NAME

       imapd.conf - IMAP configuration file

DESCRIPTION

       /etc/imapd.conf  is  the  configuration file for the Cyrus IMAP server.
       It defines local parameters for IMAP.

       Each line of the /etc/imapd.conf file has the form

              option: value

       where option is the name of the  configuration  option  being  set  and
       value is the value that the configuration option is being set to.

       Blank lines and lines beginning with ``#'' are ignored.

       For  boolean and enumerated options, the values ``yes'', ``on'', ``t'',
       ``true'' and ``1'' turn the option on; the values ``no'', ``off'',
       ``f'', ``false'' and ``0'' turn the option off.

FIELD DESCRIPTIONS

       The   sections   below  detail  options  that  can  be  placed  in  the
       /etc/imapd.conf file, and  show  each  option's  default  value.   Some
       options have no default value; these are listed with ``<no default>''.
       Some options default to the empty string; these are listed with
       ``<none>''.  It is also possible to override options by specifying them
       as <service_id>_<optionname>. One  example  is  ``lmtp_admins'',  which
       overrides ``admins'' just for the lmtp service. The <service_id> is the
       one you specified in the /etc/cyrus.conf file.

       admins: <empty string>
            The list of userids with  administrative  rights.   Separate  each
            userid  with a space.  Sites using Kerberos authentication may use
            separate "admin" instances.

       Note  that  accounts  used  by  users  should  not  be  administrators.
       Administrative  accounts  should  not  receive  mail.  That is, if user
       "jbRo" is a user reading mail, he should not  also  be  in  the  admins
       line.   Some  problems may occur otherwise, most notably the ability of
       administrators to create top-level mailboxes visible to users, but  not
       writable by users.

       afspts_localrealms: <none>
            The  list  of  realms  which  are to be treated as local, and thus
            stripped  during  identifier  canonicalization  (for  the   AFSPTS
            ptloader  module).   This is different from loginrealms in that it
            occurs later in the authorization  process  (as  the  user  id  is
            canonified for PTS lookup).

       afspts_mycell: <none>
            Cell to use for AFS PTS lookups.  Defaults to the local cell.

       allowallsubscribe: 0
            Allow  subscription  to  nonexistent  mailboxes.   This  option is
            typically used on backend servers in a Murder so  that  users  can
            subscribe  to  mailboxes that don't reside on their "home" server.
            This option can also be used as  a  workaround  for  IMAP  clients
            which  don't  play well with nonexistent or unselectable mailboxes
            (eg.  Microsoft Outlook).

       allowanonymouslogin: 0
            Permit logins by the user "anonymous" using  any  password.   Also
            allows use of the SASL ANONYMOUS mechanism.

       allowapop: 1
            Allow use of the POP3 APOP authentication command.

       Note  that  this  command  requires  that  SASL  is  compiled with APOP
       support, that the plaintext passwords are available in a  SASL  auxprop
       backend  (eg.  sasldb),  and that the system can provide enough entropy
       (eg. from /dev/urandom) to create a challenge in the banner.

       allownewnews: 0
            Allow use of the NNTP NEWNEWS command.

       Note that this is a very expensive command and should only  be  enabled
       when absolutely necessary.

       allowplaintext: 1
            Allow the use of cleartext passwords on the wire.

       To  disallow the use of plaintext passwords for authentication, you can
       set ``allowplaintext: no'' in imapd.conf. This will still  allow  PLAIN
       under TLS, but IMAP LOGIN commands will now fail.

       If    you    only   list   plaintext   authentication   mechanisms   in
       ``sasl_mech_list''  and  set  ``allowplaintext:  no'',  only  users  on
       encrypted  sessions  (TLS  or SSL) will be able to authenticate. On the
       other  hand,  if  you  list  no  plaintext  authentication  options  in
       ``sasl_mech_list'', ``allowplaintext: yes'' would have no effect.

       allowusermoves: 0
            Allow  moving user accounts (with associated meta-data) via RENAME
            or XFER.

       Note that measures should be taken to make sure  that  the  user  being
       moved  is not logged in, and can not login during the move.  Failure to
       do so may result in the user's meta-data  (seen  state,  subscriptions,
       etc) being corrupted or out of date.

       altnamespace: 0
            Use the alternate IMAP namespace, where personal folders reside at
            the same level in the hierarchy as INBOX.

       This option  ONLY  applies  where  interaction  takes  place  with  the
       client/user.   Currently  this  is limited to the IMAP protocol (imapd)
       and Sieve scripts (lmtpd).  This option does NOT apply to  admin  tools
       such  as  cyradm  (admins  ONLY), reconstruct, quota, etc., NOR does it
       affect LMTP delivery  of  messages  directly  to  mailboxes  via  plus-
       addressing.

       annotation_db: skiplist
            The cyrusdb backend to use for mailbox annotations.

            Allowed values: berkeley, berkeley-hash, skiplist

       auth_mech: unix
            The authorization mechanism to use.

            Allowed values: unix, pts, krb, krb5

       autocreatequota: 0
            If  nonzero,  normal  users  may create their own IMAP accounts by
            creating the mailbox INBOX.  The user's quota is set to the  value
            if it is positive, otherwise the user has unlimited quota.

       berkeley_cachesize: 512
            Size  (in kilobytes) of the shared memory buffer pool (cache) used
            by the berkeley environment.  The minimum  allowed  value  is  20.
            The maximum allowed value is 4194303 (4GB).

       berkeley_locks_max: 50000
            Maximum  number  of  locks to be held or requested in the berkeley
            environment.

       berkeley_txns_max: 100
            Maximum number of transactions to be  supported  in  the  berkeley
            environment.

       client_timeout: 10
            Number  of seconds to wait before returning a timeout failure when
            performing a client connection (e.g. in a murder environment).

       configdirectory: <none>
            The pathname of the IMAP configuration directory.  This  field  is
            required.

       debug_command: <none>
            Debug command to be used by processes started with -D option.  The
            string is a C format string that gets 3 options: the first is  the
            name  of  the  executable  (without  path).  The second is the pid
            (integer)  and  the   third   is   the   service   ID.    Example:
            /usr/local/bin/gdb /usr/cyrus/bin/%s %d

       defaultacl: anyone lrs
            The Access Control List (ACL) placed on a newly-created (non-user)
            mailbox that does not have a parent mailbox.

       defaultdomain: <none>
            The default domain for virtual  domain  support.  Note  that  this
            domain  is stripped from the email-address transmitted using LMTP,
            but  it  is  not  stripped  from  usernames  at  login-time.   For
            imapd/pop3d, "user" and "user@defaultdomain" specify two different
            users.  Please check install-virtdomains.html for details.

       defaultpartition: default
            The partition name used by default for new mailboxes.

       deleteright: c
            The right that a user needs to delete a mailbox.

       duplicate_db: berkeley-nosync
            The cyrusdb backend to use for the duplicate delivery  suppression
            and sieve.

            Allowed    values:   berkeley,   berkeley-nosync,   berkeley-hash,
            berkeley-hash-nosync, skiplist

       duplicatesuppression: 1
            If enabled, lmtpd will suppress delivery of a message to a mailbox
            if  a  message  with the same message-id (or resent-message-id) is
            recorded as having already been delivered to the mailbox.  Records
            the  mailbox  and  message-id/resent-message-id  of all successful
            deliveries.

       foolstupidclients: 0
            If enabled, only list the personal namespace when a  LIST  "*"  is
            performed.  (It changes the request to a LIST "INBOX*".)

       force_sasl_client_mech: <none>
            Force  preference  of  a  given  SASL  mechanism  for  client side
            operations (e.g. murder environments).  This is separate from (and
            overridden  by)  the  ability  to  use  the <host shortname>_mechs
            option to set preferred mechanisms for a specific host.

       fulldirhash: 0
            If enabled, uses an improved directory hashing scheme which hashes
            the  entire username instead of using just the first letter.  This
            changes hash algorithm used for quota and user directories and  if
            hashimapspool is enabled, the entire mail spool.

       Note  that this option can NOT be changed on a live system.  The server
       must be quiesced  and  then  the  directories  moved  with  the  rehash
       utility.

       hashimapspool: 0
            If enabled, the partitions will also be hashed, in addition to the
            hashing done on configuration directories.  This is recommended if
            one partition has a very bushy mailbox tree.

       hostname_mechs: <none>
            Force  a  particular  list  of  SASL  mechanisms  to  be used when
            authenticating to the backend server hostname (where  hostname  is
            the  short  hostname  of  the  server  in  question). If it is not
            specified it will query the server for  available  mechanisms  and
            pick one to use. - Cyrus Murder

       hostname_password: <none>
            The  password  to  use  for  authentication  to the backend server
            hostname (where hostname is the short hostname of  the  server)  -
            Cyrus Murder

       idlemethod: %IDLE%
            The idle backend to use for IDLE command.

            Allowed values: no, poll, idled

       idlesocket: {configdirectory}/socket/idle
            Unix domain socket that idled listens on.

       ignorereference: 0
            For  backwards  compatibility  with  Cyrus  1.5.10  and earlier --
            ignore the reference argument in LIST or LSUB commands.

       imapidlepoll: 60
            The interval (in seconds) for  polling  the  mailbox  for  changes
            while  running  the  IDLE command.  This option is used when idled
            can not be contacted or when polling  is  used  exclusively.   The
            minimum  value  is  1.   A  value  of  0 will disable polling (and
            disable IDLE if polling is the only method available).

       imapidresponse: 1
            If enabled, the server responds to an ID command with a  parameter
            list  containing:  version,  vendor,  support-url, os, os-version,
            command, arguments, environment.   Otherwise  the  server  returns
            NIL.

       imapmagicplus: 0
            Only  list  a  restricted  set  of  mailboxes  via  IMAP  by using
            userid+namespace syntax as  the  authentication/authorization  id.
            Using  userid+ (with an empty namespace) will list only subscribed
            mailboxes.

       implicit_owner_rights: lca
            The implicit Access Control List (ACL) for the owner of a mailbox.

       @include: <none>
            Directive  which  includes  the  specified  file  as  part  of the
            configuration.   If  the  path  to  the  file  is  not   absolute,
            CYRUS_PATH is prepended.

       ldap_authz: <none>
            SASL authorization ID for the LDAP server

       ldap_base: <empty string>
            Contains the LDAP base dn for the LDAP ptloader module

       ldap_bind_dn: <none>
            Bind  DN  for the connection to the LDAP server (simple bind).  Do
            not use for anonymous simple binds

       ldap_deref: never
            Specify how aliases dereferencing is handled during search.

            Allowed values: search, find, always, never

       ldap_filter: (uid=%u)
            Specify a filter that searches user  identifiers.   The  following
            tokens can be used in the filter string:

            %%   = %
            %u   = user
            %U   = user portion of %u (%U = test when %u = test@domain.tld)
            %d   = domain portion of %u if available (%d = domain.tld when
                   %u = test@domain.tld), otherwise same as %r
            %D   = user dn.  (use when ldap_member_method: filter)
            %1-9 = domain tokens (%1 = tld, %2 = domain when %d = domain.tld)

            ldap_filter is not used when ldap_sasl is enabled.

       ldap_group_base: <empty string>
            LDAP base dn for ldap_group_filter.

       ldap_group_filter: (cn=%u)
            Specify  a  filter  that  searches  for  group  identifiers.   See
            ldap_filter for more options.

       ldap_group_scope: sub
            Specify search scope for ldap_group_filter.

            Allowed values: sub, one, base

       ldap_id: <none>
            SASL authentication ID for the LDAP server

       ldap_mech: <none>
            SASL mechanism for LDAP authentication

       ldap_member_attribute: <none>
            See ldap_member_method.

       ldap_member_base: <empty string>
            LDAP base dn for ldap_member_filter.

       ldap_member_filter: (member=%D)
            Specify  a   filter   for   "ldap_member_method:   filter".    See
            ldap_filter for more options.

       ldap_member_method: attribute
            Specify  a  group method.  The "attribute" method retrieves groups
            from a multi-valued attribute specified in  ldap_member_attribute.

            The    "filter"    method    uses    a    filter,   specified   by
            ldap_member_filter, to find  groups;  ldap_member_attribute  is  a
            single-value attribute group name.

            Allowed values: attribute, filter

       ldap_member_scope: sub
            Specify search scope for ldap_member_filter.

            Allowed values: sub, one, base

       ldap_password: <none>
            Password  for  the  connection to the LDAP server (SASL and simple
            bind).  Do not use for anonymous simple binds

       ldap_realm: <none>
            SASL realm for LDAP authentication

       ldap_referrals: 0
            Specify whether or not the client should follow referrals.

       ldap_restart: 1
            Specify whether or  not  LDAP  I/O  operations  are  automatically
            restarted if they abort prematurely.

       ldap_sasl: 1
            Use SASL for LDAP binds in the LDAP PTS module.

       ldap_sasl_authc: <none>
            Deprecated.  Use ldap_id

       ldap_sasl_authz: <none>
            Deprecated.  Use ldap_authz

       ldap_sasl_mech: <none>
            Deprecated.  Use ldap_mech

       ldap_sasl_password: <none>
            Deprecated.  Use ldap_password

       ldap_sasl_realm: <none>
            Deprecated.  Use ldap_realm

       ldap_scope: sub
            Specify search scope.

            Allowed values: sub, one, base

       ldap_servers: ldap://localhost/
            Deprecated.  Use ldap_uri

       ldap_size_limit: 1
            Specify a number of entries for a search request to return.

       ldap_start_tls: 0
            Use  StartTLS extended operation.  Do not use ldaps: ldap_uri when
            this option is enabled.

       ldap_time_limit: 5
            Specify a number of seconds for a search request to complete.

       ldap_timeout: 5
            Specify a number of seconds a search can take before timing out.

       ldap_tls_cacert_dir: <none>
            Path to directory with CA (Certificate Authority) certificates.

       ldap_tls_cacert_file: <none>
            File containing CA (Certificate Authority) certificate(s).

       ldap_tls_cert: <none>
            File containing the client certificate.

       ldap_tls_check_peer: 0
            Require and verify server certificate.  If this option is yes, you
            must specify ldap_tls_cacert_file or ldap_tls_cacert_dir.

       ldap_tls_ciphers: <none>
            List  of  SSL/TLS  ciphers  to allow.  The format of the string is
            described in ciphers(1).

       ldap_tls_key: <none>
            File containing the private client key.

       ldap_uri: <none>
            Contains a list of the URLs of all the LDAP servers when using the
            LDAP PTS module.

       ldap_version: 3
            Specify  the  LDAP  protocol  version.   If  ldap_start_tls and/or
            ldap_use_sasl are enabled, ldap_version will be automatically  set
            to 3.

       lmtp_downcase_rcpt: 0
            If  enabled, lmtpd will convert the recipient address to lowercase
            (up to a '+' character, if present).

       lmtp_over_quota_perm_failure: 0
            If enabled, lmtpd returns a permanent failure code when  a  user's
            mailbox  is  over  quota.   By  default, the failure is temporary,
            causing the MTA to queue the message and retry later.

       lmtpsocket: {configdirectory}/socket/lmtp
            Unix domain socket that lmtpd listens on, used by deliver(8). This
            should match the path specified in cyrus.conf(5).

       loginrealms: <empty string>
            The  list  of  remote  realms  whose  users may authenticate using
            cross-realm authentication identifiers.  Separate each realm  name
            by  a  space.   (A cross-realm identity is considered any identity
            returned by SASL with an "@" in it.) Note that to support multiple
            virtual  domains  on  the same interface/IP, you need to list them
            all as loginrealms.  If you  don't  list  them  here,  your  users
            probably won't be able to log in.

       loginuseacl: 0
            If enabled, any authentication identity which has 'a' rights on  a
            user's INBOX may log in as that user.

       logtimestamps: 0
            Include notations in the protocol telemetry  logs  indicating  the
            number of seconds since the last command or response.

       mailnotifier: <none>
            Notifyd(8)  method  to  use for "MAIL" notifications.  If not set,
            "MAIL" notifications are disabled.

       maxmessagesize: 0
            Maximum incoming LMTP  message  size.   If  non-zero,  lmtpd  will
            reject  messages  larger  than maxmessagesize bytes.  If set to 0,
            this will allow messages of any size (the default).

       mboxlist_db: skiplist
            The cyrusdb backend to use for the mailbox list.

            Allowed values: flat, berkeley, berkeley-hash, skiplist

       munge8bit: 1
            If enabled, lmtpd  changes  8-bit  characters  to  `X'.  Also  see
            reject8bit.  (A proper solution to non-ASCII characters in headers
            is offered by RFC 2047 and its predecessors.)

       mupdate_connections_max: 128
            The max number of connections that a mupdate process  will  allow;
            this  is  related to the number of file descriptors in the mupdate
            process.  Beyond this number connections will be immediately issued
            a BYE response.

       mupdate_authname: <none>
            The SASL username (Authentication Name) to use when authenticating
            to the mupdate server (if needed).

       mupdate_password: <none>
            The SASL password (if needed) to use when  authenticating  to  the
            mupdate server.

       mupdate_port: 3905
            The port of the mupdate server for the Cyrus Murder

       mupdate_realm: <none>
            The  SASL  realm  (if  needed)  to  use when authenticating to the
            mupdate server.

       mupdate_retry_delay: 20
            The base time to wait between connection retries  to  the  mupdate
            server.

       mupdate_server: <none>
            The mupdate server for the Cyrus Murder

       mupdate_workers_start: 5
            The number of mupdate worker threads to start

       mupdate_workers_minspare: 2
            The minimum number of idle mupdate worker threads

       mupdate_workers_maxspare: 10
            The maximum number of idle mupdate worker threads

       mupdate_workers_max: 50
            The maximum number of mupdate worker threads (overall)

       mupdate_username: <empty string>
            The  SASL username (Authorization Name) to use when authenticating
            to the mupdate server

       netscapeurl: http://asg.web.cmu.edu/cyrus/imapd/netscape-admin.html
            If enabled at compile time, this specifies a  URL  to  reply  when
            Netscape asks the server where the mail administration HTTP server
            is.  The default is a site at CMU  with  a  hopefully  informative
            message;  administrators  should set this to a local resource with
            some information of greater use.

       newsmaster: news
            Userid that is used for checking access  controls  when  executing
            Usenet  control  messages.   For instance, to allow articles to be
            automatically deleted by cancel messages, give the "news" user the
            'd'  right  on  the  desired mailboxes.  To allow newsgroups to be
            automatically created, deleted and renamed  by  the  corresponding
            control  messages,  give  the  "news"  user  the  'c' right on the
            desired mailbox hierarchies.

       newspeer: <none>
            A list of whitespace-separated news server specifications to which
            articles  should be fed.  Each server specification is a string of
            the form [user[:pass]@]host[:port][/wildmat] where 'host'  is  the
            fully  qualified  hostname  of  the  server, 'port' is the port on
            which  the  server  is  listening,  'user'  and  'pass'  are   the
            authentication   credentials  and  'wildmat'  is  a  pattern  that
            specifies which groups should be fed.  If no 'port' is  specified,
            port  119  is  used.  If no 'wildmat' is specified, all groups are
            fed.  If 'user' is specified (even if empty), then the  NNTP  POST
            command  will be used to feed the article to the server, otherwise
            the IHAVE command will be used.

            A '@' may be used in place  of  '!'  in  the  wildmat  to  prevent
            feeding articles cross-posted to the given group, otherwise cross-
            posted articles are fed if any part of the wildmat  matches.   For
            example, the string "peer.example.com:*,!control.*,@local.*" would
            feed all groups  except  control  messages  and  local  groups  to
            peer.example.com.   In  the case of cross-posting to local groups,
            these articles would not be fed.

       newspostuser: <none>
            Userid used  to  deliver  usenet  articles  to  newsgroup  folders
            (usually  via  lmtp2nntp).   For  example, if set to "post", email
            sent  to  "post+comp.mail.imap"  would   be   delivered   to   the
            "comp.mail.imap" folder.

            When  set,  the  Cyrus  NNTP  server will add a To: header to each
            incoming usenet article.   This  To:  header  will  contain  email
            delivery   addresses   corresponding  to  each  newsgroup  in  the
            Newsgroups: header.  By default, a To:  header  is  not  added  to
            usenet articles.

       newsprefix: <none>
            Prefix   to   be   prepended   to  newsgroup  names  to  make  the
            corresponding IMAP mailbox names.

       notifysocket: {configdirectory}/socket/notify
            Unix domain socket that the mail notification daemon listens on.

       partition-name: <none>
            The pathname of the partition name.  At least one field,  for  the
            partition  named in the defaultpartition option, is required.  For
            example, if the value of the defaultpartition option  is  default,
            then the partition-default field is required.

       plaintextloginpause: 0
            Number  of  seconds  to  pause after a successful plaintext login.
            For systems that support strong authentication, this permits users
            to  perceive  a cost of using plaintext passwords.  (This does not
            affect the use of PLAIN in SASL authentications.)

       plaintextloginalert: <none>
            Message to send to client after a successful plaintext login.

       popexpiretime: -1
            The number of days advertised as being the minimum a  message  may
            be  left  on  the  POP  server  before it is deleted (via the CAPA
            command, defined in  the  POP3  Extension  Mechanism,  which  some
            clients may support).  "NEVER", the default, may be specified with
            a negative number.  The Cyrus POP3 server never deletes  mail,  no
            matter  what  the  value of this parameter is.  However, if a site
            implements  a  less  liberal  policy,  it  needs  to  change  this
            parameter accordingly.

       popminpoll: 0
            Set  the  minimum  amount  of time the server forces users to wait
            between successive POP logins, in minutes.

       poppollpadding: 1
            Create a softer minimum poll restriction.   Allows  poppollpadding
            connections   before   the   minpoll   restriction  is  triggered.
            Additionally, one padding  entry  is  recovered  every  popminpoll
            minutes.   This allows for the occasional polling rate faster than
            popminpoll, (i.e. for clients that require a send/receive to  send
            mail)  but  still  enforces  the  rate  long-term.   Default  is 1
            (disabled).

            The easiest way to think of it is a  queue  of  past  connections,
            with  one  slot  being  filled  for every connection, and one slot
            being cleared every popminpoll minutes. When the  queue  is  full,
            the  user  will  not  be  able to check mail again until a slot is
            cleared.  If the user waits a sufficient amount of time, they will
            get back many or all of the slots.
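
       The queue described above, modelled as an added example (not Cyrus
       code). The class and function names are hypothetical, and the rule
       for when the recovery clock starts is an assumption, since the text
       does not specify it.

```python
# Added example: a model of the poppollpadding queue described above.
# Not Cyrus code; PopPollQueue, simulate() and the recovery-clock rule are
# assumptions made for illustration.

class PopPollQueue:
    def __init__(self, popminpoll, poppollpadding=1):
        self.interval = popminpoll      # minutes needed to clear one slot
        self.capacity = poppollpadding  # number of slots in the queue
        self.used = 0                   # slots currently filled
        self.clock = 0                  # minute from which recovery is counted

    def login(self, now):
        """Return True if a POP login at minute `now` is allowed."""
        if self.interval <= 0:
            return True                 # popminpoll: 0 enforces no minimum
        if self.used:
            recovered = min(self.used, (now - self.clock) // self.interval)
            self.used -= recovered
            self.clock += recovered * self.interval
        if self.used >= self.capacity:
            return False                # queue full; a refusal fills no slot
        if self.used == 0:
            self.clock = now            # assumption: clock starts at first fill
        self.used += 1
        return True


def simulate(popminpoll, poppollpadding, minutes):
    """Replay login attempts (ascending minute stamps) for one user."""
    queue = PopPollQueue(popminpoll, poppollpadding)
    return [queue.login(m) for m in minutes]


if __name__ == "__main__":
    # Constructed timeline: a burst of three is tolerated, the fourth is not.
    print(simulate(10, 3, [0, 1, 2, 3, 10, 11, 20, 60, 61, 62, 63]))
    # poppollpadding: 1 behaves like plain popminpoll.
    print(simulate(10, 1, [0, 5, 10, 12, 25]))
```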

       poptimeout: 10
            Set the length of the POP server's inactivity autologout timer, in
            minutes.  The minimum value is 10, the default.

       popuseacl: 0
            Enforce IMAP ACLs in the pop server.  Due to  the  nature  of  the
            POP3  protocol,  the  only rights which are used by the pop server
            are 'r' and 'd' for the owner  of  the  mailbox.   The  'r'  right
            allows  the  user  to open the mailbox and list/retrieve messages.
            The 'd' right allows the user to delete messages.

       postmaster: postmaster
            Username that is used as the  'From'  address  in  rejection  MDNs
            produced by sieve.

       postuser: <empty string>
            Userid  used  to deliver messages to shared folders.  For example,
            if set to "bb", email sent to "bb+shared.blah" would be  delivered
            to  the  "shared.blah"  folder.   By  default, an email address of
            "+shared.blah" would be used.

       proxy_authname: proxy
            The authentication name to use when authenticating  to  a  backend
            server in the Cyrus Murder.

       proxy_password: <none>
            The  default  password  to  use  when  authenticating to a backend
            server in the Cyrus Murder.  May be overridden on a  host-specific
            basis using the hostname_password option.

       proxy_realm: <none>
            The  authentication  realm to use when authenticating to a backend
            server in the Cyrus Murder

       proxyd_allow_status_referral: 0
            Set to true to allow proxyd to issue  referrals  to  clients  that
            support it when answering the STATUS command.  This is disabled by
            default since some clients issue many STATUS commands  in  a  row,
            and do not cache the connections that these referrals would cause,
            thus resulting in a higher authentication load on  the  respective
            backend server.

       proxyd_disable_mailbox_referrals: 0
            Set  to  true to disable the use of mailbox-referrals on the proxy
            servers.

       proxyservers: <none>
            A list of users and groups that are allowed  to  proxy  for  other
            users,  separated  by  spaces.   Any  user  listed in this will be
            allowed to login for any other user: use with caution.

       pts_module: afskrb
            The PTS module to use.

            Allowed values: afskrb, ldap

       ptloader_sock: <none>
            Unix  domain  socket  that  ptloader  listens  on.   (defaults  to
            configdir/ptclient/ptsock)

       ptscache_db: berkeley
            The cyrusdb backend to use for the pts cache.

            Allowed values: berkeley, berkeley-hash, skiplist

       ptscache_timeout: 10800
            The timeout (in seconds) for the PTS cache database when using the
            auth_krb_pts authorization method (default: 3 hours).

       ptskrb5_convert524: 1
            When  using  the  AFSKRB   ptloader   module   with   Kerberos   5
            canonicalization, do the final 524 conversion to get an  AFS-style
            name (using '.' instead of '/', and using short names).

       ptskrb5_strip_default_realm: 1
            When  using  the  AFSKRB   ptloader   module   with   Kerberos   5
            canonicalization,  strip  the  default realm from the userid (this
            does  not  affect  the  stripping  of  realms  specified  by   the
            afspts_localrealms option)

       quota_db: quotalegacy
            The cyrusdb backend to use for quotas.

            Allowed   values:   flat,   berkeley,   berkeley-hash,   skiplist,
            quotalegacy

       quotawarn: 90
            The percent of quota utilization over which the  server  generates
            warnings.

       quotawarnkb: 0
            The  maximum amount of free space (in kB) in which to give a quota
            warning (if this value is 0, or if the quota is smaller than  this
            amount, then warnings are always given).

       reject8bit: 0
            If  enabled,  lmtpd  rejects messages with 8-bit characters in the
            headers. Also see munge8bit, which is only applied  if  reject8bit
            is  not  activated.  (A proper solution to non-ASCII characters in
            headers is offered by RFC 2047 and its predecessors.)

       rfc2046_strict: 0
            If enabled, imapd will be strict (per RFC 2046) when matching MIME
            boundary  strings.   This  means  that boundaries containing other
            boundaries as substrings will  be  treated  as  identical.   Since
            enabling  this  option  will break some messages created by Eudora
            5.1 (and earlier), it is recommended  that  it  be  left  disabled
            unless there is good reason to do otherwise.

       rfc3028_strict: 1
            If  enabled,  Sieve  will be strict (per RFC 3028) with regards to
            which headers are allowed to  be  used  in  address  and  envelope
            tests.   This  means  that only those headers which are defined to
            contain addresses will be allowed in address tests and  only  "to"
            and  "from" will be allowed in envelope tests.  When disabled, ANY
            grammatically correct header will be allowed.

       sasl_auto_transition: 0
            If  enabled,  the   SASL   library   will   automatically   create
            authentication  secrets  when given a plaintext password.  See the
            SASL documentation.

       sasl_maximum_layer: 256
            Maximum SSF (security strength factor) that the server will  allow
            a  client  to negotiate. This corresponds to the max_ssf option of
            libsasl.  Please check the  libsasl  documentation  for  available
            values.

       sasl_minimum_layer: 0
            The  minimum SSF that the server will allow a client to negotiate.
            A value of 1 requires integrity protection (i.e.  checksums);  any
            higher  value requires some amount of encryption. This corresponds
            to  the  min_ssf  option  of   libsasl.   Please   check   libsasl
            documentation for available values.

       sasl_option: 0
            Any  SASL  option  can  be set by preceding it with "sasl_".  This
            file overrides the SASL configuration file.

       sasl_pwcheck_method: <none>
            The mechanism used by the server to  verify  plaintext  passwords.
            Possible values include "auxprop", "saslauthd", and "pwcheck".

       seenstate_db: skiplist
            The cyrusdb backend to use for the seen state.

            Allowed values: flat, berkeley, berkeley-hash, skiplist

       sendmail: /usr/lib/sendmail
            The  pathname  of the sendmail executable.  Sieve invokes sendmail
            for sending rejections, redirects and vacation responses.

       servername: <none>
            This is the hostname visible in the greeting messages of the  POP,
            IMAP  and  LMTP  daemons. If it is unset, then the result returned
            from gethostname(2) is used.

       sharedprefix: Shared Folders
            If using the alternate IMAP namespace, the prefix for  the  shared
            namespace.    The   hierarchy   delimiter  will  be  automatically
            appended.

       sieve_maxscriptsize: 32
            Maximum size (in kilobytes) any sieve script can be,  enforced  at
            submission by timsieved(8).

       sieve_maxscripts: 5
            Maximum  number  of  sieve  scripts any user may have, enforced at
            submission by timsieved(8).

       sievedir: /usr/sieve
            If sieveusehomedir is false, this directory is searched for  Sieve
            scripts.

       sievenotifier: <none>
            Notifyd(8)  method  to use for "SIEVE" notifications.  If not set,
            "SIEVE" notifications are disabled.

            This method is only used when no method is specified in the script.

       sieveusehomedir: 0
            If enabled, lmtpd will look  for  Sieve  scripts  in  users'  home
            directories: ~user/.sieve.

       singleinstancestore: 1
            If  enabled, imapd, lmtpd and nntpd attempt to only write one copy
            of a message per partition and create hard links, resulting  in  a
            potentially large disk savings.

       skiplist_unsafe: 0
            If enabled, this option forces the skiplist cyrusdb backend to not
            sync writes to the disk.  Enabling this option is NOT RECOMMENDED.

       soft_noauth: 1
            If  enabled,  lmtpd  returns temporary failures if the client does
            not successfully authenticate.  Otherwise lmtpd returns  permanent
            failures (causing the mail to bounce immediately).

       srvtab: <empty string>
            The  pathname  of srvtab file containing the server's private key.
            This option is passed  to  the  SASL  library  and  overrides  its
            default setting.

       subscription_db: flat
            The cyrusdb backend to use for the subscriptions list.

            Allowed values: flat, berkeley, berkeley-hash, skiplist

       syslog_prefix: <none>
            String to be prepended to the process name in syslog entries.

       temp_path: /tmp
            The pathname to store temporary files in.

       timeout: 30
            The  length  of  the IMAP server's inactivity autologout timer, in
            minutes.  The minimum value is 30, the default.

       tls_ca_file: <none>
            File  containing  one   or   more   Certificate   Authority   (CA)
            certificates.

       tls_ca_path: <none>
            Path  to  directory with certificates of CAs.  This directory must
            have filenames with the  hashed  value  of  the  certificate  (see
            openssl(XXX)).

       tlscache_db: berkeley-nosync
            The cyrusdb backend to use for the TLS cache.

            Allowed    values:   berkeley,   berkeley-nosync,   berkeley-hash,
            berkeley-hash-nosync, skiplist

       tls_cert_file: <none>
            File   containing   the   certificate   presented    for    server
            authentication  during  STARTTLS.   A  value  of  "disabled"  will
            disable SSL/TLS.

       tls_cipher_list: DEFAULT
            The list of SSL/TLS ciphers to allow.  The format of the string is
            described in ciphers(1).

       tls_key_file: <none>
            File   containing   the   private  key  belonging  to  the  server
            certificate.  A value of "disabled" will disable SSL/TLS.

       tls_require_cert: 0
            Require a client certificate for ALL services (imap,  pop3,  lmtp,
            sieve).

       tls_session_timeout: 1440
            The  length of time (in minutes) that a TLS session will be cached
            for later reuse.  The  maximum  value  is  1440  (24  hours),  the
            default.  A value of 0 will disable session caching.

       umask: 077
            The umask value used by various Cyrus IMAP programs.

       username_tolower: 1
            Convert  usernames  to  all  lowercase  before login/authenticate.
            This is useful with  authentication  backends  which  ignore  case
            during username lookups (such as LDAP).

       userprefix: Other Users
            If  using  the  alternate IMAP namespace, the prefix for the other
            users namespace.  The hierarchy delimiter  will  be  automatically
            appended.

       unix_group_enable: 1
            Should we look up groups when using auth_unix (disable this if you
            are not using groups in ACLs for your IMAP  server,  and  you  are
            using  auth_unix  with  a  backend  (such  as  LDAP) that can make
            getgrent() calls very slow)

       unixhierarchysep: 0
            Use the UNIX separator character  '/'  for  delimiting  levels  of
            mailbox  hierarchy.   The  default is to use the netnews separator
            character '.'.

       virtdomains: off
            Enable virtual domain support.  If enabled, the user's domain will
            be  determined  by  splitting a fully qualified userid at the last
            '@' or  '%'  symbol.   If  the  userid  is  unqualified,  and  the
            virtdomains  option  is  set  to  "on",  then  the  domain will be
            determined by doing a reverse lookup on  the  IP  address  of  the
            incoming network interface, otherwise the user is assumed to be in
            the default domain (if set).

            Allowed values: off, userid, ldap, on
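
       The following audit script is an added example, not part of the Cyrus
       distribution. It parses the ``option: value'' format and flags the
       security-relevant settings documented above; the sample configuration
       is constructed and the umask check is a policy assumption of the example.

```python
"""Audit an imapd.conf for security-relevant options described in this page."""

TRUE = {"yes", "on", "t", "true", "1"}  # spellings that turn a boolean option on

# Constructed sample configuration, not taken from a real server.
SAMPLE = """\
# constructed example
sasl_minimum_layer: 0
skiplist_unsafe: yes
tls_cert_file: /etc/ssl/certs/imap.pem
tls_key_file: disabled
tls_session_timeout: 1440
umask: 022
"""

def parse(text):
    """Parse 'option: value' lines; blank lines and '#' lines are ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        conf[key.strip()] = value.strip()
    return conf

def audit(conf):
    """Return a sorted list of (option, finding) pairs."""
    findings = []
    # Documented defaults are used when an option is absent.
    ssf = int(conf.get("sasl_minimum_layer", "0"))
    if ssf <= 1:  # 1 = integrity only; any higher value requires encryption
        findings.append(("sasl_minimum_layer",
                         "minimum SSF %d does not require encryption" % ssf))
    if conf.get("skiplist_unsafe", "0").lower() in TRUE:
        findings.append(("skiplist_unsafe", "skiplist writes are not synced to disk"))
    for opt in ("tls_cert_file", "tls_key_file"):
        if conf.get(opt, "") in ("", "disabled"):
            findings.append((opt, "SSL/TLS is disabled or not configured"))
    # Policy assumption of this example: group/other bits should stay masked.
    mask = int(conf.get("umask", "077"), 8)
    if mask & 0o077 != 0o077:
        findings.append(("umask", "umask %03o leaves group/other access" % mask))
    return sorted(findings)

if __name__ == "__main__":
    for option, finding in audit(parse(SAMPLE)):
        print("%s: %s" % (option, finding))
```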

SEE ALSO

       imapd(8),  pop3d(8),  nntpd(8),   lmtpd(8),   timsieved(8),   idled(8),
       notifyd(8), deliver(8), master(8), ciphers(1)
