CONFIG

1. /etc/dovecot/conf.d/10-auth
2.  
3. ##
4. ## Authentication processes
5. ##
6.  
7. # Disable LOGIN command and all other plaintext authentications unless
8. # SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
9. # matches the local IP (ie. you're connecting from the same computer), the
10. # connection is considered secure and plaintext authentication is allowed.
11. #disable_plaintext_auth = yes
12.  
13. # Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
14. # bsdauth, PAM and vpopmail require cache_key to be set for caching to be used.
15. #auth_cache_size = 0
16. # Time to live for cached data. After TTL expires the cached record is no
17. # longer used, *except* if the main database lookup returns internal failure.
18. # We also try to handle password changes automatically: If user's previous
19. # authentication was successful, but this one wasn't, the cache isn't used.
20. # For now this works only with plaintext authentication.
21. #auth_cache_ttl = 1 hour
22. # TTL for negative hits (user not found, password mismatch).
23. # 0 disables caching them completely.
24. #auth_cache_negative_ttl = 1 hour
25.  
26. # Space separated list of realms for SASL authentication mechanisms that need
27. # them. You can leave it empty if you don't want to support multiple realms.
28. # Many clients simply use the first one listed here, so keep the default realm
29. # first.
30. #auth_realms =
31.  
32. # Default realm/domain to use if none was specified. This is used for both
33. # SASL realms and appending @domain to username in plaintext logins.
34. #auth_default_realm =
35.  
36. # List of allowed characters in username. If the user-given username contains
37. # a character not listed in here, the login automatically fails. This is just
38. # an extra check to make sure user can't exploit any potential quote escaping
39. # vulnerabilities with SQL/LDAP databases. If you want to allow all characters,
40. # set this value to empty.
41. #auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
42.  
43. # Username character translations before it's looked up from databases. The
44. # value contains series of from -> to characters. For example "#@/@" means
45. # that '#' and '/' characters are translated to '@'.
46. #auth_username_translation =
47.  
48. # Username formatting before it's looked up from databases. You can use
49. # the standard variables here, eg. %Lu would lowercase the username, %n would
50. # drop away the domain if it was given, or "%n-AT-%d" would change the '@' into
51. # "-AT-". This translation is done after auth_username_translation changes.
52. #auth_username_format = %Lu
53.  
54. # If you want to allow master users to log in by specifying the master
55. # username within the normal username string (ie. not using SASL mechanism's
56. # support for it), you can specify the separator character here. The format
57. # is then <username><separator><master username>. UW-IMAP uses "*" as the
58. # separator, so that could be a good choice.
59. #auth_master_user_separator =
60.  
61. # Username to use for users logging in with ANONYMOUS SASL mechanism
62. #auth_anonymous_username = anonymous
63.  
64. # Maximum number of dovecot-auth worker processes. They're used to execute
65. # blocking passdb and userdb queries (eg. MySQL and PAM). They're
66. # automatically created and destroyed as needed.
67. #auth_worker_max_count = 30
68.  
69. # Host name to use in GSSAPI principal names. The default is to use the
70. # name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab
71. # entries.
72. #auth_gssapi_hostname =
73.  
74. # Kerberos keytab to use for the GSSAPI mechanism. Will use the system
75. # default (usually /etc/krb5.keytab) if not specified. You may need to change
76. # the auth service to run as root to be able to read this file.
77. #auth_krb5_keytab =
78.  
79. # Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and
80. # ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt>
81. #auth_use_winbind = no
82.  
83. # Path for Samba's ntlm_auth helper binary.
84. #auth_winbind_helper_path = /usr/bin/ntlm_auth
85.  
86. # Time to delay before replying to failed authentications.
87. #auth_failure_delay = 2 secs
88.  
89. # Require a valid SSL client certificate or the authentication fails.
90. #auth_ssl_require_client_cert = no
91.  
92. # Take the username from client's SSL certificate, using
93. # X509_NAME_get_text_by_NID() which returns the subject's DN's
94. # CommonName.
95. #auth_ssl_username_from_cert = no
96.  
97. # Space separated list of wanted authentication mechanisms:
98. # plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
99. # gss-spnego
100. # NOTE: See also disable_plaintext_auth setting.
101. auth_mechanisms = plain login
102.  
103. ##
104. ## Password and user databases
105. ##
106.  
107. #
108. # Password database is used to verify user's password (and nothing more).
109. # You can have multiple passdbs and userdbs. This is useful if you want to
110. # allow both system users (/etc/passwd) and virtual users to login without
111. # duplicating the system users into virtual database.
112. #
113. # <doc/wiki/PasswordDatabase.txt>
114. #
115. # User database specifies where mails are located and what user/group IDs
116. # own them. For single-UID configuration use "static" userdb.
117. #
118. # <doc/wiki/UserDatabase.txt>
119.  
120. #!include auth-deny.conf.ext
121. #!include auth-master.conf.ext
122.  
123. #!include auth-system.conf.ext
124. !include auth-sql.conf.ext
125. #!include auth-ldap.conf.ext
126. #!include auth-passwdfile.conf.ext
127. #!include auth-checkpassword.conf.ext
128. #!include auth-vpopmail.conf.ext
129. #!include auth-static.conf.ext
130.  
131.  
132.  
133. # DOPLNENO
134.  
135. mail_location = maildir:/home/mail/%d/%n/Maildir
136. mail_uid = vmail
137. mail_gid = vmail
138. first_valid_uid = 999
139. last_valid_uid = 999
140. first_valid_gid = 999
141. last_valid_gid = 999
142. auth_socket_path = /var/run/dovecot/auth-userdb
143. maildir_copy_with_hardlinks = yes
144. mbox_write_locks = fcntl
145.  
146.  
147.  
148.  
149.  
150.  
151.  
152.  
153.  
154. /etc/dovecot/auth.d/10-master
155.  
156. #default_process_limit = 100
157. #default_client_limit = 1000
158.  
159. # Default VSZ (virtual memory size) limit for service processes. This is mainly
160. # intended to catch and kill processes that leak memory before they eat up
161. # everything.
162. #default_vsz_limit = 256M
163.  
164. # Login user is internally used by login processes. This is the most untrusted
165. # user in Dovecot system. It shouldn't have access to anything at all.
166. #default_login_user = dovenull
167.  
168. # Internal user is used by unprivileged processes. It should be separate from
169. # login user, so that login processes can't disturb other processes.
170. #default_internal_user = dovecot
171.  
172. service imap-login {
173. inet_listener imap {
174. #port = 143
175. }
176. inet_listener imaps {
177. #port = 993
178. #ssl = yes
179. }
180.  
181. # Number of connections to handle before starting a new process. Typically
182. # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
183. # is faster. <doc/wiki/LoginProcess.txt>
184. #service_count = 1
185.  
186. # Number of processes to always keep waiting for more connections.
187. #process_min_avail = 0
188.  
189. # If you set service_count=0, you probably need to grow this.
190. #vsz_limit = $default_vsz_limit
191. }
192.  
193. service pop3-login {
194. inet_listener pop3 {
195. #port = 110
196. }
197. inet_listener pop3s {
198. #port = 995
199. #ssl = yes
200. }
201. }
202.  
203. service lmtp {
204. unix_listener lmtp {
205. #mode = 0666
206. }
207.  
208. # Create inet listener only if you can't use the above UNIX socket
209. #inet_listener lmtp {
210. # Avoid making LMTP visible for the entire internet
211. #address =
212. #port =
213. #}
214. }
215.  
216. service imap {
217. # Most of the memory goes to mmap()ing files. You may need to increase this
218. # limit if you have huge mailboxes.
219. #vsz_limit = $default_vsz_limit
220.  
221. # Max. number of IMAP processes (connections)
222. #process_limit = 1024
223. }
224.  
225. service pop3 {
226. # Max. number of POP3 processes (connections)
227. #process_limit = 1024
228. }
229.  
230. service auth {
231. # auth_socket_path points to this userdb socket by default. It's typically
232. # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have
233. # full permissions to this socket are able to get a list of all usernames and
234. # get the results of everyone's userdb lookups.
235. #
236. # The default 0666 mode allows anyone to connect to the socket, but the
237. # userdb lookups will succeed only if the userdb returns an "uid" field that
238. # matches the caller process's UID. Also if caller's uid or gid matches the
239. # socket's uid or gid the lookup succeeds. Anything else causes a failure.
240. #
241. # To give the caller full permissions to lookup all users, set the mode to
242. # something else than 0666 and Dovecot lets the kernel enforce the
243. # permissions (e.g. 0777 allows everyone full permissions).
244. #unix_listener auth-userdb {
245.  
246. #mode = 0666
247. # user = postfix
248. # group = postfix
249. #}
250.  
251. # Postfix smtp-auth
252. unix_listener /var/spool/postfix/private/auth {
253. mode = 0666
254. user = postfix
255. group = postfix
256. }
257.  
258. # Auth process is run as this user.
259. #user = $default_internal_user
260. }
261.  
262. service auth-worker {
263. # Auth worker process is run as root by default, so that it can access
264. # /etc/shadow. If this isn't necessary, the user should be changed to
265. # $default_internal_user.
266. #user = root
267. }
268.  
269. service dict {
270. # If dict proxy is used, mail processes should have access to its socket.
271. # For example: mode=0660, group=vmail and global mail_access_groups=vmail
272. unix_listener dict {
273. #mode = 0600
274. #user =
275. #group =
276. }
277. }
278.  
279.  
280.  
281.  
282.  
283. /etc/dovecot/main.cf
284.  
285.  
286. ## Dovecot configuration file
287.  
288. # If you're in a hurry, see http://wiki2.dovecot.org/QuickConfiguration
289.  
290. # "doveconf -n" command gives a clean output of the changed settings. Use it
291. # instead of copy&pasting files when posting to the Dovecot mailing list.
292.  
293. # '#' character and everything after it is treated as comments. Extra spaces
294. # and tabs are ignored. If you want to use either of these explicitly, put the
295. # value inside quotes, eg.: key = "# char and trailing whitespace "
296.  
297. # Default values are shown for each setting, it's not required to uncomment
298. # those. These are exceptions to this though: No sections (e.g. namespace {})
299. # or plugin settings are added by default, they're listed only as examples.
300. # Paths are also just examples with the real defaults being based on configure
301. # options. The paths listed here are for configure --prefix=/usr
302. # --sysconfdir=/etc --localstatedir=/var
303.  
304. # Enable installed protocols
305. !include_try /usr/share/dovecot/protocols.d/*.protocol
306.  
307. # A comma separated list of IPs or hosts where to listen in for connections.
308. # "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.
309. # If you want to specify non-default ports or anything more complex,
310. # edit conf.d/master.conf.
311. #listen = *, ::
312.  
313. # Base directory where to store runtime data.
314. #base_dir = /var/run/dovecot/
315.  
316. # Name of this instance. In multi-instance setup doveadm and other commands
317. # can use -i <instance_name> to select which instance is used (an alternative
318. # to -c <config_path>). The instance name is also added to Dovecot processes
319. # in ps output.
320. #instance_name = dovecot
321.  
322. # Greeting message for clients.
323. #login_greeting = Dovecot ready.
324.  
325. # Space separated list of trusted network ranges. Connections from these
326. # IPs are allowed to override their IP addresses and ports (for logging and
327. # for authentication checks). disable_plaintext_auth is also ignored for
328. # these networks. Typically you'd specify your IMAP proxy servers here.
329. #login_trusted_networks =
330.  
331. # Sepace separated list of login access check sockets (e.g. tcpwrap)
332. #login_access_sockets =
333.  
334. # With proxy_maybe=yes if proxy destination matches any of these IPs, don't do
335. # proxying. This isn't necessary normally, but may be useful if the destination
336. # IP is e.g. a load balancer's IP.
337. #auth_proxy_self =
338.  
339. # Show more verbose process titles (in ps). Currently shows user name and
340. # IP address. Useful for seeing who are actually using the IMAP processes
341. # (eg. shared mailboxes or if same uid is used for multiple accounts).
342. #verbose_proctitle = no
343.  
344. # Should all processes be killed when Dovecot master process shuts down.
345. # Setting this to "no" means that Dovecot can be upgraded without
346. # forcing existing client connections to close (although that could also be
347. # a problem if the upgrade is e.g. because of a security fix).
348. #shutdown_clients = yes
349.  
350. # If non-zero, run mail commands via this many connections to doveadm server,
351. # instead of running them directly in the same process.
352. #doveadm_worker_count = 0
353. # UNIX socket or host:port used for connecting to doveadm server
354. #doveadm_socket_path = doveadm-server
355.  
356. # Space separated list of environment variables that are preserved on Dovecot
357. # startup and passed down to all of its child processes. You can also give
358. # key=value pairs to always set specific settings.
359. #import_environment = TZ
360.  
361. ##
362. ## Dictionary server settings
363. ##
364.  
365. # Dictionary can be used to store key=value lists. This is used by several
366. # plugins. The dictionary can be accessed either directly or though a
367. # dictionary server. The following dict block maps dictionary names to URIs
368. # when the server is used. These can then be referenced using URIs in format
369. # "proxy::<name>".
370.  
371. dict {
372. #quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
373. #expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
374. }
375.  
376. # Most of the actual configuration gets included below. The filenames are
377. # first sorted by their ASCII value and parsed in that order. The 00-prefixes
378. # in filenames are intended to make it easier to understand the ordering.
379. !include conf.d/*.conf
380.  
381. # A config file can also tried to be included without giving an error if
382. # it's not found:
383. #!include_try local.conf
384.  
385.  
386.  
387.  
388. /etc/postfix/main.cf
389.  
390. # See /usr/share/postfix/main.cf.dist for a commented, more complete version
391.  
392.  
393. # Debian specific: Specifying a file name will cause the first
394. # line of that file to be used as the name. The Debian default
395. # is /etc/mailname.
396. #myorigin = /etc/mailname
397.  
398. smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
399. biff = no
400.  
401. # appending .domain is the MUA's job.
402. append_dot_mydomain = no
403.  
404. # Uncomment the next line to generate "delayed mail" warnings
405. #delay_warning_time = 4h
406.  
407. readme_directory = no
408.  
409. # TLS parameters
410. smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
411. smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
412. smtpd_use_tls=yes
413. smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
414. smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
415.  
416. # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
417. # information on enabling SSL in the smtp client.
418.  
419. myhostname = srv.domena.cz
420. alias_maps = hash:/etc/aliases
421. alias_database = hash:/etc/aliases
422. myorigin = /etc/mailname
423. mydestination = domena.cz, srv.domena.cz, localhost
424. relayhost =
425. mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
426. mailbox_command = procmail -a "$EXTENSION"
427. mailbox_size_limit = 0
428. recipient_delimiter = +
429. inet_interfaces = all
430. inet_protocols = all
431. message_size_limit = 20480000
432.  
433.  
434.  
435.  
436.  
437. # SASL
438.  
439. #smtpd_sasl_auth_enable = yes
440. #smtpd_sasl_security_options = noanonymous
441. #broken_sasl_auth_clients = no
442. #smtpd_sasl_authenticated_header = yes
443.  
444. #smtpd_sasl_auth_enable = yes
445. #smtpd_sasl_type = dovecot
446. #smtpd_sasl_path = private/auth
447. #smtpd_sasl_local_domain = srv.domena.cz
448. #smtpd_sasl_security_options = noanonymous
449. #smtpd_sasl_tls_security_options = noanonymous
450. #smtpd_sasl_authenticated_header = yes
451. #broken_sasl_auth_clients = yes
452.  
453.  
454. # postfixadmin
455.  
456. virtual_uid_maps = static:5000
457. virtual_gid_maps = static:5000
458. virtual_mailbox_base = /home/vmail
459. virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_mailbox_domains.cf
460. virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
461. virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
462. relay_domains = mysql:/etc/postfix/mysql_relay_domains.cf
463. smtpd_recipient_restrictions =
464. permit_mynetworks,
465. permit_sasl_authenticated,
466. reject_non_fqdn_hostname,
467. reject_non_fqdn_sender,
468. reject_non_fqdn_recipient,
469. reject_unauth_destination,
470. reject_unauth_pipelining,
471. reject_invalid_hostname
472. smtpd_sasl_auth_enable = yes
473. smtpd_sasl_security_options = noanonymous
474.  
475. # DOVECOT
476. smtpd_sasl_type = dovecot
477. smtp_sasl_path = private/auth
478. virtual_transport = dovecot
479.  
480.  
481.  
482.  
483. /etc/postfix/master.cf
484.  
485.  
486. #
487. # Postfix master process configuration file. For details on the format
488. # of the file, see the master(5) manual page (command: "man 5 master").
489. #
490. # Do not forget to execute "postfix reload" after editing this file.
491. #
492. # ==========================================================================
493. # service type private unpriv chroot wakeup maxproc command + args
494. # (yes) (yes) (yes) (never) (100)
495. # ==========================================================================
496. smtp inet n - - - - smtpd
497. #smtp inet n - - - 1 postscreen
498. #smtpd pass - - - - - smtpd
499. #dnsblog unix - - - - 0 dnsblog
500. #tlsproxy unix - - - - 0 tlsproxy
501. #submission inet n - - - - smtpd
502. # -o syslog_name=postfix/submission
503. # -o smtpd_tls_security_level=encrypt
504. # -o smtpd_sasl_auth_enable=yes
505. # -o smtpd_client_restrictions=permit_sasl_authenticated,reject
506. # -o milter_macro_daemon_name=ORIGINATING
507. #smtps inet n - - - - smtpd
508. # -o syslog_name=postfix/smtps
509. # -o smtpd_tls_wrappermode=yes
510. # -o smtpd_sasl_auth_enable=yes
511. # -o smtpd_client_restrictions=permit_sasl_authenticated,reject
512. # -o milter_macro_daemon_name=ORIGINATING
513. #628 inet n - - - - qmqpd
514. pickup fifo n - - 60 1 pickup
515. cleanup unix n - - - 0 cleanup
516. qmgr fifo n - n 300 1 qmgr
517. #qmgr fifo n - n 300 1 oqmgr
518. tlsmgr unix - - - 1000? 1 tlsmgr
519. rewrite unix - - - - - trivial-rewrite
520. bounce unix - - - - 0 bounce
521. defer unix - - - - 0 bounce
522. trace unix - - - - 0 bounce
523. verify unix - - - - 1 verify
524. flush unix n - - 1000? 0 flush
525. proxymap unix - - n - - proxymap
526. proxywrite unix - - n - 1 proxymap
527. smtp unix - - - - - smtp
528. relay unix - - - - - smtp
529. # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
530. showq unix n - - - - showq
531. error unix - - - - - error
532. retry unix - - - - - error
533. discard unix - - - - - discard
534. local unix - n n - - local
535. virtual unix - n n - - virtual
536. lmtp unix - - - - - lmtp
537. anvil unix - - - - 1 anvil
538. scache unix - - - - 1 scache
539. #
540. # ====================================================================
541. # Interfaces to non-Postfix software. Be sure to examine the manual
542. # pages of the non-Postfix software to find out what options it wants.
543. #
544. # Many of the following services use the Postfix pipe(8) delivery
545. # agent. See the pipe(8) man page for information about ${recipient}
546. # and other message envelope options.
547. # ====================================================================
548. #
549. # maildrop. See the Postfix MAILDROP_README file for details.
550. # Also specify in main.cf: maildrop_destination_recipient_limit=1
551. #
552. maildrop unix - n n - - pipe
553. flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
554. #
555. # ====================================================================
556. #
557. # Recent Cyrus versions can use the existing "lmtp" master.cf entry.
558. #
559. # Specify in cyrus.conf:
560. # lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
561. #
562. # Specify in main.cf one or more of the following:
563. # mailbox_transport = lmtp:inet:localhost
564. # virtual_transport = lmtp:inet:localhost
565. #
566. # ====================================================================
567. #
568. # Cyrus 2.1.5 (Amos Gouaux)
569. # Also specify in main.cf: cyrus_destination_recipient_limit=1
570. #
571. #cyrus unix - n n - - pipe
572. # user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
573. #
574. # ====================================================================
575. # Old example of delivery via Cyrus.
576. #
577. #old-cyrus unix - n n - - pipe
578. # flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
579. #
580. # ====================================================================
581. #
582. # See the Postfix UUCP_README file for configuration details.
583. #
584. uucp unix - n n - - pipe
585. flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
586. #
587. # Other external delivery methods.
588. #
589. ifmail unix - n n - - pipe
590. flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
591. bsmtp unix - n n - - pipe
592. flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
593. scalemail-backend unix - n n - 2 pipe
594. flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
595. mailman unix - n n - - pipe
596. flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
597. ${nexthop} ${user}
598.  
599. # DOVECOT CFG
600.  
601. dovecot unix - n n - - pipe
602. flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${nexthop} -m ${extension}