#
# /usr/local/etc/dovecot/dovecot.conf
# Dovecot configuration file (Jinja template; {{ mail.* }} values are
# substituted before the file is installed).
#
# This file is read by the Dovecot server; comments are full-line only,
# a "#" after a value would become part of the value.
#
# References
# ----------
# * Dovecot - Quick Configuration
#   http://wiki2.dovecot.org/QuickConfiguration
# * Dovecot - SSL Configuration
#   https://wiki.dovecot.org/SSL/DovecotConfiguration
# * Multiple domains and virtual users (Postfix/Dovecot/SASL)
#   http://void.ideabite.org/2013/07/28/multiple-domains-and-virtual-users/
#
# Aaron LI
#

# Template variable; not referenced in the visible part of this file.
{% set mydomain = mail.domains[0] %}

# NOTE
# ----
# "doveconf -n" command gives a clean output of the changed settings.
# Use it instead of copy/pasting files when posting to the mailing list.

# Protocols we want to serve. Only IMAP here; no POP3, no LMTP.
protocols = imap

# A comma separated list of IPs or hosts where to listen.
# - "*" listens on all IPv4 interfaces
# - "::" listens on all IPv6 interfaces
# Binding every interface is acceptable here because the plaintext IMAP
# listener is disabled (port = 0 in service imap-login) and TLS is
# required (ssl = required), both set further down in this file.
listen = *, ::

##
## 10-auth.conf
## Authentication process, password and user database
##

# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability). Both mechanisms enabled
# below (plain, login) transmit the password as-is, so this setting is
# what keeps credentials off the wire.
disable_plaintext_auth = yes

# Space separated list of realms for SASL authentication mechanisms
# that need them. You can leave it empty if you don't want to support
# multiple realms.
#auth_realms =

# Require a valid SSL client certificate or the authentication fails.
# Left at the default (no): clients authenticate with passwords only.
#auth_ssl_require_client_cert = no

# Take the username from client's SSL certificate, using
# X509_NAME_get_text_by_NID() which returns the subject's DN's
# CommonName.
#auth_ssl_username_from_cert = no

# Space separated list of wanted authentication mechanisms:
#   plain login digest-md5 cram-md5 ntlm rpa apop anonymous
#   gssapi otp skey gss-spnego
# NOTE: See also disable_plaintext_auth setting.
# "login" is kept only for older clients that do not speak PLAIN; both
# are safe solely because they are restricted to TLS sessions above.
auth_mechanisms = plain login

# The password database used by Dovecot to authenticate users.
#
# See: https://wiki2.dovecot.org/PasswordDatabase
#
# Generate the password with:
#   $ doveadm pw -s SSHA512
#
# NOTE(review): the passwd file below holds the SSHA512 hashes; its
# file mode is not visible here - confirm on the host that only the
# account running the auth worker can read it.
#
passdb {
  driver = passwd-file
  # scheme: hash scheme expected in the file.
  # username_format=%u: look up the full user@domain as sent by the
  # client.
  args = scheme=SSHA512 username_format=%u /usr/local/etc/dovecot/passwd
  # This is not a database for denied users.
  deny = no
  # This is not a database for master users, which can log in as
  # other users.
  master = no
  # The remaining flags are the stock defaults, spelled out explicitly.
  # With only this single passdb in the visible configuration, a
  # "continue" result has no further database to fall through to, so a
  # wrong password simply fails.
  pass = no
  skip = never
  result_failure = continue
  result_internalfail = continue
  result_success = return-ok
}

# User database, which will be looked up to obtain user's information
# after the user has been successfully authenticated. The userdb lookup
# is also done by LDA to find out how to deliver mails for the user.
#
# Dovecot doesn't need to verify the username or the password.
#
# See: https://wiki2.dovecot.org/UserDatabase
#
userdb {
  driver = static
  #
  # Setting 'allow_all_users=yes' makes Dovecot skip the user lookup
  # in the userdb and rely entirely on the passdb lookup. Therefore,
  # the username may be repeated to have multiple passwords, which can
  # be utilized to achieve device-specific passwords.
  #
  # Because the passdb must still succeed first, this does not by itself
  # admit usernames absent from the passwd file.
  #
  args = allow_all_users=yes
}

##
## 10-logging.conf
## Log destination, verbosity, and debugging.
##

# Log unsuccessful authentication attempts and the reasons why they
# failed. This is the signal a brute-force / credential-stuffing
# detector (e.g. a log-based banning tool) keys on.
auth_verbose = yes

# In case of password mismatches, log the attempted password.
# Valid values are no, plain and sha1.
# sha1 can be useful for detecting brute force password attempts vs.
# user simply trying the same password over and over again.
#
# NOTE(review): a full SHA-1 of a mistyped password is an offline-
# crackable digest of something very close to the real password, so
# anyone who can read the auth log gains leverage. Newer Dovecot
# releases accept a truncated form (e.g. sha1:6) that still
# distinguishes "same password again" from "new guess"; confirm it is
# supported by the installed version before changing this, and keep
# the log files themselves tightly permissioned.
auth_verbose_passwords = sha1

# Space-separated list of elements we want to log. The elements which
# have a non-empty variable value are joined together to form a
# comma-separated string.
#
# Since we set up device-specific passwords, the full username (%u) is
# the authenticated user after replacement by the auth process. Use
# %{orig_user}, which expands to the original username the client sent
# before any changes by the auth process, to keep track of which
# device/password is actually in use.
#
# The other elements are the stock ones: auth mechanism (%m), remote and
# local IP (%r, %l), mail process PID (%e) and the connection security
# status (%c).
login_log_format_elements = user=<%{orig_user}> method=%m rip=%r lip=%l mpid=%e %c

##
## 10-mail.conf
## Mailbox settings and mail handling.
##

# Home directories for virtual users, where Dovecot can save user-specific
# files. Home directory shouldn't be the same as mail directory with mbox
# or Maildir formats (but with dbox/obox it's fine).
# Here the home is one level above the mail directory set below.
mail_home = {{ mail.user.home }}/%d/%n

# Location for users' mailboxes. The default is empty, which means that Dovecot
# tries to find the mailboxes automatically. This won't work if the user
# doesn't yet have any mail, so you should explicitly tell Dovecot the full
# location.
#
# If you're using mbox, giving a path to the INBOX file (eg. /var/mail/%u)
# isn't enough. You'll also need to tell Dovecot where the other mailboxes are
# kept. This is called the "root mail directory", and it must be the first
# path given in the mail_location setting.
#
# There are a few special variables you can use, eg.:
#
#   %u - username
#   %n - user part in user@domain, same as %u if there's no domain
#   %d - domain part in user@domain, empty if there's no domain
#   %h - home directory
#
# See doc/wiki/Variables.txt for full list.
#
# Maildir, one tree per domain/user, with the filesystem layout
# (LAYOUT=fs) instead of Maildir++ dotted folder names.
mail_location = maildir:{{ mail.user.home }}/%d/%n/mail:LAYOUT=fs

# System user and group used to access mails. If you use multiple,
# userdb can override these by returning uid or gid fields. You can
# use either numbers or names.
# All mail is owned by the single dedicated virtual mail user.
mail_uid = {{ mail.user.name }}
mail_gid = {{ mail.user.name }}

# Use the dedicated virtual mail user to restrict the temporary
# privileged operations.
# NOTE(review): Dovecot only uses this group for a few privileged
# operations (mbox dotlocks and the like); with the Maildir location
# above it is presumably unused - harmless, but confirm it is intended.
mail_privileged_group = {{ mail.user.name }}

# Only allow Dovecot to use the dedicated virtual mail user: any uid/gid
# outside this single-value range is refused, which limits the damage
# if a userdb ever returned a different uid.
# NOTE(review): the gid range reuses the user's numeric uid, i.e. it
# assumes the mail user's primary group has the same numeric id as the
# user. If that is not the case on the host, mail_gid above would
# resolve to a gid outside the permitted range - confirm.
first_valid_uid = {{ mail.user.id }}
last_valid_uid = {{ mail.user.id }}
first_valid_gid = {{ mail.user.id }}
last_valid_gid = {{ mail.user.id }}

# Mailbox list indexes can be used to optimize IMAP STATUS commands.
# They are also required for IMAP NOTIFY extension to be enabled.
mailbox_list_index = yes

# Setting this to yes assumes Dovecot is the only MUA accessing Maildir:
# the cur/ directory is then scanned only when its mtime changes
# unexpectedly or when the mail can't be found otherwise.
# Left at the default (no) here.
maildir_very_dirty_syncs = no

# If enabled, Dovecot doesn't use the S= in the Maildir filenames
# for getting the mail's physical size, except when recalculating
# Maildir++ quota. This can be useful in systems where a lot of the
# Maildir filenames have a broken size. The performance hit for
# enabling this is very small.
#maildir_broken_filename_sizes = no

# If you need to set multiple mailbox locations or want to change default
# namespace settings, you can do it by defining namespace sections.
#
namespace inbox {
  # There can be only one INBOX, and this setting defines which namespace
  # has it.
  inbox = yes

  # 15-mailboxes.conf
  # Mailbox definitions
  #
  # Each mailbox is specified in a separate mailbox section. The
  # section name specifies the mailbox name. If it has spaces, you can
  # put the name "in quotes". These sections can contain the following
  # mailbox settings:
  #
  # auto:
  #   Indicates whether the mailbox with this name is automatically
  #   created implicitly when it is first accessed. The user can also
  #   be automatically subscribed to the mailbox after creation. The
  #   following values are defined for this setting:
  #
  #     no        - Never created automatically.
  #     create    - Automatically created, but no automatic subscription.
  #     subscribe - Automatically created and subscribed.
  #
  # special_use:
  #   A space-separated list of SPECIAL-USE flags (RFC 6154) to use for
  #   the mailbox. There are no validity checks, so you could specify
  #   anything you want in here, but it's not a good idea to use flags
  #   other than the standard ones specified in the RFC:
  #
  #     \All      - This (virtual) mailbox presents all messages in the
  #                 user's message store.
  #     \Archive  - This mailbox is used to archive messages.
  #     \Drafts   - This mailbox is used to hold draft messages.
  #     \Flagged  - This (virtual) mailbox presents all messages in the
  #                 user's message store marked with the IMAP \Flagged
  #                 flag.
  #     \Junk     - This mailbox is where messages deemed to be junk
  #                 mail are held.
  #     \Sent     - This mailbox is used to hold copies of messages that
  #                 have been sent.
  #     \Trash    - This mailbox is used to hold messages that have been
  #                 deleted.
  #
  # comment:
  #   Defines a default comment or note associated with the mailbox.
  #   This value is accessible through the IMAP METADATA mailbox entries
  #   "/shared/comment" and "/private/comment". Users with sufficient
  #   privileges can override the default value for entries with a custom
  #   value.
  #
  # The five standard folders below are all created and subscribed on
  # first access, so every client sees the same layout.
  mailbox Drafts {
    special_use = \Drafts
    # Automatically created and subscribed.
    auto = subscribe
  }
  mailbox Junk {
    special_use = \Junk
    auto = subscribe
  }
  mailbox Trash {
    special_use = \Trash
    auto = subscribe
  }
  mailbox Sent {
    special_use = \Sent
    auto = subscribe
  }
  mailbox Archive {
    special_use = \Archive
    auto = subscribe
  }

  # If you have a virtual "All messages" mailbox:
  #mailbox virtual/All {
  #  special_use = \All
  #  comment = All my messages
  #}

  # If you have a virtual "Flagged" mailbox:
  #mailbox virtual/Flagged {
  #  special_use = \Flagged
  #  comment = All my flagged messages
  #}
}

##
## 10-master.conf
##

service imap-login {
  inet_listener imap {
    # Disable non-SSL IMAP! port = 0 turns the listener off entirely,
    # so there is no port-143/STARTTLS path at all - only implicit TLS
    # on the imaps listener below.
    port = 0
  }
  inet_listener imaps {
    # The stock defaults for this listener apply: port 993 with TLS.
    #port = 993
    #ssl = yes
  }
}

service auth {
  # This userdb socket is typically used by dovecot-lda, doveadm,
  # possibly imap process, etc. Users that have full permissions to
  # this socket are able to get a list of all usernames and get the
  # results of everyone's userdb lookups.
  #
  # The default 0666 mode allows anyone to connect to the socket, but
  # the userdb lookups will succeed only if the userdb returns an "uid"
  # field that matches the caller process's UID. Also if caller's uid
  # or gid matches the socket's uid or gid the lookup succeeds.
  # Anything else causes a failure.
  #
  # Tightened here from the stock 0666 to 0600, owned by the virtual
  # mail user, so only processes running as that user can connect and
  # enumerate users (presumably the local delivery/doveadm path - confirm
  # nothing else on the host needs this socket).
  unix_listener auth-userdb {
    mode = 0600
    user = {{ mail.user.name }}
    group = {{ mail.user.name }}
  }

  # Postfix smtp-auth
  # SASL socket exposed inside the Postfix chroot; 0660 postfix:postfix
  # keeps it reachable by Postfix only.
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}

##
## 10-ssl.conf
##

# SSL/TLS support: yes, no, required.
# NOTE: If only plaintext auth mechanisms are enabled (e.g., "plain",
# "login"), "ssl=yes" and "ssl=required" are equivalent.
# Together with disable_plaintext_auth = yes and the disabled port-143
# listener above, credentials are only ever accepted inside a TLS
# session.
ssl = required

# PEM encoded X.509 SSL/TLS certificate and private key.
# They're opened before dropping root privileges, so the preferred
# permissions are: root:root, 0400.
ssl_cert =