1IMAPD.CONF(5) Cyrus IMAP IMAPD.CONF(5)
2
6 imapd.conf - Cyrus IMAP documentation
7 IMAP configuration file
9
11 /etc/imapd.conf is the configuration file for the Cyrus IMAP server.
12 It defines local parameters for IMAP.
13 Each line of the /etc/imapd.conf file has the form
15 option: value
16 where option is the name of the configuration option being set and
18 value is the value that the configuration option is being set to.
19 Although there is no limit to the length of a line, a ``'’ (back‐
21 slash) character may be used as the last character on a line to
22 force it to continue on the next one. No additional whitespace is
23 inserted before or after the ``'’. Note that a line that is split
24 using ``'’ character(s) is still considered a single line.
25 For example
27 option:\
28 value1 value2 \
29 value3
30 is equivalent to
32 option: value1 value2 value3
33 Blank lines and lines beginning with ``#’’ are ignored.
35 For boolean and enumerated options, the values ``yes’‘, ``on’‘,
37 ``t’‘, ``true’’ and ``1’’ turn the option on, the values ``no’‘,
38 ``off’‘, ``f’‘, ``false’’ and ``0’’ turn the option off.
39 Duration options take the form of a number followed by a unit, for
41 example 32m (32 minutes). Units are d (days), h (hours), m (min‐
42 utes) and s (seconds). Multiple units can be combined and will be
43 summed together, for example 1h30m is equivalent to 90m. If no unit
44 is specified, an option-specific backward-compatible default unit is
45 assumed (documented on an option-by-option basis). These are simple
46 time units: 1d=24h, 1h=60m, 1m=60s (daylight savings, timezones,
47 leap adjustments, etc are not considered).
48
50 The sections below detail options that can be placed in the
51 /etc/imapd.conf file, and show each option’s default value. Some
52 options have no default value, these are listed with ``<no de‐
53 fault>’‘. Some options default to the empty string, these are
54 listed with ``<none>’‘.
55 acl_admin_implies_write: 0
57 If enabled, any user with the admin ACL on a mailbox implicitly
58 gets the ability to write to that mailbox as well.
59 addressbookprefix: #addressbooks
61 The prefix for the addressbook mailboxes hierarchies. The hier‐
62 archy delimiter will be automatically appended. The public ad‐
63 dressbook hierarchy will be at the toplevel of the shared name‐
64 space. A user’s personal addressbook hierarchy will be a child
65 of their Inbox.
66 admins: <empty string>
68 The list of userids with administrative rights. Separate each
69 userid with a space. Sites using Kerberos authentication may
70 use separate “admin” instances.
71 Note that accounts used by users should not be administrators.
73 Administrative accounts should not receive mail. That is, if
74 user “jbRo” is a user reading mail, he should not also be in the
75 admins line. Some problems may occur otherwise, most notably
76 the ability of administrators to create top-level mailboxes vis‐
77 ible to users, but not writable by users.
78 afspts_localrealms: <none>
80 The list of realms which are to be treated as local, and thus
81 stripped during identifier canonicalization (for the AFSPTS pt‐
82 loader module). This is different from loginrealms in that it
83 occurs later in the authorization process (as the user id is
84 canonified for PTS lookup)
85 afspts_mycell: <none>
87 Cell to use for AFS PTS lookups. Defaults to the local cell.
88 allowallsubscribe: 0
90 Allow subscription to nonexistent mailboxes. This option is
91 typically used on backend servers in a Murder so that users can
92 subscribe to mailboxes that don’t reside on their “home” server.
93 This option can also be used as a workaround for IMAP clients
94 which don’t play well with nonexistent or unselectable mailboxes
95 (e.g., Microsoft Outlook).
96 allowanonymouslogin: 0
98 Permit logins by the user “anonymous” using any password. Also
99 allows use of the SASL ANONYMOUS mechanism.
100 allowapop: 1
102 Allow use of the POP3 APOP authentication command.
103 Note that this command requires that SASL is compiled with APOP
105 support, that the plaintext passwords are available in a SASL
106 auxprop backend (e.g., sasldb), and that the system can provide
107 enough entropy (e.g., from /dev/urandom) to create a challenge
108 in the banner.
109 allowdeleted: 0
111 Allow access to deleted and expunged data via vendor.cmu-* ac‐
112 cess
113 allownewnews: 0
115 Allow use of the NNTP NEWNEWS command.
116 Note that this is a very expensive command and should only be
118 enabled when absolutely necessary.
119 allowplaintext: 0
121 If enabled, allows the use of cleartext passwords on the wire.
122 By default, the use of cleartext passwords requires a TLS/SSL
124 encryption layer to be negotiated prior to any cleartext authen‐
125 tication mechanisms being advertised or allowed. To require a
126 TLS/SSL encryption layer to be negotiated prior to ANY authenti‐
127 cation, see the tls_required option.
128 allowsetacl: 1
130 Defaults to enabled. If disabled, disallows the use of the SE‐
131 TACL command at all via IMAP.
132 allowusermoves: 0
134 Allow moving user accounts (with associated meta-data) via RE‐
135 NAME or XFER.
136 Note that measures should be taken to make sure that the user
138 being moved is not logged in, and cannot login during the move.
139 Failure to do so may result in the user’s meta-data (seen state,
140 subscriptions, etc) being corrupted or out of date.
141 altnamespace: 1
143 Use the alternate IMAP namespace, where personal folders reside
144 at the same level in the hierarchy as INBOX.
145 This option ONLY applies where interaction takes place with the
147 client/user. Currently this is limited to the IMAP protocol
148 (imapd) and Sieve scripts (lmtpd). This option does NOT apply
149 to admin tools such as cyradm (admins ONLY), reconstruct, quota,
150 etc., NOR does it affect LMTP delivery of messages directly to
151 mailboxes via plus-addressing. The default changed in 3.0 from
152 off to on.
153 altprefix: Alt Folders
155 Alternative INBOX spellings that can’t be accessed in altnames‐
156 pace otherwise go under here
157 annotation_db: twoskip
159 The cyrusdb backend to use for mailbox annotations.
160 Allowed values: skiplist, twoskip, zeroskip
162 annotation_db_path: <none>
164 The absolute path to the annotations db file. If not specified,
165 will be configdirectory/annotations.db
166 anyoneuseracl: 1
168 Should non-admin users be allowed to set ACLs for the ‘anyone’
169 user on their mailboxes? In a large organization this can cause
170 support problems, but it’s enabled by default.
171 annotation_allow_undefined: 0
173 Allow clients to store values for entries which are not defined
174 either by Cyrus or in the annotations_definitions file.
175 annotation_definitions: <none>
177 File containing external (third-party) annotation definitions.
178 Each line of the file specifies the properties of an annotation
180 and has the following form:
181 name, scope, attrib-type, proxy-type, attrib-names, acl
182 name is the hierarchical name as in RFC 5257 or RFC 5464 (in
184 the latter case, without the leading /shared or /pri‐
185 vate). For example, /vendor/acme/blurdybloop.
186 scope specifies whether the annotation is for the server, a
188 mailbox, or a message.
189 attrib-type
191 specifies the attribute data type, which is used only
192 to check the string value passed by clients when set‐
193 ting annotations. The attrib-type is one of:
194 string any value is accepted.
196 content-type
198 this obsolete data type, which was useful for
199 early drafts of the standard, is accepted but
200 silently translated to string.
201 boolean
203 only the strings “true” or “false” are accepted.
204 Checking is case-insensitive but the value is
205 forced to lowercase.
206 int integers are accepted.
208 uint non-negative integers are accepted.
210 proxy-type
212 specifies whether this attribute is for the backend or
213 proxy servers or both (proxy_and_backend)
214 attrib-names
216 is the space-separated list of available attributes for
217 the annotation. Possible attribute names are
218 value.shared, value.priv, and value (which permits both
219 value.priv and value.shared). The attribute names size,
220 size.shared, and size.priv are accepted but ignored;
221 these attributes are automatically provided by the server
222 if the corresponding value attribute is specified. Some
223 obsolete attributes, which were defined early drafts of
224 the standard, are accepted and ignored with a warning.
225 extra-permissions
227 is the extra ACL permission bits required for setting
228 this annotation, in standard IMAP ACL permission bit
229 string format. Note that this is in addition to the per‐
230 mission bits specified in RFC 5257 and RFC 5464, so leav‐
231 ing this field empty is harmless. Note also that there
232 is no way to specify that an annotation can only be set
233 by an admin user; in particular the a permission bit does
234 not achieve this.
235 Blank lines and lines beginning with ``#’’ are ignored.
237 annotation_callout: <none>
239 The pathname of a callout to be used to automatically add anno‐
240 tations or flags to a message when it is appended to a mailbox.
241 The path can be either an executable (including a script), or a
242 UNIX domain socket.
243 annotation_callout_disable_append: 0
245 Disables annotations on append with xrunannotator
246 annotation_enable_legacy_commands: 0
248 Whether to enable the legacy GETANNOTATION/SETANNOTATION com‐
249 mands. These commands are deprecated and will be removed in the
250 future, but might be useful in the meantime for supporting old
251 clients that do not implement the RFC 5464 IMAP METADATA exten‐
252 sion.
253 aps_topic: <none>
255 Topic for Apple Push Service registration.
256 aps_topic_caldav: <none>
258 Topic for Apple Push Service registration for CalDAV.
259 aps_topic_carddav: <none>
261 Topic for Apple Push Service registration for CardDAV.
262 archive_enabled: 0
264 Is archiving enabled for this server. You also need to have an
265 archivepartition for the mailbox. Archiving allows older email
266 to be stored on slower, cheaper disks - even within the same
267 mailbox, as distinct from partitions.
268 archive_days: <none>
270 Deprecated in favour of archive_after.
271 archive_after: 7d
273 The duration after which to move messages to the archive parti‐
274 tion if archiving is enabled.
275 For backward compatibility, if no unit is specified, days is as‐
277 sumed.
278 archive_maxsize: 1024
280 The size in kilobytes of the largest message that won’t be
281 archived immediately. Default is 1Mb
282 archive_keepflagged: 0
284 If set, messages with the \Flagged system flag won’t be
285 archived, provided they are smaller than archive_maxsize.
286 archivepartition-name: <none>
288 The pathname of the archive partition name, corresponding to
289 spool partition partition-name. For any mailbox residing in a
290 directory on partition-name, the archived messages will be
291 stored in a corresponding directory on archivepartition-name.
292 Note that not every partition-name option is strictly required
293 to have a corresponding archivepartition-name option, but that
294 without one there’s no benefit to enabling archiving.
295 auditlog: 0
297 Should cyrus output log entries for every action taken on a mes‐
298 sage file or mailboxes list entry? It’s noisy so disabled by
299 default, but can be very useful for tracking down what happened
300 if things look strange
301 auth_mech: unix
303 The authorization mechanism to use.
304 Allowed values: unix, pts, krb, krb5
306 autocreateinboxfolders: <none>
308 Deprecated in favor of autocreate_inbox_folders.
309 autocreatequota: 0
311 Deprecated in favor of autocreate_quota.
312 autocreatequotamsg: -1
314 Deprecated in favor of autocreate_quota_messages.
315 autosievefolders: <none>
317 Deprecated in favor of autocreate_sieve_folders.
318 generate_compiled_sieve_script: 0
320 Deprecated in favor of autocreate_sieve_script_compile.
321 autocreate_sieve_compiled_script: <none>
323 Deprecated in favor of autocreate_sieve_script_compiled.
324 autosubscribeinboxfolders: <none>
326 Deprecated in favor of autocreate_subscribe_folders.
327 autosubscribesharedfolders: <none>
329 Deprecated in favor of autocreate_subscribe_sharedfolders.
330 autosubscribe_all_sharedfolders: 0
332 Deprecated in favor of autocreate_subscribe_sharedfolders_all.
333 autocreate_acl: <none>
335 If folders are to be created by autocreate_inbox_folders, this
336 setting can be used to apply additional ACLs to the autocreated
337 folders. The syntax is “autocreate_acl folder identifier
338 rights”, where folder must match one of the autocreate_in‐
339 box_folders folders, identifier must be a valid cyrus identi‐
340 fier, and rights must be a valid cyrus rights string. Multiple
341 identifier|rights pairs can be assigned to a single folder by
342 providing this setting multiple times.
343 For example, “autocreate_acl Plus anyone p” would allow lmtp de‐
345 livery to a folder named “Plus”.
346 autocreate_inbox_folders: <none>
348 If a user does not have an INBOX already, and the INBOX is to be
349 created, create the list of folders in this setting as well.
350 autocreate_inbox_folders is a list of INBOX’s subfolders sepa‐
351 rated by a “|”, that are automatically created by the server un‐
352 der the following two scenarios. Leading and trailing whitespace
353 is stripped, so “Junk | Trash” results in two folders: “Junk”
354 and “Trash”. See also the xlist-flag option, for setting spe‐
355 cial-use flags on autocreated folders.
356 INBOX folders are created under both the following conditions:
358 1. The user logins via the IMAP or the POP3 protocol. autocre‐
360 ate_quota option must have a value of zero or greater.
361 2. A message arrives for the user through the lmtpd(8). au‐
363 tocreate_post option must be enabled.
364 autocreate_post: 0
366 If enabled, when lmtpd(8) receives an incoming mail for an INBOX
367 that does not exist, then the INBOX is automatically created by
368 lmtpd(8) and delivery of the message continues.
369 autocreate_quota: -1
371 If set to a value of zero or higher, users have their INBOX
372 folders created upon a successful login event or upon lmtpd(8)
373 message delivery if autocreate_post is enabled, provided their
374 INBOX did not yet already exist.
375 The user’s quota is set to the value if it is greater than zero,
377 otherwise the user has unlimited quota.
378 Note that quota is specified in kilobytes.
380 autocreate_quota_messages: -1
382 If set to a value of zero or higher, users who have their INBOX
383 folders created upon a successful login event (see autocre‐
384 ate_quota), or upon lmtpd(8) message delivery if autocreate_post
385 is enabled, receive the message quota configured in this option.
386 The default of -1 disables assigning message quota.
388 For consistency with autocreate_quota, a value of zero is
390 treated as unlimited message quota, rather than a message quota
391 of zero.
392 autocreate_sieve_folders: <none>
394 A “|” separated list of subfolders of INBOX that will be auto‐
395 matically created, if requested by a sieve filter, through the
396 “fileinto” action. The default is to create no folders automati‐
397 cally.
398 Leading and trailing whitespace is stripped from each folder, so
400 a setting of “Junk | Trash” will create two folders: “Junk” and
401 “Trash”.
402 autocreate_sieve_script: <none>
404 The full path of a file that contains a sieve script. This
405 script automatically becomes a user’s initial default sieve fil‐
406 ter script.
407 When this option is not defined, no default sieve filter is cre‐
409 ated. The file must be readable by the Cyrus daemon.
410 autocreate_sieve_script_compile: 0
412 If set to yes and no compiled sieve script file exists, the
413 sieve script which is compiled on the fly will be saved in the
414 file name that autocreate_sieve_compiledscript option points to.
415 In order a compiled script to be generated, autocre‐
416 ate_sieve_script and autocreate_sieve_compiledscript must have
417 valid values
418 autocreate_sieve_script_compiled: <none>
420 The full path of a file that contains a compiled in bytecode
421 sieve script. This script automatically becomes a user’s initial
422 default sieve filter script. If this option is not specified,
423 or the filename doesn’t exist then the script defined by au‐
424 tocreate_sieve_script is compiled on the fly and installed as
425 the user’s default sieve script
426 autocreate_subscribe_folders: <none>
428 A list of folder names, separated by “|”, that the users get au‐
429 tomatically subscribed to, when their INBOX is created. These
430 folder names must have been included in the autocreateinboxfold‐
431 ers option of the imapd.conf.
432 autocreate_subscribe_sharedfolders: <none>
434 A list of shared folders (bulletin boards), separated by “|”,
435 that the users get automatically subscribed to, after their IN‐
436 BOX is created. The shared folder must have been created and the
437 user must have the required permissions to get subscribed to it.
438 Otherwise, subscribing to the shared folder fails.
439 autocreate_subscribe_sharedfolders_all: 0
441 If set to yes, the user is automatically subscribed to all
442 shared folders, one has permission to subscribe to.
443 autocreate_users: anyone
445 A space separated list of users and/or groups that are allowed
446 their INBOX to be automatically created.
447 autoexpunge: 0
449 If set to yes, then all Deleted messages will be automatically
450 expunged whenever an index is closed, whether CLOSE, UNSELECT,
451 SELECT or on disconnect
452 backuppartition-name: <none>
454 The pathname of the backup partition name. At least one backup
455 partition pathname MUST be specified if backups are in use.
456 Note that there is no relationship between spool partitions and
457 backup partitions.
458 backup_compact_minsize: 0
460 The minimum size in kilobytes of chunks in each backup. The
461 compact tool will try to combine adjacent chunks that are
462 smaller than this.
463 Setting this value to zero or negative disables combining of
465 chunks.
466 backup_compact_maxsize: 0
468 The maximum size in kilobytes of chunks in each backup. The
469 compact tool will try to split chunks larger than this into
470 smaller chunks.
471 Setting this value to zero or negative disables splitting of
473 chunks.
474 backup_compact_work_threshold: 1
476 The number of chunks that must obviously need compaction before
477 the compact tool will go ahead with the compaction. If set to
478 less than one, the value is treated as being one.
479 backup_staging_path: <none>
481 The absolute path of the backup staging area. If not specified,
482 will be temp_path/backup
483 backup_retention_days: <none>
485 Deprecated in favor of backup_retention.
486 backup_retention: 7d
488 How long to keep content in backup after it has been deleted
489 from the source. If set to a negative value or zero, deleted
490 content will be kept indefinitely.
491 For backward compatibility, if no unit is specified, days is as‐
493 sumed.
494 backup_db: twoskip
496 The cyrusdb backend to use for the backup locations database.
497 Allowed values: skiplist, sql, twoskip, zeroskip
499 backup_db_path: <none>
501 The absolute path to the backup db file. If not specified, will
502 be configdirectory/backups.db
503 backup_keep_previous: 0
505 Whether the ctl_backups compact and ctl_backups reindex commands
506 should preserve the original file. The original file will be
507 named with a timestamped suffix. This is mostly useful for de‐
508 bugging.
509 Note that with this enabled, compacting a backup will actually
511 increase the disk used by it (because there will now be an extra
512 copy: the original version, and the compacted version).
513 boundary_limit: 1000
515 messages are parsed recursively and a deep enough MIME structure
516 can cause a stack overflow. Do not parse deeper than this many
517 layers of MIME structure. The default of 1000 is much higher
518 than any sane message should have.
519 caldav_accept_invalid_rrules: 0
521 Accept invalid RRULEs (e.g. FREQ=WEEKLY;BYMONTHDAY=15) rather
522 than rejecting them as errors.
523 caldav_allowattach: 1
525 Enable managed attachments support on the CalDAV server.
526 caldav_allowcalendaradmin: 0
528 Enable per-user calendar administration web UI on the CalDAV
529 server.
530 caldav_allowscheduling: on
532 Enable calendar scheduling operations. If set to “apple”, the
533 server will emulate Apple CalendarServer behavior as closely as
534 possible. Allowed values: off, on, apple
535 caldav_create_attach: 1
537 Create the ‘Attachments’ collection if it doesn’t already exist
538 caldav_create_default: 1
540 Create the ‘Default’ calendar if it doesn’t already exist
541 caldav_create_sched: 1
543 Create the ‘Inbox’ and ‘Outbox’ calendars if they don’t already
544 exist
545 caldav_historical_age: 7d
547 How long after an occurrence of event or task has concluded that
548 it is considered ‘historical’. Changes to historical occur‐
549 rences of events or tasks WILL NOT have invite or reply messages
550 sent for them. A negative value means that events and tasks are
551 NEVER considered historical.
552 For backward compatibility, if no unit is specified, days is as‐
554 sumed.
555 caldav_maxdatetime: 20380119T031407Z
557 The latest date and time accepted by the server (ISO format).
558 This value is also used for expanding non-terminating recurrence
559 rules.
560 Note that increasing this value will require the DAV databases
562 for calendars to be reconstructed with the dav_reconstruct util‐
563 ity in order to see its effect on serer-side time-based queries.
564 caldav_mindatetime: 19011213T204552Z
566 The earliest date and time accepted by the server (ISO format).
567 caldav_realm: <none>
569 The realm to present for HTTP authentication of CalDAV re‐
570 sources. If not set (the default), the value of the “server‐
571 name” option will be used.
572 calendarprefix: #calendars
574 The prefix for the calendar mailboxes hierarchies. The hierar‐
575 chy delimiter will be automatically appended. The public calen‐
576 dar hierarchy will be at the toplevel of the shared namespace.
577 A user’s personal calendar hierarchy will be a child of their
578 Inbox.
579 calendar_default_displayname: personal
581 The displayname to be used when creating a user’s ‘Default’ cal‐
582 endar.
583 calendar_user_address_set: <none>
585 Space-separated list of domains corresponding to calendar user
586 addresses for which the server is responsible. If not set (the
587 default), the value of the “servername” option will be used.
588 calendar_component_set: VEVENT VTODO VJOURNAL VFREEBUSY VAVAILABIL‐
590 ITY VPOLL
591 Space-separated list of iCalendar component types that calendar
592 object resources may contain in a calendar collection. This re‐
593 striction is only set at calendar creation time and only if the
594 CalDAV client hasn’t specified a restriction in the creation re‐
595 quest. Allowed values: VEVENT, VTODO, VJOURNAL, VFREEBUSY,
596 VAVAILABILITY, VPOLL
597 carddav_allowaddmember: 0
599 Enable support for POST add-member on the CardDAV server.
600 carddav_allowaddressbookadmin: 0
602 Enable per-user addressbook administration web UI on the CardDAV
603 server.
604 carddav_realm: <none>
606 The realm to present for HTTP authentication of CardDAV re‐
607 sources. If not set (the default), the value of the “server‐
608 name” option will be used.
609 carddav_repair_vcard: 0
611 If enabled, VCARDs with invalid content are attempted to be re‐
612 paired during creation.
613 chatty: 0
615 If yes, syslog tags and commands for every IMAP command, mail‐
616 boxes for every lmtp connection, every POP3 command, etc
617 client_bind: 0
619 If enabled, a specific IP will be bound when performing a client
620 connection. client_bind_name is used if it is set, otherwise
621 servername is used. This is useful on multi-homed servers where
622 Cyrus should not use other services’ interfaces.
623 If not enabled (the default), no bind will be performed. Client
625 connections will use an IP chosen by the operating system.
626 client_bind_name: <none>
628 IPv4, IPv6 address or hostname to bind for client connections
629 when client_bind is enabled. If not set (the default), server‐
630 name will be used.
631 client_timeout: 10s
633 Time to wait before returning a timeout failure when performing
634 a client connection (e.g. in a murder environment).
635 For backward compatibility, if no unit is specified, seconds is
637 assumed.
638 commandmintimer: <none>
640 Time in floating point seconds. Any imap command that takes
641 longer than this time is logged.
642 configdirectory: <none>
644 The pathname of the IMAP configuration directory. This field is
645 required.
646 createonpost: 0
648 Deprecated in favor of autocreate_post.
649 conversations: 0
651 Enable the XCONVERSATIONS extensions. Extract conversation
652 tracking information from incoming messages and track them in
653 per-user databases.
654 conversations_counted_flags: <none>
656 space-separated list of flags for which per-conversation counts
657 will be kept. Note that you need to reconstruct the conversa‐
658 tions database with ctl_conversationsdb if you change this op‐
659 tion on a running server, or the counts will be wrong.
660 conversations_db: skiplist
662 The cyrusdb backend to use for the per-user conversations data‐
663 base.
664 Allowed values: skiplist, sql, twoskip, zeroskip
666 conversations_expire_days: <none>
668 Deprecated in favor of conversations_expire_after.
669 conversations_expire_after: 90d
671 How long the conversations database keeps the message tracking
672 information needed for receiving new messages in existing con‐
673 versations.
674 For backward compatibility, if no unit is specified, days is as‐
676 sumed.
677 conversations_keep_existing: 1
679 during conversations cleanup, don’t clean up if there are still
680 existing emails with one of the mentioned CIDs
681 conversations_max_thread: 100
683 maximum size for a single thread. Threads will split if they
684 have this many messages in them and another message arrives
685 conversations_max_guidrecords: 5000
687 maximum records with the same guid. This is just a sanity check
688 to stop the same email being added and removed over and over, so
689 the default is 5000
690 conversations_max_guidexists: 100
692 maximum records with the same guid. This maps to “labels”, so
693 with the default of 100, you can only have 100 labels on an
694 email in JMAP
695 conversations_max_guidinfolder: 10
697 maximum records with the same guid in the same folder. You can’t
698 do this via JMAP, but could via IMAP. The default of 10 should
699 be heaps normally!
700 crossdomains: 0
702 Enable cross domain sharing. This works best with alt namespace
703 and unix hierarchy separators on, so you get Other
704 Users/foo@example.com/…
705 crossdomains_onlyother: 0
707 only show the domain for users in other domains than your own
708 (for backwards compatibility if you’re already sharing
709 cyrus_group: <none>
711 The name of the group Cyrus services will run as. If not con‐
712 figured, the primary group of cyrus_user will be used. Can be
713 further overridden by setting the $CYRUS_GROUP environment vari‐
714 able.
715 cyrus_user: <none>
717 The username to use as the ‘cyrus’ user. If not configured, the
718 compile time default will be used. Can be further overridden by
719 setting the $CYRUS_USER environment variable.
720 davdriveprefix: #drive
722 The prefix for the DAV storage mailboxes hierarchies. The hier‐
723 archy delimiter will be automatically appended. The public
724 storage hierarchy will be at the toplevel of the shared name‐
725 space. A user’s personal storage hierarchy will be a child of
726 their Inbox.
727 davnotificationsprefix: #notifications
729 The prefix for the DAV notifications hierarchy. The hierarchy
730 delimiter will be automatically appended. The public notifica‐
731 tions hierarchy will be at the toplevel of the shared namespace.
732 A user’s personal notifications hierarchy will be a child of
733 their Inbox.
734 dav_realm: <none>
736 The realm to present for HTTP authentication of generic DAV re‐
737 sources (principals). If not set (the default), the value of
738 the “servername” option will be used.
739 dav_lock_timeout: 20s
741 The maximum time to wait for a write lock on the per-user DAV
742 database before timeout. For HTTP requests, the HTTP status code
743 503 is returned if the lock can not be obtained within this
744 time.
745 For backward compatibility, if no unit is specified, seconds is
747 assumed.
748 debug: 0
750 If enabled, allow syslog() to pass LOG_DEBUG messages.
751 debug_command: <none>
753 Debug command to be used by processes started with -D option.
754 The string is a C format string that gets 3 options: the first
755 is the name of the executable (as specified in the cmd parameter
756 in cyrus.conf). The second is the pid (integer) and the third is
757 the service ID. Example: /usr/local/bin/gdb /usr/cyrus/bin/%s
758 %d
759 debug_writefail_guid: <none>
761 If set, any arriving message with this guid will fail as if the
762 underlying disk write had failed, pretending to be a disk full
763 condition. This is mainly useful for regression testing certain
764 edge case handling. Currently only implemented for replication
765 uploads.
766 defaultacl: anyone lrs
768 The Access Control List (ACL) placed on a newly-created
769 (non-user) mailbox that does not have a parent mailbox.
770 defaultdomain: internal
772 The default domain for virtual domain support
773 defaultpartition: <none>
775 The partition name used by default for new mailboxes. If not
776 specified, the partition with the most free space will be used
777 for new mailboxes.
778 Note that the partition specified by this option must also be
780 specified as partition-name, where you substitute ‘name’ for the
781 alphanumeric string you set defaultpartition to.
782 defaultsearchtier: <empty string>
784 Name of the default tier that messages will be indexed to.
785 Search indexes can be organized in tiers to allow index storage
786 in different directories and physical media. See the man page of
787 squatter for details. The default search tier also requires the
788 definition of an according searchtierpartition-name entry.
789 This option MUST be specified for xapian search.
791 defaultserver: <none>
793 The backend server name used by default for new mailboxes. If
794 not specified, the server with the most free space will be used
795 for new mailboxes.
796 deletedprefix: DELETED
798 With delete_mode set to delayed, the deletedprefix setting de‐
799 fines the prefix for the hierarchy of deleted mailboxes.
800 The hierarchy delimiter will be automatically appended.
802 delete_mode: delayed
804 The manner in which mailboxes are deleted. In the default de‐
805 layed mode, mailboxes that are being deleted are renamed to a
806 special mailbox hierarchy under the deletedprefix, to be removed
807 later by cyr_expire(8).
808 In immediate mode, the mailbox is removed from the filesystem
810 immediately.
811 Allowed values: immediate, delayed
813 delete_unsubscribe: 0
815 Whether to also unsubscribe from mailboxes when they are
816 deleted. Note that this behaviour contravenes RFC 3501 section
817 6.3.9, but may be useful for avoiding user/client software con‐
818 fusion. The default is ‘no’.
819 deleteright: c
821 Deprecated - only used for backwards compatibility with existing
822 installations. Lists the old RFC 2086 right which was used to
823 grant the user the ability to delete a mailbox. If a user has
824 this right, they will automatically be given the new ‘x’ right.
825 disable_user_namespace: 0
827 Preclude list command on user namespace. If set to ‘yes’, the
828 LIST response will never include any other user’s mailbox. Ad‐
829 min users will always see all mailboxes. The default is ‘no’
830 disable_shared_namespace: 0
832 Preclude list command on shared namespace. If set to ‘yes’, the
833 LIST response will never include any non-user mailboxes. Admin
834 users will always see all mailboxes. The default is ‘no’
835 disconnect_on_vanished_mailbox: 0
837 If enabled, IMAP/POP3/NNTP clients will be disconnected by the
838 server if the currently selected mailbox is (re)moved by another
839 session. Otherwise, the missing mailbox is treated as empty
840 while in use by the client.
841 ischedule_dkim_domain: <none>
843 The domain to be reported as doing iSchedule DKIM signing.
844 ischedule_dkim_key_file: <none>
846 File containing the private key for iSchedule DKIM signing.
847 ischedule_dkim_required: 1
849 A DKIM signature is required on received iSchedule requests.
850 ischedule_dkim_selector: <none>
852 Name of the selector subdividing the domain namespace. This
853 specifies the actual key used for iSchedule DKIM signing within
854 the domain.
855 duplicate_db: twoskip
857 The cyrusdb backend to use for the duplicate delivery suppres‐
858 sion and sieve. Allowed values: skiplist, sql, twoskip, ze‐
859 roskip
860 duplicate_db_path: <none>
862 The absolute path to the duplicate db file. If not specified,
863 will be configdirectory/deliver.db
864 duplicatesuppression: 1
866 If enabled, lmtpd will suppress delivery of a message to a mail‐
867 box if a message with the same message-id (or resent-message-id)
868 is recorded as having already been delivered to the mailbox.
869 Records the mailbox and message-id/resent-message-id of all suc‐
870 cessful deliveries.
871 event_content_inclusion_mode: standard
873 The mode in which message content may be included with Mes‐
874 sageAppend and MessageNew. “standard” mode is the default behav‐
875 ior in which message is included up to a size with the notifica‐
876 tion. In “message” mode, the message is included and may be
877 truncated to a size. In “header” mode, it includes headers trun‐
878 cated to a size. In “body” mode, it includes body truncated to a
879 size. In “headerbody” mode, it includes full headers and body
880 truncated to a size Allowed values: standard, message, header,
881 body, headerbody
882 event_content_size: 0
884 Truncate the message content that may be included with Mes‐
885 sageAppend and MessageNew. Set 0 to include the entire message
886 itself
887 event_exclude_flags: <none>
889 Don’t send event notification for given IMAP flag(s)
890 event_exclude_specialuse: \Junk
892 Don’t send event notification for folder with given special-use
893 attributes. Set ALL for any folder
894 event_extra_params: timestamp
896 Space-separated list of extra parameters to add to any appropri‐
897 ated event.
898 Allowed values: bodyStructure, clientAddress, diskUsed,
900 flagNames, messageContent, messageSize, messages, modseq, ser‐
901 vice, timestamp, uidnext, vnd.cmu.midset, vnd.cmu.unseenMes‐
902 sages, vnd.cmu.envelope, vnd.cmu.sessionId, vnd.cmu.mailboxACL,
903 vnd.cmu.mbtype, vnd.cmu.davFilename, vnd.cmu.davUid, vnd.fast‐
904 mail.clientId, vnd.fastmail.sessionId, vnd.fastmail.convExists,
905 vnd.fastmail.convUnseen, vnd.fastmail.cid, vnd.fastmail.coun‐
906 ters, vnd.fastmail.jmapEmail, vnd.fastmail.jmapStates,
907 vnd.cmu.emailid, vnd.cmu.threadid
908 event_groups: message mailbox
910 Space-separated list of groups of related events to turn on no‐
911 tification
912 Allowed values: message, quota, flags, access, mailbox, sub‐
914 scription, calendar, applepushservice
915 event_notifier: <none>
917 Notifyd(8) method to use for “EVENT” notifications which are
918 based on the RFC 5423. If not set, “EVENT” notifications are
919 disabled.
920 expunge_mode: delayed
922 The mode in which messages (and their corresponding cache en‐
923 tries) are expunged. “semidelayed” mode is the old behavior in
924 which the message files are purged at the time of the EXPUNGE,
925 but index and cache records are retained to facilitate QRESYNC.
926 In “delayed” mode, which is the default since Cyrus 2.5.0, the
927 message files are also retained, allowing unexpunge to rescue
928 them. In “immediate” mode, both the message files and the index
929 records are removed as soon as possible. In all cases, nothing
930 will be finally purged until all other processes have closed the
931 mailbox to ensure they never see data disappear under them. In
932 “semidelayed” or “delayed” mode, a later run of “cyr_expire”
933 will clean out the retained records (and possibly message
934 files). This reduces the amount of I/O that takes place at the
935 time of EXPUNGE and should result in greater responsiveness for
936 the client, especially when expunging a large number of mes‐
937 sages. Allowed values: immediate, semidelayed, delayed
938 failedloginpause: 3s
940 Time to pause after a failed login.
941 For backward compatibility, if no unit is specified, seconds is
943 assumed.
944 flushseenstate: 1
946 Deprecated. No longer used
947 foolstupidclients: 0
949 If enabled, only list the personal namespace when a LIST “*” is
950 performed (it changes the request to a LIST “INBOX*”).
951 force_sasl_client_mech: <none>
953 Force preference of a given SASL mechanism for client side oper‐
954 ations (e.g., murder environments). This is separate from (and
955 overridden by) the ability to use the <host shortname>_mechs op‐
956 tion to set preferred mechanisms for a specific host
957 fulldirhash: 0
959 If enabled, uses an improved directory hashing scheme which
960 hashes on the entire username instead of using just the first
961 letter as the hash. This changes hash algorithm used for quota
962 and user directories and if hashimapspool is enabled, the entire
963 mail spool.
964 Note that this option CANNOT be changed on a live system. The
966 server must be quiesced and then the directories moved with the
967 rehash utility.
968 hashimapspool: 0
970 If enabled, the partitions will also be hashed, in addition to
971 the hashing done on configuration directories. This is recom‐
972 mended if one partition has a very bushy mailbox tree.
973 hostname_mechs: <none>
975 Force a particular list of SASL mechanisms to be used when au‐
976 thenticating to the backend server hostname (where hostname is
977 the short hostname of the server in question). If it is not
978 specified it will query the server for available mechanisms and
979 pick one to use. - Cyrus Murder
980 hostname_password: <none>
982 The password to use for authentication to the backend server
983 hostname (where hostname is the short hostname of the server) -
984 Cyrus Murder
985 httpallowcompress: 1
987 If enabled, the server will compress response payloads if the
988 client indicates that it can accept them. Note that the com‐
989 pressed data will appear in telemetry logs, leaving only the re‐
990 sponse headers as human-readable.
991 httpallowcors: <none>
993 A wildmat pattern specifying a list of origin URIs ( scheme
994 “://” host [ “:” port ] ) that are allowed to make Cross-Origin
995 Resource Sharing (CORS) requests on the server. By default,
996 CORS requests are disabled.
997 Note that the scheme and host should both be lowercase, the port
999 should be omitted if using the default for the scheme (80 for
1000 http, 443 for https), and there should be no trailing ‘/’ (e.g.:
1001 “http://www.example.com:8080”, “https://example.org”).
1002 httpallowtrace: 0
1004 Allow use of the TRACE method.
1005 Note that sensitive data might be disclosed by the response.
1007 httpallowedurls: <none>
1009 Space-separated list of relative URLs (paths) rooted at “http‐
1010 docroot” (see below) to be served by httpd. If set, this option
1011 will limit served static content to only those paths specified
1012 (returning “404 Not Found” to any other client requested URLs).
1013 Otherwise, httpd will serve any content found in “httpdocroot”.
1014 Note that any path specified by “rss_feedlist_template” is an
1016 exception to this rule.
1017 httpcontentmd5: 0
1019 If enabled, HTTP responses will include a Content-MD5 header for
1020 the purpose of providing an end-to-end message integrity check
1021 (MIC) of the payload body. Note that enabling this option will
1022 use additional CPU to generate the MD5 digest, which may be ig‐
1023 nored by clients anyways.
1024 httpdocroot: <none>
1026 If set, http will serve the static content (html/text/jpeg/gif
1027 files, etc) rooted at this directory. Otherwise, httpd will not
1028 serve any static content.
1029 httpkeepalive: 20s
1031 Set the length of the HTTP server’s keepalive heartbeat. The
1032 default is 20 seconds. The minimum value is 0, which will dis‐
1033 able the keepalive heartbeat. When enabled, if a request takes
1034 longer than httpkeepalive to process, the server will send the
1035 client provisional responses every httpkeepalive until the final
1036 response can be sent.
1037 For backward compatibility, if no unit is specified, seconds is
1039 assumed.
1040 httplogheaders: <none>
1042 Space-separated list of HTTP header fields that will be included
1043 in the requests logged by httpd(8).
1044 httpmodules: <empty string>
1046 Space-separated list of HTTP modules that will be enabled in
1047 httpd(8). This option has no effect on modules that are dis‐
1048 abled at compile time due to missing dependencies (e.g. libi‐
1049 cal).
1050 Note that “domainkey” depends on “ischedule” being enabled, and
1052 that both “freebusy” and “ischedule” depend on “caldav” being
1053 enabled. Allowed values: admin, caldav, carddav, cgi, do‐
1054 mainkey, freebusy, ischedule, jmap, prometheus, rss, tzdist,
1055 webdav
1056 httpprettytelemetry: 0
1058 If enabled, HTTP response payloads including server-generated
1059 markup languages (HTML, XML) will utilize line breaks and inden‐
1060 tation to promote better human-readability in telemetry logs.
1061 Note that enabling this option will increase the amount of data
1062 sent across the wire.
1063 httptimeout: 5m
1065 Set the length of the HTTP server’s inactivity autologout timer.
1066 The default is 5 minutes. The minimum value is 0, which will
1067 disable persistent connections.
1068 For backwards compatibility, if no unit is specified, minutes is
1070 assumed.
1071 http_h2_altsvc: <none>
1073 If set, HTTP/2 (over TLS) will be advertised as being available
1074 on the specified [host]:port.
1075 http_jwt_key_dir: <none>
1077 The absolute path to a directory containing one or more key
1078 files to authenticate JSON Web Tokens (RFC 7519) for HTTP con‐
1079 nections. Keys for the following JWS algorithms are supported:
1080 “HS256”, “HS384”, “HS512”, “RS256”, “RS384”, “RS512”.
1081 A key file consists of one or more keys encoded in PEM format.
1083 RSA keys must be embedded between the lines “—–BEGIN PUBLIC
1084 KEY—–” and “—–END PUBLIC KEY—–” HMAC digest keys must be embed‐
1085 ded between the lines “—–BEGIN HMAC KEY—–” and “—–END HMAC
1086 KEY—–”, encoded in base64. Any lines before or after a PEM key
1087 definition are ignored, empty lines are ignored anywhere in the
1088 file.
1089 The JSON Web Token must be the value of the HTTP “Authorization”
1091 header, using the “Bearer” authentication scheme. The JWS Header
1092 must include the “alg” and “typ” parameter. A header with any
1093 other parameter is rejected. The JWS Payload must include the
1094 “sub” claim with the Cyrus user identifier as value. It may in‐
1095 clude the “iat” claim (see http_jwt_max_age). A payload with
1096 any other claim is rejected.
1097 http_jwt_max_age: 0s
1099 Defines the timespan in which a JSON Web Token is valid (see
1100 http_jwt_key). The value must be zero or positive.
1101 If non-zero, the timespan starts at the point in time specified
1103 in the “iat” claim of the JWS Payload and ends after the dura‐
1104 tion of this option value has passed. Tokens without an “iat”
1105 claim, or with an issue date in the future, are rejected. There
1106 is no leeway for clock skew.
1107 The zero value disables validation of the “iat” JWS claim.
1109 icalendar_max_size: 0
1111 Maximum allowed iCalendar size. If non-zero, CalDAV and JMAP
1112 will reject storage of resources whose iCalendar representation
1113 is larger than icalendar_max_size bytes. If set to 0, this will
1114 allow iCalendar resources of any size (the default).
1115 idlesocket: {configdirectory}/socket/idle
1117 Unix domain socket that idled listens on.
1118 ignorereference: 0
1120 For backwards compatibility with Cyrus 1.5.10 and earlier – ig‐
1121 nore the reference argument in LIST or LSUB commands.
1122 imapidlepoll: 60s
1124 The interval for polling for mailbox changes and ALERTs while
1125 running the IDLE command. This option is used when idled is not
1126 enabled or cannot be contacted. The minimum value is 1 second.
1127 A value of 0 will disable IDLE.
1128 For backward compatibility, if no unit is specified, seconds is
1130 assumed.
1131 imapidresponse: 1
1133 If enabled, the server responds to an ID command with a parame‐
1134 ter list containing: version, vendor, support-url, os, os-ver‐
1135 sion, command, arguments, environment. Otherwise the server re‐
1136 turns NIL.
1137 imapmagicplus: 0
1139 Only list a restricted set of mailboxes via IMAP by using
1140 userid+namespace syntax as the authentication/authorization id.
1141 Using userid+ (with an empty namespace) will list only sub‐
1142 scribed mailboxes.
1143 imipnotifier: <none>
1145 Notifyd(8) method to use for “IMIP” notifications which are
1146 based on the RFC 6047. If not set, “IMIP” notifications are
1147 disabled.
1148 implicit_owner_rights: lkxan
1150 The implicit Access Control List (ACL) for the owner of a mail‐
1151 box.
1152 @include: <none>
1154 Directive which includes the specified file as part of the con‐
1155 figuration. If the path to the file is not absolute, CYRUS_PATH
1156 is prepended.
1157 improved_mboxlist_sort: 0
1159 If enabled, a special comparator will be used which will cor‐
1160 rectly sort mailbox names that contain characters such as ‘ ‘
1161 and ‘-‘.
1162 Note that this option SHOULD NOT be changed on a live system.
1164 The mailboxes database should be dumped (ctl_mboxlist) before
1165 the option is changed, removed, and then undumped after changing
1166 the option. When not using flat files for the subscriptions
1167 databases the same has to be done (cyr_dbtool) for each sub‐
1168 scription database See improved_mboxlist_sort.html.
1169 jmap_emailsearch_db_path: <none>
1171 The absolute path to the JMAP email search cache file. If not
1172 specified, JMAP Email/query and Email/queryChanges will not
1173 cache email search results.
1174 jmap_querycache_max_age: 0m
1176 The duration after which unused cached JMAP query results must
1177 be evicted from process memory. If non-zero, then the full re‐
1178 sult of the last query (before windowing) is stored in-memory.
1179 Subsequent queries with the same expression and query state can
1180 then page through the cached result. A zero value disables
1181 query result caching.
1182 If no unit is specified, minutes is assumed.
1184 This feature currently only is enabled for Email/query.
1186 jmap_preview_annot: <none>
1188 The name of the per-message annotation, if any, to store message
1189 previews.
1190 jmap_imagesize_annot: <none>
1192 The name of the per-message annotation, if any, that stores a
1193 JSON object, mapping message part numbers of MIME image types to
1194 an array of their image dimensions. The array must have at least
1195 two entries, where the first entry denotes the width and the
1196 second entry the height of the image. Any additional values are
1197 ignored.
1198 For example, if message part 1.2 contains an image of width 300
1200 and height 200, then the value of this annotation would be:
1201 { “1.2” : [ 300, 200 ] }
1203 jmap_inlinedcids_annot: <none>
1205 The name of the per-message annotation, if any, that stores a
1206 JSON object, mapping RFC 2392 Content-IDs referenced in HTML
1207 bodies to the respective HTML body part number.
1208 For example, if message part 1.2 contains HTML and references an
1210 inlined image at “cid:foo”, then the value of this annotation
1211 would be:
1212 { “<foo>” : “1.2” }
1214 Note that the Content-ID key must be URL-unescaped and enclosed
1216 in angular brackets, as defined in RFC 2392.
1217 jmap_preview_length: 64
1219 The maximum byte length of dynamically generated message pre‐
1220 views. Previews stored in jmap_preview_annot take precedence.
1221 jmap_max_catenate_items: 100
1223 The maximum number of items that can be catenated together by a
1224 JMAP Blob/set action. Returned as the maxCatenateItems property
1225 value of the JMAP “urn:ietf:params:jmap:blob” capabilities ob‐
1226 ject. Default value is 100.
1227 jmap_max_size_upload: 1048576
1229 The maximum size (in kilobytes) that the JMAP API accepts for
1230 blob uploads. Returned as the maxSizeUpload property value of
1231 the JMAP “urn:ietf:params:jmap:core” capabilities object. De‐
1232 fault is 1Gb.
1233 jmap_max_size_blob_set: 4096
1235 The maximum size (in kilobytes) that the JMAP API accepts for
1236 Blob/set. Returned as the maxSizeBlobSet property value of the
1237 JMAP “https://cyrusimap.org/ns/jmap/blob” capabilities object.
1238 Default is 4Mb.
1239 jmap_max_concurrent_upload: 5
1241 The value to return for the maxConcurrentUpload property of the
1242 JMAP “urn:ietf:params:jmap:core” capabilities object. The Cyrus
1243 JMAP implementation does not enforce this rate-limit.
1244 jmap_max_size_request: 10240
1246 The maximum size (in kilobytes) that the JMAP API accepts for
1247 requests at the API endpoint. Returned as the maxSizeRequest
1248 property value of the JMAP “urn:ietf:params:jmap:core” capabili‐
1249 ties object. Default is 10Mb.
1250 jmap_max_concurrent_requests: 5
1252 The value to return for the maxConcurrentRequests property of
1253 the JMAP “urn:ietf:params:jmap:core” capabilities object. The
1254 Cyrus JMAP implementation does not enforce this rate-limit.
1255 jmap_max_calls_in_request: 50
1257 The maximum number of calls per JMAP request object. Returned
1258 as the maxCallsInRequest property value of the JMAP “‐
1259 urn:ietf:params:jmap:core” capabilities object.
1260 jmap_max_delayed_send: 512d
1262 The value to return for the maxDelayedSend property of the JMAP
1263 “urn:ietf:params:jmap:emailsubmission” capabilities object. The
1264 Cyrus JMAP implementation does not enforce this limit.
1265 For backward compatibility, if no unit is specified, seconds is
1267 assumed.
1268 jmap_max_objects_in_get: 4096
1270 The maximum number of ids that a JMAP client may request in a
1271 single “/get” type method call. The actual number of returned
1272 objects in the response may exceed this number if the JMAP ob‐
1273 ject type supports unbounded “/get” calls. Returned as the
1274 maxObjectsInGet property value of the JMAP “‐
1275 urn:ietf:params:jmap:core” capabilities object.
1276 jmap_max_objects_in_set: 4096
1278 The maximum number of objects a JMAP client may send to create,
1279 update or destroy in a single /set type method call. Returned
1280 as the maxObjectsInSet property value of the JMAP “‐
1281 urn:ietf:params:jmap:core” capabilities object.
1282 jmap_mail_max_size_attachments_per_email: 10240
1284 The value (in kilobytes) to return for the maxSizeAttach‐
1285 mentsPerEmail property of the JMAP “urn:ietf:params:jmap:mail”
1286 capabilities object. The Cyrus JMAP implementation does not en‐
1287 force this size limit. Default is 10 Mb.
1288 jmap_nonstandard_extensions: 0
1290 If enabled, support non-standard JMAP extensions. If not en‐
1291 abled, only IETF standard JMAP functionality is supported.
1292 jmap_pushpoll: 60s
1294 The interval for polling for changes on an EventSource connec‐
1295 tion or when push has been ennabled on a WebSocket channel. The
1296 minimum value is 1 second. A value of 0 will disable push.
1297 If no unit is specified, seconds is assumed.
1299 jmap_set_has_attachment: 1
1301 If enabled, the $hasAttachment flag is determined and set for
1302 new messages created with the JMAP Email/set or Email/import
1303 methods. This option should typically be enabled, but installa‐
1304 tions using Cyrus-external message annatotors to determine the
1305 $hasAttachment flag might want to disable it.
1306 jmap_vacation: 1
1308 If enabled, support the JMAP vacation extension
1309 jmapuploadfolder: #jmap
1311 the name of the folder for JMAP uploads (#jmap)
1312 jmapsubmission_deleteonsend: 1
1314 If enabled (the default) then delete the EmailSubmission as soon
1315 as the email * has been sent
1316 jmapsubmissionfolder: #jmapsubmission
1318 the name of the folder for JMAP Submissions (#jmapsubmission)
1319 jmappushsubscriptionfolder: #jmappushsubscription
1321 the name of the folder for JMAP Push Subscriptions (#jmappush‐
1322 subscription)
1323 iolog: 0
1325 Should cyrus output I/O log entries
1326 ldap_authz: <none>
1328 SASL authorization ID for the LDAP server
1329 ldap_base: <empty string>
1331 Contains the LDAP base dn for the LDAP ptloader module
1332 ldap_bind_dn: <none>
1334 Bind DN for the connection to the LDAP server (simple bind). Do
1335 not use for anonymous simple binds
1336 ldap_deref: never
1338 Specify how aliases dereferencing is handled during search.
1339 Allowed values: search, find, always, never
1341 ldap_domain_base_dn: <empty string>
1343 Base DN to search for domain name spaces.
1344 ldap_domain_filter: (&(objectclass=domainrelatedobject)(associated‐
1346 domain=%s))
1347 Filter to use searching for domains
1348 ldap_domain_name_attribute: associateddomain
1350 The attribute name for domains.
1351 ldap_domain_scope: sub
1353 Search scope
1354 Allowed values: sub, one, base
1356 ldap_domain_result_attribute: inetdomainbasedn
1358 Result attribute
1359 ldap_filter: (uid=%u)
1361 Specify a filter that searches user identifiers. The following
1362 tokens can be used in the filter string:
1363 %% = % %u = user %U = user portion of %u (%U = test when
1365 %u = test@domain.tld) %d = domain portion of %u if available
1366 (%d = domain.tld when %u = test@domain.tld), otherwise same as
1367 %R %R = domain portion of %u starting with @ (%R = @domain.tld
1368 when %u = test@domain.tld) %D = user dn. (use when ldap_mem‐
1369 ber_method: filter) %1-9 = domain tokens (%1 = tld, %2 = domain
1370 when %d = domain.tld)
1371 ldap_filter is not used when ldap_sasl is enabled.
1373 ldap_group_base: <empty string>
1375 LDAP base dn for ldap_group_filter.
1376 ldap_group_filter: (cn=%u)
1378 Specify a filter that searches for group identifiers. See
1379 ldap_filter for more options.
1380 ldap_group_scope: sub
1382 Specify search scope for ldap_group_filter.
1383 Allowed values: sub, one, base
1385 ldap_id: <none>
1387 SASL authentication ID for the LDAP server
1388 ldap_mech: <none>
1390 SASL mechanism for LDAP authentication
1391 ldap_user_attribute: <none>
1393 Specify LDAP attribute to use as canonical user id
1394 ldap_member_attribute: <none>
1396 See ldap_member_method.
1397 ldap_member_base: <empty string>
1399 LDAP base dn for ldap_member_filter.
1400 ldap_member_filter: (member=%D)
1402 Specify a filter for “ldap_member_method: filter”. See
1403 ldap_filter for more options.
1404 ldap_member_method: attribute
1406 Specify a group method. The “attribute” method retrieves groups
1407 from a multi-valued attribute specified in ldap_member_attri‐
1408 bute.
1409 The “filter” method uses a filter, specified by ldap_member_fil‐
1411 ter, to find groups; ldap_member_attribute is a single-value at‐
1412 tribute group name. Allowed values: attribute, filter
1413 ldap_member_scope: sub
1415 Specify search scope for ldap_member_filter.
1416 Allowed values: sub, one, base
1418 ldap_password: <none>
1420 Password for the connection to the LDAP server (SASL and simple
1421 bind). Do not use for anonymous simple binds
1422 ldap_realm: <none>
1424 SASL realm for LDAP authentication
1425 ldap_referrals: 0
1427 Specify whether or not the client should follow referrals.
1428 ldap_restart: 1
1430 Specify whether or not LDAP I/O operations are automatically
1431 restarted if they abort prematurely.
1432 ldap_sasl: 1
1434 Use SASL for LDAP binds in the LDAP PTS module.
1435 ldap_sasl_authc: <none>
1437 Deprecated. Use ldap_id
1438 ldap_sasl_authz: <none>
1440 Deprecated. Use ldap_authz
1441 ldap_sasl_mech: <none>
1443 Deprecated. Use ldap_mech
1444 ldap_sasl_password: <none>
1446 Deprecated. User ldap_password
1447 ldap_sasl_realm: <none>
1449 Deprecated. Use ldap_realm
1450 ldap_scope: sub
1452 Specify search scope.
1453 Allowed values: sub, one, base
1455 ldap_servers: ldap://localhost/
1457 Deprecated. Use ldap_uri
1458 ldap_size_limit: 1
1460 Specify a number of entries for a search request to return.
1461 ldap_start_tls: 0
1463 Use transport layer security for ldap:// using STARTTLS. Do not
1464 use ldaps:// in ‘ldap_uri’ with this option enabled.
1465 ldap_time_limit: 5s
1467 How long to wait for a search request to complete.
1468 For backward compatibility, if no unit is specified, seconds is
1470 assumed.
1471 ldap_timeout: 5s
1473 How long a search can take before timing out.
1474 For backward compatibility, if no unit is specified, seconds is
1476 assumed.
1477 ldap_ca_dir: <none>
1479 Path to a directory with CA (Certificate Authority) certifi‐
1480 cates.
1481 ldap_ca_file: <none>
1483 Path to a file containing CA (Certificate Authority) certifi‐
1484 cate(s).
1485 ldap_ciphers: <none>
1487 List of SSL/TLS ciphers to allow. The format of the string is
1488 described in ciphers(1).
1489 ldap_client_cert: <none>
1491 File containing the client certificate.
1492 ldap_client_key: <none>
1494 File containing the private client key.
1495 ldap_verify_peer: 0
1497 Require and verify server certificate. If this option is yes,
1498 you must specify ldap_ca_file or ldap_ca_dir.
1499 ldap_tls_cacert_dir: <none>
1501 Deprecated in favor of ldap_ca_dir.
1502 ldap_tls_cacert_file: <none>
1504 Deprecated in favor of ldap_ca_file.
1505 ldap_tls_cert: <none>
1507 Deprecated in favor of ldap_client_cert.
1508 ldap_tls_key: <none>
1510 Deprecated in favor of ldap_client_key.
1511 ldap_tls_check_peer: 0
1513 Deprecated in favor of ldap_verify_peer.
1514 ldap_tls_ciphers: <none>
1516 Deprecated in favor of ldap_ciphers.
1517 ldap_uri: <none>
1519 Contains a list of the URLs of all the LDAP servers when using
1520 the LDAP PTS module.
1521 ldap_version: 3
1523 Specify the LDAP protocol version. If ldap_start_tls and/or
1524 ldap_use_sasl are enabled, ldap_version will be automatically
1525 set to 3.
1526 literalminus: 0
1528 if enabled, CAPABILITIES will reply with LITERAL- rather than
1529 LITERAL+ (RFC 7888). Doesn’t actually size-restrict uploads
1530 though
1531 lmtp_downcase_rcpt: 1
1533 If enabled, lmtpd will convert the recipient addresses to lower‐
1534 case (up to a ‘+’ character, if present).
1535 lmtp_exclude_specialuse: \Snoozed
1537 Don’t allow delivery to folders with given special-use at‐
1538 tributes.
1539 Note that “snoozing” of emails can currently only be done via
1541 the JMAP protocol, so delivery directly to the Snoozed mailbox
1542 is prohibited by default as it will not be moved back into INBOX
1543 automatically.
1544 lmtp_fuzzy_mailbox_match: 0
1546 If enabled, and the mailbox specified in the detail part of the
1547 recipient (everything after the ‘+’) does not exist, lmtpd will
1548 try to find the closest match (ignoring case, ignoring white‐
1549 space, falling back to parent) to the specified mailbox name.
1550 lmtp_over_quota_perm_failure: 0
1552 If enabled, lmtpd returns a permanent failure code when a user’s
1553 mailbox is over quota. By default, the failure is temporary,
1554 causing the MTA to queue the message and retry later.
1555 lmtp_preparse: 0
1557 If enabled, lmtpd will map in the email and parse the xapian
1558 data for jmapsearch. The advantage is that the parsing is done
1559 without holding any locks. The disadvantage is that the parsing
1560 is done even if it winds up not being needed.
1561 lmtp_strict_quota: 0
1563 If enabled, lmtpd returns a failure code when the incoming mes‐
1564 sage will cause the user’s mailbox to exceed its quota. By de‐
1565 fault, the failure won’t occur until the mailbox is already over
1566 quota.
1567 lmtp_strict_rfc2821: 1
1569 By default, lmtpd will be strict (per RFC 2821) with regards to
1570 which envelope addresses are allowed. If this option is set to
1571 false, 8bit characters in the local-part of envelope addresses
1572 are changed to ‘X’ instead. This is useful to avoid generating
1573 backscatter with certain MTAs like Postfix or Exim which accept
1574 such messages.
1575 lmtpsocket: {configdirectory}/socket/lmtp
1577 Unix domain socket that lmtpd listens on, used by deliver(8).
1578 This should match the path specified in cyrus.conf(5).
1579 lmtptxn_timeout: 5m
1581 Timeout used during a lmtp transaction to a remote backend (e.g.
1582 in a murder environment). Can be used to prevent hung lmtpds on
1583 proxy hosts when a backend server becomes unresponsive during a
1584 lmtp transaction. The default is 5 minutes - change to zero for
1585 infinite.
1586 For backward compatibility, if no unit is specified, seconds is
1588 assumed.
1589 lock_debugtime: <none>
1591 A floating point number of seconds. If set, time how long we
1592 wait for any lock, and syslog the filename and time if it’s
1593 longer than this value. The default of NULL means not to time
1594 locks.
1595 loginrealms: <empty string>
1597 The list of remote realms whose users may authenticate using
1598 cross-realm authentication identifiers. Separate each realm
1599 name by a space. (A cross-realm identity is considered any
1600 identity returned by SASL with an “@” in it.).
1601 loginuseacl: 0
1603 If enabled, any authentication identity which has a rights on a
1604 user’s INBOX may log in as that user.
1605 logtimestamps: 0
1607 Include notations in the protocol telemetry logs indicating the
1608 number of seconds since the last command or response.
1609 mailbox_default_options: 0
1611 Default “options” field for the mailbox on create. You’ll want
1612 to know what you’re doing before setting this, but it can apply
1613 some default annotations like duplicate suppression
1614 mailbox_initial_flags: <none>
1616 space-separated list of permanent flags which will be pre-set in
1617 every newly created mailbox. If you know you will require par‐
1618 ticular flag names then this avoids a possible race condition
1619 against a client that fills the entire 128 available slots. De‐
1620 fault is NULL, which is no flags. Example: $Label1 $Label2 $La‐
1621 bel3 NotSpam Spam
1622 mailbox_legacy_dirs: 0
1624 if enabled, new mailboxes without parents will be created with
1625 legacy paths. sub mailboxes of users will still inherit the
1626 parent legacy setting
1627 mailbox_maxmessages_addressbook: 0
1629 Limit the number of messages that may exist in a single mailbox
1630 of “addressbook” type. Default (0) means no limit. This limit
1631 applies after quotas are checked, so if you have both quota lim‐
1632 its and this set, then you will be denied if you are either over
1633 quota or over this per-mailbox count.
1634 mailbox_maxmessages_calendar: 0
1636 Limit the number of messages that may exist in a single mailbox
1637 of “calendar” type. Default (0) means no limit. This limit ap‐
1638 plies after quotas are checked, so if you have both quota limits
1639 and this set, then you will be denied if you are either over
1640 quota or over this per-mailbox count.
1641 mailbox_maxmessages_email: 0
1643 Limit the number of messages that may exist in a single mailbox
1644 of “email” (normal) type. Default (0) means no limit. This
1645 limit applies after quotas are checked, so if you have both
1646 quota limits and this set, then you will be denied if you are
1647 either over quota or over this per-mailbox count.
1648 mailnotifier: <none>
1650 Notifyd(8) method to use for “MAIL” notifications. If not set,
1651 “MAIL” notifications are disabled.
1652 master_bind_errors_fatal: 0
1654 If enabled, failure to bind a port during startup is treated as
1655 a fatal error, causing master to shut down immediately. The de‐
1656 fault is to keep running, with the affected service disabled un‐
1657 til the next SIGHUP causes it to retry.
1658 Note that this only applies during startup. New services that
1660 fail to come up in response to a reconfig+SIGHUP will just be
1661 logged and disabled like the default behaviour, without causing
1662 master to exit.
1663 maxheaderlines: 1000
1665 Maximum number of lines of header that will be processed into
1666 cache records. Default 1000. If set to zero, it is unlimited.
1667 If a message hits the limit, an error will be logged and the
1668 rest of the lines in the header will be skipped. This is to
1669 avoid malformed messages causing giant cache records
1670 maxlogins_per_host: 0
1672 Maximum number of logged in sessions allowed per host, zero
1673 means no limit
1674 maxlogins_per_user: 0
1676 Maximum number of logged in sessions allowed per user, zero
1677 means no limit
1678 maxmessagesize: 0
1680 Maximum incoming LMTP message size. If non-zero, lmtpd will re‐
1681 ject messages larger than maxmessagesize bytes. If set to 0,
1682 this will allow messages of any size (the default).
1683 maxquoted: 131072
1685 Maximum size of a single quoted string for the parser. Default
1686 128k
1687 maxword: 131072
1689 Maximum size of a single word for the parser. Default 128k
1690 mboxkey_db: twoskip
1692 The cyrusdb backend to use for mailbox keys.
1693 Allowed values: skiplist, twoskip, zeroskip
1695 mboxlist_db: twoskip
1697 The cyrusdb backend to use for the mailbox list.
1698 Allowed values: flat, skiplist, sql, twoskip, zeroskip
1700 mboxlist_db_path: <none>
1702 The absolute path to the mailboxes db file. If not specified
1703 will be configdirectory/mailboxes.db
1704 mboxname_lockpath: <none>
1706 Path to mailbox name lock files (default $conf/lock)
1707 metapartition_files: <empty string>
1709 Space-separated list of metadata files to be stored on a meta‐
1710 partition rather than in the mailbox directory on a spool parti‐
1711 tion. Allowed values: header, index, cache, expunge, squat, an‐
1712 notations, lock, dav, archivecache
1713 metapartition-name: <none>
1715 The pathname of the metadata partition name, corresponding to
1716 spool partition partition-name. For any mailbox residing in a
1717 directory on partition-name, the metadata files listed in meta‐
1718 partition_files will be stored in a corresponding directory on
1719 metapartition-name. Note that not every partition-name option
1720 is required to have a corresponding metapartition-name option,
1721 so that you can selectively choose which spool partitions will
1722 have separate metadata partitions.
1723 mupdate_authname: <none>
1725 The SASL username (Authentication Name) to use when authenticat‐
1726 ing to the mupdate server (if needed).
1727 mupdate_config: standard
1729 The configuration of the mupdate servers in the Cyrus Murder.
1730 The “standard” config is one in which there are discreet front‐
1731 end (proxy) and backend servers. The “unified” config is one in
1732 which a server can be both a frontend and backend. The “repli‐
1733 cated” config is one in which multiple backend servers all share
1734 the same mailspool, but each have their own “replicated” copy of
1735 mailboxes.db. Allowed values: standard, unified, replicated
1736 munge8bit: 1
1738 If enabled, lmtpd munges messages with 8-bit characters in the
1739 headers. The 8-bit characters are changed to `X’. If re‐
1740 ject8bit is enabled, setting munge8bit has no effect. (A proper
1741 solution to non-ASCII characters in headers is offered by RFC
1742 2047 and its predecessors.)
1743 mupdate_connections_max: 128
1745 The max number of connections that a mupdate process will allow,
1746 this is related to the number of file descriptors in the mupdate
1747 process. Beyond this number connections will be immediately is‐
1748 sued a BYE response.
1749 mupdate_password: <none>
1751 The SASL password (if needed) to use when authenticating to the
1752 mupdate server.
1753 mupdate_port: 3905
1755 The port of the mupdate server for the Cyrus Murder
1756 mupdate_realm: <none>
1758 The SASL realm (if needed) to use when authenticating to the
1759 mupdate server.
1760 mupdate_retry_delay: 20
1762 The base time to wait between connection retries to the mupdate
1763 server.
1764 mupdate_server: <none>
1766 The mupdate server for the Cyrus Murder
1767 mupdate_username: <empty string>
1769 The SASL username (Authorization Name) to use when authenticat‐
1770 ing to the mupdate server
1771 mupdate_workers_max: 50
1773 The maximum number of mupdate worker threads (overall)
1774 mupdate_workers_maxspare: 10
1776 The maximum number of idle mupdate worker threads
1777 mupdate_workers_minspare: 2
1779 The minimum number of idle mupdate worker threads
1780 mupdate_workers_start: 5
1782 The number of mupdate worker threads to start
1783 netscapeurl: <none>
1785 If enabled at compile time, this specifies a URL to reply when
1786 Netscape asks the server where the mail administration HTTP
1787 server is. Administrators should set this to a local resource.
1788 newsaddheaders: to
1790 Space-separated list of headers to be added to incoming usenet
1791 articles. Added To: headers will contain email delivery ad‐
1792 dresses corresponding to each newsgroup in the Newsgroups:
1793 header. Added Reply-To: headers will contain email delivery ad‐
1794 dresses corresponding to each newsgroup in the Followup-To: or
1795 Newsgroups: header. If the specified header(s) already exist in
1796 an article, the email delivery addresses will be appended to the
1797 original header body(s).
1798 This option applies if and only if the newspostuser option is
1800 set. Allowed values: to, replyto
1801 newsgroups: *
1803 A wildmat pattern specifying which mailbox hierarchies should be
1804 treated as newsgroups. Only mailboxes matching the wildmat will
1805 accept and/or serve articles via NNTP. If not set, a default
1806 wildmat of “*” (ALL shared mailboxes) will be used. If the
1807 newsprefix option is also set, the default wildmat will be
1808 translated to “<newsprefix>.*”
1809 newsmaster: news
1811 Userid that is used for checking access controls when executing
1812 Usenet control messages. For instance, to allow articles to be
1813 automatically deleted by cancel messages, give the “news” user
1814 the ‘d’ right on the desired mailboxes. To allow newsgroups to
1815 be automatically created, deleted and renamed by the correspond‐
1816 ing control messages, give the “news” user the ‘c’ right on the
1817 desired mailbox hierarchies.
1818 newspeer: <none>
1820 A list of whitespace-separated news server specifications to
1821 which articles should be fed. Each server specification is a
1822 string of the form [user[:pass]@]host[:port][/wildmat] where
1823 ‘host’ is the fully qualified hostname of the server, ‘port’ is
1824 the port on which the server is listening, ‘user’ and ‘pass’ are
1825 the authentication credentials and ‘wildmat’ is a pattern that
1826 specifies which groups should be fed. If no ‘port’ is speci‐
1827 fied, port 119 is used. If no ‘wildmat’ is specified, all
1828 groups are fed. If ‘user’ is specified (even if empty), then
1829 the NNTP POST command will be used to feed the article to the
1830 server, otherwise the IHAVE command will be used.
1831 A ‘@’ may be used in place of ‘!’ in the wildmat to prevent
1833 feeding articles cross-posted to the given group, otherwise
1834 cross-posted articles are fed if any part of the wildmat
1835 matches. For example, the string “peer.example.com:*,!con‐
1836 trol.*,@local.*” would feed all groups except control messages
1837 and local groups to peer.example.com. In the case of
1838 cross-posting to local groups, these articles would not be fed.
1839 newspostuser: <none>
1841 Userid used to deliver usenet articles to newsgroup folders
1842 (usually via lmtp2nntp). For example, if set to “post”, email
1843 sent to “post+comp.mail.imap” would be delivered to the
1844 “comp.mail.imap” folder.
1845 When set, the Cyrus NNTP server will add the header(s) specified
1847 in the newsaddheaders option to each incoming usenet article.
1848 The added header(s) will contain email delivery addresses corre‐
1849 sponding to each relevant newsgroup. If not set, no headers are
1850 added to usenet articles.
1851 newsprefix: <none>
1853 Prefix to be prepended to newsgroup names to make the corre‐
1854 sponding IMAP mailbox names.
1855 newsrc_db_path: <none>
1857 The absolute path to the newsrc db file. If not specified, will
1858 be configdirectory/fetchnews.db
1859 nntptimeout: 3m
1861 Set the length of the NNTP server’s inactivity autologout timer.
1862 The minimum value is 3 minutes, also the default.
1863 For backward compatibility, if no unit is specified, minutes is
1865 assumed.
1866 notesmailbox: <none>
1868 The top level mailbox in each user’s account which is used to
1869 store * Apple-style Notes. Default is blank (disabled)
1870 notifysocket: {configdirectory}/socket/notify
1872 Unix domain socket that the mail notification daemon listens on.
1873 notify_external: <none>
1875 Path to the external program that notifyd(8) will call to send
1876 mail notifications.
1877 The external program will be called with the following command
1879 line options:
1880 -c class
1882 -p priority
1884 -u user
1886 -m mailbox
1888 And the notification message will be available on stdin.
1890 partition-name: <none>
1892 The pathname of the partition name. At least one partition
1893 pathname MUST be specified. If the defaultpartition option is
1894 used, then its pathname MUST be specified. For example, if the
1895 value of the defaultpartion option is part1, then the parti‐
1896 tion-part1 field is required.
1897 partition_select_mode: freespace-most
1899 Partition selection mode.
1900 random (pseudo-)random selection
1902 freespace-most
1904 partition with the most free space (KiB)
1905 freespace-percent-most
1907 partition with the most free space (%)
1908 freespace-percent-weighted
1910 each partition is weighted according to its free space
1911 (%); the more free space the partition has, the more
1912 chances it has to be selected
1913 freespace-percent-weighted-delta
1915 each partition is weighted according to its difference of
1916 free space (%) compared to the most used partition; the
1917 more the partition is lagging behind the most used parti‐
1918 tion, the more chances it has to be selected
1919 Note that actually even the most used partition has a few
1921 chances to be selected, and those chances increase when
1922 other partitions get closer
1923 Allowed values: random, freespace-most, freespace-per‐
1925 cent-most, freespace-percent-weighted, freespace-per‐
1926 cent-weighted-delta
1927 partition_select_exclude: <none>
1929 List of partitions to exclude from selection mode.
1930 partition_select_usage_reinit: 0
1932 For a given session, number of operations (e.g. partition selec‐
1933 tion) for which partitions usage data are cached.
1934 partition_select_soft_usage_limit: 0
1936 Limit of partition usage (%): if a partition is over that limit,
1937 it is automatically excluded from selection mode.
1938 If all partitions are over that limit, this feature is not used
1940 anymore.
1941 plaintextloginpause: <none>
1943 Time to pause after a successful plaintext login. For systems
1944 that support strong authentication, this permits users to per‐
1945 ceive a cost of using plaintext passwords. (This does not af‐
1946 fect the use of PLAIN in SASL authentications.)
1947 For backward compatibility, if no unit is specified, seconds is
1949 assumed.
1950 plaintextloginalert: <none>
1952 Message to send to client after a successful plaintext login.
1953 popexpiretime: -1
1955 The duration advertised as being the minimum a message may be
1956 left on the POP server before it is deleted (via the CAPA com‐
1957 mand, defined in the POP3 Extension Mechanism, which some
1958 clients may support). This duration has a granularity of whole
1959 days, with partial days truncated (so e.g. “45m” is effectively
1960 “0d”). “NEVER”, the default, may be specified with a negative
1961 number.
1962 The Cyrus POP3 server never deletes mail, no matter what the
1964 value of this parameter is. However, if a site implements a
1965 less liberal policy, it needs to change this parameter accord‐
1966 ingly.
1967 For backward compatibility, if no unit is specified, days is as‐
1969 sumed.
1970 popminpoll: <none>
1972 Set the minimum amount of time the server forces users to wait
1973 between successive POP logins.
1974 For backward compatibility, if no unit is specified, minutes is
1976 assumed.
1977 popsubfolders: 0
1979 Allow access to subfolders of INBOX via POP3 by using
1980 userid+subfolder syntax as the authentication/authorization id.
1981 poppollpadding: 1
1983 Create a softer minimum poll restriction. Allows poppollpadding
1984 connections before the minpoll restriction is triggered. Addi‐
1985 tionally, one padding entry is recovered every popminpoll min‐
1986 utes. This allows for the occasional polling rate faster than
1987 popminpoll, (i.e., for clients that require a send/receive to
1988 send mail) but still enforces the rate long-term. Default is 1
1989 (disabled).
1990 The easiest way to think of it is a queue of past connections,
1992 with one slot being filled for every connection, and one slot
1993 being cleared every popminpoll minutes. When the queue is full,
1994 the user will not be able to check mail again until a slot is
1995 cleared. If the user waits a sufficient amount of time, they
1996 will get back many or all of the slots.
1997 poptimeout: 10m
1999 Set the length of the POP server’s inactivity autologout timer.
2000 The minimum value is 10 minutes, the default.
2001 For backward compatibility, if no unit is specified, minutes is
2003 assumed.
2004 popuseacl: 0
2006 Enforce IMAP ACLs in the pop server. Due to the nature of the
2007 POP3 protocol, the only rights which are used by the pop server
2008 are ‘r’, ‘t’, and ‘s’ for the owner of the mailbox. The ‘r’
2009 right allows the user to open the mailbox and list/retrieve mes‐
2010 sages. The ‘t’ right allows the user to delete messages. The
2011 ‘s’ right allows messages retrieved by the user to have the
2012 \Seen flag set (only if popuseimapflags is also enabled).
2013 popuseimapflags: 0
2015 If enabled, the pop server will set and obey IMAP flags. Mes‐
2016 sages having the \Deleted flag are ignored as if they do not ex‐
2017 ist. Messages that are retrieved by the client will have the
2018 \Seen flag set. All messages will have the \Recent flag unset.
2019 postmaster: postmaster
2021 Username that is used as the ‘From’ address in rejection MDNs
2022 produced by sieve.
2023 postuser: <empty string>
2025 Userid used to deliver messages to shared folders. For example,
2026 if set to “bb”, email sent to “bb+shared.blah” would be deliv‐
2027 ered to the “shared.blah” folder. By default, an email address
2028 of “+shared.blah” would be used.
2029 proc_path: <none>
2031 Path to proc directory. Default is NULL - must be an absolute
2032 path if specified. If not specified, the path $configdirec‐
2033 tory/proc/ will be used.
2034 prometheus_enabled: 0
2036 Whether tracking of service metrics for Prometheus is enabled.
2037 prometheus_need_auth: admin
2039 Authentication level required to fetch Prometheus metrics.
2040 Allowed values: none, user, admin
2042 prometheus_update_freq: 10s
2044 Frequency in at which promstatsd should re-collate its statis‐
2045 tics report. The minimum value is 1 second, the default is 10
2046 seconds.
2047 For backward compatibility, if no unit is specified, seconds is
2049 assumed.
2050 prometheus_stats_dir: <none>
2052 Directory to use for gathering prometheus statistics. If speci‐
2053 fied, must be an absolute path. If not specified, the default
2054 path $configdirectory/stats/ will be used. It may be advanta‐
2055 geous to locate this directory on ephemeral storage.
2056 proxy_authname: proxy
2058 The authentication name to use when authenticating to a backend
2059 server in the Cyrus Murder.
2060 proxy_compress: 0
2062 Try to enable protocol-specific compression when performing a
2063 client connection to a backend server in the Cyrus Murder.
2064 Note that this should only be necessary over slow network con‐
2066 nections. Also note that currently only IMAP and MUPDATE sup‐
2067 port compression.
2068 proxy_password: <none>
2070 The default password to use when authenticating to a backend
2071 server in the Cyrus Murder. May be overridden on a host-spe‐
2072 cific basis using the hostname_password option.
2073 proxy_realm: <none>
2075 The authentication realm to use when authenticating to a backend
2076 server in the Cyrus Murder
2077 proxyd_allow_status_referral: 0
2079 Set to true to allow proxyd to issue referrals to clients that
2080 support it when answering the STATUS command. This is disabled
2081 by default since some clients issue many STATUS commands in a
2082 row, and do not cache the connections that these referrals would
2083 cause, thus resulting in a higher authentication load on the re‐
2084 spective backend server.
2085 proxyd_disable_mailbox_referrals: 0
2087 Set to true to disable the use of mailbox-referrals on the proxy
2088 servers.
2089 proxyservers: <none>
2091 A list of users and groups that are allowed to proxy for other
2092 users, separated by spaces. Any user listed in this will be al‐
2093 lowed to login for any other user: use with caution. In a stan‐
2094 dard murder this option should ONLY be set on backends. DO NOT
2095 SET on frontends or things won’t work properly.
2096 pts_module: afskrb
2098 The PTS module to use.
2099 Allowed values: afskrb, ldap
2101 ptloader_sock: <none>
2103 Unix domain socket that ptloader listens on. (defaults to con‐
2104 figdirectory/ptclient/ptsock)
2105 ptscache_db: twoskip
2107 The cyrusdb backend to use for the pts cache.
2108 Allowed values: skiplist, twoskip, zeroskip
2110 ptscache_db_path: <none>
2112 The absolute path to the ptscache db file. If not specified,
2113 will be configdirectory/ptscache.db
2114 ptscache_timeout: 3h
2116 The timeout for the PTS cache database when using the
2117 auth_krb_pts authorization method (default: 3 hours).
2118 For backward compatibility, if no unit is specified, seconds is
2120 assumed.
2121 ptskrb5_convert524: 1
2123 When using the AFSKRB ptloader module with Kerberos 5 canonical‐
2124 ization, do the final 524 conversion to get a n AFS style name
2125 (using ‘.’ instead of ‘/’, and using short names
2126 ptskrb5_strip_default_realm: 1
2128 When using the AFSKRB ptloader module with Kerberos 5 canonical‐
2129 ization, strip the default realm from the userid (this does not
2130 affect the stripping of realms specified by the afspts_local‐
2131 realms option)
2132 qosmarking: cs0
2134 This specifies the Class Selector or Differentiated Services
2135 Code Point designation on IP headers (in the ToS field). Al‐
2136 lowed values: cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11,
2137 af12, af13, af21, af22, af23, af31, af32, af33, af41, af42,
2138 af43, ef
2139 quota_db: quotalegacy
2141 The cyrusdb backend to use for quotas.
2142 Allowed values: flat, skiplist, sql, quotalegacy, twoskip, ze‐
2144 roskip
2145 quota_db_path: <none>
2147 The absolute path for the quota database (if you choose a sin‐
2148 gle-file quota DB type - or the base path if you choose quotale‐
2149 gacy). If not specified will be configdirectory/quotas.db or
2150 configdirectory/quota/
2151 quota_use_conversations: 0
2153 If conversations it enabled and quotaroot is a user folder, use
2154 the conversations quota counts, which count multiple copies of
2155 exactly the same message (by GUID) as only one
2156 quotawarn: 90
2158 The percent of quota utilization over which the server generates
2159 warnings.
2160 quotawarnkb: 0
2162 The maximum amount of free space (in kB) at which to give a
2163 quota warning (if this value is 0, or if the quota is smaller
2164 than this amount, then warnings are always given).
2165 quotawarnmsg: 0
2167 The maximum amount of messages at which to give a quota warning
2168 (if this value is 0, or if the quota is smaller than this
2169 amount, then warnings are always given).
2170 readonly: 0
2172 If enabled, all IMAP, POP and JMAP connections are read-only, *
2173 no writes allowed
2174 reject8bit: 0
2176 If enabled, lmtpd rejects messages with 8-bit characters in the
2177 headers.
2178 restore_authname: <none>
2180 The authentication used by the restore tool when authenticating
2181 to an IMAP/sync server.
2182 restore_password: <none>
2184 The password used by the restore tool when authenticating to an
2185 IMAP/sync server.
2186 restore_realm: <none>
2188 The authentication realm used by the restore tool when authenti‐
2189 cating to an IMAP/sync server.
2190 reverseacls: 0
2192 At startup time, ctl_cyrusdb -r will check this value and it
2193 will either add or remove reverse ACL pointers from mailboxes.db
2194 reverseuniqueids: 1
2196 Deprecated. No longer used
2197 rfc2046_strict: 0
2199 If enabled, imapd will be strict (per RFC 2046) when matching
2200 MIME boundary strings. This means that boundaries containing
2201 other boundaries as substrings will be treated as identical.
2202 Since enabling this option will break some messages created by
2203 Eudora 5.1 (and earlier), it is recommended that it be left dis‐
2204 abled unless there is good reason to do otherwise.
2205 rfc2047_utf8: 0
2207 If enabled, imapd will parse any non-encoded character sequence
2208 in MIME header values as UTF8. This is useful for installations
2209 that either advertise the UTF8SMTP (RFC 5335) extension or re‐
2210 ceive mails with improperly escaped UTF-8 byte sequences. It is
2211 recommended that this option is left disabled unless there is
2212 good reason to do otherwise.
2213 rfc3028_strict: 1
2215 If enabled, Sieve will be strict (per RFC 3028) with regards to
2216 which headers are allowed to be used in address and envelope
2217 tests. This means that only those headers which are defined to
2218 contain addresses will be allowed in address tests and only “to”
2219 and “from” will be allowed in envelope tests. When disabled,
2220 ANY grammatically correct header will be allowed.
2221 rss_feedlist_template: <none>
2223 File containing HTML that will be used as a template for dis‐
2224 playing the list of available RSS feeds. A single instance of
2225 the variable %RSS_FEEDLIST% should appear in the file, which
2226 will be replaced by a nested unordered list of feeds. The
2227 toplevel unordered list will be tagged with an id of “feed” (<ul
2228 id=’feed’>) which can be used by stylesheet(s) in your template.
2229 The dynamically created list of feeds based on the HTML template
2230 will be accessible at the “/rss” URL on the server.
2231 rss_feeds: *
2233 A wildmat pattern specifying which mailbox hierarchies should be
2234 treated as RSS feeds. Only mailboxes matching the wildmat will
2235 have their messages available via RSS. If not set, a default
2236 wildmat of “*” (ALL mailboxes) will be used.
2237 rss_maxage: <none>
2239 Maximum age of items to display in an RSS channel. If non-zero,
2240 httpd will only display items received within this time period.
2241 If set to 0, all available items will be displayed (the de‐
2242 fault).
2243 For backward compatibility, if no unit is specified, days is as‐
2245 sumed.
2246 rss_maxitems: 0
2248 Maximum number of items to display in an RSS channel. If
2249 non-zero, httpd will display no more than the rss_maxitems most
2250 recent items. If set to 0, all available items will be dis‐
2251 played (the default).
2252 rss_maxsynopsis: 0
2254 Maximum RSS item synopsis length. If non-zero, httpd will dis‐
2255 play no more than the first rss_maxsynopsis characters of an
2256 item’s synopsis. If set to 0, the entire synopsis will be dis‐
2257 played (the default).
2258 rss_realm: <none>
2260 The realm to present for HTTP authentication of RSS feeds. If
2261 not set (the default), the value of the “servername” option will
2262 be used.
2263 sasl_auto_transition: 0
2265 If enabled, the SASL library will automatically create authenti‐
2266 cation secrets when given a plaintext password. See the SASL
2267 documentation.
2268 sasl_maximum_layer: 256
2270 Maximum SSF (security strength factor) that the server will al‐
2271 low a client to negotiate.
2272 sasl_minimum_layer: 0
2274 The minimum SSF that the server will allow a client to negoti‐
2275 ate. A value of 1 requires integrity protection; any higher
2276 value requires some amount of encryption.
2277 sasl_option: 0
2279 Any SASL option can be set by preceding it with sasl_. This
2280 file overrides the SASL configuration file.
2281 sasl_pwcheck_method: <none>
2283 The mechanism used by the server to verify plaintext passwords.
2284 Possible values include “auxprop”, “saslauthd”, and “pwcheck”.
2285 search_batchsize: 20
2287 The number of messages to be indexed in one batch (default 20).
2288 Note that long batches may delay user commands or mail delivery.
2289 search_attachment_extractor_url: <none>
2291 A HTTP or HTTPS URL to extract search text from rich text at‐
2292 tachments and other media during search indexing. The server at
2293 this URL must implement the following protocol:
2294 1. For each attachment of an email, Cyrus sends a GET request to
2296 the URL <extractor-url>/<cyrus-id>, where <extractor-url> is the
2297 configured URL and <cyrus-id> is a Cyrus-chosen path segment
2298 that uniquely identifies this attachment.
2299 2. If the extractor already has a cached plain text extract of
2301 the attachment identified by <cyrus-id> then it may return HTTP
2302 status code 200 (OK) and the plain text extract with a Con‐
2303 tent-Type “text/plain” header. Otherwise it must return HTTP
2304 status 404 (Not Found).
2305 3. If Cyrus receives the HTTP status code 404 (Not Found), then
2307 it sends a PUT request to the same URL as previously. The PUT
2308 request body contains the decoded, binary body of the attach‐
2309 ment. The Content-Type request header has the same value as de‐
2310 clared in the MIME part headers, including any type parameters.
2311 4. The extractor must return the plain text extract with either
2313 HTTP status 200 (OK) or 201 (Created) and a Content-Type
2314 “text/plain” header. If no text can be extracted, then the ex‐
2315 tractor may return any return code in the range 4xx, or 200 and
2316 an empty response body.
2317 Any other HTTP status code is treated as an error. For perfor‐
2319 mance reasons, the Cyrus indexer attempts to keep-alive the TCP
2320 connection to the extractor. Xapian only.
2321 search_index_language: 0
2323 If enabled, then messages bodies are stemmed by detected lan‐
2324 guage in addition to the default English stemmer. Xapian only.
2325 search_index_parts: 0
2327 Deprecated. No longer used.
2328 search_index_skip_domains: <none>
2330 A space separated list of domains - if set, any users in the
2331 listed domains will be skipped when indexing.
2332 search_index_skip_users: <none>
2334 A space separated list of usernames - if set, any users in the
2335 list will be skipped when indexing.
2336 search_query_language: 0
2338 Deprecated. No longer used.
2339 search_normalisation_max: 1000
2341 A resource bound for the combinatorial explosion of search ex‐
2342 pression tree complexity caused by normalising expressions with
2343 many OR nodes. These can use more CPU time to optimise than
2344 they save IO time in scanning folders.
2345 search_engine: none
2347 The indexing engine used to speed up searching.
2348 Allowed values: none, squat, xapian
2350 search_fuzzy_always: 0
2352 Whether to enable RFC 6203 FUZZY search for all IMAP SEARCH. If
2353 turned on, search attributes will be searched using FUZZY search
2354 by default. If turned off, clients have to explicitly use the
2355 FUZZY search key to enable fuzzy search for regular SEARCH com‐
2356 mands.
2357 search_index_headers: 1
2359 Whether to index headers other than From, To, Cc, Bcc, and Sub‐
2360 ject. Experiment shows that some headers such as Received and
2361 DKIM-Signature can contribute up to 2/3rds of the index size but
2362 almost nothing to the utility of searching. Note that if header
2363 indexing is disabled, headers can still be searched, the
2364 searches will just be slower.
2365 search_indexed_db: twoskip
2367 The cyrusdb backend to use for the search latest indexed uid
2368 state. Xapian only.
2369 Allowed values: flat, skiplist, twoskip, zeroskip
2371 search_maxtime: <none>
2373 The maximum number of seconds to run a search for before abort‐
2374 ing. Default of no value means search “forever” until other
2375 timeouts.
2376 search_maxsize: 4096
2378 The maximum size in kilobytes to index for each message part.
2379 Message contents that occur after this byte offset will not be
2380 indexed or search snippets generated from. Default is 4Mb.
2381 Xapian-only.
2382 search_queryscan: 5000
2384 The minimum number of records require to do a direct scan of all
2385 G keys * rather than indexed lookups. A value of 0 means always
2386 do indexed lookups.
2387 search_skipdiacrit: 1
2389 When searching, should diacriticals be stripped from the search
2390 terms. The default is “true”, a search for “hav” will match
2391 “Håvard”. This is not RFC 5051 compliant, but it backwards com‐
2392 patible, and may be preferred by some sites.
2393 search_skiphtml: 0
2395 If enabled, HTML parts of messages are skipped, i.e. not indexed
2396 and not searchable. Otherwise, they’re indexed.
2397 search_whitespace: merge
2399 When searching, how whitespace should be handled. Options are:
2400 “skip” (default in 2.3 and earlier series) - where a search for
2401 “equi” would match “the quick brown fox”. “merge” - the de‐
2402 fault, where “he qu” would match “the quick brownfox”, and
2403 “keep”, where whitespace must match exactly. The default of
2404 “merge” is recommended for most cases - it’s a good compromise
2405 which keeps words separate. Allowed values: skip, merge, keep
2406 search_snippet_length: 255
2408 The maximum byte length of a snippet generated by the XSNIPPETS
2409 command. Only supported by the Xapian search backend, which at‐
2410 tempts to always fill search_snippet_length bytes in the gener‐
2411 ated snippet.
2412 search_stopword_path: <none>
2414 The absolute base path to the search stopword lists. If not
2415 specified, no stopwords will be taken into account during search
2416 indexing. Currently, the only supported and default stop word
2417 file is english.txt.
2418 searchpartition-name: <none>
2420 The pathname where to store the xapian search indexes of
2421 searchtier for mailboxes of partition name. This must be config‐
2422 ured for the defaultsearchtier and any additional search tier
2423 (see squatter for details).
2424 For example: if defaultpartition is defined as part1 and de‐
2426 faultsearchtier as tier1 then the configuration must contain an
2427 entry tier1searchpartition-part1 that defines the path where to
2428 store this tier1’s search index for the part1 partition.
2429 This option MUST be specified for xapian search.
2431 seenstate_db: twoskip
2433 The cyrusdb backend to use for the seen state.
2434 Allowed values: flat, skiplist, twoskip, zeroskip
2436 sendmail: /usr/lib/sendmail
2438 The pathname of the sendmail executable. Sieve invokes sendmail
2439 for sending rejections, redirects and vacation responses.
2440 sendmail_auth_id: CYRUS_SENDMAIL_AUTH_ID
2442 The name of an environment variable to set when invoking send‐
2443 mail. The value of this environment variable will contain the
2444 user id of the currently authenticated user. If no user is au‐
2445 thenticated the environment variable is not set.
2446 serverlist: <none>
2448 Whitespace separated list of backend server names. Used for
2449 finding server with the most available free space for proxying
2450 CREATE.
2451 serverlist_select_mode: freespace-most
2453 Server selection mode.
2454 random (pseudo-)random selection
2456 freespace-most
2458 backend with the most (total) free space (KiB)
2459 freespace-percent-most
2461 backend whose partition has the most free space (%)
2462 freespace-percent-weighted
2464 same as for partition selection, comparing the free space
2465 (%) of the least used partition of each backend
2466 freespace-percent-weighted-delta
2468 same as for partition selection, comparing the free space
2469 (%) of the least used partition of each backend.
2470 Allowed values: random, freespace-most, freespace-per‐
2472 cent-most, freespace-percent-weighted, freespace-per‐
2473 cent-weighted-delta
2474 serverlist_select_usage_reinit: 0
2476 For a given session, number of operations (e.g. backend selec‐
2477 tion) for which backend usage data are cached.
2478 serverlist_select_soft_usage_limit: 0
2480 Limit of backend usage (%): if a backend is over that limit, it
2481 is automatically excluded from selection mode.
2482 If all backends are over that limit, this feature is not used
2484 anymore.
2485 servername: <none>
2487 This is the hostname visible in the greeting messages of the
2488 POP, IMAP and LMTP daemons. If it is unset, then the result re‐
2489 turned from gethostname(2) is used. This is also the value used
2490 by murder clusters to identify the host name. It should be re‐
2491 solvable by DNS to the correct host, and unique within an active
2492 cluster. If you are using low level replication (e.g. drbd)
2493 then it should be the same on each copy and the DNS name should
2494 also be moved to the new master on failover.
2495 serverinfo: on
2497 The server information to display in the greeting and capability
2498 responses. Information is displayed as follows:
2499 “off” = no server information in the greeting or capabilities
2500 “min” = servername in the greeting; no server information in
2502 the capabilities
2503 “on” = servername and product version in the greeting; prod‐
2505 uct version in the capabilities
2506 Allowed values: off, min, on
2508 sharedprefix: Shared Folders
2510 If using the alternate IMAP namespace, the prefix for the shared
2511 namespace. The hierarchy delimiter will be automatically ap‐
2512 pended.
2513 sieve_allowreferrals: 1
2515 If enabled, timsieved will issue referrals to clients when the
2516 user’s scripts reside on a remote server (in a Murder). Other‐
2517 wise, timsieved will proxy traffic to the remote server.
2518 sieve_duplicate_max_expiration: 90d
2520 Maximum expiration time for duplicate message tracking records.
2521 For backward compatibility, if no unit is specified, seconds is
2523 assumed.
2524 sieve_extensions: fileinto reject vacation vacation-seconds notify
2526 include envelope environment body relational regex subaddress copy
2527 date index imap4flags mailbox mboxmetadata servermetadata variables
2528 editheader extlists duplicate ihave fcc special-use redirect-dsn re‐
2529 direct-deliverby mailboxid vnd.cyrus.log vnd.cyrus.jmapquery
2530 vnd.cyrus.imip snooze
2531 Space-separated list of Sieve extensions allowed to be used in
2532 sieve scripts, enforced at submission by timsieved(8). Any pre‐
2533 viously installed script will be unaffected by this option and
2534 will continue to execute regardless of the extensions used.
2535 This option has no effect on options that are disabled at com‐
2536 pile time (e.g., “regex”). Allowed values: fileinto, reject,
2537 vacation, vacation-seconds, notify, include, envelope, environ‐
2538 ment, body, relational, regex, subaddress, copy, date, index,
2539 imap4flags=imapflags, mailbox, mboxmetadata, servermetadata,
2540 variables, editheader, extlists, duplicate, ihave, fcc, spe‐
2541 cial-use, redirect-dsn, redirect-deliverby, mailboxid,
2542 vnd.cyrus.log=x-cyrus-log, vnd.cyrus.jmapquery=x-cyrus-jmap‐
2543 query, vnd.cyrus.imip, snooze=vnd.cyrus.snooze=x-cyrus-snooze
2544 sieve_folder: #sieve
2546 The name of the folder for storing Sieve scripts (#sieve)
2547 sieve_maxscriptsize: 32
2549 Maximum size (in kilobytes) any sieve script can be, enforced at
2550 submission by timsieved(8).
2551 sieve_maxscripts: 5
2553 Maximum number of sieve scripts any user may have, enforced at
2554 submission by timsieved(8).
2555 sieve_utf8fileinto: 0
2557 If enabled, the sieve engine expects folder names for the
2558 fileinto action in scripts to use UTF8 encoding. Otherwise,
2559 modified UTF7 encoding should be used.
2560 sieve_sasl_send_unsolicited_capability: 0
2562 If enabled, timsieved will emit a capability response after a
2563 successful SASL authentication, per draft-martin-manage‐
2564 sieve-12.txt .
2565 sieve_use_lmtp_reject: 1
2567 Enabled by default. If reject can be done via LMTP, then return
2568 a 550 rather than generating the bounce message in Cyrus.
2569 sieve_vacation_min_response: 3d
2571 Minimum time interval between consecutive vacation responses,
2572 per draft-ietf-vacation-seconds.txt. The default is 3 days.
2573 For backward compatibility, if no unit is specified, seconds is
2575 assumed.
2576 sieve_vacation_max_response: 90d
2578 Maximum time interval between consecutive vacation responses,
2579 per draft-ietf-vacation-seconds.txt. The default is 90 days.
2580 The minimum is 7 days.
2581 For backward compatibility, if no unit is specified, seconds is
2583 assumed.
2584 sievedir: /usr/sieve
2586 If sieveusehomedir is false, this directory is searched for
2587 Sieve scripts.
2588 sievenotifier: <none>
2590 Notifyd(8) method to use for “SIEVE” notifications. If not set,
2591 “SIEVE” notifications are disabled.
2592 This method is only used when no method is specified in the
2594 script.
2595 sieveusehomedir: 0
2597 If enabled, lmtpd will look for Sieve scripts in user’s home di‐
2598 rectories: ~user/.sieve.
2599 anysievefolder: 0
2601 It must be “yes” in order to permit the autocreation of any IN‐
2602 BOX subfolder requested by a sieve filter, through the
2603 “fileinto” action. (default = no)
2604 singleinstancestore: 1
2606 If enabled, imapd, lmtpd and nntpd attempt to only write one
2607 copy of a message per partition and create hard links, resulting
2608 in a potentially large disk savings.
2609 skiplist_always_checkpoint: 1
2611 If enabled, this option forces the skiplist cyrusdb backend to
2612 always checkpoint when doing a recovery. This causes slightly
2613 more IO, but on the other hand leads to more efficient data‐
2614 bases, and the entire file is already “hot”.
2615 skiplist_unsafe: 0
2617 If enabled, this option forces the skiplist cyrusdb backend to
2618 not sync writes to the disk. Enabling this option is NOT RECOM‐
2619 MENDED.
2620 smtp_backend: sendmail
2622 The SMTP backend to use for sending email.
2623 The “host” backend sends message submissions via a TCP socket to
2625 the SMTP host defined in the config option smtp_host.
2626 The “sendmail” backend forks the Cyrus process into the exe‐
2628 cutable defined in the config option sendmail. The executable
2629 must accept “-bs” as command line argument, read from stdin and
2630 must implement the minimum SMTP protocol as defined in section
2631 4.5.1 of RFC 5321.
2632 If the SMTP EHLO command reports AUTH (RFC 4954) as a supported
2634 extension, then the MAIL FROM command includes the AUTH parame‐
2635 ter, with its value set to the name of any authenticated user
2636 which triggered the email. The AUTH parameter is omitted if the
2637 user is unknown to the calling process.
2638 If the directory configdirectory/log/smtpclient.smtp_backend ex‐
2640 ists, then telemetry logs for outgoing SMTP sessions will be
2641 created in this directory.
2642 Allowed values: host, sendmail
2644 smtp_host: localhost:587
2646 The SMTP host to use for sending mail (also see the smtp_backend
2647 option). The value of this option must the name or IP address of
2648 a TCP host, followed optionally by a colon and the port or ser‐
2649 vice to use. The default port is 587. TLS may be activated by
2650 appending “/tls” to the value. Authentication is enabled if
2651 smtp_auth_authname is set. Authentication can be explicitly dis‐
2652 abled by appending “/noauth” to the host address.
2653 smtp_auth_authname: <none>
2655 The authentication name to use when authenticating to the SMTP
2656 server defined in smtp_host.
2657 smtp_auth_password: <none>
2659 The password to use when authenticating to the SMTP server de‐
2660 fined in smtp_host.
2661 smtp_auth_realm: <none>
2663 The authentication SASL realm to use when authenticating to a
2664 SMTP server.
2665 soft_noauth: 1
2667 If enabled, lmtpd returns temporary failures if the client does
2668 not successfully authenticate. Otherwise lmtpd returns perma‐
2669 nent failures (causing the mail to bounce immediately).
2670 sortcache_db: twoskip
2672 The cyrusdb backend to use for caching sort results (currently
2673 only used for xconvmultisort) Allowed values: skiplist, twoskip,
2674 zeroskip
2675 specialuse_extra: <none>
2677 Whitespace separated list of extra special-use attributes that
2678 can be set on a mailbox. RFC 6154 currently lists what spe‐
2679 cial-use attributes can be set. This allows extending that list
2680 in the future or adding your own if needed.
2681 specialuse_nochildren: <none>
2683 Whitespace separated list of special-use attributes that may not
2684 contain child folders. If set, mailboxes with any of these at‐
2685 tributes may not have child folders created, and these at‐
2686 tributes cannot be added to mailboxes that already have chil‐
2687 dren..
2688 specialuse_protect: \Archive \Drafts \Important \Junk \Sent \Trash
2690 Whitespace separated list of special-use attributes to protect
2691 the mailboxes for. If set, don’t allow mailboxes with these
2692 special use attributes to be deleted or renamed to have a dif‐
2693 ferent parent. Default is the built-in list
2694 specialusealways: 1
2696 If enabled, this option causes LIST and LSUB output to always
2697 include the XLIST “special-use” flags
2698 sql_database: <none>
2700 Name of the database which contains the cyrusdb table(s).
2701 sql_engine: <none>
2703 Name of the SQL engine to use.
2704 Allowed values: mysql, pgsql, sqlite
2706 sql_hostnames: <empty string>
2708 Comma separated list of SQL servers (in host[:port] format).
2709 sql_passwd: <none>
2711 Password to use for authentication to the SQL server.
2712 sql_user: <none>
2714 Username to use for authentication to the SQL server.
2715 sql_usessl: 0
2717 If enabled, a secure connection will be made to the SQL server.
2718 srs_alwaysrewrite: 0
2720 If true, perform SRS rewriting for ALL forwarding, even when not
2721 required.
2722 srs_domain: <none>
2724 The domain to use in rewritten addresses. This must point only
2725 to machines which know the encoding secret used by this system.
2726 When present, SRS is enabled.
2727 srs_hashlength: 0
2729 The hash length to generate in a rewritten address.
2730 srs_secrets: <none>
2732 A list of secrets with which to generate addresses.
2733 srs_separator: <none>
2735 The separator to appear immediately after SRS[01] in rewritten
2736 addresses.
2737 srvtab: <empty string>
2739 The pathname of srvtab file containing the server’s private key.
2740 This option is passed to the SASL library and overrides its de‐
2741 fault setting.
2742 submitservers: <none>
2744 A list of users and groups that are allowed to resolve
2745 “urlauth=submit+” IMAP URLs, separated by spaces. Any user
2746 listed in this will be allowed to fetch the contents of any
2747 valid “urlauth=submit+” IMAP URL: use with caution.
2748 subscription_db: flat
2750 The cyrusdb backend to use for the subscriptions list.
2751 Allowed values: flat, skiplist, twoskip, zeroskip
2753 suppress_capabilities: <none>
2755 Suppress the named capabilities from any capability response.
2756 Use the exact case as it appears in the response, e.g. “sup‐
2757 press_capabilities: ESEARCH QRESYNC WITHIN XLIST LIST-EXTENDED”
2758 if you have a murder with 2.3.x backends and don’t want clients
2759 being confused by new capabilities that some backends don’t sup‐
2760 port.
2761 statuscache: 0
2763 Enable/disable the imap status cache.
2764 statuscache_db: twoskip
2766 The cyrusdb backend to use for the imap status cache.
2767 Allowed values: skiplist, sql, twoskip, zeroskip
2769 statuscache_db_path: <none>
2771 The absolute path to the statuscache db file. If not specified,
2772 will be configdirectory/statuscache.db
2773 sync_authname: <none>
2775 The authentication name to use when authenticating to a sync
2776 server. Prefix with a channel name to only apply for that chan‐
2777 nel
2778 sync_batchsize: 8192
2780 the number of messages to upload in a single mailbox replica‐
2781 tion. Default is 8192. If there are more than this many mes‐
2782 sages appended to the mailbox, generate a synthetic partial
2783 state and send that.
2784 sync_cache_db: twoskip
2786 The cyrusdb backend to use for the replication cache.
2787 Allowed values: skiplist, sql, twoskip, zeroskip
2789 sync_cache_db_path: <none>
2791 The path for the replication cache. Prefix with a channel name
2792 to apply for that channel. NOTE, it’s quite important to have a
2793 different one per backend!
2794 sync_host: <none>
2796 Name of the host (replica running sync_server(8)) to which
2797 replication actions will be sent by sync_client(8). Prefix with
2798 a channel name to only apply for that channel
2799 sync_log: 0
2801 Enable replication action logging by lmtpd(8), imapd(8),
2802 pop3d(8), and nntpd(8). The log {configdirectory}/sync/log is
2803 used by sync_client(8) for “rolling” replication.
2804 sync_log_chain: 0
2806 Enable replication action logging by sync_server as well, allow‐
2807 ing chaining of replicas. Use this on ‘B’ for A => B => C
2808 replication layout
2809 sync_log_channels: <none>
2811 If specified, log all events to multiple log files in directo‐
2812 ries specified by each “channel”. Each channel can then be pro‐
2813 cessed separately, such as by multiple sync_client(8)s in a mesh
2814 replication scheme, or by squatter(8) for rolling search index
2815 updates.
2816 You can use “” (the two-character string U+22 U+22) to mean the
2818 default sync channel.
2819 sync_log_unsuppressable_channels: squatter
2821 If specified, the named channels are exempt from the effect of
2822 setting sync_log_chain:off, i.e. they are always logged to by
2823 the sync_server process. This is only really useful to allow
2824 rolling search indexing on a replica.
2825 sync_password: <none>
2827 The default password to use when authenticating to a sync
2828 server. Prefix with a channel name to only apply for that chan‐
2829 nel
2830 sync_port: <none>
2832 Name of the service (or port number) of the replication service
2833 on replica host. Prefix with a channel name to only apply for
2834 that channel. If not specified, and if sync_try_imap is set to
2835 “yes” (the default), then the replication client will first try
2836 “imap” (port 143) to check if imapd supports replication. Oth‐
2837 erwise it will default to “csync” (usually port 2005).
2838 sync_realm: <none>
2840 The authentication realm to use when authenticating to a sync
2841 server. Prefix with a channel name to only apply for that chan‐
2842 nel
2843 sync_reconnect_maxwait: 20m
2845 When a rolling sync_client cannot connect to the replica, it en‐
2846 ters a retry loop with an exponential backoff between attempts.
2847 This option sets the upper limit on that exponential backoff: no
2848 matter how long the replica has been down so far, sync_client
2849 will never wait longer than sync_reconnect_maxwait between re‐
2850 tries.
2851 If this is zero or negative, the backoff duration will be al‐
2853 lowed to increase indefinitely (not recommended).
2854 If no unit is specified, seconds is assumed.
2856 sync_repeat_interval: 1s
2858 Minimum interval between replication runs in rolling replication
2859 mode. If a replication run takes longer than this time, we re‐
2860 peat immediately. Prefix with a channel name to only apply for
2861 that channel.
2862 For backward compatibility, if no unit is specified, seconds is
2864 assumed.
2865 sync_rightnow_channel: <none>
2867 if set, run sync_client to this channel immediately. As with
2868 channels, set this value to ‘”“’ to sync the default channel!
2869 sync_shutdown_file: <none>
2871 Simple latch used to tell sync_client(8) that it should shut
2872 down at the next opportunity. Safer than sending signals to run‐
2873 ning processes. Prefix with a channel name to only apply for
2874 that channel
2875 sync_timeout: 30m
2877 How long to wait for a response before returning a timeout fail‐
2878 ure when talking to a replication peer (client or server). The
2879 minimum duration is 3 seconds, the default is 30 minutes.
2880 For backward compatibility, if no unit is specified, seconds is
2882 assumed.
2883 sync_try_imap: 1
2885 Whether sync_client should try to perform an IMAP connection be‐
2886 fore falling back to csync. If this is set to “no”, sync_client
2887 will only use csync. Prefix with a channel name to apply only
2888 for that channel
2889 syslog_prefix: <none>
2891 String to be prepended to the process name in syslog entries.
2892 Can be further overridden by setting the $CYRUS_SYSLOG_PREFIX
2893 environment variable.
2894 Using the $CYRUS_SYSLOG_PREFIX environment variable has the ad‐
2896 ditional advantage that it can be set before the imapd.conf is
2897 read, so errors while reading the config file can be syslogged
2898 with the correct prefix.
2899 syslog_facility: <none>
2901 Configure a syslog facility. The default is whatever is com‐
2902 piled in. Allowed values are: DAEMON, MAIL, NEWS, USER, and LO‐
2903 CAL0 through to LOCAL7
2904 tcp_keepalive: 0
2906 Enable keepalive on TCP connections
2907 tcp_keepalive_cnt: 0
2909 Number of TCP keepalive probes to send before declaring the con‐
2910 nection dead (0 == system default)
2911 tcp_keepalive_idle: 0
2913 How long a connection must be idle before keepalive probes are
2914 sent (0 == system default).
2915 For backward compatibility, if no unit is specified, seconds is
2917 assumed.
2918 tcp_keepalive_intvl: 0
2920 Time between keepalive probes (0 == system default).
2921 For backward compatibility, if no unit is specified, seconds is
2923 assumed.
2924 temp_path: /tmp
2926 The pathname to store temporary files in. It is recommended to
2927 use an in-memory filesystem such as tmpfs for this path.
2928 telemetry_bysessionid: 0
2930 If true, log by sessionid instead of PID for telemetry
2931 timeout: 32m
2933 The length of the IMAP server’s inactivity autologout timer.
2934 The minimum value is 30 minutes. The default is 32 minutes, to
2935 allow a bit of leeway for clients that try to NOOP every 30 min‐
2936 utes.
2937 For backward compatibility, if no unit is specified, minutes is
2939 assumed.
2940 imapidletimeout: <none>
2942 Timeout for idling clients (RFC 2177). If not set (the de‐
2943 fault), the value of “timeout” will be used instead.
2944 For backward compatibility, if no unit is specified, minutes is
2946 assumed.
2947 tls_ca_file: <none>
2949 Deprecated in favor of tls_client_ca_file.
2950 tls_ca_path: <none>
2952 Deprecated in favor of tls_client_ca_dir.
2953 tlscache_db: twoskip
2955 Deprecated in favor of tls_sessions_db.
2956 tlscache_db_path: <none>
2958 Deprecated in favor of tls_sessions_db_path.
2959 tls_cert_file: <none>
2961 Deprecated in favor of tls_server_cert.
2962 tls_cipher_list: DEFAULT
2964 Deprecated in favor of tls_ciphers.
2965 tls_ciphers: DEFAULT
2967 The list of SSL/TLS ciphers to allow. The format of the string
2968 (and definition of “DEFAULT”) is described in ciphers(1).
2969 See also Mozilla’s server-side TLS recommendations:
2971 https://wiki.mozilla.org/Security/Server_Side_TLS
2973 tls_crl_file: <none>
2975 Path to a file containing the Certificate Revocation List
2976 tls_client_ca_dir: <none>
2978 Path to a directory containing the CA certificates used to ver‐
2979 ify client SSL certificates used for authentication.
2980 tls_client_ca_file: <none>
2982 Path to a file containing the CA certificate(s) used to verify
2983 client SSL certificates used for authentication.
2984 tls_client_cert: <none>
2986 File containing the certificate presented to a server for au‐
2987 thentication during STARTTLS. A value of “disabled” will disable
2988 this server’s use of certificate-based authentication.
2989 tls_client_certs: optional
2991 Disable (“off”), allow (“optional”, default) or require (“re‐
2992 quire”) the use of SSL certificates by clients to authenticate
2993 themselves. Allowed values: off, optional, require
2994 tls_client_key: <none>
2996 File containing the private key belonging to the tls_client_cert
2997 certificate. A value of “disabled” will disable this server’s
2998 use of certificate-based authentication.
2999 tls_eccurve: prime256v1
3001 The elliptic curve used for ECDHE. Default is NIST Suite B
3002 prime256. See ‘openssl ecparam -list_curves’ for possible val‐
3003 ues.
3004 tls_key_file: <none>
3006 Deprecated in favor of tls_server_key.
3007 tls_required: 0
3009 If enabled, require a TLS/SSL encryption layer to be negotiated
3010 prior to ANY authentication mechanisms being advertised or al‐
3011 lowed.
3012 tls_prefer_server_ciphers: 0
3014 Prefer the ciphers on the server side instead of client side.
3015 tls_server_ca_dir: <none>
3017 Path to a directory with CA certificates used to verify certifi‐
3018 cates offered by the server, when cyrus acts as client. This di‐
3019 rectory must have filenames with the hashed value of the cer‐
3020 tificates (see openssl(1)).
3021 tls_server_ca_file: <none>
3023 Path to a file containing CA certificates used to verify cer‐
3024 tificates offered by the server, when cyrus acts as client.
3025 tls_server_cert: <none>
3027 File containing the certificate, including the full chain, pre‐
3028 sented to clients. Two certificates can be set, e.g RSA and EC,
3029 if the filenames are separated with comma without spaces.
3030 tls_server_dhparam: <none>
3032 File containing the DH parameters belonging to the certificate
3033 in tls_server_cert.
3034 tls_server_key: <none>
3036 File containing the private key belonging to the certificate in
3037 tls_server_cert. If not set, tls_server_cert must contain both
3038 private and public key. Two files with keys can be set, if two
3039 certificates are used, in which case the files must be separated
3040 with comma without spaces
3041 tls_sessions_db: twoskip
3043 The cyrusdb backend to use for the TLS cache.
3044 Allowed values: skiplist, sql, twoskip, zeroskip
3046 tls_sessions_db_path: <none>
3048 The absolute path to the TLS sessions db file. If not specified,
3049 will be configdirectory/tls_sessions.db
3050 tls_session_timeout: 24h
3052 The length of time that a TLS session will be cached for later
3053 reuse. The maximum value is 24 hours, also the default. A
3054 value of 0 will disable session caching.
3055 For backward compatibility, if no unit is specified, minutes is
3057 assumed.
3058 tls_versions: tls1_0 tls1_1 tls1_2 tls1_3
3060 A list of SSL/TLS versions to not disable. Cyrus IMAP SSL/TLS
3061 starts with all protocols, and subtracts protocols not in this
3062 list. Newer versions of SSL/TLS will need to be added here to
3063 allow them to get disabled.
3064 uidl_format: cyrus
3066 Choose the format for UIDLs in pop3. Possible values are
3067 “uidonly”, “cyrus”, “dovecot” and “courier”. “uidonly” forces
3068 the old default of UID, “cyrus” is UIDVALIDITY.UID. Dovecot is
3069 8 digits of leading hex (lower case) each UID UIDVALIDITY.
3070 Courier is UIDVALIDITY-UID. Allowed values: uidonly, cyrus,
3071 dovecot, courier
3072 umask: 077
3074 The umask value used by various Cyrus IMAP programs.
3075 userdeny_db: flat
3077 The cyrusdb backend to use for the user access list.
3078 Allowed values: flat, skiplist, sql, twoskip, zeroskip
3080 userdeny_db_path: <none>
3082 The absolute path to the userdeny db file. If not specified,
3083 will be configdirectory/user_deny.db
3084 username_tolower: 1
3086 Convert usernames to all lowercase before login/authentication.
3087 This is useful with authentication backends which ignore case
3088 during username lookups (such as LDAP).
3089 userprefix: Other Users
3091 If using the alternate IMAP namespace, the prefix for the other
3092 users namespace. The hierarchy delimiter will be automatically
3093 appended.
3094 unix_group_enable: 1
3096 Should we look up groups when using auth_unix (disable this if
3097 you are not using groups in ACLs for your IMAP server, and you
3098 are using auth_unix with a backend (such as LDAP) that can make
3099 getgrent() calls very slow)
3100 unixhierarchysep: 1
3102 Use the UNIX separator character ‘/’ for delimiting levels of
3103 mailbox hierarchy. Turn off to use the netnews separator char‐
3104 acter ‘.’. Note that with the newnews separator, no dots may oc‐
3105 cur in mailbox names. The default switched in 3.0 from off to
3106 on.
3107 vcard_max_size: 0
3109 Maximum allowed vCard size. If non-zero, CardDAV and JMAP will
3110 reject storage of contacts whose vCard representation is larger
3111 than vcard_max_size bytes. If set to 0, this will allow vCards
3112 of any size (the default).
3113 virtdomains: off
3115 Configure virtual domain support.
3116 off Cyrus does not know or care about domains. Only the local
3118 part of email addresses is ever considered. This is not
3119 recommended for any deployment, but is currently the de‐
3120 fault.
3121 userid The user’s domain is determined by splitting a fully
3123 qualified userid at the last ‘@’ or ‘%’ symbol. If the
3124 userid is unqualified, the defaultdomain will be used.
3125 This is the recommended configuration for all deploy‐
3126 ments. If you wish to provide calendaring services you
3127 must use this configuration.
3128 on Fully qualified userids are respected, as per “userid”.
3130 Unqualified userids will have their domain determined by
3131 doing a reverse lookup on the IP address of the incoming
3132 network interface, or if no record is found, the default‐
3133 domain will be used.
3134 Allowed values: off, userid, on
3136 virusscan_notification_subject: Automatically deleted mail
3138 The text used in the subject of email notifications created by
3139 cyr_virusscan(8) when deleting infected mail.
3140 virusscan_notification_template: <none>
3142 The absolute path to a file containing a template to use to de‐
3143 scribe infected messages that have been deleted by cyr_viruss‐
3144 can(8). See cyr_virusscan(8) for specification of the format of
3145 this file. If not specified, the builtin default template will
3146 be used.
3147 websocket_timeout: 30m
3149 Set the length of the HTTP server’s inactivity autologout timer
3150 when a WebSocket channel has been established. The default is
3151 30 minutes. The minimum value is 0, which will disable WebSock‐
3152 ets.
3153 If no unit is specified, minutes is assumed.
3155 xbackup_enabled: 0
3157 Enable support for the XBACKUP command in imapd. If enabled,
3158 admin users can use this command to provoke a replication of
3159 specified users to the named backup channel.
3160 xlist-flag: <none>
3162 Set the special-use flag flag on the specified folder when it is
3163 autocreated (see the autocreate_inbox_folders option). For ex‐
3164 ample, if xlist-junk: Spam is set, and the folder Spam is au‐
3165 tocreated, the special-use flag \Junk will be set on it.
3166 (This option is so named for backward compatibility with old
3168 config files.)
3169 lmtp_catchall_mailbox: <none>
3171 Mail sent to mailboxes which do not exist, will be delivered to
3172 this user. NOTE: This must be an existing local user name with
3173 an INBOX, NOT an email address!
3174 zoneinfo_db: twoskip
3176 The cyrusdb backend to use for zoneinfo. This database is used
3177 by the “tzdist” httpmodules, and is managed by ctl_zoneinfo(8).
3178 Allowed values: flat, skiplist, twoskip, zeroskip
3179 zoneinfo_db_path: <none>
3181 The absolute path to the zoneinfo db file. If not specified,
3182 will be configdirectory/zoneinfo.db
3183 zoneinfo_dir: <none>
3185 The absolute path to the zoneinfo directory, containing timezone
3186 definitions as generated by the vzic tool. If not specified,
3187 whatever definitions libical finds will be used.
3188 If you are providing a Time Zone Data Distribution Service (i.e.
3190 you have “tzdist” listed in httpmodules), then this configura‐
3191 tion option MUST be specified.
3192 object_storage_enabled: 0
3194 Is Object storage enabled for this server. You also need to
3195 have archiving enabled and archivepartition for the mailbox.
3196 Only email files will be stored on object Storage archive parti‐
3197 tion will be used to store any other files
3198 object_storage_dummy_spool: <none>
3200 Dummy object storage spool; this is for test only. Spool where
3201 user directory (container) will be created to store all emails
3202 in a flat structure
3203 openio_namespace: <none>
3205 The OpenIO namespace used to store archived email messages. A
3206 namespace identifies the physical platform cyrus must contact.
3207 This directive is used by the OpenIO’s SDK to locate its plat‐
3208 form entry point.
3209 openio_account: <none>
3211 The OpenIO account used to account for stored emails. Accounts
3212 are unique in their namespace. They provides virtual partitions,
3213 with quotas and QoS features.
3214 openio_rawx_timeout: 30s
3216 The OpenIO timeout to query to the RAWX services (default 30
3217 sec).
3218 openio_proxy_timeout: 5s
3220 The OpenIO timeout to query to the PROXY services (default 5
3221 sec).
3222 openio_autocreate: 0
3224 Allow the OpenIO SDK to autocreate containers. Mainly destined
3225 to be turned on development environments. In production, the
3226 container should have been provisioned with the mailboxes.
3227 openio_verbosity: <none>
3229 Sets the logging verbosity of the OpenIO’s internal behavior.
3230 Admissible values are: “warning”, “notice”, “info”, “debug”,
3231 “trace”, “quiet”. The default verbosity is “warning”. Set to
3232 “notice” for a few lines on a per-client basis. Set to “info”
3233 for a few lines on a per-request basis. Set to “debug” Set to
3234 “trace” to activate the underlying libcurl debug output. En‐
3235 abling a verbosity higher to equal than “debug” requires the
3236 cyrus to be set in debug mode. The special “quiet” value dis‐
3237 ables all kinds of logging at the GLib level.
3238 caringo_hostname: <none>
3240 The Caringo hostname used to store archived email messages. A
3241 hostname identifies the physical platform cyrus must contact.
3242 This directive is used by the Caringo’s SDK (CastorSDK: Caringo
3243 Simple Content Storage Protocol (SCSP) on HTTP 1.1 using a REST‐
3244 ful architecture
3245 caringo_port: 80
3247 The port of the caringo server (caringo_hostname); default is
3248 80.
3249 fastmailsharing: 0
3251 If enabled, use FastMail style sharing (oldschool full server
3252 paths)
3253
3255 imapd(8), pop3d(8), nntpd(8), lmtpd(8), httpd(8), timsieved(8),
3256 idled(8), notifyd(8), deliver(8), master(8), ciphers(1)
3257
3259 The Cyrus Team
3260
3262 1993–2022, The Cyrus Team
32633.6.0 December 12, 2022 IMAPD.CONF(5)