Initial commit

##

## Authentication processes

##

# Disable LOGIN command and all other plaintext authentications unless

# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP

# matches the local IP (ie. you're connecting from the same computer), the

# connection is considered secure and plaintext authentication is allowed.

# See also ssl=required setting.

#disable_plaintext_auth = yes

# Authentication cache size (e.g. 10M). 0 means it's disabled. Note that

# bsdauth and PAM require cache_key to be set for caching to be used.

auth_cache_size = 1M

# Time to live for cached data. After TTL expires the cached record is no

# longer used, *except* if the main database lookup returns internal failure.

# We also try to handle password changes automatically: If user's previous

# authentication was successful, but this one wasn't, the cache isn't used.

# For now this works only with plaintext authentication.

auth_cache_ttl = 3600 sec

# TTL for negative hits (user not found, password mismatch).

# 0 disables caching them completely.

auth_cache_negative_ttl = 3600 sec

# Space separated list of realms for SASL authentication mechanisms that need

# them. You can leave it empty if you don't want to support multiple realms.

# Many clients simply use the first one listed here, so keep the default realm

# first.

#auth_realms =

# Default realm/domain to use if none was specified. This is used for both

# SASL realms and appending @domain to username in plaintext logins.

#auth_default_realm = 

# List of allowed characters in username. If the user-given username contains

# a character not listed in here, the login automatically fails. This is just

# an extra check to make sure user can't exploit any potential quote escaping

# vulnerabilities with SQL/LDAP databases. If you want to allow all characters,

# set this value to empty.

#auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@

# Username character translations before it's looked up from databases. The

# value contains series of from -> to characters. For example "#@/@" means

# that '#' and '/' characters are translated to '@'.

#auth_username_translation =

# Username formatting before it'slooked up from databases. You can us

# the standard variables here, eg. %Lu would lowercase the username, %n would

# drop away the domain if it was given, or "%n-AT-%d" would change the '@' into

# "-AT-". This translation is done after auth_username_translation changes.

#auth_username_format = %Lu

# If you want to allow master users to log in by specifying the master

# username within the normal username string (ie. not using SASL mechanism's

# support for it), you can specify the separator character here. The format

# is then <username><separator><master username>. UW-IMAP uses "*" as the

# separator, so that could be a good choice.

#auth_master_user_separator =

# Username to use for users logging in with ANONYMOUS SASL mechanism

#auth_anonymous_username = anonymous

# Maximum number of dovecot-auth worker processes. They're used to execute

# blocking passdb and userdb queries (eg. MySQL and PAM). They're

# automatically created and destroyed as needed.

#auth_worker_max_count = 30

# Host name to use in GSSAPI principal names. The default is to use the

# name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab

# entries.

#auth_gssapi_hostname =

# Kerberos keytab to use for the GSSAPI mechanism. Will use the system

# default (usually /etc/krb5.keytab) if not specified. You may need to change

# the auth service to run as root to be able to read this file.

#auth_krb5_keytab = 

# Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and

# ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt>

#auth_use_winbind = no

# Path for Samba's ntlm_auth helper binary.

#auth_winbind_helper_path = /usr/bin/ntlm_auth

# Time to delay before replying to failed authentications.

#auth_failure_delay = 2 secs

# Require a valid SSL client certificate or the authentication fails.

#auth_ssl_require_client_cert = no

# Take the username from client's SSL certificate, using 

# X509_NAME_get_text_by_NID() which returns the subject's DN's

# CommonName. 

#auth_ssl_username_from_cert = no

# Space separated list of wanted authentication mechanisms:

#   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp

#   gss-spnego

# NOTE: See also disable_plaintext_auth setting.

#auth_mechanisms = plain

##

## Password and user databases

##

#

# Password database is used to verify user's password (and nothing more).

# You can have multiple passdbs and userdbs. This is useful if you want to

# allow both system users (/etc/passwd) and virtual users to login without

# duplicating the system users into virtual database.

#

# <doc/wiki/PasswordDatabase.txt>

#

# User database specifies where mails are located and what user/group IDs

# own them. For single-UID configuration use "static" userdb.

#

# <doc/wiki/UserDatabase.txt>

#!include auth-deny.conf.ext

#!include auth-master.conf.ext

!include auth-system.conf.ext

#!include auth-sql.conf.ext

#!include auth-ldap.conf.ext

#!include auth-passwdfile.conf.ext

#!include auth-checkpassword.conf.ext

#!include auth-static.conf.ext

##

## Authentication processes

##

# Disable LOGIN command and all other plaintext authentications unless

# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP

# matches the local IP (ie. you're connecting from the same computer), the

# connection is considered secure and plaintext authentication is allowed.

# See also ssl=required setting.

# disable_plaintext_auth = yes

# Authentication cache size (e.g. 10M). 0 means it's disabled. Note that

# bsdauth, PAM and vpopmail require cache_key to be set for caching to be used.

auth_cache_size = 1M

# Time to live for cached data. After TTL expires the cached record is no

# longer used, *except* if the main database lookup returns internal failure.

# We also try to handle password changes automatically: If user's previous

# authentication was successful, but this one wasn't, the cache isn't used.

# For now this works only with plaintext authentication.

auth_cache_ttl = 3600 sec

# TTL for negative hits (user not found, password mismatch).

# 0 disables caching them completely.

auth_cache_negative_ttl = 3600 sec

# Space separated list of realms for SASL authentication mechanisms that need

# them. You can leave it empty if you don't want to support multiple realms.

# Many clients simply use the first one listed here, so keep the default realm

# first.

#auth_realms =

# Default realm/domain to use if none was specified. This is used for both

# SASL realms and appending @domain to username in plaintext logins.

#auth_default_realm = 

# List of allowed characters in username. If the user-given username contains

# a character not listed in here, the login automatically fails. This is just

# an extra check to make sure user can't exploit any potential quote escaping

# vulnerabilities with SQL/LDAP databases. If you want to allow all characters,

# set this value to empty.

#auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@

# Username character translations before it's looked up from databases. The

# value contains series of from -> to characters. For example "#@/@" means

# that '#' and '/' characters are translated to '@'.

#auth_username_translation =

# Username formatting before it's looked up from databases. You can use

# the standard variables here, eg. %Lu would lowercase the username, %n would

# drop away the domain if it was given, or "%n-AT-%d" would change the '@' into

# "-AT-". This translation is done after auth_username_translation changes.

#auth_username_format = %Lu

# If you want to allow master users to log in by specifying the master

# username within the normal username string (ie. not using SASL mechanism's

# support for it), you can specify the separator character here. The format

# is then <username><separator><master username>. UW-IMAP uses "*" as the

# separator, so that could be a good choice.

#auth_master_user_separator =

# Username to use for users logging in with ANONYMOUS SASL mechanism

#auth_anonymous_username = anonymous

# Maximum number of dovecot-auth worker processes. They're used to execute

# blocking passdb and userdb queries (eg. MySQL and PAM). They're

# automatically created and destroyed as needed.

#auth_worker_max_count = 30

# Host name to use in GSSAPI principal names. The default is to use the

# name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab

# entries.

#auth_gssapi_hostname =

# Kerberos keytab to use for the GSSAPI mechanism. Will use the system

# default (usually /etc/krb5.keytab) if not specified. You may need to change

# the auth service to run as root to be able to read this file.

#auth_krb5_keytab = 

# Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and

# ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt>

#auth_use_winbind = no

# Path for Samba's ntlm_auth helper binary.

#auth_winbind_helper_path = /usr/bin/ntlm_auth

# Time to delay before replying to failed authentications.

#auth_failure_delay = 2 secs

# Require a valid SSL client certificate or the authentication fails.

#auth_ssl_require_client_cert = no

# Take the username from client's SSL certificate, using 

# X509_NAME_get_text_by_NID() which returns the subject's DN's

# CommonName. 

#auth_ssl_username_from_cert = no

# Space separated list of wanted authentication mechanisms:

#   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey

#   gss-spnego

# NOTE: See also disable_plaintext_auth setting.

#auth_mechanisms = login cram-md5

##

## Password and user databases

##

#

# Password database is used to verify user's password (and nothing more).

# You can have multiple passdbs and userdbs. This is useful if you want to

# allow both system users (/etc/passwd) and virtual users to login without

# duplicating the system users into virtual database.

#

# <doc/wiki/PasswordDatabase.txt>

#

# User database specifies where mails are located and what user/group IDs

# own them. For single-UID configuration use "static" userdb.

#

# <doc/wiki/UserDatabase.txt>

#!include auth-deny.conf.ext

#!include auth-master.conf.ext

!include auth-system.conf.ext

#!include auth-sql.conf.ext

#!include auth-ldap.conf.ext

#!include auth-passwdfile.conf.ext

#!include auth-checkpassword.conf.ext

#!include auth-vpopmail.conf.ext

#!include auth-static.conf.ext

##

## Director-specific settings.

##

# Director can be used by Dovecot proxy to keep a temporary user -> mail server

# mapping. As long as user has simultaneous connections, the user is always

# redirected to the same server. Each proxy server is running its own director

# process, and the directors are communicating the state to each others.

# Directors are mainly useful with NFS-like setups.

# List of IPs or hostnames to all director servers, including ourself.

# Ports can be specified as ip:port. The default port is the same as

# what director service's inet_listener is using.

#director_servers = 

# List of IPs or hostnames to all backend mail servers. Ranges are allowed

# too, like 10.0.0.10-10.0.0.30.

#director_mail_servers = 

# How long to redirect users to a specific server after it no longer has

# any connections.

#director_user_expire = 15 min

# How the username is translated before being hashed. Useful values include

# %Ln if user can log in with or without @domain, %Ld if mailboxes are shared

# within domain.

#director_username_hash = %Lu

# To enable director service, uncomment the modes and assign a port.

service director {

  unix_listener login/director {

    #mode = 0666

  }

  fifo_listener login/proxy-notify {

    #mode = 0666

  }

  unix_listener director-userdb {

    #mode = 0600

  }

  inet_listener {

    #port = 

  }

}

# Enable director for the wanted login services by telling them to

# connect to director socket instead of the default login socket:

service imap-login {

  #executable = imap-login director

}

service pop3-login {

  #executable = pop3-login director

}

service submission-login {

  #executable = submission-login director

}

# Enable director for LMTP proxying:

protocol lmtp {

  #auth_socket_path = director-userdb

}

##

## Log destination.

##

# Log file to use for error messages. "syslog" logs to syslog,

# /dev/stderr logs to stderr.

#log_path = syslog

# Log file to use for informational messages. Defaults to log_path.

#info_log_path = 

# Log file to use for debug messages. Defaults to info_log_path.

#debug_log_path = 

# Syslog facility to use if you're logging to syslog. Usually if you don't

# want to use "mail", you'll use local0..local7. Also other standard

# facilities are supported.

#syslog_facility = mail

##

## Logging verbosity and debugging.

##

# Log filter is a space-separated list conditions. If any of the conditions

# match, the log filter matches (i.e. they're ORed together). Parenthesis

# are supported if multiple conditions need to be matched together.

#

# See https://doc.dovecot.org/configuration_manual/event_filter/ for details.

#

# For example: event=http_request_* AND category=error AND category=storage

#

# Filter to specify what debug logging to enable. This will eventually replace

# mail_debug and auth_debug settings.

#log_debug = 

# Crash after logging a matching event. For example category=error will crash

# any time an error is logged, which can be useful for debugging.

#log_core_filter = 

# Log unsuccessful authentication attempts and the reasons why they failed.

#auth_verbose = no

# In case of password mismatches, log the attempted password. Valid values are

# no, plain and sha1. sha1 can be useful for detecting brute force password

# attempts vs. user simply trying the same password over and over again.

# You can also truncate the value to n chars by appending ":n" (e.g. sha1:6).

#auth_verbose_passwords = no

# Even more verbose logging for debugging purposes. Shows for example SQL

# queries.

#auth_debug = no

# In case of password mismatches, log the passwords and used scheme so the

# problem can be debugged. Enabling this also enables auth_debug.

#auth_debug_passwords = no

# Enable mail process debugging. This can help you figure out why Dovecot

# isn't finding your mails.

#mail_debug = no

# Show protocol level SSL errors.

#verbose_ssl = no

# mail_log plugin provides more event logging for mail processes.

plugin {

  # Events to log. Also available: flag_change append

  #mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename

  # Available fields: uid, box, msgid, from, subject, size, vsize, flags

  # size and vsize are available only for expunge and copy events.

  #mail_log_fields = uid box msgid size

}

##

## Log formatting.

##

# Prefix for each line written to log file. % codes are in strftime(3)

# format.

#log_timestamp = "%b %d %H:%M:%S "

# Space-separated list of elements we want to log. The elements which have

# a non-empty variable value are joined together to form a comma-separated

# string.

#login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c

# Login log format. %s contains login_log_format_elements string, %$ contains

# the data we want to log.

#login_log_format = %$: %s

# Log prefix for mail processes. See doc/wiki/Variables.txt for list of

# possible variables you can use.

#mail_log_prefix = "%s(%u)<%{pid}><%{session}>: "

# Format to use for logging mail deliveries:

#  %$ - Delivery status message (e.g. "saved to INBOX")

#  %m / %{msgid} - Message-ID

#  %s / %{subject} - Subject

#  %f / %{from} - From address

#  %p / %{size} - Physical size

#  %w / %{vsize} - Virtual size

#  %e / %{from_envelope} - MAIL FROM envelope

#  %{to_envelope} - RCPT TO envelope

#  %{delivery_time} - How many milliseconds it took to deliver the mail

#  %{session_time} - How long LMTP session took, not including delivery_time

#  %{storage_id} - Backend-specific ID for mail, e.g. Maildir filename

#deliver_log_format = msgid=%m: %$