1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
|
Dovecot Configuration File
==========================
Contents
1. Dovecot Configuration File
1. Basic syntax
2. Sections
3. Filters
4. Including config files
5. External config files
6. Long lines
7. Reading value from file
8. Variable expansion
Basic syntax
------------
The syntax generally looks like this:
---%<-------------------------------------------------------------------------
# this is a comment
settings_key = settings_value
---%<-------------------------------------------------------------------------
If Dovecot doesn't seem to be reading your configuration correctly, use
'doveconf -n' to check how Dovecot actually parses it. You can also check more
complex configurations by providing filters, for example:'doveconf -n -f
service=imap -f local=10.0.0.1 -f remote=1.2.3.4'
Sections
--------
Sections look like this:
---%<-------------------------------------------------------------------------
section optional_name {
section_setting_key = section_setting_value
subsection optional_subname {
subkey = subvalue
}
}
---%<-------------------------------------------------------------------------
Note that sections must be currently written with the linefeeds as shown above.
So for example this doesn't work:
---%<-------------------------------------------------------------------------
section optional_name { key = value } # DOES NOT WORK
---%<-------------------------------------------------------------------------
The sections can be optionally named. This is especially useful if you want to
update the same section later on in the config. For example:
---%<-------------------------------------------------------------------------
namespace inbox {
inbox = yes
}
# ...
# possibly included from another file:
namespace inbox {
mailbox Trash {
special_use = \Trash
}
}
# The namespaces get merged into the same inbox namespace.
---%<-------------------------------------------------------------------------
Without naming the namespace it would have created a new namespace. The section
name may also sometimes be used as part of the settings instead of simply a
name. For example:
---%<-------------------------------------------------------------------------
service auth {
unix_listener auth-master {
# ..
}
}
---%<-------------------------------------------------------------------------
Above the "auth-master" both uniquely identifies the section name, but also it
names the UNIX socket path.
Filters
-------
There are a few different filters that can be used to apply settings
conditionally. The filters look exactly like sections, which may be a bit
confusing. The currently supported filters are:
* protocol <name>: Name of the service/protocol that is reading the settings.
For example: imap, pop3, doveadm, lmtp, lda
* remote <ip/network>: Remote client's IP/network. For non-TCP connections
this will never match. For example 10.0.0.1 or 10.0.0.0/16.
* local_name <name>: Matches TLS connection's SNI
[https://en.wikipedia.org/wiki/Server_Name_Indication] name, if it's sent by
the client. Commonly used to <configure multiple TLS certificates>
[SSL.DovecotConfiguration.txt].
* local <ip/range>: Locally connected IP/network. For non-TCP connections this
will never match. For example 127.0.0.1 or 10.0.0.0/16.
These filters work for most of the settings, but most importantly auth settings
currently only support the protocol filter. Some of the other settings are also
global and can't be filtered, such as log_path.
An example, which uses all of the filters:
---%<-------------------------------------------------------------------------
local 127.0.0.1 {
local_name imap.example.com {
remote 10.0.0.0/24 {
protocol imap {
# ...
}
}
}
}
---%<-------------------------------------------------------------------------
The nesting of the filters must be exactly in that order or the config parsing
will fail.
When applying the settings, the settings within the most-specific filters
override the less-specific filter's settings, so the order of the filters in
config file doesn't matter. For example:
---%<-------------------------------------------------------------------------
local 127.0.0.2 {
key = 127.0.0.2
}
local 127.0.0.0/24 {
key = 127.0.0.0/24
}
local 127.0.0.1 {
key = 127.0.0.1
}
# The order of the above blocks doesn't matter:
# If local IP=127.0.0.1, key=127.0.0.1
# If local IP=127.0.0.2, key=127.0.0.2
# If local IP=127.0.0.3, key=127.0.0.0/24
---%<-------------------------------------------------------------------------
Similarly remote local filters override remote filters, which override
local_name filters, which override protocol filters. In some situations Dovecot
may also return an error if it detects that the same setting is being
ambiguously set by multiple matching filters.
Including config files
----------------------
The main dovecot.conf file can also include other config files:
---%<-------------------------------------------------------------------------
!include local.conf
!include /path/to/another.conf
!include conf.d/*.conf
---%<-------------------------------------------------------------------------
The paths are relative to the currently parsed config file's directory. For
example:
---%<-------------------------------------------------------------------------
# /etc/dovecot/dovecot.conf:
!include conf.d/imap.conf
# /etc/dovecot/conf.d/imap.conf:
!include imap2.conf
# /etc/dovecot/conf.d/imap2.conf is being included
---%<-------------------------------------------------------------------------
If any of the includes fail (e.g. file doesn't exist or permission denied), it
results in an error. It's not an error if wildcards don't result in any
matching files. To avoid these errors, you can use !include_try instead:
---%<-------------------------------------------------------------------------
!include_try passwords.conf
---%<-------------------------------------------------------------------------
Including a file preserves the context where it's included from. For example:
---%<-------------------------------------------------------------------------
protocol imap {
plugin {
!include imap-plugin-settings.conf
}
}
---%<-------------------------------------------------------------------------
External config files
---------------------
Due to historical reasons there are still some config files that are external
to the main dovecot.conf, which are typically named '*.conf.ext'. For example:
* passdb/userdb { args } for ldap/sql points to a dovecot-ldap.conf.ext and
dovecot-sql.conf.ext.
* dict { .. } points to dovecot-dict-*.conf.ext
Although these external config files look similar to the main dovecot.conf
file, they have quite a lot of differences in details. Their parsing is done
with a completely different config parser, so things like filters, $variables,
!includes and<files don't work.
The external config files are also not loaded by the config process at startup,
but instead they're parsed whenever the value is being used. So the external
passdb/userdb files are loaded by auth process at startup, while the dict
config is loaded by dict process at startup.
Eventually these external config files will hopefully be removed.
Long lines
----------
It's possible to split the setting values into multiple lines. Unfortunately
this was broken for a long time, so outside *.conf.ext files this works only in
v2.2.22+:
---%<-------------------------------------------------------------------------
# This works in *.conf.ext files, but in the main dovecot.conf only with
v2.2.22+:
setting_key = \
long \
value
# equivalent to: "long value"
---%<-------------------------------------------------------------------------
All the whitespace between lines is converted to a single space regardless of
how many spaces or tabs are at the beginning of the line or before the '\'.
Even if there is zero whitespace a single space is added.
Reading value from file
-----------------------
It's possible to read the value for a setting from a file:
---%<-------------------------------------------------------------------------
key = </path/to/file
---%<-------------------------------------------------------------------------
The value is read exactly as the entire contents of the file. This includes all
the whitespace and newlines. The paths are relative to the currently parsed
config file's directory, similar to how !include works. The file is read
immediately whenever parsing the configuration file, so if it changes
afterwards it requires a configuration reload to see the changes. This
functionality is especially useful for reading SSL certificates and keys.
Variable expansion
------------------
It's possible to refer to other earlier settings as $name. For example:
---%<-------------------------------------------------------------------------
key = value1
key2 = $key value2
# Equivalent to key2 = value1 value2
---%<-------------------------------------------------------------------------
This is commonly used with mail_plugins settings to easily add more plugins
e.g. inside imap protocol:
---%<-------------------------------------------------------------------------
mail_plugins = acl quota
protocol imap {
mail_plugins = $mail_plugins imap_acl imap_quota
}
---%<-------------------------------------------------------------------------
However, you must be careful with the ordering of these in the configuration
file, because the $variables are expanded immediately while parsing the config
file and they're not updated later. For example this is a common problem:
---%<-------------------------------------------------------------------------
# NON-WORKING EXAMPLE
# Enable ACL plugin:
mail_plugins = $mail_plugins acl
protocol imap {
mail_plugins = $mail_plugins imap_acl
}
# Enable quota plugin:
mail_plugins = $mail_plugins quota
protocol imap {
mail_plugins = $mail_plugins imap_quota
}
# The end result is:
# mail_plugins = " acl quota" - OK
# protocol imap {
# mail_plugins = " acl imap_acl imap_quota" - NOT OK
# }
# v2.2.24+ also gives a warning about this:
# doveconf: Warning: /etc/dovecot/dovecot.conf line 8: Global setting
mail_plugins won't change the setting inside an earlier filter at
/etc/dovecot/dovecot.conf line 5 (if this is intentional, avoid this warning by
moving the global setting before /etc/dovecot/dovecot.conf line 5)
---%<-------------------------------------------------------------------------
This is because the second mail_plugins change that added "quota" globally
didn't update anything inside the existing 'protocol { .. }' or other filters.
Some variables exist in the plugin section only, such as sieve_extensions.
Those variables *cannot* be referred to, that is '$sieve_extensions' won't
work.
(This file was created from the wiki on 2019-06-19 12:42)
|
