmtpd returns a permanent failure code when a user’s
1468 mailbox is over quota. By default, the failure is temporary,
1469 causing the MTA to queue the message and retry later.
1470 lmtp_preparse: 0
1472 If enabled, lmtpd will map in the email and parse the xapian
1473 data for jmapsearch. The advantage is that the parsing is done
1474 without holding any locks. The disadvantage is that the parsing
1475 is done even if it winds up not being needed.
1476 lmtp_strict_quota: 0
1478 If enabled, lmtpd returns a failure code when the incoming mes‐
1479 sage will cause the user’s mailbox to exceed its quota. By de‐
1480 fault, the failure won’t occur until the mailbox is already over
1481 quota.
1482 lmtp_strict_rfc2821: 1
1484 By default, lmtpd will be strict (per RFC 2821) with regards to
1485 which envelope addresses are allowed. If this option is set to
1486 false, 8bit characters in the local-part of envelope addresses
1487 are changed to ‘X’ instead. This is useful to avoid generating
1488 backscatter with certain MTAs like Postfix or Exim which accept
1489 such messages.
1490 lmtpsocket: {configdirectory}/socket/lmtp
1492 Unix domain socket that lmtpd listens on, used by deliver(8).
1493 This should match the path specified in cyrus.conf(5).
1494 lmtptxn_timeout: 5m
1496 Timeout used during a lmtp transaction to a remote backend (e.g.
1497 in a murder environment). Can be used to prevent hung lmtpds on
1498 proxy hosts when a backend server becomes unresponsive during a
1499 lmtp transaction. The default is 5 minutes - change to zero for
1500 infinite.
1501 For backward compatibility, if no unit is specified, seconds is
1503 assumed.
1504 lock_debugtime: <none>
1506 A floating point number of seconds. If set, time how long we
1507 wait for any lock, and syslog the filename and time if it’s
1508 longer than this value. The default of NULL means not to time
1509 locks.
1510 loginrealms: <empty string>
1512 The list of remote realms whose users may authenticate using
1513 cross-realm authentication identifiers. Separate each realm
1514 name by a space. (A cross-realm identity is considered any
1515 identity returned by SASL with an “@” in it.).
1516 loginuseacl: 0
1518 If enabled, any authentication identity which has a rights on a
1519 user’s INBOX may log in as that user.
1520 logtimestamps: 0
1522 Include notations in the protocol telemetry logs indicating the
1523 number of seconds since the last command or response.
1524 mailbox_default_options: 0
1526 Default “options” field for the mailbox on create. You’ll want
1527 to know what you’re doing before setting this, but it can apply
1528 some default annotations like duplicate suppression
1529 mailbox_initial_flags: <none>
1531 space-separated list of permanent flags which will be pre-set in
1532 every newly created mailbox. If you know you will require par‐
1533 ticular flag names then this avoids a possible race condition
1534 against a client that fills the entire 128 available slots. De‐
1535 fault is NULL, which is no flags. Example: $Label1 $Label2 $La‐
1536 bel3 NotSpam Spam
1537 mailbox_maxmessages_addressbook: 0
1539 Limit the number of messages that may exist in a single mailbox
1540 of “addressbook” type. Default (0) means no limit. This limit
1541 applies after quotas are checked, so if you have both quota lim‐
1542 its and this set, then you will be denied if you are either over
1543 quota or over this per-mailbox count.
1544 mailbox_maxmessages_calendar: 0
1546 Limit the number of messages that may exist in a single mailbox
1547 of “calendar” type. Default (0) means no limit. This limit ap‐
1548 plies after quotas are checked, so if you have both quota limits
1549 and this set, then you will be denied if you are either over
1550 quota or over this per-mailbox count.
1551 mailbox_maxmessages_email: 0
1553 Limit the number of messages that may exist in a single mailbox
1554 of “email” (normal) type. Default (0) means no limit. This
1555 limit applies after quotas are checked, so if you have both
1556 quota limits and this set, then you will be denied if you are
1557 either over quota or over this per-mailbox count.
1558 mailnotifier: <none>
1560 Notifyd(8) method to use for “MAIL” notifications. If not set,
1561 “MAIL” notifications are disabled.
1562 master_bind_errors_fatal: 0
1564 If enabled, failure to bind a port during startup is treated as
1565 a fatal error, causing master to shut down immediately. The de‐
1566 fault is to keep running, with the affected service disabled un‐
1567 til the next SIGHUP causes it to retry.
1568 Note that this only applies during startup. New services that
1570 fail to come up in response to a reconfig+SIGHUP will just be
1571 logged and disabled like the default behaviour, without causing
1572 master to exit.
1573 maxheaderlines: 1000
1575 Maximum number of lines of header that will be processed into
1576 cache records. Default 1000. If set to zero, it is unlimited.
1577 If a message hits the limit, an error will be logged and the
1578 rest of the lines in the header will be skipped. This is to
1579 avoid malformed messages causing giant cache records
1580 maxlogins_per_host: 0
1582 Maximum number of logged in sessions allowed per host, zero
1583 means no limit
1584 maxlogins_per_user: 0
1586 Maximum number of logged in sessions allowed per user, zero
1587 means no limit
1588 maxmessagesize: 0
1590 Maximum incoming LMTP message size. If non-zero, lmtpd will re‐
1591 ject messages larger than maxmessagesize bytes. If set to 0,
1592 this will allow messages of any size (the default).
1593 maxquoted: 131072
1595 Maximum size of a single quoted string for the parser. Default
1596 128k
1597 maxword: 131072
1599 Maximum size of a single word for the parser. Default 128k
1600 mboxkey_db: twoskip
1602 The cyrusdb backend to use for mailbox keys.
1603 Allowed values: skiplist, twoskip, zeroskip
1605 mboxlist_db: twoskip
1607 The cyrusdb backend to use for the mailbox list.
1608 Allowed values: flat, skiplist, sql, twoskip, zeroskip
1610 mboxlist_db_path: <none>
1612 The absolute path to the mailboxes db file. If not specified
1613 will be configdirectory/mailboxes.db
1614 mboxname_lockpath: <none>
1616 Path to mailbox name lock files (default $conf/lock)
1617 metapartition_files: <empty string>
1619 Space-separated list of metadata files to be stored on a meta‐
1620 partition rather than in the mailbox directory on a spool parti‐
1621 tion. Allowed values: header, index, cache, expunge, squat, an‐
1622 notations, lock, dav, archivecache
1623 metapartition-name: <none>
1625 The pathname of the metadata partition name, corresponding to
1626 spool partition partition-name. For any mailbox residing in a
1627 directory on partition-name, the metadata files listed in meta‐
1628 partition_files will be stored in a corresponding directory on
1629 metapartition-name. Note that not every partition-name option
1630 is required to have a corresponding metapartition-name option,
1631 so that you can selectively choose which spool partitions will
1632 have separate metadata partitions.
1633 mupdate_authname: <none>
1635 The SASL username (Authentication Name) to use when authenticat‐
1636 ing to the mupdate server (if needed).
1637 mupdate_config: standard
1639 The configuration of the mupdate servers in the Cyrus Murder.
1640 The “standard” config is one in which there are discreet front‐
1641 end (proxy) and backend servers. The “unified” config is one in
1642 which a server can be both a frontend and backend. The “repli‐
1643 cated” config is one in which multiple backend servers all share
1644 the same mailspool, but each have their own “replicated” copy of
1645 mailboxes.db. Allowed values: standard, unified, replicated
1646 munge8bit: 1
1648 If enabled, lmtpd munges messages with 8-bit characters in the
1649 headers. The 8-bit characters are changed to `X’. If re‐
1650 ject8bit is enabled, setting munge8bit has no effect. (A proper
1651 solution to non-ASCII characters in headers is offered by RFC
1652 2047 and its predecessors.)
1653 mupdate_connections_max: 128
1655 The max number of connections that a mupdate process will allow,
1656 this is related to the number of file descriptors in the mupdate
1657 process. Beyond this number connections will be immediately is‐
1658 sued a BYE response.
1659 mupdate_password: <none>
1661 The SASL password (if needed) to use when authenticating to the
1662 mupdate server.
1663 mupdate_port: 3905
1665 The port of the mupdate server for the Cyrus Murder
1666 mupdate_realm: <none>
1668 The SASL realm (if needed) to use when authenticating to the
1669 mupdate server.
1670 mupdate_retry_delay: 20
1672 The base time to wait between connection retries to the mupdate
1673 server.
1674 mupdate_server: <none>
1676 The mupdate server for the Cyrus Murder
1677 mupdate_username: <empty string>
1679 The SASL username (Authorization Name) to use when authenticat‐
1680 ing to the mupdate server
1681 mupdate_workers_max: 50
1683 The maximum number of mupdate worker threads (overall)
1684 mupdate_workers_maxspare: 10
1686 The maximum number of idle mupdate worker threads
1687 mupdate_workers_minspare: 2
1689 The minimum number of idle mupdate worker threads
1690 mupdate_workers_start: 5
1692 The number of mupdate worker threads to start
1693 netscapeurl: <none>
1695 If enabled at compile time, this specifies a URL to reply when
1696 Netscape asks the server where the mail administration HTTP
1697 server is. Administrators should set this to a local resource.
1698 newsaddheaders: to
1700 Space-separated list of headers to be added to incoming usenet
1701 articles. Added To: headers will contain email delivery ad‐
1702 dresses corresponding to each newsgroup in the Newsgroups:
1703 header. Added Reply-To: headers will contain email delivery ad‐
1704 dresses corresponding to each newsgroup in the Followup-To: or
1705 Newsgroups: header. If the specified header(s) already exist in
1706 an article, the email delivery addresses will be appended to the
1707 original header body(s).
1708 This option applies if and only if the newspostuser option is
1710 set. Allowed values: to, replyto
1711 newsgroups: *
1713 A wildmat pattern specifying which mailbox hierarchies should be
1714 treated as newsgroups. Only mailboxes matching the wildmat will
1715 accept and/or serve articles via NNTP. If not set, a default
1716 wildmat of “*” (ALL shared mailboxes) will be used. If the
1717 newsprefix option is also set, the default wildmat will be
1718 translated to “<newsprefix>.*”
1719 newsmaster: news
1721 Userid that is used for checking access controls when executing
1722 Usenet control messages. For instance, to allow articles to be
1723 automatically deleted by cancel messages, give the “news” user
1724 the ‘d’ right on the desired mailboxes. To allow newsgroups to
1725 be automatically created, deleted and renamed by the correspond‐
1726 ing control messages, give the “news” user the ‘c’ right on the
1727 desired mailbox hierarchies.
1728 newspeer: <none>
1730 A list of whitespace-separated news server specifications to
1731 which articles should be fed. Each server specification is a
1732 string of the form [user[:pass]@]host[:port][/wildmat] where
1733 ‘host’ is the fully qualified hostname of the server, ‘port’ is
1734 the port on which the server is listening, ‘user’ and ‘pass’ are
1735 the authentication credentials and ‘wildmat’ is a pattern that
1736 specifies which groups should be fed. If no ‘port’ is speci‐
1737 fied, port 119 is used. If no ‘wildmat’ is specified, all
1738 groups are fed. If ‘user’ is specified (even if empty), then
1739 the NNTP POST command will be used to feed the article to the
1740 server, otherwise the IHAVE command will be used.
1741 A ‘@’ may be used in place of ‘!’ in the wildmat to prevent
1743 feeding articles cross-posted to the given group, otherwise
1744 cross-posted articles are fed if any part of the wildmat
1745 matches. For example, the string “peer.example.com:*,!con‐
1746 trol.*,@local.*” would feed all groups except control messages
1747 and local groups to peer.example.com. In the case of
1748 cross-posting to local groups, these articles would not be fed.
1749 newspostuser: <none>
1751 Userid used to deliver usenet articles to newsgroup folders
1752 (usually via lmtp2nntp). For example, if set to “post”, email
1753 sent to “post+comp.mail.imap” would be delivered to the
1754 “comp.mail.imap” folder.
1755 When set, the Cyrus NNTP server will add the header(s) specified
1757 in the newsaddheaders option to each incoming usenet article.
1758 The added header(s) will contain email delivery addresses corre‐
1759 sponding to each relevant newsgroup. If not set, no headers are
1760 added to usenet articles.
1761 newsprefix: <none>
1763 Prefix to be prepended to newsgroup names to make the corre‐
1764 sponding IMAP mailbox names.
1765 newsrc_db_path: <none>
1767 The absolute path to the newsrc db file. If not specified, will
1768 be configdirectory/fetchnews.db
1769 nntptimeout: 3m
1771 Set the length of the NNTP server’s inactivity autologout timer.
1772 The minimum value is 3 minutes, also the default.
1773 For backward compatibility, if no unit is specified, minutes is
1775 assumed.
1776 notesmailbox: <none>
1778 The top level mailbox in each user’s account which is used to
1779 store * Apple-style Notes. Default is blank (disabled)
1780 notifysocket: {configdirectory}/socket/notify
1782 Unix domain socket that the mail notification daemon listens on.
1783 notify_external: <none>
1785 Path to the external program that notifyd(8) will call to send
1786 mail notifications.
1787 The external program will be called with the following command
1789 line options:
1790 -c class
1792 -p priority
1794 -u user
1796 -m mailbox
1798 And the notification message will be available on stdin.
1800 partition-name: <none>
1802 The pathname of the partition name. At least one partition
1803 pathname MUST be specified. If the defaultpartition option is
1804 used, then its pathname MUST be specified. For example, if the
1805 value of the defaultpartion option is part1, then the parti‐
1806 tion-part1 field is required.
1807 partition_select_mode: freespace-most
1809 Partition selection mode.
1810 random (pseudo-)random selection
1812 freespace-most
1814 partition with the most free space (KiB)
1815 freespace-percent-most
1817 partition with the most free space (%)
1818 freespace-percent-weighted
1820 each partition is weighted according to its free space
1821 (%); the more free space the partition has, the more
1822 chances it has to be selected
1823 freespace-percent-weighted-delta
1825 each partition is weighted according to its difference of
1826 free space (%) compared to the most used partition; the
1827 more the partition is lagging behind the most used parti‐
1828 tion, the more chances it has to be selected
1829 Note that actually even the most used partition has a few
1831 chances to be selected, and those chances increase when
1832 other partitions get closer
1833 Allowed values: random, freespace-most, freespace-per‐
1835 cent-most, freespace-percent-weighted, freespace-per‐
1836 cent-weighted-delta
1837 partition_select_exclude: <none>
1839 List of partitions to exclude from selection mode.
1840 partition_select_usage_reinit: 0
1842 For a given session, number of operations (e.g. partition selec‐
1843 tion) for which partitions usage data are cached.
1844 partition_select_soft_usage_limit: 0
1846 Limit of partition usage (%): if a partition is over that limit,
1847 it is automatically excluded from selection mode.
1848 If all partitions are over that limit, this feature is not used
1850 anymore.
1851 plaintextloginpause: <none>
1853 Time to pause after a successful plaintext login. For systems
1854 that support strong authentication, this permits users to per‐
1855 ceive a cost of using plaintext passwords. (This does not af‐
1856 fect the use of PLAIN in SASL authentications.)
1857 For backward compatibility, if no unit is specified, seconds is
1859 assumed.
1860 plaintextloginalert: <none>
1862 Message to send to client after a successful plaintext login.
1863 popexpiretime: -1
1865 The duration advertised as being the minimum a message may be
1866 left on the POP server before it is deleted (via the CAPA com‐
1867 mand, defined in the POP3 Extension Mechanism, which some
1868 clients may support). This duration has a granularity of whole
1869 days, with partial days truncated (so e.g. “45m” is effectively
1870 “0d”). “NEVER”, the default, may be specified with a negative
1871 number.
1872 The Cyrus POP3 server never deletes mail, no matter what the
1874 value of this parameter is. However, if a site implements a
1875 less liberal policy, it needs to change this parameter accord‐
1876 ingly.
1877 For backward compatibility, if no unit is specified, days is as‐
1879 sumed.
1880 popminpoll: <none>
1882 Set the minimum amount of time the server forces users to wait
1883 between successive POP logins.
1884 For backward compatibility, if no unit is specified, minutes is
1886 assumed.
1887 popsubfolders: 0
1889 Allow access to subfolders of INBOX via POP3 by using
1890 userid+subfolder syntax as the authentication/authorization id.
1891 poppollpadding: 1
1893 Create a softer minimum poll restriction. Allows poppollpadding
1894 connections before the minpoll restriction is triggered. Addi‐
1895 tionally, one padding entry is recovered every popminpoll min‐
1896 utes. This allows for the occasional polling rate faster than
1897 popminpoll, (i.e., for clients that require a send/receive to
1898 send mail) but still enforces the rate long-term. Default is 1
1899 (disabled).
1900 The easiest way to think of it is a queue of past connections,
1902 with one slot being filled for every connection, and one slot
1903 being cleared every popminpoll minutes. When the queue is full,
1904 the user will not be able to check mail again until a slot is
1905 cleared. If the user waits a sufficient amount of time, they
1906 will get back many or all of the slots.
1907 poptimeout: 10m
1909 Set the length of the POP server’s inactivity autologout timer.
1910 The minimum value is 10 minutes, the default.
1911 For backward compatibility, if no unit is specified, minutes is
1913 assumed.
1914 popuseacl: 0
1916 Enforce IMAP ACLs in the pop server. Due to the nature of the
1917 POP3 protocol, the only rights which are used by the pop server
1918 are ‘r’, ‘t’, and ‘s’ for the owner of the mailbox. The ‘r’
1919 right allows the user to open the mailbox and list/retrieve mes‐
1920 sages. The ‘t’ right allows the user to delete messages. The
1921 ‘s’ right allows messages retrieved by the user to have the
1922 \Seen flag set (only if popuseimapflags is also enabled).
1923 popuseimapflags: 0
1925 If enabled, the pop server will set and obey IMAP flags. Mes‐
1926 sages having the \Deleted flag are ignored as if they do not ex‐
1927 ist. Messages that are retrieved by the client will have the
1928 \Seen flag set. All messages will have the \Recent flag unset.
1929 postmaster: postmaster
1931 Username that is used as the ‘From’ address in rejection MDNs
1932 produced by sieve.
1933 postuser: <empty string>
1935 Userid used to deliver messages to shared folders. For example,
1936 if set to “bb”, email sent to “bb+shared.blah” would be deliv‐
1937 ered to the “shared.blah” folder. By default, an email address
1938 of “+shared.blah” would be used.
1939 proc_path: <none>
1941 Path to proc directory. Default is NULL - must be an absolute
1942 path if specified. If not specified, the path $configdirec‐
1943 tory/proc/ will be used.
1944 prometheus_enabled: 0
1946 Whether tracking of service metrics for Prometheus is enabled.
1947 prometheus_need_auth: admin
1949 Authentication level required to fetch Prometheus metrics.
1950 Allowed values: none, user, admin
1952 prometheus_update_freq: 10s
1954 Frequency in at which promstatsd should re-collate its statis‐
1955 tics report. The minimum value is 1 second, the default is 10
1956 seconds.
1957 For backward compatibility, if no unit is specified, seconds is
1959 assumed.
1960 prometheus_stats_dir: <none>
1962 Directory to use for gathering prometheus statistics. If speci‐
1963 fied, must be an absolute path. If not specified, the default
1964 path $configdirectory/stats/ will be used. It may be advanta‐
1965 geous to locate this directory on ephemeral storage.
1966 proxy_authname: proxy
1968 The authentication name to use when authenticating to a backend
1969 server in the Cyrus Murder.
1970 proxy_compress: 0
1972 Try to enable protocol-specific compression when performing a
1973 client connection to a backend server in the Cyrus Murder.
1974 Note that this should only be necessary over slow network con‐
1976 nections. Also note that currently only IMAP and MUPDATE sup‐
1977 port compression.
1978 proxy_password: <none>
1980 The default password to use when authenticating to a backend
1981 server in the Cyrus Murder. May be overridden on a host-spe‐
1982 cific basis using the hostname_password option.
1983 proxy_realm: <none>
1985 The authentication realm to use when authenticating to a backend
1986 server in the Cyrus Murder
1987 proxyd_allow_status_referral: 0
1989 Set to true to allow proxyd to issue referrals to clients that
1990 support it when answering the STATUS command. This is disabled
1991 by default since some clients issue many STATUS commands in a
1992 row, and do not cache the connections that these referrals would
1993 cause, thus resulting in a higher authentication load on the re‐
1994 spective backend server.
1995 proxyd_disable_mailbox_referrals: 0
1997 Set to true to disable the use of mailbox-referrals on the proxy
1998 servers.
1999 proxyservers: <none>
2001 A list of users and groups that are allowed to proxy for other
2002 users, separated by spaces. Any user listed in this will be al‐
2003 lowed to login for any other user: use with caution. In a stan‐
2004 dard murder this option should ONLY be set on backends. DO NOT
2005 SET on frontends or things won’t work properly.
2006 pts_module: afskrb
2008 The PTS module to use.
2009 Allowed values: afskrb, ldap
2011 ptloader_sock: <none>
2013 Unix domain socket that ptloader listens on. (defaults to con‐
2014 figdirectory/ptclient/ptsock)
2015 ptscache_db: twoskip
2017 The cyrusdb backend to use for the pts cache.
2018 Allowed values: skiplist, twoskip, zeroskip
2020 ptscache_db_path: <none>
2022 The absolute path to the ptscache db file. If not specified,
2023 will be configdirectory/ptscache.db
2024 ptscache_timeout: 3h
2026 The timeout for the PTS cache database when using the
2027 auth_krb_pts authorization method (default: 3 hours).
2028 For backward compatibility, if no unit is specified, seconds is
2030 assumed.
2031 ptskrb5_convert524: 1
2033 When using the AFSKRB ptloader module with Kerberos 5 canonical‐
2034 ization, do the final 524 conversion to get a n AFS style name
2035 (using ‘.’ instead of ‘/’, and using short names
2036 ptskrb5_strip_default_realm: 1
2038 When using the AFSKRB ptloader module with Kerberos 5 canonical‐
2039 ization, strip the default realm from the userid (this does not
2040 affect the stripping of realms specified by the afspts_local‐
2041 realms option)
2042 qosmarking: cs0
2044 This specifies the Class Selector or Differentiated Services
2045 Code Point designation on IP headers (in the ToS field). Al‐
2046 lowed values: cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11,
2047 af12, af13, af21, af22, af23, af31, af32, af33, af41, af42,
2048 af43, ef
2049 quota_db: quotalegacy
2051 The cyrusdb backend to use for quotas.
2052 Allowed values: flat, skiplist, sql, quotalegacy, twoskip, ze‐
2054 roskip
2055 quota_db_path: <none>
2057 The absolute path for the quota database (if you choose a sin‐
2058 gle-file quota DB type - or the base path if you choose quotale‐
2059 gacy). If not specified will be configdirectory/quotas.db or
2060 configdirectory/quota/
2061 quota_use_conversations: 0
2063 If conversations it enabled and quotaroot is a user folder, use
2064 the conversations quota counts, which count multiple copies of
2065 exactly the same message (by GUID) as only one
2066 quotawarn: 90
2068 The percent of quota utilization over which the server generates
2069 warnings.
2070 quotawarnkb: 0
2072 The maximum amount of free space (in kB) at which to give a
2073 quota warning (if this value is 0, or if the quota is smaller
2074 than this amount, then warnings are always given).
2075 quotawarnmsg: 0
2077 The maximum amount of messages at which to give a quota warning
2078 (if this value is 0, or if the quota is smaller than this
2079 amount, then warnings are always given).
2080 readonly: 0
2082 If enabled, all IMAP, POP and JMAP connections are read-only, *
2083 no writes allowed
2084 reject8bit: 0
2086 If enabled, lmtpd rejects messages with 8-bit characters in the
2087 headers.
2088 restore_authname: <none>
2090 The authentication used by the restore tool when authenticating
2091 to an IMAP/sync server.
2092 restore_password: <none>
2094 The password used by the restore tool when authenticating to an
2095 IMAP/sync server.
2096 restore_realm: <none>
2098 The authentication realm used by the restore tool when authenti‐
2099 cating to an IMAP/sync server.
2100 reverseacls: 0
2102 At startup time, ctl_cyrusdb -r will check this value and it
2103 will either add or remove reverse ACL pointers from mailboxes.db
2104 reverseuniqueids: 1
2106 At startup time, ctl_cyrusdb -r will check this value and it
2107 will either add or remove reverse UNIQUEID pointers from mail‐
2108 boxes.db
2109 rfc2046_strict: 0
2111 If enabled, imapd will be strict (per RFC 2046) when matching
2112 MIME boundary strings. This means that boundaries containing
2113 other boundaries as substrings will be treated as identical.
2114 Since enabling this option will break some messages created by
2115 Eudora 5.1 (and earlier), it is recommended that it be left dis‐
2116 abled unless there is good reason to do otherwise.
2117 rfc2047_utf8: 0
2119 If enabled, imapd will parse any non-encoded character sequence
2120 in MIME header values as UTF8. This is useful for installations
2121 that either advertise the UTF8SMTP (RFC 5335) extension or re‐
2122 ceive mails with improperly escaped UTF-8 byte sequences. It is
2123 recommended that this option is left disabled unless there is
2124 good reason to do otherwise.
2125 rfc3028_strict: 1
2127 If enabled, Sieve will be strict (per RFC 3028) with regards to
2128 which headers are allowed to be used in address and envelope
2129 tests. This means that only those headers which are defined to
2130 contain addresses will be allowed in address tests and only “to”
2131 and “from” will be allowed in envelope tests. When disabled,
2132 ANY grammatically correct header will be allowed.
2133 rss_feedlist_template: <none>
2135 File containing HTML that will be used as a template for dis‐
2136 playing the list of available RSS feeds. A single instance of
2137 the variable %RSS_FEEDLIST% should appear in the file, which
2138 will be replaced by a nested unordered list of feeds. The
2139 toplevel unordered list will be tagged with an id of “feed” (<ul
2140 id=’feed’>) which can be used by stylesheet(s) in your template.
2141 The dynamically created list of feeds based on the HTML template
2142 will be accessible at the “/rss” URL on the server.
2143 rss_feeds: *
2145 A wildmat pattern specifying which mailbox hierarchies should be
2146 treated as RSS feeds. Only mailboxes matching the wildmat will
2147 have their messages available via RSS. If not set, a default
2148 wildmat of “*” (ALL mailboxes) will be used.
2149 rss_maxage: <none>
2151 Maximum age of items to display in an RSS channel. If non-zero,
2152 httpd will only display items received within this time period.
2153 If set to 0, all available items will be displayed (the de‐
2154 fault).
2155 For backward compatibility, if no unit is specified, days is as‐
2157 sumed.
2158 rss_maxitems: 0
2160 Maximum number of items to display in an RSS channel. If
2161 non-zero, httpd will display no more than the rss_maxitems most
2162 recent items. If set to 0, all available items will be dis‐
2163 played (the default).
2164 rss_maxsynopsis: 0
2166 Maximum RSS item synopsis length. If non-zero, httpd will dis‐
2167 play no more than the first rss_maxsynopsis characters of an
2168 item’s synopsis. If set to 0, the entire synopsis will be dis‐
2169 played (the default).
2170 rss_realm: <none>
2172 The realm to present for HTTP authentication of RSS feeds. If
2173 not set (the default), the value of the “servername” option will
2174 be used.
2175 sasl_auto_transition: 0
2177 If enabled, the SASL library will automatically create authenti‐
2178 cation secrets when given a plaintext password. See the SASL
2179 documentation.
2180 sasl_maximum_layer: 256
2182 Maximum SSF (security strength factor) that the server will al‐
2183 low a client to negotiate.
2184 sasl_minimum_layer: 0
2186 The minimum SSF that the server will allow a client to negoti‐
2187 ate. A value of 1 requires integrity protection; any higher
2188 value requires some amount of encryption.
2189 sasl_option: 0
2191 Any SASL option can be set by preceding it with sasl_. This
2192 file overrides the SASL configuration file.
2193 sasl_pwcheck_method: <none>
2195 The mechanism used by the server to verify plaintext passwords.
2196 Possible values include “auxprop”, “saslauthd”, and “pwcheck”.
2197 search_batchsize: 20
2199 The number of messages to be indexed in one batch (default 20).
2200 Note that long batches may delay user commands or mail delivery.
2201 search_attachment_extractor_url: <none>
2203 A HTTP or HTTPS URL to extract search text from rich text at‐
2204 tachments and other media during search indexing. The server at
2205 this URL must implement the following protocol:
2206 1. For each attachment of an email, Cyrus sends a GET request to
2208 the URL <extractor-url>/<cyrus-id>, where <extractor-url> is the
2209 configured URL and <cyrus-id> is a Cyrus-chosen path segment
2210 that uniquely identifies this attachment.
2211 2. If the extractor already has a cached plain text extract of
2213 the attachment identified by <cyrus-id> then it may return HTTP
2214 status code 200 (OK) and the plain text extract with a Con‐
2215 tent-Type “text/plain” header. Otherwise it must return HTTP
2216 status 404 (Not Found).
2217 3. If Cyrus receives the HTTP status code 404 (Not Found), then
2219 it sends a PUT request to the same URL as previously. The PUT
2220 request body contains the decoded, binary body of the attach‐
2221 ment. The Content-Type request header has the same value as de‐
2222 clared in the MIME part headers, including any type parameters.
2223 4. The extractor must return the plain text extract with either
2225 HTTP status 200 (OK) or 201 (Created) and a Content-Type
2226 “text/plain” header. If no text can be extracted, then the ex‐
2227 tractor may return any return code in the range 4xx, or 200 and
2228 an empty response body.
2229 Any other HTTP status code is treated as an error. For perfor‐
2231 mance reasons, the Cyrus indexer attempts to keep-alive the TCP
2232 connection to the extractor. Xapian only.
2233 search_index_language: 0
2235 If enabled, then messages bodies are stemmed by detected lan‐
2236 guage in addition to the default English stemmer. Xapian only.
2237 search_index_parts: 0
2239 Deprecated. No longer used.
2240 search_index_skip_domains: <none>
2242 A space separated list of domains - if set, any users in the
2243 listed domains will be skipped when indexing.
2244 search_index_skip_users: <none>
2246 A space separated list of usernames - if set, any users in the
2247 list will be skipped when indexing.
2248 search_query_language: 0
2250 Deprecated. No longer used.
2251 search_normalisation_max: 1000
2253 A resource bound for the combinatorial explosion of search ex‐
2254 pression tree complexity caused by normalising expressions with
2255 many OR nodes. These can use more CPU time to optimise than
2256 they save IO time in scanning folders.
2257 search_engine: none
2259 The indexing engine used to speed up searching.
2260 Allowed values: none, squat, xapian
2262 search_fuzzy_always: 0
2264 Whether to enable RFC 6203 FUZZY search for all IMAP SEARCH. If
2265 turned on, search attributes will be searched using FUZZY search
2266 by default. If turned off, clients have to explicitly use the
2267 FUZZY search key to enable fuzzy search for regular SEARCH com‐
2268 mands.
2269 search_index_headers: 1
2271 Whether to index headers other than From, To, Cc, Bcc, and Sub‐
2272 ject. Experiment shows that some headers such as Received and
2273 DKIM-Signature can contribute up to 2/3rds of the index size but
2274 almost nothing to the utility of searching. Note that if header
2275 indexing is disabled, headers can still be searched, the
2276 searches will just be slower.
2277 search_indexed_db: twoskip
2279 The cyrusdb backend to use for the search latest indexed uid
2280 state. Xapian only.
2281 Allowed values: flat, skiplist, twoskip, zeroskip
2283 search_maxtime: <none>
2285 The maximum number of seconds to run a search for before abort‐
2286 ing. Default of no value means search “forever” until other
2287 timeouts.
2288 search_queryscan: 5000
2290 The minimum number of records require to do a direct scan of all
2291 G keys * rather than indexed lookups. A value of 0 means always
2292 do indexed lookups.
2293 search_skipdiacrit: 1
2295 When searching, should diacriticals be stripped from the search
2296 terms. The default is “true”, a search for “hav” will match
2297 “Håvard”. This is not RFC 5051 compliant, but it backwards com‐
2298 patible, and may be preferred by some sites.
2299 search_skiphtml: 0
2301 If enabled, HTML parts of messages are skipped, i.e. not indexed
2302 and not searchable. Otherwise, they’re indexed.
2303 search_whitespace: merge
2305 When searching, how whitespace should be handled. Options are:
2306 “skip” (default in 2.3 and earlier series) - where a search for
2307 “equi” would match “the quick brown fox”. “merge” - the de‐
2308 fault, where “he qu” would match “the quick brownfox”, and
2309 “keep”, where whitespace must match exactly. The default of
2310 “merge” is recommended for most cases - it’s a good compromise
2311 which keeps words separate. Allowed values: skip, merge, keep
2312 search_snippet_length: 255
2314 The maximum byte length of a snippet generated by the XSNIPPETS
2315 command. Only supported by the Xapian search backend, which at‐
2316 tempts to always fill search_snippet_length bytes in the gener‐
2317 ated snippet.
2318 search_stopword_path: <none>
2320 The absolute base path to the search stopword lists. If not
2321 specified, no stopwords will be taken into account during search
2322 indexing. Currently, the only supported and default stop word
2323 file is english.txt.
2324 searchpartition-name: <none>
2326 The pathname where to store the xapian search indexes of
2327 searchtier for mailboxes of partition name. This must be config‐
2328 ured for the defaultsearchtier and any additional search tier
2329 (see squatter for details).
2330 For example: if defaultpartition is defined as part1 and de‐
2332 faultsearchtier as tier1 then the configuration must contain an
2333 entry tier1searchpartition-part1 that defines the path where to
2334 store this tier1’s search index for the part1 partition.
2335 This option MUST be specified for xapian search.
2337 seenstate_db: twoskip
2339 The cyrusdb backend to use for the seen state.
2340 Allowed values: flat, skiplist, twoskip, zeroskip
2342 sendmail: /usr/lib/sendmail
2344 The pathname of the sendmail executable. Sieve invokes sendmail
2345 for sending rejections, redirects and vacation responses.
2346 sendmail_auth_id: CYRUS_SENDMAIL_AUTH_ID
2348 The name of an environment variable to set when invoking send‐
2349 mail. The value of this environment variable will contain the
2350 user id of the currently authenticated user. If no user is au‐
2351 thenticated the environment variable is not set.
2352 serverlist: <none>
2354 Whitespace separated list of backend server names. Used for
2355 finding server with the most available free space for proxying
2356 CREATE.
2357 serverlist_select_mode: freespace-most
2359 Server selection mode.
2360 random (pseudo-)random selection
2362 freespace-most
2364 backend with the most (total) free space (KiB)
2365 freespace-percent-most
2367 backend whose partition has the most free space (%)
2368 freespace-percent-weighted
2370 same as for partition selection, comparing the free space
2371 (%) of the least used partition of each backend
2372 freespace-percent-weighted-delta
2374 same as for partition selection, comparing the free space
2375 (%) of the least used partition of each backend.
2376 Allowed values: random, freespace-most, freespace-per‐
2378 cent-most, freespace-percent-weighted, freespace-per‐
2379 cent-weighted-delta
2380 serverlist_select_usage_reinit: 0
2382 For a given session, number of operations (e.g. backend selec‐
2383 tion) for which backend usage data are cached.
2384 serverlist_select_soft_usage_limit: 0
2386 Limit of backend usage (%): if a backend is over that limit, it
2387 is automatically excluded from selection mode.
2388 If all backends are over that limit, this feature is not used
2390 anymore.
2391 servername: <none>
2393 This is the hostname visible in the greeting messages of the
2394 POP, IMAP and LMTP daemons. If it is unset, then the result re‐
2395 turned from gethostname(2) is used. This is also the value used
2396 by murder clusters to identify the host name. It should be re‐
2397 solvable by DNS to the correct host, and unique within an active
2398 cluster. If you are using low level replication (e.g. drbd)
2399 then it should be the same on each copy and the DNS name should
2400 also be moved to the new master on failover.
2401 serverinfo: on
2403 The server information to display in the greeting and capability
2404 responses. Information is displayed as follows:
2405 “off” = no server information in the greeting or capabilities
2406 “min” = servername in the greeting; no server information in
2408 the capabilities
2409 “on” = servername and product version in the greeting; prod‐
2411 uct version in the capabilities
2412 Allowed values: off, min, on
2414 sharedprefix: Shared Folders
2416 If using the alternate IMAP namespace, the prefix for the shared
2417 namespace. The hierarchy delimiter will be automatically ap‐
2418 pended.
2419 sieve_allowreferrals: 1
2421 If enabled, timsieved will issue referrals to clients when the
2422 user’s scripts reside on a remote server (in a Murder). Other‐
2423 wise, timsieved will proxy traffic to the remote server.
2424 sieve_duplicate_max_expiration: 90d
2426 Maximum expiration time for duplicate message tracking records.
2427 For backward compatibility, if no unit is specified, seconds is
2429 assumed.
2430 sieve_extensions: fileinto reject vacation vacation-seconds notify
2432 include envelope environment body relational regex subaddress copy
2433 date index imap4flags mailbox mboxmetadata servermetadata variables
2434 editheader extlists duplicate ihave fcc special-use redirect-dsn re‐
2435 direct-deliverby mailboxid vnd.cyrus.log vnd.cyrus.jmapquery snooze
2436 Space-separated list of Sieve extensions allowed to be used in
2437 sieve scripts, enforced at submission by timsieved(8). Any pre‐
2438 viously installed script will be unaffected by this option and
2439 will continue to execute regardless of the extensions used.
2440 This option has no effect on options that are disabled at com‐
2441 pile time (e.g., “regex”). Allowed values: fileinto, reject,
2442 vacation, vacation-seconds, notify, include, envelope, environ‐
2443 ment, body, relational, regex, subaddress, copy, date, index,
2444 imap4flags=imapflags, mailbox, mboxmetadata, servermetadata,
2445 variables, editheader, extlists, duplicate, ihave, fcc, spe‐
2446 cial-use, redirect-dsn, redirect-deliverby, mailboxid,
2447 vnd.cyrus.log=x-cyrus-log, vnd.cyrus.jmapquery=x-cyrus-jmap‐
2448 query, snooze=vnd.cyrus.snooze=x-cyrus-snooze
2449 sieve_maxscriptsize: 32
2451 Maximum size (in kilobytes) any sieve script can be, enforced at
2452 submission by timsieved(8).
2453 sieve_maxscripts: 5
2455 Maximum number of sieve scripts any user may have, enforced at
2456 submission by timsieved(8).
2457 sieve_utf8fileinto: 0
2459 If enabled, the sieve engine expects folder names for the
2460 fileinto action in scripts to use UTF8 encoding. Otherwise,
2461 modified UTF7 encoding should be used.
2462 sieve_sasl_send_unsolicited_capability: 0
2464 If enabled, timsieved will emit a capability response after a
2465 successful SASL authentication, per draft-martin-manage‐
2466 sieve-12.txt .
2467 sieve_use_lmtp_reject: 1
2469 Enabled by default. If reject can be done via LMTP, then return
2470 a 550 rather than generating the bounce message in Cyrus.
2471 sieve_vacation_min_response: 3d
2473 Minimum time interval between consecutive vacation responses,
2474 per draft-ietf-vacation-seconds.txt. The default is 3 days.
2475 For backward compatibility, if no unit is specified, seconds is
2477 assumed.
2478 sieve_vacation_max_response: 90d
2480 Maximum time interval between consecutive vacation responses,
2481 per draft-ietf-vacation-seconds.txt. The default is 90 days.
2482 The minimum is 7 days.
2483 For backward compatibility, if no unit is specified, seconds is
2485 assumed.
2486 sievedir: /usr/sieve
2488 If sieveusehomedir is false, this directory is searched for
2489 Sieve scripts.
2490 sievenotifier: <none>
2492 Notifyd(8) method to use for “SIEVE” notifications. If not set,
2493 “SIEVE” notifications are disabled.
2494 This method is only used when no method is specified in the
2496 script.
2497 sieveusehomedir: 0
2499 If enabled, lmtpd will look for Sieve scripts in user’s home di‐
2500 rectories: ~user/.sieve.
2501 anysievefolder: 0
2503 It must be “yes” in order to permit the autocreation of any IN‐
2504 BOX subfolder requested by a sieve filter, through the
2505 “fileinto” action. (default = no)
2506 singleinstancestore: 1
2508 If enabled, imapd, lmtpd and nntpd attempt to only write one
2509 copy of a message per partition and create hard links, resulting
2510 in a potentially large disk savings.
2511 skiplist_always_checkpoint: 1
2513 If enabled, this option forces the skiplist cyrusdb backend to
2514 always checkpoint when doing a recovery. This causes slightly
2515 more IO, but on the other hand leads to more efficient data‐
2516 bases, and the entire file is already “hot”.
2517 skiplist_unsafe: 0
2519 If enabled, this option forces the skiplist cyrusdb backend to
2520 not sync writes to the disk. Enabling this option is NOT RECOM‐
2521 MENDED.
2522 smtp_backend: sendmail
2524 The SMTP backend to use for sending email.
2525 The “host” backend sends message submissions via a TCP socket to
2527 the SMTP host defined in the config option smtp_host.
2528 The “sendmail” backend forks the Cyrus process into the exe‐
2530 cutable defined in the config option sendmail. The executable
2531 must accept “-bs” as command line argument, read from stdin and
2532 must implement the minimum SMTP protocol as defined in section
2533 4.5.1 of RFC 5321.
2534 If the SMTP EHLO command reports AUTH (RFC 4954) as a supported
2536 extension, then the MAIL FROM command includes the AUTH parame‐
2537 ter, with its value set to the name of any authenticated user
2538 which triggered the email. The AUTH parameter is omitted if the
2539 user is unknown to the calling process.
2540 If the directory configdirectory/log/smtpclient.smtp_backend ex‐
2542 ists, then telemetry logs for outgoing SMTP sessions will be
2543 created in this directory.
2544 Allowed values: host, sendmail
2546 smtp_host: localhost:587
2548 The SMTP host to use for sending mail (also see the smtp_backend
2549 option). The value of this option must the name or IP address of
2550 a TCP host, followed optionally by a colon and the port or ser‐
2551 vice to use. The default port is 587. TLS may be activated by
2552 appending “/tls” to the value. Authentication is enabled if
2553 smtp_auth_authname is set. Authentication can be explicitly dis‐
2554 abled by appending “/noauth” to the host address.
2555 smtp_auth_authname: <none>
2557 The authentication name to use when authenticating to the SMTP
2558 server defined in smtp_host.
2559 smtp_auth_password: <none>
2561 The password to use when authenticating to the SMTP server de‐
2562 fined in smtp_host.
2563 smtp_auth_realm: <none>
2565 The authentication SASL realm to use when authenticating to a
2566 SMTP server.
2567 soft_noauth: 1
2569 If enabled, lmtpd returns temporary failures if the client does
2570 not successfully authenticate. Otherwise lmtpd returns perma‐
2571 nent failures (causing the mail to bounce immediately).
2572 sortcache_db: twoskip
2574 The cyrusdb backend to use for caching sort results (currently
2575 only used for xconvmultisort) Allowed values: skiplist, twoskip,
2576 zeroskip
2577 specialuse_extra: <none>
2579 Whitespace separated list of extra special-use attributes that
2580 can be set on a mailbox. RFC 6154 currently lists what spe‐
2581 cial-use attributes can be set. This allows extending that list
2582 in the future or adding your own if needed.
2583 specialuse_protect: \Archive \Drafts \Important \Junk \Sent \Trash
2585 Whitespace separated list of special-use attributes to protect
2586 the mailboxes for. If set, don’t allow mailboxes with these
2587 special use attributes to be deleted or renamed to have a dif‐
2588 ferent parent. Default is the built-in list
2589 specialusealways: 1
2591 If enabled, this option causes LIST and LSUB output to always
2592 include the XLIST “special-use” flags
2593 sql_database: <none>
2595 Name of the database which contains the cyrusdb table(s).
2596 sql_engine: <none>
2598 Name of the SQL engine to use.
2599 Allowed values: mysql, pgsql, sqlite
2601 sql_hostnames: <empty string>
2603 Comma separated list of SQL servers (in host[:port] format).
2604 sql_passwd: <none>
2606 Password to use for authentication to the SQL server.
2607 sql_user: <none>
2609 Username to use for authentication to the SQL server.
2610 sql_usessl: 0
2612 If enabled, a secure connection will be made to the SQL server.
2613 srs_alwaysrewrite: 0
2615 If true, perform SRS rewriting for ALL forwarding, even when not
2616 required.
2617 srs_domain: <none>
2619 The domain to use in rewritten addresses. This must point only
2620 to machines which know the encoding secret used by this system.
2621 When present, SRS is enabled.
2622 srs_hashlength: 0
2624 The hash length to generate in a rewritten address.
2625 srs_secrets: <none>
2627 A list of secrets with which to generate addresses.
2628 srs_separator: <none>
2630 The separator to appear immediately after SRS[01] in rewritten
2631 addresses.
2632 srvtab: <empty string>
2634 The pathname of srvtab file containing the server’s private key.
2635 This option is passed to the SASL library and overrides its de‐
2636 fault setting.
2637 submitservers: <none>
2639 A list of users and groups that are allowed to resolve
2640 “urlauth=submit+” IMAP URLs, separated by spaces. Any user
2641 listed in this will be allowed to fetch the contents of any
2642 valid “urlauth=submit+” IMAP URL: use with caution.
2643 subscription_db: flat
2645 The cyrusdb backend to use for the subscriptions list.
2646 Allowed values: flat, skiplist, twoskip, zeroskip
2648 suppress_capabilities: <none>
2650 Suppress the named capabilities from any capability response.
2651 Use the exact case as it appears in the response, e.g. “sup‐
2652 press_capabilities: ESEARCH QRESYNC WITHIN XLIST LIST-EXTENDED”
2653 if you have a murder with 2.3.x backends and don’t want clients
2654 being confused by new capabilities that some backends don’t sup‐
2655 port.
2656 statuscache: 0
2658 Enable/disable the imap status cache.
2659 statuscache_db: twoskip
2661 The cyrusdb backend to use for the imap status cache.
2662 Allowed values: skiplist, sql, twoskip, zeroskip
2664 statuscache_db_path: <none>
2666 The absolute path to the statuscache db file. If not specified,
2667 will be configdirectory/statuscache.db
2668 sync_authname: <none>
2670 The authentication name to use when authenticating to a sync
2671 server. Prefix with a channel name to only apply for that chan‐
2672 nel
2673 sync_batchsize: 8192
2675 the number of messages to upload in a single mailbox replica‐
2676 tion. Default is 8192. If there are more than this many mes‐
2677 sages appended to the mailbox, generate a synthetic partial
2678 state and send that.
2679 sync_cache_db: twoskip
2681 The cyrusdb backend to use for the replication cache.
2682 Allowed values: skiplist, sql, twoskip, zeroskip
2684 sync_cache_db_path: <none>
2686 The path for the replication cache. Prefix with a channel name
2687 to apply for that channel. NOTE, it’s quite important to have a
2688 different one per backend!
2689 sync_host: <none>
2691 Name of the host (replica running sync_server(8)) to which
2692 replication actions will be sent by sync_client(8). Prefix with
2693 a channel name to only apply for that channel
2694 sync_log: 0
2696 Enable replication action logging by lmtpd(8), imapd(8),
2697 pop3d(8), and nntpd(8). The log {configdirectory}/sync/log is
2698 used by sync_client(8) for “rolling” replication.
2699 sync_log_chain: 0
2701 Enable replication action logging by sync_server as well, allow‐
2702 ing chaining of replicas. Use this on ‘B’ for A => B => C
2703 replication layout
2704 sync_log_channels: <none>
2706 If specified, log all events to multiple log files in directo‐
2707 ries specified by each “channel”. Each channel can then be pro‐
2708 cessed separately, such as by multiple sync_client(8)s in a mesh
2709 replication scheme, or by squatter(8) for rolling search index
2710 updates.
2711 You can use “” (the two-character string U+22 U+22) to mean the
2713 default sync channel.
2714 sync_log_unsuppressable_channels: squatter
2716 If specified, the named channels are exempt from the effect of
2717 setting sync_log_chain:off, i.e. they are always logged to by
2718 the sync_server process. This is only really useful to allow
2719 rolling search indexing on a replica.
2720 sync_password: <none>
2722 The default password to use when authenticating to a sync
2723 server. Prefix with a channel name to only apply for that chan‐
2724 nel
2725 sync_port: <none>
2727 Name of the service (or port number) of the replication service
2728 on replica host. Prefix with a channel name to only apply for
2729 that channel. If not specified, and if sync_try_imap is set to
2730 “yes” (the default), then the replication client will first try
2731 “imap” (port 143) to check if imapd supports replication. oth‐
2732 erwise it will default to “csync” (usually port 2005).
2733 sync_realm: <none>
2735 The authentication realm to use when authenticating to a sync
2736 server. Prefix with a channel name to only apply for that chan‐
2737 nel
2738 sync_repeat_interval: 1s
2740 Minimum interval between replication runs in rolling replication
2741 mode. If a replication run takes longer than this time, we re‐
2742 peat immediately. Prefix with a channel name to only apply for
2743 that channel.
2744 For backward compatibility, if no unit is specified, seconds is
2746 assumed.
2747 sync_rightnow_channel: <none>
2749 if set, run sync_client to this channel immediately. As with
2750 channels, set this value to ‘”“’ to sync the default channel!
2751 sync_shutdown_file: <none>
2753 Simple latch used to tell sync_client(8) that it should shut
2754 down at the next opportunity. Safer than sending signals to run‐
2755 ning processes. Prefix with a channel name to only apply for
2756 that channel
2757 sync_timeout: 30m
2759 How long to wait for a response before returning a timeout fail‐
2760 ure when talking to a replication peer (client or server). The
2761 minimum duration is 3 seconds, the default is 30 minutes.
2762 For backward compatibility, if no unit is specified, seconds is
2764 assumed.
2765 sync_try_imap: 1
2767 Whether sync_client should try to perform an IMAP connection be‐
2768 fore falling back to csync. If this is set to “no”, sync_client
2769 will only use csync. Prefix with a channel name to apply only
2770 for that channel
2771 syslog_prefix: <none>
2773 String to be prepended to the process name in syslog entries.
2774 Can be further overridden by setting the $CYRUS_SYSLOG_PREFIX
2775 environment variable.
2776 Using the $CYRUS_SYSLOG_PREFIX environment variable has the ad‐
2778 ditional advantage that it can be set before the imapd.conf is
2779 read, so errors while reading the config file can be syslogged
2780 with the correct prefix.
2781 syslog_facility: <none>
2783 Configure a syslog facility. The default is whatever is com‐
2784 piled in. Allowed values are: DAEMON, MAIL, NEWS, USER, and LO‐
2785 CAL0 through to LOCAL7
2786 tcp_keepalive: 0
2788 Enable keepalive on TCP connections
2789 tcp_keepalive_cnt: 0
2791 Number of TCP keepalive probes to send before declaring the con‐
2792 nection dead (0 == system default)
2793 tcp_keepalive_idle: 0
2795 How long a connection must be idle before keepalive probes are
2796 sent (0 == system default).
2797 For backward compatibility, if no unit is specified, seconds is
2799 assumed.
2800 tcp_keepalive_intvl: 0
2802 Time between keepalive probes (0 == system default).
2803 For backward compatibility, if no unit is specified, seconds is
2805 assumed.
2806 temp_path: /tmp
2808 The pathname to store temporary files in. It is recommended to
2809 use an in-memory filesystem such as tmpfs for this path.
2810 telemetry_bysessionid: 0
2812 If true, log by sessionid instead of PID for telemetry
2813 timeout: 32m
2815 The length of the IMAP server’s inactivity autologout timer.
2816 The minimum value is 30 minutes. The default is 32 minutes, to
2817 allow a bit of leeway for clients that try to NOOP every 30 min‐
2818 utes.
2819 For backward compatibility, if no unit is specified, minutes is
2821 assumed.
2822 imapidletimeout: <none>
2824 Timeout for idling clients (RFC 2177). If not set (the de‐
2825 fault), the value of “timeout” will be used instead.
2826 For backward compatibility, if no unit is specified, minutes is
2828 assumed.
2829 tls_ca_file: <none>
2831 Deprecated in favor of tls_client_ca_file.
2832 tls_ca_path: <none>
2834 Deprecated in favor of tls_client_ca_dir.
2835 tlscache_db: twoskip
2837 Deprecated in favor of tls_sessions_db.
2838 tlscache_db_path: <none>
2840 Deprecated in favor of tls_sessions_db_path.
2841 tls_cert_file: <none>
2843 Deprecated in favor of tls_server_cert.
2844 tls_cipher_list: DEFAULT
2846 Deprecated in favor of tls_ciphers.
2847 tls_ciphers: DEFAULT
2849 The list of SSL/TLS ciphers to allow. The format of the string
2850 (and definition of “DEFAULT”) is described in ciphers(1).
2851 See also Mozilla’s server-side TLS recommendations:
2853 https://wiki.mozilla.org/Security/Server_Side_TLS
2855 tls_crl_file: <none>
2857 Path to a file containing the Certificate Revocation List
2858 tls_client_ca_dir: <none>
2860 Path to a directory containing the CA certificates used to ver‐
2861 ify client SSL certificates used for authentication.
2862 tls_client_ca_file: <none>
2864 Path to a file containing the CA certificate(s) used to verify
2865 client SSL certificates used for authentication.
2866 tls_client_cert: <none>
2868 File containing the certificate presented to a server for au‐
2869 thentication during STARTTLS. A value of “disabled” will disable
2870 this server’s use of certificate-based authentication.
2871 tls_client_certs: optional
2873 Disable (“off”), allow (“optional”, default) or require (“re‐
2874 quire”) the use of SSL certificates by clients to authenticate
2875 themselves. Allowed values: off, optional, require
2876 tls_client_key: <none>
2878 File containing the private key belonging to the tls_client_cert
2879 certificate. A value of “disabled” will disable this server’s
2880 use of certificate-based authentication.
2881 tls_eccurve: prime256v1
2883 The elliptic curve used for ECDHE. Default is NIST Suite B
2884 prime256. See ‘openssl ecparam -list_curves’ for possible val‐
2885 ues.
2886 tls_key_file: <none>
2888 Deprecated in favor of tls_server_key.
2889 tls_required: 0
2891 If enabled, require a TLS/SSL encryption layer to be negotiated
2892 prior to ANY authentication mechanisms being advertised or al‐
2893 lowed.
2894 tls_prefer_server_ciphers: 0
2896 Prefer the ciphers on the server side instead of client side.
2897 tls_server_ca_dir: <none>
2899 Path to a directory with CA certificates used to verify certifi‐
2900 cates offered by the server, when cyrus acts as client. This di‐
2901 rectory must have filenames with the hashed value of the cer‐
2902 tificates (see openssl(1)).
2903 tls_server_ca_file: <none>
2905 Path to a file containing CA certificates used to verify cer‐
2906 tificates offered by the server, when cyrus acts as client.
2907 tls_server_cert: <none>
2909 File containing the certificate, including the full chain, pre‐
2910 sented to clients. Two certificates can be set, e.g RSA and EC,
2911 if the filenames are separated with comma without spaces.
2912 tls_server_dhparam: <none>
2914 File containing the DH parameters belonging to the certificate
2915 in tls_server_cert.
2916 tls_server_key: <none>
2918 File containing the private key belonging to the certificate in
2919 tls_server_cert. If not set, tls_server_cert must contain both
2920 private and public key. Two files with keys can be set, if two
2921 certificates are used, in which case the files must be separated
2922 with comma without spaces
2923 tls_sessions_db: twoskip
2925 The cyrusdb backend to use for the TLS cache.
2926 Allowed values: skiplist, sql, twoskip, zeroskip
2928 tls_sessions_db_path: <none>
2930 The absolute path to the TLS sessions db file. If not specified,
2931 will be configdirectory/tls_sessions.db
2932 tls_session_timeout: 24h
2934 The length of time that a TLS session will be cached for later
2935 reuse. The maximum value is 24 hours, also the default. A
2936 value of 0 will disable session caching.
2937 For backward compatibility, if no unit is specified, minutes is
2939 assumed.
2940 tls_versions: tls1_0 tls1_1 tls1_2 tls1_3
2942 A list of SSL/TLS versions to not disable. Cyrus IMAP SSL/TLS
2943 starts with all protocols, and subtracts protocols not in this
2944 list. Newer versions of SSL/TLS will need to be added here to
2945 allow them to get disabled.
2946 uidl_format: cyrus
2948 Choose the format for UIDLs in pop3. Possible values are
2949 “uidonly”, “cyrus”, “dovecot” and “courier”. “uidonly” forces
2950 the old default of UID, “cyrus” is UIDVALIDITY.UID. Dovecot is
2951 8 digits of leading hex (lower case) each UID UIDVALIDITY.
2952 Courier is UIDVALIDITY-UID. Allowed values: uidonly, cyrus,
2953 dovecot, courier
2954 umask: 077
2956 The umask value used by various Cyrus IMAP programs.
2957 userdeny_db: flat
2959 The cyrusdb backend to use for the user access list.
2960 Allowed values: flat, skiplist, sql, twoskip, zeroskip
2962 userdeny_db_path: <none>
2964 The absolute path to the userdeny db file. If not specified,
2965 will be configdirectory/user_deny.db
2966 username_tolower: 1
2968 Convert usernames to all lowercase before login/authentication.
2969 This is useful with authentication backends which ignore case
2970 during username lookups (such as LDAP).
2971 userprefix: Other Users
2973 If using the alternate IMAP namespace, the prefix for the other
2974 users namespace. The hierarchy delimiter will be automatically
2975 appended.
2976 unix_group_enable: 1
2978 Should we look up groups when using auth_unix (disable this if
2979 you are not using groups in ACLs for your IMAP server, and you
2980 are using auth_unix with a backend (such as LDAP) that can make
2981 getgrent() calls very slow)
2982 unixhierarchysep: 1
2984 Use the UNIX separator character ‘/’ for delimiting levels of
2985 mailbox hierarchy. Turn off to use the netnews separator char‐
2986 acter ‘.’. Note that with the newnews separator, no dots may oc‐
2987 cur in mailbox names. The default switched in 3.0 from off to
2988 on.
2989 virtdomains: off
2991 Configure virtual domain support.
2992 off Cyrus does not know or care about domains. Only the local
2994 part of email addresses is ever considered. This is not
2995 recommended for any deployment, but is currently the de‐
2996 fault.
2997 userid The user’s domain is determined by splitting a fully
2999 qualified userid at the last ‘@’ or ‘%’ symbol. If the
3000 userid is unqualified, the defaultdomain will be used.
3001 This is the recommended configuration for all deploy‐
3002 ments. If you wish to provide calendaring services you
3003 must use this configuration.
3004 on Fully qualified userids are respected, as per “userid”.
3006 Unqualified userids will have their domain determined by
3007 doing a reverse lookup on the IP address of the incoming
3008 network interface, or if no record is found, the default‐
3009 domain will be used.
3010 Allowed values: off, userid, on
3012 virusscan_notification_subject: Automatically deleted mail
3014 The text used in the subject of email notifications created by
3015 cyr_virusscan(8) when deleting infected mail.
3016 virusscan_notification_template: <none>
3018 The absolute path to a file containing a template to use to de‐
3019 scribe infected messages that have been deleted by cyr_viruss‐
3020 can(8). See cyr_virusscan(8) for specification of the format of
3021 this file. If not specified, the builtin default template will
3022 be used.
3023 xbackup_enabled: 0
3025 Enable support for the XBACKUP command in imapd. If enabled,
3026 admin users can use this command to provoke a replication of
3027 specified users to the named backup channel.
3028 xlist-flag: <none>
3030 Set the special-use flag flag on the specified folder when it is
3031 autocreated (see the autocreate_inbox_folders option). For ex‐
3032 ample, if xlist-junk: Spam is set, and the folder Spam is au‐
3033 tocreated, the special-use flag \Junk will be set on it.
3034 (This option is so named for backward compatibility with old
3036 config files.)
3037 lmtp_catchall_mailbox: <none>
3039 Mail sent to mailboxes which do not exist, will be delivered to
3040 this user. NOTE: This must be an existing local user name with
3041 an INBOX, NOT an email address!
3042 zoneinfo_db: twoskip
3044 The cyrusdb backend to use for zoneinfo. This database is used
3045 by the “tzdist” httpmodules, and is managed by ctl_zoneinfo(8).
3046 Allowed values: flat, skiplist, twoskip, zeroskip
3047 zoneinfo_db_path: <none>
3049 The absolute path to the zoneinfo db file. If not specified,
3050 will be configdirectory/zoneinfo.db
3051 zoneinfo_dir: <none>
3053 The absolute path to the zoneinfo directory, containing timezone
3054 definitions as generated by the vzic tool. If not specified,
3055 whatever definitions libical finds will be used.
3056 If you are providing a Time Zone Data Distribution Service (i.e.
3058 you have “tzdist” listed in httpmodules), then this configura‐
3059 tion option MUST be specified.
3060 object_storage_enabled: 0
3062 Is Object storage enabled for this server. You also need to
3063 have archiving enabled and archivepartition for the mailbox.
3064 Only email files will be stored on object Storage archive parti‐
3065 tion will be used to store any other files
3066 object_storage_dummy_spool: <none>
3068 Dummy object storage spool; this is for test only. Spool where
3069 user directory (container) will be created to store all emails
3070 in a flat structure
3071 openio_namespace: <none>
3073 The OpenIO namespace used to store archived email messages. A
3074 namespace identifies the physical platform cyrus must contact.
3075 This directive is used by the OpenIO’s SDK to locate its plat‐
3076 form entry point.
3077 openio_account: <none>
3079 The OpenIO account used to account for stored emails. Accounts
3080 are unique in their namespace. They provides virtual partitions,
3081 with quotas and QoS features.
3082 openio_rawx_timeout: 30s
3084 The OpenIO timeout to query to the RAWX services (default 30
3085 sec).
3086 openio_proxy_timeout: 5s
3088 The OpenIO timeout to query to the PROXY services (default 5
3089 sec).
3090 openio_autocreate: 0
3092 Allow the OpenIO SDK to autocreate containers. Mainly destined
3093 to be turned on development environments. In production, the
3094 container should have been provisioned with the mailboxes.
3095 openio_verbosity: <none>
3097 Sets the logging verbosity of the OpenIO’s internal behavior.
3098 Admissible values are: “warning”, “notice”, “info”, “debug”,
3099 “trace”, “quiet”. The default verbosity is “warning”. Set to
3100 “notice” for a few lines on a per-client basis. Set to “info”
3101 for a few lines on a per-request basis. Set to “debug” Set to
3102 “trace” to activate the underlying libcurl debug output. En‐
3103 abling a verbosity higher to equal than “debug” requires the
3104 cyrus to be set in debug mode. The special “quiet” value dis‐
3105 ables all kinds of logging at the GLib level.
3106 caringo_hostname: <none>
3108 The Caringo hostname used to store archived email messages. A
3109 hostname identifies the physical platform cyrus must contact.
3110 This directive is used by the Caringo’s SDK (CastorSDK: Caringo
3111 Simple Content Storage Protocol (SCSP) on HTTP 1.1 using a REST‐
3112 ful architecture
3113 caringo_port: 80
3115 The port of the caringo server (caringo_hostname); default is
3116 80.
3117 fastmailsharing: 0
3119 If enabled, use FastMail style sharing (oldschool full server
3120 paths)
3121
3123 imapd(8), pop3d(8), nntpd(8), lmtpd(8), httpd(8), timsieved(8),
3124 idled(8), notifyd(8), deliver(8), master(8), ciphers(1)
3125
3127 The Cyrus Team
3128
3130 1993-2018, The Cyrus Team
31313.4.4 June 27, 2022 IMAPD.CONF(5)