conf.d/10-auth.conf

1. ##
2. ## Authentication processes
3. ##
4.  
5. # Disable LOGIN command and all other plaintext authentications unless
6. # SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
7. # matches the local IP (ie. you're connecting from the same computer), the
8. # connection is considered secure and plaintext authentication is allowed.
9. disable_plaintext_auth = yes
10.  
11. # Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
12. # bsdauth, PAM and vpopmail require cache_key to be set for caching to be used.
13. #auth_cache_size = 0
14. # Time to live for cached data. After TTL expires the cached record is no
15. # longer used, *except* if the main database lookup returns internal failure.
16. # We also try to handle password changes automatically: If user's previous
17. # authentication was successful, but this one wasn't, the cache isn't used.
18. # For now this works only with plaintext authentication.
19. #auth_cache_ttl = 1 hour
20. # TTL for negative hits (user not found, password mismatch).
21. # 0 disables caching them completely.
22. #auth_cache_negative_ttl = 1 hour
23.  
24. # Space separated list of realms for SASL authentication mechanisms that need
25. # them. You can leave it empty if you don't want to support multiple realms.
26. # Many clients simply use the first one listed here, so keep the default realm
27. # first.
28. #auth_realms =
29.  
30. # Default realm/domain to use if none was specified. This is used for both
31. # SASL realms and appending @domain to username in plaintext logins.
32. #auth_default_realm =
33.  
34. # List of allowed characters in username. If the user-given username contains
35. # a character not listed in here, the login automatically fails. This is just
36. # an extra check to make sure user can't exploit any potential quote escaping
37. # vulnerabilities with SQL/LDAP databases. If you want to allow all characters,
38. # set this value to empty.
39. #auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
40.  
41. # Username character translations before it's looked up from databases. The
42. # value contains series of from -> to characters. For example "#@/@" means
43. # that '#' and '/' characters are translated to '@'.
44. #auth_username_translation =
45.  
46. # Username formatting before it's looked up from databases. You can use
47. # the standard variables here, eg. %Lu would lowercase the username, %n would
48. # drop away the domain if it was given, or "%n-AT-%d" would change the '@' into
49. # "-AT-". This translation is done after auth_username_translation changes.
50. #auth_username_format =
51.  
52. # If you want to allow master users to log in by specifying the master
53. # username within the normal username string (ie. not using SASL mechanism's
54. # support for it), you can specify the separator character here. The format
55. # is then <username><separator><master username>. UW-IMAP uses "*" as the
56. # separator, so that could be a good choice.
57. #auth_master_user_separator =
58.  
59. # Username to use for users logging in with ANONYMOUS SASL mechanism
60. #auth_anonymous_username = anonymous
61.  
62. # Maximum number of dovecot-auth worker processes. They're used to execute
63. # blocking passdb and userdb queries (eg. MySQL and PAM). They're
64. # automatically created and destroyed as needed.
65. #auth_worker_max_count = 30
66.  
67. # Host name to use in GSSAPI principal names. The default is to use the
68. # name returned by gethostname(). Use "$ALL" to allow all keytab entries.
69. #auth_gssapi_hostname =
70.  
71. # Kerberos keytab to use for the GSSAPI mechanism. Will use the system
72. # default (usually /etc/krb5.keytab) if not specified.
73. #auth_krb5_keytab =
74.  
75. # Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and
76. # ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt>
77. #auth_use_winbind = no
78.  
79. # Path for Samba's ntlm_auth helper binary.
80. #auth_winbind_helper_path = /usr/bin/ntlm_auth
81.  
82. # Time to delay before replying to failed authentications.
83. #auth_failure_delay = 2 secs
84.  
85. # Require a valid SSL client certificate or the authentication fails.
86. #auth_ssl_require_client_cert = no
87.  
88. # Take the username from client's SSL certificate, using
89. # X509_NAME_get_text_by_NID() which returns the subject's DN's
90. # CommonName.
91. #auth_ssl_username_from_cert = no
92.  
93. # Space separated list of wanted authentication mechanisms:
94. # plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
95. # gss-spnego
96. # NOTE: See also disable_plaintext_auth setting.
97. auth_mechanisms = plain login
98.  
99. ##
100. ## Password and user databases
101. ##
102.  
103. #
104. # Password database is used to verify user's password (and nothing more).
105. # You can have multiple passdbs and userdbs. This is useful if you want to
106. # allow both system users (/etc/passwd) and virtual users to login without
107. # duplicating the system users into virtual database.
108. #
109. # <doc/wiki/PasswordDatabase.txt>
110. #
111. # User database specifies where mails are located and what user/group IDs
112. # own them. For single-UID configuration use "static" userdb.
113. #
114. # <doc/wiki/UserDatabase.txt>
115.  
116. #!include auth-deny.conf.ext
117. #!include auth-master.conf.ext
118.  
119. !include auth-system.conf.ext
120. #!include auth-sql.conf.ext
121. #!include auth-ldap.conf.ext
122. #!include auth-passwdfile.conf.ext
123. #!include auth-checkpassword.conf.ext
124. #!include auth-vpopmail.conf.ext
125. #!include auth-static.conf.ext