Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages

  
 
  

home | help
IMAPD.CONF(5)			  Cyrus	IMAP			 IMAPD.CONF(5)

NAME
       imapd.conf - Cyrus IMAP documentation

       IMAP configuration file

DESCRIPTION
	  /etc/imapd.conf is the configuration file for	the Cyrus IMAP server.
	  It defines local parameters for IMAP.

	  Each line of the /etc/imapd.conf file	has the	form
		 option: value

	  where	option is the name of the configuration	option being  set  and
	  value	is the value that the configuration option is being set	to.

	  Although  there  is no limit to the length of	a line,	a ``\''	(back-
	  slash) character may be used as the last  character  on  a  line  to
	  force	 it  to	continue on the	next one.  No additional whitespace is
	  inserted before or after the ``\''.  Note that a line	that is	 split
	  using	``\'' character(s) is still considered a single	line.

	  For example
		 option:\
		     value1 value2 \
			value3

	  is equivalent	to
		 option: value1	value2	 value3

	  Blank	lines and lines	beginning with ``#'' are ignored.

	  For  boolean	and  enumerated	 options,  the values ``yes'', ``on'',
	  ``t'', ``true'' and ``1'' turn the option  on,  the  values  ``no'',
	  ``off'', ``f'', ``false'' and	``0'' turn the option off.

	  Duration  options  take the form of a	number followed	by a unit, for
	  example 32m (32 minutes).  Units are d (days), h  (hours),  m	 (min-
	  utes)	 and  s	(seconds).  Multiple units can be combined and will be
	  summed together, for example 1h30m is	equivalent to 90m.  If no unit
	  is specified,	an option-specific backward-compatible default unit is
	  assumed (documented on an option-by-option basis).  These are	simple
	  time	units:	1d=24h,	 1h=60m,  1m=60s (daylight savings, timezones,
	  leap adjustments, etc	are not	considered).

FIELD DESCRIPTIONS
	  The sections	below  detail  options	that  can  be  placed  in  the
	  /etc/imapd.conf  file,  and  show each option's default value.  Some
	  options have no default value,  these	 are  listed  with  ``<no  de-
	  fault>''.   Some  options  default  to  the  empty string, these are
	  listed with ``<none>''.

	  addressbookprefix: #addressbooks
	      The prefix for the addressbook mailboxes hierarchies.  The hier-
	      archy  delimiter will be automatically appended.	The public ad-
	      dressbook	hierarchy will be at the toplevel of the shared	 name-
	      space.   A user's	personal addressbook hierarchy will be a child
	      of their Inbox.

	  admins: <empty string>
	      The list of userids with administrative rights.	Separate  each
	      userid  with  a  space.  Sites using Kerberos authentication may
	      use separate "admin" instances.

	      Note that	accounts used by users should not  be  administrators.
	      Administrative  accounts	should	not receive mail.  That	is, if
	      user "jbRo" is a user reading mail, he should not	also be	in the
	      admins  line.   Some  problems may occur otherwise, most notably
	      the ability of administrators to create top-level	mailboxes vis-
	      ible to users, but not writable by users.

	  afspts_localrealms: <none>
	      The  list	 of  realms which are to be treated as local, and thus
	      stripped during identifier canonicalization (for the AFSPTS  pt-
	      loader  module).	 This is different from	loginrealms in that it
	      occurs later in the authorization	process	(as  the  user	id  is
	      canonified for PTS lookup)

	  afspts_mycell: <none>
	      Cell to use for AFS PTS lookups.	Defaults to the	local cell.

	  allowallsubscribe: 0
	      Allow  subscription  to  nonexistent  mailboxes.	This option is
	      typically	used on	backend	servers	in a Murder so that users  can
	      subscribe	to mailboxes that don't	reside on their	"home" server.
	      This option can also be used as a	workaround  for	 IMAP  clients
	      which don't play well with nonexistent or	unselectable mailboxes
	      (e.g., Microsoft Outlook).

	  allowanonymouslogin: 0
	      Permit logins by the user	"anonymous" using any password.	  Also
	      allows use of the	SASL ANONYMOUS mechanism.

	  allowapop: 1
	      Allow use	of the POP3 APOP authentication	command.

	      Note  that this command requires that SASL is compiled with APOP
	      support, that the	plaintext passwords are	available  in  a  SASL
	      auxprop  backend (e.g., sasldb), and that	the system can provide
	      enough entropy (e.g., from /dev/urandom) to create  a  challenge
	      in the banner.

	  allowdeleted:	0
	      Allow  access  to	deleted	and expunged data via vendor.cmu-* ac-
	      cess

	  allownewnews:	0
	      Allow use	of the NNTP NEWNEWS command.

	      Note that	this is	a very expensive command and  should  only  be
	      enabled when absolutely necessary.

	  allowplaintext: 0
	      If enabled, allows the use of cleartext passwords	on the wire.

	      By  default,  the	 use of	cleartext passwords requires a TLS/SSL
	      encryption layer to be negotiated	prior to any cleartext authen-
	      tication	mechanisms  being advertised or	allowed.  To require a
	      TLS/SSL encryption layer to be negotiated	prior to ANY authenti-
	      cation, see the tls_required option.

	  allowsetacl: 1
	      Defaults	to enabled.  If	disabled, disallows the	use of the SE-
	      TACL command at all via IMAP.

	  allowusermoves: 0
	      Allow moving user	accounts (with associated meta-data)  via  RE-
	      NAME or XFER.

	      Note  that  measures  should be taken to make sure that the user
	      being moved is not logged	in, and	cannot login during the	 move.
	      Failure to do so may result in the user's	meta-data (seen	state,
	      subscriptions, etc) being	corrupted or out of date.

	  altnamespace:	1
	      Use the alternate	IMAP namespace,	where personal folders	reside
	      at the same level	in the hierarchy as INBOX.

	      This  option ONLY	applies	where interaction takes	place with the
	      client/user.  Currently this is limited  to  the	IMAP  protocol
	      (imapd)  and  Sieve scripts (lmtpd).  This option	does NOT apply
	      to admin tools such as cyradm (admins ONLY), reconstruct,	quota,
	      etc.,  NOR  does it affect LMTP delivery of messages directly to
	      mailboxes	via plus-addressing.  The default changed in 3.0  from
	      off to on.

	  altprefix: Alt Folders
	      Alternative  INBOX spellings that	can't be accessed in altnames-
	      pace otherwise go	under here

	  annotation_db: twoskip
	      The cyrusdb backend to use for mailbox annotations.

	      Allowed values: skiplist,	twoskip, zeroskip

	  annotation_db_path: <none>
	      The absolute path	to the annotations db file.  If	not specified,
	      will be configdirectory/annotations.db

	  anyoneuseracl: 1
	      Should  non-admin	 users be allowed to set ACLs for the 'anyone'
	      user on their mailboxes?	In a large organization	this can cause
	      support problems,	but it's enabled by default.

	  annotation_allow_undefined: 0
	      Allow  clients to	store values for entries which are not defined
	      either by	Cyrus or in the	annotations_definitions	file.

	  annotation_definitions: <none>
	      File containing external (third-party) annotation	definitions.

	      Each line	of the file specifies the properties of	an  annotation
	      and has the following form:
		 name, scope, attrib-type, proxy-type, attrib-names, acl

	      name   is	 the  hierarchical name	as in RFC 5257 or RFC 5464 (in
		     the latter	case, without the  leading  /shared  or	 /pri-
		     vate).  For example, /vendor/acme/blurdybloop.

	      scope  specifies	whether	 the  annotation  is for the server, a
		     mailbox, or a message.

	      attrib-type
			specifies the attribute	data type, which is used  only
			to  check the string value passed by clients when set-
			ting annotations.  The attrib-type is one of:

		     string any	value is accepted.

		     content-type
			    this obsolete data	type,  which  was  useful  for
			    early  drafts  of  the  standard,  is accepted but
			    silently translated	to string.

		     boolean
			    only the strings "true" or "false"	are  accepted.
			    Checking  is  case-insensitive  but	 the  value is
			    forced to lowercase.

		     int    integers are accepted.

		     uint   non-negative integers are accepted.

	      proxy-type
		     specifies whether this attribute is for  the  backend  or
		     proxy servers or both (proxy_and_backend)

	      attrib-names
		     is	 the  space-separated list of available	attributes for
		     the   annotation.	 Possible    attribute	  names	   are
		     value.shared,  value.priv,	 and value (which permits both
		     value.priv	and value.shared).  The	attribute names	 size,
		     size.shared,  and	size.priv  are	accepted  but ignored;
		     these attributes are automatically	provided by the	server
		     if	 the corresponding value attribute is specified.  Some
		     obsolete attributes, which	were defined early  drafts  of
		     the standard, are accepted	and ignored with a warning.

	      extra-permissions
		     is	 the  extra  ACL  permission bits required for setting
		     this annotation, in  standard  IMAP  ACL  permission  bit
		     string format.  Note that this is in addition to the per-
		     mission bits specified in RFC 5257	and RFC	5464, so leav-
		     ing  this	field empty is harmless.  Note also that there
		     is	no way to specify that an annotation can only  be  set
		     by	an admin user; in particular the a permission bit does
		     not achieve this.

		     Blank lines and lines beginning with ``#''	are ignored.

	  annotation_callout: <none>
	      The pathname of a	callout	to be used to automatically add	 anno-
	      tations  or flags	to a message when it is	appended to a mailbox.
	      The path can be either an	executable (including a	script), or  a
	      UNIX domain socket.

	  annotation_callout_disable_append: 0
	      Disables annotations on append with xrunannotator

	  annotation_enable_legacy_commands: 0
	      Whether  to  enable  the legacy GETANNOTATION/SETANNOTATION com-
	      mands.  These commands are deprecated and	will be	removed	in the
	      future,  but  might be useful in the meantime for	supporting old
	      clients that do not implement the	RFC 5464 IMAP METADATA	exten-
	      sion.

	  aps_topic: <none>
	      Topic for	Apple Push Service registration.

	  aps_topic_caldav: <none>
	      Topic for	Apple Push Service registration	for CalDAV.

	  aps_topic_carddav: <none>
	      Topic for	Apple Push Service registration	for CardDAV.

	  archive_enabled: 0
	      Is  archiving enabled for	this server.  You also need to have an
	      archivepartition for the mailbox.	 Archiving allows older	 email
	      to  be  stored  on  slower, cheaper disks	- even within the same
	      mailbox, as distinct from	partitions.

	  archive_days:	<none>
	      Deprecated in favour of archive_after.

	  archive_after: 7d
	      The duration after which to move messages	to the archive	parti-
	      tion if archiving	is enabled.

	      For backward compatibility, if no	unit is	specified, days	is as-
	      sumed.

	  archive_maxsize: 1024
	      The size in kilobytes of	the  largest  message  that  won't  be
	      archived immediately.  Default is	1Mb

	  archive_keepflagged: 0
	      If  set,	messages  with	the  \Flagged  system  flag  won't  be
	      archived,	provided they are smaller than archive_maxsize.

	  archivepartition-name: <none>
	      The pathname of the archive  partition  name,  corresponding  to
	      spool  partition	partition-name.	 For any mailbox residing in a
	      directory	on  partition-name,  the  archived  messages  will  be
	      stored  in  a  corresponding directory on	archivepartition-name.
	      Note that	not every partition-name option	is  strictly  required
	      to  have	a corresponding	archivepartition-name option, but that
	      without one there's no benefit to	enabling archiving.

	  auditlog: 0
	      Should cyrus output log entries for every	action taken on	a mes-
	      sage  file  or  mailboxes	list entry?  It's noisy	so disabled by
	      default, but can be very useful for tracking down	what  happened
	      if things	look strange

	  auth_mech: unix
	      The authorization	mechanism to use.

	      Allowed values: unix, pts, krb, krb5

	  autocreateinboxfolders: <none>
	      Deprecated in favor of autocreate_inbox_folders.

	  autocreatequota: 0
	      Deprecated in favor of autocreate_quota.

	  autocreatequotamsg: -1
	      Deprecated in favor of autocreate_quota_messages.

	  autosievefolders: <none>
	      Deprecated in favor of autocreate_sieve_folders.

	  generate_compiled_sieve_script: 0
	      Deprecated in favor of autocreate_sieve_script_compile.

	  autocreate_sieve_compiled_script: <none>
	      Deprecated in favor of autocreate_sieve_script_compiled.

	  autosubscribeinboxfolders: <none>
	      Deprecated in favor of autocreate_subscribe_folders.

	  autosubscribesharedfolders: <none>
	      Deprecated in favor of autocreate_subscribe_sharedfolders.

	  autosubscribe_all_sharedfolders: 0
	      Deprecated in favor of autocreate_subscribe_sharedfolders_all.

	  autocreate_acl: <none>
	      If  folders  are to be created by	autocreate_inbox_folders, this
	      setting can be used to apply additional ACLs to the  autocreated
	      folders.	  The  syntax  is  "autocreate_acl  folder  identifier
	      rights", where folder  must  match  one  of  the	autocreate_in-
	      box_folders  folders,  identifier	 must be a valid cyrus identi-
	      fier, and	rights must be a valid cyrus rights string.   Multiple
	      identifier|rights	 pairs	can  be	assigned to a single folder by
	      providing	this setting multiple times.

	      For example, "autocreate_acl Plus	anyone p" would	allow lmtp de-
	      livery to	a folder named "Plus".

	  autocreate_inbox_folders: <none>
	      If a user	does not have an INBOX already,	and the	INBOX is to be
	      created, create the list of folders in  this  setting  as	 well.
	      autocreate_inbox_folders	is  a list of INBOX's subfolders sepa-
	      rated by a "|", that are automatically created by	the server un-
	      der the following	two scenarios. Leading and trailing whitespace
	      is stripped, so "Junk | Trash" results in	 two  folders:	"Junk"
	      and  "Trash".   See also the xlist-flag option, for setting spe-
	      cial-use flags on	autocreated folders.

	      INBOX folders are	created	under both the following conditions:

	      1. The user logins via the IMAP or the POP3 protocol.   autocre-
		 ate_quota option must have a value of zero or greater.

	      2. A  message  arrives  for  the user through the	lmtpd(8).  au-
		 tocreate_post option must be enabled.

	  autocreate_post: 0
	      If enabled, when lmtpd(8)	receives an incoming mail for an INBOX
	      that  does not exist, then the INBOX is automatically created by
	      lmtpd(8) and delivery of the message continues.

	  autocreate_quota: -1
	      If set to	a value	of zero	or  higher,  users  have  their	 INBOX
	      folders  created	upon a successful login	event or upon lmtpd(8)
	      message delivery if autocreate_post is enabled,  provided	 their
	      INBOX did	not yet	already	exist.

	      The user's quota is set to the value if it is greater than zero,
	      otherwise	the user has unlimited quota.

	      Note that	quota is specified in kilobytes.

	  autocreate_quota_messages: -1
	      If set to	a value	of zero	or higher, users who have their	 INBOX
	      folders  created	upon  a	 successful  login event (see autocre-
	      ate_quota), or upon lmtpd(8) message delivery if autocreate_post
	      is enabled, receive the message quota configured in this option.

	      The default of -1	disables assigning message quota.

	      For  consistency	with  autocreate_quota,	 a  value  of  zero is
	      treated as unlimited message quota, rather than a	message	 quota
	      of zero.

	  autocreate_sieve_folders: <none>
	      A	 "|"  separated	list of	subfolders of INBOX that will be auto-
	      matically	created, if requested by a sieve filter,  through  the
	      "fileinto" action. The default is	to create no folders automati-
	      cally.

	      Leading and trailing whitespace is stripped from each folder, so
	      a	 setting of "Junk | Trash" will	create two folders: "Junk" and
	      "Trash".

	  autocreate_sieve_script: <none>
	      The full path of a file  that  contains  a  sieve	 script.  This
	      script automatically becomes a user's initial default sieve fil-
	      ter script.

	      When this	option is not defined, no default sieve	filter is cre-
	      ated.  The file must be readable by the Cyrus daemon.

	  autocreate_sieve_script_compile: 0
	      If  set  to  yes	and  no	compiled sieve script file exists, the
	      sieve script which is compiled on	the fly	will be	saved  in  the
	      file name	that autocreate_sieve_compiledscript option points to.
	      In  order	 a  compiled  script   to   be	 generated,   autocre-
	      ate_sieve_script	and  autocreate_sieve_compiledscript must have
	      valid values

	  autocreate_sieve_script_compiled: <none>
	      The full path of a file that contains  a	compiled  in  bytecode
	      sieve script. This script	automatically becomes a	user's initial
	      default sieve filter script.  If this option is  not  specified,
	      or  the  filename	 doesn't  exist	then the script	defined	by au-
	      tocreate_sieve_script is compiled	on the fly  and	 installed  as
	      the user's default sieve script

	  autocreate_subscribe_folders:	<none>
	      A	list of	folder names, separated	by "|",	that the users get au-
	      tomatically subscribed to, when their INBOX  is  created.	 These
	      folder names must	have been included in the autocreateinboxfold-
	      ers option of the	imapd.conf.

	  autocreate_subscribe_sharedfolders: <none>
	      A	list of	shared folders (bulletin boards),  separated  by  "|",
	      that  the	users get automatically	subscribed to, after their IN-
	      BOX is created. The shared folder	must have been created and the
	      user must	have the required permissions to get subscribed	to it.
	      Otherwise, subscribing to	the shared folder fails.

	  autocreate_subscribe_sharedfolders_all: 0
	      If set to	yes, the  user	is  automatically  subscribed  to  all
	      shared folders, one has permission to subscribe to.

	  autocreate_users: anyone
	      A	 space	separated list of users	and/or groups that are allowed
	      their INBOX to be	automatically created.

	  autoexpunge: 0
	      If set to	yes, then all Deleted messages will  be	 automatically
	      expunged	whenever  an index is closed, whether CLOSE, UNSELECT,
	      SELECT or	on disconnect

	  backuppartition-name:	<none>
	      The pathname of the backup partition name.  At least one	backup
	      partition	 pathname  MUST	 be  specified	if backups are in use.
	      Note that	there is no relationship between spool partitions  and
	      backup partitions.

	  backup_compact_minsize: 0
	      The  minimum  size  in  kilobytes	of chunks in each backup.  The
	      compact tool will	 try  to  combine  adjacent  chunks  that  are
	      smaller than this.

	      Setting  this  value  to	zero or	negative disables combining of
	      chunks.

	  backup_compact_maxsize: 0
	      The maximum size in kilobytes of chunks  in  each	 backup.   The
	      compact  tool  will  try	to  split chunks larger	than this into
	      smaller chunks.

	      Setting this value to zero or  negative  disables	 splitting  of
	      chunks.

	  backup_compact_work_threshold: 1
	      The  number of chunks that must obviously	need compaction	before
	      the compact tool will go ahead with the compaction.  If  set  to
	      less than	one, the value is treated as being one.

	  backup_staging_path: <none>
	      The absolute path	of the backup staging area.  If	not specified,
	      will be temp_path/backup

	  backup_retention_days: <none>
	      Deprecated in favor of backup_retention.

	  backup_retention: 7d
	      How long to keep content in backup after	it  has	 been  deleted
	      from  the	 source.   If set to a negative	value or zero, deleted
	      content will be kept indefinitely.

	      For backward compatibility, if no	unit is	specified, days	is as-
	      sumed.

	  backup_db: twoskip
	      The cyrusdb backend to use for the backup	locations database.

	      Allowed values: skiplist,	sql, twoskip, zeroskip

	  backup_db_path: <none>
	      The absolute path	to the backup db file.	If not specified, will
	      be configdirectory/backups.db

	  backup_keep_previous:	0
	      Whether the ctl_backups compact and ctl_backups reindex commands
	      should  preserve	the  original file.  The original file will be
	      named with a timestamped suffix.	This is	mostly useful for  de-
	      bugging.

	      Note  that  with this enabled, compacting	a backup will actually
	      increase the disk	used by	it (because there will now be an extra
	      copy: the	original version, and the compacted version).

	  boundary_limit: 1000
	      messages are parsed recursively and a deep enough	MIME structure
	      can cause	a stack	overflow.  Do not parse	deeper than this  many
	      layers  of  MIME	structure.  The	default	of 1000	is much	higher
	      than any sane message should have.

	  caldav_allowattach: 1
	      Enable managed attachments support on the	CalDAV server.

	  caldav_allowcalendaradmin: 0
	      Enable per-user calendar administration web  UI  on  the	CalDAV
	      server.

	  caldav_allowscheduling: on
	      Enable  calendar	scheduling  operations.	If set to "apple", the
	      server will emulate Apple	CalendarServer behavior	as closely  as
	      possible.	 Allowed values: off, on, apple

	  caldav_create_attach:	1
	      Create the 'Attachments' collection if it	doesn't	already	exist

	  caldav_create_default: 1
	      Create the 'Default' calendar if it doesn't already exist

	  caldav_create_sched: 1
	      Create  the 'Inbox' and 'Outbox' calendars if they don't already
	      exist

	  caldav_historical_age: 7d
	      How long after an	occurrence of event or task has	concluded that
	      it  is  considered  'historical'.	  Changes to historical	occur-
	      rences of	events or tasks	WILL NOT have invite or	reply messages
	      sent for them.  A	negative value means that events and tasks are
	      NEVER considered historical.

	      For backward compatibility, if no	unit is	specified, days	is as-
	      sumed.

	  caldav_maxdatetime: 20380119T031407Z
	      The  latest  date	 and time accepted by the server (ISO format).
	      This value is also used for expanding non-terminating recurrence
	      rules.

	      Note  that  increasing this value	will require the DAV databases
	      for calendars to be reconstructed	with the dav_reconstruct util-
	      ity in order to see its effect on	serer-side time-based queries.

	  caldav_mindatetime: 19011213T204552Z
	      The earliest date	and time accepted by the server	(ISO format).

	  caldav_realm:	<none>
	      The  realm  to  present  for  HTTP  authentication of CalDAV re-
	      sources.	If not set (the	default), the value  of	 the  "server-
	      name" option will	be used.

	  calendarprefix: #calendars
	      The  prefix for the calendar mailboxes hierarchies.  The hierar-
	      chy delimiter will be automatically appended.  The public	calen-
	      dar  hierarchy  will be at the toplevel of the shared namespace.
	      A	user's personal	calendar hierarchy will	be a  child  of	 their
	      Inbox.

	  calendar_user_address_set: <none>
	      Space-separated  list  of	domains	corresponding to calendar user
	      addresses	for which the server is	responsible.  If not set  (the
	      default),	the value of the "servername" option will be used.

	  calendar_component_set:  VEVENT VTODO	VJOURNAL VFREEBUSY VAVAILABIL-
	  ITY VPOLL
	      Space-separated list of iCalendar	component types	that  calendar
	      object resources may contain in a	calendar collection.  This re-
	      striction	is only	set at calendar	creation time and only if  the
	      CalDAV client hasn't specified a restriction in the creation re-
	      quest.  Allowed  values:	VEVENT,	 VTODO,	 VJOURNAL,  VFREEBUSY,
	      VAVAILABILITY, VPOLL

	  carddav_allowaddmember: 0
	      Enable support for POST add-member on the	CardDAV	server.

	  carddav_allowaddressbookadmin: 0
	      Enable per-user addressbook administration web UI	on the CardDAV
	      server.

	  carddav_realm: <none>
	      The realm	to present for	HTTP  authentication  of  CardDAV  re-
	      sources.	 If  not  set (the default), the value of the "server-
	      name" option will	be used.

	  carddav_repair_vcard:	0
	      If enabled, VCARDs with invalid content are attempted to be  re-
	      paired during creation.

	  chatty: 0
	      If  yes,	syslog tags and	commands for every IMAP	command, mail-
	      boxes for	every lmtp connection, every POP3 command, etc

	  client_bind: 0
	      If enabled, a specific IP	will be	bound when performing a	client
	      connection.   client_bind_name  is  used if it is	set, otherwise
	      servername is used.  This	is useful on multi-homed servers where
	      Cyrus should not use other services' interfaces.

	      If not enabled (the default), no bind will be performed.	Client
	      connections will use an IP chosen	by the operating system.

	  client_bind_name: <none>
	      IPv4, IPv6 address or hostname to	bind  for  client  connections
	      when  client_bind	is enabled.  If	not set	(the default), server-
	      name will	be used.

	  client_timeout: 10s
	      Time to wait before returning a timeout failure when  performing
	      a	client connection (e.g.	in a murder environment).

	      For  backward compatibility, if no unit is specified, seconds is
	      assumed.

	  commandmintimer: <none>
	      Time in seconds. Any imap	command	that takes  longer  than  this
	      time is logged.

	  configdirectory: <none>
	      The pathname of the IMAP configuration directory.	 This field is
	      required.

	  createonpost:	0
	      Deprecated in favor of autocreate_post.

	  conversations: 0
	      Enable  the  XCONVERSATIONS  extensions.	 Extract  conversation
	      tracking	information  from  incoming messages and track them in
	      per-user databases.

	  conversations_counted_flags: <none>
	      space-separated list of flags for	which per-conversation	counts
	      will  be	kept.  Note that you need to reconstruct the conversa-
	      tions database with ctl_conversationsdb if you change  this  op-
	      tion on a	running	server,	or the counts will be wrong.

	  conversations_db: skiplist
	      The  cyrusdb backend to use for the per-user conversations data-
	      base.

	      Allowed values: skiplist,	sql, twoskip, zeroskip

	  conversations_expire_days: <none>
	      Deprecated in favor of conversations_expire_after.

	  conversations_expire_after: 90d
	      How long the conversations database keeps	the  message  tracking
	      information  needed  for receiving new messages in existing con-
	      versations.

	      For backward compatibility, if no	unit is	specified, days	is as-
	      sumed.

	  conversations_max_thread: 100
	      maximum  size  for  a single thread.  Threads will split if they
	      have this	many * messages	in them	and another message arrives

	  crossdomains:	0
	      Enable cross domain sharing.  This works best with alt namespace
	      and   unix   hierarchy   separators   on,	  so   you  get	 Other
	      Users/foo@example.com/...

	  crossdomains_onlyother: 0
	      only show	the domain for users in	other domains  than  your  own
	      (for backwards compatibility if you're already sharing

	  cyrus_group: <none>
	      The  name	 of the	group Cyrus services will run as.  If not con-
	      figured, the primary group of cyrus_user will be	used.  Can  be
	      further overridden by setting the	$CYRUS_GROUP environment vari-
	      able.

	  cyrus_user: <none>
	      The username to use as the 'cyrus' user.	If not configured, the
	      compile  time default will be used. Can be further overridden by
	      setting the $CYRUS_USER environment variable.

	  davdriveprefix: #drive
	      The prefix for the DAV storage mailboxes hierarchies.  The hier-
	      archy  delimiter	will  be  automatically	 appended.  The	public
	      storage hierarchy	will be	at the toplevel	of  the	 shared	 name-
	      space.   A  user's personal storage hierarchy will be a child of
	      their Inbox.

	  davnotificationsprefix: #notifications
	      The prefix for the DAV notifications hierarchy.	The  hierarchy
	      delimiter	 will be automatically appended.  The public notifica-
	      tions hierarchy will be at the toplevel of the shared namespace.
	      A	 user's	 personal  notifications  hierarchy will be a child of
	      their Inbox.

	  dav_realm: <none>
	      The realm	to present for HTTP authentication of generic DAV  re-
	      sources  (principals).   If  not set (the	default), the value of
	      the "servername" option will be used.

	  dav_lock_timeout: 20s
	      The maximum time to wait for a write lock	on  the	 per-user  DAV
	      database before timeout. For HTTP	requests, the HTTP status code
	      503 is returned if the lock can  not  be	obtained  within  this
	      time.

	      For  backward compatibility, if no unit is specified, seconds is
	      assumed.

	  debug_command: <none>
	      Debug command to be used by processes started  with  -D  option.
	      The  string  is a	C format string	that gets 3 options: the first
	      is the name of the executable (as	specified in the cmd parameter
	      in cyrus.conf). The second is the	pid (integer) and the third is
	      the service ID.  Example:	 /usr/local/bin/gdb  /usr/cyrus/bin/%s
	      %d

	  defaultacl: anyone lrs
	      The   Access  Control  List  (ACL)  placed  on  a	 newly-created
	      (non-user) mailbox that does not have a parent mailbox.

	  defaultdomain: internal
	      The default domain for virtual domain support

	  defaultpartition: <none>
	      The partition name used by default for new  mailboxes.   If  not
	      specified,  the  partition with the most free space will be used
	      for new mailboxes.

	      Note that	the partition specified	by this	option	must  also  be
	      specified	as partition-name, where you substitute	'name' for the
	      alphanumeric string you set defaultpartition to.

	  defaultsearchtier: <empty string>
	      Name of the default tier	that  messages	will  be  indexed  to.
	      Search  indexes can be organized in tiers	to allow index storage
	      in different directories and physical media. See the man page of
	      squatter	for details. The default search	tier also requires the
	      definition of an according searchtierpartition-name entry.

	      This option MUST be specified for	xapian search.

	  defaultserver: <none>
	      The backend server name used by default for new  mailboxes.   If
	      not  specified, the server with the most free space will be used
	      for new mailboxes.

	  deletedprefix: DELETED
	      With delete_mode set to delayed, the deletedprefix  setting  de-
	      fines the	prefix for the hierarchy of deleted mailboxes.

	      The hierarchy delimiter will be automatically appended.

	  delete_mode: delayed
	      The  manner  in  which mailboxes are deleted. In the default de-
	      layed mode, mailboxes that are being deleted are	renamed	 to  a
	      special mailbox hierarchy	under the deletedprefix, to be removed
	      later by cyr_expire(8).

	      In immediate mode, the mailbox is	removed	 from  the  filesystem
	      immediately.

	      Allowed values: immediate, delayed

	  delete_unsubscribe: 0
	      Whether  to  also	 unsubscribe  from  mailboxes  when  they  are
	      deleted.	Note that this behaviour contravenes RFC 3501  section
	      6.3.9,  but may be useful	for avoiding user/client software con-
	      fusion.  The default is 'no'.

	  deleteright: c
	      Deprecated - only	used for backwards compatibility with existing
	      installations.   Lists  the old RFC 2086 right which was used to
	      grant the	user the ability to delete a mailbox.  If a  user  has
	      this right, they will automatically be given the new 'x' right.

	  disable_user_namespace: 0
	      Preclude	list  command on user namespace.  If set to 'yes', the
	      LIST response will never include any other user's	mailbox.   Ad-
	      min users	will always see	all mailboxes.	The default is 'no'

	  disable_shared_namespace: 0
	      Preclude list command on shared namespace.  If set to 'yes', the
	      LIST response will never include any non-user mailboxes.	 Admin
	      users will always	see all	mailboxes.  The	default	is 'no'

	  disconnect_on_vanished_mailbox: 0
	      If  enabled,  IMAP/POP3/NNTP clients will	be disconnected	by the
	      server if	the currently selected mailbox is (re)moved by another
	      session.	 Otherwise,  the  missing  mailbox is treated as empty
	      while in use by the client.

	  ischedule_dkim_domain: <none>
	      The domain to be reported	as doing iSchedule DKIM	signing.

	  ischedule_dkim_key_file: <none>
	      File containing the private key for iSchedule DKIM signing.

	  ischedule_dkim_required: 1
	      A	DKIM signature is required on received iSchedule requests.

	  ischedule_dkim_selector: <none>
	      Name of the selector subdividing	the  domain  namespace.	  This
	      specifies	 the actual key	used for iSchedule DKIM	signing	within
	      the domain.

	  duplicate_db:	twoskip
	      The cyrusdb backend to use for the duplicate  delivery  suppres-
	      sion  and	 sieve.	  Allowed  values: skiplist, sql, twoskip, ze-
	      roskip

	  duplicate_db_path: <none>
	      The absolute path	to the duplicate db file.  If  not  specified,
	      will be configdirectory/deliver.db

	  duplicatesuppression:	1
	      If enabled, lmtpd	will suppress delivery of a message to a mail-
	      box if a message with the	same message-id	(or resent-message-id)
	      is  recorded  as	having	already	been delivered to the mailbox.
	      Records the mailbox and message-id/resent-message-id of all suc-
	      cessful deliveries.

	  event_content_inclusion_mode:	standard
	      The  mode	 in  which  message  content may be included with Mes-
	      sageAppend and MessageNew. "standard" mode is the	default	behav-
	      ior in which message is included up to a size with the notifica-
	      tion. In "message" mode, the message  is	included  and  may  be
	      truncated	to a size. In "header" mode, it	includes headers trun-
	      cated to a size. In "body" mode, it includes body	truncated to a
	      size.  In	 "headerbody"  mode, it	includes full headers and body
	      truncated	to a size Allowed values: standard,  message,  header,
	      body, headerbody

	  event_content_size: 0
	      Truncate	the  message  content  that  may be included with Mes-
	      sageAppend and MessageNew. Set 0 to include the  entire  message
	      itself

	  event_exclude_flags: <none>
	      Don't send event notification for	given IMAP flag(s)

	  event_exclude_specialuse: \Junk
	      Don't  send event	notification for folder	with given special-use
	      attributes.  Set ALL for any folder

	  event_extra_params: timestamp
	      Space-separated list of extra parameters to add to any appropri-
	      ated event.

	      Allowed	 values:   bodyStructure,   clientAddress,   diskUsed,
	      flagNames, messageContent, messageSize, messages,	 modseq,  ser-
	      vice,  timestamp,	 uidnext,  vnd.cmu.midset,  vnd.cmu.unseenMes-
	      sages, vnd.cmu.envelope, vnd.cmu.sessionId,  vnd.cmu.mailboxACL,
	      vnd.cmu.mbtype,  vnd.cmu.davFilename,  vnd.cmu.davUid, vnd.fast-
	      mail.clientId, vnd.fastmail.sessionId,  vnd.fastmail.convExists,
	      vnd.fastmail.convUnseen,	 vnd.fastmail.cid,  vnd.fastmail.coun-
	      ters, vnd.cmu.emailid, vnd.cmu.threadid

	  event_groups:	message	mailbox
	      Space-separated list of groups of	related	events to turn on  no-
	      tification

	      Allowed  values:	message,  quota,  flags, access, mailbox, sub-
	      scription, calendar, applepushservice

	  event_notifier: <none>
	      Notifyd(8) method	to use for  "EVENT"  notifications  which  are
	      based  on	 the  RFC 5423.	 If not	set, "EVENT" notifications are
	      disabled.

	  expunge_mode:	delayed
	      The mode in which	messages (and their  corresponding  cache  en-
	      tries)  are expunged.  "semidelayed" mode	is the old behavior in
	      which the	message	files are purged at the	time of	 the  EXPUNGE,
	      but  index and cache records are retained	to facilitate QRESYNC.
	      In "delayed" mode, which is the default since Cyrus  2.5.0,  the
	      message  files  are  also	retained, allowing unexpunge to	rescue
	      them.  In	"immediate" mode, both the message files and the index
	      records  are removed as soon as possible.	 In all	cases, nothing
	      will be finally purged until all other processes have closed the
	      mailbox  to ensure they never see	data disappear under them.  In
	      "semidelayed" or "delayed" mode, a  later	 run  of  "cyr_expire"
	      will  clean  out	the  retained  records	(and  possibly message
	      files).  This reduces the	amount of I/O that takes place at  the
	      time  of EXPUNGE and should result in greater responsiveness for
	      the client, especially when expunging a  large  number  of  mes-
	      sages.  Allowed values: immediate, semidelayed, delayed

	  failedloginpause: 3s
	      Time to pause after a failed login.

	      For  backward compatibility, if no unit is specified, seconds is
	      assumed.

	  flushseenstate: 1
	      Deprecated. No longer used

	  foolstupidclients: 0
	      If enabled, only list the	personal namespace when	a LIST "*"  is
	      performed	(it changes the	request	to a LIST "INBOX*").

	  force_sasl_client_mech: <none>
	      Force preference of a given SASL mechanism for client side oper-
	      ations (e.g., murder environments).  This	is separate from  (and
	      overridden by) the ability to use	the <host shortname>_mechs op-
	      tion to set preferred mechanisms for a specific host

	  fulldirhash: 0
	      If enabled, uses an  improved  directory	hashing	 scheme	 which
	      hashes  on  the  entire username instead of using	just the first
	      letter as	the hash.  This	changes	hash algorithm used for	 quota
	      and user directories and if hashimapspool	is enabled, the	entire
	      mail spool.

	      Note that	this option CANNOT be changed on a live	 system.   The
	      server  must be quiesced and then	the directories	moved with the
	      rehash utility.

	  hashimapspool: 0
	      If enabled, the partitions will also be hashed, in  addition  to
	      the  hashing  done on configuration directories.	This is	recom-
	      mended if	one partition has a very bushy mailbox tree.

	  debug: 0
	      If enabled, allow	syslog() to pass LOG_DEBUG messages.

	  hostname_mechs: <none>
	      Force a particular list of SASL mechanisms to be used  when  au-
	      thenticating  to	the backend server hostname (where hostname is
	      the short	hostname of the	server in  question).  If  it  is  not
	      specified	 it will query the server for available	mechanisms and
	      pick one to use. - Cyrus Murder

	  hostname_password: <none>
	      The password to use for authentication  to  the  backend	server
	      hostname	(where hostname	is the short hostname of the server) -
	      Cyrus Murder

	  httpallowcompress: 1
	      If enabled, the server will compress response  payloads  if  the
	      client  indicates	 that  it can accept them.  Note that the com-
	      pressed data will	appear in telemetry logs, leaving only the re-
	      sponse headers as	human-readable.

	  httpallowcors: <none>
	      A	 wildmat  pattern  specifying  a  list of origin URIs (	scheme
	      "://" host [ ":" port ] )	that are allowed to make  Cross-Origin
	      Resource	Sharing	 (CORS)	 requests  on the server.  By default,
	      CORS requests are	disabled.

	      Note that	the scheme and host should both	be lowercase, the port
	      should  be  omitted  if using the	default	for the	scheme (80 for
	      http, 443	for https), and	there should be	no trailing '/'	(e.g.:
	      "http://www.example.com:8080", "https://example.org").

	  httpallowtrace: 0
	      Allow use	of the TRACE method.

	      Note that	sensitive data might be	disclosed by the response.

	  httpallowedurls: <none>
	      Space-separated  list  of	relative URLs (paths) rooted at	"http-
	      docroot" (see below) to be served	by httpd.  If set, this	option
	      will  limit  served static content to only those paths specified
	      (returning "404 Not Found" to any	other client requested	URLs).
	      Otherwise, httpd will serve any content found in "httpdocroot".

	      Note  that  any  path specified by "rss_feedlist_template" is an
	      exception	to this	rule.

	  httpcontentmd5: 0
	      If enabled, HTTP responses will include a	Content-MD5 header for
	      the  purpose  of providing an end-to-end message integrity check
	      (MIC) of the payload body.  Note that enabling this option  will
	      use  additional CPU to generate the MD5 digest, which may	be ig-
	      nored by clients anyways.

	  httpdocroot: <none>
	      If set, http will	serve the static  content  (html/text/jpeg/gif
	      files, etc) rooted at this directory.  Otherwise,	httpd will not
	      serve any	static content.

	  httpkeepalive: 20s
	      Set the length of	the HTTP server's  keepalive  heartbeat.   The
	      default  is 20 seconds.  The minimum value is 0, which will dis-
	      able the keepalive heartbeat.  When enabled, if a	request	 takes
	      longer  than  httpkeepalive to process, the server will send the
	      client provisional responses every httpkeepalive until the final
	      response can be sent.

	      For  backward compatibility, if no unit is specified, seconds is
	      assumed.

	  httpmodules: <empty string>
	      Space-separated list of HTTP modules that	 will  be  enabled  in
	      httpd(8).	  This	option	has no effect on modules that are dis-
	      abled at compile time due	to missing  dependencies  (e.g.	 libi-
	      cal).

	      Note  that "domainkey" depends on	"ischedule" being enabled, and
	      that both	"freebusy" and "ischedule" depend  on  "caldav"	 being
	      enabled.	 Allowed  values:  admin,  caldav,  carddav,  cgi, do-
	      mainkey, freebusy, ischedule,  jmap,  prometheus,	 rss,  tzdist,
	      webdav

	  httpprettytelemetry: 0
	      If  enabled,  HTTP  response payloads including server-generated
	      markup languages (HTML, XML) will	utilize	line breaks and	inden-
	      tation  to  promote  better human-readability in telemetry logs.
	      Note that	enabling this option will increase the amount of  data
	      sent across the wire.

	  httptimeout: 5m
	      Set the length of	the HTTP server's inactivity autologout	timer.
	      The default is 5 minutes.	 The minimum value is  0,  which  will
	      disable persistent connections.

	      For backwards compatibility, if no unit is specified, minutes is
	      assumed.

	  idlesocket: {configdirectory}/socket/idle
	      Unix domain socket that idled listens on.

	  ignorereference: 0
	      For backwards compatibility with Cyrus 1.5.10 and	earlier	-- ig-
	      nore the reference argument in LIST or LSUB commands.

	  imapidlepoll:	60s
	      The  interval  for  polling for mailbox changes and ALERTs while
	      running the IDLE command.	 This option is	used when idled	is not
	      enabled  or cannot be contacted.	The minimum value is 1 second.
	      A	value of 0 will	disable	IDLE.

	      For backward compatibility, if no	unit is	specified, seconds  is
	      assumed.

	  imapidresponse: 1
	      If  enabled, the server responds to an ID	command	with a parame-
	      ter list containing: version, vendor, support-url,  os,  os-ver-
	      sion, command, arguments,	environment.  Otherwise	the server re-
	      turns NIL.

	  imapmagicplus: 0
	      Only list	a restricted  set  of  mailboxes  via  IMAP  by	 using
	      userid+namespace	syntax as the authentication/authorization id.
	      Using userid+ (with an empty  namespace)	will  list  only  sub-
	      scribed mailboxes.

	  imipnotifier:	<none>
	      Notifyd(8)  method  to  use  for	"IMIP" notifications which are
	      based on the RFC 6047.  If not  set,  "IMIP"  notifications  are
	      disabled.

	  implicit_owner_rights: lkxan
	      The  implicit Access Control List	(ACL) for the owner of a mail-
	      box.

	  @include: <none>
	      Directive	which includes the specified file as part of the  con-
	      figuration.  If the path to the file is not absolute, CYRUS_PATH
	      is prepended.

	  improved_mboxlist_sort: 0
	      If enabled, a special comparator will be used  which  will  cor-
	      rectly  sort  mailbox  names that	contain	characters such	as ' '
	      and '-'.

	      Note that	this option SHOULD NOT be changed on  a	 live  system.
	      The  mailboxes  database	should be dumped (ctl_mboxlist)	before
	      the option is changed, removed, and then undumped	after changing
	      the  option.   When  not	using flat files for the subscriptions
	      databases	the same has to	be done	 (cyr_dbtool)  for  each  sub-
	      scription	database See improved_mboxlist_sort.html.

	  jmap_emailsearch_db_path: <none>
	      The  absolute  path to the JMAP email search cache file.	If not
	      specified, JMAP  Email/query  and	 Email/queryChanges  will  not
	      cache email search results.

	  jmap_preview_annot: <none>
	      The name of the per-message annotation, if any, to store message
	      previews.

	  jmap_imagesize_annot:	<none>
	      The name of the per-message annotation, if any,  that  stores  a
	      JSON object, mapping message part	numbers	of MIME	image types to
	      an array of their	image dimensions. The array must have at least
	      two  entries,  where  the	 first entry denotes the width and the
	      second entry the height of the image. Any	additional values  are
	      ignored.

	      For  example, if message part 1.2	contains an image of width 300
	      and height 200, then the value of	this annotation	would be:

	      {	"1.2" :	[ 300, 200 ] }

	  jmap_inlinedcids_annot: <none>
	      The name of the per-message annotation, if any,  that  stores  a
	      JSON  object,  mapping  RFC  2392	Content-IDs referenced in HTML
	      bodies to	the respective HTML body part number.

	      For example, if message part 1.2 contains	HTML and references an
	      inlined  image  at  "cid:foo", then the value of this annotation
	      would be:

	      {	"<foo>"	: "1.2"	}

	      Note that	the Content-ID key must	be URL-unescaped and  enclosed
	      in angular brackets, as defined in RFC 2392.

	  jmap_preview_length: 64
	      The  maximum  byte  length of dynamically	generated message pre-
	      views. Previews stored in	jmap_preview_annot take	precedence.

	  jmap_max_size_upload:	1048576
	      The maximum size (in kilobytes) that the JMAP  API  accepts  for
	      blob  uploads.  Returned	as the maxSizeUpload property value of
	      the JMAP "urn:ietf:params:jmap:core" capabilities	 object.   De-
	      fault is 1Gb.

	  jmap_max_concurrent_upload: 5
	      The  value to return for the maxConcurrentUpload property	of the
	      JMAP "urn:ietf:params:jmap:core" capabilities object. The	 Cyrus
	      JMAP implementation does not enforce this	rate-limit.

	  jmap_max_size_request: 10240
	      The  maximum  size  (in kilobytes) that the JMAP API accepts for
	      requests at the API endpoint.  Returned  as  the	maxSizeRequest
	      property value of	the JMAP "urn:ietf:params:jmap:core" capabili-
	      ties object. Default is 10Mb.

	  jmap_max_concurrent_requests:	5
	      The value	to return for the  maxConcurrentRequests  property  of
	      the  JMAP	 "urn:ietf:params:jmap:core"  capabilities object. The
	      Cyrus JMAP implementation	does not enforce this rate-limit.

	  jmap_max_calls_in_request: 50
	      The maximum number of calls per JMAP request  object.   Returned
	      as   the	 maxCallsInRequest  property  value  of	 the  JMAP  "-
	      urn:ietf:params:jmap:core" capabilities object.

	  jmap_max_delayed_send: 512d
	      The value	to return for the maxDelayedSend property of the  JMAP
	      "urn:ietf:params:jmap:emailsubmission" capabilities object.  The
	      Cyrus JMAP implementation	does not enforce this limit.

	      For backward compatibility, if no	unit is	specified, seconds  is
	      assumed.

	  jmap_max_objects_in_get: 4096
	      The  maximum  number  of ids that	a JMAP client may request in a
	      single "/get" type method	call. The actual  number  of  returned
	      objects  in  the response	may exceed this	number if the JMAP ob-
	      ject type	supports unbounded  "/get"  calls.   Returned  as  the
	      maxObjectsInGet	  property    value    of    the    JMAP    "-
	      urn:ietf:params:jmap:core" capabilities object.

	  jmap_max_objects_in_set: 4096
	      The maximum number of objects a JMAP client may send to  create,
	      update  or  destroy in a single /set type	method call.  Returned
	      as  the  maxObjectsInSet	property  value	  of   the   JMAP   "-
	      urn:ietf:params:jmap:core" capabilities object.

	  jmap_mail_max_size_attachments_per_email: 10240
	      The  value  (in  kilobytes)  to  return  for  the	maxSizeAttach-
	      mentsPerEmail property of	the  JMAP  "urn:ietf:params:jmap:mail"
	      capabilities  object. The	Cyrus JMAP implementation does not en-
	      force this size limit. Default is	10 Mb.

	  jmap_nonstandard_extensions: 0
	      If enabled, support non-standard JMAP extensions.	  If  not  en-
	      abled, only IETF standard	JMAP functionality is supported.

	  jmap_set_has_attachment: 1
	      If  enabled,  the	 $hasAttachment	flag is	determined and set for
	      new messages created with	the  JMAP  Email/set  or  Email/import
	      methods.	This option should typically be	enabled, but installa-
	      tions using Cyrus-external message annatotors to	determine  the
	      $hasAttachment flag might	want to	disable	it.

	  jmap_vacation: 1
	      If enabled, support the JMAP vacation extension

	  jmapuploadfolder: #jmap
	      the name of the folder for JMAP uploads (#jmap)

	  jmapsubmission_deleteonsend: 1
	      If enabled (the default) then delete the EmailSubmission as soon
	      as the email * has been sent

	  jmapsubmissionfolder:	#jmapsubmission
	      the name of the folder for JMAP Submissions (#jmapsubmission)

	  jmappushsubscriptionfolder: #jmappushsubscription
	      the name of the folder for JMAP Push  Subscriptions  (#jmappush-
	      subscription)

	  iolog: 0
	      Should cyrus output I/O log entries

	  ldap_authz: <none>
	      SASL authorization ID for	the LDAP server

	  ldap_base: <empty string>
	      Contains the LDAP	base dn	for the	LDAP ptloader module

	  ldap_bind_dn:	<none>
	      Bind DN for the connection to the	LDAP server (simple bind).  Do
	      not use for anonymous simple binds

	  ldap_deref: never
	      Specify how aliases dereferencing	is handled during search.

	      Allowed values: search, find, always, never

	  ldap_domain_base_dn: <empty string>
	      Base DN to search	for domain name	spaces.

	  ldap_domain_filter:  (&(objectclass=domainrelatedobject)(associated-
	  domain=%s))
	      Filter to	use searching for domains

	  ldap_domain_name_attribute: associateddomain
	      The attribute name for domains.

	  ldap_domain_scope: sub
	      Search scope

	      Allowed values: sub, one,	base

	  ldap_domain_result_attribute:	inetdomainbasedn
	      Result attribute

	  ldap_filter: (uid=%u)
	      Specify  a filter	that searches user identifiers.	 The following
	      tokens can be used in the	filter string:

	      %%   = % %u   = user %U	= user portion of %u (%U =  test  when
	      %u  =  test@domain.tld) %d   = domain portion of %u if available
	      (%d = domain.tld when %u = test@domain.tld), otherwise  same  as
	      %R %R   =	domain portion of %u starting with @ (%R = @domain.tld
	      when %u =	test@domain.tld) %D   =	user dn.  (use when  ldap_mem-
	      ber_method:  filter) %1-9	= domain tokens	(%1 = tld, %2 =	domain
	      when %d =	domain.tld)

	      ldap_filter is not used when ldap_sasl is	enabled.

	  ldap_group_base: <empty string>
	      LDAP base	dn for ldap_group_filter.

	  ldap_group_filter: (cn=%u)
	      Specify a	filter	that  searches	for  group  identifiers.   See
	      ldap_filter for more options.

	  ldap_group_scope: sub
	      Specify search scope for ldap_group_filter.

	      Allowed values: sub, one,	base

	  ldap_id: <none>
	      SASL authentication ID for the LDAP server

	  ldap_mech: <none>
	      SASL mechanism for LDAP authentication

	  ldap_user_attribute: <none>
	      Specify LDAP attribute to	use as canonical user id

	  ldap_member_attribute: <none>
	      See ldap_member_method.

	  ldap_member_base: <empty string>
	      LDAP base	dn for ldap_member_filter.

	  ldap_member_filter: (member=%D)
	      Specify	a   filter   for  "ldap_member_method:	filter".   See
	      ldap_filter for more options.

	  ldap_member_method: attribute
	      Specify a	group method.  The "attribute" method retrieves	groups
	      from  a  multi-valued  attribute specified in ldap_member_attri-
	      bute.

	      The "filter" method uses a filter, specified by ldap_member_fil-
	      ter, to find groups; ldap_member_attribute is a single-value at-
	      tribute group name.  Allowed values: attribute, filter

	  ldap_member_scope: sub
	      Specify search scope for ldap_member_filter.

	      Allowed values: sub, one,	base

	  ldap_password: <none>
	      Password for the connection to the LDAP server (SASL and	simple
	      bind).  Do not use for anonymous simple binds

	  ldap_realm: <none>
	      SASL realm for LDAP authentication

	  ldap_referrals: 0
	      Specify whether or not the client	should follow referrals.

	  ldap_restart:	1
	      Specify  whether	or  not	 LDAP I/O operations are automatically
	      restarted	if they	abort prematurely.

	  ldap_sasl: 1
	      Use SASL for LDAP	binds in the LDAP PTS module.

	  ldap_sasl_authc: <none>
	      Deprecated.  Use ldap_id

	  ldap_sasl_authz: <none>
	      Deprecated.  Use ldap_authz

	  ldap_sasl_mech: <none>
	      Deprecated.  Use ldap_mech

	  ldap_sasl_password: <none>
	      Deprecated.  User	ldap_password

	  ldap_sasl_realm: <none>
	      Deprecated.  Use ldap_realm

	  ldap_scope: sub
	      Specify search scope.

	      Allowed values: sub, one,	base

	  ldap_servers:	ldap://localhost/
	      Deprecated.  Use ldap_uri

	  ldap_size_limit: 1
	      Specify a	number of entries for a	search request to return.

	  ldap_start_tls: 0
	      Use transport layer security for ldap:// using STARTTLS. Do  not
	      use ldaps:// in 'ldap_uri' with this option enabled.

	  ldap_time_limit: 5s
	      How long to wait for a search request to complete.

	      For  backward compatibility, if no unit is specified, seconds is
	      assumed.

	  ldap_timeout:	5s
	      How long a search	can take before	timing out.

	      For backward compatibility, if no	unit is	specified, seconds  is
	      assumed.

	  ldap_ca_dir: <none>
	      Path  to	a  directory  with CA (Certificate Authority) certifi-
	      cates.

	  ldap_ca_file:	<none>
	      Patch to a file containing CA (Certificate  Authority)  certifi-
	      cate(s).

	  ldap_ciphers:	<none>
	      List  of	SSL/TLS	ciphers	to allow.  The format of the string is
	      described	in ciphers(1).

	  ldap_client_cert: <none>
	      File containing the client certificate.

	  ldap_client_key: <none>
	      File containing the private client key.

	  ldap_verify_peer: 0
	      Require and verify server	certificate.  If this option  is  yes,
	      you must specify ldap_ca_file or ldap_ca_dir.

	  ldap_tls_cacert_dir: <none>
	      Deprecated in favor of ldap_ca_dir.

	  ldap_tls_cacert_file:	<none>
	      Deprecated in favor of ldap_ca_file.

	  ldap_tls_cert: <none>
	      Deprecated in favor of ldap_client_cert.

	  ldap_tls_key:	<none>
	      Deprecated in favor of ldap_client_key.

	  ldap_tls_check_peer: 0
	      Deprecated in favor of ldap_verify_peer.

	  ldap_tls_ciphers: <none>
	      Deprecated in favor of ldap_ciphers.

	  ldap_uri: <none>
	      Contains	a  list	of the URLs of all the LDAP servers when using
	      the LDAP PTS module.

	  ldap_version:	3
	      Specify the LDAP protocol	 version.   If	ldap_start_tls	and/or
	      ldap_use_sasl  are  enabled,  ldap_version will be automatically
	      set to 3.

	  literalminus:	0
	      if enabled, CAPABILITIES will reply with	LITERAL-  rather  than
	      LITERAL+	(RFC  7888).   Doesn't	actually size-restrict uploads
	      though

	  lmtp_downcase_rcpt: 1
	      If enabled, lmtpd	will convert the recipient addresses to	lower-
	      case (up to a '+'	character, if present).

	  lmtp_exclude_specialuse: \Snoozed
	      Don't  allow  delivery  to  folders  with	 given special-use at-
	      tributes.

	      Note that	"snoozing" of emails can currently only	 be  done  via
	      the  JMAP	 protocol, so delivery directly	to the Snoozed mailbox
	      is prohibited by default as it will not be moved back into INBOX
	      automatically.

	  lmtp_fuzzy_mailbox_match: 0
	      If  enabled, and the mailbox specified in	the detail part	of the
	      recipient	(everything after the '+') does	not exist, lmtpd  will
	      try  to  find  the closest match (ignoring case, ignoring	white-
	      space, falling back to parent) to	the specified mailbox name.

	  lmtp_over_quota_perm_failure:	0
	      If enabled, lmtpd	returns	a permanent failure code when a	user's
	      mailbox  is  over	 quota.	 By default, the failure is temporary,
	      causing the MTA to queue the message and retry later.

	  lmtp_strict_quota: 0
	      If enabled, lmtpd	returns	a failure code when the	incoming  mes-
	      sage  will cause the user's mailbox to exceed its	quota.	By de-
	      fault, the failure won't occur until the mailbox is already over
	      quota.

	  lmtp_strict_rfc2821: 1
	      By  default, lmtpd will be strict	(per RFC 2821) with regards to
	      which envelope addresses are allowed.  If	this option is set  to
	      false,  8bit  characters in the local-part of envelope addresses
	      are changed to 'X' instead.  This	is useful to avoid  generating
	      backscatter  with	certain	MTAs like Postfix or Exim which	accept
	      such messages.

	  lmtpsocket: {configdirectory}/socket/lmtp
	      Unix domain socket that lmtpd listens on,	 used  by  deliver(8).
	      This should match	the path specified in cyrus.conf(5).

	  lmtptxn_timeout: 5m
	      Timeout used during a lmtp transaction to	a remote backend (e.g.
	      in a murder environment).	 Can be	used to	prevent	hung lmtpds on
	      proxy  hosts when	a backend server becomes unresponsive during a
	      lmtp transaction.	 The default is	5 minutes - change to zero for
	      infinite.

	      For  backward compatibility, if no unit is specified, seconds is
	      assumed.

	  lock_debugtime: <none>
	      A	floating point number of seconds.  If set, time	 how  long  we
	      wait  for	 any  lock,  and  syslog the filename and time if it's
	      longer than this value.  The default of NULL means not  to  time
	      locks.

	  loginrealms: <empty string>
	      The  list	 of  remote  realms whose users	may authenticate using
	      cross-realm authentication  identifiers.	 Separate  each	 realm
	      name  by	a  space.   (A	cross-realm identity is	considered any
	      identity returned	by SASL	with an	"@" in it.).

	  loginuseacl: 0
	      If enabled, any authentication identity which has	a rights on  a
	      user's INBOX may log in as that user.

	  logtimestamps: 0
	      Include  notations in the	protocol telemetry logs	indicating the
	      number of	seconds	since the last command or response.

	  mailbox_default_options: 0
	      Default "options"	field for the mailbox on create.  You'll  want
	      to  know what you're doing before	setting	this, but it can apply
	      some default annotations like duplicate suppression

	  mailbox_initial_flags: <none>
	      space-separated list of permanent	flags which will be pre-set in
	      every  newly created mailbox.  If	you know you will require par-
	      ticular flag names then this avoids a  possible  race  condition
	      against a	client that fills the entire 128 available slots.  De-
	      fault is NULL, which is no flags.	 Example: $Label1 $Label2 $La-
	      bel3 NotSpam Spam

	  mailnotifier:	<none>
	      Notifyd(8)  method to use	for "MAIL" notifications.  If not set,
	      "MAIL" notifications are disabled.

	  master_bind_errors_fatal: 0
	      If enabled, failure to bind a port during	startup	is treated  as
	      a	fatal error, causing master to shut down immediately.  The de-
	      fault is to keep running,	with the affected service disabled un-
	      til the next SIGHUP causes it to retry.

	      Note  that  this only applies during startup.  New services that
	      fail to come up in response to a reconfig+SIGHUP	will  just  be
	      logged  and disabled like	the default behaviour, without causing
	      master to	exit.

	  maxheaderlines: 1000
	      Maximum number of	lines of header	that will  be  processed  into
	      cache  records.  Default 1000.  If set to	zero, it is unlimited.
	      If a message hits	the limit, an error will  be  logged  and  the
	      rest  of	the  lines  in the header will be skipped.  This is to
	      avoid malformed messages causing giant cache records

	  maxlogins_per_host: 0
	      Maximum number of	logged in  sessions  allowed  per  host,  zero
	      means no limit

	  maxlogins_per_user: 0
	      Maximum  number  of  logged  in  sessions	allowed	per user, zero
	      means no limit

	  maxmessagesize: 0
	      Maximum incoming LMTP message size.  If non-zero,	lmtpd will re-
	      ject  messages  larger  than maxmessagesize bytes.  If set to 0,
	      this will	allow messages of any size (the	default).

	  maxquoted: 131072
	      Maximum size of a	single quoted string for the parser.   Default
	      128k

	  maxword: 131072
	      Maximum size of a	single word for	the parser.  Default 128k

	  mboxkey_db: twoskip
	      The cyrusdb backend to use for mailbox keys.

	      Allowed values: skiplist,	twoskip, zeroskip

	  mboxlist_db: twoskip
	      The cyrusdb backend to use for the mailbox list.

	      Allowed values: flat, skiplist, sql, twoskip, zeroskip

	  mboxlist_db_path: <none>
	      The  absolute  path  to the mailboxes db file.  If not specified
	      will be configdirectory/mailboxes.db

	  mboxname_lockpath: <none>
	      Path to mailbox name lock	files (default $conf/lock)

	  metapartition_files: <empty string>
	      Space-separated list of metadata files to	be stored on  a	 meta-
	      partition	rather than in the mailbox directory on	a spool	parti-
	      tion.  Allowed values: header, index, cache, expunge, squat, an-
	      notations, lock, dav, archivecache

	  metapartition-name: <none>
	      The  pathname  of	 the metadata partition	name, corresponding to
	      spool partition partition-name.  For any mailbox residing	 in  a
	      directory	 on partition-name, the	metadata files listed in meta-
	      partition_files will be stored in	a corresponding	 directory  on
	      metapartition-name.    Note that not every partition-name	option
	      is required to have a corresponding  metapartition-name  option,
	      so  that	you can	selectively choose which spool partitions will
	      have separate metadata partitions.

	  mupdate_authname: <none>
	      The SASL username	(Authentication	Name) to use when authenticat-
	      ing to the mupdate server	(if needed).

	  mupdate_config: standard
	      The  configuration  of  the mupdate servers in the Cyrus Murder.
	      The "standard" config is one in which there are discreet	front-
	      end (proxy) and backend servers.	The "unified" config is	one in
	      which a server can be both a frontend and	backend.  The  "repli-
	      cated" config is one in which multiple backend servers all share
	      the same mailspool, but each have	their own "replicated" copy of
	      mailboxes.db.  Allowed values: standard, unified,	replicated

	  munge8bit: 1
	      If  enabled,  lmtpd munges messages with 8-bit characters	in the
	      headers.	The 8-bit characters  are  changed  to	`X'.   If  re-
	      ject8bit is enabled, setting munge8bit has no effect.  (A	proper
	      solution to non-ASCII characters in headers is  offered  by  RFC
	      2047 and its predecessors.)

	  mupdate_connections_max: 128
	      The max number of	connections that a mupdate process will	allow,
	      this is related to the number of file descriptors	in the mupdate
	      process.	Beyond this number connections will be immediately is-
	      sued a BYE response.

	  mupdate_password: <none>
	      The SASL password	(if needed) to use when	authenticating to  the
	      mupdate server.

	  mupdate_port:	3905
	      The port of the mupdate server for the Cyrus Murder

	  mupdate_realm: <none>
	      The  SASL	 realm	(if  needed) to	use when authenticating	to the
	      mupdate server.

	  mupdate_retry_delay: 20
	      The base time to wait between connection retries to the  mupdate
	      server.

	  mupdate_server: <none>
	      The mupdate server for the Cyrus Murder

	  mupdate_username: <empty string>
	      The  SASL	username (Authorization	Name) to use when authenticat-
	      ing to the mupdate server

	  mupdate_workers_max: 50
	      The maximum number of mupdate worker threads (overall)

	  mupdate_workers_maxspare: 10
	      The maximum number of idle mupdate worker	threads

	  mupdate_workers_minspare: 2
	      The minimum number of idle mupdate worker	threads

	  mupdate_workers_start: 5
	      The number of mupdate worker threads to start

	  netscapeurl: <none>
	      If enabled at compile time, this specifies a URL to  reply  when
	      Netscape	asks  the  server  where  the mail administration HTTP
	      server is.  Administrators should	set this to a local resource.

	  newsaddheaders: to
	      Space-separated list of headers to be added to  incoming	usenet
	      articles.	  Added	 To:  headers  will contain email delivery ad-
	      dresses corresponding  to	 each  newsgroup  in  the  Newsgroups:
	      header.  Added Reply-To: headers will contain email delivery ad-
	      dresses corresponding to each newsgroup in the  Followup-To:  or
	      Newsgroups: header.  If the specified header(s) already exist in
	      an article, the email delivery addresses will be appended	to the
	      original header body(s).

	      This  option  applies  if	and only if the	newspostuser option is
	      set.  Allowed values: to,	replyto

	  newsgroups: *
	      A	wildmat	pattern	specifying which mailbox hierarchies should be
	      treated as newsgroups.  Only mailboxes matching the wildmat will
	      accept and/or serve articles via NNTP.  If not  set,  a  default
	      wildmat  of  "*"	(ALL  shared  mailboxes) will be used.	If the
	      newsprefix option	is also	 set,  the  default  wildmat  will  be
	      translated to "<newsprefix>.*"

	  newsmaster: news
	      Userid  that is used for checking	access controls	when executing
	      Usenet control messages.	For instance, to allow articles	to  be
	      automatically  deleted  by cancel	messages, give the "news" user
	      the 'd' right on the desired mailboxes.  To allow	newsgroups  to
	      be automatically created,	deleted	and renamed by the correspond-
	      ing control messages, give the "news" user the 'c' right on  the
	      desired mailbox hierarchies.

	  newspeer: <none>
	      A	 list  of  whitespace-separated	 news server specifications to
	      which articles should be fed.  Each server  specification	 is  a
	      string  of  the  form  [user[:pass]@]host[:port][/wildmat] where
	      'host' is	the fully qualified hostname of	the server, 'port'  is
	      the port on which	the server is listening, 'user'	and 'pass' are
	      the authentication credentials and 'wildmat' is a	 pattern  that
	      specifies	 which	groups	should be fed.	If no 'port' is	speci-
	      fied, port 119 is	used.	If  no	'wildmat'  is  specified,  all
	      groups  are  fed.	  If 'user' is specified (even if empty), then
	      the NNTP POST command will be used to feed the  article  to  the
	      server, otherwise	the IHAVE command will be used.

	      A	 '@'  may  be  used  in	place of '!' in	the wildmat to prevent
	      feeding articles cross-posted  to	 the  given  group,  otherwise
	      cross-posted  articles  are  fed	if  any	 part  of  the wildmat
	      matches.	 For  example,	the  string  "peer.example.com:*,!con-
	      trol.*,@local.*"	would  feed all	groups except control messages
	      and  local  groups  to  peer.example.com.	  In   the   case   of
	      cross-posting to local groups, these articles would not be fed.

	  newspostuser:	<none>
	      Userid  used  to	deliver	 usenet	 articles to newsgroup folders
	      (usually via lmtp2nntp).	For example, if	set to	"post",	 email
	      sent   to	  "post+comp.mail.imap"	 would	be  delivered  to  the
	      "comp.mail.imap" folder.

	      When set,	the Cyrus NNTP server will add the header(s) specified
	      in  the  newsaddheaders  option to each incoming usenet article.
	      The added	header(s) will contain email delivery addresses	corre-
	      sponding to each relevant	newsgroup.  If not set,	no headers are
	      added to usenet articles.

	  newsprefix: <none>
	      Prefix to	be prepended to	newsgroup names	 to  make  the	corre-
	      sponding IMAP mailbox names.

	  newsrc_db_path: <none>
	      The absolute path	to the newsrc db file.	If not specified, will
	      be configdirectory/fetchnews.db

	  nntptimeout: 3m
	      Set the length of	the NNTP server's inactivity autologout	timer.
	      The minimum value	is 3 minutes, also the default.

	      For  backward compatibility, if no unit is specified, minutes is
	      assumed.

	  notesmailbox:	<none>
	      The top level mailbox in each user's account which  is  used  to
	      store * Apple-style Notes.  Default is blank (disabled)

	  notifysocket:	{configdirectory}/socket/notify
	      Unix domain socket that the mail notification daemon listens on.

	  notify_external: <none>
	      Path  to	the external program that notifyd(8) will call to send
	      mail notifications.

	      The external program will	be called with the  following  command
	      line options:

		 -c class

		 -p priority

		 -u user

		 -m mailbox

		 And the notification message will be available	on stdin.

	  partition-name: <none>
	      The  pathname  of	 the  partition	 name.	At least one partition
	      pathname MUST be specified.  If the defaultpartition  option  is
	      used,  then its pathname MUST be specified.  For example,	if the
	      value of the defaultpartion option is  part1,  then  the	parti-
	      tion-part1 field is required.

	  partition_select_mode: freespace-most
	      Partition	selection mode.

	      random (pseudo-)random selection

	      freespace-most
		     partition with the	most free space	(KiB)

	      freespace-percent-most
		     partition with the	most free space	(%)

	      freespace-percent-weighted
		     each  partition  is  weighted according to	its free space
		     (%); the more free	space  the  partition  has,  the  more
		     chances it	has to be selected

	      freespace-percent-weighted-delta
		     each partition is weighted	according to its difference of
		     free space	(%) compared to	the most used  partition;  the
		     more the partition	is lagging behind the most used	parti-
		     tion, the more chances it has to be selected

		     Note that actually	even the most used partition has a few
		     chances  to  be selected, and those chances increase when
		     other partitions get closer

		     Allowed values:  random,  freespace-most,	freespace-per-
		     cent-most,	  freespace-percent-weighted,	freespace-per-
		     cent-weighted-delta

	  partition_select_exclude: <none>
	      List of partitions to exclude from selection mode.

	  partition_select_usage_reinit: 0
	      For a given session, number of operations	(e.g. partition	selec-
	      tion) for	which partitions usage data are	cached.

	  partition_select_soft_usage_limit: 0
	      Limit of partition usage (%): if a partition is over that	limit,
	      it is automatically excluded from	selection mode.

	      If all partitions	are over that limit, this feature is not  used
	      anymore.

	  plaintextloginpause: <none>
	      Time  to	pause after a successful plaintext login.  For systems
	      that support strong authentication, this permits users  to  per-
	      ceive  a	cost of	using plaintext	passwords.  (This does not af-
	      fect the use of PLAIN in SASL authentications.)

	      For backward compatibility, if no	unit is	specified, seconds  is
	      assumed.

	  plaintextloginalert: <none>
	      Message to send to client	after a	successful plaintext login.

	  popexpiretime: -1
	      The  duration  advertised	 as being the minimum a	message	may be
	      left on the POP server before it is deleted (via the  CAPA  com-
	      mand,  defined  in  the  POP3  Extension	Mechanism,  which some
	      clients may support).  This duration has a granularity of	 whole
	      days,  with partial days truncated (so e.g. "45m"	is effectively
	      "0d").  "NEVER", the default, may	be specified with  a  negative
	      number.

	      The  Cyrus  POP3	server	never deletes mail, no matter what the
	      value of this parameter is.  However, if	a  site	 implements  a
	      less  liberal  policy, it	needs to change	this parameter accord-
	      ingly.

	      For backward compatibility, if no	unit is	specified, days	is as-
	      sumed.

	  popminpoll: <none>
	      Set  the	minimum	amount of time the server forces users to wait
	      between successive POP logins.

	      For backward compatibility, if no	unit is	specified, minutes  is
	      assumed.

	  popsubfolders: 0
	      Allow   access   to  subfolders  of  INBOX  via  POP3  by	 using
	      userid+subfolder syntax as the authentication/authorization id.

	  poppollpadding: 1
	      Create a softer minimum poll restriction.	 Allows	poppollpadding
	      connections  before the minpoll restriction is triggered.	 Addi-
	      tionally,	one padding entry is recovered every  popminpoll  min-
	      utes.   This  allows for the occasional polling rate faster than
	      popminpoll, (i.e., for clients that require  a  send/receive  to
	      send  mail) but still enforces the rate long-term.  Default is 1
	      (disabled).

	      The easiest way to think of it is	a queue	of  past  connections,
	      with  one	 slot  being filled for	every connection, and one slot
	      being cleared every popminpoll minutes. When the queue is	 full,
	      the  user	 will  not be able to check mail again until a slot is
	      cleared.	If the user waits a sufficient amount  of  time,  they
	      will get back many or all	of the slots.

	  poptimeout: 10m
	      Set  the length of the POP server's inactivity autologout	timer.
	      The minimum value	is 10 minutes, the default.

	      For backward compatibility, if no	unit is	specified, minutes  is
	      assumed.

	  popuseacl: 0
	      Enforce  IMAP  ACLs in the pop server.  Due to the nature	of the
	      POP3 protocol, the only rights which are used by the pop	server
	      are  'r',	 't',  and  's'	for the	owner of the mailbox.  The 'r'
	      right allows the user to open the	mailbox	and list/retrieve mes-
	      sages.   The  't'	right allows the user to delete	messages.  The
	      's' right	allows messages	retrieved by  the  user	 to  have  the
	      \Seen flag set (only if popuseimapflags is also enabled).

	  popuseimapflags: 0
	      If  enabled,  the	pop server will	set and	obey IMAP flags.  Mes-
	      sages having the \Deleted	flag are ignored as if they do not ex-
	      ist.   Messages  that  are retrieved by the client will have the
	      \Seen flag set.  All messages will have the \Recent flag unset.

	  postmaster: postmaster
	      Username that is used as the 'From' address  in  rejection  MDNs
	      produced by sieve.

	  postuser: <empty string>
	      Userid used to deliver messages to shared	folders.  For example,
	      if set to	"bb", email sent to "bb+shared.blah" would  be	deliv-
	      ered  to the "shared.blah" folder.  By default, an email address
	      of "+shared.blah"	would be used.

	  proc_path: <none>
	      Path to proc directory.  Default is NULL - must be  an  absolute
	      path  if	specified.   If	 not specified,	the path $configdirec-
	      tory/proc/ will be used.

	  prometheus_enabled: 0
	      Whether tracking of service metrics for Prometheus is enabled.

	  prometheus_need_auth:	admin
	      Authentication level required to fetch Prometheus	metrics.

	      Allowed values: none, user, admin

	  prometheus_update_freq: 10s
	      Frequency	in at which promstatsd should re-collate  its  statis-
	      tics  report.   The minimum value	is 1 second, the default is 10
	      seconds.

	      For backward compatibility, if no	unit is	specified, seconds  is
	      assumed.

	  prometheus_stats_dir:	<none>
	      Directory	to use for gathering prometheus	statistics.  If	speci-
	      fied, must be an absolute	path.  If not specified,  the  default
	      path  $configdirectory/stats/  will be used.  It may be advanta-
	      geous to locate this directory on	ephemeral storage.

	  proxy_authname: proxy
	      The authentication name to use when authenticating to a  backend
	      server in	the Cyrus Murder.

	  proxy_compress: 0
	      Try  to  enable  protocol-specific compression when performing a
	      client connection	to a backend server in the Cyrus Murder.

	      Note that	this should only be necessary over slow	 network  con-
	      nections.	  Also	note that currently only IMAP and MUPDATE sup-
	      port compression.

	  proxy_password: <none>
	      The default password to use when	authenticating	to  a  backend
	      server  in  the  Cyrus Murder.  May be overridden	on a host-spe-
	      cific basis using	the hostname_password option.

	  proxy_realm: <none>
	      The authentication realm to use when authenticating to a backend
	      server in	the Cyrus Murder

	  proxyd_allow_status_referral:	0
	      Set  to  true to allow proxyd to issue referrals to clients that
	      support it when answering	the STATUS command.  This is  disabled
	      by  default  since  some clients issue many STATUS commands in a
	      row, and do not cache the	connections that these referrals would
	      cause, thus resulting in a higher	authentication load on the re-
	      spective backend server.

	  proxyd_disable_mailbox_referrals: 0
	      Set to true to disable the use of	mailbox-referrals on the proxy
	      servers.

	  proxyservers:	<none>
	      A	 list  of users	and groups that	are allowed to proxy for other
	      users, separated by spaces.  Any user listed in this will	be al-
	      lowed to login for any other user: use with caution.  In a stan-
	      dard murder this option should ONLY be set on backends.  DO  NOT
	      SET on frontends or things won't work properly.

	  pts_module: afskrb
	      The PTS module to	use.

	      Allowed values: afskrb, ldap

	  ptloader_sock: <none>
	      Unix  domain socket that ptloader	listens	on.  (defaults to con-
	      figdirectory/ptclient/ptsock)

	  ptscache_db: twoskip
	      The cyrusdb backend to use for the pts cache.

	      Allowed values: skiplist,	twoskip, zeroskip

	  ptscache_db_path: <none>
	      The absolute path	to the ptscache	db file.   If  not  specified,
	      will be configdirectory/ptscache.db

	  ptscache_timeout: 3h
	      The   timeout   for  the	PTS  cache  database  when  using  the
	      auth_krb_pts authorization method	(default: 3 hours).

	      For backward compatibility, if no	unit is	specified, seconds  is
	      assumed.

	  ptskrb5_convert524: 1
	      When using the AFSKRB ptloader module with Kerberos 5 canonical-
	      ization, do the final 524	conversion to get a n AFS  style  name
	      (using '.' instead of '/', and using short names

	  ptskrb5_strip_default_realm: 1
	      When using the AFSKRB ptloader module with Kerberos 5 canonical-
	      ization, strip the default realm from the	userid (this does  not
	      affect  the  stripping  of realms	specified by the afspts_local-
	      realms option)

	  qosmarking: cs0
	      This specifies the Class	Selector  or  Differentiated  Services
	      Code  Point  designation	on IP headers (in the ToS field).  Al-
	      lowed values: cs0, cs1, cs2, cs3,	 cs4,  cs5,  cs6,  cs7,	 af11,
	      af12,  af13,  af21,  af22,  af23,	 af31, af32, af33, af41, af42,
	      af43, ef

	  quota_db: quotalegacy
	      The cyrusdb backend to use for quotas.

	      Allowed values: flat, skiplist, sql, quotalegacy,	 twoskip,  ze-
	      roskip

	  quota_db_path: <none>
	      The  absolute  path for the quota	database (if you choose	a sin-
	      gle-file quota DB	type - or the base path	if you choose quotale-
	      gacy).   If  not	specified will be configdirectory/quotas.db or
	      configdirectory/quota/

	  quotawarn: 90
	      The percent of quota utilization over which the server generates
	      warnings.

	  quotawarnkb: 0
	      The  maximum  amount  of	free  space (in	kB) at which to	give a
	      quota warning (if	this value is 0, or if the  quota  is  smaller
	      than this	amount,	then warnings are always given).

	  quotawarnmsg:	0
	      The  maximum amount of messages at which to give a quota warning
	      (if this value is	0, or  if  the	quota  is  smaller  than  this
	      amount, then warnings are	always given).

	  reject8bit: 0
	      If  enabled, lmtpd rejects messages with 8-bit characters	in the
	      headers.

	  restore_authname: <none>
	      The authentication used by the restore tool when	authenticating
	      to an IMAP/sync server.

	  restore_password: <none>
	      The  password used by the	restore	tool when authenticating to an
	      IMAP/sync	server.

	  restore_realm: <none>
	      The authentication realm used by the restore tool	when authenti-
	      cating to	an IMAP/sync server.

	  reverseacls: 0
	      At  startup  time,  ctl_cyrusdb  -r will check this value	and it
	      will either add or remove	reverse	ACL pointers from mailboxes.db

	  rfc2046_strict: 0
	      If enabled, imapd	will be	strict (per RFC	 2046)	when  matching
	      MIME  boundary  strings.	 This means that boundaries containing
	      other boundaries as substrings will  be  treated	as  identical.
	      Since  enabling  this option will	break some messages created by
	      Eudora 5.1 (and earlier),	it is recommended that it be left dis-
	      abled unless there is good reason	to do otherwise.

	  rfc2047_utf8:	0
	      If  enabled, imapd will parse any	non-encoded character sequence
	      in MIME header values as UTF8. This is useful for	 installations
	      that  either  advertise the UTF8SMTP (RFC	5335) extension	or re-
	      ceive mails with improperly escaped UTF-8	byte sequences.	It  is
	      recommended  that	 this  option is left disabled unless there is
	      good reason to do	otherwise.

	  rfc3028_strict: 1
	      If enabled, Sieve	will be	strict (per RFC	3028) with regards  to
	      which  headers  are  allowed  to be used in address and envelope
	      tests.  This means that only those headers which are defined  to
	      contain addresses	will be	allowed	in address tests and only "to"
	      and "from" will be allowed in envelope  tests.   When  disabled,
	      ANY grammatically	correct	header will be allowed.

	  rss_feedlist_template: <none>
	      File  containing	HTML  that will	be used	as a template for dis-
	      playing the list of available RSS	feeds.	A single  instance  of
	      the  variable  %RSS_FEEDLIST%  should  appear in the file, which
	      will be replaced by a  nested  unordered	list  of  feeds.   The
	      toplevel unordered list will be tagged with an id	of "feed" (<ul
	      id='feed'>) which	can be used by stylesheet(s) in	your template.
	      The dynamically created list of feeds based on the HTML template
	      will be accessible at the	"/rss" URL on the server.

	  rss_feeds: *
	      A	wildmat	pattern	specifying which mailbox hierarchies should be
	      treated  as RSS feeds.  Only mailboxes matching the wildmat will
	      have their messages available via	RSS.  If not  set,  a  default
	      wildmat of "*" (ALL mailboxes) will be used.

	  rss_maxage: <none>
	      Maximum age of items to display in an RSS	channel.  If non-zero,
	      httpd will only display items received within this time  period.
	      If  set  to  0,  all  available items will be displayed (the de-
	      fault).

	      For backward compatibility, if no	unit is	specified, days	is as-
	      sumed.

	  rss_maxitems:	0
	      Maximum  number  of  items  to  display  in  an RSS channel.  If
	      non-zero,	httpd will display no more than	the rss_maxitems  most
	      recent  items.   If  set	to 0, all available items will be dis-
	      played (the default).

	  rss_maxsynopsis: 0
	      Maximum RSS item synopsis	length.	 If non-zero, httpd will  dis-
	      play  no	more  than  the	first rss_maxsynopsis characters of an
	      item's synopsis.	If set to 0, the entire	synopsis will be  dis-
	      played (the default).

	  rss_realm: <none>
	      The  realm  to present for HTTP authentication of	RSS feeds.  If
	      not set (the default), the value of the "servername" option will
	      be used.

	  sasl_auto_transition:	0
	      If enabled, the SASL library will	automatically create authenti-
	      cation secrets when given	a plaintext password.	See  the  SASL
	      documentation.

	  sasl_maximum_layer: 256
	      Maximum  SSF (security strength factor) that the server will al-
	      low a client to negotiate.

	  sasl_minimum_layer: 0
	      The minimum SSF that the server will allow a client  to  negoti-
	      ate.   A	value  of  1 requires integrity	protection; any	higher
	      value requires some amount of encryption.

	  sasl_option: 0
	      Any SASL option can be set by preceding  it  with	 sasl_.	  This
	      file overrides the SASL configuration file.

	  sasl_pwcheck_method: <none>
	      The  mechanism used by the server	to verify plaintext passwords.
	      Possible values include "auxprop", "saslauthd", and "pwcheck".

	  search_batchsize: 20
	      The number of messages to	be indexed in one batch	(default  20).
	      Note that	long batches may delay user commands or	mail delivery.

	  search_attachment_extractor_url: <none>
	      Reserved for future use.

	  search_index_language: 0
	      Reserved for future use.

	  search_index_parts: 0
	      Deprecated. No longer used.

	  search_query_language: 0
	      Reserved for future use.

	  search_normalisation_max: 1000
	      A	 resource  bound for the combinatorial explosion of search ex-
	      pression tree complexity caused by normalising expressions  with
	      many  OR	nodes.	 These	can use	more CPU time to optimise than
	      they save	IO time	in scanning folders.

	  search_engine: none
	      The indexing engine used to speed	up searching.

	      Allowed values: none, squat, xapian

	  search_fuzzy_always: 0
	      Whether to enable	RFC 6203 FUZZY search for all IMAP SEARCH.  If
	      turned on, search	attributes will	be searched using FUZZY	search
	      by default.  If turned off, clients have to explicitly  use  the
	      FUZZY  search key	to enable fuzzy	search for regular SEARCH com-
	      mands.

	  search_index_headers:	1
	      Whether to index headers other than From,	To, Cc,	Bcc, and  Sub-
	      ject.   Experiment  shows	that some headers such as Received and
	      DKIM-Signature can contribute up to 2/3rds of the	index size but
	      almost nothing to	the utility of searching.  Note	that is	header
	      indexing	is  disabled,  headers	can  still  be	searched,  the
	      searches will just be slower.

	  search_indexed_db: twoskip
	      The  cyrusdb  backend  to	 use for the search latest indexed uid
	      state.  Xapian only.

	      Allowed values: flat, skiplist, twoskip, zeroskip

	  search_maxtime: <none>
	      The maximum number of seconds to run a search for	before	abort-
	      ing.   Default  of  no  value means search "forever" until other
	      timeouts.

	  search_queryscan: 5000
	      The minimum number of records require to do a direct scan	of all
	      G	keys * rather than indexed lookups.  A value of	0 means	always
	      do indexed lookups.

	  search_skipdiacrit: 1
	      When searching, should diacriticals be stripped from the	search
	      terms.   The  default  is	 "true", a search for "hav" will match
	      "HAYvard".  This is not RFC 5051	compliant,  but	 it  backwards
	      compatible, and may be preferred by some sites.

	  search_skiphtml: 0
	      If enabled, HTML parts of	messages are skipped, i.e. not indexed
	      and not searchable.  Otherwise, they're indexed.

	  search_whitespace: merge
	      When searching, how whitespace should be handled.	 Options  are:
	      "skip"  (default in 2.3 and earlier series) - where a search for
	      "equi" would match "the quick brown fox".	  "merge"  -  the  de-
	      fault,  where  "he   qu" would match "the	quick	brownfox", and
	      "keep", where whitespace must match  exactly.   The  default  of
	      "merge"  is  recommended for most	cases -	it's a good compromise
	      which keeps words	separate.  Allowed values: skip, merge,	keep

	  search_snippet_length: 255
	      The maximum byte length of a snippet generated by	the  XSNIPPETS
	      command.	Only supported by the Xapian search backend, which at-
	      tempts to	always fill search_snippet_length bytes	in the	gener-
	      ated snippet.

	  search_stopword_path:	<none>
	      The  absolute  base  path	 to  the search	stopword lists.	If not
	      specified, no stopwords will be taken into account during	search
	      indexing.	 Currently,  the  only supported and default stop word
	      file is english.txt.

	  searchpartition-name:	<none>
	      The pathname  where  to  store  the  xapian  search  indexes  of
	      searchtier for mailboxes of partition name. This must be config-
	      ured for the defaultsearchtier and any  additional  search  tier
	      (see squatter for	details).

	      For  example:  if	 defaultpartition  is defined as part1 and de-
	      faultsearchtier as tier1 then the	configuration must contain  an
	      entry  tier1searchpartition-part1	that defines the path where to
	      store this tier1's search	index for the part1 partition.

	      This option MUST be specified for	xapian search.

	  seenstate_db:	twoskip
	      The cyrusdb backend to use for the seen state.

	      Allowed values: flat, skiplist, twoskip, zeroskip

	  sendmail: /usr/lib/sendmail
	      The pathname of the sendmail executable.	Sieve invokes sendmail
	      for sending rejections, redirects	and vacation responses.

	  sendmail_auth_id: CYRUS_SENDMAIL_AUTH_ID
	      The  name	 of an environment variable to set when	invoking send-
	      mail.  The value of this environment variable will  contain  the
	      user  id	of the currently authenticated user. If	no user	is au-
	      thenticated the environment variable is not set.

	  serverlist: <none>
	      Whitespace separated list	of backend  server  names.   Used  for
	      finding  server  with the	most available free space for proxying
	      CREATE.

	  serverlist_select_mode: freespace-most
	      Server selection mode.

	      random (pseudo-)random selection

	      freespace-most
		     backend with the most (total) free	space (KiB)

	      freespace-percent-most
		     backend whose partition has the most free space (%)

	      freespace-percent-weighted
		     same as for partition selection, comparing	the free space
		     (%) of the	least used partition of	each backend

	      freespace-percent-weighted-delta
		     same as for partition selection, comparing	the free space
		     (%) of the	least used partition of	each backend.

		     Allowed values:  random,  freespace-most,	freespace-per-
		     cent-most,	  freespace-percent-weighted,	freespace-per-
		     cent-weighted-delta

	  serverlist_select_usage_reinit: 0
	      For a given session, number of operations	(e.g.  backend	selec-
	      tion) for	which backend usage data are cached.

	  serverlist_select_soft_usage_limit: 0
	      Limit  of	backend	usage (%): if a	backend	is over	that limit, it
	      is automatically excluded	from selection mode.

	      If all backends are over that limit, this	feature	 is  not  used
	      anymore.

	  servername: <none>
	      This  is	the  hostname  visible in the greeting messages	of the
	      POP, IMAP	and LMTP daemons. If it	is unset, then the result  re-
	      turned from gethostname(2) is used.  This	is also	the value used
	      by murder	clusters to identify the host name.  It	should be  re-
	      solvable by DNS to the correct host, and unique within an	active
	      cluster.	If you are using low  level  replication  (e.g.	 drbd)
	      then  it should be the same on each copy and the DNS name	should
	      also be moved to the new master on failover.

	  serverinfo: on
	      The server information to	display	in the greeting	and capability
	      responses. Information is	displayed as follows:
		 "off" = no server information in the greeting or capabilities

		 "min"	= servername in	the greeting; no server	information in
		 the capabilities

		 "on" =	servername and product version in the greeting;	 prod-
		 uct version in	the capabilities

		 Allowed values: off, min, on

	  sharedprefix:	Shared Folders
	      If using the alternate IMAP namespace, the prefix	for the	shared
	      namespace.  The hierarchy	delimiter will	be  automatically  ap-
	      pended.

	  sieve_allowreferrals:	1
	      If  enabled,  timsieved will issue referrals to clients when the
	      user's scripts reside on a remote	server (in a Murder).	Other-
	      wise, timsieved will proxy traffic to the	remote server.

	  sieve_duplicate_max_expiration: 90d
	      Maximum expiration time for duplicate message tracking records.

	      For  backward compatibility, if no unit is specified, seconds is
	      assumed.

	  sieve_extensions:   fileinto	 reject	  vacation    vacation-seconds
	  imapflags  notify include envelope environment body relational regex
	  subaddress copy date index imap4flags	mailbox	 mboxmetadata  server-
	  metadata  variables  editheader  extlists  duplicate	ihave fcc spe-
	  cial-use  redirect-dsn  redirect-deliverby   mailboxid   x-cyrus-log
	  x-cyrus-jmapquery x-cyrus-snooze
	      Space-separated  list  of	Sieve extensions allowed to be used in
	      sieve scripts, enforced at submission by timsieved(8).  Any pre-
	      viously  installed  script will be unaffected by this option and
	      will continue to execute	regardless  of	the  extensions	 used.
	      This  option  has	no effect on options that are disabled at com-
	      pile time	(e.g., "regex").  Allowed  values:  fileinto,  reject,
	      vacation,	 vacation-seconds,  imapflags,	notify,	include, enve-
	      lope, environment, body, relational,  regex,  subaddress,	 copy,
	      date,  index, imap4flags,	mailbox, mboxmetadata, servermetadata,
	      variables, editheader, extlists,	duplicate,  ihave,  fcc,  spe-
	      cial-use,	    redirect-dsn,    redirect-deliverby,    mailboxid,
	      x-cyrus-log, x-cyrus-jmapquery, x-cyrus-snooze

	  sieve_maxscriptsize: 32
	      Maximum size (in kilobytes) any sieve script can be, enforced at
	      submission by timsieved(8).

	  sieve_maxscripts: 5
	      Maximum  number  of sieve	scripts	any user may have, enforced at
	      submission by timsieved(8).

	  sieve_utf8fileinto: 0
	      If enabled, the  sieve  engine  expects  folder  names  for  the
	      fileinto	action	in  scripts  to	use UTF8 encoding.  Otherwise,
	      modified UTF7 encoding should be used.

	  sieve_sasl_send_unsolicited_capability: 0
	      If enabled, timsieved will emit a	capability  response  after  a
	      successful   SASL	  authentication,   per	  draft-martin-manage-
	      sieve-12.txt .

	  sieve_use_lmtp_reject: 1
	      Enabled by default.  If reject can be done via LMTP, then	return
	      a	550 rather than	generating the bounce message in Cyrus.

	  sieve_vacation_min_response: 3d
	      Minimum  time  interval  between consecutive vacation responses,
	      per draft-ietf-vacation-seconds.txt.  The	default	is 3 days.

	      For backward compatibility, if no	unit is	specified, seconds  is
	      assumed.

	  sieve_vacation_max_response: 90d
	      Maximum  time  interval  between consecutive vacation responses,
	      per draft-ietf-vacation-seconds.txt.  The	default	 is  90	 days.
	      The minimum is 7 days.

	      For  backward compatibility, if no unit is specified, seconds is
	      assumed.

	  sievedir: /usr/sieve
	      If sieveusehomedir is false,  this  directory  is	 searched  for
	      Sieve scripts.

	  sievenotifier: <none>
	      Notifyd(8) method	to use for "SIEVE" notifications.  If not set,
	      "SIEVE" notifications are	disabled.

	      This method is only used when no	method	is  specified  in  the
	      script.

	  sieveusehomedir: 0
	      If enabled, lmtpd	will look for Sieve scripts in user's home di-
	      rectories: ~user/.sieve.

	  anysievefolder: 0
	      It must be "yes" in order	to permit the autocreation of any  IN-
	      BOX   subfolder	requested  by  a  sieve	 filter,  through  the
	      "fileinto" action. (default = no)

	  singleinstancestore: 1
	      If enabled, imapd, lmtpd and nntpd attempt  to  only  write  one
	      copy of a	message	per partition and create hard links, resulting
	      in a potentially large disk savings.

	  skiplist_always_checkpoint: 1
	      If enabled, this option forces the skiplist cyrusdb  backend  to
	      always  checkpoint  when doing a recovery.  This causes slightly
	      more IO, but on the other	hand leads  to	more  efficient	 data-
	      bases, and the entire file is already "hot".

	  skiplist_unsafe: 0
	      If  enabled,  this option	forces the skiplist cyrusdb backend to
	      not sync writes to the disk.  Enabling this option is NOT	RECOM-
	      MENDED.

	  smtp_backend:	sendmail
	      The SMTP backend to use for sending email.

	      The "host" backend sends message submissions via a TCP socket to
	      the SMTP host defined in the config option smtp_host.

	      The "sendmail" backend forks the Cyrus  process  into  the  exe-
	      cutable  defined	in the config option sendmail.	The executable
	      must accept "-bs"	as command line	argument, read from stdin  and
	      must  implement  the minimum SMTP	protocol as defined in section
	      4.5.1 of RFC 5321.

	      If the SMTP EHLO command reports AUTH (RFC 4954) as a  supported
	      extension,  then the MAIL	FROM command includes the AUTH parame-
	      ter, with	its value set to the name of  any  authenticated  user
	      which  triggered the email. The AUTH parameter is	omitted	if the
	      user is unknown to the calling process.

	      If the directory configdirectory/log/smtpclient.smtp_backend ex-
	      ists,  then  telemetry  logs  for	outgoing SMTP sessions will be
	      created in this directory.

	      Allowed values: host, sendmail

	  smtp_host: localhost:587
	      The SMTP host to use for sending mail (also see the smtp_backend
	      option). The value of this option	must the name or IP address of
	      a	TCP host, followed optionally by a colon and the port or  ser-
	      vice  to	use.  The default port is 587. TLS may be activated by
	      appending	"/tls" to the  value.  Authentication  is  enabled  if
	      smtp_auth_authname is set. Authentication	can be explicitly dis-
	      abled by appending "/noauth" to the host address.

	  smtp_auth_authname: <none>
	      The authentication name to use when authenticating to  the  SMTP
	      server defined in	smtp_host.

	  smtp_auth_password: <none>
	      The  password  to	use when authenticating	to the SMTP server de-
	      fined in smtp_host.

	  smtp_auth_realm: <none>
	      The authentication SASL realm to use when	 authenticating	 to  a
	      SMTP server.

	  soft_noauth: 1
	      If  enabled, lmtpd returns temporary failures if the client does
	      not successfully authenticate.  Otherwise	lmtpd  returns	perma-
	      nent failures (causing the mail to bounce	immediately).

	  sortcache_db:	twoskip
	      The  cyrusdb  backend to use for caching sort results (currently
	      only used	for xconvmultisort) Allowed values: skiplist, twoskip,
	      zeroskip

	  specialuse_extra: <none>
	      Whitespace  separated  list of extra special-use attributes that
	      can be set on a mailbox. RFC  6154  currently  lists  what  spe-
	      cial-use	attributes can be set. This allows extending that list
	      in the future or adding your own if needed.

	  specialuse_protect: \Archive \Drafts \Important \Junk	\Sent \Trash
	      Whitespace separated list	of special-use attributes  to  protect
	      the  mailboxes  for.   If	 set, don't allow mailboxes with these
	      special use attributes to	be deleted or renamed to have  a  dif-
	      ferent parent. Default is	the built-in list

	  specialusealways: 1
	      If  enabled,  this  option causes	LIST and LSUB output to	always
	      include the XLIST	"special-use" flags

	  sql_database:	<none>
	      Name of the database which contains the cyrusdb table(s).

	  sql_engine: <none>
	      Name of the SQL engine to	use.

	      Allowed values: mysql, pgsql, sqlite

	  sql_hostnames: <empty	string>
	      Comma separated list of SQL servers (in host[:port] format).

	  sql_passwd: <none>
	      Password to use for authentication to the	SQL server.

	  sql_user: <none>
	      Username to use for authentication to the	SQL server.

	  sql_usessl: 0
	      If enabled, a secure connection will be made to the SQL server.

	  srs_alwaysrewrite: 0
	      If true, perform SRS rewriting for ALL forwarding, even when not
	      required.

	  srs_domain: <none>
	      The  domain  to use in rewritten addresses. This must point only
	      to machines which	know the encoding secret used by this  system.
	      When present, SRS	is enabled.

	  srs_hashlength: 0
	      The hash length to generate in a rewritten address.

	  srs_secrets: <none>
	      A	list of	secrets	with which to generate addresses.

	  srs_separator: <none>
	      The  separator  to appear	immediately after SRS[01] in rewritten
	      addresses.

	  srvtab: <empty string>
	      The pathname of srvtab file containing the server's private key.
	      This  option is passed to	the SASL library and overrides its de-
	      fault setting.

	  submitservers: <none>
	      A	 list  of  users  and  groups  that  are  allowed  to  resolve
	      "urlauth=submit+"	 IMAP  URLs,  separated	 by  spaces.  Any user
	      listed in	this will be allowed to	 fetch	the  contents  of  any
	      valid "urlauth=submit+" IMAP URL:	use with caution.

	  subscription_db: flat
	      The cyrusdb backend to use for the subscriptions list.

	      Allowed values: flat, skiplist, twoskip, zeroskip

	  suppress_capabilities: <none>
	      Suppress	the  named  capabilities from any capability response.
	      Use the exact case as it appears in the  response,  e.g.	 "sup-
	      press_capabilities:  ESEARCH QRESYNC WITHIN XLIST	LIST-EXTENDED"
	      if you have a murder with	2.3.x backends and don't want  clients
	      being confused by	new capabilities that some backends don't sup-
	      port.

	  statuscache: 0
	      Enable/disable the imap status cache.

	  statuscache_db: twoskip
	      The cyrusdb backend to use for the imap status cache.

	      Allowed values: skiplist,	sql, twoskip, zeroskip

	  statuscache_db_path: <none>
	      The absolute path	to the statuscache db file.  If	not specified,
	      will be configdirectory/statuscache.db

	  sync_authname: <none>
	      The  authentication  name	 to  use when authenticating to	a sync
	      server.  Prefix with a channel name to only apply	for that chan-
	      nel

	  sync_batchsize: 8192
	      the  number  of  messages	to upload in a single mailbox replica-
	      tion.  Default is	8192.  If there	are more than this  many  mes-
	      sages  appended  to  the	mailbox,  generate a synthetic partial
	      state and	send that.

	  sync_host: <none>
	      Name of the  host	 (replica  running  sync_server(8))  to	 which
	      replication actions will be sent by sync_client(8).  Prefix with
	      a	channel	name to	only apply for that channel

	  sync_log: 0
	      Enable  replication  action  logging  by	 lmtpd(8),   imapd(8),
	      pop3d(8),	 and  nntpd(8).	 The log {configdirectory}/sync/log is
	      used by sync_client(8) for "rolling" replication.

	  sync_log_chain: 0
	      Enable replication action	logging	by sync_server as well,	allow-
	      ing  chaining  of	 replicas.   Use  this	on 'B' for A =>	B => C
	      replication layout

	  sync_log_channels: <none>
	      If specified, log	all events to multiple log files  in  directo-
	      ries specified by	each "channel".	 Each channel can then be pro-
	      cessed separately, such as by multiple sync_client(8)s in	a mesh
	      replication  scheme,  or by squatter(8) for rolling search index
	      updates.

	      You can use "" (the two-character	string U+22 U+22) to mean  the
	      default sync channel.

	  sync_log_unsuppressable_channels: squatter
	      If  specified,  the named	channels are exempt from the effect of
	      setting sync_log_chain:off, i.e. they are	always	logged	to  by
	      the  sync_server	process.   This	is only	really useful to allow
	      rolling search indexing on a replica.

	  sync_password: <none>
	      The default password  to	use  when  authenticating  to  a  sync
	      server.  Prefix with a channel name to only apply	for that chan-
	      nel

	  sync_port: <none>
	      Name of the service (or port number) of the replication  service
	      on  replica  host.  Prefix with a	channel	name to	only apply for
	      that channel.  If	not specified, and if sync_try_imap is set  to
	      "yes"  (the default), then the replication client	will first try
	      "imap" (port 143)	to check if imapd supports replication.	  oth-
	      erwise it	will default to	"csync"	(usually port 2005).

	  sync_realm: <none>
	      The  authentication  realm  to use when authenticating to	a sync
	      server.  Prefix with a channel name to only apply	for that chan-
	      nel

	  sync_repeat_interval:	1s
	      Minimum interval between replication runs	in rolling replication
	      mode. If a replication run takes longer than this	time,  we  re-
	      peat  immediately.  Prefix with a	channel	name to	only apply for
	      that channel.

	      For backward compatibility, if no	unit is	specified, seconds  is
	      assumed.

	  sync_shutdown_file: <none>
	      Simple  latch  used  to  tell sync_client(8) that	it should shut
	      down at the next opportunity. Safer than sending signals to run-
	      ning  processes.	 Prefix	 with a	channel	name to	only apply for
	      that channel

	  sync_timeout:	30m
	      How long to wait for a response before returning a timeout fail-
	      ure  when	talking	to a replication peer (client or server).  The
	      minimum duration is 3 seconds, the default is 30 minutes.

	      For backward compatibility, if no	unit is	specified, seconds  is
	      assumed.

	  sync_try_imap: 1
	      Whether sync_client should try to	perform	an IMAP	connection be-
	      fore falling back	to csync.  If this is set to "no", sync_client
	      will  only  use csync.  Prefix with a channel name to apply only
	      for that channel

	  syslog_prefix: <none>
	      String to	be prepended to	the process name  in  syslog  entries.
	      Can  be  further	overridden by setting the $CYRUS_SYSLOG_PREFIX
	      environment variable.

	      Using the	$CYRUS_SYSLOG_PREFIX environment variable has the  ad-
	      ditional	advantage  that	it can be set before the imapd.conf is
	      read, so errors while reading the	config file can	 be  syslogged
	      with the correct prefix.

	  syslog_facility: <none>
	      Configure	 a  syslog  facility.  The default is whatever is com-
	      piled in.	 Allowed values	are: DAEMON, MAIL, NEWS, USER, and LO-
	      CAL0 through to LOCAL7

	  tcp_keepalive: 0
	      Enable keepalive on TCP connections

	  tcp_keepalive_cnt: 0
	      Number of	TCP keepalive probes to	send before declaring the con-
	      nection dead (0 == system	default)

	  tcp_keepalive_idle: 0
	      How long a connection must be idle before	keepalive  probes  are
	      sent (0 == system	default).

	      For  backward compatibility, if no unit is specified, seconds is
	      assumed.

	  tcp_keepalive_intvl: 0
	      Time between keepalive probes (0 == system default).

	      For backward compatibility, if no	unit is	specified, seconds  is
	      assumed.

	  temp_path: /tmp
	      The pathname to store temporary files in

	  telemetry_bysessionid: 0
	      If true, log by sessionid	instead	of PID for telemetry

	  timeout: 32m
	      The  length  of  the  IMAP server's inactivity autologout	timer.
	      The minimum value	is 30 minutes.	The default is 32 minutes,  to
	      allow a bit of leeway for	clients	that try to NOOP every 30 min-
	      utes.

	      For backward compatibility, if no	unit is	specified, minutes  is
	      assumed.

	  imapidletimeout: <none>
	      Timeout  for  idling  clients  (RFC  2177).  If not set (the de-
	      fault), the value	of "timeout" will be used instead.

	      For backward compatibility, if no	unit is	specified, minutes  is
	      assumed.

	  tls_ca_file: <none>
	      Deprecated in favor of tls_client_ca_file.

	  tls_ca_path: <none>
	      Deprecated in favor of tls_client_ca_dir.

	  tlscache_db: twoskip
	      Deprecated in favor of tls_sessions_db.

	  tlscache_db_path: <none>
	      Deprecated in favor of tls_sessions_db_path.

	  tls_cert_file: <none>
	      Deprecated in favor of tls_server_cert.

	  tls_cipher_list: DEFAULT
	      Deprecated in favor of tls_ciphers.

	  tls_ciphers: DEFAULT
	      The  list	of SSL/TLS ciphers to allow.  The format of the	string
	      (and definition of "DEFAULT") is described in ciphers(1).

	      See also Mozilla's server-side TLS recommendations:

	      https://wiki.mozilla.org/Security/Server_Side_TLS

	  tls_crl_file:	<none>
	      Path to a	file containing	the Certificate	Revocation List

	  tls_client_ca_dir: <none>
	      Path to a	directory containing the CA certificates used to  ver-
	      ify client SSL certificates used for authentication.

	  tls_client_ca_file: <none>
	      Path  to	a file containing the CA certificate(s)	used to	verify
	      client SSL certificates used for authentication.

	  tls_client_cert: <none>
	      File containing the certificate presented	to a  server  for  au-
	      thentication during STARTTLS. A value of "disabled" will disable
	      this server's use	of certificate-based authentication.

	  tls_client_certs: optional
	      Disable ("off"), allow ("optional", default)  or	require	 ("re-
	      quire")  the  use	of SSL certificates by clients to authenticate
	      themselves.  Allowed values: off,	optional, require

	  tls_client_key: <none>
	      File containing the private key belonging	to the tls_client_cert
	      certificate.  A  value  of "disabled" will disable this server's
	      use of certificate-based authentication.

	  tls_eccurve: prime256v1
	      The elliptic curve used for  ECDHE.  Default  is	NIST  Suite  B
	      prime256.	  See 'openssl ecparam -list_curves' for possible val-
	      ues.

	  tls_key_file:	<none>
	      Deprecated in favor of tls_server_key.

	  tls_required:	0
	      If enabled, require a TLS/SSL encryption layer to	be  negotiated
	      prior  to	 ANY authentication mechanisms being advertised	or al-
	      lowed.

	  tls_prefer_server_ciphers: 0
	      Prefer the ciphers on the	server side instead of client side.

	  tls_server_ca_dir: <none>
	      Path to a	directory with CA certificates used to verify certifi-
	      cates offered by the server, when	cyrus acts as client. This di-
	      rectory must have	filenames with the hashed value	 of  the  cer-
	      tificates	(see openssl(1)).

	  tls_server_ca_file: <none>
	      Path  to	a  file	containing CA certificates used	to verify cer-
	      tificates	offered	by the server, when cyrus acts as client.

	  tls_server_cert: <none>
	      File containing the certificate, including the full chain,  pre-
	      sented to	clients.  Two certificates can be set, e.g RSA and EC,
	      if the filenames are separated with comma	without	spaces.

	  tls_server_dhparam: <none>
	      File containing the DH parameters	belonging to  the  certificate
	      in tls_server_cert.

	  tls_server_key: <none>
	      File  containing the private key belonging to the	certificate in
	      tls_server_cert.	If not set, tls_server_cert must contain  both
	      private  and public key.	Two files with keys can	be set,	if two
	      certifates are used, in which case the files must	 be  separated
	      with comma without spaces

	  tls_sessions_db: twoskip
	      The cyrusdb backend to use for the TLS cache.

	      Allowed values: skiplist,	sql, twoskip, zeroskip

	  tls_sessions_db_path:	<none>
	      The absolute path	to the TLS sessions db file. If	not specified,
	      will be configdirectory/tls_sessions.db

	  tls_session_timeout: 24h
	      The length of time that a	TLS session will be cached  for	 later
	      reuse.   The  maximum  value  is	24 hours, also the default.  A
	      value of 0 will disable session caching.

	      For backward compatibility, if no	unit is	specified, minutes  is
	      assumed.

	  tls_versions:	tls1_0 tls1_1 tls1_2 tls1_3
	      A	 list  of  SSL/TLS versions to not disable. Cyrus IMAP SSL/TLS
	      starts with all protocols, and subtracts protocols not  in  this
	      list.  Newer  versions  of SSL/TLS will need to be added here to
	      allow them to get	disabled.

	  uidl_format: cyrus
	      Choose the format	 for  UIDLs  in	 pop3.	 Possible  values  are
	      "uidonly",  "cyrus",  "dovecot" and "courier".  "uidonly"	forces
	      the old default of UID, "cyrus" is UIDVALIDITY.UID.  Dovecot  is
	      8	 digits	 of  leading  hex  (lower  case) each UID UIDVALIDITY.
	      Courier is UIDVALIDITY-UID.   Allowed  values:  uidonly,	cyrus,
	      dovecot, courier

	  umask: 077
	      The umask	value used by various Cyrus IMAP programs.

	  userdeny_db: flat
	      The cyrusdb backend to use for the user access list.

	      Allowed values: flat, skiplist, sql, twoskip, zeroskip

	  userdeny_db_path: <none>
	      The  absolute  path  to the userdeny db file.  If	not specified,
	      will be configdirectory/user_deny.db

	  username_tolower: 1
	      Convert usernames	to all lowercase before	 login/authentication.
	      This  is	useful	with authentication backends which ignore case
	      during username lookups (such as LDAP).

	  userprefix: Other Users
	      If using the alternate IMAP namespace, the prefix	for the	 other
	      users  namespace.	 The hierarchy delimiter will be automatically
	      appended.

	  unix_group_enable: 1
	      Should we	look up	groups when using auth_unix (disable  this  if
	      you  are	not using groups in ACLs for your IMAP server, and you
	      are using	auth_unix with a backend (such as LDAP)	that can  make
	      getgrent() calls very slow)

	  unixhierarchysep: 1
	      Use  the	UNIX  separator	character '/' for delimiting levels of
	      mailbox hierarchy.  Turn off to use the netnews separator	 char-
	      acter '.'. Note that with	the newnews separator, no dots may oc-
	      cur in mailbox names.  The default switched in 3.0 from  off  to
	      on.

	  virtdomains: off
	      Configure	virtual	domain support.

	      off    Cyrus does	not know or care about domains.	Only the local
		     part of email addresses is	ever considered.  This is  not
		     recommended  for any deployment, but is currently the de-
		     fault.

	      userid The user's	domain is  determined  by  splitting  a	 fully
		     qualified	userid	at the last '@'	or '%' symbol.	If the
		     userid is unqualified, the	defaultdomain  will  be	 used.
		     This  is  the  recommended	 configuration for all deploy-
		     ments.  If	you wish to provide calendaring	 services  you
		     must use this configuration.

	      on     Fully  qualified  userids are respected, as per "userid".
		     Unqualified userids will have their domain	determined  by
		     doing  a reverse lookup on	the IP address of the incoming
		     network interface,	or if no record	is found, the default-
		     domain will be used.

		     Allowed values: off, userid, on

	  virusscan_notification_subject: Automatically	deleted	mail
	      The  text	 used in the subject of	email notifications created by
	      cyr_virusscan(8) when deleting infected mail.

	  virusscan_notification_template: <none>
	      The absolute path	to a file containing a template	to use to  de-
	      scribe  infected	messages that have been	deleted	by cyr_viruss-
	      can(8).  See cyr_virusscan(8) for	specification of the format of
	      this  file.  If not specified, the builtin default template will
	      be used.

	  xbackup_enabled: 0
	      Enable support for the XBACKUP command in	 imapd.	  If  enabled,
	      admin  users  can	 use  this command to provoke a	replication of
	      specified	users to the named backup channel.

	  xlist-flag: <none>
	      Set the special-use flag flag on the specified folder when it is
	      autocreated  (see	the autocreate_inbox_folders option).  For ex-
	      ample, if	xlist-junk: Spam is set, and the folder	 Spam  is  au-
	      tocreated, the special-use flag \Junk will be set	on it.

	      (This  option  is	 so  named for backward	compatibility with old
	      config files.)

	  lmtp_catchall_mailbox: <none>
	      Mail sent	to mailboxes which do not exist, will be delivered  to
	      this  user.  NOTE: This must be an existing local	user name with
	      an INBOX,	NOT an email address!

	  zoneinfo_db: twoskip
	      The cyrusdb backend to use for zoneinfo.	This database is  used
	      by  the "tzdist" httpmodules, and	is managed by ctl_zoneinfo(8).
	      Allowed values: flat, skiplist, twoskip, zeroskip

	  zoneinfo_db_path: <none>
	      The absolute path	to the zoneinfo	db file.   If  not  specified,
	      will be configdirectory/zoneinfo.db

	  zoneinfo_dir:	<none>
	      The absolute path	to the zoneinfo	directory, containing timezone
	      definitions as generated by the vzic tool.   If  not  specified,
	      whatever definitions libical finds will be used.

	      If you are providing a Time Zone Data Distribution Service (i.e.
	      you have "tzdist"	listed in httpmodules),	then  this  configura-
	      tion option MUST be specified.

	  object_storage_enabled: 0
	      Is  Object  storage  enabled  for	this server.  You also need to
	      have archiving enabled and  archivepartition  for	 the  mailbox.
	      Only email files will be stored on object	Storage	archive	parti-
	      tion will	be used	to store any other files

	  object_storage_dummy_spool: <none>
	      Dummy object storage spool; this is for test only.  Spool	 where
	      user  directory  (container) will	be created to store all	emails
	      in a flat	structure

	  openio_namespace: <none>
	      The OpenIO namespace used	to store archived  email  messages.  A
	      namespace	 identifies  the physical platform cyrus must contact.
	      This directive is	used by	the OpenIO's SDK to locate  its	 plat-
	      form entry point.

	  openio_account: <none>
	      The  OpenIO  account used	to account for stored emails. Accounts
	      are unique in their namespace. They provides virtual partitions,
	      with quotas and QoS features.

	  openio_rawx_timeout: 30s
	      The  OpenIO  timeout  to	query to the RAWX services (default 30
	      sec).

	  openio_proxy_timeout:	5s
	      The OpenIO timeout to query to the  PROXY	 services  (default  5
	      sec).

	  openio_autocreate: 0
	      Allow  the  OpenIO SDK to	autocreate containers. Mainly destined
	      to be turned on development  environments.  In  production,  the
	      container	should have been provisioned with the mailboxes.

	  openio_verbosity: <none>
	      Sets  the	 logging  verbosity of the OpenIO's internal behavior.
	      Admissible values	are:  "warning",  "notice",  "info",  "debug",
	      "trace",	"quiet".   The	default	verbosity is "warning".	Set to
	      "notice" for a few lines on a per-client basis.  Set  to	"info"
	      for  a  few  lines on a per-request basis. Set to	"debug"	Set to
	      "trace" to activate the underlying  libcurl  debug  output.  En-
	      abling  a	 verbosity  higher  to equal than "debug" requires the
	      cyrus to be set in debug mode. The special  "quiet"  value  dis-
	      ables all	kinds of logging at the	GLib level.

	  caringo_hostname: <none>
	      The  Caringo  hostname  used to store archived email messages. A
	      hostname identifies the physical platform	 cyrus	must  contact.
	      This  directive is used by the Caringo's SDK (CastorSDK: Caringo
	      Simple Content Storage Protocol (SCSP) on	HTTP 1.1 using a REST-
	      ful architecture

	  caringo_port:	80
	      The  port	 of  the caringo server	(caringo_hostname); default is
	      80.

	  fastmailsharing: 0
	      If enabled, use FastMail style sharing  (oldschool  full	server
	      paths)

SEE ALSO
	  imapd(8),  pop3d(8),	nntpd(8),  lmtpd(8),  httpd(8),	 timsieved(8),
	  idled(8), notifyd(8),	deliver(8), master(8), ciphers(1)

AUTHOR
       The Cyrus Team

COPYRIGHT
       1993-2018, The Cyrus Team

3.2.3				August 28, 2020			 IMAPD.CONF(5)

NAME | DESCRIPTION | FIELD DESCRIPTIONS | SEE ALSO | AUTHOR | COPYRIGHT

Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=imapd.conf&sektion=5&manpath=FreeBSD+12.2-RELEASE+and+Ports>

home | help