Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- /etc/dovecot/conf.d/10-auth
- ##
- ## Authentication processes
- ##
- # Disable LOGIN command and all other plaintext authentications unless
- # SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
- # matches the local IP (ie. you're connecting from the same computer), the
- # connection is considered secure and plaintext authentication is allowed.
- #disable_plaintext_auth = yes
- # Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
- # bsdauth, PAM and vpopmail require cache_key to be set for caching to be used.
- #auth_cache_size = 0
- # Time to live for cached data. After TTL expires the cached record is no
- # longer used, *except* if the main database lookup returns internal failure.
- # We also try to handle password changes automatically: If user's previous
- # authentication was successful, but this one wasn't, the cache isn't used.
- # For now this works only with plaintext authentication.
- #auth_cache_ttl = 1 hour
- # TTL for negative hits (user not found, password mismatch).
- # 0 disables caching them completely.
- #auth_cache_negative_ttl = 1 hour
- # Space separated list of realms for SASL authentication mechanisms that need
- # them. You can leave it empty if you don't want to support multiple realms.
- # Many clients simply use the first one listed here, so keep the default realm
- # first.
- #auth_realms =
- # Default realm/domain to use if none was specified. This is used for both
- # SASL realms and appending @domain to username in plaintext logins.
- #auth_default_realm =
- # List of allowed characters in username. If the user-given username contains
- # a character not listed in here, the login automatically fails. This is just
- # an extra check to make sure user can't exploit any potential quote escaping
- # vulnerabilities with SQL/LDAP databases. If you want to allow all characters,
- # set this value to empty.
- #auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
- # Username character translations before it's looked up from databases. The
- # value contains series of from -> to characters. For example "#@/@" means
- # that '#' and '/' characters are translated to '@'.
- #auth_username_translation =
- # Username formatting before it's looked up from databases. You can use
- # the standard variables here, eg. %Lu would lowercase the username, %n would
- # drop away the domain if it was given, or "%n-AT-%d" would change the '@' into
- # "-AT-". This translation is done after auth_username_translation changes.
- #auth_username_format = %Lu
- # If you want to allow master users to log in by specifying the master
- # username within the normal username string (ie. not using SASL mechanism's
- # support for it), you can specify the separator character here. The format
- # is then <username><separator><master username>. UW-IMAP uses "*" as the
- # separator, so that could be a good choice.
- #auth_master_user_separator =
- # Username to use for users logging in with ANONYMOUS SASL mechanism
- #auth_anonymous_username = anonymous
- # Maximum number of dovecot-auth worker processes. They're used to execute
- # blocking passdb and userdb queries (eg. MySQL and PAM). They're
- # automatically created and destroyed as needed.
- #auth_worker_max_count = 30
- # Host name to use in GSSAPI principal names. The default is to use the
- # name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab
- # entries.
- #auth_gssapi_hostname =
- # Kerberos keytab to use for the GSSAPI mechanism. Will use the system
- # default (usually /etc/krb5.keytab) if not specified. You may need to change
- # the auth service to run as root to be able to read this file.
- #auth_krb5_keytab =
- # Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and
- # ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt>
- #auth_use_winbind = no
- # Path for Samba's ntlm_auth helper binary.
- #auth_winbind_helper_path = /usr/bin/ntlm_auth
- # Time to delay before replying to failed authentications.
- #auth_failure_delay = 2 secs
- # Require a valid SSL client certificate or the authentication fails.
- #auth_ssl_require_client_cert = no
- # Take the username from client's SSL certificate, using
- # X509_NAME_get_text_by_NID() which returns the subject's DN's
- # CommonName.
- #auth_ssl_username_from_cert = no
- # Space separated list of wanted authentication mechanisms:
- # plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
- # gss-spnego
- # NOTE: See also disable_plaintext_auth setting.
- auth_mechanisms = plain login
- ##
- ## Password and user databases
- ##
- #
- # Password database is used to verify user's password (and nothing more).
- # You can have multiple passdbs and userdbs. This is useful if you want to
- # allow both system users (/etc/passwd) and virtual users to login without
- # duplicating the system users into virtual database.
- #
- # <doc/wiki/PasswordDatabase.txt>
- #
- # User database specifies where mails are located and what user/group IDs
- # own them. For single-UID configuration use "static" userdb.
- #
- # <doc/wiki/UserDatabase.txt>
- #!include auth-deny.conf.ext
- #!include auth-master.conf.ext
- #!include auth-system.conf.ext
- !include auth-sql.conf.ext
- #!include auth-ldap.conf.ext
- #!include auth-passwdfile.conf.ext
- #!include auth-checkpassword.conf.ext
- #!include auth-vpopmail.conf.ext
- #!include auth-static.conf.ext
- # DOPLNENO
- mail_location = maildir:/home/mail/%d/%n/Maildir
- mail_uid = vmail
- mail_gid = vmail
- first_valid_uid = 999
- last_valid_uid = 999
- first_valid_gid = 999
- last_valid_gid = 999
- auth_socket_path = /var/run/dovecot/auth-userdb
- maildir_copy_with_hardlinks = yes
- mbox_write_locks = fcntl
- /etc/dovecot/auth.d/10-master
- #default_process_limit = 100
- #default_client_limit = 1000
- # Default VSZ (virtual memory size) limit for service processes. This is mainly
- # intended to catch and kill processes that leak memory before they eat up
- # everything.
- #default_vsz_limit = 256M
- # Login user is internally used by login processes. This is the most untrusted
- # user in Dovecot system. It shouldn't have access to anything at all.
- #default_login_user = dovenull
- # Internal user is used by unprivileged processes. It should be separate from
- # login user, so that login processes can't disturb other processes.
- #default_internal_user = dovecot
- service imap-login {
- inet_listener imap {
- #port = 143
- }
- inet_listener imaps {
- #port = 993
- #ssl = yes
- }
- # Number of connections to handle before starting a new process. Typically
- # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
- # is faster. <doc/wiki/LoginProcess.txt>
- #service_count = 1
- # Number of processes to always keep waiting for more connections.
- #process_min_avail = 0
- # If you set service_count=0, you probably need to grow this.
- #vsz_limit = $default_vsz_limit
- }
- service pop3-login {
- inet_listener pop3 {
- #port = 110
- }
- inet_listener pop3s {
- #port = 995
- #ssl = yes
- }
- }
- service lmtp {
- unix_listener lmtp {
- #mode = 0666
- }
- # Create inet listener only if you can't use the above UNIX socket
- #inet_listener lmtp {
- # Avoid making LMTP visible for the entire internet
- #address =
- #port =
- #}
- }
- service imap {
- # Most of the memory goes to mmap()ing files. You may need to increase this
- # limit if you have huge mailboxes.
- #vsz_limit = $default_vsz_limit
- # Max. number of IMAP processes (connections)
- #process_limit = 1024
- }
- service pop3 {
- # Max. number of POP3 processes (connections)
- #process_limit = 1024
- }
- service auth {
- # auth_socket_path points to this userdb socket by default. It's typically
- # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have
- # full permissions to this socket are able to get a list of all usernames and
- # get the results of everyone's userdb lookups.
- #
- # The default 0666 mode allows anyone to connect to the socket, but the
- # userdb lookups will succeed only if the userdb returns an "uid" field that
- # matches the caller process's UID. Also if caller's uid or gid matches the
- # socket's uid or gid the lookup succeeds. Anything else causes a failure.
- #
- # To give the caller full permissions to lookup all users, set the mode to
- # something else than 0666 and Dovecot lets the kernel enforce the
- # permissions (e.g. 0777 allows everyone full permissions).
- #unix_listener auth-userdb {
- #mode = 0666
- # user = postfix
- # group = postfix
- #}
- # Postfix smtp-auth
- unix_listener /var/spool/postfix/private/auth {
- mode = 0666
- user = postfix
- group = postfix
- }
- # Auth process is run as this user.
- #user = $default_internal_user
- }
- service auth-worker {
- # Auth worker process is run as root by default, so that it can access
- # /etc/shadow. If this isn't necessary, the user should be changed to
- # $default_internal_user.
- #user = root
- }
- service dict {
- # If dict proxy is used, mail processes should have access to its socket.
- # For example: mode=0660, group=vmail and global mail_access_groups=vmail
- unix_listener dict {
- #mode = 0600
- #user =
- #group =
- }
- }
- /etc/dovecot/main.cf
- ## Dovecot configuration file
- # If you're in a hurry, see http://wiki2.dovecot.org/QuickConfiguration
- # "doveconf -n" command gives a clean output of the changed settings. Use it
- # instead of copy&pasting files when posting to the Dovecot mailing list.
- # '#' character and everything after it is treated as comments. Extra spaces
- # and tabs are ignored. If you want to use either of these explicitly, put the
- # value inside quotes, eg.: key = "# char and trailing whitespace "
- # Default values are shown for each setting, it's not required to uncomment
- # those. These are exceptions to this though: No sections (e.g. namespace {})
- # or plugin settings are added by default, they're listed only as examples.
- # Paths are also just examples with the real defaults being based on configure
- # options. The paths listed here are for configure --prefix=/usr
- # --sysconfdir=/etc --localstatedir=/var
- # Enable installed protocols
- !include_try /usr/share/dovecot/protocols.d/*.protocol
- # A comma separated list of IPs or hosts where to listen in for connections.
- # "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.
- # If you want to specify non-default ports or anything more complex,
- # edit conf.d/master.conf.
- #listen = *, ::
- # Base directory where to store runtime data.
- #base_dir = /var/run/dovecot/
- # Name of this instance. In multi-instance setup doveadm and other commands
- # can use -i <instance_name> to select which instance is used (an alternative
- # to -c <config_path>). The instance name is also added to Dovecot processes
- # in ps output.
- #instance_name = dovecot
- # Greeting message for clients.
- #login_greeting = Dovecot ready.
- # Space separated list of trusted network ranges. Connections from these
- # IPs are allowed to override their IP addresses and ports (for logging and
- # for authentication checks). disable_plaintext_auth is also ignored for
- # these networks. Typically you'd specify your IMAP proxy servers here.
- #login_trusted_networks =
- # Sepace separated list of login access check sockets (e.g. tcpwrap)
- #login_access_sockets =
- # With proxy_maybe=yes if proxy destination matches any of these IPs, don't do
- # proxying. This isn't necessary normally, but may be useful if the destination
- # IP is e.g. a load balancer's IP.
- #auth_proxy_self =
- # Show more verbose process titles (in ps). Currently shows user name and
- # IP address. Useful for seeing who are actually using the IMAP processes
- # (eg. shared mailboxes or if same uid is used for multiple accounts).
- #verbose_proctitle = no
- # Should all processes be killed when Dovecot master process shuts down.
- # Setting this to "no" means that Dovecot can be upgraded without
- # forcing existing client connections to close (although that could also be
- # a problem if the upgrade is e.g. because of a security fix).
- #shutdown_clients = yes
- # If non-zero, run mail commands via this many connections to doveadm server,
- # instead of running them directly in the same process.
- #doveadm_worker_count = 0
- # UNIX socket or host:port used for connecting to doveadm server
- #doveadm_socket_path = doveadm-server
- # Space separated list of environment variables that are preserved on Dovecot
- # startup and passed down to all of its child processes. You can also give
- # key=value pairs to always set specific settings.
- #import_environment = TZ
- ##
- ## Dictionary server settings
- ##
- # Dictionary can be used to store key=value lists. This is used by several
- # plugins. The dictionary can be accessed either directly or though a
- # dictionary server. The following dict block maps dictionary names to URIs
- # when the server is used. These can then be referenced using URIs in format
- # "proxy::<name>".
- dict {
- #quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
- #expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
- }
- # Most of the actual configuration gets included below. The filenames are
- # first sorted by their ASCII value and parsed in that order. The 00-prefixes
- # in filenames are intended to make it easier to understand the ordering.
- !include conf.d/*.conf
- # A config file can also tried to be included without giving an error if
- # it's not found:
- #!include_try local.conf
- /etc/postfix/main.cf
- # See /usr/share/postfix/main.cf.dist for a commented, more complete version
- # Debian specific: Specifying a file name will cause the first
- # line of that file to be used as the name. The Debian default
- # is /etc/mailname.
- #myorigin = /etc/mailname
- smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
- biff = no
- # appending .domain is the MUA's job.
- append_dot_mydomain = no
- # Uncomment the next line to generate "delayed mail" warnings
- #delay_warning_time = 4h
- readme_directory = no
- # TLS parameters
- smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
- smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
- smtpd_use_tls=yes
- smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
- smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
- # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
- # information on enabling SSL in the smtp client.
- myhostname = srv.domena.cz
- alias_maps = hash:/etc/aliases
- alias_database = hash:/etc/aliases
- myorigin = /etc/mailname
- mydestination = domena.cz, srv.domena.cz, localhost
- relayhost =
- mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
- mailbox_command = procmail -a "$EXTENSION"
- mailbox_size_limit = 0
- recipient_delimiter = +
- inet_interfaces = all
- inet_protocols = all
- message_size_limit = 20480000
- # SASL
- #smtpd_sasl_auth_enable = yes
- #smtpd_sasl_security_options = noanonymous
- #broken_sasl_auth_clients = no
- #smtpd_sasl_authenticated_header = yes
- #smtpd_sasl_auth_enable = yes
- #smtpd_sasl_type = dovecot
- #smtpd_sasl_path = private/auth
- #smtpd_sasl_local_domain = srv.domena.cz
- #smtpd_sasl_security_options = noanonymous
- #smtpd_sasl_tls_security_options = noanonymous
- #smtpd_sasl_authenticated_header = yes
- #broken_sasl_auth_clients = yes
- # postfixadmin
- virtual_uid_maps = static:5000
- virtual_gid_maps = static:5000
- virtual_mailbox_base = /home/vmail
- virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_mailbox_domains.cf
- virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
- virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
- relay_domains = mysql:/etc/postfix/mysql_relay_domains.cf
- smtpd_recipient_restrictions =
- permit_mynetworks,
- permit_sasl_authenticated,
- reject_non_fqdn_hostname,
- reject_non_fqdn_sender,
- reject_non_fqdn_recipient,
- reject_unauth_destination,
- reject_unauth_pipelining,
- reject_invalid_hostname
- smtpd_sasl_auth_enable = yes
- smtpd_sasl_security_options = noanonymous
- # DOVECOT
- smtpd_sasl_type = dovecot
- smtp_sasl_path = private/auth
- virtual_transport = dovecot
- /etc/postfix/master.cf
- #
- # Postfix master process configuration file. For details on the format
- # of the file, see the master(5) manual page (command: "man 5 master").
- #
- # Do not forget to execute "postfix reload" after editing this file.
- #
- # ==========================================================================
- # service type private unpriv chroot wakeup maxproc command + args
- # (yes) (yes) (yes) (never) (100)
- # ==========================================================================
- smtp inet n - - - - smtpd
- #smtp inet n - - - 1 postscreen
- #smtpd pass - - - - - smtpd
- #dnsblog unix - - - - 0 dnsblog
- #tlsproxy unix - - - - 0 tlsproxy
- #submission inet n - - - - smtpd
- # -o syslog_name=postfix/submission
- # -o smtpd_tls_security_level=encrypt
- # -o smtpd_sasl_auth_enable=yes
- # -o smtpd_client_restrictions=permit_sasl_authenticated,reject
- # -o milter_macro_daemon_name=ORIGINATING
- #smtps inet n - - - - smtpd
- # -o syslog_name=postfix/smtps
- # -o smtpd_tls_wrappermode=yes
- # -o smtpd_sasl_auth_enable=yes
- # -o smtpd_client_restrictions=permit_sasl_authenticated,reject
- # -o milter_macro_daemon_name=ORIGINATING
- #628 inet n - - - - qmqpd
- pickup fifo n - - 60 1 pickup
- cleanup unix n - - - 0 cleanup
- qmgr fifo n - n 300 1 qmgr
- #qmgr fifo n - n 300 1 oqmgr
- tlsmgr unix - - - 1000? 1 tlsmgr
- rewrite unix - - - - - trivial-rewrite
- bounce unix - - - - 0 bounce
- defer unix - - - - 0 bounce
- trace unix - - - - 0 bounce
- verify unix - - - - 1 verify
- flush unix n - - 1000? 0 flush
- proxymap unix - - n - - proxymap
- proxywrite unix - - n - 1 proxymap
- smtp unix - - - - - smtp
- relay unix - - - - - smtp
- # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
- showq unix n - - - - showq
- error unix - - - - - error
- retry unix - - - - - error
- discard unix - - - - - discard
- local unix - n n - - local
- virtual unix - n n - - virtual
- lmtp unix - - - - - lmtp
- anvil unix - - - - 1 anvil
- scache unix - - - - 1 scache
- #
- # ====================================================================
- # Interfaces to non-Postfix software. Be sure to examine the manual
- # pages of the non-Postfix software to find out what options it wants.
- #
- # Many of the following services use the Postfix pipe(8) delivery
- # agent. See the pipe(8) man page for information about ${recipient}
- # and other message envelope options.
- # ====================================================================
- #
- # maildrop. See the Postfix MAILDROP_README file for details.
- # Also specify in main.cf: maildrop_destination_recipient_limit=1
- #
- maildrop unix - n n - - pipe
- flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
- #
- # ====================================================================
- #
- # Recent Cyrus versions can use the existing "lmtp" master.cf entry.
- #
- # Specify in cyrus.conf:
- # lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
- #
- # Specify in main.cf one or more of the following:
- # mailbox_transport = lmtp:inet:localhost
- # virtual_transport = lmtp:inet:localhost
- #
- # ====================================================================
- #
- # Cyrus 2.1.5 (Amos Gouaux)
- # Also specify in main.cf: cyrus_destination_recipient_limit=1
- #
- #cyrus unix - n n - - pipe
- # user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
- #
- # ====================================================================
- # Old example of delivery via Cyrus.
- #
- #old-cyrus unix - n n - - pipe
- # flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
- #
- # ====================================================================
- #
- # See the Postfix UUCP_README file for configuration details.
- #
- uucp unix - n n - - pipe
- flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
- #
- # Other external delivery methods.
- #
- ifmail unix - n n - - pipe
- flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
- bsmtp unix - n n - - pipe
- flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
- scalemail-backend unix - n n - 2 pipe
- flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
- mailman unix - n n - - pipe
- flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
- ${nexthop} ${user}
- # DOVECOT CFG
- dovecot unix - n n - - pipe
- flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${nexthop} -m ${extension}
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement