設定マスターファイル。
このファイルで他設定ファイルをまとめてIncludeしている。
## Dovecot configuration file # Protocols we want to be serving. #protocols = imap pop3 lmtp 規定値でこの3つ。 #listen = *, :: ListenするIPアドレス(IPv4/v6)。規定値はall。 # Base directory where to store runtime data. #base_dir = /var/run/dovecot/ 規定値はconfigure時の$prefix/var/run/dovecot/ #instance_name = dovecot インスタンス名。複数サーバ時は要ユニーク。 ウチは単体サーバなので規定値で。 #login_greeting = Dovecot ready. グリーティングメッセージ。 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. +OK Dovecot ready. <xx.x.xxxx.XXXXXXXXXXXXXXXXXXX==@xxxxx> ↑これ。 #login_trusted_networks = "普通はIMAP Proxy鯖のIPアドレスとか入れるよね"とある。 disable_plaintext_authの設定無視して平文おkになるので取扱注意。 #login_access_sockets = TCP Wrapperなどのソケット指定。 サービスの設定も忘れずに。 TCP Wrapper使用時は要--with-libwrap。 #auth_proxy_self = プロキシ動作時に、該当IPアドレスはプロキシしない(?) "普通は要らないと思うけど、ロードバランサのIPアドレスとか入れると便利よ。"とある。 #verbose_proctitle = no yesにすると、psコマンド実行時に以下のような情報が付与される。 /usr/local/sbin/dovecot dovecot/anvil [2 connections] dovecot/log dovecot/config dovecot/imap-login [1 connections (1 TLS)] dovecot/auth [0 wait, 0 passdb, 0 userdb] dovecot/ssl-params dovecot/imap [hoge xxx.xxx.xxx.xxx] #shutdown_clients = yes noにすると、マスタープロセスを殺したときにクライアントは強制切断されなくなるが、 "セキュリティアップデートのときとか問題あるよね多分。"とある。 # If non-zero, run mail commands via this many connections to doveadm server, # instead of running them directly in the same process. #doveadm_worker_count = 0 # UNIX socket or host:port used for connecting to doveadm server #doveadm_socket_path = doveadm-server #import_environment = TZ 子プロセスに渡したい環境変数をスペース区切りでどうぞ。 dict { #quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext #expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext } dict(ionary)というかindexというかlistというかの参照設定。 !include conf.d/*.conf 設定ファイルのインクルード設定。 !include_try local.conf こっちだと、もしファイルがなくてもエラーにならない。
プロキシんときに使うらしいが、わからないのでパス(´・ω・`)
## ## Director-specific settings. ## # Director can be used by Dovecot proxy to keep a temporary user -> mail server # mapping. As long as user has simultaneous connections, the user is always # redirected to the same server. Each proxy server is running its own director # process, and the directors are communicating the state to each others. # Directors are mainly useful with NFS-like setups. # List of IPs or hostnames to all director servers, including ourself. # Ports can be specified as ip:port. The default port is the same as # what director service's inet_listener is using. #director_servers = # List of IPs or hostnames to all backend mail servers. Ranges are allowed # too, like 10.0.0.10-10.0.0.30. #director_mail_servers = # How long to redirect users to a specific server after it no longer has # any connections. #director_user_expire = 15 min # TCP/IP port that accepts doveadm connections (instead of director connections) # If you enable this, you'll also need to add inet_listener for the port. #director_doveadm_port = 0 # To enable director service, uncomment the modes and assign a port. service director { unix_listener login/director { #mode = 0666 } fifo_listener login/proxy-notify { #mode = 0666 } unix_listener director-userdb { #mode = 0600 } inet_listener { #port = } } # Enable director for the wanted login services by telling them to # connect to director socket instead of the default login socket: service imap-login { #executable = imap-login director } service pop3-login { #executable = pop3-login director } # Enable director for LMTP proxying: protocol lmtp { #auth_socket_path = director-userdb }
認証に関する設定。
## ## 認証処理 ## disable_plaintext_auth = yes yesで、TLS/SSLじゃない平文認証を無効にする。 ただしサーバと同IPアドレスからのアクセスは平文おkになるモヨリ。 あとlogin_trusted_networksのIPアドレスも。 #auth_cache_size = 0 0で、認証時キャッシュ無効。単位はkb。 キャッシュ有効時はbsdauth,PAM,vpopmailはcache_keyパラメタ設定(auth-system.conf.ext内)が必要。 #auth_cache_ttl = 1 hour キャッシュのTTL。 "今のところ平文認証だけね。"とある。 #auth_cache_negative_ttl = 1 hour ユーザが居ない、パスワード違う、などのキャッシュTTL。 0だとそういうのはキャッシュしない。 #auth_realms = SASL認証機構のレルムリスト。 #auth_default_realm = レルムの規定値指定。 #auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@ ユーザ名に使える文字リスト。SQLインジェクション防止の一手立てとして。 #auth_username_translation = ユーザ名の文字列変換リスト。元先元先・・・でリストする。 "例えば#@/@だと#と/を@に変換するよ。"とある。 #auth_username_format = ユーザ名書式。 %Luは全部小文字に、%nはユーザ名、%dはドメイン。 # If you want to allow master users to log in by specifying the master # username within the normal username string (ie. not using SASL mechanism's # support for it), you can specify the separator character here. The format # is then <username><separator><master username>. UW-IMAP uses "*" as the # separator, so that could be a good choice. #auth_master_user_separator = #auth_anonymous_username = anonymous 匿名SASLのときのユーザ名。 #auth_worker_max_count = 30 authプロセスの最大数。 #auth_gssapi_hostname = GSSAPIプリンシパル名。 "未指定のときはgethostname()の戻り値、$ALLで全部のkeytabね。"とある。 #auth_krb5_keytab = Kerberos認証のkeytabファイル指定。 "未指定時はシステム規定値ね。"とある。 #auth_use_winbind = no yesで、NTLMおよびGSS-SPENGO認証のときにSambaのwinbindを使う。 #auth_winbind_helper_path = /usr/bin/ntlm_auth Sambaのntlm_authヘルパコマンドの指定。 #auth_failure_delay = 2 secs 認証失敗時に返事するまでの遅延値。 #auth_ssl_require_client_cert = no yesで、SSLクライアント証明書がなければ認証失敗。 #auth_ssl_username_from_cert = no yesで、SSLクライアント証明書からユーザ名引っ張る。 auth_mechanisms = cram-md5 apop 認証機構のリスト。 ウチではIMAPにcram-md5、POP3にAPOPを使用。 APOPは平文を使うことに注意。 "使えるのは plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey gss-spnego ね。"とある。 ## ## パスワードとユーザーデータベース ## ユーザ名とパスワードのリストやDB。 必要なファイルをIncludeする。 #!include auth-deny.conf.ext #!include auth-master.conf.ext #!include auth-system.conf.ext #!include auth-sql.conf.ext #!include auth-ldap.conf.ext !include auth-passwdfile.conf.ext #!include auth-checkpassword.conf.ext #!include auth-vpopmail.conf.ext #!include auth-static.conf.ext
ログに関する設定。
## ## ログ吐き先 ## #log_path = syslog エラーメッセージ用ログファイル指定。 "syslogならsyslogに、/dev/stderrなら標準エラー出力にだすよ。"とある。 #info_log_path = 情報用ログファイル指定。 "規定値はlog_pathだよ。"とある。 #debug_log_path = デバッグ情報用ログファイル指定。 "規定値はlog_pathだよ。"とある。 #syslog_facility = mail syslogのファシリティ指定。 ## ## 冗長出力とデバッグ出力 ## #auth_verbose = no yesで、認証失敗時の理由も出力する。らしい。 #auth_verbose_passwords = no パスワードが違ったとき、試したパスワードを出力する。らしい。 "no plain sha1のどれかね。sha1だとブルートフォースがすぐわかって便利よ。"とある。 #auth_debug = no yesで、認証時のデバッグ出力を行う。 #auth_debug_passwords = no yesで、パスワードが違ったとき、パスワードとスキームを出力する。らしい。 "auth_debugも有効にしてね。"とある。 #mail_debug = no yesで、メールプロセス(?)のデバッグログを有効にする。 #verbose_ssl = no yesで、SSL/TLSプロトコルの冗長出力を行う。 ログに変化はあるものの、今ひとつわからないので「らしい」とした(´・ω・`) # mail_log plugin はもっと多くのメール処理イベントをログに出すよ。 plugin { # Events to log. Also available: flag_change append #mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename # Available fields: uid, box, msgid, from, subject, size, vsize, flags # size and vsize are available only for expunge and copy events. #mail_log_fields = uid box msgid size } ## ## ログ書式 ## #log_timestamp = "%b %d %H:%M:%S " ログのプレフィクス。 "%書式はman 3 strftimeで。"的な。 #login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c ログインログの要素。 #login_log_format = %$: %s ログインログの書式。 "%$はlogin_log_format_elements、%sはデータね。"とある。 #mail_log_prefix = "%s(%u): " メールプロセスログのプレフィクス。 "変数はVariables.txt読んでね。"とある。 $prefix/share/doc/dovecot/wiki/Variables.txt参照。 # Format to use for logging mail deliveries. You can use variables: # %$ - Delivery status message (e.g. "saved to INBOX") # %m - Message-ID # %s - Subject # %f - From address # %p - Physical size # %w - Virtual size #deliver_log_format = msgid=%m: %$ LDA(Local Delivery Agent)のログ書式。
メールボックスに関する設定。
## ## Mailboxの場所とネームスペース ## #mail_location = 規定値は空。以下の順番で自動で見つけてくれるモヨリ。 1. maildir: ~/Maildir 2. mbox: ~/mail, and /var/mail/%u if it exists 3. mbox: ~/Mail, and /var/mail/%u if it exists ダメだった場合は明示してね。だそうで。 namespace inbox { # Namespace type: private, shared or public #type = private # Hierarchy separator to use. You should use the same separator for all # namespaces or some clients get confused. '/' is usually a good one. # The default however depends on the underlying mail storage format. #separator = # Prefix required to access this namespace. This needs to be different for # all namespaces. For example "Public/". #prefix = # Physical location of the mailbox. This is in same format as # mail_location, which is also the default for it. #location = # There can be only one INBOX, and this setting defines which namespace # has it. inbox = yes # If namespace is hidden, it's not advertised to clients via NAMESPACE # extension. You'll most likely also want to set list=no. This is mostly # useful when converting from another server with different namespaces which # you want to deprecate but still keep working. For example you can create # hidden namespaces with prefixes "~/mail/", "~%u/mail/" and "mail/". #hidden = no # Show the mailboxes under this namespace with LIST command. This makes the # namespace visible for clients that don't support NAMESPACE extension. # "children" value lists child mailboxes, but hides the namespace prefix. #list = yes # Namespace handles its own subscriptions. If set to "no", the parent # namespace handles them (empty prefix should always have this as "yes") #subscriptions = yes } # Example shared namespace configuration #namespace { #type = shared #separator = / # Mailboxes are visible under "shared/user@domain/" # %%n, %%d and %%u are expanded to the destination user. #prefix = shared/%%u/ # Mail location for other users' mailboxes. Note that %variables and ~/ # expands to the logged in user's data. %%n, %%d, %%u and %%h expand to the # destination user's data. #location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u # Use the default namespace for saving subscriptions. #subscriptions = no # List the shared/ namespace only if there are visible shared mailboxes. #list = children #} # Should shared INBOX be visible as "shared/user" or "shared/user/INBOX"? #mail_shared_explicit_inbox = yes # System user and group used to access mails. If you use multiple, userdb # can override these by returning uid or gid fields. You can use either numbers # or names. <doc/wiki/UserIds.txt> #mail_uid = #mail_gid = # Group to enable temporarily for privileged operations. Currently this is # used only with INBOX when either its initial creation or dotlocking fails. # Typically this is set to "mail" to give access to /var/mail. #mail_privileged_group = # Grant access to these supplementary groups for mail processes. Typically # these are used to set up access to shared mailboxes. Note that it may be # dangerous to set these if users can create symlinks (e.g. if "mail" group is # set here, ln -s /var/mail ~/mail/var could allow a user to delete others' # mailboxes, or ln -s /secret/shared/box ~/mail/mybox would allow reading it). #mail_access_groups = # Allow full filesystem access to clients. There's no access checks other than # what the operating system does for the active UID/GID. It works with both # maildir and mboxes, allowing you to prefix mailboxes names with eg. /path/ # or ~user/. #mail_full_filesystem_access = no ## ## Mailプロセス ## #mmap_disable = no yesでmmap()を使わない。 IndexをNFSやクラスタFSに載せてる場合にdisableにする必要があるよ。とのこと。 #dotlock_use_excl = yes yesでO_EXCLでロックファイルを作る。 今時のNFSは規定値だよね。とのこと。 #mail_fsync = optimized fsync()するかどうか。規定値はoptimized。 alwaysはNFSで使うといい感じ。 neverは高速だけどなんかあったらデータ消失ね。とのこと。 #mail_nfs_storage = no NFSにメールデータがあるならyes。NFSキャッシュを必要に応じてフラッシュする。 メールサーバが一つのときは要らないよ。とのこと。 # Mail index files also exist in NFS. Setting this to yes requires # mmap_disable=yes and fsync_disable=no. #mail_nfs_index = no IndexもNFSにあるならyes。 yesで使うならmmap_disable=yes、fsync_disable=noにしないとだめだよ。とのこと。 # Locking method for index files. Alternatives are fcntl, flock and dotlock. # Dotlocking uses some tricks which may create more disk I/O than other locking # methods. NFS users: flock doesn't work, remember to change mmap_disable. #lock_method = fcntl Indexのロック方法。fcntl、flock、dotlock。 #mail_temp_dir = /tmp LDA/LMTPが使う、128kb以上のメールの一時保管場所。 # Valid UID range for users, defaults to 500 and above. This is mostly # to make sure that users can't log in as daemons or other system users. # Note that denying root logins is hardcoded to dovecot binary and can't # be done even if first_valid_uid is set to 0. #first_valid_uid = 500 #last_valid_uid = 0 # Valid GID range for users, defaults to non-root/wheel. Users having # non-valid GID as primary group ID aren't allowed to log in. If user # belongs to supplementary groups with non-valid GIDs, those groups are # not set. #first_valid_gid = 1 #last_valid_gid = 0 # Maximum allowed length for mail keyword name. It's only forced when trying # to create new keywords. #mail_max_keyword_length = 50 # ':' separated list of directories under which chrooting is allowed for mail # processes (ie. /var/mail will allow chrooting to /var/mail/foo/bar too). # This setting doesn't affect login_chroot, mail_chroot or auth chroot # settings. If this setting is empty, "/./" in home dirs are ignored. # WARNING: Never add directories here which local users can modify, that # may lead to root exploit. Usually this should be done only if you don't # allow shell access for users. <doc/wiki/Chrooting.txt> #valid_chroot_dirs = # Default chroot directory for mail processes. This can be overridden for # specific users in user database by giving /./ in user's home directory # (eg. /home/./user chroots into /home). Note that usually there is no real # need to do chrooting, Dovecot doesn't allow users to access files outside # their mail directory anyway. If your home directories are prefixed with # the chroot directory, append "/." to mail_chroot. <doc/wiki/Chrooting.txt> #mail_chroot = # UNIX socket path to master authentication server to find users. # This is used by imap (for shared users) and lda. #auth_socket_path = /var/run/dovecot/auth-userdb # Directory where to look up mail plugins. #mail_plugin_dir = /usr/lib/dovecot # Space separated list of plugins to load for all services. Plugins specific to # IMAP, LDA, etc. are added to this list in their own .conf files. #mail_plugins = ## ## Mailbox取扱最適化 ## # The minimum number of mails in a mailbox before updates are done to cache # file. This allows optimizing Dovecot's behavior to do less disk writes at # the cost of more disk reads. #mail_cache_min_mail_count = 0 # When IDLE command is running, mailbox is checked once in a while to see if # there are any new mails or other changes. This setting defines the minimum # time to wait between those checks. Dovecot can also use dnotify, inotify and # kqueue to find out immediately when changes occur. #mailbox_idle_check_interval = 30 secs # Save mails with CR+LF instead of plain LF. This makes sending those mails # take less CPU, especially with sendfile() syscall with Linux and FreeBSD. # But it also creates a bit more disk I/O which may just make it slower. # Also note that if other software reads the mboxes/maildirs, they may handle # the extra CRs wrong and cause problems. #mail_save_crlf = no # Max number of mails to keep open and prefetch to memory. This only works with # some mailbox formats and/or operating systems. #mail_prefetch_count = 0 # How often to scan for stale temporary files and delete them (0 = never). # These should exist only after Dovecot dies in the middle of saving mails. #mail_temp_scan_interval = 1w ## ## Maildir仕様設定 ## # By default LIST command returns all entries in maildir beginning with a dot. # Enabling this option makes Dovecot return only entries which are directories. # This is done by stat()ing each entry, so it causes more disk I/O. # (For systems setting struct dirent->d_type, this check is free and it's # done always regardless of this setting) #maildir_stat_dirs = no # When copying a message, do it with hard links whenever possible. This makes # the performance much better, and it's unlikely to have any side effects. #maildir_copy_with_hardlinks = yes # Assume Dovecot is the only MUA accessing Maildir: Scan cur/ directory only # when its mtime changes unexpectedly or when we can't find the mail otherwise. #maildir_very_dirty_syncs = no # If enabled, Dovecot doesn't use the S=<size> in the Maildir filenames for # getting the mail's physical size, except when recalculating Maildir++ quota. # This can be useful in systems where a lot of the Maildir filenames have a # broken size. The performance hit for enabling this is very small. #maildir_broken_filename_sizes = no ## ## mbox仕様設定 ## # Which locking methods to use for locking mbox. There are four available: # dotlock: Create <mailbox>.lock file. This is the oldest and most NFS-safe # solution. If you want to use /var/mail/ like directory, the users # will need write access to that directory. # dotlock_try: Same as dotlock, but if it fails because of permissions or # because there isn't enough disk space, just skip it. # fcntl : Use this if possible. Works with NFS too if lockd is used. # flock : May not exist in all systems. Doesn't work with NFS. # lockf : May not exist in all systems. Doesn't work with NFS. # # You can use multiple locking methods; if you do the order they're declared # in is important to avoid deadlocks if other MTAs/MUAs are using multiple # locking methods as well. Some operating systems don't allow using some of # them simultaneously. #mbox_read_locks = fcntl #mbox_write_locks = dotlock fcntl # Maximum time to wait for lock (all of them) before aborting. #mbox_lock_timeout = 5 mins # If dotlock exists but the mailbox isn't modified in any way, override the # lock file after this much time. #mbox_dotlock_change_timeout = 2 mins # When mbox changes unexpectedly we have to fully read it to find out what # changed. If the mbox is large this can take a long time. Since the change # is usually just a newly appended mail, it'd be faster to simply read the # new mails. If this setting is enabled, Dovecot does this but still safely # fallbacks to re-reading the whole mbox file whenever something in mbox isn't # how it's expected to be. The only real downside to this setting is that if # some other MUA changes message flags, Dovecot doesn't notice it immediately. # Note that a full sync is done with SELECT, EXAMINE, EXPUNGE and CHECK # commands. #mbox_dirty_syncs = yes # Like mbox_dirty_syncs, but don't do full syncs even with SELECT, EXAMINE, # EXPUNGE or CHECK commands. If this is set, mbox_dirty_syncs is ignored. #mbox_very_dirty_syncs = no # Delay writing mbox headers until doing a full write sync (EXPUNGE and CHECK # commands and when closing the mailbox). This is especially useful for POP3 # where clients often delete all mails. The downside is that our changes # aren't immediately visible to other MUAs. #mbox_lazy_writes = yes # If mbox size is smaller than this (e.g. 100k), don't write index files. # If an index file already exists it's still read, just not updated. #mbox_min_index_size = 0 # Mail header selection algorithm to use for MD5 POP3 UIDLs when # pop3_uidl_format=%m. For backwards compatibility we use apop3d inspired # algorithm, but it fails if the first Received: header isn't unique in all # mails. An alternative algorithm is "all" that selects all headers. #mbox_md5 = apop3d ## ## mdbox仕様設定 ## # Maximum dbox file size until it's rotated. #mdbox_rotate_size = 2M # Maximum dbox file age until it's rotated. Typically in days. Day begins # from midnight, so 1d = today, 2d = yesterday, etc. 0 = check disabled. #mdbox_rotate_interval = 0 # When creating new mdbox files, immediately preallocate their size to # mdbox_rotate_size. This setting currently works only in Linux with some # filesystems (ext4, xfs). #mdbox_preallocate_space = no ## ## 添付ファイル ## # sdbox と mdbox は添付ファイルを外部ファイルに保存できます。 # 他のバックエンドはサポートしてないです、今のところ。 # 警告:この機能はまだ十分にテストされてないので自己責任で使ってね。 # Directory root where to store mail attachments. Disabled, if empty. #mail_attachment_dir = # Attachments smaller than this aren't saved externally. It's also possible to # write a plugin to disable saving specific attachments externally. #mail_attachment_min_size = 128k # Filesystem backend to use for saving attachments: # posix : No SiS done by Dovecot (but this might help FS's own deduplication) # sis posix : SiS with immediate byte-by-byte comparison during saving # sis-queue posix : SiS with delayed comparison and deduplication #mail_attachment_fs = sis posix # Hash format to use in attachment filenames. You can add any text and # variables: %{md4}, %{md5}, %{sha1}, %{sha256}, %{sha512}, %{size}. # Variables can be truncated, e.g. %{sha256:80} returns only first 80 bits #mail_attachment_hash = %{sha1}
各種プロセスの設定。
#default_process_limit = 100 プロセス数の規定値。 #default_client_limit = 1000 接続クライアント数の規定値。 #default_vsz_limit = 256M プロセスのVSZ(VirtualMemorySize)上限。 メモリリークして食いつぶす前にプロセス殺すよ。とのこと。 #default_login_user = dovenull 各loginプロセスが内部で使うシステムユーザ。 Dovecotで一番信用できないユーザです。他にアクセスできないようなユーザにすること。とのこと。 #default_internal_user = dovecot loginプロセス以外で使うシステムユーザ。 service imap-login { inet_listener imap { #port = 143 IMAPのListenPort。標準は143。 } inet_listener imaps { #port = 993 #ssl = yes IMAPSのListenPort。標準は993。 } #service_count = 1 1で接続ごとにプロセス生成する(安全)。規定値。 0で全部の接続を相手する(高速だが安全ではない) #process_min_avail = 0 最小待ち受けアイドルプロセス数。 プロセス生成コストと接続数をみて調整。 #vsz_limit = $default_vsz_limit もしservice_count=0にするなら、増やさないとダメかもね。とのこと。 } service pop3-login { inet_listener pop3 { #port = 110 POP3のListenPort。標準は110。 } inet_listener pop3s { #port = 995 #ssl = yes POP3SのListenPort。標準は995。 } } 使ってないのでパス。 service lmtp { unix_listener lmtp { #mode = 0666 } # Create inet listener only if you can't use the above UNIX socket #inet_listener lmtp { # Avoid making LMTP visible for the entire internet #address = #port = #} } service imap { #vsz_limit = $default_vsz_limit 巨大なメールボックスのときは増やした方がいいかもね。とのこと。 #process_limit = 1024 ログイン後の処理をするプロセスの最大数。 } service pop3 { #process_limit = 1024 ログイン後の処理をするプロセスの最大数。 } service auth { # auth_socket_path points to this userdb socket by default. It's typically # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have # full permissions to this socket are able to get a list of all usernames and # get the results of everyone's userdb lookups. # # The default 0666 mode allows anyone to connect to the socket, but the # userdb lookups will succeed only if the userdb returns an "uid" field that # matches the caller process's UID. Also if caller's uid or gid matches the # socket's uid or gid the lookup succeeds. Anything else causes a failure. # # To give the caller full permissions to lookup all users, set the mode to # something else than 0666 and Dovecot lets the kernel enforce the # permissions (e.g. 0777 allows everyone full permissions). unix_listener auth-userdb { #mode = 0666 #user = #group = } PostfixでDovecotSASLを使用するときの設定。 # Postfix smtp-auth unix_listener /var/spool/postfix/private/auth { mode = 0666 user = postfix group = postfix } # Auth process is run as this user. #user = $default_internal_user } service auth-worker { # Auth worker process is run as root by default, so that it can access # /etc/shadow. If this isn't necessary, the user should be changed to # $default_internal_user. #user = root } service dict { # If dict proxy is used, mail processes should have access to its socket. # For example: mode=0660, group=vmail and global mail_access_groups=vmail unix_listener dict { #mode = 0600 #user = #group = } }
SSLに関する設定。
## ## SSL設定 ## #ssl = yes yesでSSL/TLSを使う。 requiredは平文でない認証機構でもSSL/TLSを使う? ssl_cert = </etc/ssl/certs/dovecot.pem ssl_key = </etc/ssl/private/dovecot.pem 鍵と証明書。 #ssl_key_password = 鍵にパスワードつけた場合、ここに書いておく。 #ssl_ca = CA証明書。クライアント証明書認証を使うときだけ必要。 #ssl_require_crl = yes yesで、クライアント証明書認証でCRLチェックに成功する必要がある。 #ssl_verify_client_cert = no クライアント証明書を検証する。 auth_ssl_require_client_cert=yesにする必要がある。 #ssl_cert_username_field = commonName ユーザ名が証明書のどのフィールドか定義する。 auth_ssl_username_from_cert=yesにする必要がある。 #ssl_parameters_regenerate = 168 SSLパラメータファイルを再生成する時間(hour)。0で再生成しない。 #ssl_protocols = !SSLv2 使用プロトコル。↑でTLSv1 SSLv3と同じかと。 TLSv1.1とか1.2は指定できなかった(´・ω・`) #ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL 使用Chipherリスト。 #ssl_crypto_device = SSLハードウェアエンジンの指定。
LDA(Local Delivery Agent)の設定。
LDAはコマンドとして呼ばれるのに対し、
LMTPはソケット待ち受けする。
ウチはバックエンドもないのでPostfixのLMTP共々使っていない。
## ## LDA仕様設定(LMTPでも使うよ) ## #postmaster_address = リジェクションメールなどの送信元メールアドレス。 規定値はpostmaster@<your domain> #hostname = ヘッダなどで使われるホスト名。 規定値はシステムのホスト名。 #quota_full_tempfail = no Quotaフルのとき、バウンスの代わりにTemporary Failureを送る。 #sendmail_path = /usr/sbin/sendmail メール送信コマンド。 #submission_host = sendmailを使う代わりにSMTPで送付するためのホスト[:ポート]指定。 空だとsendmailを使う。 #rejection_subject = Rejected: %s リジェクションメールのSubject:。 #rejection_reason = Your message to <%t> was automatically rejected:%n%r メール本文。 %n = CRLF, %r = reason, %s = original subject, %t = recipient #recipient_delimiter = + メールアドレスのローカルパートと詳細のデリミタ。 #lda_original_recipient_header = オリジナルの送信先アドレスが取れなかったときのアドレス。 X-Original-To:で使う。 dovecot-lda -aで上書き。 #lda_mailbox_autocreate = no メールボックスがない時、自動的に作るか。 yesで、作る。 #lda_mailbox_autosubscribe = no 自動的に作ったメールボックスを自動的に購読するか。 yesで、購読する プラグインを使うならここで設定。 規定値は$mail_plugins(10-mail.conf)。 protocol lda { # Space separated list of plugins to load (default is global mail_plugins). #mail_plugins = $mail_plugins }
メールボックスの定義。
ウチでは規定値のままいじってない。
## ## メールボックス定義 ## # 注意:前提として10-mail.confで"namespace inbox"が定義済みとします。 namespace inbox { #mailbox name { # auto=create will automatically create this mailbox. # auto=subscribe will both create and subscribe to the mailbox. #auto = no # Space separated list of IMAP SPECIAL-USE attributes as specified by # RFC 6154: \All \Archive \Drafts \Flagged \Junk \Sent \Trash #special_use = #} # These mailboxes are widely used and could perhaps be created automatically: mailbox Drafts { special_use = \Drafts } mailbox Junk { special_use = \Junk } mailbox Trash { special_use = \Trash } # For \Sent mailboxes there are two widely used names. We'll mark both of # them as \Sent. User typically deletes one of them if duplicates are created. mailbox Sent { special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } # If you have a virtual "All messages" mailbox: #mailbox virtual/All { # special_use = \All #} # If you have a virtual "Flagged" mailbox: #mailbox virtual/Flagged { # special_use = \Flagged #} }
IMAPの設定。
## ## IMAP仕様設定 ## protocol imap { #imap_max_line_length = 64k IMAPコマンドラインの最大長。 いくつかのクライアントは巨大メールボックスに対し超長いの送ってくるから そういうときは"Too long argument" とか "IMAP command line too large" みたいな エラー出るから値を大きくしてね。とのこと。 #mail_max_userip_connections = 10 同じIPアドレスからの最大接続数。 #mail_plugins = $mail_plugins プラグインの設定。規定値はmail_plugins(10-mail.conf) #imap_logout_format = in=%i out=%o ログアウト時の書式。 %i 合計受信byte数 %o 合計送信byte数 #imap_capability = IMAP CAPABILITYの指定。+をつけると追記。 #imap_idle_notify_interval = 2 mins IDLE時の"OK Still here"通知間隔。 # ID field names and values to send to clients. Using * as the value makes # Dovecot use the default value. The following fields have default values # currently: name, version, os, os-version, support-url, support-email. #imap_id_send = # ID fields sent by client to log. * means everything. #imap_id_log = # いろんなクライアントのバグ回避策: # delay-newmail: # NOOPとCHECKの応答でのみEXISTSとRECENTで新着メールを通知します。 # いくつかのクライアント、例えばOS X Mail(<v2.1)などは新着メール通知を無視します。 # Outlook Expressはもっと酷くて、delay-newmailオプションをつけない場合 # "Message no longer in server"エラーを表示するかも。 # 注意:OE6で同期を"ヘッダのみ"にしている場合、このオプションを使用してもダメちゃんです。 # tb-extra-mailbox-sep: # mboxとdboxでLAYOUT=fsを使うとThunderbirdは混乱して、メールボックス名に'/'を付与します。 # このオプションはDovecotに不正なメールボックス名として扱わず、余計な'/'を無視させます。 # tb-lsub-flags: # mboxなどでLAYOUT=fsを使うとLSUBで\Noselectフラグをつけても表示しちゃいます。 # tb-lsub-flagsは"not selectable"ポップアップエラーのかわりに # グレーアウトして選択できなくします。 # # 半角スペースで区切って並べてね。 #imap_client_workarounds = }
LMTPの設定。
LDAの設定もつかうよ。
## ## LMTP仕様設定 ## # Support proxying to other LMTP/SMTP servers by performing passdb lookups. #lmtp_proxy = no # When recipient address includes the detail (e.g. user+detail), try to save # the mail to the detail mailbox. See also recipient_delimiter and # lda_mailbox_autocreate settings. #lmtp_save_to_detail_mailbox = no protocol lmtp { # Space separated list of plugins to load (default is global mail_plugins). #mail_plugins = $mail_plugins }
POP3の設定。
## ## POP3 specific settings ## protocol pop3 { # Don't try to set mails non-recent or seen with POP3 sessions. This is # mostly intended to reduce disk I/O. With maildir it doesn't move files # from new/ to cur/, with mbox it doesn't write Status-header. #pop3_no_flag_updates = no # Support LAST command which exists in old POP3 specs, but has been removed # from new ones. Some clients still wish to use this though. Enabling this # makes RSET command clear all \Seen flags from messages. #pop3_enable_last = no # If mail has X-UIDL header, use it as the mail's UIDL. #pop3_reuse_xuidl = no # Keep the mailbox locked for the entire POP3 session. #pop3_lock_session = no # POP3 requires message sizes to be listed as if they had CR+LF linefeeds. # Many POP3 servers violate this by returning the sizes with LF linefeeds, # because it's faster to get. When this setting is enabled, Dovecot still # tries to do the right thing first, but if that requires opening the # message, it fallbacks to the easier (but incorrect) size. #pop3_fast_size_lookups = no # POP3 UIDL (unique mail identifier) format to use. You can use following # variables, along with the variable modifiers described in # doc/wiki/Variables.txt (e.g. %Uf for the filename in uppercase) # # %v - Mailbox's IMAP UIDVALIDITY # %u - Mail's IMAP UID # %m - MD5 sum of the mailbox headers in hex (mbox only) # %f - filename (maildir only) # %g - Mail's GUID # # If you want UIDL compatibility with other POP3 servers, use: # UW's ipop3d : %08Xv%08Xu # Courier : %f or %v-%u (both might be used simultaneosly) # Cyrus (<= 2.1.3) : %u # Cyrus (>= 2.1.4) : %v.%u # Dovecot v0.99.x : %v.%u # tpop3d : %Mf # # Note that Outlook 2003 seems to have problems with %v.%u format which was # Dovecot's default, so if you're building a new server it would be a good # idea to change this. %08Xu%08Xv should be pretty fail-safe. # #pop3_uidl_format = %08Xu%08Xv # Permanently save UIDLs sent to POP3 clients, so pop3_uidl_format changes # won't change those UIDLs. Currently this works only with Maildir. #pop3_save_uidl = no # What to do about duplicate UIDLs if they exist? # allow: Show duplicates to clients. # rename: Append a temporary -2, -3, etc. counter after the UIDL. #pop3_uidl_duplicates = allow # POP3 logout format string: # %i - total number of bytes read from client # %o - total number of bytes sent to client # %t - number of TOP commands # %p - number of bytes sent to client as a result of TOP command # %r - number of RETR commands # %b - number of bytes sent to client as a result of RETR command # %d - number of deleted messages # %m - number of messages (before deletion) # %s - mailbox size in bytes (before deletion) # %u - old/new UIDL hash. may help finding out if UIDLs changed unexpectedly #pop3_logout_format = top=%t/%p, retr=%r/%b, del=%d/%m, size=%s # Maximum number of POP3 connections allowed for a user from each IP address. # NOTE: The username is compared case-sensitively. #mail_max_userip_connections = 10 # Space separated list of plugins to load (default is global mail_plugins). #mail_plugins = $mail_plugins # Workarounds for various client bugs: # outlook-no-nuls: # Outlook and Outlook Express hang if mails contain NUL characters. # This setting replaces them with 0x80 character. # oe-ns-eoh: # Outlook Express and Netscape Mail breaks if end of headers-line is # missing. This option simply sends it if it's missing. # The list is space-separated. #pop3_client_workarounds = }
ACLの設定。
## ## メールボックスアクセスコントロールリスト ## # vfile backend reads ACLs from "dovecot-acl" file from mail directory. # You can also optionally give a global ACL directory path where ACLs are # applied to all users' mailboxes. The global ACL directory contains # one file for each mailbox, eg. INBOX or sub.mailbox. cache_secs parameter # specifies how many seconds to wait between stat()ing dovecot-acl file # to see if it changed. plugin { #acl = vfile:/etc/dovecot/global-acls:cache_secs=300 } # To let users LIST mailboxes shared by other users, Dovecot needs a # shared mailbox dictionary. For example: plugin { #acl_shared_dict = file:/var/lib/dovecot/shared-mailboxes }
Pluginの設定。
QuotaとかFullTextSearchとかなんかいっぱい。
## ## Plugin settings ## # All wanted plugins must be listed in mail_plugins setting before any of the # settings take effect. See <doc/wiki/Plugins.txt> for list of plugins and # their configuration. Note that %variable expansion is done for all values. plugin { #setting_name = value }
Quotaについては別途ファイルがある。
## ## Quota configuration. ## # Note that you also have to enable quota plugin in mail_plugins setting. # <doc/wiki/Quota.txt> ## ## Quota limits ## # Quota limits are set using "quota_rule" parameters. To get per-user quota # limits, you can set/override them by returning "quota_rule" extra field # from userdb. It's also possible to give mailbox-specific limits, for example # to give additional 100 MB when saving to Trash: plugin { #quota_rule = *:storage=1G #quota_rule2 = Trash:storage=+100M } ## ## Quota warnings ## # You can execute a given command when user exceeds a specified quota limit. # Each quota root has separate limits. Only the command for the first # exceeded limit is excecuted, so put the highest limit first. # The commands are executed via script service by connecting to the named # UNIX socket (quota-warning below). # Note that % needs to be escaped as %%, otherwise "% " expands to empty. plugin { #quota_warning = storage=95%% quota-warning 95 %u #quota_warning2 = storage=80%% quota-warning 80 %u } # Example quota-warning service. The unix listener's permissions should be # set in a way that mail processes can connect to it. Below example assumes # that mail processes run as vmail user. If you use mode=0666, all system users # can generate quota warnings to anyone. #service quota-warning { # executable = script /usr/local/bin/quota-warning.sh # user = dovecot # unix_listener quota-warning { # user = vmail # } #} ## ## Quota backends ## # Multiple backends are supported: # dirsize: Find and sum all the files found from mail directory. # Extremely SLOW with Maildir. It'll eat your CPU and disk I/O. # dict: Keep quota stored in dictionary (eg. SQL) # maildir: Maildir++ quota # fs: Read-only support for filesystem quota plugin { #quota = dirsize:User quota #quota = maildir:User quota #quota = dict:User quota::proxy::quota #quota = fs:User quota } # Multiple quota roots are also possible, for example this gives each user # their own 100MB quota and one shared 1GB quota within the domain: plugin { #quota = dict:user::proxy::quota #quota2 = dict:domain:%d:proxy::quota_domain #quota_rule = *:storage=102400 #quota2_rule = *:storage=1048576 }