Provided by: kolab-cyrus-common_2.2.12-7_i386


       imapd.conf - IMAP configuration file


       /etc/imapd.conf  is  the  configuration file for the Cyrus IMAP server.
       It defines local parameters for IMAP.

       Each line of the /etc/imapd.conf file has the form

              option: value

       where option is the name of the  configuration  option  being  set  and
       value is the value that the configuration option is being set to.

       Blank lines and lines beginning with ‘‘#’’ are ignored.

       For  boolean and enumerated options, the values ‘‘yes’’, ‘‘on’’, ‘‘t’’,
       ‘‘true’’ and ‘‘1’’ turn the option  on,  the  values  ‘‘no’’,  ‘‘off’’,
       ‘‘f’’, ‘‘false’’ and ‘‘0’’ turn the option off.
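
       The file format and boolean spellings described above, applied in an
       added example (not code from the Cyrus distribution) that audits a
       configuration for security-relevant options documented further down
       this page.  The sample file is constructed; treating surrounding
       whitespace as insignificant, matching booleans case-insensitively and
       letting the last setting win are assumptions of the example.

```python
# Added example (not from the Cyrus distribution): audit imapd.conf text.
TRUE_VALUES = {"yes", "on", "t", "true", "1"}
FALSE_VALUES = {"no", "off", "f", "false", "0"}

# Defaults copied from this page for the options the audit inspects.
DEFAULTS = {
    "allowplaintext": "1", "allowanonymouslogin": "0", "loginuseacl": "0",
    "skiplist_unsafe": "0", "sasl_minimum_layer": "0", "proxyservers": "",
    "ldap_start_tls": "0", "ldap_tls_check_peer": "0",
}

# Constructed sample file, not taken from a real deployment.
SAMPLE = """\
# front-end test box
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
admins: cyrusadmin
allowplaintext: yes
proxyservers: murderproxy
ldap_uri: ldaps://ldap.example.org/
ldap_start_tls: on
ldap_password: CHANGEME
"""


def parse_imapd_conf(text):
    """Parse 'option: value' lines; blank lines and '#' lines are ignored."""
    options = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()  # assumption: surrounding whitespace is not significant
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")  # split at the first colon only
        if not sep or not name.strip():
            raise ValueError(f"line {lineno}: expected 'option: value'")
        options[name.strip()] = value.strip()  # assumption: last setting wins
    return options


def as_bool(value):
    """Map the on/off spellings listed on this page to True/False."""
    v = value.lower()  # assumption: spellings are matched case-insensitively
    if v in TRUE_VALUES:
        return True
    if v in FALSE_VALUES:
        return False
    raise ValueError(f"not a boolean value: {value!r}")


def audit(options):
    """Return (option, reason) pairs for settings that deserve review."""
    eff = {**DEFAULTS, **options}  # explicit settings override page defaults
    findings = []
    reasons = {
        "allowplaintext": "cleartext passwords are allowed on the wire",
        "allowanonymouslogin": 'user "anonymous" may log in with any password',
        "loginuseacl": "identities with rights on an INBOX may log in as its owner",
        "skiplist_unsafe": "skiplist writes are not synced to disk",
    }
    for name, reason in reasons.items():
        if as_bool(eff[name]):
            findings.append((name, reason))
    ssf = int(eff["sasl_minimum_layer"])
    if ssf == 0:
        findings.append(("sasl_minimum_layer", "no integrity protection or encryption required"))
    elif ssf == 1:
        findings.append(("sasl_minimum_layer", "integrity protection only, no encryption required"))
    if eff["proxyservers"].split():
        findings.append(("proxyservers", "listed users may log in as any other user"))
    uri = eff.get("ldap_uri", "")
    if uri:  # LDAP checks only matter when the LDAP PTS module has a server
        if as_bool(eff["ldap_start_tls"]) and "ldaps:" in uri:
            findings.append(("ldap_start_tls", "StartTLS combined with an ldaps: URI"))
        if not as_bool(eff["ldap_tls_check_peer"]):
            findings.append(("ldap_tls_check_peer", "LDAP server certificate is not verified"))
        elif "ldap_tls_cacert_file" not in eff and "ldap_tls_cacert_dir" not in eff:
            findings.append(("ldap_tls_check_peer", "no CA file or directory configured"))
    for name in sorted(options):
        if name.endswith("_password") and options[name]:
            findings.append((name, "credential stored in the file; check its permissions"))
    return findings


if __name__ == "__main__":
    for name, reason in audit(parse_imapd_conf(SAMPLE)):
        print(f"{name}: {reason}")
```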


       The   sections   below  detail  options  that  can  be  placed  in  the
       /etc/imapd.conf file, and show each option’s default value.  Some
       options have no default value; these are listed with ‘‘<no default>’’.
       Some options default to the empty string; these are listed with

       admins: <empty string>
            The  list  of  userids  with administrative rights.  Separate each
            userid with a space.  Sites using Kerberos authentication may  use
            separate "admin" instances.

       Note  that  accounts  used  by  users  should  not  be  administrators.
       Administrative accounts should not receive  mail.   That  is,  if  user
       "jbRo"  is  a  user  reading  mail, he should not also be in the admins
       line.  Some problems may occur otherwise, most notably the  ability  of
       administrators  to create top-level mailboxes visible to users, but not
       writable by users.

       afspts_localrealms: <none>
            The list of realms which are to be  treated  as  local,  and  thus
            stripped during identifier canonicalization (for the AFSPTS
            ptloader module).  This is different from loginrealms in that it
            occurs later in the authorization process (as the user id is
            canonified for PTS lookup).

       afspts_mycell: <none>
            Cell to use for AFS PTS lookups.  Defaults to the local cell.

       allowallsubscribe: 0
            Allow subscription  to  nonexistent  mailboxes.   This  option  is
            typically  used  on  backend servers in a Murder so that users can
            subscribe to mailboxes that don’t reside on their  "home"  server.
            This  option  can  also  be  used as a workaround for IMAP clients
            which don’t play well with nonexistent or  unselectable  mailboxes
            (eg.  Microsoft Outlook).

       allowanonymouslogin: 0
            Permit  logins  by  the user "anonymous" using any password.  Also
            allows use of the SASL ANONYMOUS mechanism.

       allowapop: 1
            Allow use of the POP3 APOP authentication command.

       Note that this  command  requires  that  SASL  is  compiled  with  APOP
       support,  that  the plaintext passwords are available in a SASL auxprop
       backend (eg. sasldb), and that the system can  provide  enough  entropy
       (eg. from /dev/urandom) to create a challenge in the banner.

       allownewnews: 0
            Allow use of the NNTP NEWNEWS command.

       Note  that  this is a very expensive command and should only be enabled
       when absolutely necessary.

       allowplaintext: 1
            Allow the use of cleartext passwords on the wire.

       allowusermoves: 0
            Allow moving user accounts (with associated meta-data) via  RENAME
            or XFER.

       Note  that  measures  should  be taken to make sure that the user being
       moved is not logged in, and can not login during the move.  Failure  to
       do  so  may  result in the user’s meta-data (seen state, subscriptions,
       etc) being corrupted or out of date.

       altnamespace: 0
            Use the alternate IMAP namespace, where personal folders reside at
            the same level in the hierarchy as INBOX.

       This  option  ONLY  applies  where  interaction  takes  place  with the
       client/user.  Currently this is limited to the  IMAP  protocol  (imapd)
       and  Sieve  scripts (lmtpd).  This option does NOT apply to admin tools
       such as cyradm (admins ONLY), reconstruct, quota,  etc.,  NOR  does  it
       affect  LMTP  delivery  of  messages  directly  to  mailboxes via plus-

       annotation_db: skiplist
            The cyrusdb backend to use for mailbox annotations.

            Allowed values: berkeley, skiplist

       autocreatequota: 0
            If nonzero, normal users may create their  own  IMAP  accounts  by
            creating  the mailbox INBOX.  The user’s quota is set to the value
            if it is positive, otherwise the user has unlimited quota.

       berkeley_cachesize: 512
            Size (in kilobytes) of the shared memory buffer pool (cache)  used
            by  the  berkeley  environment.   The minimum allowed value is 20.
            The maximum allowed value is 4194303 (4GB).

       berkeley_locks_max: 50000
            Maximum number of locks to be held or requested  in  the  berkeley

       berkeley_txns_max: 100
            Maximum  number  of  transactions  to be supported in the berkeley

       client_timeout: 10
            Number of seconds to wait before returning a timeout failure  when
            performing a client connection (e.g. in a murder environment).

       configdirectory: <none>
            The  pathname  of the IMAP configuration directory.  This field is

       debug_command: <none>
            Debug command to be used by processes started with -D option.  The
            string  is a C format string that gets 3 options: the first is the
            name of the executable (without path).   The  second  is  the  pid
            (integer)   and   the   third   is   the   service  ID.   Example:
            /usr/local/bin/gdb /usr/cyrus/bin/%s %d

       defaultacl: anyone lrs
            The Access Control List (ACL) placed on a newly-created (non-user)
            mailbox that does not have a parent mailbox.

       defaultdomain: <none>
            The  default  domain  for  virtual  domain support. Note that this
            domain is stripped from the email-address transmitted using  LMTP,
            but   it  is  not  stripped  from  usernames  at  login-time.  For
            imapd/pop3d, "user" and "user@defaultdomain" specify two different
            users.  Please check install-virtdomains.html for details.

       defaultpartition: default
            The partition name used by default for new mailboxes.

       deleteright: c
            The right that a user needs to delete a mailbox.

       dracinterval: 0
            If  nonzero,  enables the use of DRAC (Dynamic Relay Authorization
            Control) by the pop3d and imapd daemons.  Also sets  the  interval
            (in  minutes)  between  re-authorization  requests  made by imapd.
            Default is 0; a sensible value when enabling it is 5.

       drachost: localhost
            Hostname of the RPC dracd server. Default: localhost

       duplicate_db: berkeley-nosync
            The cyrusdb backend to use for the duplicate delivery  suppression
            and sieve.

            Allowed values: berkeley, berkeley-nosync, skiplist

       duplicatesuppression: 1
            If enabled, lmtpd will suppress delivery of a message to a mailbox
            if a message with the same message-id  (or  resent-message-id)  is
            recorded as having already been delivered to the mailbox.  Records
            the mailbox and  message-id/resent-message-id  of  all  successful

       foolstupidclients: 0
            If  enabled,  only  list the personal namespace when a LIST "*" is
            performed.  (It changes the request to a LIST "INBOX*".)

       force_sasl_client_mech: <none>
            Force preference  of  a  given  SASL  mechanism  for  client  side
            operations (e.g. murder environments).  This is separate from (and
            overridden by) the ability to use the <host shortname>_mechs
            option to set preferred mechanisms for a specific host.

       fulldirhash: 0
            If enabled, uses an improved directory hashing scheme which hashes
            the entire username instead of using just the first letter.   This
            changes  hash algorithm used for quota and user directories and if
            hashimapspool is enabled, the entire mail spool.

       Note that this option can NOT be changed on a live system.  The  server
       must  be  quiesced  and  then  the  directories  moved  with the rehash

       hashimapspool: 0
            If enabled, the partitions will also be hashed, in addition to the
            hashing done on configuration directories.  This is recommended if
            one partition has a very bushy mailbox tree.

       hostname_mechs: <none>
            Force a particular list of SASL mechanisms to be used when
            authenticating  to  the backend server hostname (where hostname is
            the short hostname of the  server  in  question).  If  it  is  not
            specified  it  will  query the server for available mechanisms and
            pick one to use. - Cyrus Murder

       hostname_password: <none>
            The password to use  for  authentication  to  the  backend  server
            hostname  (where  hostname  is the short hostname of the server) -
            Cyrus Murder

       idlesocket: {configdirectory}/socket/idle
            Unix domain socket that idled listens on.

       ignorereference: 0
            For backwards compatibility  with  Cyrus  1.5.10  and  earlier  --
            ignore the reference argument in LIST or LSUB commands.

       imapidlepoll: 60
            The  interval  (in  seconds)  for  polling the mailbox for changes
            while running the IDLE command.  This option is  used  when  idled
            can  not  be  contacted  or when polling is used exclusively.  The
            minimum value is 1.  A  value  of  0  will  disable  polling  (and
            disable IDLE if polling is the only method available).

       imapidresponse: 1
            If  enabled, the server responds to an ID command with a parameter
            list containing: version,  vendor,  support-url,  os,  os-version,
            command,  arguments,  environment.   Otherwise  the server returns

       imapmagicplus: 0
            Only list  a  restricted  set  of  mailboxes  via  IMAP  by  using
            userid+namespace  syntax  as  the authentication/authorization id.
            Using userid+ (with an empty namespace) will list only  subscribed

       implicit_owner_rights: lca
            The implicit Access Control List (ACL) for the owner of a mailbox.

       @include: <none>
            Directive which  includes  the  specified  file  as  part  of  the
            configuration.    If  the  path  to  the  file  is  not  absolute,
            CYRUS_PATH is prepended.

       ldap_authz: <none>
            SASL authorization ID for the LDAP server

       ldap_base: <empty string>
            Contains the LDAP base dn for the LDAP ptloader module

       ldap_bind_dn: <none>
            Bind DN for the connection to the LDAP server (simple  bind).   Do
            not use for anonymous simple binds

       ldap_deref: never
            Specify how aliases dereferencing is handled during search.

            Allowed values: search, find, always, never

       ldap_filter: (uid=%u)
            Specify  a  filter  that searches user identifiers.  The following
            tokens can be used in the filter string:

            %%   = %
            %u   = user
            %U   = user portion of %u (%U = test when %u = test@domain.tld)
            %d   = domain portion of %u if available (%d = domain.tld when
                   %u = test@domain.tld), otherwise same as %r
            %D   = user dn.  (use when ldap_member_method: filter)
            %1-9 = domain tokens (%1 = tld, %2 = domain when %d = domain.tld)

            ldap_filter is not used when ldap_sasl is enabled.
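
            The token table above, worked through in an added example (not
            the ptloader's own code).  Treating %r as the realm, escaping
            substituted values per RFC 4515 so that filter metacharacters in
            a userid match literally, and expanding a missing %1-9 label to
            the empty string are assumptions of the example.

```python
# Added example: expand ldap_filter tokens, escaping every substituted value.

def escape_filter_value(value):
    """Escape characters that are special inside an LDAP filter (RFC 4515)."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch
        for ch in value
    )


def expand_filter(template, userid, user_dn="", realm=""):
    """Expand %%, %u, %U, %d, %r, %D and %1-9 in an ldap_filter template."""
    user, _, domain = userid.partition("@")
    domain = domain or realm                 # %d: "otherwise same as %r"
    # %1 is the rightmost label (tld), %2 the one before it, and so on.
    labels = domain.split(".")[::-1] if domain else []
    values = {
        "%": "%",
        "u": escape_filter_value(userid),
        "U": escape_filter_value(user),
        "d": escape_filter_value(domain),
        "r": escape_filter_value(realm),     # assumption: %r is the realm
        "D": escape_filter_value(user_dn),
    }
    out = []
    i = 0
    while i < len(template):
        ch = template[i]
        if ch != "%":
            out.append(ch)
            i += 1
            continue
        key = template[i + 1:i + 2]
        if key in values:
            out.append(values[key])
        elif key and key in "123456789":
            n = int(key)
            out.append(escape_filter_value(labels[n - 1]) if n <= len(labels) else "")
        else:
            raise ValueError("unknown or incomplete token %" + key)
        i += 2
    return "".join(out)


if __name__ == "__main__":
    print(expand_filter("(uid=%u)", "test@domain.tld"))
    print(expand_filter("(&(uid=%U)(associatedDomain=%2.%1))", "test@domain.tld"))
    print(expand_filter("(uid=%U)", "te*st@domain.tld"))
```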

       ldap_group_base: <empty string>
            LDAP base dn for ldap_group_filter.

       ldap_group_filter: (cn=%u)
            Specify  a  filter  that  searches  for  group  identifiers.   See
            ldap_filter for more options.

       ldap_group_scope: sub
            Specify search scope for ldap_group_filter.

            Allowed values: sub, one, base

       ldap_id: <none>
            SASL authentication ID for the LDAP server

       ldap_mech: <none>
            SASL mechanism for LDAP authentication

       ldap_member_attribute: <none>
            See ldap_member_method.

       ldap_member_base: <empty string>
            LDAP base dn for ldap_member_filter.

       ldap_member_filter: (member=%D)
            Specify   a   filter   for   "ldap_member_method:   filter".   See
            ldap_filter for more options.

       ldap_member_method: attribute
            Specify a group method.  The "attribute" method  retrieves  groups
            from a multi-valued attribute specified in ldap_member_attribute.
            The "filter" method uses a  filter,  ldap_member_filter,  to  find
            groups;  ldap_member_attribute  is  a single-value attribute group

            Allowed values: attribute, filter

       ldap_member_scope: sub
            Specify search scope for ldap_member_filter.

            Allowed values: sub, one, base

       ldap_password: <none>
            Password for the connection to the LDAP server  (SASL  and  simple
            bind).  Do not use for anonymous simple binds

       ldap_realm: <none>
            SASL realm for LDAP authentication

       ldap_referrals: 0
            Specify whether or not the client should follow referrals.

       ldap_restart: 1
            Specify  whether  or  not  LDAP  I/O  operations are automatically
            restarted if they abort prematurely.

       ldap_sasl: 1
            Use SASL for LDAP binds in the LDAP PTS module.

       ldap_sasl_authc: <none>
            Deprecated.  Use ldap_id

       ldap_sasl_authz: <none>
            Deprecated.  Use ldap_authz

       ldap_sasl_mech: <none>
            Deprecated.  Use ldap_mech

       ldap_sasl_password: <none>
            Deprecated.  Use ldap_password

       ldap_sasl_realm: <none>
            Deprecated.  Use ldap_realm

       ldap_scope: sub
            Specify search scope.

            Allowed values: sub, one, base

       ldap_servers: ldap://localhost/
            Deprecated.  Use ldap_uri

       ldap_size_limit: 1
            Specify a number of entries for a search request to return.

       ldap_start_tls: 0
            Use StartTLS extended operation.  Do not use ldaps: ldap_uri  when
            this option is enabled.

       ldap_time_limit: 5
            Specify a number of seconds for a search request to complete.

       ldap_timeout: 5
            Specify a number of seconds a search can take before timing out.

       ldap_tls_cacert_dir: <none>
            Path to directory with CA (Certificate Authority) certificates.

       ldap_tls_cacert_file: <none>
            File containing CA (Certificate Authority) certificate(s).

       ldap_tls_cert: <none>
            File containing the client certificate.

       ldap_tls_check_peer: 0
            Require and verify server certificate.  If this option is yes, you
            must specify ldap_tls_cacert_file or ldap_tls_cacert_dir.

       ldap_tls_ciphers: <none>
            List of SSL/TLS ciphers to allow.  The format  of  the  string  is
            described in ciphers(1).

       ldap_tls_key: <none>
            File containing the private client key.

       ldap_uri: <none>
            Contains a list of the URLs of all the LDAP servers when using the
            LDAP PTS module.

       ldap_version: 3
            Specify the  LDAP  protocol  version.   If  ldap_start_tls  and/or
            ldap_use_sasl are enabled, ldap_version will be automatically set
            to 3.

       lmtp_downcase_rcpt: 0
            If enabled, lmtpd will convert the recipient address to  lowercase
            (up to a ’+’ character, if present).

       lmtp_over_quota_perm_failure: 0
            If  enabled,  lmtpd returns a permanent failure code when a user’s
            mailbox is over quota.  By  default,  the  failure  is  temporary,
            causing the MTA to queue the message and retry later.

       lmtpsocket: {configdirectory}/socket/lmtp
            Unix domain socket that lmtpd listens on, used by deliver(8). This
            should match the path specified in cyrus.conf(5).

       loginrealms: <empty string>
            The list of remote  realms  whose  users  may  authenticate  using
            cross-realm authentication identifiers.  Separate each realm name
            by a space.  (A cross-realm identity is considered any identity
            returned by SASL with an "@" in it.) Note that to support multiple
            virtual domains on the same interface/IP, you need to list them
            all as loginrealms.  If you don’t list them here, your users
            probably won’t be able to log in.

       loginuseacl: 0
            If enabled, any authentication identity which has ’a’ rights on a
            user’s INBOX may log in as that user.

       logtimestamps: 0
            Include  notations  in  the protocol telemetry logs indicating the
            number of seconds since the last command or response.

       mailnotifier: <none>
            Notifyd(8) method to use for "MAIL" notifications.   If  not  set,
            "MAIL" notifications are disabled.

       maxmessagesize: 0
            Maximum  incoming  LMTP  message  size.   If  non-zero, lmtpd will
            reject messages larger than maxmessagesize bytes.  If  set  to  0,
            this will allow messages of any size (the default).

       mboxlist_db: skiplist
            The cyrusdb backend to use for the mailbox list.

            Allowed values: flat, berkeley, skiplist

       munge8bit: 1
            If  enabled,  lmtpd  changes  8-bit  characters  to  ‘X’. Also see
            reject8bit.  (A proper solution to non-ASCII characters in headers
            is offered by RFC 2047 and its predecessors.)

       mupdate_connections_max: 128
            The  max  number of connections that a mupdate process will allow,
            this is related to the number of file descriptors in  the  mupdate
            process.  Beyond this number connections will be immediately issued
            a BYE response.

       mupdate_authname: <none>
            The SASL username (Authentication Name) to use when authenticating
            to the mupdate server (if needed).

       mupdate_password: <none>
            The  SASL  password  (if needed) to use when authenticating to the
            mupdate server.

       mupdate_port: 3905
            The port of the mupdate server for the Cyrus Murder

       mupdate_realm: <none>
            The SASL realm (if needed)  to  use  when  authenticating  to  the
            mupdate server.

       mupdate_retry_delay: 20
            The  base  time  to wait between connection retries to the mupdate

       mupdate_server: <none>
            The mupdate server for the Cyrus Murder

       mupdate_workers_start: 5
            The number of mupdate worker threads to start

       mupdate_workers_minspare: 2
            The minimum number of idle mupdate worker threads

       mupdate_workers_maxspare: 10
            The maximum number of idle mupdate worker threads

       mupdate_workers_max: 50
            The maximum number of mupdate worker threads (overall)

       mupdate_username: <empty string>
            The SASL username (Authorization Name) to use when  authenticating
            to the mupdate server

            If  enabled  at  compile  time, this specifies a URL to reply when
            Netscape asks the server where the mail administration HTTP server
            is.   The  default  is  a site at CMU with a hopefully informative
            message; administrators should set this to a local  resource  with
            some information of greater use.

       newsmaster: news
            Userid  that  is  used for checking access controls when executing
            Usenet control messages.  For instance, to allow  articles  to  be
            automatically deleted by cancel messages, give the "news" user the
            ’d’ right on the desired mailboxes.  To  allow  newsgroups  to  be
            automatically  created,  deleted  and renamed by the corresponding
            control messages, give the  "news"  user  the  ’c’  right  on  the
            desired mailbox hierarchies.

       newspeer: <none>
            A list of whitespace-separated news server specifications to which
            articles should be fed.  Each server specification is a string  of
            the  form  [user[:pass]@]host[:port][/wildmat] where ’host’ is the
            fully qualified hostname of the server,  ’port’  is  the  port  on
            which   the  server  is  listening,  ’user’  and  ’pass’  are  the
            authentication  credentials  and  ’wildmat’  is  a  pattern   that
            specifies  which groups should be fed.  If no ’port’ is specified,
            port 119 is used.  If no ’wildmat’ is specified,  all  groups  are
            fed.   If  ’user’ is specified (even if empty), then the NNTP POST
            command will be used to feed the article to the server,  otherwise
            the IHAVE command will be used.

            A  ’@’  may  be  used  in  place  of ’!’ in the wildmat to prevent
            feeding articles cross-posted to the given group, otherwise cross-
            posted  articles  are fed if any part of the wildmat matches.  For
            example, the string "*,!control.*,@local.*" would
            feed  all  groups  except  control  messages  and  local groups to
            In the case of cross-posting to  local  groups,
            these articles would not be fed.

       newspostuser: <none>
            Userid  used  to  deliver  usenet  articles  to  newsgroup folders
            (usually via lmtp2nntp).  For example, if  set  to  "post",  email
            sent   to   "post+comp.mail.imap"   would   be  delivered  to  the
            "comp.mail.imap" folder.

            When set, the Cyrus NNTP server will add  a  To:  header  to  each
            incoming  usenet  article.   This  To:  header  will contain email
            delivery  addresses  corresponding  to  each  newsgroup   in   the
            Newsgroups:  header.   By  default,  a  To: header is not added to
            usenet articles.

       newsprefix: <none>
            Prefix  to  be  prepended  to  newsgroup   names   to   make   the
            corresponding IMAP mailbox names.

       notifysocket: {configdirectory}/socket/notify
            Unix  domain  socket that the new mail notification daemon listens

       partition-name: <none>
            The pathname of the partition name.  At least one field,  for  the
            partition  named in the defaultpartition option, is required.  For
            example, if the value of the defaultpartition option is default,
            then the partition-default field is required.

       plaintextloginpause: 0
            Number  of  seconds  to  pause after a successful plaintext login.
            For systems that support strong authentication, this permits users
            to  perceive  a cost of using plaintext passwords.  (This does not
            affect the use of PLAIN in SASL authentications.)

       popexpiretime: -1
            The number of days advertised as being the minimum a  message  may
            be  left  on  the  POP  server  before it is deleted (via the CAPA
            command, defined in  the  POP3  Extension  Mechanism,  which  some
            clients may support).  "NEVER", the default, may be specified with
            a negative number.  The Cyrus POP3 server never deletes  mail,  no
            matter  what  the  value of this parameter is.  However, if a site
            implements  a  less  liberal  policy,  it  needs  to  change  this
            parameter accordingly.

       popminpoll: 0
            Set  the  minimum  amount  of time the server forces users to wait
            between successive POP logins, in minutes.

       poptimeout: 10
            Set the length of the POP server’s inactivity autologout timer, in
            minutes.  The minimum value is 10, the default.

       popuseacl: 0
            Enforce  IMAP  ACLs  in  the pop server.  Due to the nature of the
            POP3 protocol, the only rights which are used by  the  pop  server
            are  ’r’  and  ’d’  for  the  owner of the mailbox.  The ’r’ right
            allows the user to open the mailbox  and  list/retrieve  messages.
            The ’d’ right allows the user to delete messages.

       postmaster: postmaster
            Username  that  is  used  as  the ’From’ address in rejection MDNs
            produced by sieve.

       postuser: <empty string>
            Userid used to deliver messages to shared folders.   For  example,
            if  set to "bb", email sent to "bb+shared.blah" would be delivered
            to the "shared.blah" folder.  By  default,  an  email  address  of
            "+shared.blah" would be used.

       proxy_authname: proxy
            The  authentication  name  to use when authenticating to a backend
            server in the Cyrus Murder.

       proxy_password: <none>
            The default password to  use  when  authenticating  to  a  backend
            server  in the Cyrus Murder.  May be overridden on a host-specific
            basis using the hostname_password option.

       proxy_realm: <none>
            The authentication realm to use when authenticating to  a  backend
            server in the Cyrus Murder

       proxyd_allow_status_referral: 0
            Set  to  true  to  allow proxyd to issue referrals to clients that
            support it when answering the STATUS command.  This is disabled by
            default  since  some  clients issue many STATUS commands in a row,
            and do not cache the connections that these referrals would cause,
            thus  resulting  in a higher authentication load on the respective
            backend server.

       proxyservers: <none>
            A list of users and groups that are allowed  to  proxy  for  other
            users, separated by spaces.  Any user listed in this will be
            allowed to login for any other user: use with caution.

       ptloader_sock: <none>
            Unix  domain  socket  that  ptloader  listens  on.   (defaults  to

       ptscache_db: berkeley
            The cyrusdb backend to use for the pts cache.

            Allowed values: berkeley, skiplist

       ptscache_timeout: 10800
            The timeout (in seconds) for the PTS cache database when using the
            auth_krb_pts authorization method (default: 3 hours).

       ptskrb5_convert524: 1
            When  using  the  AFSKRB   ptloader   module   with   Kerberos   5
            canonicalization, do the final 524 conversion to get an AFS style
            name (using ’.’ instead of ’/’, and using short names

       ptskrb5_strip_default_realm: 1
            When  using  the  AFSKRB   ptloader   module   with   Kerberos   5
            canonicalization,  strip  the  default realm from the userid (this
            does  not  affect  the  stripping  of  realms  specified  by   the
            afspts_localrealms option)

       quota_db: quotalegacy
            The cyrusdb backend to use for quotas.

            Allowed values: flat, berkeley, skiplist, quotalegacy

       quotawarn: 90
            The  percent  of quota utilization over which the server generates

       quotawarnkb: 0
            The maximum amount of free space (in kB) in which to give a  quota
            warning  (if this value is 0, or if the quota is smaller than this
            amount, then warnings are always given).

       reject8bit: 0
            If enabled, lmtpd rejects messages with 8-bit  characters  in  the
            headers.  Also  see munge8bit, which is only applied if reject8bit
            is not activated. (A proper solution to non-ASCII characters in
            headers is offered by RFC 2047 and its predecessors.)

       rfc2046_strict: 0
            If enabled, imapd will be strict (per RFC 2046) when matching MIME
            boundary strings.  This means  that  boundaries  containing  other
            boundaries  as  substrings  will  be  treated as identical.  Since
            enabling this option will break some messages  created  by  Eudora
            5.1  (and  earlier),  it  is  recommended that it be left disabled
            unless there is good reason to do otherwise.

       rfc3028_strict: 1
            If enabled, Sieve will be strict (per RFC 3028)  with  regards  to
            which  headers  are  allowed  to  be  used in address and envelope
            tests.  This means that only those headers which  are  defined  to
            contain  addresses  will be allowed in address tests and only "to"
            and "from" will be allowed in envelope tests.  When disabled,  ANY
            grammatically correct header will be allowed.

       sasl_auto_transition: 0
            If   enabled,   the   SASL   library   will  automatically  create
            authentication secrets when given a plaintext password.   See  the
            SASL documentation.

       sasl_maximum_layer: 256
            Maximum  SSF (security strength factor) that the server will allow
            a client to negotiate.

       sasl_minimum_layer: 0
            The minimum SSF that the server will allow a client to  negotiate.
            A  value  of  1  requires  integrity  protection; any higher value
            requires some amount of encryption.

       sasl_option: 0
            Any SASL option can be set by preceding it with "sasl_".  This
            file overrides the SASL configuration file.

       sasl_pwcheck_method: <none>
            The  mechanism  used  by the server to verify plaintext passwords.
            Possible values include "auxprop", "saslauthd", and "pwcheck".

       seenstate_db: skiplist
            The cyrusdb backend to use for the seen state.

            Allowed values: flat, berkeley, skiplist

       sendmail: /usr/lib/sendmail
            The pathname of the sendmail executable.  Sieve  invokes  sendmail
            for sending rejections, redirects and vacation responses.

       servername: <none>
            This  is the hostname visible in the greeting messages of the POP,
            IMAP and LMTP daemons. If it is unset, then  the  result  returned
            from gethostname(2) is used.

       sharedprefix: Shared Folders
            If  using  the alternate IMAP namespace, the prefix for the shared
            namespace.   The  hierarchy  delimiter   will   be   automatically

       sieve_maxscriptsize: 32
            Maximum  size  (in kilobytes) any sieve script can be, enforced at
            submission by timsieved(8).

       sieve_maxscripts: 5
            Maximum number of sieve scripts any user  may  have,  enforced  at
            submission by timsieved(8).

       sievedir: /usr/sieve
            If  sieveusehomedir is false, this directory is searched for Sieve

       sievenotifier: <none>
            Notifyd(8) method to use for "SIEVE" notifications.  If  not  set,
            "SIEVE" notifications are disabled.

       This method is only used when no method is specified in the script.

       sieveusehomedir: 0
            If  enabled,  lmtpd  will  look  for  Sieve scripts in user’s home
            directories: ~user/.sieve.

       singleinstancestore: 1
            If enabled, lmtpd and nntpd attempt to only write one  copy  of  a
            message  per  partition  and  create  hard  links,  resulting in a
            potentially large disk savings.

       skiplist_unsafe: 0
            If enabled, this option forces the skiplist cyrusdb backend to not
            sync writes to the disk.  Enabling this option is NOT RECOMMENDED.

       soft_noauth: 1
            If enabled, lmtpd returns temporary failures if  the  client  does
            not  successfully authenticate.  Otherwise lmtpd returns permanent
            failures (causing the mail to bounce immediately).

       srvtab: <empty string>
            The pathname of srvtab file containing the server’s  private  key.
            This  option  is  passed  to  the  SASL  library and overrides its
            default setting.

       subscription_db: flat
            The cyrusdb backend to use for the subscriptions list.

            Allowed values: flat, berkeley, skiplist

       syslog_prefix: <none>
            String to be appended to the process name in syslog entries.

       temp_path: /tmp
            The pathname to store temporary files in.

       timeout: 30
            The length of the IMAP server’s inactivity  autologout  timer,  in
            minutes.  The minimum value is 30, the default.

       tls_ca_file: <none>
            File   containing   one   or   more   Certificate  Authority  (CA)

       tls_ca_path: <none>
            Path to directory with certificates of CAs.  This  directory  must
            have  filenames  with  the  hashed  value  of the certificate (see

       tlscache_db: berkeley-nosync
            The cyrusdb backend to use for the TLS cache.

            Allowed values: berkeley, berkeley-nosync, skiplist

       tls_cert_file: <none>
            File   containing   the   certificate   presented    for    server
            authentication  during  STARTTLS.   A  value  of  "disabled"  will
            disable SSL/TLS.

       tls_cipher_list: DEFAULT
            The list of SSL/TLS ciphers to allow.  The format of the string is
            described in ciphers(1).

       tls_key_file: <none>
            File   containing   the   private  key  belonging  to  the  server
            certificate.  A value of "disabled" will disable SSL/TLS.

       tls_require_cert: 0
            Require a client certificate for ALL services (imap,  pop3,  lmtp,

       tls_session_timeout: 1440
            The  length of time (in minutes) that a TLS session will be cached
            for later reuse.  The  maximum  value  is  1440  (24  hours),  the
            default.  A value of 0 will disable session caching.

       umask: 077
            The umask value used by various Cyrus IMAP programs.

       username_tolower: 1
            Convert  usernames  to  all  lowercase  before login/authenticate.
            This is useful with  authentication  backends  which  ignore  case
            during username lookups (such as LDAP).

       userprefix: Other Users
            If  using  the  alternate IMAP namespace, the prefix for the other
            users namespace.  The hierarchy delimiter  will  be  automatically

       unix_group_enable: 1
            Whether to look up groups when using auth_unix.  Disable  this  if
            you  are  not using groups in ACLs for your IMAP server and you are
            using auth_unix with a backend (such as LDAP) that can make
            getgrent() calls very slow.

       unixhierarchysep: 0
            Use the UNIX separator character  ’/’  for  delimiting  levels  of
            mailbox  hierarchy.   The  default is to use the netnews separator
            character ’.’.

       virtdomains: off
            Enable virtual domain support.  If enabled, the user’s domain will
            be  determined  by  splitting a fully qualified userid at the last
            ’@’ or  ’%’  symbol.   If  the  userid  is  unqualified,  and  the
            virtdomains  option  is  set  to  "on",  then  the  domain will be
            determined by doing a reverse lookup on  the  IP  address  of  the
            incoming network interface, otherwise the user is assumed to be in
            the default domain (if set).

            Allowed values: off, userid, ldap, on
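
       An added example (not part of this manual page or of the Cyrus
       distribution): a Python audit that parses the "option: value" format
       and flags the transport and storage settings documented above when
       their effective value, defaults included, weakens protection.  The
       sample configurations, file paths and review thresholds are
       constructed assumptions.

```python
# Added example; sample configs, paths and policy thresholds are constructed.
TRUE = {"yes", "on", "t", "true", "1"}
FALSE = {"no", "off", "f", "false", "0"}
# Defaults as listed on this page (None stands for "<none>").
DEFAULTS = {"sasl_minimum_layer": "0", "skiplist_unsafe": "0",
            "tls_cert_file": None, "tls_key_file": None, "umask": "077"}
WEAK = """\
# constructed sample
sasl_minimum_layer: 0
tls_cert_file: disabled
skiplist_unsafe: yes
umask: 022
"""
HARDENED = """\
sasl_minimum_layer: 128
tls_cert_file: /etc/ssl/example/imapd-cert.pem
tls_key_file: /etc/ssl/example/imapd-key.pem
"""

def parse_conf(text):
    """Parse 'option: value' lines, skipping blank lines and '#' comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            conf[name.strip()] = value.strip()
    return conf

def as_bool(value):
    """Map the boolean spellings this page lists; reject anything else."""
    if value not in TRUE | FALSE:
        raise ValueError(f"not a boolean: {value!r}")
    return value in TRUE

def audit(text):
    """Return the sorted names of options whose effective value needs review."""
    conf = {**DEFAULTS, **parse_conf(text)}
    # Unset or "disabled" certificate/key: no SSL/TLS is available.
    found = [o for o in ("tls_cert_file", "tls_key_file")
             if conf[o] in (None, "", "disabled")]
    if int(conf["sasl_minimum_layer"]) < 2:   # 0 = none, 1 = integrity only
        found.append("sasl_minimum_layer")
    if as_bool(conf["skiplist_unsafe"]):      # documented as NOT RECOMMENDED
        found.append("skiplist_unsafe")
    if (int(conf["umask"], 8) & 0o077) != 0o077:  # looser than the 077 default
        found.append("umask")
    return sorted(found)
```

       Because defaults are merged in first, an empty file is reported the
       same way as one that sets the weak values explicitly.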


       imapd(8),  pop3d(8),  nntpd(8),   lmtpd(8),   timsieved(8),   idled(8),
       notifyd(8), deliver(8), master(8), ciphers(1)
