dovecot.conf

a very userful email managing service

# set this value to empty.
#auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@

# Username character translations before it's looked up from databases. The
# value contains series of from -> to characters. For example "#@/@" means
# that '#' and '/' characters are translated to '@'.
#auth_username_translation =

# Username formatting before it's looked up from databases. You can use
# the standard variables here, eg. %Lu would lowercase the username, %n would
# drop away the domain if it was given, or "%n-AT-%d" would change the '@' into
# "-AT-". This translation is done after auth_username_translation changes.
#auth_username_format =

# If you want to allow master users to log in by specifying the master
# username within the normal username string (ie. not using SASL mechanism's
# support for it), you can specify the separator character here. The format
# is then <username><separator><master username>. UW-IMAP uses "*" as the
# separator, so that could be a good choice.
#auth_master_user_separator =

# Username to use for users logging in with ANONYMOUS SASL mechanism
#auth_anonymous_username = anonymous

# More verbose logging. Useful for figuring out why authentication isn't
# working.
#auth_verbose = no

# Even more verbose logging for debugging purposes. Shows for example SQL
# queries.
#auth_debug = no

# In case of password mismatches, log the passwords and used scheme so the
# problem can be debugged. Requires auth_debug=yes to be set.
#auth_debug_passwords = no

# Maximum number of dovecot-auth worker processes. They're used to execute
# blocking passdb and userdb queries (eg. MySQL and PAM). They're
# automatically created and destroyed as needed.
#auth_worker_max_count = 30

# Kerberos keytab to use for the GSSAPI mechanism. Will use the system 
# default (usually /etc/krb5.keytab) if not specified.
#auth_krb5_keytab = 

auth default {
  # Space separated list of wanted authentication mechanisms:
  #   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi
  mechanisms = plain

  #
  # Password database is used to verify user's password (and nothing more).
  # You can have multiple passdbs and userdbs. This is useful if you want to
  # allow both system users (/etc/passwd) and virtual users to login without
  # duplicating the system users into virtual database.
  #
  # http://wiki.dovecot.org/PasswordDatabase
  #
  # By adding master=yes setting inside a passdb you make the passdb a list
  # of "master users", who can log in as anyone else. Unless you're using PAM,
  # you probably still want the destination user to be looked up from passdb
  # that it really exists. This can be done by adding pass=yes setting to the
  # master passdb.
  #
  # http://wiki.dovecot.org/MasterPassword

  # Users can be temporarily disabled by adding a passdb with deny=yes.
  # If the user is found from that database, authentication will fail.
  # The deny passdb should always be specified before others, so it gets
  # checked first. Here's an example:

  #passdb passwd-file {
    # File contains a list of usernames, one per line
    #args = /etc/dovecot.deny
    #deny = yes
  #}

  # PAM authentication. Preferred nowadays by most systems. 
  # Note that PAM can only be used to verify if user's password is correct,
  # so it can't be used as userdb. If you don't want to use a separate user
  # database (passwd usually), you can use static userdb.
  # REMEMBER: You'll need /etc/pam.d/dovecot file created for PAM
  # authentication to actually work.
  # http://wiki.dovecot.org/PasswordDatabase/PAM
  passdb pam {
    #  [session=yes] [setcred=yes] [cache_key=<key>] [<service name>]
    #
    # session=yes makes Dovecot open and immediately close PAM session. Some
    # PAM plugins need this to work, such as pam_mkhomedir.
    #
    # setcred=yes makes Dovecot establish PAM credentials if some PAM plugins
    # need that. They aren't ever deleted though, so this isn't enabled by
    # default.
    #
    # cache_key can be used to enable authentication caching for PAM
    # (auth_cache_size also needs to be set). It isn't enabled by default
    # because PAM modules can do all kinds of checks besides checking password,
    # such as checking IP address. Dovecot can't know about these checks
    # without some help. cache_key is simply a list of variables (see
    # doc/variables.txt) which must match for the cached data to be used.
    # Here are some examples:
    #   %u - Username must match. Probably sufficient for most uses.
    #   %u%r - Username and remote IP address must match.
    #   %u%s - Username and service (ie. IMAP, POP3) must match.
    # 
    # If service name is "*", it means the authenticating service name
    # is used, eg. pop3 or imap (/etc/pam.d/pop3, /etc/pam.d/imap).
    #
    # Some examples:
    #   args = session=yes *
    #   args = cache_key=%u dovecot
    #args = dovecot
  }

  # /etc/passwd or similar, using getpwnam()
  # In many systems nowadays this uses Name Service Switch, which is
  # configured in /etc/nsswitch.conf.
  # http://wiki.dovecot.org/AuthDatabase/Passwd
  #passdb passwd {
  #}

  # /etc/shadow or similiar, using getspnam(). Deprecated by PAM nowadays.
  # http://wiki.dovecot.org/PasswordDatabase/Shadow
  #passdb shadow {
  #}

  # PAM-like authentication for OpenBSD.
  # http://wiki.dovecot.org/PasswordDatabase/BSDAuth
  #passdb bsdauth {
    # [cache_key=<key>] - See cache_key in PAM for explanation.
    #args =
  #}

  # passwd-like file with specified location
  # http://wiki.dovecot.org/AuthDatabase/PasswdFile
  #passdb passwd-file {
    # Path for passwd-file
    #args = 
  #}

  # checkpassword executable authentication
  # NOTE: You will probably want to use "userdb prefetch" with this.
  # http://wiki.dovecot.org/PasswordDatabase/CheckPassword
  #passdb checkpassword {
    # Path for checkpassword binary
    #args = 
  #}

  # SQL database
  # http://wiki.dovecot.org/AuthDatabase/SQL
  #passdb sql {
    # Path for SQL configuration file, see doc/dovecot-sql.conf for example
    #args = 
  #}

  # LDAP database
  # http://wiki.dovecot.org/AuthDatabase/LDAP
  #passdb ldap {
    # Path for LDAP configuration file, see doc/dovecot-ldap.conf for example
    #args = 
  #}

  # vpopmail authentication
  # http://wiki.dovecot.org/AuthDatabase/VPopMail
  #passdb vpopmail {
    # [cache_key=<key>] - See cache_key in PAM for explanation.
    #args =
  #}

  #
  # User database specifies where mails are located and what user/group IDs
  # own them. For single-UID configuration use "static".
  #
  # http://wiki.dovecot.org/UserDatabase
  #

  # /etc/passwd or similar, using getpwnam()
  # In many systems nowadays this uses Name Service Switch, which is
  # configured in /etc/nsswitch.conf. WARNING: nss_ldap is known to be broken
  # with Dovecot. Don't use it, or users might log in as each others!
  # http://wiki.dovecot.org/AuthDatabase/Passwd
  userdb passwd {
  }

  # passwd-like file with specified location
  # http://wiki.dovecot.org/AuthDatabase/PasswdFile
  #userdb passwd-file {
    # Path for passwd-file
    #args =
  #}

  # static settings generated from template
  # http://wiki.dovecot.org/UserDatabase/Static
  #userdb static {
    # Template for the fields. Can return anything a userdb could normally
    # return. For example:
    #
    #  args = uid=500 gid=500 home=/var/mail/%u
    #
    #args =
  #}

  # SQL database
  # http://wiki.dovecot.org/AuthDatabase/SQL
  #userdb sql {
    # Path for SQL configuration file, see doc/dovecot-sql.conf for example
    #args = 
  #}

  # LDAP database
  # http://wiki.dovecot.org/AuthDatabase/LDAP
  #userdb ldap {
    # Path for LDAP configuration file, see doc/dovecot-ldap.conf for example
    #args = 
  #}

  # vpopmail
  # http://wiki.dovecot.org/AuthDatabase/VPopMail
  #userdb vpopmail {
  #}

  # "prefetch" user database means that the passdb already provided the
  # needed information and there's no need to do a separate userdb lookup.
  # This can be made to work with SQL and LDAP databases, see their example
  # configuration files for more information how to do it.
  # http://wiki.dovecot.org/UserDatabase/Prefetch
  #userdb prefetch {
  #}

  # User to use for the process. This user needs access to only user and
  # password databases, nothing else. Only shadow and pam authentication
  # requires roots, so use something else if possible. Note that passwd
  # authentication with BSDs internally accesses shadow files, which also
  # requires roots. Note that this user is NOT used to access mails.
  # That user is specified by userdb above.
  user = root

  # Directory where to chroot the process. Most authentication backends don't
  # work if this is set, and there's no point chrooting if auth_user is root.
  # Note that valid_chroot_dirs isn't needed to use this setting.
  #chroot = 

  # Number of authentication processes to create
  #count = 1

  # Require a valid SSL client certificate or the authentication fails.
  #ssl_require_client_cert = no

  # Take the username from client's SSL certificate, using 
  # X509_NAME_get_text_by_NID() which returns the subject's DN's
  # CommonName. 
  #ssl_username_from_cert = no

  # It's possible to export the authentication interface to other programs:
  #socket listen {
    #master {
      # Master socket is typically used to give Dovecot's local delivery
      # agent access to userdb so it can find mailbox locations. It can
      # however also be used to disturb regular user authentications.
      # WARNING: Giving untrusted users access to master socket may be a 
      # security risk, don't give too wide permissions to it!
      #path = /var/run/dovecot/auth-master
      #mode = 0600
      # Default user/group is the one who started dovecot-auth (root)
      #user = 
      #group = 
    #}
    #client {
      # The client socket is generally safe to export to everyone. Typical use
      # is to export it to your SMTP server so it can do SMTP AUTH lookups
      # using it.
      #path = /var/run/dovecot/auth-client
      #mode = 0660
    #}
  #}
}

# If you wish to use another authentication server than dovecot-auth, you can
# use connect sockets. They assumed to be already running, Dovecot's master
# process only tries to connect to them. They don't need any other settings
# than the path for the master socket, as the configuration is done elsewhere.
# Note that the client sockets must exist in the login_dir.
#auth external {
#  socket connect {
#    master {
#      path = /var/run/dovecot/auth-master
#    }
#  }
#}

##
## Dictionary server settings
##

# Dictionary can be used by some plugins to store key=value lists.
# Currently this is only used by dict quota backend. The dictionary can be
# used either directly or though a dictionary server. The following dict block
# maps dictionary names to URIs when the server is used. These can then be
# referenced using URIs in format "proxy:<name>".

dict {
  #quota = mysql:/etc/dovecot-dict-quota.conf 
}

##
## Plugin settings
##

plugin {
  # Here you can give some extra environment variables to mail processes.
  # This is mostly meant for passing parameters to plugins. %variable
  # expansion is done for all values.

  # Quota plugin. Multiple backends are supported:
  #   dirsize: Find and sum all the files found from mail directory
  #   dict: Keep quota stored in dictionary (eg. SQL)
  #   maildir: Maildir++ quota
  #   fs: Read-only support for filesystem quota
  #quota = maildir

  # ACL plugin. vfile backend reads ACLs from "dovecot-acl" file from maildir
  # directory. You can also optionally give a global ACL directory path where
  # ACLs are applied to all users' mailboxes. The global ACL directory contains
  # one file for each mailbox, eg. INBOX or sub.mailbox.
  #acl = vfile:/etc/dovecot-acls

  # Convert plugin. If set, specifies the source storage path which is
  # converted to destination storage (mail_location).
  #convert_mail = mbox:%h/mail

  # Trash plugin. When saving a message would make user go over quota, this
  # plugin automatically deletes the oldest mails from configured mailboxes
  # until the message can be saved within quota limits. The configuration file
  # is a text file where each line is in format: <priority> <mailbox name>
  # Mails are first deleted in lowest -> highest priority number order
  #trash = /etc/dovecot-trash.conf
}