322 lines
12 KiB
Text
322 lines
12 KiB
Text
# Debian Cyrus imapd.conf
|
|
# See imapd.conf(5) for more information and more options
|
|
|
|
# Configuration directory
|
|
configdirectory: /var/lib/cyrus
|
|
|
|
# Directories for proc and lock files
|
|
proc_path: /run/cyrus/proc
|
|
mboxname_lockpath: /run/cyrus/lock
|
|
|
|
# Which partition to use for default mailboxes
|
|
defaultpartition: default
|
|
partition-default: /var/spool/cyrus/mail
|
|
|
|
# News setup
|
|
partition-news: /var/spool/cyrus/news
|
|
newsspool: /var/spool/news
|
|
|
|
# Alternate namespace
|
|
# If enabled, activate the alternate namespace as documented in
|
|
# /usr/share/doc/cyrus-doc-2.4/html/altnamespace.html, where an user's
|
|
# subfolders are in the same level as the INBOX
|
|
# See also userprefix and sharedprefix on imapd.conf(5)
|
|
altnamespace: no
|
|
|
|
# UNIX Hierarchy Convention
|
|
# Set to yes, and cyrus will accept dots in names, and use the forward
|
|
# slash "/" to delimit levels of the hierarchy. This is done by converting
|
|
# internally all dots to "^", and all "/" to dots. So the "rabbit.holes"
|
|
# mailbox of user "helmer.fudd" is stored in "user.elmer^fud.rabbit^holes"
|
|
unixhierarchysep: no
|
|
|
|
# Rejecting illegal characters in headers
|
|
# Headers of RFC2882 messages must not have characters with the 8th bit
|
|
# set. However, too many badly-written MUAs generate this, including most
|
|
# spamware. Enable this to reject such messages.
|
|
#reject8bit: yes
|
|
|
|
# Munging illegal characters in headers
|
|
# Headers of RFC2882 messages must not have characters with the 8th bit
|
|
# set. However, too many badly-written MUAs generate this, including most
|
|
# spamware. If you kept reject8bit disabled, you can choose to leave the
|
|
# crappage untouched by disabling this (if you don't care that IMAP SEARCH
|
|
# won't work right anymore.
|
|
#munge8bit: no
|
|
|
|
# Forcing recipient user to lowercase
|
|
# Cyrus IMAPD is case-sensitive. If all your mail users are in lowercase, it is
|
|
# probably a very good idea to set lmtp_downcase_rcpt to true. This is set by
|
|
# default, per RFC2821. This was not set by default in debian versions up to
|
|
# and including 2.2.12-4.
|
|
lmtp_downcase_rcpt: yes
|
|
|
|
# Uncomment the following and add the space-separated users who
|
|
# have admin rights for all services.
|
|
admins: <%= cyrus_admins %>
|
|
|
|
# Space-separated list of users that have lmtp "admin" status (i.e. that
|
|
# can deliver email through TCP/IP lmtp). If specified, this parameter
|
|
# overrides the "admins" parameter above
|
|
#lmtp_admins: postman
|
|
|
|
# Space-separated list of users that have mupdate "admin" status, in
|
|
# addition to those in the admins: entry above. Note that mupdate slaves and
|
|
# backends in a Murder cluster need to autenticate against the mupdate master
|
|
# as admin users.
|
|
#mupdate_admins: mupdateman
|
|
|
|
# Space-separated list of users that have imapd "admin" status, in
|
|
# addition to those in the admins: entry above
|
|
#imap_admins: cyrus
|
|
|
|
# Space-separated list of users that have sieve "admin" status, in
|
|
# addition to those in the admins: entry above
|
|
#sieve_admins: cyrus
|
|
|
|
# List of users and groups that are allowed to proxy for other users,
|
|
# seperated by spaces. Any user listed in this will be allowed to login
|
|
# for any other user. Like "admins:" above, you can have imap_proxyservers
|
|
# and sieve_proxyservers.
|
|
#proxyservers: cyrus
|
|
|
|
# No anonymous logins
|
|
allowanonymouslogin: no
|
|
|
|
# Minimum time between POP mail fetches in minutes
|
|
popminpoll: 1
|
|
|
|
# If nonzero, normal users may create their own IMAP accounts by creating
|
|
# the mailbox INBOX. The user's quota is set to the value if it is positive,
|
|
# otherwise the user has unlimited quota.
|
|
autocreatequota: 0
|
|
|
|
# umask used by Cyrus programs
|
|
umask: 077
|
|
|
|
# Sendmail binary location
|
|
# DUE TO A BUG, Cyrus sends CRLF EOLs to this program. This breaks Exim 3.
|
|
# For now, to work around the bug, set this to a wrapper that calls
|
|
# /usr/sbin/sendmail -dropcr instead if you use Exim 3.
|
|
#sendmail: /usr/sbin/sendmail
|
|
|
|
# If enabled, cyrdeliver will look for Sieve scripts in user's home
|
|
# directories: ~user/.sieve.
|
|
sieveusehomedir: false
|
|
|
|
# If sieveusehomedir is false, this directory is searched for Sieve scripts.
|
|
sievedir: /var/spool/sieve
|
|
|
|
# notifyd(8) method to use for "MAIL" notifications. If not set, "MAIL"
|
|
# notifications are disabled. Valid methods are: null, log, zephyr
|
|
#mailnotifier: zephyr
|
|
|
|
# notifyd(8) method to use for "SIEVE" notifications. If not set, "SIEVE"
|
|
# notifications are disabled. This method is only used when no method is
|
|
# specified in the script. Valid methods are null, log, zephyr, mailto
|
|
#sievenotifier: zephyr
|
|
|
|
# DRAC (pop-before-smtp, imap-before-smtp) support
|
|
# Set dracinterval to the time in minutes to call DRAC while a user is
|
|
# connected to the imap/pop services. Set to 0 to disable DRAC (default)
|
|
# Set drachost to the host where the rpc drac service is running
|
|
#dracinterval: 0
|
|
#drachost: localhost
|
|
|
|
# If enabled, the partitions will also be hashed, in addition to the hashing
|
|
# done on configuration directories. This is recommended if one partition has a
|
|
# very bushy mailbox tree.
|
|
hashimapspool: true
|
|
|
|
# Allow plaintext logins by default (SASL PLAIN)
|
|
allowplaintext: yes
|
|
|
|
# Force PLAIN/LOGIN authentication only
|
|
# (you need to uncomment this if you are not using an auxprop-based SASL
|
|
# mechanism. saslauthd users, that means you!). And pay attention to
|
|
# sasl_minimum_layer and allowapop below, too.
|
|
sasl_mech_list: PLAIN LOGIN
|
|
|
|
# Allow use of the POP3 APOP authentication command.
|
|
# Note that this command requires that the plaintext passwords are
|
|
# available in a SASL auxprop backend (eg. sasldb), and that the system
|
|
# can provide enough entropy (eg. from /dev/urandom) to create a challenge
|
|
# in the banner.
|
|
#allowapop: no
|
|
|
|
# The minimum SSF that the server will allow a client to negotiate. A
|
|
# value of 1 requires integrity protection; any higher value requires some
|
|
# amount of encryption.
|
|
#sasl_minimum_layer: 0
|
|
|
|
# The maximum SSF that the server will allow a client to negotiate. A
|
|
# value of 1 requires integrity protection; any higher value requires some
|
|
# amount of encryption.
|
|
#sasl_maximum_layer: 256
|
|
|
|
# List of remote realms whose users may log in using cross-realm
|
|
# authentications. Seperate each realm name by a space. A cross-realm
|
|
# identity is considered any identity returned by SASL with an "@" in it.
|
|
# NOTE: To support multiple virtual domains on the same interface/IP,
|
|
# you need to list them all as loginreals. If you don't list them here,
|
|
# (most of) your users probably won't be able to log in.
|
|
#loginrealms: example.com
|
|
|
|
# Enable virtual domain support. If enabled, the user's domain will
|
|
# be determined by splitting a fully qualified userid at the last '@'
|
|
# or '%' symbol. If the userid is unqualified, and the virtdomains
|
|
# option is set to "on", then the domain will be determined by doing
|
|
# a reverse lookup on the IP address of the incoming network
|
|
# interface, otherwise the user is assumed to be in the default
|
|
# domain (if set).
|
|
#virtdomains: userid
|
|
|
|
# The default domain for virtual domain support
|
|
# If the domain of a user can't be taken from its login and it can't
|
|
# be determined by doing a reverse lookup on the interface IP, this
|
|
# domain is used.
|
|
#defaultdomain:
|
|
|
|
#
|
|
# SASL library options (these are handled directly by the SASL libraries,
|
|
# refer to SASL documentation for an up-to-date list of these)
|
|
#
|
|
|
|
# The mechanism(s) used by the server to verify plaintext passwords. Possible
|
|
# values are "saslauthd", "auxprop", "pwcheck" and "alwaystrue". They
|
|
# are tried in order, you can specify more than one, separated by spaces.
|
|
#
|
|
# Do note that, since sasl will be run as user cyrus, you may have a lot of
|
|
# trouble to set this up right.
|
|
sasl_pwcheck_method: saslauthd
|
|
|
|
# What auxpropd plugins to load, if using sasl_pwcheck_method: auxprop
|
|
# by default, all plugins are tried (which is probably NOT what you want).
|
|
#sasl_auxprop_plugin: sasldb
|
|
|
|
# If enabled, the SASL library will automatically create authentication secrets
|
|
# when given a plaintext password. Refer to SASL documentation
|
|
sasl_auto_transition: no
|
|
|
|
#
|
|
# SSL/TLS Options
|
|
#
|
|
|
|
# File containing the global certificate used for ALL services (imap, pop3,
|
|
# lmtp, sieve)
|
|
tls_cert_file: <%= scope.lookupvar('ssl::certs') %>/cyrus.crt
|
|
|
|
# File containing the private key belonging to the global server certificate.
|
|
tls_key_file: <%= scope.lookupvar('ssl::private') %>/cyrus.key
|
|
|
|
# File containing the certificate used for imap. If not specified, the global
|
|
# certificate is used. A value of "disabled" will disable SSL/TLS for imap.
|
|
#imap_tls_cert_file: /etc/ssl/certs/cyrus-imap.pem
|
|
|
|
# File containing the private key belonging to the imap-specific server
|
|
# certificate. If not specified, the global private key is used. A value of
|
|
# "disabled" will disable SSL/TLS for imap.
|
|
#imap_tls_key_file: /etc/ssl/private/cyrus-imap.key
|
|
|
|
# File containing the certificate used for pop3. If not specified, the global
|
|
# certificate is used. A value of "disabled" will disable SSL/TLS for pop3.
|
|
#pop3_tls_cert_file: /etc/ssl/certs/cyrus-pop3.pem
|
|
|
|
# File containing the private key belonging to the pop3-specific server
|
|
# certificate. If not specified, the global private key is used. A value of
|
|
# "disabled" will disable SSL/TLS for pop3.
|
|
#pop3_tls_key_file: /etc/ssl/private/cyrus-pop3.key
|
|
|
|
# File containing the certificate used for lmtp. If not specified, the global
|
|
# certificate is used. A value of "disabled" will disable SSL/TLS for lmtp.
|
|
#lmtp_tls_cert_file: /etc/ssl/certs/cyrus-lmtp.pem
|
|
|
|
# File containing the private key belonging to the lmtp-specific server
|
|
# certificate. If not specified, the global private key is used. A value of
|
|
# "disabled" will disable SSL/TLS for lmtp.
|
|
#lmtp_tls_key_file: /etc/ssl/private/cyrus-lmtp.key
|
|
|
|
# File containing the certificate used for sieve. If not specified, the global
|
|
# certificate is used. A value of "disabled" will disable SSL/TLS for sieve.
|
|
#sieve_tls_cert_file: /etc/ssl/certs/cyrus-sieve.pem
|
|
|
|
# File containing the private key belonging to the sieve-specific server
|
|
# certificate. If not specified, the global private key is used. A value of
|
|
# "disabled" will disable SSL/TLS for sieve.
|
|
#sieve_tls_key_file: /etc/ssl/private/cyrus-sieve.key
|
|
|
|
# File containing one or more Certificate Authority (CA) certificates.
|
|
#tls_ca_file: /etc/ssl/certs/cyrus-imapd-ca.pem
|
|
|
|
# Path to directory with certificates of CAs.
|
|
tls_ca_path: /etc/ssl/certs
|
|
|
|
# The length of time (in minutes) that a TLS session will be cached for later
|
|
# reuse. The maximum value is 1440 (24 hours), the default. A value of 0 will
|
|
# disable session caching.
|
|
tls_session_timeout: 1440
|
|
|
|
# The list of SSL/TLS ciphers to allow, in decreasing order of precedence.
|
|
# The format of the string is described in ciphers(1). The Debian default
|
|
# selects TLSv1 high-security ciphers only, and removes all anonymous ciphers
|
|
# from the list (because they provide no defense against man-in-the-middle
|
|
# attacks). It also orders the list so that stronger ciphers come first.
|
|
tls_cipher_list: TLSv1+HIGH:!aNULL:@STRENGTH
|
|
|
|
# Require a client certificate for ALL services (imap, pop3, lmtp, sieve).
|
|
#tls_require_cert: false
|
|
|
|
# Require a client certificate for imap ONLY.
|
|
#imap_tls_require_cert: false
|
|
|
|
# Require a client certificate for pop3 ONLY.
|
|
#pop3_tls_require_cert: false
|
|
|
|
# Require a client certificate for lmtp ONLY.
|
|
#lmtp_tls_require_cert: false
|
|
|
|
# Require a client certificate for sieve ONLY.
|
|
#sieve_tls_require_cert: false
|
|
|
|
#
|
|
# Cyrus Murder cluster configuration
|
|
#
|
|
# Set the following options to the values needed for this server to
|
|
# autenticate against the mupdate master server:
|
|
# mupdate_server
|
|
# mupdate_port
|
|
# mupdate_username
|
|
# mupdate_authname
|
|
# mupdate_realm
|
|
# mupdate_password
|
|
# mupdate_retry_delay
|
|
|
|
##
|
|
## KEEP THESE IN SYNC WITH cyrus.conf
|
|
##
|
|
# Unix domain socket that lmtpd listens on.
|
|
lmtpsocket: /var/run/cyrus/socket/lmtp
|
|
|
|
# Unix domain socket that idled listens on.
|
|
idlesocket: /var/run/cyrus/socket/idle
|
|
|
|
# Unix domain socket that the new mail notification daemon listens on.
|
|
notifysocket: /var/run/cyrus/socket/notify
|
|
|
|
# Syslog prefix. Defaults to cyrus (so logging is done as cyrus/imap etc.)
|
|
syslog_prefix: cyrus
|
|
|
|
##
|
|
## DEBUGGING
|
|
##
|
|
# Debugging hook. See /usr/share/doc/cyrus-common-2.4/README.Debian.debug
|
|
# Keep the hook disabled when it is not in use
|
|
#
|
|
# gdb Back-traces
|
|
#debug_command: /usr/bin/gdb -batch -cd=/tmp -x /usr/lib/cyrus/get-backtrace.gdb /usr/lib/cyrus/bin/%s %d >/tmp/gdb-backtrace.cyrus.%1$s.%2$d <&- 2>&1 &
|
|
#
|
|
# system-call traces
|
|
#debug_command: /usr/bin/strace -tt -o /tmp/strace.cyrus.%s.%d -p %2$d <&- 2>&1 &
|
|
#
|
|
# library traces
|
|
#debug_command: /usr/bin/ltrace -tt -n 2 -o /tmp/ltrace.cyrus.%s.%d -p %2$d <&- 2>&1 &
|