File: //etc/dovecot/dovecot.conf
## Dovecot configuration file
# NOTICE FOR CPANEL SYSTEMS
# On cPanel servers this file is generated by combining a
# template at /var/cpanel/templates/dovecot/main.default
# and a datastore at /var/cpanel/conf/dovecot/main
#
# The template may be customized by making a copy of it at
# /var/cpanel/templates/dovecot/main.local
# similar to the way in which httpd.conf can be customized
#
# Direct edits of the rendered dovecot.conf file will not
# be preserved when dovecot is updated. Use the
# "Mailserver Configuration" interface in WebHostManager instead.
# See https://doc.dovecot.org for config explanations and examples.
# We have removed most commentary from this file if a setting is unused
# for brevity's sake.
##
## GLOBAL settings
##
# NOTE: if dovecot_config_version does not equal the dovecot version,
# pigeonhole won't work and cause dovecot to fail to start.
dovecot_config_version =2.4.2
dovecot_storage_version = 2.3.21
# Protocols we want to be serving: imap pop3 sieve
# If you only want to use dovecot-auth, you can set this to "none".
protocols = lmtp imap pop3 sieve
verbose_proctitle = no
##
## Includes
##
# SSL & SNI hosts
!include_try /etc/dovecot/ssl.conf
!include_try /etc/dovecot/sni.conf
##
## Login processes
##
##
## Mailbox locations and namespaces
##
namespace inbox {
type = private
# Hierarchy separator to use. You should use the same separator for all
# namespaces or some clients get confused. '/' is usually a good one.
# The default however depends on the underlying mail storage format.
separator = .
# Prefix required to access this namespace. This needs to be different for
# all namespaces. For example "Public/".
prefix = INBOX.
# There can be only one INBOX, and this setting defines which namespace
# has it.
inbox = yes
mailbox Drafts {
special_use = \Drafts
auto = subscribe
}
mailbox spam {
special_use = \Junk
auto = subscribe
}
mailbox Trash {
special_use = \Trash
auto = subscribe
quota_ignore = yes
}
mailbox Sent {
special_use = \Sent
auto = subscribe
}
mailbox "Sent Messages" {
special_use = \Sent
auto = no
}
mailbox Archive {
special_use = \Archive
auto = create
}
mailbox "Archives" {
special_use = \Archive
auto = no
}
}
##
## Mail processes
##
# Valid UID range for users, defaults to 500 and above. This is mostly
# to make sure that users can't log in as daemons or other system users.
# Note that denying root logins is hardcoded to dovecot binary and can't
# be done even if first_valid_uid is set to 0.
first_valid_uid = 201
# List of plugins that *specifically need to be initialized* in the global scope.
# Plugins specific to IMAP, LDA, etc. *replace* this list in their own
# configuration scopes on Dovecot 2.4.
mail_plugins {
mail_compress = yes
quota = yes
quota_clone = yes
}
# Set various plugin related settings we want globally after.
# Global quota configuration for Dovecot 2.4
# This stuff used to be over in Cpanel/MailAuth/Dovecot.pm, but you can't do
# that anymore per user on dovecot 2.4 other than overriding things like
# quota_driver.
quota Mailbox {
}
quota "cPanel Account" {
driver = fs
}
# Dovecot 2.4.2: quota_clone dict path uses %{userdb:X} format for variable expansion
# Note: Changed from ${userdb:X} to %{userdb:X} syntax for Dovecot 2.4.2 compatibility
# The userdb response can still override this with quota_clone_dict_file_path if needed
quota_clone {
dict file {
path = %{userdb:mail_path}/dovecot-quota
}
}
# You can execute a given command when user exceeds a specified quota limit.
# Each quota root has separate limits. Only the command for the first
# exceeded limit is executed, so put the highest limit first.
# Note that % needs to be escaped as %%, otherwise "% " expands to empty.
# quota_warning = storage=95%% /usr/local/bin/quota-warning.sh 95
# quota_warning2 = storage=80%% /usr/local/bin/quota-warning.sh 80
quota_exceeded_message = "Mailbox is full / Blocks limit exceeded / Inode limit exceeded"
# ACL plugin. vfile backend reads ACLs from "dovecot-acl" file from maildir
# directory. You can also optionally give a global ACL directory path where
# ACLs are applied to all users' mailboxes. The global ACL directory contains
# one file for each mailbox, eg. INBOX or sub.mailbox. cache_secs parameter
# specifies how many seconds to wait between stat()ing dovecot-acl file
# to see if it changed.
acl_driver = vfile
##
## Mailbox handling optimizations
##
# Mailbox list indexes can be used to optimize IMAP STATUS commands. They are
# also required for IMAP NOTIFY extension to be enabled.
mailbox_list_index = yes
# When IDLE command is running, mailbox is checked once in a while to see if
# there are any new mails or other changes. This setting defines the minimum
# time to wait between those checks. Dovecot can also use inotify and
# kqueue to find out immediately when changes occur.
mailbox_idle_check_interval = 30 secs
# Max number of mails to keep open and prefetch to memory. This only works with
# some mailbox formats and/or operating systems.
mail_prefetch_count = 20
protocol !indexer-worker {
}
##
## Maildir-specific settings
##
# When copying a message, do it with hard links whenever possible. This makes
# the performance much better, and it's unlikely to have any side effects.
maildir_copy_with_hardlinks = yes
# Assume Dovecot is the only MUA accessing Maildir: Scan cur/ directory only
# when its mtime changes unexpectedly or when we can't find the mail otherwise.
maildir_very_dirty_syncs = yes
# If enabled, Dovecot doesn't use the S=<size> in the Maildir filenames for
# getting the mail's physical size, except when recalculating Maildir++ quota.
# This can be useful in systems where a lot of the Maildir filenames have a
# broken size. The performance hit for enabling this is very small.
maildir_broken_filename_sizes = yes
##
## mdbox-specific settings
##
# Maximum dbox file size until it's rotated.
mdbox_rotate_size = 10M
# Maximum dbox file age until it's rotated. Typically in days. Day begins
# from midnight, so 1d = today, 2d = yesterday, etc. 0 = check disabled.
# Defined but not truthy, thus 0.
mdbox_rotate_interval = 0
##
## IMAP specific settings
##
protocol imap {
# If nothing happens for this long while client is IDLEing, move the connection
# to imap-hibernate process and close the old imap process. This saves memory,
# because connections use very little memory in imap-hibernate process. The
# downside is that recreating the imap process back uses some resources.
imap_hibernate_timeout = 30s
# Maximum number of IMAP connections allowed for a user from each IP address.
# NOTE: The username is compared case-sensitively.
mail_max_userip_connections = 20
# Sadly, defining mail_plugins *overwrites* the global setting in this scope.
# It is not an "append only" operation. Thus if you want anything other than
# the globals, you need to specify what globals you want as well, making the
# global set seem somewhat wasteful but for the fact that not doing this
# usually leads to a broken config, as some plugins need to be *initialized*
# in the global scope first to work properly.
mail_plugins = acl quota imap_quota mail_compress virtual
# IMAP logout format string:
# %{input} - total number of bytes read from client
# %{output} - total number of bytes sent to client
# %{fetch_hdr_count} - Number of mails with mail header data sent to client
# %{fetch_hdr_bytes} - Number of bytes with mail header data sent to client
# %{fetch_body_count} - Number of mails with mail body data sent to client
# %{fetch_body_bytes} - Number of bytes with mail body data sent to client
# %{deleted} - Number of mails where client added \Deleted flag
# %{expunged} - Number of mails that client expunged, which does not
# include automatically expunged mails
# %{autoexpunged} - Number of mails that were automatically expunged after
# client disconnected
# %{trashed} - Number of mails that client copied/moved to the
# special_use=\Trash mailbox.
# %{appended} - Number of mails saved during the session
imap_logout_format = in=%{input}, out=%{output}, bytes=%{input}/%{output}
# How many seconds to wait between "OK Still here" notifications when
# client is IDLEing.
imap_idle_notify_interval = 24 min
namespace spam {
prefix = spam
separator = .
mail_driver = virtual
mail_path = /usr/local/cpanel/etc/dovecot/virtual/spam
mail_cache_path = ~/mail/virtual/%{user}/spam
list = no
hidden = yes
}
namespace sent {
prefix = sent
separator = .
mail_driver = virtual
mail_path = /usr/local/cpanel/etc/dovecot/virtual/sent
mail_cache_path = ~/mail/virtual/%{user}/sent
list = no
hidden = yes
}
}
##
## POP3 specific settings
##
protocol pop3 {
# cPanel used to set this in config to UID%v-%u, but the UI never exposed
# this to users to change it. As such, on dovecot 2.4 we just hardcode it
# to the 2.4 version of what our default used to be, as it isn't actually
# configurable in a meaningful way to users apart from custom templates
# anyways. See https://doc.dovecot.org/2.4.1/core/config/pop3.html#uidl-format
# for the latest var names for this if you do intend to customize it.
pop3_uidl_format = UID%{uid}-%{uidvalidity}
# POP3 logout format string:
# %{input} - total number of bytes read from client
# %{output} - total number of bytes sent to client
# %{top_count} - number of TOP commands
# %{top_bytes} - number of bytes sent to client as a result of TOP command
# %{retr_count} - number of RETR commands
# %{retr_bytes} - number of bytes sent to client as a result of RETR command
# %{deleted_count} - number of deleted messages
# %{deleted_bytes} - number of bytes in deleted messages
# %{message_count} - number of messages (before deletion)
# %{message_bytes} - mailbox size in bytes (before deletion)
# %{uidl_change} - old/new UIDL hash. may help finding out if UIDLs changed unexpectedly
pop3_logout_format = top=%{top_count}/%{top_bytes}, retr=%{retr_count}/%{retr_bytes}, del=%{deleted_count}/%{deleted_bytes}, size=%{message_bytes}, bytes=%{input}/%{output}
# Maximum number of POP3 connections allowed for a user from each IP address.
# NOTE: The username is compared case-sensitively.
mail_max_userip_connections = 3
mail_plugins = quota virtual mail_compress
namespace spam {
prefix = spam
separator = .
mail_driver = virtual
mail_path = /usr/local/cpanel/etc/dovecot/virtual/spam
mail_cache_path = ~/mail/virtual/%{user}/spam
list = no
hidden = yes
}
namespace sent {
prefix = sent
separator = .
mail_driver = virtual
mail_path = /usr/local/cpanel/etc/dovecot/virtual/sent
mail_cache_path = ~/mail/virtual/%{user}/sent
list = no
hidden = yes
}
}
##
## LMTP specific settings
##
protocol lmtp {
quota_full_tempfail = no
mail_plugins {
quota = yes
mail_compress = yes
sieve = yes
}
}
lmtp_save_to_detail_mailbox = yes
lmtp_user_concurrency_limit = 4
recipient_delimiter = +
# Verify quota before replying to RCPT TO. This adds a small overhead.
lmtp_rcpt_check_quota = yes
##
## LDA specific settings
##
protocol lda {
quota_full_tempfail = no
mail_plugins {
quota = yes
mail_compress = yes
sieve = yes
}
}
# Should saving a mail to a nonexistent mailbox automatically create it?
lda_mailbox_autocreate = yes
##
## Sieve specific settings
##
protocol sieve {
}
##
## Authentication processes
##
# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
# matches the local IP (ie. you're connecting from the same computer), the
# connection is considered secure and plaintext authentication is allowed.
# See also ssl=required setting.
# Note: disable_plaintext_auth replaced by auth_allow_cleartext in Dovecot 2.4.1
auth_allow_cleartext = no
# Allow weak authentication schemes such as MD5.
# When set to "no", only secure password hashing will be permitted.
# See https://doc.dovecot.org/main/core/config/auth/schemes.html
# for more information.
auth_allow_weak_schemes = yes
# Auth cache settings
# Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
# bsdauth, PAM and vpopmail require cache_key to be set for caching to be used.
auth_cache_size = 1M
# Time to live for cached data. After TTL expires the cached record is no
# longer used, *except* if the main database lookup returns internal failure.
# We also try to handle password changes automatically: If user's previous
# authentication was successful, but this one wasn't, the cache isn't used.
# For now this works only with plaintext authentication.
auth_cache_ttl = 3600 sec
# TTL for negative hits (user not found, password mismatch).
# 0 disables caching them completely.
auth_cache_negative_ttl = 3600 sec
# List of allowed characters in username. If the user-given username contains
# a character not listed in here, the login automatically fails. This is just
# an extra check to make sure user can't exploit any potential quote escaping
# vulnerabilities with SQL/LDAP databases. If you want to allow all characters,
# set this value to empty.
#Allow + in usernames
auth_username_chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!#$-=?^_{}~./@+%"
# Space separated list of wanted authentication mechanisms:
# plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
# gss-spnego
# NOTE: See also auth_allow_cleartext setting.
auth_mechanisms = plain login
auth_policy_server_url = http://127.0.0.1:579/dovecot-auth-policy
http_client_request_timeout = 3000s
auth_policy_hash_mech = sha512
auth_policy_request_attributes {
auth_database=mail
database=mail
service=dovecot
username=%{original_user}
authtoken_hash=$0$0$%{hashed_password}
local_host=%{real_local_ip}
local_port=%{real_local_port}
remote_host=%{real_remote_ip}
remote_port=%{real_remote_port}
}
auth_policy_reject_on_fail = no
auth_policy_hash_truncate = 64
auth_policy_hash_nonce = "dummmy"
# auth_policy_hash_nonce and auth_policy_server_api_header
!include_try /etc/dovecot/auth_policy.conf
##
## Password and user databases
##
passdb cpauthd {
driver = lua
lua_file = /usr/local/cpanel/etc/dovecot/cpauthd.lua
lua_settings {
socket = /usr/local/cpanel/var/cpdoveauthd.sock
}
result_internalfail = continue
result_failure = return-fail
}
userdb cpauthd {
driver = lua
lua_file = /usr/local/cpanel/etc/dovecot/cpauthd.lua
lua_settings {
socket = /usr/local/cpanel/var/cpdoveauthd.sock
}
}
##
## Logging verbosity and debugging.
##
##
## Log formatting.
##
##
## Services
##
service config {
vsz_limit = 2048 M
}
service quota-status {
executable = quota-status -p postfix
unix_listener quota-status {
path = quota-status
mode = 0666
}
}
service auth {
unix_listener auth-client {
# auth-legacy Required for exim on Dovecot 2.4
type = auth-legacy
path = auth-client
mode = 0666
}
}
service stats {
unix_listener stats-writer {
mode = 0666
}
}
mail_access_groups = dovecot
service dict {
unix_listener dict {
mode = 0660
group = dovecot
}
}
service lmtp {
# Set max. process size in megabytes. Most of the memory goes to mmap()ing
# files, so it shouldn't harm much even if this limit is set pretty high.
vsz_limit = 512 M
#We always want this. Otherwise one connection could block another
#connection that shares the same process.
client_limit = 1
process_limit = 500
unix_listener lmtp {
user = mailnull
group = mail
mode = 0660
}
}
service imap-login {
# Maximum number of connections allowed per each login process. This setting
# is used only if login_process_per_connection=no. Once the limit is reached,
# the process notifies master so that it can create a new login process.
client_limit = 500
# Maximum number of login processes to create. The listening process count
# usually stays at login_processes_count, but when multiple users start logging
# in at the same time more extra processes are created. To prevent fork-bombing
# we check only once in a second if new processes should be created - if all
# of them are used at the time, we double their amount until the limit set by
# this setting is reached.
process_limit = 50
# Number of login processes to keep for listening new connections.
process_min_avail = 2
# Should each login be processed in its own process (yes), or should one
# login process be allowed to process multiple connections (no)? Yes is more
# secure, espcially with SSL/TLS enabled. No is faster since there's no need
# to create processes all the time.
service_restart_request_count = unlimited
# Set max. process size in megabytes. If you don't use
# login_process_per_connection you might need to grow this.
vsz_limit = 128 M
# IP or host address where to listen in for non-SSL connections. Defaults
# to above if not specified.
listen = *,::
# IP or host address where to listen in for SSL connections. Defaults
# to above if not specified.
listen = *,::
}
service imap {
# Maximum number of running mail processes. When this limit is reached,
# new users aren't allowed to log in.
process_limit = 512
# Set max. process size in megabytes. Most of the memory goes to mmap()ing
# files, so it shouldn't harm much even if this limit is set pretty high.
vsz_limit = 512 M
unix_listener imap-master {
user = dovecot
}
extra_groups = dovecot
}
service imap-hibernate {
unix_listener imap-hibernate {
mode = 0660
group = dovecot
}
}
service managesieve-login {
# Maximum number of connections allowed per each login process. This setting
# is used only if login_process_per_connection=no. Once the limit is reached,
# the process notifies master so that it can create a new login process.
client_limit = 500
# Maximum number of login processes to create. The listening process count
# usually stays at login_processes_count, but when multiple users start logging
# in at the same time more extra processes are created. To prevent fork-bombing
# we check only once in a second if new processes should be created - if all
# of them are used at the time, we double their amount until the limit set by
# this setting is reached.
process_limit = 50
# Number of login processes to keep for listening new connections.
process_min_avail = 2
# Should each login be processed in its own process (yes), or should one
# login process be allowed to process multiple connections (no)? Yes is more
# secure, espcially with SSL/TLS enabled. No is faster since there's no need
# to create processes all the time.
service_restart_request_count = unlimited
# Set max. process size in megabytes. If you don't use
# login_process_per_connection you might need to grow this.
vsz_limit = 128 M
listen = *,::
inet_listener sieve {
port = 4190
}
}
service managesieve {
# Maximum number of running mail processes. When this limit is reached,
# new users aren't allowed to log in.
process_limit = 512
# Set max. process size in megabytes. Most of the memory goes to mmap()ing
# files, so it shouldn't harm much even if this limit is set pretty high.
vsz_limit = 512 M
}
service pop3-login {
# Maximum number of connections allowed per each login process. This setting
# is used only if login_process_per_connection=no. Once the limit is reached,
# the process notifies master so that it can create a new login process.
client_limit = 500
# Maximum number of login processes to create. The listening process count
# usually stays at login_processes_count, but when multiple users start logging
# in at the same time more extra processes are created. To prevent fork-bombing
# we check only once in a second if new processes should be created - if all
# of them are used at the time, we double their amount until the limit set by
# this setting is reached.
process_limit = 50
# Number of login processes to keep for listening new connections.
process_min_avail = 2
# Should each login be processed in its own process (yes), or should one
# login process be allowed to process multiple connections (no)? Yes is more
# secure, espcially with SSL/TLS enabled. No is faster since there's no need
# to create processes all the time.
service_restart_request_count = unlimited
# Set max. process size in megabytes. If you don't use
# login_process_per_connection you might need to grow this.
vsz_limit = 128 M
# IP or host address where to listen in for non-SSL connections. Defaults
# to above if not specified.
listen = *,::
# IP or host address where to listen in for SSL connections. Defaults
# to above if not specified.
listen = *,::
}
service pop3 {
# Maximum number of running mail processes. When this limit is reached,
# new users aren't allowed to log in.
process_limit = 512
# Set max. process size in megabytes. Most of the memory goes to mmap()ing
# files, so it shouldn't harm much even if this limit is set pretty high.
vsz_limit = 512 M
}
# Setup doveadm
service doveadm {
unix_listener doveadm-server {
user = dovecot
}
}