Provided by: kolab-cyrus-common_2.2.13-3ubuntu2_i386


       imapd.conf - IMAP configuration file


       /etc/imapd.conf  is  the  configuration file for the Cyrus IMAP server.
       It defines local parameters for IMAP.

       Each line of the /etc/imapd.conf file has the form

              option: value

       where option is the name of the  configuration  option  being  set  and
       value is the value that the configuration option is being set to.

       Blank lines and lines beginning with ‘‘#’’ are ignored.

       For  boolean and enumerated options, the values ‘‘yes’’, ‘‘on’’, ‘‘t’’,
       ‘‘true’’ and ‘‘1’’ turn the option  on,  the  values  ‘‘no’’,  ‘‘off’’,
       ‘‘f’’, ‘‘false’’ and ‘‘0’’ turn the option off.


       The   sections   below  detail  options  that  can  be  placed  in  the
       /etc/imapd.conf file, and  show  each  option’s  default  value.   Some
       options  have no default value; these are listed with ‘‘<no default>’’.
       Some options default  to  the  empty  string;  these  are  listed  with
       ‘‘<none>’’.  It is also possible to override options by specifying them
       as <service_id>_<optionname>. One  example  is  ‘‘lmtp_admins’’,  which
       overrides ‘‘admins’’ just for the lmtp service. The <service_id> is the
       one you specified in the /etc/cyrus.conf file.
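
       The following is an added example, not part of the original manual page
       or of Cyrus: it parses text in the format described above, applies the
       <service_id>_<optionname> override, and flags settings that this page
       itself marks as risky or inconsistent.  The service IDs "imap" and
       "pop3", the sample values, and the treatment of PLAIN and LOGIN as the
       plaintext mechanisms are assumptions.

```python
"""Added example: parse imapd.conf text and flag risky settings (not Cyrus code)."""

TRUE = {"yes", "on", "t", "true", "1"}
FALSE = {"no", "off", "f", "false", "0"}

# Defaults shown on this page for the boolean options the checks read.
DEFAULTS = {"allowplaintext": "1", "allowanonymouslogin": "0", "loginuseacl": "0",
            "ldap_start_tls": "0", "ldap_tls_check_peer": "0"}

# Assumption: the mechanisms counted as "plaintext" in sasl_mech_list.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# Constructed sample configuration, not taken from a real host.
SAMPLE = """\
# constructed sample
configdirectory: /var/lib/imap
admins: cyrus
allowplaintext: yes
imap_allowplaintext: no
sasl_mech_list: PLAIN LOGIN
allowanonymouslogin: off
ldap_uri: ldaps://ldap.example.org/
ldap_start_tls: 1
ldap_tls_check_peer: yes
ldap_password: not-a-real-secret
proxyservers: murder-frontend
"""


def parse_conf(text):
    """Return {option: value}; blank lines and '#' comment lines are ignored."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")  # split at the first ':' only
        if not sep:
            raise ValueError(f"not in 'option: value' form: {raw!r}")
        opts[name.strip()] = value.strip()
    return opts


def get(opts, name, service=None):
    """Look up an option, honouring a <service_id>_<optionname> override."""
    if service and f"{service}_{name}" in opts:
        return opts[f"{service}_{name}"]
    return opts.get(name, DEFAULTS.get(name, ""))


def enabled(opts, name, service=None):
    """Interpret a boolean option using the on/off spellings listed on the page."""
    value = get(opts, name, service).lower()
    if value in TRUE:
        return True
    if value in FALSE:
        return False
    raise ValueError(f"{name}: {value!r} is not a boolean value")


def audit(opts, service=None):
    """Return [(option, message)] for the settings this page warns about."""
    findings = []
    mechs = {m.upper() for m in get(opts, "sasl_mech_list", service).split()}
    # Assumption: an unset sasl_mech_list may still offer plaintext mechanisms.
    if enabled(opts, "allowplaintext", service) and (not mechs or mechs & PLAINTEXT_MECHS):
        findings.append(("allowplaintext", "cleartext passwords accepted without TLS"))
    if enabled(opts, "allowanonymouslogin", service):
        findings.append(("allowanonymouslogin", '"anonymous" may log in with any password'))
    if enabled(opts, "loginuseacl", service):
        findings.append(("loginuseacl", "other identities may log in as a mailbox owner"))
    if get(opts, "proxyservers", service):
        findings.append(("proxyservers", "listed users may log in as any other user"))
    uri = get(opts, "ldap_uri", service)
    if uri:
        if enabled(opts, "ldap_start_tls", service) and "ldaps:" in uri.lower():
            findings.append(("ldap_start_tls", "StartTLS enabled together with an ldaps: URI"))
        if not enabled(opts, "ldap_tls_check_peer", service):
            findings.append(("ldap_tls_check_peer", "LDAP server certificate is not verified"))
        elif not (get(opts, "ldap_tls_cacert_file", service)
                  or get(opts, "ldap_tls_cacert_dir", service)):
            findings.append(("ldap_tls_check_peer", "enabled, but no CA file or directory set"))
    if "@include" in opts:
        findings.append(("@include", "included file is not audited by this example"))
    for name in sorted(opts):
        if name.endswith("_password") and opts[name]:
            findings.append((name, "secret stored in the file; restrict read access"))
    return findings


if __name__ == "__main__":
    parsed = parse_conf(SAMPLE)
    for svc in ("imap", "pop3"):  # assumed service IDs from cyrus.conf
        for option, message in audit(parsed, svc):
            print(f"[{svc}] {option}: {message}")
```

       In the sample, ‘‘imap_allowplaintext: no’’ suppresses the plaintext
       finding for the imap service only; the pop3 service still inherits the
       global ‘‘allowplaintext: yes’’.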

       admins: <empty string>
            The list of userids with  administrative  rights.   Separate  each
            userid  with a space.  Sites using Kerberos authentication may use
            separate "admin" instances.

       Note  that  accounts  used  by  users  should  not  be  administrators.
       Administrative  accounts  should  not  receive  mail.  That is, if user
       "jbRo" is a user reading mail, he should not  also  be  in  the  admins
       line.   Some  problems may occur otherwise, most notably the ability of
       administrators to create top-level mailboxes visible to users, but  not
       writable by users.

       afspts_localrealms: <none>
            The  list  of  realms  which  are to be treated as local, and thus
            stripped  during  identifier  canonicalization  (for  the   AFSPTS
            ptloader  module).   This is different from loginrealms in that it
            occurs later in the authorization  process  (as  the  user  id  is
            canonified for PTS lookup).

       afspts_mycell: <none>
            Cell to use for AFS PTS lookups.  Defaults to the local cell.

       allowallsubscribe: 0
            Allow  subscription  to  nonexistent  mailboxes.   This  option is
            typically used on backend servers in a Murder so  that  users  can
            subscribe  to  mailboxes that don’t reside on their "home" server.
            This option can also be used as  a  workaround  for  IMAP  clients
            which  don’t  play well with nonexistent or unselectable mailboxes
            (eg.  Microsoft Outlook).

       allowanonymouslogin: 0
            Permit logins by the user "anonymous" using  any  password.   Also
            allows use of the SASL ANONYMOUS mechanism.

       allowapop: 1
            Allow use of the POP3 APOP authentication command.

       Note  that  this  command  requires  that  SASL  is  compiled with APOP
       support, that the plaintext passwords are available in a  SASL  auxprop
       backend  (eg.  sasldb),  and that the system can provide enough entropy
       (eg. from /dev/urandom) to create a challenge in the banner.

       allownewnews: 0
            Allow use of the NNTP NEWNEWS command.

       Note that this is a very expensive command and should only  be  enabled
       when absolutely necessary.

       allowplaintext: 1
            Allow the use of cleartext passwords on the wire.

       To  disallow the use of plaintext passwords for authentication, you can
       set ‘‘allowplaintext: no’’ in imapd.conf. This will still  allow  PLAIN
       under TLS, but IMAP LOGIN commands will now fail.

       If    you    only   list   plaintext   authentication   mechanisms   in
       ‘‘sasl_mech_list’’  and  set  ‘‘allowplaintext:  no’’,  only  users  on
       encrypted  sessions  (TLS  or SSL) will be able to authenticate. On the
       other  hand,  if  you  list  no  plaintext  authentication  options  in
       ‘‘sasl_mech_list’’, ‘‘allowplaintext: yes’’ would have no effect.

       allowusermoves: 0
            Allow  moving user accounts (with associated meta-data) via RENAME
            or XFER.

       Note that measures should be taken to make sure  that  the  user  being
       moved is not logged in, and cannot log in during the move.  Failure  to
       do so may result in the user’s meta-data  (seen  state,  subscriptions,
       etc) being corrupted or out of date.

       altnamespace: 0
            Use the alternate IMAP namespace, where personal folders reside at
            the same level in the hierarchy as INBOX.

       This option  ONLY  applies  where  interaction  takes  place  with  the
       client/user.   Currently  this  is limited to the IMAP protocol (imapd)
       and Sieve scripts (lmtpd).  This option does NOT apply to  admin  tools
       such  as  cyradm  (admins  ONLY), reconstruct, quota, etc., NOR does it
       affect LMTP delivery  of  messages  directly  to  mailboxes  via  plus-

       annotation_db: skiplist
            The cyrusdb backend to use for mailbox annotations.

            Allowed values: berkeley, berkeley-hash, skiplist

       auth_mech: unix
            The authorization mechanism to use.

            Allowed values: unix, pts, krb, krb5

       autocreatequota: 0
            If  nonzero,  normal  users  may create their own IMAP accounts by
            creating the mailbox INBOX.  The user’s quota is set to the  value
            if it is positive, otherwise the user has unlimited quota.

       berkeley_cachesize: 512
            Size  (in kilobytes) of the shared memory buffer pool (cache) used
            by the berkeley environment.  The minimum  allowed  value  is  20.
            The maximum allowed value is 4194303 (4GB).

       berkeley_locks_max: 50000
            Maximum  number  of  locks to be held or requested in the berkeley

       berkeley_txns_max: 100
            Maximum number of transactions to be  supported  in  the  berkeley

       client_timeout: 10
            Number  of seconds to wait before returning a timeout failure when
            performing a client connection (e.g. in a murder environment).

       configdirectory: <none>
            The pathname of the IMAP configuration directory.  This  field  is

       debug_command: <none>
            Debug command to be used by processes started with -D option.  The
            string is a C format string that gets 3 options: the first is  the
            name  of  the  executable  (without  path).  The second is the pid
            (integer)  and  the   third   is   the   service   ID.    Example:
            /usr/local/bin/gdb /usr/cyrus/bin/%s %d

       defaultacl: anyone lrs
            The Access Control List (ACL) placed on a newly-created (non-user)
            mailbox that does not have a parent mailbox.

       defaultdomain: <none>
            The default domain for virtual  domain  support.  Note  that  this
            domain  is stripped from the email-address transmitted using LMTP,
            but  it  is  not  stripped  from  usernames  at  login-time.   For
            imapd/pop3d, "user" and "user@defaultdomain" specify two different
            users.  Please check install-virtdomains.html for details.

       defaultpartition: default
            The partition name used by default for new mailboxes.

       deleteright: c
            The right that a user needs to delete a mailbox.

       duplicate_db: berkeley-nosync
            The cyrusdb backend to use for the duplicate delivery  suppression
            and sieve.

            Allowed    values:   berkeley,   berkeley-nosync,   berkeley-hash,
            berkeley-hash-nosync, skiplist

       duplicatesuppression: 1
            If enabled, lmtpd will suppress delivery of a message to a mailbox
            if  a  message  with the same message-id (or resent-message-id) is
            recorded as having already been delivered to the mailbox.  Records
            the  mailbox  and  message-id/resent-message-id  of all successful

       foolstupidclients: 0
            If enabled, only list the personal namespace when a  LIST  "*"  is
            performed.  (It changes the request to a LIST "INBOX*".)

       force_sasl_client_mech: <none>
            Force  preference  of  a  given  SASL  mechanism  for  client side
            operations (e.g. murder environments).  This is separate from (and
            overridden  by)  the  ability  to  use  the <host shortname>_mechs
            option to set preferred mechanisms for a specific host.

       fulldirhash: 0
            If enabled, uses an improved directory hashing scheme which hashes
            the  entire username instead of using just the first letter.  This
            changes  the hash algorithm used for quota and user directories and, if
            hashimapspool is enabled, the entire mail spool.

       Note  that this option can NOT be changed on a live system.  The server
       must be quiesced  and  then  the  directories  moved  with  the  rehash

       hashimapspool: 0
            If enabled, the partitions will also be hashed, in addition to the
            hashing done on configuration directories.  This is recommended if
            one partition has a very bushy mailbox tree.

       hostname_mechs: <none>
            Force  a  particular  list  of  SASL  mechanisms  to  be used when
            authenticating to the backend server hostname (where  hostname  is
            the  short  hostname  of  the  server  in  question). If it is not
            specified it will query the server for  available  mechanisms  and
            pick one to use. - Cyrus Murder

       hostname_password: <none>
            The  password  to  use  for  authentication  to the backend server
            hostname (where hostname is the short hostname of  the  server)  -
            Cyrus Murder

       idlemethod: %IDLE%
            The idle backend to use for IDLE command.

            Allowed values: no, poll, idled

       idlesocket: {configdirectory}/socket/idle
            Unix domain socket that idled listens on.

       ignorereference: 0
            For  backwards  compatibility  with  Cyrus  1.5.10  and earlier --
            ignore the reference argument in LIST or LSUB commands.

       imapidlepoll: 60
            The interval (in seconds) for  polling  the  mailbox  for  changes
            while  running  the  IDLE command.  This option is used when idled
            can not be contacted or when polling  is  used  exclusively.   The
            minimum  value  is  1.   A  value  of  0 will disable polling (and
            disable IDLE if polling is the only method available).

       imapidresponse: 1
            If enabled, the server responds to an ID command with a  parameter
            list  containing:  version,  vendor,  support-url, os, os-version,
            command, arguments, environment.   Otherwise  the  server  returns

       imapmagicplus: 0
            Only  list  a  restricted  set  of  mailboxes  via  IMAP  by using
            userid+namespace syntax as  the  authentication/authorization  id.
            Using  userid+ (with an empty namespace) will list only subscribed

       implicit_owner_rights: lca
            The implicit Access Control List (ACL) for the owner of a mailbox.

       @include: <none>
            Directive  which  includes  the  specified  file  as  part  of the
            configuration.   If  the  path  to  the  file  is  not   absolute,
            CYRUS_PATH is prepended.

       ldap_authz: <none>
            SASL authorization ID for the LDAP server

       ldap_base: <empty string>
            Contains the LDAP base dn for the LDAP ptloader module

       ldap_bind_dn: <none>
            Bind  DN  for the connection to the LDAP server (simple bind).  Do
            not use for anonymous simple binds

       ldap_deref: never
            Specify how aliases dereferencing is handled during search.

            Allowed values: search, find, always, never

       ldap_filter: (uid=%u)
            Specify a filter that searches user  identifiers.   The  following
            tokens can be used in the filter string:

            %%    = %
            %u    = user
            %U    = user portion of %u (%U = test when %u = test@domain.tld)
            %d    = domain portion of %u if available (%d = domain.tld when
                    %u = test@domain.tld), otherwise same as %r
            %D    = user dn.  (use when ldap_member_method: filter)
            %1-9  = domain tokens (%1 = tld, %2 = domain when %d = domain.tld)

            ldap_filter is not used when ldap_sasl is enabled.

       ldap_group_base: <empty string>
            LDAP base dn for ldap_group_filter.

       ldap_group_filter: (cn=%u)
            Specify  a  filter  that  searches  for  group  identifiers.   See
            ldap_filter for more options.

       ldap_group_scope: sub
            Specify search scope for ldap_group_filter.

            Allowed values: sub, one, base

       ldap_id: <none>
            SASL authentication ID for the LDAP server

       ldap_mech: <none>
            SASL mechanism for LDAP authentication

       ldap_member_attribute: <none>
            See ldap_member_method.

       ldap_member_base: <empty string>
            LDAP base dn for ldap_member_filter.

       ldap_member_filter: (member=%D)
            Specify  a   filter   for   "ldap_member_method:   filter".    See
            ldap_filter for more options.

       ldap_member_method: attribute
            Specify  a  group method.  The "attribute" method retrieves groups
            from a multi-valued attribute specified in  ldap_member_attribute.

            The    "filter"    method    uses    a    filter,   specified   by
            ldap_member_filter, to find  groups;  ldap_member_attribute  is  a
            single-value attribute group name.

            Allowed values: attribute, filter

       ldap_member_scope: sub
            Specify search scope for ldap_member_filter.

            Allowed values: sub, one, base

       ldap_password: <none>
            Password  for  the  connection to the LDAP server (SASL and simple
            bind).  Do not use for anonymous simple binds

       ldap_realm: <none>
            SASL realm for LDAP authentication

       ldap_referrals: 0
            Specify whether or not the client should follow referrals.

       ldap_restart: 1
            Specify whether or  not  LDAP  I/O  operations  are  automatically
            restarted if they abort prematurely.

       ldap_sasl: 1
            Use SASL for LDAP binds in the LDAP PTS module.

       ldap_sasl_authc: <none>
            Deprecated.  Use ldap_id

       ldap_sasl_authz: <none>
            Deprecated.  Use ldap_authz

       ldap_sasl_mech: <none>
            Deprecated.  Use ldap_mech

       ldap_sasl_password: <none>
            Deprecated.  Use ldap_password

       ldap_sasl_realm: <none>
            Deprecated.  Use ldap_realm

       ldap_scope: sub
            Specify search scope.

            Allowed values: sub, one, base

       ldap_servers: ldap://localhost/
            Deprecated.  Use ldap_uri

       ldap_size_limit: 1
            Specify a number of entries for a search request to return.

       ldap_start_tls: 0
            Use  StartTLS extended operation.  Do not use ldaps: ldap_uri when
            this option is enabled.

       ldap_time_limit: 5
            Specify a number of seconds for a search request to complete.

       ldap_timeout: 5
            Specify a number of seconds a search can take before timing out.

       ldap_tls_cacert_dir: <none>
            Path to directory with CA (Certificate Authority) certificates.

       ldap_tls_cacert_file: <none>
            File containing CA (Certificate Authority) certificate(s).

       ldap_tls_cert: <none>
            File containing the client certificate.

       ldap_tls_check_peer: 0
            Require and verify server certificate.  If this option is yes, you
            must specify ldap_tls_cacert_file or ldap_tls_cacert_dir.

       ldap_tls_ciphers: <none>
            List  of  SSL/TLS  ciphers  to allow.  The format of the string is
            described in ciphers(1).

       ldap_tls_key: <none>
            File containing the private client key.

       ldap_uri: <none>
            Contains a list of the URLs of all the LDAP servers when using the
            LDAP PTS module.

       ldap_version: 3
            Specify  the  LDAP  protocol  version.   If  ldap_start_tls and/or
            ldap_use_sasl are enabled, ldap_version will be automatically  set
            to 3.

       lmtp_downcase_rcpt: 0
            If  enabled, lmtpd will convert the recipient address to lowercase
            (up to a ’+’ character, if present).

       lmtp_over_quota_perm_failure: 0
            If enabled, lmtpd returns a permanent failure code when  a  user’s
            mailbox  is  over  quota.   By  default, the failure is temporary,
            causing the MTA to queue the message and retry later.

       lmtpsocket: {configdirectory}/socket/lmtp
            Unix domain socket that lmtpd listens on, used by deliver(8). This
            should match the path specified in cyrus.conf(5).

       loginrealms: <empty string>
            The  list  of  remote  realms  whose  users may authenticate using
            cross-realm authentication identifiers.  Separate each realm  name
            by  a  space.   (A cross-realm identity is considered any identity
            returned by SASL with an "@" in it.) Note that to support multiple
            virtual  domains  on  the same interface/IP, you need to list them
            all as loginrealms.  If you  don’t  list  them  here,  your  users
            probably won’t be able to log in.

       loginuseacl: 0
            If  enabled,  any authentication identity which has ’a’ rights on a
            user’s INBOX may log in as that user.

       logtimestamps: 0
            Include notations in the protocol telemetry  logs  indicating  the
            number of seconds since the last command or response.

       mailnotifier: <none>
            Notifyd(8)  method  to  use for "MAIL" notifications.  If not set,
            "MAIL" notifications are disabled.

       maxmessagesize: 0
            Maximum incoming LMTP  message  size.   If  non-zero,  lmtpd  will
            reject  messages  larger  than maxmessagesize bytes.  If set to 0,
            this will allow messages of any size (the default).

       mboxlist_db: skiplist
            The cyrusdb backend to use for the mailbox list.

            Allowed values: flat, berkeley, berkeley-hash, skiplist

       munge8bit: 1
            If enabled, lmtpd  changes  8-bit  characters  to  ‘X’.  Also  see
            reject8bit.  (A proper solution to non-ASCII characters in headers
            is offered by RFC 2047 and its predecessors.)

       mupdate_connections_max: 128
            The max number of connections that a mupdate process  will  allow,
            this  is  related to the number of file descriptors in the mupdate
            process.  Beyond this number connections will be immediately issued
            a BYE response.

       mupdate_authname: <none>
            The SASL username (Authentication Name) to use when authenticating
            to the mupdate server (if needed).

       mupdate_password: <none>
            The SASL password (if needed) to use when  authenticating  to  the
            mupdate server.

       mupdate_port: 3905
            The port of the mupdate server for the Cyrus Murder

       mupdate_realm: <none>
            The  SASL  realm  (if  needed)  to  use when authenticating to the
            mupdate server.

       mupdate_retry_delay: 20
            The base time to wait between connection retries  to  the  mupdate

       mupdate_server: <none>
            The mupdate server for the Cyrus Murder

       mupdate_workers_start: 5
            The number of mupdate worker threads to start

       mupdate_workers_minspare: 2
            The minimum number of idle mupdate worker threads

       mupdate_workers_maxspare: 10
            The maximum number of idle mupdate worker threads

       mupdate_workers_max: 50
            The maximum number of mupdate worker threads (overall)

       mupdate_username: <empty string>
            The  SASL username (Authorization Name) to use when authenticating
            to the mupdate server

            If enabled at compile time, this specifies a  URL  to  reply  when
            Netscape asks the server where the mail administration HTTP server
            is.  The default is a site at CMU  with  a  hopefully  informative
            message;  administrators  should set this to a local resource with
            some information of greater use.

       newsmaster: news
            Userid that is used for checking access  controls  when  executing
            Usenet  control  messages.   For instance, to allow articles to be
            automatically deleted by cancel messages, give the "news" user the
            ’d’  right  on  the  desired mailboxes.  To allow newsgroups to be
            automatically created, deleted and renamed  by  the  corresponding
            control  messages,  give  the  "news"  user  the  ’c’ right on the
            desired mailbox hierarchies.

       newspeer: <none>
            A list of whitespace-separated news server specifications to which
            articles  should be fed.  Each server specification is a string of
            the form [user[:pass]@]host[:port][/wildmat] where ’host’  is  the
            fully  qualified  hostname  of  the  server, ’port’ is the port on
            which  the  server  is  listening,  ’user’  and  ’pass’  are   the
            authentication   credentials  and  ’wildmat’  is  a  pattern  that
            specifies which groups should be fed.  If no ’port’ is  specified,
            port  119  is  used.  If no ’wildmat’ is specified, all groups are
            fed.  If ’user’ is specified (even if empty), then the  NNTP  POST
            command  will be used to feed the article to the server, otherwise
            the IHAVE command will be used.

            A ’@’ may be used in place  of  ’!’  in  the  wildmat  to  prevent
            feeding articles cross-posted to the given group, otherwise cross-
            posted articles are fed if any part of the wildmat  matches.   For
            example, the string "*,!control.*,@local.*" would
            feed all groups  except  control  messages  and  local  groups  to
            In  the case of cross-posting to local groups,
            these articles would not be fed.

       newspostuser: <none>
            Userid used  to  deliver  usenet  articles  to  newsgroup  folders
            (usually  via  lmtp2nntp).   For  example, if set to "post", email
            sent  to  "post+comp.mail.imap"  would   be   delivered   to   the
            "comp.mail.imap" folder.

            When  set,  the  Cyrus  NNTP  server will add a To: header to each
            incoming usenet article.   This  To:  header  will  contain  email
            delivery   addresses   corresponding  to  each  newsgroup  in  the
            Newsgroups: header.  By default, a To:  header  is  not  added  to
            usenet articles.

       newsprefix: <none>
            Prefix   to   be   prepended   to  newsgroup  names  to  make  the
            corresponding IMAP mailbox names.

       notifysocket: {configdirectory}/socket/notify
            Unix domain socket that the mail notification daemon listens on.

       partition-name: <none>
            The pathname of the partition name.  At least one field,  for  the
            partition  named in the defaultpartition option, is required.  For
            example, if the value of the defaultpartition option  is  default,
            then the partition-default field is required.

       plaintextloginpause: 0
            Number  of  seconds  to  pause after a successful plaintext login.
            For systems that support strong authentication, this permits users
            to  perceive  a cost of using plaintext passwords.  (This does not
            affect the use of PLAIN in SASL authentications.)

       plaintextloginalert: <none>
            Message to send to client after a successful plaintext login.

       popexpiretime: -1
            The number of days advertised as being the minimum a  message  may
            be  left  on  the  POP  server  before it is deleted (via the CAPA
            command, defined in  the  POP3  Extension  Mechanism,  which  some
            clients may support).  "NEVER", the default, may be specified with
            a negative number.  The Cyrus POP3 server never deletes  mail,  no
            matter  what  the  value of this parameter is.  However, if a site
            implements  a  less  liberal  policy,  it  needs  to  change  this
            parameter accordingly.

       popminpoll: 0
            Set  the  minimum  amount  of time the server forces users to wait
            between successive POP logins, in minutes.

       poppollpadding: 1
            Create a softer minimum poll restriction.   Allows  poppollpadding
            connections   before   the   minpoll   restriction  is  triggered.
            Additionally, one padding  entry  is  recovered  every  popminpoll
            minutes.   This allows for the occasional polling rate faster than
            popminpoll, (i.e. for clients that require a send/receive to  send
            mail)  but  still  enforces  the  rate  long-term.   Default  is 1

            The easiest way to think of it is a  queue  of  past  connections,
            with  one  slot  being  filled  for every connection, and one slot
            being cleared every popminpoll minutes. When the  queue  is  full,
            the  user  will  not  be  able to check mail again until a slot is
            cleared.  If the user waits a sufficient amount of time, they will
            get back many or all of the slots.

       poptimeout: 10
            Set the length of the POP server’s inactivity autologout timer, in
            minutes.  The minimum value is 10, the default.

       popuseacl: 0
            Enforce IMAP ACLs in the pop server.  Due to  the  nature  of  the
            POP3  protocol,  the  only rights which are used by the pop server
            are ’r’ and ’d’ for the owner  of  the  mailbox.   The  ’r’  right
            allows  the  user  to open the mailbox and list/retrieve messages.
            The ’d’ right allows the user to delete messages.

       postmaster: postmaster
            Username that is used as the  ’From’  address  in  rejection  MDNs
            produced by sieve.

       postuser: <empty string>
            Userid  used  to deliver messages to shared folders.  For example,
            if set to "bb", email sent to "bb+shared.blah" would be  delivered
            to  the  "shared.blah"  folder.   By  default, an email address of
            "+shared.blah" would be used.

       proxy_authname: proxy
            The authentication name to use when authenticating  to  a  backend
            server in the Cyrus Murder.

       proxy_password: <none>
            The  default  password  to  use  when  authenticating to a backend
            server in the Cyrus Murder.  May be overridden on a  host-specific
            basis using the hostname_password option.

       proxy_realm: <none>
            The  authentication  realm to use when authenticating to a backend
            server in the Cyrus Murder

       proxyd_allow_status_referral: 0
            Set to true to allow proxyd to issue  referrals  to  clients  that
            support it when answering the STATUS command.  This is disabled by
            default since some clients issue many STATUS commands  in  a  row,
            and do not cache the connections that these referrals would cause,
            thus resulting in a higher authentication load on  the  respective
            backend server.

       proxyservers: <none>
            A  list  of  users  and groups that are allowed to proxy for other
            users, separated by spaces.  Any  user  listed  in  this  will  be
            allowed to login for any other user: use with caution.

       pts_module: afskrb
            The PTS module to use.

            Allowed values: afskrb, ldap

       ptloader_sock: <none>
            Unix  domain  socket  that  ptloader  listens  on.   (defaults  to

       ptscache_db: berkeley
            The cyrusdb backend to use for the pts cache.

            Allowed values: berkeley, berkeley-hash, skiplist

       ptscache_timeout: 10800
            The timeout (in seconds) for the PTS cache database when using the
            auth_krb_pts authorization method (default: 3 hours).

       ptskrb5_convert524: 1
            When   using   the   AFSKRB   ptloader   module  with  Kerberos  5
            canonicalization, do the final 524 conversion to get an AFS  style
            name (using ’.’ instead of ’/’, and using short names

       ptskrb5_strip_default_realm: 1
            When   using   the   AFSKRB   ptloader   module  with  Kerberos  5
            canonicalization, strip the default realm from  the  userid  (this
            does   not  affect  the  stripping  of  realms  specified  by  the
            afspts_localrealms option)

       quota_db: quotalegacy
            The cyrusdb backend to use for quotas.

            Allowed   values:   flat,   berkeley,   berkeley-hash,   skiplist,

       quotawarn: 90
            The  percent  of quota utilization over which the server generates

       quotawarnkb: 0
            The maximum amount of free space (in kB) in which to give a  quota
            warning  (if this value is 0, or if the quota is smaller than this
            amount, then warnings are always given).

       reject8bit: 0
            If enabled, lmtpd rejects messages with 8-bit  characters  in  the
            headers.  Also  see munge8bit, which is only applied if reject8bit
            is not activated. (A proper solution to  non-ASCII  characters  in
            headers is offered by RFC 2047 and its predecessors.)

       rfc2046_strict: 0
            If enabled, imapd will be strict (per RFC 2046) when matching MIME
            boundary strings.  This means  that  boundaries  containing  other
            boundaries  as  substrings  will  be  treated as identical.  Since
            enabling this option will break some messages  created  by  Eudora
            5.1  (and  earlier),  it  is  recommended that it be left disabled
            unless there is good reason to do otherwise.

       rfc3028_strict: 1
            If enabled, Sieve will be strict (per RFC 3028)  with  regards  to
            which  headers  are  allowed  to  be  used in address and envelope
            tests.  This means that only those headers which  are  defined  to
            contain  addresses  will be allowed in address tests and only "to"
            and "from" will be allowed in envelope tests.  When disabled,  ANY
            grammatically correct header will be allowed.

       sasl_auto_transition: 0
            If   enabled,   the   SASL   library   will  automatically  create
            authentication secrets when given a plaintext password.   See  the
            SASL documentation.

       sasl_maximum_layer: 256
            Maximum  SSF (security strength factor) that the server will allow
            a client to negotiate.

       sasl_minimum_layer: 0
            The minimum SSF that the server will allow a client to  negotiate.
            A  value  of  1  requires  integrity  protection; any higher value
            requires some amount of encryption.

       sasl_option: 0
            Any SASL option can be set by preceding  it  with  "sasl_".   This
            file overrides the SASL configuration file.

       sasl_pwcheck_method: <none>
            The  mechanism  used  by the server to verify plaintext passwords.
            Possible values include "auxprop", "saslauthd", and "pwcheck".

       seenstate_db: skiplist
            The cyrusdb backend to use for the seen state.

            Allowed values: flat, berkeley, berkeley-hash, skiplist

       sendmail: /usr/lib/sendmail
            The pathname of the sendmail executable.  Sieve  invokes  sendmail
            for sending rejections, redirects and vacation responses.

       servername: <none>
            This  is the hostname visible in the greeting messages of the POP,
            IMAP and LMTP daemons. If it is unset, then  the  result  returned
            from gethostname(2) is used.

       sharedprefix: Shared Folders
            If  using  the alternate IMAP namespace, the prefix for the shared
            namespace.   The  hierarchy  delimiter   will   be   automatically

       sieve_maxscriptsize: 32
            Maximum  size  (in kilobytes) any sieve script can be, enforced at
            submission by timsieved(8).

       sieve_maxscripts: 5
            Maximum number of sieve scripts any user  may  have,  enforced  at
            submission by timsieved(8).

       sievedir: /usr/sieve
            If  sieveusehomedir is false, this directory is searched for Sieve

       sievenotifier: <none>
            Notifyd(8) method to use for "SIEVE" notifications.  If  not  set,
            "SIEVE" notifications are disabled.

            This method is only used when no method is specified in the script.

       sieveusehomedir: 0
            If  enabled,  lmtpd  will  look  for  Sieve scripts in user’s home
            directories: ~user/.sieve.

       singleinstancestore: 1
            If enabled, imapd, lmtpd and nntpd attempt to only write one  copy
            of  a  message per partition and create hard links, resulting in a
            potentially large disk savings.

       skiplist_unsafe: 0
            If enabled, this option forces the skiplist cyrusdb backend to not
            sync writes to the disk.  Enabling this option is NOT RECOMMENDED.

       soft_noauth: 1
            If enabled, lmtpd returns temporary failures if  the  client  does
            not  successfully authenticate.  Otherwise lmtpd returns permanent
            failures (causing the mail to bounce immediately).

       srvtab: <empty string>
            The pathname of srvtab file containing the server’s  private  key.
            This  option  is  passed  to  the  SASL  library and overrides its
            default setting.

       subscription_db: flat
            The cyrusdb backend to use for the subscriptions list.

            Allowed values: flat, berkeley, berkeley-hash, skiplist

       syslog_prefix: <none>
            String to be prepended to the process name in syslog entries.

       temp_path: /tmp
            The pathname to store temporary files in.

       timeout: 30
            The length of the IMAP server’s inactivity  autologout  timer,  in
            minutes.  The minimum value is 30, the default.

       tls_ca_file: <none>
            File   containing   one   or   more   Certificate  Authority  (CA)

       tls_ca_path: <none>
            Path to directory with certificates of CAs.  This  directory  must
            have  filenames  with  the  hashed  value  of the certificate (see

       tlscache_db: berkeley-nosync
            The cyrusdb backend to use for the TLS cache.

            Allowed   values:   berkeley,   berkeley-nosync,    berkeley-hash,
            berkeley-hash-nosync, skiplist

       tls_cert_file: <none>
            File    containing    the   certificate   presented   for   server
            authentication  during  STARTTLS.   A  value  of  "disabled"  will
            disable SSL/TLS.

       tls_cipher_list: DEFAULT
            The list of SSL/TLS ciphers to allow.  The format of the string is
            described in ciphers(1).

       tls_key_file: <none>
            File  containing  the  private  key  belonging   to   the   server
            certificate.  A value of "disabled" will disable SSL/TLS.

       tls_require_cert: 0
            Require  a  client certificate for ALL services (imap, pop3, lmtp,

       tls_session_timeout: 1440
            The length of time (in minutes) that a TLS session will be  cached
            for  later  reuse.   The  maximum  value  is  1440 (24 hours), the
            default.  A value of 0 will disable session caching.

       umask: 077
            The umask value used by various Cyrus IMAP programs.

       username_tolower: 1
            Convert usernames  to  all  lowercase  before  login/authenticate.
            This  is  useful  with  authentication  backends which ignore case
            during username lookups (such as LDAP).

       userprefix: Other Users
            If using the alternate IMAP namespace, the prefix  for  the  other
            users  namespace.   The  hierarchy delimiter will be automatically

       unix_group_enable: 1
            Whether to look up groups when using auth_unix.  Disable  this  if
            you  are  not  using groups in ACLs for your IMAP server,  and you
            are using auth_unix with a backend (such as LDAP) that  can   make
            getgrent() calls very slow.

       unixhierarchysep: 0
            Use  the  UNIX  separator  character  ’/’ for delimiting levels of
            mailbox hierarchy.  The default is to use  the  netnews  separator
            character ’.’.

       virtdomains: off
            Enable virtual domain support.  If enabled, the user’s domain will
            be determined by splitting a fully qualified userid  at  the  last
            ’@’  or  ’%’  symbol.   If  the  userid  is  unqualified,  and the
            virtdomains option is  set  to  "on",  then  the  domain  will  be
            determined  by  doing  a  reverse  lookup on the IP address of the
            incoming network interface, otherwise the user is assumed to be in
            the default domain (if set).

            Allowed values: off, userid, ldap, on
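
       The following is an added example, not part of the Cyrus distribution or this manual page: a small auditor that reads the "option: value" syntax described above, applies the <service_id>_<optionname> override rule, and reports on sasl_minimum_layer, skiplist_unsafe, tls_cert_file, tls_key_file and umask. The function names, the choice of what counts as a finding, and the sample configuration (including its file path) are assumptions made for illustration.

```python
TRUE = {"yes", "on", "t", "true", "1"}  # boolean "on" spellings listed by the man page

def parse_imapd_conf(text):
    """Parse 'option: value' lines; blank lines and '#' lines are ignored."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            opts[name.strip()] = value.strip()
    return opts

def audit(opts, service=None):
    """Return (option, finding) pairs; what counts as a finding is this example's assumption."""
    def get(name, default):
        # <service_id>_<optionname> overrides the global option for that service
        keys = ([f"{service}_{name}"] if service else []) + [name]
        return next((opts[k] for k in keys if k in opts), default)

    findings = []
    min_ssf = int(get("sasl_minimum_layer", "0"))
    if min_ssf == 0:
        findings.append(("sasl_minimum_layer", "no integrity or encryption layer required"))
    elif min_ssf == 1:
        findings.append(("sasl_minimum_layer", "integrity protection only, no encryption"))
    if get("skiplist_unsafe", "0").lower() in TRUE:
        findings.append(("skiplist_unsafe", "skiplist writes are not synced to disk"))
    for name in ("tls_cert_file", "tls_key_file"):
        value = get(name, "")
        if value == "disabled":
            findings.append((name, "SSL/TLS is disabled"))
        elif not value:
            findings.append((name, "not set"))
    if (int(get("umask", "077"), 8) & 0o077) != 0o077:
        findings.append(("umask", "files may be created with group/other access"))
    return findings

SAMPLE = """\
# constructed sample configuration, not taken from a real deployment
sasl_minimum_layer: 0
lmtp_sasl_minimum_layer: 56
skiplist_unsafe: yes
tls_cert_file: /etc/ssl/certs/imapd.pem
tls_key_file: disabled
umask: 022
"""

print(audit(parse_imapd_conf(SAMPLE)))
```

       Passing service="lmtp" to audit() evaluates the same file as the lmtp service sees it, so the lmtp_sasl_minimum_layer override in the sample clears the sasl_minimum_layer finding for that service only.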


       imapd(8),   pop3d(8),   nntpd(8),   lmtpd(8),  timsieved(8),  idled(8),
       notifyd(8), deliver(8), master(8), ciphers(1)
