<pre style='margin:0'>
Frank Schima (mf2k) pushed a commit to branch master
in repository macports-ports.
</pre>
<p><a href="https://github.com/macports/macports-ports/commit/09475c3f89d01de9d9243de788ff0b1c8992f1aa">https://github.com/macports/macports-ports/commit/09475c3f89d01de9d9243de788ff0b1c8992f1aa</a></p>
<pre style="white-space: pre; background: #F8F8F8">The following commit(s) were added to refs/heads/master by this push:
<span style='display:block; white-space:pre;color:#404040;'> new 09475c3 mail-server: Submission of an email server configuration
</span>09475c3 is described below
<span style='display:block; white-space:pre;color:#808000;'>commit 09475c3f89d01de9d9243de788ff0b1c8992f1aa
</span>Author: Steven Thomas Smith <s.t.smith@ieee.org>
AuthorDate: Tue Jul 30 17:51:52 2019 -0400
<span style='display:block; white-space:pre;color:#404040;'> mail-server: Submission of an email server configuration
</span><span style='display:block; white-space:pre;color:#404040;'>
</span><span style='display:block; white-space:pre;color:#404040;'> * postfix for the MTA
</span><span style='display:block; white-space:pre;color:#404040;'> * dovecot for the MDA
</span><span style='display:block; white-space:pre;color:#404040;'> * solr for fast search
</span><span style='display:block; white-space:pre;color:#404040;'> * rspamd for a milter
</span><span style='display:block; white-space:pre;color:#404040;'> * clamav for email virus scans
</span><span style='display:block; white-space:pre;color:#404040;'> * surrogate TLS certificate and DKIM configuration
</span>---
mail/mail-server/Portfile | 875 +++++++++++++
.../ca/intermediate/openssl_intermediate.cnf | 144 ++
.../files/prefix/etc/certificates/ca/openssl.cnf | 238 ++++
mail/mail-server/files/prefix/etc/dcc/dcc_conf | 161 +++
.../files/prefix/etc/dovecot/.turd_dovecot2 | 0
mail/mail-server/files/prefix/etc/dovecot/README | 2 +
.../files/prefix/etc/dovecot/conf.d/10-auth.conf | 176 +++
.../prefix/etc/dovecot/conf.d/10-logging.conf | 101 ++
.../files/prefix/etc/dovecot/conf.d/10-mail.conf | 459 +++++++
.../files/prefix/etc/dovecot/conf.d/10-master.conf | 203 +++
.../files/prefix/etc/dovecot/conf.d/10-ssl.conf | 106 ++
.../files/prefix/etc/dovecot/conf.d/15-lda.conf | 77 ++
.../prefix/etc/dovecot/conf.d/15-mailboxes.conf | 71 +
.../files/prefix/etc/dovecot/conf.d/20-imap.conf | 88 ++
.../files/prefix/etc/dovecot/conf.d/20-lmtp.conf | 29 +
.../prefix/etc/dovecot/conf.d/20-managesieve.conf | 75 ++
.../files/prefix/etc/dovecot/conf.d/90-fts.conf | 6 +
.../prefix/etc/dovecot/conf.d/90-imapsieve.conf | 19 +
.../files/prefix/etc/dovecot/conf.d/90-plugin.conf | 14 +
.../files/prefix/etc/dovecot/conf.d/90-quota.conf | 98 ++
.../files/prefix/etc/dovecot/conf.d/90-sieve.conf | 112 ++
.../prefix/etc/dovecot/conf.d/auth-od.conf.ext | 212 +++
.../prefix/etc/dovecot/default/conf.d/10-auth.conf | 147 +++
.../etc/dovecot/default/conf.d/10-director.conf | 62 +
.../etc/dovecot/default/conf.d/10-logging.conf | 97 ++
.../prefix/etc/dovecot/default/conf.d/10-mail.conf | 409 ++++++
.../etc/dovecot/default/conf.d/10-master.conf | 168 +++
.../prefix/etc/dovecot/default/conf.d/10-ssl.conf | 80 ++
.../prefix/etc/dovecot/default/conf.d/15-lda.conf | 67 +
.../etc/dovecot/default/conf.d/15-mailboxes.conf | 48 +
.../prefix/etc/dovecot/default/conf.d/20-imap.conf | 78 ++
.../prefix/etc/dovecot/default/conf.d/20-lmtp.conf | 21 +
.../etc/dovecot/default/conf.d/20-managesieve.conf | 70 +
.../prefix/etc/dovecot/default/conf.d/20-pop3.conf | 111 ++
.../prefix/etc/dovecot/default/conf.d/90-acl.conf | 20 +
.../etc/dovecot/default/conf.d/90-plugin.conf | 42 +
.../etc/dovecot/default/conf.d/90-quota.conf | 95 ++
.../default/conf.d/90-sieve-extprograms.conf | 46 +
.../etc/dovecot/default/conf.d/90-sieve.conf | 106 ++
.../default/conf.d/auth-checkpassword.conf.ext | 23 +
.../etc/dovecot/default/conf.d/auth-deny.conf.ext | 17 +
.../etc/dovecot/default/conf.d/auth-dict.conf.ext | 18 +
.../etc/dovecot/default/conf.d/auth-ldap.conf.ext | 35 +
.../dovecot/default/conf.d/auth-master.conf.ext | 18 +
.../etc/dovecot/default/conf.d/auth-od.conf.ext | 27 +
.../default/conf.d/auth-passwdfile.conf.ext | 22 +
.../etc/dovecot/default/conf.d/auth-sql.conf.ext | 32 +
.../dovecot/default/conf.d/auth-static.conf.ext | 27 +
.../dovecot/default/conf.d/auth-submit.conf.ext | 15 +
.../dovecot/default/conf.d/auth-system.conf.ext | 76 ++
.../dovecot/default/conf.d/auth-vpopmail.conf.ext | 19 +
.../etc/dovecot/default/dovecot-dict-auth.conf.ext | 28 +
.../etc/dovecot/default/dovecot-dict-sql.conf.ext | 45 +
.../etc/dovecot/default/dovecot-ldap.conf.ext | 147 +++
.../etc/dovecot/default/dovecot-sql.conf.ext | 143 ++
.../files/prefix/etc/dovecot/default/dovecot.conf | 120 ++
.../prefix/etc/dovecot/default/partition_map.conf | 1 +
.../files/prefix/etc/dovecot/dovecot.conf | 122 ++
.../files/prefix/etc/dovecot/etc/pam.d/imap | 7 +
.../etc/dovecot/example-config/conf.d/10-auth.conf | 129 ++
.../dovecot/example-config/conf.d/10-director.conf | 61 +
.../dovecot/example-config/conf.d/10-logging.conf | 89 ++
.../etc/dovecot/example-config/conf.d/10-mail.conf | 392 ++++++
.../dovecot/example-config/conf.d/10-master.conf | 119 ++
.../etc/dovecot/example-config/conf.d/10-ssl.conf | 63 +
.../etc/dovecot/example-config/conf.d/15-lda.conf | 48 +
.../example-config/conf.d/15-mailboxes.conf | 78 ++
.../etc/dovecot/example-config/conf.d/20-imap.conf | 88 ++
.../etc/dovecot/example-config/conf.d/20-lmtp.conf | 26 +
.../etc/dovecot/example-config/conf.d/20-pop3.conf | 99 ++
.../etc/dovecot/example-config/conf.d/90-acl.conf | 19 +
.../dovecot/example-config/conf.d/90-plugin.conf | 11 +
.../dovecot/example-config/conf.d/90-quota.conf | 83 ++
.../conf.d/auth-checkpassword.conf.ext | 21 +
.../example-config/conf.d/auth-deny.conf.ext | 15 +
.../example-config/conf.d/auth-dict.conf.ext | 16 +
.../example-config/conf.d/auth-ldap.conf.ext | 33 +
.../example-config/conf.d/auth-master.conf.ext | 16 +
.../example-config/conf.d/auth-passwdfile.conf.ext | 20 +
.../example-config/conf.d/auth-sql.conf.ext | 30 +
.../example-config/conf.d/auth-static.conf.ext | 24 +
.../example-config/conf.d/auth-system.conf.ext | 74 ++
.../example-config/conf.d/auth-vpopmail.conf.ext | 17 +
.../example-config/dovecot-dict-auth.conf.ext | 54 +
.../example-config/dovecot-dict-sql.conf.ext | 41 +
.../dovecot/example-config/dovecot-ldap.conf.ext | 151 +++
.../dovecot/example-config/dovecot-sql.conf.ext | 144 ++
.../prefix/etc/dovecot/example-config/dovecot.conf | 102 ++
.../files/prefix/etc/dovecot/imap.keytab.README.sh | 112 ++
.../etc/dovecot/sieve-before.d/10-rspamd.sieve | 5 +
.../prefix/etc/dovecot/sieve/report-ham.sieve | 15 +
.../prefix/etc/dovecot/sieve/report-spam.sieve | 7 +
.../files/prefix/etc/dovecot/sieve/train-ham.sh | 2 +
.../files/prefix/etc/dovecot/sieve/train-spam.sh | 2 +
mail/mail-server/files/prefix/etc/logrotate.conf | 24 +
mail/mail-server/files/prefix/etc/logrotate.d/mail | 13 +
.../mail-server/files/prefix/etc/logrotate.d/redis | 13 +
.../files/prefix/etc/logrotate.d/rspamd | 13 +
...MODORSAOrganizationValidationSecureServerCA.pem | 35 +
.../files/prefix/etc/postfix/etc/pam.d/smtp | 7 +
mail/mail-server/files/prefix/etc/postfix/main.cf | 1181 +++++++++++++++++
.../mail-server/files/prefix/etc/postfix/master.cf | 143 ++
.../files/prefix/etc/postfix/master.cf.chroot | 143 ++
.../files/prefix/etc/postfix/master.cf.nochroot | 133 ++
.../files/prefix/etc/postfix/sasl/passwd | 1 +
.../files/prefix/etc/postfix/sasl/smtpd.conf | 2 +
.../files/prefix/etc/postfix/smtp.keytab.README.sh | 179 +++
mail/mail-server/files/prefix/etc/redis.conf | 1385 ++++++++++++++++++++
.../files/prefix/etc/rspamd/dkim_paths.map | 1 +
.../files/prefix/etc/rspamd/dkim_selectors.map | 1 +
.../files/prefix/etc/rspamd/local.d/antivirus.conf | 39 +
.../prefix/etc/rspamd/local.d/arc.conf.do_not_use | 11 +
.../etc/rspamd/local.d/classifier-bayes.conf | 2 +
.../files/prefix/etc/rspamd/local.d/dcc.conf | 3 +
.../prefix/etc/rspamd/local.d/dkim_signing.conf | 32 +
.../files/prefix/etc/rspamd/local.d/dmarc.conf | 10 +
.../rspamd/local.d/greylist-whitelist-domains.inc | 2 +
.../files/prefix/etc/rspamd/local.d/greylist.conf | 1 +
.../prefix/etc/rspamd/local.d/history_redis.conf | 2 +
.../files/prefix/etc/rspamd/local.d/logging.inc | 24 +
.../prefix/etc/rspamd/local.d/milter_headers.conf | 6 +
.../files/prefix/etc/rspamd/local.d/mx_check.conf | 4 +
.../files/prefix/etc/rspamd/local.d/options.inc | 2 +
.../files/prefix/etc/rspamd/local.d/phishing.conf | 3 +
.../files/prefix/etc/rspamd/local.d/ratelimit.conf | 1 +
.../files/prefix/etc/rspamd/local.d/redis.conf | 2 +
.../files/prefix/etc/rspamd/local.d/replies.conf | 2 +
.../files/prefix/etc/rspamd/local.d/surbl.conf | 2 +
.../files/prefix/etc/rspamd/local.d/url_tags.conf | 2 +
.../etc/rspamd/local.d/worker-controller.inc | 13 +
.../prefix/etc/rspamd/local.d/worker-normal.inc | 3 +
.../prefix/etc/rspamd/local.d/worker-proxy.inc | 23 +
.../files/prefix/var/solr/dovecot/conf/schema.xml | 48 +
.../prefix/var/solr/dovecot/conf/solrconfig.xml | 289 ++++
134 files changed, 11881 insertions(+)
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/Portfile b/mail/mail-server/Portfile
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..e36016b
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/Portfile
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,875 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -*- coding: utf-8; mode: tcl; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- vim:fenc=utf-8:ft=tcl:et:sw=4:ts=4:sts=4
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+PortSystem 1.0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+PortGroup active_variants 1.1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+name mail-server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+version 1.0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+revision 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+categories mail net
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+platforms darwin
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+supported_archs noarch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+maintainers {ieee.org:s.t.smith @essandess} openmaintainer
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+license GPL-3
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+distfiles
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+description Mail server configuration
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+long_description ${description} \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Mail server working configuration that provides a basic, working, \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ easily modifiable mail server. The configuration is built using \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ postfix for the MTA, dovecot for the MDA, solr for fast search, \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ rspamd for a milter, and clamav for email virus scans. The \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ configuration includes a surrogate TLS certificate and DKIM.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+homepage https://www.postfix.org/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+set postfix_required_variants \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ [lsort {dovecot_sasl pcre smtputf8 tls}]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+set dovecot2_required_variants \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ [lsort {gssapi solr}]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+depends_lib-append port:dcc \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ port:dovecot2 \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ port:dovecot2-sieve \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ port:openssl \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ port:postfix \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ port:rspamd \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ port:sf-pwgen
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# these dependencies are from variants that may not be active
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+depends_lib-append port:apache-solr8 \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ port:clucene \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ port:curl \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ port:expat \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ port:pcre
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+depends_run-append port:clamav-server \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ port:dns-server \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ port:logrotate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+variant initialize \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ description {Initialize all configuration files. Existing
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ configurations files are not overwritten by default.} {}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+use_configure no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+pre-build {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # require these port dependency variants
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # MacPorts doesn't support variant dependencies, so do this this by hand
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # See: https://trac.macports.org/ticket/126
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # https://lists.macports.org/pipermail/macports-users/2015-September/039201.html
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ set required_variants_flag true
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ set required_variants_message ""
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if { [catch {set result [registry_active postfix]}]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ || [lindex [lindex ${result} 0] 3] \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ != "+[join ${postfix_required_variants} +]" } {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ append required_variants_message "\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Postfix not installed with required variants. Please install:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sudo port -pN install postfix +[join ${postfix_required_variants} +]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ set required_variants_flag false
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if { [catch {set result [registry_active dovecot2]}]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ || [lindex [lindex ${result} 0] 3] \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ != "+[join ${dovecot2_required_variants} +]" } {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ append required_variants_message "\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Dovecot not installed with required variants. Please install:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sudo port -pN install dovecot2 +[join ${dovecot2_required_variants} +]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ set required_variants_flag false
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if {${required_variants_flag} != true} {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ui_error ${required_variants_message}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # one of these will exit with error if the ports are not installed at all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ registry_active postfix
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ registry_active dovecot2
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+build {}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+set certificates_dir ${prefix}/etc/certificates
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+set tls_ca_dir ${certificates_dir}/ca.macports
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# random 4-word-based passphrase
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+proc correct_horse_battery_staple {} {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # ignore errors from sf-pwgen if the password is shorter than requested
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ [join [exec sh -c "sf-pwgen \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ --algorithm memorable --count 2 --length 16 \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ 2>/dev/null || true"] -]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+destroot {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # configuration design: MacPorts file and/or directory templates installed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # to *.macports, then edited with local network settings, then in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # post-activate copied to actual configuration files if such don't exist
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # common
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ foreach d [list \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ var/log/mail \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ etc/certificates \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ var/spool/postfix${prefix}/var/run/rspamd \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ var/run/redis \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ] {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -m 0750 -o root -g mail -d ${destroot}${prefix}/${d}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ destroot.keepdirs-append ${destroot}${prefix}/${d}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # postfix
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -m 0755 -d ${destroot}${prefix}/etc/postfix
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -m 0755 -d ${destroot}${prefix}/etc/postfix/etc/pam.d
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -m 0750 -o root -g _postfix -d ${destroot}${prefix}/etc/postfix/sasl
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -m 0755 -o root -g _postfix -d ${destroot}${prefix}/var/spool/postfix/etc
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -m 0755 -o root -g mail -d \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${destroot}${prefix}/etc/postfix/etc \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${destroot}${prefix}/etc/postfix/etc/certificates \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${destroot}${prefix}/etc/postfix/etc/pam.d
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # *.macports templates
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ foreach f {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ main.cf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ master.cf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sasl/passwd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ } {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -m 0644 \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${filespath}/prefix/etc/postfix/${f} \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${destroot}${prefix}/etc/postfix/${f}.macports
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # generic templates
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ foreach f {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ master.cf.chroot
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ master.cf.nochroot
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ smtp.keytab.README.sh
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ etc/pam.d/smtp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ } {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -m 0644 \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${filespath}/prefix/etc/postfix/${f} \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${destroot}${prefix}/etc/postfix/${f}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # chroot jail necessities
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -m 0644 /etc/hosts ${destroot}${prefix}/var/spool/postfix/etc
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -m 0644 /etc/services ${destroot}${prefix}/var/spool/postfix/etc
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # dovecot
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -m 0755 -d ${destroot}${prefix}/etc/dovecot
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # *.macports templates
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ foreach d {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ conf.d
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ } {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -m 0755 -d \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${destroot}${prefix}/etc/dovecot/${d}.macports
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ destroot.keepdirs-append \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${destroot}${prefix}/etc/dovecot/${d}.macports
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ foreach d {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sieve
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sieve-before.d
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sieve-afer.d
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ } {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -m 0755 -g mail -d \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${destroot}${prefix}/etc/dovecot/${d}.macports
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ destroot.keepdirs-append \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${destroot}${prefix}/etc/dovecot/${d}.macports
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ foreach f {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ dovecot.conf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ } {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -m 0644 \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${filespath}/prefix/etc/dovecot/${f} \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${destroot}${prefix}/etc/dovecot/${f}.macports
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ foreach d {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ conf.d
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sieve
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sieve-before.d
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sieve-afer.d
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ } {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ foreach f [glob -nocomplain ${filespath}/prefix/etc/dovecot/${d}/*] {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if {[file isfile ${f}]} {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -m 0644 ${f} \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${destroot}${prefix}/etc/dovecot/${d}.macports/[file tail ${f}]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # generic templates
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ foreach d {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ default
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ example-config
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ etc/pam.d
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ } {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -m 0755 -d \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${destroot}${prefix}/etc/dovecot/${d}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ foreach f {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ etc/pam.d/imap
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ imap.keytab.README.sh
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ } {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -m 0644 \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${filespath}/prefix/etc/dovecot/${f} \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${destroot}${prefix}/etc/dovecot/${f}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ foreach d {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ default
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ example-config
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ } {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ foreach f [glob -nocomplain ${filespath}/prefix/etc/dovecot/${d}/*] {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if {[file isfile ${f}]} {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -m 0644 ${f} \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${destroot}${prefix}/etc/dovecot/${d}/[file tail ${f}]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # rspamd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -m 0755 -d ${destroot}${prefix}/etc/rspamd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ foreach d {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ local.d
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ } {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -m 0755 -d ${destroot}${prefix}/etc/rspamd/${d}.macports
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ foreach f [glob -nocomplain ${filespath}/prefix/etc/rspamd/${d}/*] {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if {[file isfile ${f}]} {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -m 0644 ${f} \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${destroot}${prefix}/etc/rspamd/${d}.macports/[file tail ${f}]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ foreach f {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ dkim_paths.map
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ dkim_selectors.map
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ } {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -m 0644 ${filespath}/prefix/etc/rspamd/${f} \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${destroot}${prefix}/etc/rspamd/${f}.macports
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # redis
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ foreach f {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ redis.conf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ } {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -m 0644 ${filespath}/prefix/etc/${f} \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${destroot}${prefix}/etc/${f}.macports
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # dcc
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -m 0755 -d ${destroot}${prefix}/etc/dcc
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ foreach f {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ dcc_conf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ } {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -m 0644 ${filespath}/prefix/etc/dcc/${f} \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${destroot}${prefix}/etc/dcc/${f}.macports
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # logrotate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ foreach d {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ logrotate.d
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ } {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -m 0755 -d ${destroot}${prefix}/etc/${d}.macports
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ foreach f [glob -nocomplain ${filespath}/prefix/etc/${d}/*] {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if {[file isfile ${f}]} {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -m 0644 ${f} \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${destroot}${prefix}/etc/${d}.macports/[file tail ${f}]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ foreach f {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ logrotate.conf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ } {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -m 0644 ${filespath}/prefix/etc/${f} \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${destroot}${prefix}/etc/${f}.macports
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # TLS certificate surrogate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -m 0755 -d ${destroot}${certificates_dir}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -m 0700 -d ${destroot}${certificates_dir}/private
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ destroot.keepdirs-append \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${destroot}${certificates_dir} \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${destroot}${certificates_dir}/private
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -m 0755 -d ${destroot}${tls_ca_dir}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -m 0755 -d ${destroot}${tls_ca_dir}/intermediate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -m 0644 \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${filespath}/prefix/etc/certificates/ca/openssl.cnf \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${destroot}${tls_ca_dir}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -m 0644 \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${filespath}/prefix/etc/certificates/ca/intermediate/openssl_intermediate.cnf \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${destroot}${tls_ca_dir}/intermediate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if { [variant_isset "initialize"]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ && [file exists ${tls_ca_dir}]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ } {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ delete ${tls_ca_dir}.previous
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ move \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${tls_ca_dir} \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${tls_ca_dir}.previous
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+destroot.keepdirs ${destroot}${prefix}/var/log/mail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Network configuration
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# hard-coded examples
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+set host host
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+set domain domain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+set tld tld
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+set fullhost ${host}.${domain}.${tld}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+set domaintld ${domain}.${tld}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+set HOST [string toupper ${host}]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+set DOMAIN [string toupper ${domain}]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+set TLD [string toupper ${tld}]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+set FULLHOST [string toupper ${fullhost}]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+set DOMAINTLD [string toupper ${domaintld}]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+set relayhost mymailrelay.tld
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+post-activate {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # use network settings for installed example configuration
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ set fullhost [exec /bin/hostname -f]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ set host [lindex [split ${fullhost} .] 0]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ set domaintld [join [lrange [split ${fullhost} .] end-1 end] .]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ set domain [lindex [split ${domaintld} .] 0]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ set tld [lindex [split ${domaintld} .] end]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ set HOST [string toupper ${host}]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ set DOMAIN [string toupper ${domain}]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ set TLD [string toupper ${tld}]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ set FULLHOST [string toupper ${fullhost}]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ set DOMAINTLD [string toupper ${domaintld}]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ set rspamd_control_password \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ [correct_horse_battery_staple]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ set rspamd_control_password_hash \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ [exec rspamadm pw --password ${rspamd_control_password}]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ui_msg "Configuring Mail Server with:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ host : ${host}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ domain : ${domain}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ tld : ${tld}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ proc install_initial_configuration {f_or_d} {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if { [variant_isset "initialize"]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ && [file exists ${f_or_d}]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ } {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ delete ${f_or_d}.previous
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ move \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${f_or_d} \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${f_or_d}.previous
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if { [variant_isset "initialize"]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ || ![file exists ${f_or_d}]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ } {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if { [file isfile ${f_or_d}.macports] } {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -m 0644 \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${f_or_d}.macports \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${f_or_d}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ } elseif { [file isdirectory ${f_or_d}.macports] } {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -m 0755 -d ${f_or_d}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ foreach f [glob -nocomplain ${f_or_d}.macports/*] {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -m 0644 ${f} \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${f_or_d}/[file tail ${f}]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # postfix configuration
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ foreach f_or_d {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ main.cf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ master.cf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sasl/passwd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ } {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ install_initial_configuration ${prefix}/etc/postfix/${f_or_d}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # postfix relay host and password surrogate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ file attributes ${prefix}/etc/postfix/sasl/passwd \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -group _postfix -permissions 0640
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # dovecot configuration
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ foreach f_or_d {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ dovecot.conf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ conf.d
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sieve
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sieve-before.d
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sieve-afer.d
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ } {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ install_initial_configuration ${prefix}/etc/dovecot/${f_or_d}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -m 0770 -g mail -d /private/var/mail/${tld}.${domain}.mail/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -m 0777 -g mail -d /private/var/mail/${tld}.${domain}.mail/attachments/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # solr configuration
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if { [variant_isset "initialize"] } {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ system "sudo -u solr -g solr sh <<SOLR_DELETE_DOVECOT
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ solr8 stop -p 8983 2>/dev/null || true
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ solr8 start -p 8983 2>/dev/null || true
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ solr8 delete -c dovecot 2>/dev/null || true
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ solr8 stop -p 8983 2>/dev/null || true
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+SOLR_DELETE_DOVECOT
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # create dovecot core; wrap commands in shell to avoid non-zero
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # return value if it already exists
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ system "sudo -u solr -g solr sh -c \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ \"solr8 stop -p 8983 2>/dev/null || true\""
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ system "sudo -u solr -g solr sh -c \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ \"solr8 start -p 8983 2>/dev/null || true\""
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ set solr_version [exec solr8 version]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ system "sudo -u solr -g solr sh -c \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ \"solr8 create -c dovecot -n dovecot 2>/dev/null || true\""
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ system "sudo -u solr -g solr sh -c \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ \"solr8 stop -p 8983 2>/dev/null || true\""
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if { ![file exists ${prefix}/var/solr/dovecot/conf/] } {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ui_error \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "solr directory ${prefix}/var/solr/dovecot/conf/ doesn't exist."
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ exit 1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # See Tips at https://wiki.dovecot.org/Plugins/FTS/Solr
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # wget -O solrconfig.xml https://github.com/dovecot/core/raw/master/doc/solr-config-7.7.0.xml
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -b -B.orig -g solr -m 0644 -o solr \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${filespath}/prefix/var/solr/dovecot/conf/solrconfig.xml \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${prefix}/var/solr/dovecot/conf/solrconfig.xml
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # wget -O schema.xml https://github.com/dovecot/core/raw/master/doc/solr-schema-7.7.0.xml
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -b -B.orig -g solr -m 0644 -o solr \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${filespath}/prefix/var/solr/dovecot/conf/schema.xml \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${prefix}/var/solr/dovecot/conf/schema.xml
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Note: solr will replace schema.xml with managed-schema
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if { [file exists ${prefix}/var/solr/dovecot/conf/managed-schema.orig] } {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ delete ${prefix}/var/solr/dovecot/conf/managed-schema.orig
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ move ${prefix}/var/solr/dovecot/conf/managed-schema \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${prefix}/var/solr/dovecot/conf/managed-schema.orig
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Edit in the Lucene version; see lucene-spec at http://localhost:8983/solr
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ reinplace -E -q \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "s|(<luceneMatchVersion>)\[\[:digit:\]\]\\.\[\[:digit:\]\]\\.\[\[:digit:\]\](</luceneMatchVersion>)|\\1${solr_version}\\2|" \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${prefix}/var/solr/dovecot/conf/solrconfig.xml
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ reinplace -E -q \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "s|<str name=\"df\">|<str name=\"hdr\">|" \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${prefix}/var/solr/dovecot/conf/solrconfig.xml
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # rspamd configuration
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if { ![file exists ${prefix}/var/lib/rspamd/dkim] } {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -m 0750 -o _rspamd -g _rspamd -d \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${prefix}/var/lib/rspamd/dkim
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ foreach f_or_d {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ local.d
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ dkim_paths.map
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ dkim_selectors.map
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ } {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ install_initial_configuration ${prefix}/etc/rspamd/${f_or_d}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ foreach f [list \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${prefix}/var/lib/rspamd/dkim/${domaintld}.dkim_rsa2048.key \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${prefix}/var/lib/rspamd/dkim/${domaintld}.dkim_ed25519.key
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ] {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if { ![file exists ${f}] } {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ set f_txt [strsed ${f} {s|\.key$|.txt|}]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if { [string match "*rsa2048*" ${f}] } {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ system -W ${prefix}/var/lib/rspamd/dkim \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "sh -c \"rspamadm dkim_keygen \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -k ${f} -s dkim_rsa2048 -t rsa -b 2048 \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -d ${domaintld} \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ 1>${f_txt}\""
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ } elseif { [string match "*ed25519*" ${f}] } {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ system -W ${prefix}/var/lib/rspamd/dkim \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "sh -c \"rspamadm dkim_keygen \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -k ${f} -s dkim_ed25519 -t ed25519 \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -d ${domaintld} \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ 1>${f_txt}\""
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ file attributes ${f} \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -owner _rspamd -group _rspamd -permissions 0640
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ file attributes ${f_txt} \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -owner _rspamd -group _rspamd -permissions 0644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # redis configuration
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ foreach f_or_d {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ redis.conf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ } {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ install_initial_configuration ${prefix}/etc/${f_or_d}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # dcc configuration
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ foreach f_or_d {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ dcc_conf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ } {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ install_initial_configuration ${prefix}/etc/dcc/${f_or_d}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # logrotate configuration
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ foreach f_or_d {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ logrotate.conf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ logrotate.d
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ } {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ install_initial_configuration ${prefix}/etc/${f_or_d}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if { ![file exists /Library/LaunchDaemons/org.macports.logrotate.plist] } {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -m 0644 \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${prefix}/share/logrotate/org.macports.logrotate.plist.example \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /Library/LaunchDaemons/org.macports.logrotate.plist
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # TLS certificate surrogate -- certificate authority chain of trust
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -m 0700 -d ${tls_ca_dir}/private
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -m 0700 -d ${tls_ca_dir}/intermediate/private
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ foreach f { \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ openssl.cnf \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ intermediate/openssl_intermediate.cnf \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ } {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ reinplace "s|@TLS_CA_DIR@|${tls_ca_dir}|g" ${tls_ca_dir}/${f}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # CA and Intermediate CA encrypted key passphrases in ./private
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # CA passphrase
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ set tls_ca_passphrase \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ [correct_horse_battery_staple]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ set tls_ca_passphrase_fd \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ [open ${tls_ca_dir}/private/passphrase.txt w 0600]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ puts ${tls_ca_passphrase_fd} \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${tls_ca_passphrase}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ close ${tls_ca_passphrase_fd}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Intermediate CA passphrase
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ set tls_intermediate_ca_passphrase \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ [correct_horse_battery_staple]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ set tls_intermediate_ca_passphrase_fd \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ [open ${tls_ca_dir}/intermediate/private/passphrase_intermediate.txt w 0600]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ puts ${tls_intermediate_ca_passphrase_fd} \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${tls_intermediate_ca_passphrase}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ close ${tls_intermediate_ca_passphrase_fd}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Client certificate passphrase
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ set tls_client_certificate_passphrase \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ [correct_horse_battery_staple]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ set tls_client_certificate_passphrase_fd \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ [open ${tls_ca_dir}/intermediate/private/passphrase_client.txt w 0600]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ puts ${tls_client_certificate_passphrase_fd} \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${tls_client_certificate_passphrase}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ close ${tls_client_certificate_passphrase_fd}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # create the chain of trust
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ system -W ${tls_ca_dir} \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "sh <<TLS_CERTIFICATE_SURROGATE
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # CA encrypted key
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ openssl genrsa -aes256 -out private/ca.key.pem \\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -passout file:private/passphrase.txt 4096
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ chmod go-r private/ca.key.pem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # CA certificate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ openssl req -config openssl.cnf \\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -new -x509 -days 1460 -sha256 \\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -extensions v3_ca \\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -out ca.cert.pem -key private/ca.key.pem \\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -passin file:private/passphrase.txt -batch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # CA certificate openssl self-verification
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ openssl verify -CAfile ca.cert.pem ca.cert.pem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ##################
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Intermediate CA
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ##################
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Intermediate CA encrypted key
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ openssl genrsa -aes256 \\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -out intermediate/private/intermediate.key.pem \\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -passout file:intermediate/private/passphrase_intermediate.txt \\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ 4096
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ chmod go-r intermediate/private/intermediate.key.pem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Intermediate CA CSR
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ openssl req -config intermediate/openssl_intermediate.cnf \\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -new -sha256 \\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -key intermediate/private/intermediate.key.pem \\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -passin file:intermediate/private/passphrase_intermediate.txt \\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -out intermediate/intermediate.csr.pem -batch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # CA initialize database
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ echo 01 > serial
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ touch index.txt
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Intermediate CA certificate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ openssl ca -config openssl.cnf \\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -days 730 -notext -md sha256 -extensions v3_intermediate_ca \\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -in intermediate/intermediate.csr.pem \\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -out intermediate/intermediate.cert.pem \\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -passin file:private/passphrase.txt -batch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Intermediate CA chain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ cat intermediate/intermediate.cert.pem ca.cert.pem \\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ > intermediate/ca-chain.cert.pem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Intermediate CA chain openssl verification
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ openssl verify -CAfile ca.cert.pem intermediate/ca-chain.cert.pem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ##################
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Client Certs
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ##################
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Client certificate encrypted key
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ openssl genrsa -aes256 \\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -out intermediate/private/${fullhost}.key.pem \\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -passout file:intermediate/private/passphrase_client.txt \\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ 4096
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ chmod go-r intermediate/private/${fullhost}.key.pem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Client certificate decrypted key
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ openssl rsa -in intermediate/private/${fullhost}.key.pem \\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -passin file:intermediate/private/passphrase_client.txt \\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -out intermediate/private/${fullhost}.key.pem.decrypted
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ chmod go-r intermediate/private/${fullhost}.key.pem.decrypted
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Client certificate CSR
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ openssl req -config intermediate/openssl_intermediate.cnf \\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -new -sha256 \\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -key intermediate/private/${fullhost}.key.pem \\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -passin file:intermediate/private/passphrase_client.txt \\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -out intermediate/${fullhost}.csr.pem -batch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Intermediate CA initialize database
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ echo 01 > intermediate/serial
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ touch intermediate/index.txt
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Client certificate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ openssl ca -config intermediate/openssl_intermediate.cnf \\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -days 375 -notext -md sha256 \\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -in intermediate/${fullhost}.csr.pem \\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -out intermediate/${fullhost}.cert.pem \\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -passin file:intermediate/private/passphrase_intermediate.txt \\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -subj '/CN=${fullhost}' -batch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Client chain openssl verification
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ openssl verify -CAfile intermediate/ca-chain.cert.pem \\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ intermediate/${fullhost}.cert.pem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Client chain of trust
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ cat intermediate/${fullhost}.cert.pem \\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ intermediate/intermediate.cert.pem ca.cert.pem \\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ > intermediate/${fullhost}.chain.pem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Client certificate of the forms
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # @host@.@domain@.@tld@.@CERTIFICATE_SHA1@.{cert,key,chain}.pem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+TLS_CERTIFICATE_SURROGATE
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ set certificate_sha1 [exec \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ openssl x509 -noout -fingerprint -sha1 -inform pem \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -in ${tls_ca_dir}/intermediate/${fullhost}.cert.pem]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ set certificate_sha1 [strsed ${certificate_sha1} "s|^SHA1 Fingerprint=||"]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ set certificate_sha1 [strsed ${certificate_sha1} "g|:||"]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -m 0600 \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${tls_ca_dir}/intermediate/private/${fullhost}.key.pem.decrypted \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${certificates_dir}/private/${fullhost}.${certificate_sha1}.key.pem.decrypted
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -m 0600 \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${tls_ca_dir}/intermediate/private/${fullhost}.key.pem \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${certificates_dir}/private/${fullhost}.${certificate_sha1}.key.pem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -m 0600 \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${tls_ca_dir}/intermediate/private/passphrase_client.txt \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${certificates_dir}/private/${fullhost}.${certificate_sha1}.key.passphrase
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -m 0644 \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${tls_ca_dir}/intermediate/${fullhost}.cert.pem \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${certificates_dir}/${fullhost}.${certificate_sha1}.cert.pem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -m 0644 \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${tls_ca_dir}/intermediate/${fullhost}.chain.pem \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${certificates_dir}/${fullhost}.${certificate_sha1}.chain.pem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # configure all template files with local settings
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ foreach d_or_f {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ postfix
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ dovecot
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ rspamd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ redis.conf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ logrotate.conf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ logrotate.d
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ } {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fs-traverse f ${prefix}/etc/${d_or_f} {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if { [file isfile ${f}]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ && ![string match ".macports" ${f}]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ && [string match "text/*" \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ [lindex [exec /usr/bin/file --mime-type ${f}] end]]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ } then {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ foreach cmd [list \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "s|@PREFIX@|${prefix}|g" \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "s|@host@.@domain@.@tld@|${fullhost}|g" \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "s|@domain@.@tld@|${domaintld}|g" \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "s|@host@|${host}|g" \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "s|@domain@|${domain}|g" \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "s|@tld@|${tld}|g" \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "s|@HOST@.@DOMAIN@.@TLD@|${FULLHOST}|g" \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "s|@DOMAIN@.@TLD@|${DOMAINTLD}|g" \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "s|@HOST@|${HOST}|g" \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "s|@DOMAIN@|${DOMAIN}|g" \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "s|@TLD@|${TLD}|g" \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "s|@RSPAMD_CONTROL_PASSWORD@|${rspamd_control_password}|g" \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "s|@RSPAMD_CONTROL_PASSWORD_HASH@|${rspamd_control_password_hash}|g" \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "s|@CERTIFICATE_SHA1@|${certificate_sha1}|g" \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "s|@RELAYHOST@|${relayhost}|g" \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ] {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ reinplace -q ${cmd} ${f}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # postfix relay host and password surrogate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ system -W ${prefix}/etc/postfix/sasl "postmap passwd"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # postfix permissions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # system -W ${prefix}/etc/postfix "postfix set-permissions"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # dovecot sieve functions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # dovecot must be built with `--with-lucene` for sievec to work here
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if { ![catch {set result [registry_active dovecot2]}]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ && [string match "*solr*" [lindex [lindex ${result} 0] 3]] } {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ foreach d {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sieve
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sieve-before.d
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sieve-afer.d
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ } {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ foreach f [glob -nocomplain ${prefix}/etc/dovecot/${d}/*.sieve] {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ system -W ${prefix}/etc/dovecot/${d} "sievec ${f}"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ } else {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ui_msg "dovecot plugin 'fts_lucene' not installed. Please install:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sudo port -pN install dovecot2 +[join ${dovecot2_required_variants} +]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+and rerun `sudo port install ${name}`. Ensure that the sieve scripts
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+in ${prefix}/etc/dovecot/sieve*/*.sieve are compiled with sievec.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # PAM authentication
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if ![file exists /etc/pam.d/smtp] {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -m 0644 ${prefix}/etc/postfix/etc/pam.d/smtp /etc/pam.d/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if ![file exists /etc/pam.d/imap] {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -m 0644 ${prefix}/etc/dovecot/etc/pam.d/imap /etc/pam.d/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # TLS PFS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if ![file exists ${prefix}/var/lib/postfix/dh2048.pem] {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ system -W ${prefix}/var/lib/postfix "sudo -u _postfix openssl dhparam -out dh2048.pem 2048"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if ![file exists ${prefix}/etc/dovecot/dh2048.pem] {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # create a shorter, faster DH parameter file for the default installation
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ system -W ${prefix}/etc/dovecot "openssl dhparam -out dh2048.pem 2048"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # mail group membership
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # dscacheutil -q group -a name mail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ foreach u {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ _postfix
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ _dovecot
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ _dovenull
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ _rspamd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ } {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ system "dseditgroup -o edit -a ${u} -t user mail"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+startupitem.create yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+startupitem.start "port load dns-server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+\tport load clamav-server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+\tport load apache-solr8
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+\tport load redis
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+\tport load dcc
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+\tport load postfix
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+\tport load dovecot2
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+\tport load rspamd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+\tport load logrotate"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+startupitem.stop "port unload apache-solr8
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+\tport unload dcc
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+\tport unload postfix
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+\tport unload dovecot2
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+\tport unload rspamd"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+startupitem.restart "port reload apache-solr8
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+\tport reload redis
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+\tport reload dcc
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+\tport unload postfix ; \\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+\tsleep 1 ; \\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+\tport load postfix
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+\tport unload dovecot2 ; \\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+\tsleep 1 ; \\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+\tport load dovecot2
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+\tport reload rspamd"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+notes "A mail server is a complex, interdependent set of tools that must
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+all be configured correctly to provide secure, reliable email.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Users must reconfigure this installation for their own system, network,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+and security model specifics by editing all necessary files and checking
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+file permissions. A subset of these settings are visible in the files:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ port contents mail-server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ port file mail-server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Full deployment also requires a working DNS configuration on both the LAN
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+and the internet, including SPF and DKIM records, trusted TLS certificates,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+port forwarding, possibly a mail replay, and more.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Postfix and dovecot must be installed with these variants:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sudo port -pN install postfix +[join ${postfix_required_variants} +]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sudo port -pN install dovecot2 +[join ${dovecot2_required_variants} +]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+These are the locations and network settings for the default configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ MTA (postfix):
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${prefix}/etc/postfix/main.cf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${prefix}/etc/postfix/master.cf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ports: smtp/tcp (25), submission/tcp (587)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ MDA (dovecot):
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${prefix}/etc/dovecot/dovecot.conf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${prefix}/etc/dovecot/conf.d/*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ port: imaps/tcp (993)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ FTS (solr):
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ http://localhost:8983/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Milter (rspamd):
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${prefix}/etc/rspamd/rspamd.conf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${prefix}/etc/rspamd/local.d/*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ A default Rspamd controller password and its hash appear in the files:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${prefix}/etc/dovecot/sieve/train-spam.sh
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${prefix}/etc/dovecot/sieve/train-ham.sh
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${prefix}/etc/rspamd/local.d/worker-controller.inc
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Rspamd controller:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ http://localhost:11334/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Spam/Ham training (default behavior):
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Move/Copy email to the folders Spam_train or Notspam_train.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+The configuration also includes a surrogate TLS certificate and DKIM settings
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+that must be changed before deployment.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ TLS:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${prefix}/etc/certificates
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ DKIM:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${prefix}/var/lib/rspamd/dkim
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+The port's launch daemon controls launching for each of the dependendent
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+services. These may be controlled independently, e.g.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sudo port load clamav-server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sudo port load apache-solr8
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sudo port load redis
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sudo port load dcc
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sudo port load postfix
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sudo port load dovecot2
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sudo port load rspamd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sudo port load logrotate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ References:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ * http://www.postfix.org/documentation.html
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ * https://wiki.dovecot.org/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ * https://www.rspamd.com/doc/index.html
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ * https://www.c0ffee.net/blog/mail-server-guide/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ * _The Book of Postfix_, by Patrick Koetter and Ralf Hildebrandt
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+livecheck.type none
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/certificates/ca/intermediate/openssl_intermediate.cnf b/mail/mail-server/files/prefix/etc/certificates/ca/intermediate/openssl_intermediate.cnf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..4c9f5ca
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/certificates/ca/intermediate/openssl_intermediate.cnf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,144 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Change this block from the CA's ./openssl.cnf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# [ CA_default ]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dir = …/intermediate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# database = $dir/index_intermediate.txt
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# serial = $dir/serial_intermediate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# private_key = $dir/private/intermediate.key.pem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# certificate = $dir/intermediate.cert.pem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# crlnumber = $dir/crlnumber_intermediate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# crl = $dir/intermediate.crl.pem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# policy = policy_loose
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# commonName = MacPorts Intermediate CA Surrogate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# commonName_default = MacPorts Intermediate CA Surrogate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+[ca]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+default_ca = CA_default
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+[ CA_default ]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Directory and file locations.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+dir = @TLS_CA_DIR@/intermediate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+certs = $dir
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+crl_dir = $dir
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+new_certs_dir = $dir
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+database = $dir/index.txt
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+serial = $dir/serial
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+RANDFILE = $dir/private/.rand
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The root key and root certificate.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+private_key = $dir/private/intermediate.key.pem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+certificate = $dir/intermediate.cert.pem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For certificate revocation lists.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+crlnumber = $dir/crlnumber_intermediate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+crl = $dir/intermediate.crl.pem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+crl_extensions = crl_ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+default_crl_days = 30
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SHA-1 is deprecated, so use SHA-2 instead.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+default_md = sha256
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+name_opt = ca_default
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+cert_opt = ca_default
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+default_days = 375
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+preserve = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+policy = policy_loose
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+[ policy_strict ]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The root CA should only sign intermediate certificates that match.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See the POLICY FORMAT section of `man ca`.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+countryName = match
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+stateOrProvinceName = match
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+organizationName = match
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+organizationalUnitName = optional
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+commonName = supplied
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+emailAddress = optional
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+[ policy_loose ]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Allow the intermediate CA to sign a more diverse range of certificates.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See the POLICY FORMAT section of the `ca` man page.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+countryName = optional
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+stateOrProvinceName = optional
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+localityName = optional
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+organizationName = optional
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+organizationalUnitName = optional
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+commonName = optional
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+emailAddress = optional
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+[ req ]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Options for the `req` tool (`man req`).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+default_bits = 4096
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+distinguished_name = req_distinguished_name
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+string_mask = utf8only
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SHA-1 is deprecated, so use SHA-2 instead.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+default_md = sha256
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Extension to add when the -x509 option is used.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+x509_extensions = v3_ca
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+[ req_distinguished_name ]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+countryName = US
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+stateOrProvinceName = MA
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+localityName = Boston
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+organizationName = MacPorts
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+organizationalUnitName = Change This Surrogate Certificate Chain of Trust
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+commonName = MacPorts Intermediate CA Surrogate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+emailAddress = macports-users@lists.macports.org
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Optionally, specify some defaults.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+countryName_default = US
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+stateOrProvinceName_default = MA
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+localityName_default = Boston
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+organizationName_default = MacPorts
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+organizationalUnitName_default = Change This Surrogate Certificate Chain of Trust
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+commonName_default = MacPorts Intermediate CA Root
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+emailAddress_default = macports-users@lists.macports.org
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+[ v3_ca ]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Extensions for a typical CA (`man x509v3_config`).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+subjectKeyIdentifier = hash
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+authorityKeyIdentifier = keyid:always,issuer
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+basicConstraints = critical, CA:true
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+[ v3_intermediate_ca ]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Extensions for a typical intermediate CA (`man x509v3_config`).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+subjectKeyIdentifier = hash
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+authorityKeyIdentifier = keyid:always,issuer
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+basicConstraints = critical, CA:true, pathlen:0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+[ usr_cert ]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Extensions for client certificates (`man x509v3_config`).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+basicConstraints = CA:FALSE
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+nsCertType = client, email
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+nsComment = "OpenSSL Generated Client Certificate"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+subjectKeyIdentifier = hash
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+authorityKeyIdentifier = keyid,issuer
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+extendedKeyUsage = clientAuth, emailProtection
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+[ server_cert ]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Extensions for server certificates (`man x509v3_config`).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+basicConstraints = CA:FALSE
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+nsCertType = server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+nsComment = "OpenSSL Generated Server Certificate"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+subjectKeyIdentifier = hash
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+authorityKeyIdentifier = keyid,issuer:always
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+keyUsage = critical, digitalSignature, keyEncipherment
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+extendedKeyUsage = serverAuth
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+[ crl_ext ]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Extension for CRLs (`man x509v3_config`).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+authorityKeyIdentifier=keyid:always
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+[ ocsp ]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Extension for OCSP signing certificates (`man ocsp`).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+basicConstraints = CA:FALSE
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+subjectKeyIdentifier = hash
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+authorityKeyIdentifier = keyid,issuer
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+keyUsage = critical, digitalSignature
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+extendedKeyUsage = critical, OCSPSigning
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/certificates/ca/openssl.cnf b/mail/mail-server/files/prefix/etc/certificates/ca/openssl.cnf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..f3a8f0c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/certificates/ca/openssl.cnf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,238 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Commands to create a surrogate TLS server certificate chain of trust
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##################
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# CA
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##################
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# CA encrypted key
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# openssl genrsa -aes256 -out private/ca.key.pem \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -passout file:private/passphrase.txt 4096
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# CA certificate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# openssl req -config openssl.cnf \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -new -x509 -days 1460 -sha256 -extensions v3_ca -out ca.cert.pem \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -key private/ca.key.pem -passin file:private/passphrase.txt -batch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# CA certificate text verification
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# openssl x509 -text -noout -in ca.cert.pem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# CA certificate openssl self-verification
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# openssl verify -CAfile ca.cert.pem ca.cert.pem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##################
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Intermediate CA
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##################
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Intermediate CA encrypted key
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# openssl genrsa -aes256 -out intermediate/private/intermediate.key.pem \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -passout file:intermediate/private/passphrase_intermediate.txt 4096
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Intermediate CA CSR
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# openssl req -config intermediate/openssl_intermediate.cnf -new -sha256 \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -key intermediate/private/intermediate.key.pem \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -passin file:intermediate/private/passphrase_intermediate.txt -batch \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -out intermediate/intermediate.csr.pem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# CA initialize database
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sh -c 'echo 01 > serial'
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# touch index.txt
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Intermediate CA certificate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# openssl ca -config openssl.cnf \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -days 730 -notext -md sha256 -extensions v3_intermediate_ca \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -in intermediate/intermediate.csr.pem \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -out intermediate/intermediate.cert.pem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -passin file:private/passphrase.txt -batch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Intermediate CA chain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sh -c 'cat intermediate/intermediate.cert.pem ca.cert.pem \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# > intermediate/ca-chain.cert.pem'
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Intermediate CA certificate text verification
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# openssl x509 -text -noout -in intermediate/intermediate.cert.pem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Intermediate CA chain openssl self-verification
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# openssl verify -CAfile ca.cert.pem intermediate/ca-chain.cert.pem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##################
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Client Certs
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##################
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Client certificate encrypted key
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# openssl genrsa -aes256 -out intermediate/private/www.example.com.key.pem \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -passout file:intermediate/private/passphrase_client.txt 4096
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Client certificate decrypted key
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# openssl rsa -in intermediate/private/www.example.com.key.pem \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -passin file:intermediate/private/passphrase_client.txt \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -out intermediate/private/www.example.com.key.pem.decrypted
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Client certificate CSR
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# openssl req -config intermediate/openssl_intermediate.cnf -new -sha256 \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -key intermediate/private/www.example.com.key.pem \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -passin file:intermediate/private/passphrase_client.txt -batch \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -out intermediate/www.example.com.csr.pem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Intermediate CA initialize database
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sh -c 'echo 01 > intermediate/serial'
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# touch intermediate/index.txt
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Client certificate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# openssl ca -config intermediate/openssl_intermediate.cnf \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -days 375 -notext -md sha256 \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -in intermediate/www.example.com.csr.pem \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -out intermediate/www.example.com.cert.pem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -passin file:intermediate/private/passphrase_intermediate.txt -batch \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -subj '/CN=www.example.com'
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Client certificate text verification
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# openssl x509 -text -noout -in intermediate/www.example.com.cert.pem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Client chain openssl self-verification
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# openssl verify -CAfile intermediate/ca-chain.cert.pem \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# intermediate/www.example.com.cert.pem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Client chain of trust
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sh -c 'cat intermediate/www.example.com.cert.pem \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# intermediate/intermediate.cert.pem ca.cert.pem \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# > intermediate/www.example.com.chain.pem'
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Client certificate SHA1 hash
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# openssl x509 -noout -fingerprint -sha1 -inform pem \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -in intermediate/www.example.com.cert.pem \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# | tr -d ':' | sed -e 's|^SHA1 Fingerprint=||'
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Client certificate of the forms
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# @host@.@domain@.@tld@.@CERTIFICATE_SHA1@.{cert,key,chain}.pem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+[ca]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+default_ca = CA_default
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+[ CA_default ]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Directory and file locations.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+dir = @TLS_CA_DIR@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+certs = $dir
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+crl_dir = $dir
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+new_certs_dir = $dir
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+database = $dir/index.txt
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+serial = $dir/serial
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+RANDFILE = $dir/private/.rand
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The root key and root certificate.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+private_key = $dir/private/ca.key.pem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+certificate = $dir/ca.cert.pem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For certificate revocation lists.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+crlnumber = $dir/crlnumber
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+crl = $dir/ca.crl.pem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+crl_extensions = crl_ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+default_crl_days = 30
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SHA-1 is deprecated, so use SHA-2 instead.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+default_md = sha256
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+name_opt = ca_default
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+cert_opt = ca_default
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+default_days = 375
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+preserve = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+policy = policy_strict
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+[ policy_strict ]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The root CA should only sign intermediate certificates that match.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See the POLICY FORMAT section of `man ca`.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+countryName = match
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+stateOrProvinceName = match
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+organizationName = match
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+organizationalUnitName = optional
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+commonName = supplied
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+emailAddress = optional
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+[ policy_loose ]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Allow the intermediate CA to sign a more diverse range of certificates.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See the POLICY FORMAT section of the `ca` man page.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+countryName = optional
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+stateOrProvinceName = optional
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+localityName = optional
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+organizationName = optional
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+organizationalUnitName = optional
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+commonName = optional
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+emailAddress = optional
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+[ req ]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Options for the `req` tool (`man req`).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+default_bits = 4096
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+distinguished_name = req_distinguished_name
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+string_mask = utf8only
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SHA-1 is deprecated, so use SHA-2 instead.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+default_md = sha256
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Extension to add when the -x509 option is used.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+x509_extensions = v3_ca
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+[ req_distinguished_name ]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+countryName = US
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+stateOrProvinceName = MA
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+localityName = Boston
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+organizationName = MacPorts
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+organizationalUnitName = Change This Surrogate Certificate Chain of Trust
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+commonName = MacPorts CA Root Surrogate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+emailAddress = macports-users@lists.macports.org
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Optionally, specify some defaults.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+countryName_default = US
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+stateOrProvinceName_default = MA
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+localityName_default = Boston
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+organizationName_default = MacPorts
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+organizationalUnitName_default = Change This Surrogate Certificate Chain of Trust
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+commonName_default = MacPorts CA Root Surrogate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+emailAddress_default = macports-users@lists.macports.org
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+[ v3_ca ]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Extensions for a typical CA (`man x509v3_config`).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+subjectKeyIdentifier = hash
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+authorityKeyIdentifier = keyid:always,issuer
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+basicConstraints = critical, CA:true
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+[ v3_intermediate_ca ]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Extensions for a typical intermediate CA (`man x509v3_config`).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+subjectKeyIdentifier = hash
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+authorityKeyIdentifier = keyid:always,issuer
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+basicConstraints = critical, CA:true, pathlen:0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+[ usr_cert ]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Extensions for client certificates (`man x509v3_config`).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+basicConstraints = CA:FALSE
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+nsCertType = client, email
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+nsComment = "OpenSSL Generated Client Certificate"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+subjectKeyIdentifier = hash
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+authorityKeyIdentifier = keyid,issuer
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+extendedKeyUsage = clientAuth, emailProtection
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+[ server_cert ]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Extensions for server certificates (`man x509v3_config`).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+basicConstraints = CA:FALSE
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+nsCertType = server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+nsComment = "OpenSSL Generated Server Certificate"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+subjectKeyIdentifier = hash
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+authorityKeyIdentifier = keyid,issuer:always
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+keyUsage = critical, digitalSignature, keyEncipherment
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+extendedKeyUsage = serverAuth
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+[ crl_ext ]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Extension for CRLs (`man x509v3_config`).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+authorityKeyIdentifier=keyid:always
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+[ ocsp ]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Extension for OCSP signing certificates (`man ocsp`).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+basicConstraints = CA:FALSE
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+subjectKeyIdentifier = hash
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+authorityKeyIdentifier = keyid,issuer
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+keyUsage = critical, digitalSignature
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+extendedKeyUsage = critical, OCSPSigning
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dcc/dcc_conf b/mail/mail-server/files/prefix/etc/dcc/dcc_conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..b40c3eb
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dcc/dcc_conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,161 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#! /bin/sh
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# set parameters for DCC start, stop, and cron scripts
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This file is parsed by /bin/sh, and so parameters must be appropriately quoted
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Start your own comment lines with something other than "#" such as "##"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# so that they will be preserved when installing a new version.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# from Rhyolite Software DCC 1.3.163-1.88 $Revision$
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+DCC_CONF_VERSION=4
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# don't set DCC_HOMEDIR since if we got here, it must be set
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+DCC_LIBEXEC=@PREFIX@/libexec/dcc
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+DCC_RUNDIR=@PREFIX@/var/run/dcc
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# DCC user name
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+DCCUID=_rspamd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+DCCD_ENABLE=off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# DCC server-IDs must be globally unique.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+SRVR_ID=
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# BRAND can be any short alphanumeric string that suggests the identity
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# of the server.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+BRAND=
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# args used to start dccd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+DCCD_ARGS=
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# GREY_CLIENT_ARGS contains "on", "-GnoIP", etc. to turn on greylisting
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# in the dccm and dccifd DCC clients.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Also turns on the local greylist dccd server unless GREY_ENABLE=off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+GREY_CLIENT_ARGS=
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# GREY_ENABLE turns local greylist server 'on' or 'off',
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# but does not effect dccm, dccifd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+GREY_ENABLE=
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# GREY_SRVR_ID DCC server-IDs must be globally unique, but greylisting dccd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# servers are usually isolated. If you have more than one greylist server,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ensure that they use distinct server-IDs and that they flood each other
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# with entries in @PREFIX@/etc/dcc/flod
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+GREY_SRVR_ID=$SRVR_ID
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Start dccd for grey listing or set server options such as -Gweak-IP.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See also GREY_ENABLE.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+GREY_DCCD_ARGS=
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dccm and dccifd client reputation parameters such as -tREP,20
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+REP_ARGS=-tREP,20
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# DNS blacklist -B parameters for dccifd and dccm
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For example, this checks SMTP client IP addresses for any value Spamhaus'
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ZEN. It also looks for for values between 127.0.0.0 and 127.0.0.8 for SMTP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# envelope sender mail_host or mail_host domain names, URLs in mail message
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# bodies, MX servers, DNS (NS) servers.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# It then checks URLs in the message body in Spamhaus' DBL.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# It also whitelists with the "0 = none" values of dnswl.org.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# DNSBL_ARGS="'-Bset:rej-msg=5.7.1 550 %ID %BTYPE https://www.spamhaus.org/query/bl?ip=%BTGT' \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -Bzen.spamhaus.org,127.0.0.0-127.0.0.8 \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -Bset:no-mail_host -Bset:no-URL -Bset:no-NS -Bzen.spamhaus.org \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -Bset:URL -Bset:no-client -Bdbl.spamhaus.org,127.0.1.1-127.0.1.59,name \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -Bset:white -Bset:client -Bset:no-URL -Bset:no-mail_host \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -Bset:no-NS -Bset:no-MX '-Blist.dnswl.org,127.0.0.3&255.255.0.255'"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+DNSBL_ARGS=
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+DCCM_ENABLE=off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# used to start dccm
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# a common value is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# DCCM_ARGS="-SHELO -Smail_host -SSender -SList-ID"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note the use of single quotes in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# DCCM_ARGS="-SHELO '-r5.7.1 550 mail %s from %s rejected with DCC'"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Put greylist parameters in GREY_CLIENT_ARGS but not in DCCM_ARGS.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+DCCM_ARGS="-SHELO -Smail_host -SSender -SList-ID"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The log directories should be cleaned with the @PREFIX@/libexec/dcc/cron-dccd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# nightly cron job. DCCM_LOGDIR can start with D? H? or M? as in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# DCCM_LOGDIR='D?log' See -l in the man page.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Set DCCM_LOGDIR to the empty or null string to disable logging.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+DCCM_LOGDIR="D?log"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+DCCM_WHITECLNT=whiteclnt
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+DCCM_USERDIRS=userdirs
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# set DCCM_LOG_AT to a number that determines "bulk mail" for your situation.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 50 is a typical value.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Leave DCCM_REJECT_AT blank until you are confident that most sources of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# solicited bulk mail have been whitelisted. Then set it to the number
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# that defines "bulk mail" for your site. This rejection or "bulk" threshold
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# does not affect the blacklisting of the DCCM_WHITECLNT whitelist file.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Add '-aIGNORE' to DCCM_ARGS to ignore the bulkiness of mail except to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# add X-DCC headers.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# DCCM_LOG_AT=5
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# DCCM_REJECT_AT=
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+DCCM_LOG_AT=NEVER
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+DCCM_REJECT_AT=MANY
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# override basic list of DCC server checksums controlling rejections or logging
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+DCCM_CKSUMS=
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# additional DCC server checksums worthy of rejections or logging
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+DCCM_XTRA_CKSUMS=
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# DCCIFD_ENABLE=off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+DCCIFD_ENABLE=on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# used to start dccifd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# a common value is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# DCCIFD_ARGS="-SHELO -Smail_host -SSender -SList-ID"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+DCCIFD_ARGS="-SHELO -Smail_host -SSender -SList-ID"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+DCCIFD_LOGDIR="$DCCM_LOGDIR"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+DCCIFD_WHITECLNT="$DCCM_WHITECLNT"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When both dccm and dccifd are used it may be necessary to set
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# DCCIFD_USERDIRS="$DCCM_USERDIRS/local"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+DCCIFD_USERDIRS="$DCCM_USERDIRS"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+DCCIFD_LOG_AT="$DCCM_LOG_AT"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+DCCIFD_REJECT_AT="$DCCM_REJECT_AT"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# override basic list of checksums controlling rejections or logging
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+DCCIFD_CKSUMS="$DCCM_CKSUMS"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# additional DCC server checksums worthy of rejections or logging
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+DCCIFD_XTRA_CKSUMS="$DCCM_XTRA_CKSUMS"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# days to keep files in DCC log directories
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+DBCLEAN_LOGDAYS=14
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# used to start dbclean, including -H, -u, -e, and -E
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+DBCLEAN_ARGS=
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# optionally set to something like "local5" or "local5.notice" for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dccd, dbclean, dccifd, and dccm. The defaults are equivalent to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# DCC_INFO_LOG_FACILITY=MAIL.NOTICE and DCC_ERROR_LOG_FACILITY=MAIL.ERR
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+DCC_INFO_LOG_FACILITY=
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+DCC_ERROR_LOG_FACILITY=
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ensure that the log facilities include levels and that $DCC_LOGGER
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# has a default.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+if test -n "$DCC_INFO_LOG_FACILITY"; then
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if expr "X$DCC_INFO_LOG_FACILITY" : 'X.*\..*' >/dev/null; then
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ :
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ DCC_INFO_LOG_FACILITY="$DCC_INFO_LOG_FACILITY.notice"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fi
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ DCC_LOG_ARGS="$DCC_LOG_ARGS -Linfo,$DCC_INFO_LOG_FACILITY"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+fi
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+if test -z "$DCC_ERROR_LOG_FACILITY"; then
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # for $DCC_LOGGER
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ DCC_ERROR_LOG_FACILITY=mail.err
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if expr "X$DCC_ERROR_LOG_FACILITY" : 'X.*\..*' >/dev/null; then
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ :
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ DCC_ERROR_LOG_FACILITY="$DCC_ERROR_LOG_FACILITY.err"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fi
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ DCC_LOG_ARGS="$DCC_LOG_ARGS -Lerror,$DCC_ERROR_LOG_FACILITY"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+fi
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+DCC_LOGGER="logger -s -p ${DCC_ERROR_LOG_FACILITY-mail.err} -t ${LOGGER_TAG-DCC}"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# capture ./configure values for make-dcc_conf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Configure_DCC_LIBEXEC=@PREFIX@/libexec/dcc
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Configure_DCC_RUNDIR=@PREFIX@/var/run/dcc
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Configure_DCCUID=_rspamd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Configure_DCC_LOGGER="logger -s -p ${DCC_ERROR_LOG_FACILITY-mail.err} -t ${LOGGER_TAG-DCC}"
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/.turd_dovecot2 b/mail/mail-server/files/prefix/etc/dovecot/.turd_dovecot2
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..e69de29
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/README b/mail/mail-server/files/prefix/etc/dovecot/README
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..ba8fac4
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/README
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,2 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Configuration files go to this directory. See example configuration files in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@PREFIX@/share/doc/dovecot/example-config/
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/conf.d/10-auth.conf b/mail/mail-server/files/prefix/etc/dovecot/conf.d/10-auth.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..72cedf2
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/conf.d/10-auth.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,176 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Authentication processes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Version 2.2.x (AR14759611)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# --------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# *** Please read this section before modifying this file ***
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Several of the keys and values within this file are modified by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Apple's Server Admin application. Each key that is automatically
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# modified by the Server Admin app is identified with a comment
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# preceding the key with this note:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This key is managed by Server Admin. See above before making changes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# --------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Disable LOGIN command and all other plaintext authentications unless
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# matches the local IP (ie. you're connecting from the same computer), the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connection is considered secure and plaintext authentication is allowed.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See also ssl=required setting.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+disable_plaintext_auth = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# bsdauth, PAM and vpopmail require cache_key to be set for caching to be used.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+auth_cache_size = 10M
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Time to live for cached data. After TTL expires the cached record is no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# longer used, *except* if the main database lookup returns internal failure.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# We also try to handle password changes automatically: If user's previous
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# authentication was successful, but this one wasn't, the cache isn't used.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For now this works only with plaintext authentication.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+auth_cache_ttl = 1 hour
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TTL for negative hits (user not found, password mismatch).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 0 disables caching them completely.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+auth_cache_negative_ttl = 1 hour
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Space separated list of realms for SASL authentication mechanisms that need
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# them. You can leave it empty if you don't want to support multiple realms.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Many clients simply use the first one listed here, so keep the default realm
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# first.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This key is managed by Server Admin. See above before making changes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+auth_realms = @host@.@domain@.@tld@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default realm/domain to use if none was specified. This is used for both
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SASL realms and appending @domain to username in plaintext logins.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_default_realm =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# List of allowed characters in username. If the user-given username contains
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# a character not listed in here, the login automatically fails. This is just
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# an extra check to make sure user can't exploit any potential quote escaping
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# vulnerabilities with SQL/LDAP databases. If you want to allow all characters,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# set this value to empty.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Username character translations before it's looked up from databases. The
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# value contains series of from -> to characters. For example "#@/@" means
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# that '#' and '/' characters are translated to '@'.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_username_translation =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Username formatting before it's looked up from databases. You can use
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the standard variables here, eg. %Lu would lowercase the username, %n would
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# drop away the domain if it was given, or "%n-AT-%d" would change the '@' into
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "-AT-". This translation is done after auth_username_translation changes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+auth_username_format = %Ln
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you want to allow master users to log in by specifying the master
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# username within the normal username string (ie. not using SASL mechanism's
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# support for it), you can specify the separator character here. The format
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# is then <username><separator><master username>. UW-IMAP uses "*" as the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# separator, so that could be a good choice.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_master_user_separator =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Username to use for users logging in with ANONYMOUS SASL mechanism
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_anonymous_username = anonymous
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Maximum number of dovecot-auth worker processes. They're used to execute
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# blocking passdb and userdb queries (eg. MySQL and PAM). They're
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# automatically created and destroyed as needed.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_worker_max_count = 30
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Host name to use in GSSAPI principal names. The default is to use the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# entries.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This key is managed by Server Admin. See above before making changes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+auth_gssapi_hostname = "$ALL"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Kerberos keytab to use for the GSSAPI mechanism. Will use the system
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# default (usually /etc/krb5.keytab) if not specified. You may need to change
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the auth service to run as root to be able to read this file.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_krb5_keytab = @PREFIX@/etc/dovecot/dovecot.keytab
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_use_winbind = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Path for Samba's ntlm_auth helper binary.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_winbind_helper_path = /usr/bin/ntlm_auth
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Time to delay before replying to failed authentications.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_failure_delay = 2 secs
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Require a valid SSL client certificate or the authentication fails.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This key is managed by Server Admin. See above before making changes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_ssl_require_client_cert = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Take the username from client's SSL certificate, using
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# X509_NAME_get_text_by_NID() which returns the subject's DN's
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# CommonName.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This key is managed by Server Admin. See above before making changes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_ssl_username_from_cert = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Space separated list of wanted authentication mechanisms:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# gss-spnego
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NOTE: See also disable_plaintext_auth setting.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server v.5.7 configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# auth_mechanisms = cram-md5 plain login apop digest-md5 gssapi
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# plain username/password auth - OK since everything is over TLS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+auth_mechanisms = plain gssapi
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# disable_plaintext_auth = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+auth_krb5_keytab = @PREFIX@/etc/dovecot/imap.keytab
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Password and user databases
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Password database is used to verify user's password (and nothing more).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# You can have multiple passdbs and userdbs. This is useful if you want to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# allow both system users (/etc/passwd) and virtual users to login without
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# duplicating the system users into virtual database.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# <doc/wiki/PasswordDatabase.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# User database specifies where mails are located and what user/group IDs
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# own them. For single-UID configuration use "static" userdb.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# <doc/wiki/UserDatabase.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#!include auth-deny.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#!include auth-master.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#!include auth-system.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#!include auth-sql.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#!include auth-ldap.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+!include auth-od.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#!include auth-submit.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#!include auth-passwdfile.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#!include auth-checkpassword.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#!include auth-vpopmail.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#!include auth-static.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#####################################################################
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# c0ffee.net
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache all authentication results for one hour
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_cache_size = 10M
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_cache_ttl = 1 hour
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_cache_negative_ttl = 1 hour
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# only use plain username/password auth - OK since everything is over TLS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_mechanisms = plain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# passdb specifies how users are authenticated - LDAP in my case
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#passdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# driver = ldap
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# args = /usr/local/etc/dovecot/ldap.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# userdb specifies the location of users' "home" directories - where their
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mail is stored. e.g. /var/mail/vhosts/exmaple.com/user
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %d = domain, %n = user
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#userdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# driver = static
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/conf.d/10-logging.conf b/mail/mail-server/files/prefix/etc/dovecot/conf.d/10-logging.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..7d114b6
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/conf.d/10-logging.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,101 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Log destination.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Version 2.2.x (AR14759611)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# --------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# *** Please read this section before modifying this file ***
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Several of the keys and values within this file are modified by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Apple's Server Admin application. Each key that is automatically
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# modified by the Server Admin app is identified with a comment
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# preceding the key with this note:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This key is managed by Server Admin. See above before making changes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# --------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Log file to use for error messages. "syslog" logs to syslog,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# /dev/stderr logs to stderr.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+log_path = @PREFIX@/var/log/mail/mail-err.log
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Log file to use for informational messages. Defaults to log_path.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+info_log_path = @PREFIX@/var/log/mail/mail-info.log
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Log file to use for debug messages. Defaults to info_log_path.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+debug_log_path = @PREFIX@/var/log/mail/mail-debug.log
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Syslog facility to use if you're logging to syslog. Usually if you don't
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# want to use "mail", you'll use local0..local7. Also other standard
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# facilities are supported.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# syslog_facility = local6
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Logging verbosity and debugging.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Log unsuccessful authentication attempts and the reasons why they failed.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_verbose = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# In case of password mismatches, log the attempted password. Valid values are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# no, plain and sha1. sha1 can be useful for detecting brute force password
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# attempts vs. user simply trying the same password over and over again.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_verbose_passwords = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Even more verbose logging for debugging purposes. Shows for example SQL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# queries.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_debug = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# In case of password mismatches, log the passwords and used scheme so the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# problem can be debugged. Enabling this also enables auth_debug.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_debug_passwords = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Enable mail process debugging. This can help you figure out why Dovecot
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# isn't finding your mails.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_debug = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Show protocol level SSL errors.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#verbose_ssl = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mail_log plugin provides more event logging for mail processes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+plugin {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Events to log. Also available: flag_change append
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Available fields: uid, box, msgid, from, subject, size, vsize, flags
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # size and vsize are available only for expunge and copy events.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #mail_log_fields = uid box msgid size
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ mail_log_fields = uid box msgid from subject size flags
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Log formatting.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Prefix for each line written to log file. % codes are in strftime(3)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# format.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#log_timestamp = "%b %d %H:%M:%S "
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Space-separated list of elements we want to log. The elements which have
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# a non-empty variable value are joined together to form a comma-separated
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# string.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Login log format. %$ contains login_log_format_elements string, %s contains
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the data we want to log.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#login_log_format = %$: %s
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Log prefix for mail processes. See doc/wiki/Variables.txt for list of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# possible variables you can use.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+mail_log_prefix = "%s(pid %p user %u): "
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Format to use for logging mail deliveries. You can use variables:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %$ - Delivery status message (e.g. "saved to INBOX")
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %m - Message-ID
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %s - Subject
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %f - From address
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %p - Physical size
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %w - Virtual size
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#deliver_log_format = msgid=%m: %$
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+deliver_log_format = msgid=%m: %$
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/conf.d/10-mail.conf b/mail/mail-server/files/prefix/etc/dovecot/conf.d/10-mail.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..2185aff
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/conf.d/10-mail.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,459 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Mailbox locations and namespaces
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Version 2.2.x (AR14759611)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# --------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# *** Please read this section before modifying this file ***
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Several of the keys and values within this file are modified by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Apple's Server Admin application. Each key that is automatically
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# modified by the Server Admin app is identified with a comment
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# preceding the key with this note:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This key is managed by Server Admin. See above before making changes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# --------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Location for users' mailboxes. The default is empty, which means that Dovecot
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tries to find the mailboxes automatically. This won't work if the user
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# doesn't yet have any mail, so you should explicitly tell Dovecot the full
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# location.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you're using mbox, giving a path to the INBOX file (eg. /var/mail/%u)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# isn't enough. You'll also need to tell Dovecot where the other mailboxes are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# kept. This is called the "root mail directory", and it must be the first
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# path given in the mail_location setting.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# There are a few special variables you can use, eg.:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %u - username
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %n - user part in user@domain, same as %u if there's no domain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %d - domain part in user@domain, empty if there's no domain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %h - home directory
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See doc/wiki/Variables.txt for full list. Some examples:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mail_location = maildir:~/Maildir
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mail_location = mbox:~/mail:INBOX=/var/mail/%u
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# <doc/wiki/MailLocation.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Create the mail_home
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo mkdir /private/var/mail/@tld@.@domain@.mail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo chgrp staff /private/var/mail/@tld@.@domain@.mail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo chmod 0770 /private/var/mail/@tld@.@domain@.mail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# default home directory location for all users
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+mail_home = /private/var/mail/@tld@.@domain@.mail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server v.5.7 configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_location =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This key is managed by Server Admin. See above before making changes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mail_location = maildir:/Library/Server/Mail/Data/mail/%u
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# I use mdbox - this is Dovecot's own high-performance mail store format.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# There are other slower, more "traditional" formats you can choose from.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Read about them here: https://wiki2.dovecot.org/MailboxFormat
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+mail_location = mdbox:/private/var/mail/@tld@.@domain@.mail/%Ln/mdbox
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you need to set multiple mailbox locations or want to change default
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# namespace settings, you can do it by defining namespace sections.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# You can have private, shared and public namespaces. Private namespaces
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# are for user's personal mails. Shared namespaces are for accessing other
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# users' mailboxes that have been shared. Public namespaces are for shared
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mailboxes that are managed by sysadmin. If you create any shared or public
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# namespaces you'll typically want to enable ACL plugin also, otherwise all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# users can access all the shared mailboxes, assuming they have permissions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# on filesystem level to do so.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+namespace inbox {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# nothing fancy - just a standard default namespace with '.' as the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# hierarchy separator
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Namespace type: private, shared or public
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#type = private
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Hierarchy separator to use. You should use the same separator for all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# namespaces or some clients get confused. '/' is usually a good one.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The default however depends on the underlying mail storage format.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+separator = /
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Prefix required to access this namespace. This needs to be different for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# all namespaces. For example "Public/".
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#prefix =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Physical location of the mailbox. This is in same format as
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mail_location, which is also the default for it.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#location =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# There can be only one INBOX, and this setting defines which namespace
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# has it.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+inbox = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If namespace is hidden, it's not advertised to clients via NAMESPACE
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# extension. You'll most likely also want to set list=no. This is mostly
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# useful when converting from another server with different namespaces which
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# you want to deprecate but still keep working. For example you can create
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# hidden namespaces with prefixes "~/mail/", "~%u/mail/" and "mail/".
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#hidden = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Show the mailboxes under this namespace with LIST command. This makes the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# namespace visible for clients that don't support NAMESPACE extension.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "children" value lists child mailboxes, but hides the namespace prefix.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#list = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Namespace handles its own subscriptions. If set to "no", the parent
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# namespace handles them (empty prefix should always have this as "yes")
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#subscriptions = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS v.5.7 configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # shared namespace configuration
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# namespace acl-mailboxes {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# type = shared
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# separator = .
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# prefix = shared.%%u.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #location = maildir:/Library/Server/Mail/Data/mail/%%u:INDEX=/Library/Server/Mail/Data/mail/%%u/shared
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# location = maildir:/Library/Server/Mail/Data/mail/users/%%u:INDEX=/Library/Server/Mail/Data/mail/shared/%%u
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# subscriptions = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# list = children
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# shared namespace configuration
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# namespace list-archives {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# type = shared
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# separator = .
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# prefix = archives.%%u.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# location = maildir:/Library/Server/Mail/Data/listserver/messages/archive/lists/%%u:INDEX=/Library/Server/Mail/Data/listserver/messages/archive/shared/%%u
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# subscriptions = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# list = children
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Example shared namespace configuration
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#namespace {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#type = shared
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#separator = .
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Mailboxes are visible under "shared/user@domain/"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %%n, %%d and %%u are expanded to the destination user.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#prefix = shared.%%u.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Mail location for other users' mailboxes. Note that %variables and ~/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# expands to the logged in user's data. %%n, %%d, %%u and %%h expand to the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# destination user's data.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#location = maildir:/Library/Server/Mail/Data/mail/users/%%u
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Use the default namespace for saving subscriptions.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#subscriptions = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# List the shared/ namespace only if there are visible shared mailboxes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#list = children
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Should shared INBOX be visible as "shared/user" or "shared/user/INBOX"?
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_shared_explicit_inbox = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# System user and group used to access mails. If you use multiple, userdb
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# can override these by returning uid or gid fields. You can use either numbers
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# or names. <doc/wiki/UserIds.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+mail_uid = _dovecot
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+mail_gid = mail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# set this to the group that owns your mail directory.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+mail_privileged_group = mail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Group to enable temporarily for privileged operations. Currently this is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# used only with INBOX when either its initial creation or dotlocking fails.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Typically this is set to "mail" to give access to /var/mail.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_privileged_group =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Grant access to these supplementary groups for mail processes. Typically
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# these are used to set up access to shared mailboxes. Note that it may be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dangerous to set these if users can create symlinks (e.g. if "mail" group is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# set here, ln -s /var/mail ~/mail/var could allow a user to delete others'
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mailboxes, or ln -s /secret/shared/box ~/mail/mybox would allow reading it).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+mail_access_groups = mail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Allow full filesystem access to clients. There's no access checks other than
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# what the operating system does for the active UID/GID. It works with both
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# maildir and mboxes, allowing you to prefix mailboxes names with eg. /path/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# or ~user/.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_full_filesystem_access = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Dictionary for key=value mailbox attributes. Currently used by URLAUTH, but
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# soon intended to be used by METADATA as well.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_attribute_dict = file:/Library/Server/Mail/Data/attributes/attributes.dict
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Mail processes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Don't use mmap() at all. This is required if you store indexes to shared
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# filesystems (NFS or clustered filesystem).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mmap_disable = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Rely on O_EXCL to work when creating dotlock files. NFS supports O_EXCL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# since version 3, so this should be safe to use nowadays by default.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#dotlock_use_excl = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When to use fsync() or fdatasync() calls:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# optimized (default): Whenever necessary to avoid losing important data
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# always: Useful with e.g. NFS when write()s are delayed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# never: Never use it (best performance, but crashes can lose data)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_fsync = optimized
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Mail storage exists in NFS. Set this to yes to make Dovecot flush NFS caches
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# whenever needed. If you're using only a single mail server this isn't needed.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_nfs_storage = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Mail index files also exist in NFS. Setting this to yes requires
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mmap_disable=yes and fsync_disable=no.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_nfs_index = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Locking method for index files. Alternatives are fcntl, flock and dotlock.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Dotlocking uses some tricks which may create more disk I/O than other locking
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# methods. NFS users: flock doesn't work, remember to change mmap_disable.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#lock_method = fcntl
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Directory in which LDA/LMTP temporarily stores incoming mails >128 kB.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_temp_dir = /tmp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Valid UID range for users, defaults to 500 and above. This is mostly
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to make sure that users can't log in as daemons or other system users.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note that denying root logins is hardcoded to dovecot binary and can't
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# be done even if first_valid_uid is set to 0.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+first_valid_uid = 6
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+last_valid_uid = 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Valid GID range for users, defaults to non-root/wheel. Users having
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# non-valid GID as primary group ID aren't allowed to log in. If user
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# belongs to supplementary groups with non-valid GIDs, those groups are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# not set.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS: `last_valid_gid = 100` to avoid the error
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# imap: Fatal: setgroups(501) failed: Too many extra groups
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# https://www.systemcodegeeks.com/mac-os/macos-dovecot-setgroups-failed/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+first_valid_gid = 6
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+last_valid_gid = 100
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Maximum allowed length for mail keyword name. It's only forced when trying
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to create new keywords.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_max_keyword_length = 50
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ':' separated list of directories under which chrooting is allowed for mail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# processes (ie. /var/mail will allow chrooting to /var/mail/foo/bar too).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This setting doesn't affect login_chroot, mail_chroot or auth chroot
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# settings. If this setting is empty, "/./" in home dirs are ignored.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# WARNING: Never add directories here which local users can modify, that
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# may lead to root exploit. Usually this should be done only if you don't
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# allow shell access for users. <doc/wiki/Chrooting.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#valid_chroot_dirs =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default chroot directory for mail processes. This can be overridden for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# specific users in user database by giving /./ in user's home directory
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (eg. /home/./user chroots into /home). Note that usually there is no real
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# need to do chrooting, Dovecot doesn't allow users to access files outside
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# their mail directory anyway. If your home directories are prefixed with
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the chroot directory, append "/." to mail_chroot. <doc/wiki/Chrooting.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_chroot =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (APPLE) Disconnect clients when they send too many bad commands in a row.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_max_bad_commands = 20
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# UNIX socket path to master authentication server to find users.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This is used by imap (for shared users) and lda.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+auth_socket_path = @PREFIX@/var/run/dovecot/auth-userdb
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Directory where to look up mail plugins.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_plugin_dir = /usr/lib/dovecot
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Space separated list of plugins to load for all services. Plugins specific to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# IMAP, LDA, etc. are added to this list in their own .conf files.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (APPLE) added fts_sk
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server v.5.7 configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mail_plugins = quota zlib acl fts fts_sk
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+mail_plugins = quota zlib acl
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Solr install:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo port install apache-solr8
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Solr dovecot configuration
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo -u solr solr8 start
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo -u solr @PREFIX@/bin/solr8 create -c dovecot -n dovecot
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo -u solr solr8 stop -p 8983
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# wget -O solrconfig.xml https://github.com/dovecot/core/raw/master/doc/solr-config-7.7.0.xml
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Edit in the latest Lucene; see lucene-spec at http://localhost:8983/solr
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sed -E -i '' -e 's|(<luceneMatchVersion>)[[:digit:]]\.[[:digit:]]\.[[:digit:]](</luceneMatchVersion>)|\18.0.0\2|' solrconfig.xml
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## See Tips at https://wiki.dovecot.org/Plugins/FTS/Solr
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sed -E -i '' -e 's|<str name="df">|<str name="hdr">|' solrconfig.xml
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# wget -O schema.xml https://github.com/dovecot/core/raw/master/doc/solr-schema-7.7.0.xml
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo -u solr -g solr install -m 0644 -b -B .orig solrconfig.xml @PREFIX@/var/solr/dovecot/conf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo -u solr -g solr install -m 0644 -b -B .orig schema.xml @PREFIX@/var/solr/dovecot/conf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo mv @PREFIX@/var/solr/dovecot/conf/managed-schema @PREFIX@/var/solr/dovecot/conf/managed-schema.orig
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo -u solr -g solr solr8 start -p 8984
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# we'll uncomment this after we set up Solr in the following section:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+mail_plugins = $mail_plugins fts fts_solr fts_lucene
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Mailbox handling optimizations
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Mailbox list indexes can be used to optimize IMAP STATUS commands. They are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# also required for IMAP NOTIFY extension to be enabled.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mailbox_list_index = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The minimum number of mails in a mailbox before updates are done to cache
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# file. This allows optimizing Dovecot's behavior to do less disk writes at
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the cost of more disk reads.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_cache_min_mail_count = 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When IDLE command is running, mailbox is checked once in a while to see if
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# there are any new mails or other changes. This setting defines the minimum
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# time to wait between those checks. Dovecot can also use dnotify, inotify and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# kqueue to find out immediately when changes occur.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mailbox_idle_check_interval = 30 secs
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Save mails with CR+LF instead of plain LF. This makes sending those mails
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# take less CPU, especially with sendfile() syscall with Linux and FreeBSD.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# But it also creates a bit more disk I/O which may just make it slower.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Also note that if other software reads the mboxes/maildirs, they may handle
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the extra CRs wrong and cause problems.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_save_crlf = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Max number of mails to keep open and prefetch to memory. This only works with
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# some mailbox formats and/or operating systems.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_prefetch_count = 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# How often to scan for stale temporary files and delete them (0 = never).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# These should exist only after Dovecot dies in the middle of saving mails.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_temp_scan_interval = 1w
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Maildir-specific settings
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# By default LIST command returns all entries in maildir beginning with a dot.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Enabling this option makes Dovecot return only entries which are directories.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This is done by stat()ing each entry, so it causes more disk I/O.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (For systems setting struct dirent->d_type, this check is free and it's
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# done always regardless of this setting)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#maildir_stat_dirs = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When copying a message, do it with hard links whenever possible. This makes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the performance much better, and it's unlikely to have any side effects.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#maildir_copy_with_hardlinks = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Assume Dovecot is the only MUA accessing Maildir: Scan cur/ directory only
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# when its mtime changes unexpectedly or when we can't find the mail otherwise.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#maildir_very_dirty_syncs = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If enabled, Dovecot doesn't use the S=<size> in the Maildir filenames for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# getting the mail's physical size, except when recalculating Maildir++ quota.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This can be useful in systems where a lot of the Maildir filenames have a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# broken size. The performance hit for enabling this is very small.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#maildir_broken_filename_sizes = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## mbox-specific settings
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Which locking methods to use for locking mbox. There are four available:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dotlock: Create <mailbox>.lock file. This is the oldest and most NFS-safe
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# solution. If you want to use /var/mail/ like directory, the users
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# will need write access to that directory.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dotlock_try: Same as dotlock, but if it fails because of permissions or
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# because there isn't enough disk space, just skip it.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# fcntl : Use this if possible. Works with NFS too if lockd is used.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# flock : May not exist in all systems. Doesn't work with NFS.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# lockf : May not exist in all systems. Doesn't work with NFS.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# You can use multiple locking methods; if you do the order they're declared
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# in is important to avoid deadlocks if other MTAs/MUAs are using multiple
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# locking methods as well. Some operating systems don't allow using some of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# them simultaneously.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mbox_read_locks = fcntl
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mbox_write_locks = dotlock fcntl
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Maximum time to wait for lock (all of them) before aborting.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mbox_lock_timeout = 5 mins
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If dotlock exists but the mailbox isn't modified in any way, override the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# lock file after this much time.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mbox_dotlock_change_timeout = 2 mins
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When mbox changes unexpectedly we have to fully read it to find out what
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# changed. If the mbox is large this can take a long time. Since the change
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# is usually just a newly appended mail, it'd be faster to simply read the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# new mails. If this setting is enabled, Dovecot does this but still safely
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# fallbacks to re-reading the whole mbox file whenever something in mbox isn't
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# how it's expected to be. The only real downside to this setting is that if
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# some other MUA changes message flags, Dovecot doesn't notice it immediately.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note that a full sync is done with SELECT, EXAMINE, EXPUNGE and CHECK
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# commands.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mbox_dirty_syncs = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Like mbox_dirty_syncs, but don't do full syncs even with SELECT, EXAMINE,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# EXPUNGE or CHECK commands. If this is set, mbox_dirty_syncs is ignored.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mbox_very_dirty_syncs = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Delay writing mbox headers until doing a full write sync (EXPUNGE and CHECK
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# commands and when closing the mailbox). This is especially useful for POP3
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# where clients often delete all mails. The downside is that our changes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# aren't immediately visible to other MUAs.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mbox_lazy_writes = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If mbox size is smaller than this (e.g. 100k), don't write index files.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If an index file already exists it's still read, just not updated.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mbox_min_index_size = 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Mail header selection algorithm to use for MD5 POP3 UIDLs when
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# pop3_uidl_format=%m. For backwards compatibility we use apop3d inspired
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# algorithm, but it fails if the first Received: header isn't unique in all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mails. An alternative algorithm is "all" that selects all headers.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mbox_md5 = apop3d
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## mdbox-specific settings
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Maximum dbox file size until it's rotated.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+mdbox_rotate_size = 200M
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Maximum dbox file age until it's rotated. Typically in days. Day begins
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# from midnight, so 1d = today, 2d = yesterday, etc. 0 = check disabled.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+mdbox_rotate_interval = 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When creating new mdbox files, immediately preallocate their size to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mdbox_rotate_size. This setting currently works only in Linux with some
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# filesystems (ext4, xfs).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mdbox_preallocate_space = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Mail attachments
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sdbox and mdbox support saving mail attachments to external files, which
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# also allows single instance storage for them. Other backends don't support
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# this for now.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Directory root where to store mail attachments. Disabled, if empty.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_attachment_dir =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+mail_attachment_dir = /private/var/mail/@tld@.@domain@.mail/attachments
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Attachments smaller than this aren't saved externally. It's also possible to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# write a plugin to disable saving specific attachments externally.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_attachment_min_size = 128k
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Filesystem backend to use for saving attachments:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# posix : No SiS done by Dovecot (but this might help FS's own deduplication)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sis posix : SiS with immediate byte-by-byte comparison during saving
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sis-queue posix : SiS with delayed comparison and deduplication
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+mail_attachment_fs = sis posix:mode=0666
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Hash format to use in attachment filenames. You can add any text and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# variables: %{md4}, %{md5}, %{sha1}, %{sha256}, %{sha512}, %{size}.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Variables can be truncated, e.g. %{sha256:80} returns only first 80 bits
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_attachment_hash = %{sha1}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/conf.d/10-master.conf b/mail/mail-server/files/prefix/etc/dovecot/conf.d/10-master.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..e1b8f75
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/conf.d/10-master.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,203 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Master config settings
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Version 2.2.x (AR14759611)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# --------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# *** Please read this section before modifying this file ***
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Several of the keys and values within this file are modified by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Apple's Server Admin application. Each key that is automatically
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# modified by the Server Admin app is identified with a comment
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# preceding the key with this note:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This key is managed by Server Admin. See above before making changes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# --------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#default_process_limit = 100
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#default_client_limit = 1000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default VSZ (virtual memory size) limit for service processes. This is mainly
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# intended to catch and kill processes that leak memory before they eat up
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# everything.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#default_vsz_limit = 256M
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Login user is internally used by login processes. This is the most untrusted
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# user in Dovecot system. It shouldn't have access to anything at all.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+default_login_user = _dovenull
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Internal user is used by unprivileged processes. It should be separate from
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# login user, so that login processes can't disturb other processes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+default_internal_user = _dovecot
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+default_internal_group = _dovenull
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+service imap-login {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # plain-text IMAP should only be accessible from localhost
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ inet_listener imap {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ address = 127.0.0.1, ::1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ port = 143
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ inet_listener imaps {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ port = 993
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssl = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ## enable high-performance mode, described here:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ## https://wiki.dovecot.org/LoginProcess
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Number of connections to handle before starting a new process. Typically
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # is faster. <doc/wiki/LoginProcess.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ service_count = 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # set to the number of CPU cores on your server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ process_min_avail = 6
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # If you set service_count=0, you probably need to grow this.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #vsz_limit = $default_vsz_limit
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ vsz_limit = 2G
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server v.5.7 configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# service pop3-login {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# inet_listener pop3 {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# port = 110
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# inet_listener pop3s {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# port = 995
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ssl = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# expose an LMTP socket for postfix to deliver mail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+service lmtp {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ unix_listener @PREFIX@/var/spool/postfix/private/dovecot-lmtp {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ mode = 0660
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ user = _postfix
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ group = mail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Create inet listener only if you can't use the above UNIX socket
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #inet_listener lmtp {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Avoid making LMTP visible for the entire internet
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #address =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #port =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+service imap {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Most of the memory goes to mmap()ing files. You may need to increase this
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # limit if you have huge mailboxes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #vsz_limit = $default_vsz_limit
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Max. number of IMAP processes (connections)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ process_limit = 200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # set to the number of CPU cores on your server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ process_min_avail = 6
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# *Note*: Do *not* set `client_limit` or `service_count` on multi-user server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Results in imap userdb Fatal setuid errors
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See: https://dovecot.org/pipermail/dovecot/2019-May/116014.html
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server v.5.7 configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# service pop3 {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # Max. number of POP3 processes (connections)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# process_limit = 200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# client_limit = 5
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# service_count = 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# expose an auth socket for postfix to authenticate users
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+service auth {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # macOS Server v.5.7 configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # auth_socket_path points to this userdb socket by default. It's typically
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # full permissions to this socket are able to get a list of all usernames and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # get the results of everyone's userdb lookups.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # The default 0666 mode allows anyone to connect to the socket, but the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # userdb lookups will succeed only if the userdb returns an "uid" field that
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # matches the caller process's UID. Also if caller's uid or gid matches the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # socket's uid or gid the lookup succeeds. Anything else causes a failure.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # To give the caller full permissions to lookup all users, set the mode to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # something else than 0666 and Dovecot lets the kernel enforce the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # permissions (e.g. 0777 allows everyone full permissions).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # unix_listener auth-userdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # #mode = 0600
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # user = _dovecot
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # #group = mail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Postfix smtp-auth
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ unix_listener @PREFIX@/var/spool/postfix/private/auth {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ mode = 0660
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #mode = 0777
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ user = _postfix
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ group = mail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Auth process is run as this user.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #user = $default_internal_user
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # APPLE - keep auth alive for a while for the cache
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ idle_kill = 15m
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Allow access to keytab
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ extra_groups = _keytabusers
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# test: run as root:mail to determine if setuid issues solved
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+service auth-worker {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Auth worker process is run as root by default, so that it can access
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # /etc/shadow. If this isn't necessary, the user should be changed to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # $default_internal_user.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # user = $default_internal_user
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ user = root
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ group = mail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server v.5.7 configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# service auth-worker {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # Auth worker process is run as root by default, so that it can access
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # /etc/shadow. If this isn't necessary, the user should be changed to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # $default_internal_user.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #user = root
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server v.5.7 configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# service dict {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # If dict proxy is used, mail processes should have access to its socket.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # For example: mode=0660, group=vmail and global mail_access_groups=vmail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# unix_listener dict {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #mode = 0600
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #user =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #group =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server v.5.7 configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+service dns_client {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ unix_listener dns-client {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ mode = 0600
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server v.5.7 configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # for stats plugin, if enabled
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# service stats {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# fifo_listener stats-mail {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# user = _dovecot
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mode = 0600
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# To reduce indexer-workers' CPU and disk I/O load, change process_limit.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+service indexer-worker {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # necessary default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # user = root
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # user = _dovecot
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # process_limit = 10
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/conf.d/10-ssl.conf b/mail/mail-server/files/prefix/etc/dovecot/conf.d/10-ssl.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..12c46b4
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/conf.d/10-ssl.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,106 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## SSL settings
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Version 2.2.x (AR14759611)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# --------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# *** Please read this section before modifying this file ***
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Several of the keys and values within this file are modified by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Apple's Server Admin application. Each key that is automatically
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# modified by the Server Admin app is identified with a comment
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# preceding the key with this note:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This key is managed by Server Admin. See above before making changes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# --------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This key is managed by Server Admin. See above before making changes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ssl = required
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dropping root privileges, so keep the key file unreadable by anyone but
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# root. Included doc/mkcert.sh can be used to easily generate self-signed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# certificate, just make sure to update the domains in dovecot-openssl.cnf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This key is managed by Server Admin. See above before making changes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ssl_cert = <@PREFIX@/etc/certificates/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.cert.pem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dropping root privileges, so keep the key file unreadable by anyone but
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# root. Included doc/mkcert.sh can be used to easily generate self-signed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# certificate, just make sure to update the domains in dovecot-openssl.cnf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This key is managed by Server Admin. See above before making changes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ssl_key = <@PREFIX@/etc/certificates/private/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.key.pem.decrypted
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server v.5.8 encrypts the .key.pem files. The passwords are in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Keychain Access.app under the cert's SHA-1 as the Account. Save this
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# password securely for dovecot:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo mkdir /etc/certificates/private
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo chmod 700 /etc/certificates/private
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo mv @host@.@domain@.@tld@.@CERTIFICATE_SHA1@.key.pem.passphrase /etc/certificates/private
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo chmod -R go-rwx /etc/certificates/private
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# `ssl_key_password` wasn't working on my install, so put the decrypted key in /etc/certificates/private
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo openssl rsa -in /etc/certificates/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.key.pem -out /etc/certificates/private/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.key.pem.decrypted
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo chmod -R go-rwx /etc/certificates/private
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If key file is password protected, give the password here. Alternatively
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# give it when starting dovecot with -p parameter. Since this file is often
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# world-readable, you may want to place this setting instead to a different
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# root owned 0600 file by using ssl_key_password = <path.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#ssl_key_password = <@PREFIX@/etc/certificates/private/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.key.pem.passphrase
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# PEM encoded trusted certificate authority. Set this only if you intend to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# use ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This key is managed by Server Admin. See above before making changes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ssl_ca = <@PREFIX@/etc/certificates/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.chain.pem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Require that CRL check succeeds for client certificates.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#ssl_require_crl = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Directory and/or file for trusted SSL CA certificates. These are used only
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# when Dovecot needs to act as an SSL client (e.g. imapc backend). The
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# directory is usually /etc/ssl/certs in Debian-based systems and the file is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# /etc/pki/tls/cert.pem in RedHat-based systems.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#ssl_client_ca_dir =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#ssl_client_ca_file =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Request client to send a certificate. If you also want to require it, set
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# auth_ssl_require_client_cert=yes in auth section.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This key is managed by Server Admin. See above before making changes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#ssl_verify_client_cert = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Which field from certificate to use for username. commonName and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# x500UniqueIdentifier are the usual choices. You'll also need to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# set auth_ssl_username_from_cert=yes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#ssl_cert_username_field = commonName
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# How often to regenerate the SSL parameters file. Generation is quite CPU
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# intensive operation. The value is in hours, 0 disables regeneration
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# entirely.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#ssl_parameters_regenerate = 168
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Diffie-Hellman is necessary for the modern crypto settings
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo openssl dhparam -out @PREFIX@/etc/dovecot/dh4096.pem 4096
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#ssl_dh = <@PREFIX@/etc/dovecot/dh4096.pem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# create a shorter, faster DH parameter file for the default installation
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ssl_dh = <@PREFIX@/etc/dovecot/dh2048.pem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SSL protocols to use
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server v.5.7 configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ssl_protocols = !SSLv2 !SSLv3
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SSL ciphers to use
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server v.5.7 configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ssl_cipher_list=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DH [...]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SSL crypto device to use, for valid values run "openssl engine"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#ssl_crypto_device =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# require modern crypto - taken from Mozilla's SSL recommendations page
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# https://wiki.mozilla.org/Security/Server_Side_TLS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ssl_min_protocol = TLSv1.2
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ssl_cipher_list=ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ssl_prefer_server_ciphers = yes
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/conf.d/15-lda.conf b/mail/mail-server/files/prefix/etc/dovecot/conf.d/15-lda.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..0cc8ea3
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/conf.d/15-lda.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,77 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## LDA specific settings (also used by LMTP)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Version 2.2.x (AR14759611)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# --------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# *** Please read this section before modifying this file ***
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Several of the keys and values within this file are modified by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Apple's Server Admin application. Each key that is automatically
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# modified by the Server Admin app is identified with a comment
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# preceding the key with this note:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This key is managed by Server Admin. See above before making changes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# --------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Address to use when sending rejection mails.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default is postmaster@<your domain>. %d expands to recipient domain.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+postmaster_address = postmaster@@domain@.@tld@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Hostname to use in various parts of sent mails (e.g. in Message-Id) and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# in LMTP replies. Default is the system's real hostname@domain.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#hostname =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If user is over quota, return with temporary failure instead of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# bouncing the mail.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+quota_full_tempfail = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Binary to use for sending mails.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+sendmail_path = @PREFIX@/sbin/sendmail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If non-empty, send mails via this SMTP host[:port] instead of sendmail.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#submission_host =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Subject: header to use for rejection mails. You can use the same variables
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# as for rejection_reason below.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#rejection_subject = Rejected: %s
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Human readable error message for rejection mails. You can use variables:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %n = CRLF, %r = reason, %s = original subject, %t = recipient
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#rejection_reason = Your message to <%t> was automatically rejected:%n%r
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Delimiter character between local-part and detail in email address.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#recipient_delimiter = +
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Should be consistent with @PREFIX@/var/postfix/main.cf>recipient_delimiter
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# `recipient_delimiter = +` used by CalendarServer
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Do *not* use `smtpd_recipient_restrictions = reject_unverified_recipient …`
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# if `recipient_delimiter = yes` *and* dovecot-lmtp is used; also see
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dovecot/conf.d/15-lda.conf and dovecot/conf.d/20-lmtp.conf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Header where the original recipient address (SMTP's RCPT TO: address) is taken
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# from if not available elsewhere. With dovecot-lda -a parameter overrides this.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# A commonly used header for this is X-Original-To.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#lda_original_recipient_header =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Should saving a mail to a nonexistent mailbox automatically create it?
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+lda_mailbox_autocreate = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Save messages to mailbox with mailbox name parsed from List-Id. When enabled,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the server will automatically create nonexistent mailboxes with name parsed from List-Id
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Example: List-Id: List Header Mailing List <list-header.nisto.com>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mailbox name will would be: list-header
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#lda_mailbox_listid_autosave = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Should automatically created mailboxes be also automatically subscribed?
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#lda_mailbox_autosubscribe = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# configuration for mail delivered by the `dovecot-lda` command. Shouldn't
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# be needed since we are using LMTP, but kept for backwards compatibility.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+protocol lda {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # use fsync for write-safety - this deals with delivering actual mail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ mail_fsync = optimized
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Space separated list of plugins to load (default is global mail_plugins).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # mail_plugins = $mail_plugins sieve push_notify
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ mail_plugins = $mail_plugins sieve
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/conf.d/15-mailboxes.conf b/mail/mail-server/files/prefix/etc/dovecot/conf.d/15-mailboxes.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..243158e
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/conf.d/15-mailboxes.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,71 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Mailbox definitions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Version 2.2.x (AR14759611)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# define any special IMAP folders here. You can force them to be created or
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# created+subscribed automatically used the `auto` option.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NOTE: Assumes "namespace inbox" has been defined in 10-mail.conf.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+namespace inbox {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #mailbox name {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # auto=create will automatically create this mailbox.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # auto=subscribe will both create and subscribe to the mailbox.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #auto = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Space separated list of IMAP SPECIAL-USE attributes as specified by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # RFC 6154: \All \Archive \Drafts \Flagged \Junk \Sent \Trash
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #special_use =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # These mailboxes are widely used and could perhaps be created automatically:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ mailbox Drafts {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ auto = subscribe
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ special_use = \Drafts
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ mailbox Junk {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ auto = create
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ special_use = \Junk
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ mailbox Trash {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ auto = create
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ special_use = \Trash
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Create these mailboxes for rspamd Spam and Ham training;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # see conf.d/90-imapsieve.conf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ mailbox Spam_train {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ auto = create
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ special_use = \Junk
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ mailbox Notspam_train {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ auto = create
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ special_use = \Junk
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # For \Sent mailboxes there are two widely used names. We'll mark both of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # them as \Sent. User typically deletes one of them if duplicates are created.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ mailbox Sent {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ auto = subscribe
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ special_use = \Sent
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # macOS Server v.5.7 configuration; used by iOS:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ mailbox "Sent Messages" {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ special_use = \Sent
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ mailbox Archive {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ auto = subscribe
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ special_use = \Archive
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # If you have a virtual "All messages" mailbox:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #mailbox virtual/All {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # special_use = \All
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # If you have a virtual "Flagged" mailbox:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #mailbox virtual/Flagged {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # special_use = \Flagged
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/conf.d/20-imap.conf b/mail/mail-server/files/prefix/etc/dovecot/conf.d/20-imap.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..305959d
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/conf.d/20-imap.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,88 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# References:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# https://serverfault.com/questions/930245/dovecot-operation-not-permitted
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# https://trac.macports.org/ticket/58506
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## IMAP specific settings
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Version 2.2.x (AR14759611)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# --------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# *** Please read this section before modifying this file ***
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Several of the keys and values within this file are modified by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Apple's Server Admin application. Each key that is automatically
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# modified by the Server Admin app is identified with a comment
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# preceding the key with this note:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This key is managed by Server Admin. See above before making changes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# --------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Maximum IMAP command line length. Some clients generate very long command
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# lines with huge mailboxes, so you may need to raise this if you get
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "Too long argument" or "IMAP command line too large" errors often.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#imap_max_line_length = 64k
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# IMAP logout format string:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %i - total number of bytes read from client
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %o - total number of bytes sent to client
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#imap_logout_format = in=%i out=%o
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Override the IMAP CAPABILITY response. If the value begins with '+',
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# add the given capabilities on top of the defaults (e.g. +XFOO XBAR).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#imap_capability =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# How long to wait between "OK Still here" notifications when client is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# IDLEing.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#imap_idle_notify_interval = 2 mins
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ID field names and values to send to clients. Using * as the value makes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Dovecot use the default value. The following fields have default values
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# currently: name, version, os, os-version, support-url, support-email.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+imap_id_send = "name" * "version" *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ID fields sent by client to log. * means everything.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+imap_id_log = *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Workarounds for various client bugs:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# delay-newmail:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Send EXISTS/RECENT new mail notifications only when replying to NOOP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and CHECK commands. Some clients ignore them otherwise, for example OSX
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Mail (<v2.1). Outlook Express breaks more badly though, without this it
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# may show user "Message no longer in server" errors. Note that OE6 still
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# breaks even with this workaround if synchronization is set to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "Headers Only".
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tb-extra-mailbox-sep:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Thunderbird gets somehow confused with LAYOUT=fs (mbox and dbox) and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# adds extra '/' suffixes to mailbox names. This option causes Dovecot to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ignore the extra '/' instead of treating it as invalid mailbox name.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tb-lsub-flags:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Show \Noselect flags for LSUB replies with LAYOUT=fs (e.g. mbox).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This makes Thunderbird realize they aren't selectable and show them
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# greyed out, instead of only later giving "not selectable" popup error.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The list is space-separated.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#imap_client_workarounds =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Host allowed in URLAUTH URLs sent by client. "*" allows all.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#imap_urlauth_host =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# User with submission privileges.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+imap_urlauth_submit_user = submit
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+protocol imap {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Space separated list of plugins to load (default is global mail_plugins).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # stats (in global mail_plugins) and imap_stats (here) are also available
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ mail_plugins = $mail_plugins imap_acl imap_quota imap_zlib
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # imap_sieve will be used for spam training by rspamd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ mail_plugins = $mail_plugins imap_sieve
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Maximum number of IMAP connections allowed for a user from each IP address.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # NOTE: The username is compared case-sensitively.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ mail_max_userip_connections = 50
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Use a longer IDLE interval to reduce network chatter and save battery
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# life. Max is 30 minutes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+imap_idle_notify_interval = 29 mins
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/conf.d/20-lmtp.conf b/mail/mail-server/files/prefix/etc/dovecot/conf.d/20-lmtp.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..44ef4a2
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/conf.d/20-lmtp.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,29 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## LMTP specific settings
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Version 2.2.x (AR14759611)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Support proxying to other LMTP/SMTP servers by performing passdb lookups.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#lmtp_proxy = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When recipient address includes the detail (e.g. user+detail), try to save
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the mail to the detail mailbox. See also recipient_delimiter and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# lda_mailbox_autocreate settings.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#lmtp_save_to_detail_mailbox = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# `recipient_delimiter = +` used by CalendarServer
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Do *not* set without specifically turning off in a calendarserver userdb
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Do *not* use `smtpd_recipient_restrictions = reject_unverified_recipient …`
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# if `recipient_delimiter = yes` *and* dovecot-lmtp is used; also see
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dovecot/conf.d/15-lda.conf and dovecot/conf.d/20-lmtp.conf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Verify quota before replying to RCPT TO. This adds a small overhead.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#lmtp_rcpt_check_quota = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+protocol lmtp {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # use fsync for write-safety - this deals with delivering actual mail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ mail_fsync = optimized
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Space separated list of plugins to load (default is global mail_plugins).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # mail_plugins = $mail_plugins sieve push_notify
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ mail_plugins = $mail_plugins sieve
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/conf.d/20-managesieve.conf b/mail/mail-server/files/prefix/etc/dovecot/conf.d/20-managesieve.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..66d2fd7
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/conf.d/20-managesieve.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,75 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## ManageSieve specific settings
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Version 2.2.x (AR14759611)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+protocols = $protocols sieve
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Service definitions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## # uncomment if you want remote managesieve functionality - unfortunately
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## # almost no mail clients support it :(
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## service managesieve-login {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## inet_listener sieve {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## port = 4190
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## # Number of connections to handle before starting a new process. Typically
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## # is faster. <doc/wiki/LoginProcess.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## #service_count = 1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## # Number of processes to always keep waiting for more connections.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## #process_min_avail = 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## # If you set service_count=0, you probably need to grow this.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## #vsz_limit = 64M
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## service managesieve {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## # Max. number of ManageSieve processes (connections)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## #process_count = 1024
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## # Service configuration
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## protocol sieve {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## # Maximum ManageSieve command line length in bytes. ManageSieve usually does
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## # not involve overly long command lines, so this setting will not normally
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## # need adjustment
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## #managesieve_max_line_length = 65536
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## # Maximum number of ManageSieve connections allowed for a user from each IP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## # address.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## # NOTE: The username is compared case-sensitively.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## #mail_max_userip_connections = 10
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## # Space separated list of plugins to load (none known to be useful so far).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## # Do NOT try to load IMAP plugins here.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## #mail_plugins =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## # MANAGESIEVE logout format string:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## # %i - total number of bytes read from client
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## # %o - total number of bytes sent to client
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## #managesieve_logout_format = bytes=%i/%o
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## # To fool ManageSieve clients that are focused on CMU's timesieved you can
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## # specify the IMPLEMENTATION capability that Dovecot reports to clients.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## # For example: 'Cyrus timsieved v2.2.13'
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## #managesieve_implementation_string = Dovecot Pigeonhole
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## # Explicitly specify the SIEVE and NOTIFY capability reported by the server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## # before login. If left unassigned these will be reported dynamically
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## # according to what the Sieve interpreter supports by default (after login
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## # this may differ depending on the user).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## #managesieve_sieve_capability =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## #managesieve_notify_capability =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## # The maximum number of compile errors that are returned to the client upon
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## # script upload or script verification.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## #managesieve_max_compile_errors = 5
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## # Refer to 90-sieve.conf for script quota configuration and configuration of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## # Sieve execution limits.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## }
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/conf.d/90-fts.conf b/mail/mail-server/files/prefix/etc/dovecot/conf.d/90-fts.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..e3191d1
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/conf.d/90-fts.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,6 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# We'll uncomment these when we set up Solr in the next section:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+plugin {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fts_autoindex = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fts = solr
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fts_solr = url=http://127.0.0.1:8983/solr/dovecot/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/conf.d/90-imapsieve.conf b/mail/mail-server/files/prefix/etc/dovecot/conf.d/90-imapsieve.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..6392c2b
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/conf.d/90-imapsieve.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,19 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+plugin {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sieve_plugins = sieve_imapsieve sieve_extprograms
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # SPAM
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # From elsewhere to Spam_train folder
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ imapsieve_mailbox1_name = Spam_train
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ imapsieve_mailbox1_causes = COPY APPEND
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ imapsieve_mailbox1_before = file:@PREFIX@/etc/dovecot/sieve/report-spam.sieve
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # HAM
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # From elsewhere to Notspam_train folder
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ imapsieve_mailbox2_name = Notspam_train
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ imapsieve_mailbox2_causes = COPY APPEND
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ imapsieve_mailbox2_before = file:@PREFIX@/etc/dovecot/sieve/report-ham.sieve
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sieve_pipe_bin_dir = @PREFIX@/etc/dovecot/sieve
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/conf.d/90-plugin.conf b/mail/mail-server/files/prefix/etc/dovecot/conf.d/90-plugin.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..3bf04c0
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/conf.d/90-plugin.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,14 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Plugin settings
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# All wanted plugins must be listed in mail_plugins setting before any of the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# settings take effect. See <doc/wiki/Plugins.txt> for list of plugins and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# their configuration. Note that %variable expansion is done for all values.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+plugin {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #setting_name = value
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # No full text search of Junk or Bayesian learning folders
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fts_autoindex_exclude = \Junk
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/conf.d/90-quota.conf b/mail/mail-server/files/prefix/etc/dovecot/conf.d/90-quota.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..36a23be
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/conf.d/90-quota.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,98 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Quota configuration.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Version 2.2.x (AR14759611)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note that you also have to enable quota plugin in mail_plugins setting.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# <doc/wiki/Quota.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See 10-mail.conf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mail_plugins = $mail_plugins quota
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Quota limits
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Quota limits are set using "quota_rule" parameters. To get per-user quota
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# limits, you can set/override them by returning "quota_rule" extra field
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# from userdb. It's also possible to give mailbox-specific limits, for example
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to give additional 100 MB when saving to Trash:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+plugin {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ quota_rule = *:storage=16G
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ quota_rule2 = Trash:storage=+256M
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # LDA/LMTP allows saving the last mail to bring user from under quota to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # over quota, if the quota doesn't grow too high. Default is to allow as
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # long as quota will stay under 10% above the limit. Also allowed e.g. 10M.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ quota_grace = 10%%
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Quota warnings
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# You can execute a given command when user exceeds a specified quota limit.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Each quota root has separate limits. Only the command for the first
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# exceeded limit is excecuted, so put the highest limit first.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The commands are executed via script service by connecting to the named
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# UNIX socket (quota-warning below).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note that % needs to be escaped as %%, otherwise "% " expands to empty.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+plugin {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Note: This key is managed by Server Admin. See above before making changes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ quota_warning = storage=100%% quota-exceeded %u
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Note: This key is managed by Server Admin. See above before making changes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ quota_warning2 = storage=80%% quota-warning %u
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Example quota-warning service. The unix listener's permissions should be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# set in a way that mail processes can connect to it. Below example assumes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# that mail processes run as vmail user. If you use mode=0666, all system users
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# can generate quota warnings to anyone.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## service quota-exceeded {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## executable = script /Applications/Server.app/Contents/ServerRoot/usr/libexec/dovecot/quota-exceeded.sh
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## user = _dovecot
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## unix_listener quota-exceeded {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## user = _dovecot
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## group = mail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## mode = 0660
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## service quota-warning {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## executable = script /Applications/Server.app/Contents/ServerRoot/usr/libexec/dovecot/quota-warning.sh
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## user = _dovecot
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## unix_listener quota-warning {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## user = _dovecot
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## group = mail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## mode = 0660
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Quota backends
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Multiple backends are supported:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dirsize: Find and sum all the files found from mail directory.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Extremely SLOW with Maildir. It'll eat your CPU and disk I/O.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dict: Keep quota stored in dictionary (eg. SQL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# maildir: Maildir++ quota
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# fs: Read-only support for filesystem quota
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## plugin {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## #quota = dirsize:User quota
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## quota = maildir:User quota
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## #quota = dict:User quota::proxy::quota
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## #quota = fs:User quota
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Multiple quota roots are also possible, for example this gives each user
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# their own 100MB quota and one shared 1GB quota within the domain:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## plugin {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## #quota = dict:user::proxy::quota
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## #quota2 = dict:domain:%d:proxy::quota_domain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## #quota_rule = *:storage=102400
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## #quota2_rule = *:storage=1048576
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## }
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/conf.d/90-sieve.conf b/mail/mail-server/files/prefix/etc/dovecot/conf.d/90-sieve.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..5765d8a
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/conf.d/90-sieve.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,112 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Settings for the Sieve interpreter
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Version 2.2.x (AR14759611)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Do not forget to enable the Sieve plugin in 15-lda.conf and 20-lmtp.conf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# by adding it to the respective mail_plugins= settings.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+plugin {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # The path to the user's main active script. If ManageSieve is used, this the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # location of the symbolic link controlled by ManageSieve.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sieve = /private/var/mail/@tld@.@domain@.mail/rules/%Ln/dovecot.sieve
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # The default Sieve script when the user has none. This is a path to a global
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # sieve script file, which gets executed ONLY if user's private Sieve script
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # doesn't exist. Be sure to pre-compile this script manually using the sievec
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # command line tool.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # --> See sieve_before fore executing scripts before the user's personal
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # script.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #sieve_default = /var/lib/dovecot/sieve/default.sieve
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Directory for :personal include scripts for the include extension. This
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # is also where the ManageSieve service stores the user's scripts.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sieve_dir = /private/var/mail/@tld@.@domain@.mail/rules/%Ln/%u
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Directory for :global include scripts for the include extension.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #sieve_global_dir =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # directory of global sieve scripts to run before and after processing ALL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # incoming mail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sieve_before = @PREFIX@/etc/dovecot/sieve-before.d
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sieve_after = @PREFIX@/etc/dovecot/sieve-after.d
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Path to a script file or a directory containing script files that need to be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # executed before the user's script. If the path points to a directory, all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # the Sieve scripts contained therein (with the proper .sieve extension) are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # executed. The order of execution within a directory is determined by the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # file names, using a normal 8bit per-character comparison. Multiple script
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # file or directory paths can be specified by appending an increasing number.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #sieve_before =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #sieve_before2 =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #sieve_before3 = (etc...)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Identical to sieve_before, only the specified scripts are executed after the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # user's script (only when keep is still in effect!). Multiple script file or
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # directory paths can be specified by appending an increasing number.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #sieve_after =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #sieve_after2 =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #sieve_after2 = (etc...)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Which Sieve language extensions are available to users. By default, all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # supported extensions are available, except for deprecated extensions or
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # those that are still under development. Some system administrators may want
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # to disable certain Sieve extensions or enable those that are not available
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # by default. This setting can use '+' and '-' to specify differences relative
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # to the default. For example `sieve_extensions = +imapflags' will enable the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # deprecated imapflags extension in addition to all extensions were already
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # enabled by default.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #sieve_extensions = +notify +imapflags
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Which Sieve language extensions are ONLY available in global scripts. This
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # can be used to restrict the use of certain Sieve extensions to administrator
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # control, for instance when these extensions can cause security concerns.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # This setting has higher precedence than the `sieve_extensions' setting
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # (above), meaning that the extensions enabled with this setting are never
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # available to the user's personal script no matter what is specified for the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # `sieve_extensions' setting. The syntax of this setting is similar to the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # `sieve_extensions' setting, with the difference that extensions are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # enabled or disabled for exclusive use in global scripts. Currently, no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # extensions are marked as such by default.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #sieve_global_extensions =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # The Pigeonhole Sieve interpreter can have plugins of its own. Using this
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # setting, the used plugins can be specified. Check the Dovecot wiki
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # (wiki2.dovecot.org) or the pigeonhole website
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # (http://pigeonhole.dovecot.org) for available plugins.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # The sieve_extprograms plugin is included in this release.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #sieve_plugins =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # make sieve aware of user+tag@domain.tld aliases
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # The separator that is expected between the :user and :detail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # address parts introduced by the subaddress extension. This may
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # also be a sequence of characters (e.g. '--'). The current
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # implementation looks for the separator from the left of the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # localpart and uses the first one encountered. The :user part is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # left of the separator and the :detail part is right. This setting
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # is also used by Dovecot's LMTP service.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ recipient_delimiter = +
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # The maximum size of a Sieve script. The compiler will refuse to compile any
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # script larger than this limit. If set to 0, no limit on the script size is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # enforced.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #sieve_max_script_size = 1M
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # The maximum number of actions that can be performed during a single script
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # execution. If set to 0, no limit on the total number of actions is enforced.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #sieve_max_actions = 32
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # The maximum number of redirect actions that can be performed during a single
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # script execution. If set to 0, no redirect actions are allowed.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #sieve_max_redirects = 4
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # The maximum number of personal Sieve scripts a single user can have. If set
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # to 0, no limit on the number of scripts is enforced.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # (Currently only relevant for ManageSieve)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #sieve_quota_max_scripts = 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # The maximum amount of disk storage a single user's scripts may occupy. If
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # set to 0, no limit on the used amount of disk storage is enforced.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # (Currently only relevant for ManageSieve)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sieve_quota_max_storage = 50M
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/conf.d/auth-od.conf.ext b/mail/mail-server/files/prefix/etc/dovecot/conf.d/auth-od.conf.ext
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..9887c0f
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/conf.d/auth-od.conf.ext
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,212 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Authentication using Open Directory. Included from 10-auth.conf.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Version 2.2.x (AR14759611)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Notes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# https://wiki.dovecot.org/Authentication/Kerberos
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Kerberos authentication with `auth_gssapi_hostname = "$ALL"`
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Local account authentication with `driver pam`
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server `driver od` was used to provide UUIDs and GUIDs
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# It would be great to use that system to avoid namespace conflicts
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# between /Local/Default and /LDAPv3/127.0.0.1, but just use %Ln
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (lower case username) in this setup to specify the mailbox locations.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note that the mail client must support GSSAPI (Apple Mail does)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Notes for LDAP authentication on macOS Server:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# /Applications/Server.app/Contents/ServerRoot/private/etc/dovecot/default/dovecot-ldap.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# https://www.c0ffee.net/blog/mail-server-guide/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# https://trac.macports.org/wiki/howto/SetupDovecot
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Apple source code for Open Directory `driver od`:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# https://opensource.apple.com/source/dovecot/dovecot-293/dovecot/src/auth/db-od.c.auto.html
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# https://opensource.apple.com/source/dovecot/dovecot-293/dovecot/src/auth/db-passwd-file.c.auto.html
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# GitHub brew approach for PAM:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# https://github.com/taniguti/Services_on_macOS/blob/master/mail/setup-scripts/setup-dovecot
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# GSSAPI configuration per https://wiki.dovecot.org/Authentication/Kerberos
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Ensure `auth_gssapi_hostname = "$ALL"`, `auth_mechanisms = gssapi`
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# in 10-auth.conf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Kerberos kadmin to create a dovecot.keytab with existing macOS principals
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# References:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Zillions of Kerberos web pages
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# https://dovecot.org/list/dovecot/2016-July/104842.html
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Configure Kerberos on macOS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# krb5.conf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# DNS URI, TXT, and SRV records
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Create missing krb5.conf file
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Create edu.mit.Kerberos from
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# curl -O https://wiki.ncsa.illinois.edu/download/attachments/20613205/edu.mit.Kerberos
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo cp -p /etc/krb5.conf /etc/krb5.conf.orig
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo cp edu.mit.Kerberos /etc/krb5.conf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo ln -s /etc/krb5.conf /Library/Preferences/edu.mit.Kerberos
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Create dovecot.keytab on macOS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo /usr/sbin/kadmin -l
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# kadmin> ext_keytab -k dovecot.keytab imap/@host@.@domain@.@tld@ smtp/@host@.@domain@.@tld@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# kadmin> exit
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo @PREFIX@/bin/klist -e -k -t dovecot.keytab
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Keytab name: FILE:dovecot.keytab
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# KVNO Timestamp Principal
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ---- ------------------- ------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 1 04/20/2019 23:22:06 imap/@host@.@domain@.@tld@@@HOST@.@DOMAIN@.@TLD@ (aes256-cts-hmac-sha1-96)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 1 04/20/2019 23:22:06 imap/@host@.@domain@.@tld@@@HOST@.@DOMAIN@.@TLD@ (aes128-cts-hmac-sha1-96)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 1 04/20/2019 23:22:06 imap/@host@.@domain@.@tld@@@HOST@.@DOMAIN@.@TLD@ (des3-cbc-sha1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 1 04/20/2019 23:22:06 smtp/@host@.@domain@.@tld@@@HOST@.@DOMAIN@.@TLD@ (aes256-cts-hmac-sha1-96)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 1 04/20/2019 23:22:06 smtp/@host@.@domain@.@tld@@@HOST@.@DOMAIN@.@TLD@ (aes128-cts-hmac-sha1-96)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 1 04/20/2019 23:22:06 smtp/@host@.@domain@.@tld@@@HOST@.@DOMAIN@.@TLD@ (des3-cbc-sha1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Secure the file permissions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo chown _dovecot dovecot.keytab
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo chgrp mail dovecot.keytab
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo chmod go-rwx dovecot.keytab
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Learning curve, barking up the wrong trees, but useful background
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# None of this will ultimately work on macOS, but it's a useful reference
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# for handling Kerberos, and led to the approach that does work
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# FAIL 1:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# It is unncessary to use macOS's krbservicesetup or sso_util
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to add kerberos principals because the ones we want already exist
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Use krbservicesetup, without Macports kerberos binaries
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# export PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/Applications/Server.app/Contents/ServerRoot/usr/bin
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo krbservicesetup -x -a "admin" -p "pass" -r @HOST@.@DOMAIN@.@TLD@ imap dovecot/@host@.@domain@.@tld@@@HOST@.@DOMAIN@.@TLD@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## this principal doesn't appear in /etc/krb5.keytab, or in a kadmin get
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo @PREFIX@/bin/klist -e -k -t /etc/krb5.keytab
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# FAIL 2:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Kerberos on macOS is controlled and locked down
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# It does not work the way plain kerberos does
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For example, adding principals in kadmin -l, then
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# attempting to authenticate with these principals in e.g. kinit
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# always produces a Client expired error
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Reference: https://discussions.apple.com/thread/7220240
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Try using Directory Admin's credentials to run kerberos
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Kerberos commands to create tickets
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo /usr/bin/kinit -p diradmin@@HOST@.@DOMAIN@.@TLD@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo /usr/bin/kinit -S kadmin/admin diradmin@@HOST@.@DOMAIN@.@TLD@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# env KRB5_TRACE=/dev/stdout sudo -E /usr/sbin/kadmin -p kadmin/admin@@HOST@.@DOMAIN@.@TLD@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# echo $?
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Try adding missing kadmin/@host@.@domain@.@tld@ and kadmin/admin principals
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Ditto for kadmin.local, kinit, kpasswd, ktutil
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo /usr/sbin/kadmin -l
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# kadmin> add kadmin/@host@.@domain@.@tld@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Max ticket life [unlimited]:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Max renewable life [unlimited]:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Principal expiration time [never]:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Password expiration time [never]:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Attributes []:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Policy [default]:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# kadmin/@host@.@domain@.@tld@@@HOST@.@DOMAIN@.@TLD@'s Password:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Verify password - kadmin/@host@.@domain@.@tld@@@HOST@.@DOMAIN@.@TLD@'s Password:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# kadmin> add kadmin/admin
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Max ticket life [unlimited]:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Max renewable life [unlimited]:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Principal expiration time [never]:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Password expiration time [never]:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Attributes []:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Policy [default]:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# kadmin/admin@@HOST@.@DOMAIN@.@TLD@'s Password:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Verify password - kadmin/admin@@HOST@.@DOMAIN@.@TLD@'s Password:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# kadmin> exit
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Add principal _dovecot/@host@.@domain@.@tld@, _dovecot/admin, dovecot/…
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## and merge their keytab files
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo /usr/sbin/kadmin -l
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# kadmin> add _dovecot/@host@.@domain@.@tld@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Max ticket life [unlimited]:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Max renewable life [unlimited]:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Principal expiration time [never]:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Password expiration time [never]:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Attributes []:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Policy [default]:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# _dovecot/@host@.@domain@.@tld@@@HOST@.@DOMAIN@.@TLD@'s Password:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Verify password - _dovecot/@host@.@domain@.@tld@@@HOST@.@DOMAIN@.@TLD@'s Password:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# kadmin> add dovecot/@host@.@domain@.@tld@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# kadmin> add _dovecot/admin
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# kadmin> add dovecot/admin
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# kadmin> ext_keytab -k dovecot.keytab _dovecot/@host@.@domain@.@tld@ dovecot/@host@.@domain@.@tld@ _dovecot/admin dovecot/admin
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## unnecessary: output each principal into individual files, then merge with ktutil
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# kadmin> ext_keytab -k _dovecot-fqdn.keytab _dovecot/@host@.@domain@.@tld@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# kadmin> ext_keytab -k dovecot-fqdn.keytab dovecot/@host@.@domain@.@tld@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# kadmin> ext_keytab -k _dovecot-admin.keytab _dovecot/admin
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# kadmin> ext_keytab -k dovecot-admin.keytab dovecot/admin
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# kadmin> exit
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## unecessary merger with ktutil
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo @PREFIX@/bin/ktutil
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ktutil: rkt _dovecot-fqdn.keytab
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ktutil: rkt dovecot-fqdn.keytab
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ktutil: rkt _dovecot-admin.keytab
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ktutil: rkt dovecot-admin.keytab
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ktutil: wkt dovecot.keytab
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ktutil: exit
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## List the contents of dovecot.keytab
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# klist -e -k -t dovecot.keytab
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Allow/remove diradmin permissions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo chmod +a "diradmin allow readattr,writeattr,list,search,add_file" /var/log/krb5kdc
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo chmod -N /var/log/krb5kdc
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Debugging:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# env KRB5_TRACE=/dev/stdout sudo -E kadmin -p kadmin/admin@@HOST@.@DOMAIN@.@TLD@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo kdestroy -p diradmin@@HOST@.@DOMAIN@.@TLD@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo serveradmin stop dirserv ; sudo serveradmin start dirserv
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dscacheutil -flushcache ; sudo killall -HUP mDNSResponder ; sudo port unload bind9 ; sudo port load bind9
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo /usr/sbin/ktutil list
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo @PREFIX@/bin/klist -e -k -t /etc/krb5.keytab
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# https://trac.macports.org/wiki/howto/SetupDovecot
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# https://wiki2.dovecot.org/QuickConfiguration
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+passdb pam {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ driver = pam
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+userdb passwd {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ driver = passwd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# No passdb {} block for kerberos authentication
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Test settings
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## passdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## driver = pam
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## # service name, imap/hostname@REALM is in macOS krb5.keytab; create /etc/pam.d/imap
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## args = imap
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## userdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## driver = passwd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server v.5.7 configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# passdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # OD cache refresh intervals. The positive cache TTL applies to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # enabled accounts. The negative cache TTL applies to disabled
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # accounts. Nonexistent accounts are not cached.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # arguments: args = pos_cache_ttl=3600 neg_cache_ttl=60
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # use_getpwnam_ext=yes blocking=no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # driver = od
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server v.5.7 configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# userdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # OD cache refresh intervals. The positive cache TTL applies to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # enabled accounts. The negative cache TTL applies to disabled
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # accounts. Nonexistent accounts are not cached.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # Set enforce_quotas to yes to deny message delivery and message
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # copying when user account has exceeded their quota.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # Use global_quota to enable system wide quota. Individual
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # quotas override global quota.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # additional args: pos_cache_ttl=3600 neg_cache_ttl=60
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # luser_relay=<userid> enforce_quotas=no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # use_getpwnam_ext=yes blocking=no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # macOS Server v.5.7 configuration
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # driver = od
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# driver = ldap
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# args = partition=@PREFIX@/etc/dovecot/partition_map.conf global_quota=8192 enforce_quotas=yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# }
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/10-auth.conf b/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/10-auth.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..27150d8
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/10-auth.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,147 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Authentication processes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Version 2.2.x (AR14759611)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# --------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# *** Please read this section before modifying this file ***
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Several of the keys and values within this file are modified by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Apple's Server Admin application. Each key that is automatically
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# modified by the Server Admin app is identified with a comment
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# preceding the key with this note:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This key is managed by Server Admin. See above before making changes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# --------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Disable LOGIN command and all other plaintext authentications unless
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# matches the local IP (ie. you're connecting from the same computer), the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connection is considered secure and plaintext authentication is allowed.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See also ssl=required setting.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+disable_plaintext_auth = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# bsdauth, PAM and vpopmail require cache_key to be set for caching to be used.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_cache_size = 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Time to live for cached data. After TTL expires the cached record is no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# longer used, *except* if the main database lookup returns internal failure.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# We also try to handle password changes automatically: If user's previous
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# authentication was successful, but this one wasn't, the cache isn't used.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For now this works only with plaintext authentication.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_cache_ttl = 1 hour
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TTL for negative hits (user not found, password mismatch).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 0 disables caching them completely.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_cache_negative_ttl = 1 hour
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Space separated list of realms for SASL authentication mechanisms that need
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# them. You can leave it empty if you don't want to support multiple realms.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Many clients simply use the first one listed here, so keep the default realm
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# first.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This key is managed by Server Admin. See above before making changes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_realms =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default realm/domain to use if none was specified. This is used for both
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SASL realms and appending @domain to username in plaintext logins.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_default_realm =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# List of allowed characters in username. If the user-given username contains
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# a character not listed in here, the login automatically fails. This is just
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# an extra check to make sure user can't exploit any potential quote escaping
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# vulnerabilities with SQL/LDAP databases. If you want to allow all characters,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# set this value to empty.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Username character translations before it's looked up from databases. The
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# value contains series of from -> to characters. For example "#@/@" means
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# that '#' and '/' characters are translated to '@'.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_username_translation =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Username formatting before it's looked up from databases. You can use
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the standard variables here, eg. %Lu would lowercase the username, %n would
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# drop away the domain if it was given, or "%n-AT-%d" would change the '@' into
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "-AT-". This translation is done after auth_username_translation changes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+auth_username_format = %n
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you want to allow master users to log in by specifying the master
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# username within the normal username string (ie. not using SASL mechanism's
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# support for it), you can specify the separator character here. The format
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# is then <username><separator><master username>. UW-IMAP uses "*" as the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# separator, so that could be a good choice.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_master_user_separator =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Username to use for users logging in with ANONYMOUS SASL mechanism
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_anonymous_username = anonymous
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Maximum number of dovecot-auth worker processes. They're used to execute
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# blocking passdb and userdb queries (eg. MySQL and PAM). They're
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# automatically created and destroyed as needed.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_worker_max_count = 30
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Host name to use in GSSAPI principal names. The default is to use the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# entries.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This key is managed by Server Admin. See above before making changes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+auth_gssapi_hostname = "$ALL"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Kerberos keytab to use for the GSSAPI mechanism. Will use the system
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# default (usually /etc/krb5.keytab) if not specified. You may need to change
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the auth service to run as root to be able to read this file.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_krb5_keytab =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_use_winbind = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Path for Samba's ntlm_auth helper binary.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_winbind_helper_path = /usr/bin/ntlm_auth
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Time to delay before replying to failed authentications.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_failure_delay = 2 secs
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Require a valid SSL client certificate or the authentication fails.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This key is managed by Server Admin. See above before making changes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_ssl_require_client_cert = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Take the username from client's SSL certificate, using
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# X509_NAME_get_text_by_NID() which returns the subject's DN's
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# CommonName.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This key is managed by Server Admin. See above before making changes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_ssl_username_from_cert = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Space separated list of wanted authentication mechanisms:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# gss-spnego
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NOTE: See also disable_plaintext_auth setting.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+auth_mechanisms = cram-md5
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Password and user databases
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Password database is used to verify user's password (and nothing more).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# You can have multiple passdbs and userdbs. This is useful if you want to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# allow both system users (/etc/passwd) and virtual users to login without
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# duplicating the system users into virtual database.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# <doc/wiki/PasswordDatabase.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# User database specifies where mails are located and what user/group IDs
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# own them. For single-UID configuration use "static" userdb.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# <doc/wiki/UserDatabase.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#!include auth-deny.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#!include auth-master.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#!include auth-system.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#!include auth-sql.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#!include auth-ldap.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+!include auth-od.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+!include auth-submit.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#!include auth-passwdfile.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#!include auth-checkpassword.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#!include auth-vpopmail.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#!include auth-static.conf.ext
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/10-director.conf b/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/10-director.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..4e46b35
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/10-director.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,62 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Director-specific settings.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Version 2.2.x (AR14759611)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Director can be used by Dovecot proxy to keep a temporary user -> mail server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mapping. As long as user has simultaneous connections, the user is always
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# redirected to the same server. Each proxy server is running its own director
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# process, and the directors are communicating the state to each others.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Directors are mainly useful with NFS-like setups.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# List of IPs or hostnames to all director servers, including ourself.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Ports can be specified as ip:port. The default port is the same as
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# what director service's inet_listener is using.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#director_servers =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# List of IPs or hostnames to all backend mail servers. Ranges are allowed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# too, like 10.0.0.10-10.0.0.30.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#director_mail_servers =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# How long to redirect users to a specific server after it no longer has
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# any connections.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#director_user_expire = 15 min
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TCP/IP port that accepts doveadm connections (instead of director connections)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you enable this, you'll also need to add inet_listener for the port.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#director_doveadm_port = 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# How the username is translated before being hashed. Useful values include
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %Ln if user can log in with or without @domain, %Ld if mailboxes are shared
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# within domain.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#director_username_hash = %Lu
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# To enable director service, uncomment the modes and assign a port.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+service director {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ unix_listener login/director {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #mode = 0666
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fifo_listener login/proxy-notify {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #mode = 0666
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ unix_listener director-userdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #mode = 0600
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ inet_listener {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #port =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Enable director for the wanted login services by telling them to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connect to director socket instead of the default login socket:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+service imap-login {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #executable = imap-login director
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+service pop3-login {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #executable = pop3-login director
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Enable director for LMTP proxying:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+protocol lmtp {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #auth_socket_path = director-userdb
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/10-logging.conf b/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/10-logging.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..971b0c9
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/10-logging.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,97 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Log destination.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Version 2.2.x (AR14759611)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# --------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# *** Please read this section before modifying this file ***
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Several of the keys and values within this file are modified by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Apple's Server Admin application. Each key that is automatically
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# modified by the Server Admin app is identified with a comment
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# preceding the key with this note:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This key is managed by Server Admin. See above before making changes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# --------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Log file to use for error messages. "syslog" logs to syslog,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# /dev/stderr logs to stderr.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+log_path = /Library/Logs/Mail/mail-err.log
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Log file to use for informational messages. Defaults to log_path.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+info_log_path = /Library/Logs/Mail/mail-info.log
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Log file to use for debug messages. Defaults to info_log_path.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+debug_log_path = /Library/Logs/Mail/mail-debug.log
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Syslog facility to use if you're logging to syslog. Usually if you don't
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# want to use "mail", you'll use local0..local7. Also other standard
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# facilities are supported.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# syslog_facility = local6
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Logging verbosity and debugging.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Log unsuccessful authentication attempts and the reasons why they failed.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_verbose = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# In case of password mismatches, log the attempted password. Valid values are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# no, plain and sha1. sha1 can be useful for detecting brute force password
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# attempts vs. user simply trying the same password over and over again.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_verbose_passwords = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Even more verbose logging for debugging purposes. Shows for example SQL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# queries.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_debug = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# In case of password mismatches, log the passwords and used scheme so the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# problem can be debugged. Enabling this also enables auth_debug.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_debug_passwords = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Enable mail process debugging. This can help you figure out why Dovecot
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# isn't finding your mails.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_debug = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Show protocol level SSL errors.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#verbose_ssl = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mail_log plugin provides more event logging for mail processes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+plugin {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Events to log. Also available: flag_change append
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Available fields: uid, box, msgid, from, subject, size, vsize, flags
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # size and vsize are available only for expunge and copy events.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #mail_log_fields = uid box msgid size
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Log formatting.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Prefix for each line written to log file. % codes are in strftime(3)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# format.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#log_timestamp = "%b %d %H:%M:%S "
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Space-separated list of elements we want to log. The elements which have
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# a non-empty variable value are joined together to form a comma-separated
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# string.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Login log format. %$ contains login_log_format_elements string, %s contains
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the data we want to log.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#login_log_format = %$: %s
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Log prefix for mail processes. See doc/wiki/Variables.txt for list of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# possible variables you can use.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+mail_log_prefix = "%s(pid %p user %u): "
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Format to use for logging mail deliveries. You can use variables:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %$ - Delivery status message (e.g. "saved to INBOX")
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %m - Message-ID
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %s - Subject
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %f - From address
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %p - Physical size
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %w - Virtual size
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#deliver_log_format = msgid=%m: %$
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/10-mail.conf b/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/10-mail.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..b13918d
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/10-mail.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,409 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Mailbox locations and namespaces
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Version 2.2.x (AR14759611)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# --------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# *** Please read this section before modifying this file ***
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Several of the keys and values within this file are modified by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Apple's Server Admin application. Each key that is automatically
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# modified by the Server Admin app is identified with a comment
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# preceding the key with this note:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This key is managed by Server Admin. See above before making changes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# --------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Location for users' mailboxes. The default is empty, which means that Dovecot
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tries to find the mailboxes automatically. This won't work if the user
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# doesn't yet have any mail, so you should explicitly tell Dovecot the full
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# location.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you're using mbox, giving a path to the INBOX file (eg. /var/mail/%u)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# isn't enough. You'll also need to tell Dovecot where the other mailboxes are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# kept. This is called the "root mail directory", and it must be the first
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# path given in the mail_location setting.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# There are a few special variables you can use, eg.:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %u - username
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %n - user part in user@domain, same as %u if there's no domain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %d - domain part in user@domain, empty if there's no domain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %h - home directory
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See doc/wiki/Variables.txt for full list. Some examples:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mail_location = maildir:~/Maildir
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mail_location = mbox:~/mail:INBOX=/var/mail/%u
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# <doc/wiki/MailLocation.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_location =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This key is managed by Server Admin. See above before making changes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+mail_location = maildir:/Library/Server/Mail/Data/mail/%u
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you need to set multiple mailbox locations or want to change default
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# namespace settings, you can do it by defining namespace sections.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# You can have private, shared and public namespaces. Private namespaces
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# are for user's personal mails. Shared namespaces are for accessing other
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# users' mailboxes that have been shared. Public namespaces are for shared
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mailboxes that are managed by sysadmin. If you create any shared or public
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# namespaces you'll typically want to enable ACL plugin also, otherwise all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# users can access all the shared mailboxes, assuming they have permissions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# on filesystem level to do so.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+namespace inbox {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Namespace type: private, shared or public
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #type = private
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Hierarchy separator to use. You should use the same separator for all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # namespaces or some clients get confused. '/' is usually a good one.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # The default however depends on the underlying mail storage format.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #separator =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Prefix required to access this namespace. This needs to be different for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # all namespaces. For example "Public/".
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #prefix =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Physical location of the mailbox. This is in same format as
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # mail_location, which is also the default for it.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #location =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # There can be only one INBOX, and this setting defines which namespace
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # has it.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ inbox = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # If namespace is hidden, it's not advertised to clients via NAMESPACE
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # extension. You'll most likely also want to set list=no. This is mostly
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # useful when converting from another server with different namespaces which
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # you want to deprecate but still keep working. For example you can create
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # hidden namespaces with prefixes "~/mail/", "~%u/mail/" and "mail/".
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #hidden = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Show the mailboxes under this namespace with LIST command. This makes the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # namespace visible for clients that don't support NAMESPACE extension.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # "children" value lists child mailboxes, but hides the namespace prefix.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #list = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Namespace handles its own subscriptions. If set to "no", the parent
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # namespace handles them (empty prefix should always have this as "yes")
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #subscriptions = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# shared namespace configuration
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+namespace acl-mailboxes {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ type = shared
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ separator = .
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ prefix = shared.%%u.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #location = maildir:/Library/Server/Mail/Data/mail/%%u:INDEX=/Library/Server/Mail/Data/mail/%%u/shared
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ location = maildir:/Library/Server/Mail/Data/mail/users/%%u:INDEX=/Library/Server/Mail/Data/mail/shared/%%u
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ subscriptions = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ list = children
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# shared namespace configuration
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+namespace list-archives {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ type = shared
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ separator = .
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ prefix = archives.%%u.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ location = maildir:/Library/Server/Mail/Data/listserver/messages/archive/lists/%%u:INDEX=/Library/Server/Mail/Data/listserver/messages/archive/shared/%%u
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ subscriptions = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ list = children
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Example shared namespace configuration
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#namespace {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #type = shared
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #separator = .
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Mailboxes are visible under "shared/user@domain/"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # %%n, %%d and %%u are expanded to the destination user.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #prefix = shared.%%u.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Mail location for other users' mailboxes. Note that %variables and ~/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # expands to the logged in user's data. %%n, %%d, %%u and %%h expand to the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # destination user's data.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #location = maildir:/Library/Server/Mail/Data/mail/users/%%u
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Use the default namespace for saving subscriptions.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #subscriptions = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # List the shared/ namespace only if there are visible shared mailboxes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #list = children
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Should shared INBOX be visible as "shared/user" or "shared/user/INBOX"?
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_shared_explicit_inbox = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# System user and group used to access mails. If you use multiple, userdb
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# can override these by returning uid or gid fields. You can use either numbers
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# or names. <doc/wiki/UserIds.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_uid =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_gid =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Group to enable temporarily for privileged operations. Currently this is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# used only with INBOX when either its initial creation or dotlocking fails.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Typically this is set to "mail" to give access to /var/mail.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_privileged_group =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Grant access to these supplementary groups for mail processes. Typically
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# these are used to set up access to shared mailboxes. Note that it may be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dangerous to set these if users can create symlinks (e.g. if "mail" group is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# set here, ln -s /var/mail ~/mail/var could allow a user to delete others'
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mailboxes, or ln -s /secret/shared/box ~/mail/mybox would allow reading it).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+mail_access_groups = mail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Allow full filesystem access to clients. There's no access checks other than
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# what the operating system does for the active UID/GID. It works with both
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# maildir and mboxes, allowing you to prefix mailboxes names with eg. /path/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# or ~user/.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_full_filesystem_access = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Dictionary for key=value mailbox attributes. Currently used by URLAUTH, but
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# soon intended to be used by METADATA as well.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+mail_attribute_dict = file:/Library/Server/Mail/Data/attributes/attributes.dict
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Mail processes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Don't use mmap() at all. This is required if you store indexes to shared
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# filesystems (NFS or clustered filesystem).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mmap_disable = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Rely on O_EXCL to work when creating dotlock files. NFS supports O_EXCL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# since version 3, so this should be safe to use nowadays by default.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#dotlock_use_excl = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When to use fsync() or fdatasync() calls:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# optimized (default): Whenever necessary to avoid losing important data
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# always: Useful with e.g. NFS when write()s are delayed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# never: Never use it (best performance, but crashes can lose data)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_fsync = optimized
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Mail storage exists in NFS. Set this to yes to make Dovecot flush NFS caches
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# whenever needed. If you're using only a single mail server this isn't needed.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_nfs_storage = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Mail index files also exist in NFS. Setting this to yes requires
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mmap_disable=yes and fsync_disable=no.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_nfs_index = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Locking method for index files. Alternatives are fcntl, flock and dotlock.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Dotlocking uses some tricks which may create more disk I/O than other locking
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# methods. NFS users: flock doesn't work, remember to change mmap_disable.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#lock_method = fcntl
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Directory in which LDA/LMTP temporarily stores incoming mails >128 kB.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_temp_dir = /tmp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Valid UID range for users, defaults to 500 and above. This is mostly
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to make sure that users can't log in as daemons or other system users.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note that denying root logins is hardcoded to dovecot binary and can't
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# be done even if first_valid_uid is set to 0.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+first_valid_uid = 6
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+last_valid_uid = 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Valid GID range for users, defaults to non-root/wheel. Users having
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# non-valid GID as primary group ID aren't allowed to log in. If user
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# belongs to supplementary groups with non-valid GIDs, those groups are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# not set.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+first_valid_gid = 6
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+last_valid_gid = 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Maximum allowed length for mail keyword name. It's only forced when trying
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to create new keywords.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_max_keyword_length = 50
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ':' separated list of directories under which chrooting is allowed for mail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# processes (ie. /var/mail will allow chrooting to /var/mail/foo/bar too).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This setting doesn't affect login_chroot, mail_chroot or auth chroot
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# settings. If this setting is empty, "/./" in home dirs are ignored.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# WARNING: Never add directories here which local users can modify, that
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# may lead to root exploit. Usually this should be done only if you don't
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# allow shell access for users. <doc/wiki/Chrooting.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#valid_chroot_dirs =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default chroot directory for mail processes. This can be overridden for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# specific users in user database by giving /./ in user's home directory
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (eg. /home/./user chroots into /home). Note that usually there is no real
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# need to do chrooting, Dovecot doesn't allow users to access files outside
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# their mail directory anyway. If your home directories are prefixed with
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the chroot directory, append "/." to mail_chroot. <doc/wiki/Chrooting.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_chroot =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (APPLE) Disconnect clients when they send too many bad commands in a row.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_max_bad_commands = 20
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# UNIX socket path to master authentication server to find users.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This is used by imap (for shared users) and lda.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+auth_socket_path = /var/run/dovecot/auth-userdb
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Directory where to look up mail plugins.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_plugin_dir = /usr/lib/dovecot
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Space separated list of plugins to load for all services. Plugins specific to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# IMAP, LDA, etc. are added to this list in their own .conf files.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (APPLE) added fts_sk
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+mail_plugins = quota zlib acl fts fts_sk
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Mailbox handling optimizations
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Mailbox list indexes can be used to optimize IMAP STATUS commands. They are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# also required for IMAP NOTIFY extension to be enabled.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mailbox_list_index = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The minimum number of mails in a mailbox before updates are done to cache
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# file. This allows optimizing Dovecot's behavior to do less disk writes at
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the cost of more disk reads.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_cache_min_mail_count = 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When IDLE command is running, mailbox is checked once in a while to see if
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# there are any new mails or other changes. This setting defines the minimum
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# time to wait between those checks. Dovecot can also use dnotify, inotify and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# kqueue to find out immediately when changes occur.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mailbox_idle_check_interval = 30 secs
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Save mails with CR+LF instead of plain LF. This makes sending those mails
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# take less CPU, especially with sendfile() syscall with Linux and FreeBSD.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# But it also creates a bit more disk I/O which may just make it slower.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Also note that if other software reads the mboxes/maildirs, they may handle
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the extra CRs wrong and cause problems.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_save_crlf = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Max number of mails to keep open and prefetch to memory. This only works with
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# some mailbox formats and/or operating systems.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_prefetch_count = 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# How often to scan for stale temporary files and delete them (0 = never).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# These should exist only after Dovecot dies in the middle of saving mails.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_temp_scan_interval = 1w
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Maildir-specific settings
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# By default LIST command returns all entries in maildir beginning with a dot.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Enabling this option makes Dovecot return only entries which are directories.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This is done by stat()ing each entry, so it causes more disk I/O.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (For systems setting struct dirent->d_type, this check is free and it's
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# done always regardless of this setting)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#maildir_stat_dirs = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When copying a message, do it with hard links whenever possible. This makes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the performance much better, and it's unlikely to have any side effects.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#maildir_copy_with_hardlinks = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Assume Dovecot is the only MUA accessing Maildir: Scan cur/ directory only
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# when its mtime changes unexpectedly or when we can't find the mail otherwise.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#maildir_very_dirty_syncs = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If enabled, Dovecot doesn't use the S=<size> in the Maildir filenames for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# getting the mail's physical size, except when recalculating Maildir++ quota.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This can be useful in systems where a lot of the Maildir filenames have a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# broken size. The performance hit for enabling this is very small.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#maildir_broken_filename_sizes = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## mbox-specific settings
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Which locking methods to use for locking mbox. There are four available:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dotlock: Create <mailbox>.lock file. This is the oldest and most NFS-safe
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# solution. If you want to use /var/mail/ like directory, the users
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# will need write access to that directory.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dotlock_try: Same as dotlock, but if it fails because of permissions or
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# because there isn't enough disk space, just skip it.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# fcntl : Use this if possible. Works with NFS too if lockd is used.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# flock : May not exist in all systems. Doesn't work with NFS.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# lockf : May not exist in all systems. Doesn't work with NFS.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# You can use multiple locking methods; if you do the order they're declared
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# in is important to avoid deadlocks if other MTAs/MUAs are using multiple
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# locking methods as well. Some operating systems don't allow using some of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# them simultaneously.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mbox_read_locks = fcntl
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mbox_write_locks = dotlock fcntl
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Maximum time to wait for lock (all of them) before aborting.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mbox_lock_timeout = 5 mins
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If dotlock exists but the mailbox isn't modified in any way, override the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# lock file after this much time.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mbox_dotlock_change_timeout = 2 mins
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When mbox changes unexpectedly we have to fully read it to find out what
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# changed. If the mbox is large this can take a long time. Since the change
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# is usually just a newly appended mail, it'd be faster to simply read the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# new mails. If this setting is enabled, Dovecot does this but still safely
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# fallbacks to re-reading the whole mbox file whenever something in mbox isn't
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# how it's expected to be. The only real downside to this setting is that if
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# some other MUA changes message flags, Dovecot doesn't notice it immediately.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note that a full sync is done with SELECT, EXAMINE, EXPUNGE and CHECK
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# commands.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mbox_dirty_syncs = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Like mbox_dirty_syncs, but don't do full syncs even with SELECT, EXAMINE,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# EXPUNGE or CHECK commands. If this is set, mbox_dirty_syncs is ignored.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mbox_very_dirty_syncs = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Delay writing mbox headers until doing a full write sync (EXPUNGE and CHECK
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# commands and when closing the mailbox). This is especially useful for POP3
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# where clients often delete all mails. The downside is that our changes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# aren't immediately visible to other MUAs.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mbox_lazy_writes = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If mbox size is smaller than this (e.g. 100k), don't write index files.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If an index file already exists it's still read, just not updated.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mbox_min_index_size = 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Mail header selection algorithm to use for MD5 POP3 UIDLs when
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# pop3_uidl_format=%m. For backwards compatibility we use apop3d inspired
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# algorithm, but it fails if the first Received: header isn't unique in all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mails. An alternative algorithm is "all" that selects all headers.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mbox_md5 = apop3d
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## mdbox-specific settings
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Maximum dbox file size until it's rotated.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+mdbox_rotate_size = 200M
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Maximum dbox file age until it's rotated. Typically in days. Day begins
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# from midnight, so 1d = today, 2d = yesterday, etc. 0 = check disabled.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+mdbox_rotate_interval = 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When creating new mdbox files, immediately preallocate their size to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mdbox_rotate_size. This setting currently works only in Linux with some
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# filesystems (ext4, xfs).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mdbox_preallocate_space = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Mail attachments
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sdbox and mdbox support saving mail attachments to external files, which
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# also allows single instance storage for them. Other backends don't support
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# this for now.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Directory root where to store mail attachments. Disabled, if empty.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_attachment_dir =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Attachments smaller than this aren't saved externally. It's also possible to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# write a plugin to disable saving specific attachments externally.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_attachment_min_size = 128k
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Filesystem backend to use for saving attachments:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# posix : No SiS done by Dovecot (but this might help FS's own deduplication)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sis posix : SiS with immediate byte-by-byte comparison during saving
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sis-queue posix : SiS with delayed comparison and deduplication
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_attachment_fs = sis posix
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Hash format to use in attachment filenames. You can add any text and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# variables: %{md4}, %{md5}, %{sha1}, %{sha256}, %{sha512}, %{size}.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Variables can be truncated, e.g. %{sha256:80} returns only first 80 bits
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_attachment_hash = %{sha1}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/10-master.conf b/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/10-master.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..e95bf16
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/10-master.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,168 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Master config settings
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Version 2.2.x (AR14759611)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# --------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# *** Please read this section before modifying this file ***
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Several of the keys and values within this file are modified by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Apple's Server Admin application. Each key that is automatically
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# modified by the Server Admin app is identified with a comment
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# preceding the key with this note:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This key is managed by Server Admin. See above before making changes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# --------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#default_process_limit = 100
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#default_client_limit = 1000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default VSZ (virtual memory size) limit for service processes. This is mainly
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# intended to catch and kill processes that leak memory before they eat up
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# everything.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#default_vsz_limit = 256M
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Login user is internally used by login processes. This is the most untrusted
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# user in Dovecot system. It shouldn't have access to anything at all.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+default_login_user = _dovenull
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Internal user is used by unprivileged processes. It should be separate from
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# login user, so that login processes can't disturb other processes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+default_internal_user = _dovecot
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+service imap-login {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ inet_listener imap {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ port = 143
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ inet_listener imaps {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ port = 993
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssl = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Number of connections to handle before starting a new process. Typically
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # is faster. <doc/wiki/LoginProcess.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ service_count = 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Number of processes to always keep waiting for more connections.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #process_min_avail = 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # If you set service_count=0, you probably need to grow this.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #vsz_limit = $default_vsz_limit
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+service pop3-login {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ inet_listener pop3 {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ port = 110
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ inet_listener pop3s {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ port = 995
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssl = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+service lmtp {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ unix_listener lmtp {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ mode = 0600
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Create inet listener only if you can't use the above UNIX socket
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #inet_listener lmtp {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Avoid making LMTP visible for the entire internet
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #address =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #port =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+service imap {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Most of the memory goes to mmap()ing files. You may need to increase this
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # limit if you have huge mailboxes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #vsz_limit = $default_vsz_limit
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Max. number of IMAP processes (connections)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ process_limit = 200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ client_limit = 5
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ service_count = 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+service pop3 {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Max. number of POP3 processes (connections)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ process_limit = 200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ client_limit = 5
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ service_count = 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+service auth {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # auth_socket_path points to this userdb socket by default. It's typically
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # full permissions to this socket are able to get a list of all usernames and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # get the results of everyone's userdb lookups.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # The default 0666 mode allows anyone to connect to the socket, but the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # userdb lookups will succeed only if the userdb returns an "uid" field that
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # matches the caller process's UID. Also if caller's uid or gid matches the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # socket's uid or gid the lookup succeeds. Anything else causes a failure.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # To give the caller full permissions to lookup all users, set the mode to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # something else than 0666 and Dovecot lets the kernel enforce the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # permissions (e.g. 0777 allows everyone full permissions).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ unix_listener auth-userdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #mode = 0600
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ user = _dovecot
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #group =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Postfix smtp-auth
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #unix_listener /Library/Server/Mail/Data/spool/private/auth {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # mode = 0666
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Auth process is run as this user.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #user = $default_internal_user
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # APPLE - keep auth alive for a while for the cache
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ idle_kill = 15m
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Allow access to keytab
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ extra_groups = _keytabusers
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+service auth-worker {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Auth worker process is run as root by default, so that it can access
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # /etc/shadow. If this isn't necessary, the user should be changed to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # $default_internal_user.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #user = root
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+service dict {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # If dict proxy is used, mail processes should have access to its socket.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # For example: mode=0660, group=vmail and global mail_access_groups=vmail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ unix_listener dict {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #mode = 0600
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #user =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #group =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+service dns_client {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ unix_listener dns-client {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ mode = 0600
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# for stats plugin, if enabled
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+service stats {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fifo_listener stats-mail {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ user = _dovecot
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ mode = 0600
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# To reduce indexer-workers' CPU and disk I/O load, change process_limit.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+service indexer-worker {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ user = _dovecot
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #process_limit = 10
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/10-ssl.conf b/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/10-ssl.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..913a4a9
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/10-ssl.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,80 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## SSL settings
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Version 2.2.x (AR14759611)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# --------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# *** Please read this section before modifying this file ***
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Several of the keys and values within this file are modified by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Apple's Server Admin application. Each key that is automatically
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# modified by the Server Admin app is identified with a comment
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# preceding the key with this note:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This key is managed by Server Admin. See above before making changes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# --------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This key is managed by Server Admin. See above before making changes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ssl = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dropping root privileges, so keep the key file unreadable by anyone but
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# root. Included doc/mkcert.sh can be used to easily generate self-signed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# certificate, just make sure to update the domains in dovecot-openssl.cnf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This key is managed by Server Admin. See above before making changes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ssl_cert =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dropping root privileges, so keep the key file unreadable by anyone but
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# root. Included doc/mkcert.sh can be used to easily generate self-signed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# certificate, just make sure to update the domains in dovecot-openssl.cnf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This key is managed by Server Admin. See above before making changes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ssl_key =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If key file is password protected, give the password here. Alternatively
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# give it when starting dovecot with -p parameter. Since this file is often
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# world-readable, you may want to place this setting instead to a different
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# root owned 0600 file by using ssl_key_password = <path.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#ssl_key_password =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# PEM encoded trusted certificate authority. Set this only if you intend to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# use ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This key is managed by Server Admin. See above before making changes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ssl_ca =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Require that CRL check succeeds for client certificates.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#ssl_require_crl = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Directory and/or file for trusted SSL CA certificates. These are used only
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# when Dovecot needs to act as an SSL client (e.g. imapc backend). The
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# directory is usually /etc/ssl/certs in Debian-based systems and the file is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# /etc/pki/tls/cert.pem in RedHat-based systems.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#ssl_client_ca_dir =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#ssl_client_ca_file =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Request client to send a certificate. If you also want to require it, set
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# auth_ssl_require_client_cert=yes in auth section.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This key is managed by Server Admin. See above before making changes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#ssl_verify_client_cert = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Which field from certificate to use for username. commonName and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# x500UniqueIdentifier are the usual choices. You'll also need to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# set auth_ssl_username_from_cert=yes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#ssl_cert_username_field = commonName
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# How often to regenerate the SSL parameters file. Generation is quite CPU
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# intensive operation. The value is in hours, 0 disables regeneration
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# entirely.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#ssl_parameters_regenerate = 168
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SSL protocols to use
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ssl_protocols = !SSLv2 !SSLv3
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SSL ciphers to use
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ssl_cipher_list = ALL:!LOW:!EXP:!aNULL:!ADH:!eNULL:!EXPORT:!3DES:!DES:!aECDH:!DSS:!SEED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SSL crypto device to use, for valid values run "openssl engine"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#ssl_crypto_device =
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/15-lda.conf b/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/15-lda.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..f0d2cb0
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/15-lda.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,67 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## LDA specific settings (also used by LMTP)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Version 2.2.x (AR14759611)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# --------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# *** Please read this section before modifying this file ***
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Several of the keys and values within this file are modified by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Apple's Server Admin application. Each key that is automatically
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# modified by the Server Admin app is identified with a comment
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# preceding the key with this note:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This key is managed by Server Admin. See above before making changes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# --------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Address to use when sending rejection mails.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default is postmaster@<your domain>. %d expands to recipient domain.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#postmaster_address =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Hostname to use in various parts of sent mails (e.g. in Message-Id) and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# in LMTP replies. Default is the system's real hostname@domain.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#hostname =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If user is over quota, return with temporary failure instead of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# bouncing the mail.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+quota_full_tempfail = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Binary to use for sending mails.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+sendmail_path = /usr/sbin/sendmail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If non-empty, send mails via this SMTP host[:port] instead of sendmail.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#submission_host =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Subject: header to use for rejection mails. You can use the same variables
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# as for rejection_reason below.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#rejection_subject = Rejected: %s
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Human readable error message for rejection mails. You can use variables:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %n = CRLF, %r = reason, %s = original subject, %t = recipient
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#rejection_reason = Your message to <%t> was automatically rejected:%n%r
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Delimiter character between local-part and detail in email address.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#recipient_delimiter = +
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Header where the original recipient address (SMTP's RCPT TO: address) is taken
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# from if not available elsewhere. With dovecot-lda -a parameter overrides this.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# A commonly used header for this is X-Original-To.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#lda_original_recipient_header =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Should saving a mail to a nonexistent mailbox automatically create it?
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#lda_mailbox_autocreate = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Save messages to mailbox with mailbox name parsed from List-Id. When enabled,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the server will automatically create nonexistent mailboxes with name parsed from List-Id
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Example: List-Id: List Header Mailing List <list-header.nisto.com>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mailbox name will would be: list-header
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#lda_mailbox_listid_autosave = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Should automatically created mailboxes be also automatically subscribed?
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#lda_mailbox_autosubscribe = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+protocol lda {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Space separated list of plugins to load (default is global mail_plugins).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ mail_plugins = $mail_plugins sieve
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/15-mailboxes.conf b/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/15-mailboxes.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..5b3c774
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/15-mailboxes.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,48 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Mailbox definitions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Version 2.2.x (AR14759611)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NOTE: Assumes "namespace inbox" has been defined in 10-mail.conf.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+namespace inbox {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #mailbox name {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # auto=create will automatically create this mailbox.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # auto=subscribe will both create and subscribe to the mailbox.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #auto = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Space separated list of IMAP SPECIAL-USE attributes as specified by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # RFC 6154: \All \Archive \Drafts \Flagged \Junk \Sent \Trash
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #special_use =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # These mailboxes are widely used and could perhaps be created automatically:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ mailbox Drafts {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ special_use = \Drafts
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ mailbox Junk {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ special_use = \Junk
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ mailbox Trash {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ special_use = \Trash
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # For \Sent mailboxes there are two widely used names. We'll mark both of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # them as \Sent. User typically deletes one of them if duplicates are created.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ mailbox Sent {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ special_use = \Sent
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ mailbox "Sent Messages" {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ special_use = \Sent
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # If you have a virtual "All messages" mailbox:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #mailbox virtual/All {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # special_use = \All
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # If you have a virtual "Flagged" mailbox:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #mailbox virtual/Flagged {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # special_use = \Flagged
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/20-imap.conf b/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/20-imap.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..864aafb
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/20-imap.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,78 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## IMAP specific settings
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Version 2.2.x (AR14759611)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# --------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# *** Please read this section before modifying this file ***
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Several of the keys and values within this file are modified by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Apple's Server Admin application. Each key that is automatically
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# modified by the Server Admin app is identified with a comment
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# preceding the key with this note:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This key is managed by Server Admin. See above before making changes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# --------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Maximum IMAP command line length. Some clients generate very long command
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# lines with huge mailboxes, so you may need to raise this if you get
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "Too long argument" or "IMAP command line too large" errors often.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#imap_max_line_length = 64k
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# IMAP logout format string:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %i - total number of bytes read from client
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %o - total number of bytes sent to client
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#imap_logout_format = in=%i out=%o
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Override the IMAP CAPABILITY response. If the value begins with '+',
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# add the given capabilities on top of the defaults (e.g. +XFOO XBAR).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#imap_capability =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# How long to wait between "OK Still here" notifications when client is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# IDLEing.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#imap_idle_notify_interval = 2 mins
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ID field names and values to send to clients. Using * as the value makes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Dovecot use the default value. The following fields have default values
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# currently: name, version, os, os-version, support-url, support-email.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+imap_id_send = "name" * "version" *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ID fields sent by client to log. * means everything.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+imap_id_log = *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Workarounds for various client bugs:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# delay-newmail:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Send EXISTS/RECENT new mail notifications only when replying to NOOP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and CHECK commands. Some clients ignore them otherwise, for example OSX
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Mail (<v2.1). Outlook Express breaks more badly though, without this it
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# may show user "Message no longer in server" errors. Note that OE6 still
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# breaks even with this workaround if synchronization is set to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "Headers Only".
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tb-extra-mailbox-sep:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Thunderbird gets somehow confused with LAYOUT=fs (mbox and dbox) and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# adds extra '/' suffixes to mailbox names. This option causes Dovecot to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ignore the extra '/' instead of treating it as invalid mailbox name.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tb-lsub-flags:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Show \Noselect flags for LSUB replies with LAYOUT=fs (e.g. mbox).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This makes Thunderbird realize they aren't selectable and show them
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# greyed out, instead of only later giving "not selectable" popup error.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The list is space-separated.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#imap_client_workarounds =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Host allowed in URLAUTH URLs sent by client. "*" allows all.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#imap_urlauth_host =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# User with submission privileges.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+imap_urlauth_submit_user = submit
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+protocol imap {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Space separated list of plugins to load (default is global mail_plugins).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # stats (in global mail_plugins) and imap_stats (here) are also available
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ mail_plugins = $mail_plugins imap_acl imap_quota imap_zlib
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Maximum number of IMAP connections allowed for a user from each IP address.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # NOTE: The username is compared case-sensitively.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ mail_max_userip_connections = 20
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/20-lmtp.conf b/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/20-lmtp.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..a1adc60
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/20-lmtp.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,21 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## LMTP specific settings
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Version 2.2.x (AR14759611)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Support proxying to other LMTP/SMTP servers by performing passdb lookups.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#lmtp_proxy = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When recipient address includes the detail (e.g. user+detail), try to save
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the mail to the detail mailbox. See also recipient_delimiter and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# lda_mailbox_autocreate settings.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#lmtp_save_to_detail_mailbox = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Verify quota before replying to RCPT TO. This adds a small overhead.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#lmtp_rcpt_check_quota = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+protocol lmtp {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Space separated list of plugins to load (default is global mail_plugins).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ mail_plugins = $mail_plugins sieve
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span>\ No newline at end of file
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/20-managesieve.conf b/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/20-managesieve.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..8a8e258
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/20-managesieve.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,70 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## ManageSieve specific settings
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Version 2.2.x (AR14759611)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Service definitions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+service managesieve-login {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ inet_listener sieve {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ port = 4190
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Number of connections to handle before starting a new process. Typically
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # is faster. <doc/wiki/LoginProcess.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #service_count = 1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Number of processes to always keep waiting for more connections.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #process_min_avail = 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # If you set service_count=0, you probably need to grow this.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #vsz_limit = 64M
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+service managesieve {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Max. number of ManageSieve processes (connections)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #process_count = 1024
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Service configuration
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+protocol sieve {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Maximum ManageSieve command line length in bytes. ManageSieve usually does
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # not involve overly long command lines, so this setting will not normally
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # need adjustment
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #managesieve_max_line_length = 65536
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Maximum number of ManageSieve connections allowed for a user from each IP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # address.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # NOTE: The username is compared case-sensitively.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #mail_max_userip_connections = 10
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Space separated list of plugins to load (none known to be useful so far).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Do NOT try to load IMAP plugins here.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #mail_plugins =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # MANAGESIEVE logout format string:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # %i - total number of bytes read from client
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # %o - total number of bytes sent to client
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #managesieve_logout_format = bytes=%i/%o
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # To fool ManageSieve clients that are focused on CMU's timesieved you can
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # specify the IMPLEMENTATION capability that Dovecot reports to clients.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # For example: 'Cyrus timsieved v2.2.13'
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #managesieve_implementation_string = Dovecot Pigeonhole
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Explicitly specify the SIEVE and NOTIFY capability reported by the server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # before login. If left unassigned these will be reported dynamically
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # according to what the Sieve interpreter supports by default (after login
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # this may differ depending on the user).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #managesieve_sieve_capability =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #managesieve_notify_capability =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # The maximum number of compile errors that are returned to the client upon
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # script upload or script verification.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #managesieve_max_compile_errors = 5
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Refer to 90-sieve.conf for script quota configuration and configuration of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Sieve execution limits.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/20-pop3.conf b/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/20-pop3.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..d7881bc
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/20-pop3.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,111 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## POP3 specific settings
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Version 2.2.x (AR14759611)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# --------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# *** Please read this section before modifying this file ***
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Several of the keys and values within this file are modified by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Apple's Server Admin application. Each key that is automatically
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# modified by the Server Admin app is identified with a comment
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# preceding the key with this note:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This key is managed by Server Admin. See above before making changes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# --------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Don't try to set mails non-recent or seen with POP3 sessions. This is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mostly intended to reduce disk I/O. With maildir it doesn't move files
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# from new/ to cur/, with mbox it doesn't write Status-header.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#pop3_no_flag_updates = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Support LAST command which exists in old POP3 specs, but has been removed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# from new ones. Some clients still wish to use this though. Enabling this
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# makes RSET command clear all \Seen flags from messages.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#pop3_enable_last = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If mail has X-UIDL header, use it as the mail's UIDL.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#pop3_reuse_xuidl = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Allow only one POP3 session to run simultaneously for the same user.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#pop3_lock_session = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# POP3 requires message sizes to be listed as if they had CR+LF linefeeds.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Many POP3 servers violate this by returning the sizes with LF linefeeds,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# because it's faster to get. When this setting is enabled, Dovecot still
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tries to do the right thing first, but if that requires opening the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# message, it fallbacks to the easier (but incorrect) size.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#pop3_fast_size_lookups = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# POP3 UIDL (unique mail identifier) format to use. You can use following
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# variables, along with the variable modifiers described in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# doc/wiki/Variables.txt (e.g. %Uf for the filename in uppercase)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %v - Mailbox's IMAP UIDVALIDITY
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %u - Mail's IMAP UID
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %m - MD5 sum of the mailbox headers in hex (mbox only)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %f - filename (maildir only)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %g - Mail's GUID
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you want UIDL compatibility with other POP3 servers, use:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# UW's ipop3d : %08Xv%08Xu
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Courier : %f or %v-%u (both might be used simultaneosly)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Cyrus (<= 2.1.3) : %u
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Cyrus (>= 2.1.4) : %v.%u
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Dovecot v0.99.x : %v.%u
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tpop3d : %Mf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note that Outlook 2003 seems to have problems with %v.%u format which was
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Dovecot's default, so if you're building a new server it would be a good
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# idea to change this. %08Xu%08Xv should be pretty fail-safe.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#pop3_uidl_format = %08Xu%08Xv
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Permanently save UIDLs sent to POP3 clients, so pop3_uidl_format changes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# won't change those UIDLs. Currently this works only with Maildir.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#pop3_save_uidl = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# What to do about duplicate UIDLs if they exist?
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# allow: Show duplicates to clients.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# rename: Append a temporary -2, -3, etc. counter after the UIDL.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#pop3_uidl_duplicates = allow
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This option changes POP3 behavior so that it's not possible to actually
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# delete mails via POP3, only hide them from future POP3 sessions. The mails
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# will still be counted towards user's quota until actually deleted via IMAP.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Use e.g. "$POP3Deleted" as the value (it will be visible as IMAP keyword).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Make sure you can legally archive mails before enabling this setting.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#pop3_deleted_flag =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# POP3 logout format string:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %i - total number of bytes read from client
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %o - total number of bytes sent to client
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %t - number of TOP commands
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %p - number of bytes sent to client as a result of TOP command
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %r - number of RETR commands
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %b - number of bytes sent to client as a result of RETR command
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %d - number of deleted messages
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %m - number of messages (before deletion)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %s - mailbox size in bytes (before deletion)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %u - old/new UIDL hash. may help finding out if UIDLs changed unexpectedly
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#pop3_logout_format = top=%t/%p, retr=%r/%b, del=%d/%m, size=%s
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Workarounds for various client bugs:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# outlook-no-nuls:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Outlook and Outlook Express hang if mails contain NUL characters.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This setting replaces them with 0x80 character.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# oe-ns-eoh:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Outlook Express and Netscape Mail breaks if end of headers-line is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# missing. This option simply sends it if it's missing.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The list is space-separated.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#pop3_client_workarounds =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+protocol pop3 {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Space separated list of plugins to load (default is global mail_plugins).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #mail_plugins = $mail_plugins
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Maximum number of POP3 connections allowed for a user from each IP address.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # NOTE: The username is compared case-sensitively.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ mail_max_userip_connections = 6
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/90-acl.conf b/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/90-acl.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..d6e3c73
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/90-acl.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,20 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Mailbox access control lists.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Version 2.2.x (AR14759611)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# vfile backend reads ACLs from "dovecot-acl" file from mail directory.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# You can also optionally give a global ACL directory path where ACLs are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# applied to all users' mailboxes. The global ACL directory contains
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# one file for each mailbox, eg. INBOX or sub.mailbox. cache_secs parameter
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# specifies how many seconds to wait between stat()ing dovecot-acl file
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to see if it changed.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+plugin {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ acl = vfile:/Library/Server/Mail/Config/dovecot/global-acls:cache_secs=300
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# To let users LIST mailboxes shared by other users, Dovecot needs a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# shared mailbox dictionary. For example:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+plugin {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ acl_shared_dict = file:/Library/Server/Mail/Data/shared/shared-mailboxes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/90-plugin.conf b/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/90-plugin.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..ec312cf
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/90-plugin.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,42 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Plugin settings
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Version 2.2.x (AR14759611)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# --------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# *** Please read this section before modifying this file ***
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Several of the keys and values within this file are modified by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Apple's Server Admin application. Each key that is automatically
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# modified by the Server Admin app is identified with a comment
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# preceding the key with this note:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This key is managed by Server Admin. See above before making changes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# --------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# All wanted plugins must be listed in mail_plugins setting before any of the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# settings take effect. See <doc/wiki/Plugins.txt> for list of plugins and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# their configuration. Note that %variable expansion is done for all values.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+plugin {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #setting_name = value
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # (APPLE) The fts_sk plugin indexes and searches the bodies of stored mail,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # including non-text attachments for which there are Spotlight importers
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # installed on the system.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fts = sk
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # (APPLE) fts_sk options:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # - lock_timeout_secs: how long to wait for a lock on the index
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # - min_term_length: shortest word to be indexed; longer saves disk space
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # - search_secs: how long to let a search run before giving up
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # - spill_dir: directory in which to create temporary files for indexing
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # message parts; can be an absolute path or "index" to use the user's
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # index directory
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #fts_sk = lock_timeout_secs=20 min_term_length=1 search_secs=5 spill_dir=/tmp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # (APPLE) If stats plugin is enabled:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ stats_refresh = 30 secs
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ stats_track_cmds = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/90-quota.conf b/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/90-quota.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..ef2f2fd
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/90-quota.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,95 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Quota configuration.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Version 2.2.x (AR14759611)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note that you also have to enable quota plugin in mail_plugins setting.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# <doc/wiki/Quota.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Quota limits
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Quota limits are set using "quota_rule" parameters. To get per-user quota
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# limits, you can set/override them by returning "quota_rule" extra field
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# from userdb. It's also possible to give mailbox-specific limits, for example
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to give additional 100 MB when saving to Trash:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+plugin {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #quota_rule = *:storage=1G
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #quota_rule2 = Trash:storage=+100M
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # LDA/LMTP allows saving the last mail to bring user from under quota to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # over quota, if the quota doesn't grow too high. Default is to allow as
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # long as quota will stay under 10% above the limit. Also allowed e.g. 10M.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #quota_grace = 10%%
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Quota warnings
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# You can execute a given command when user exceeds a specified quota limit.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Each quota root has separate limits. Only the command for the first
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# exceeded limit is excecuted, so put the highest limit first.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The commands are executed via script service by connecting to the named
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# UNIX socket (quota-warning below).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note that % needs to be escaped as %%, otherwise "% " expands to empty.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+plugin {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Note: This key is managed by Server Admin. See above before making changes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ quota_warning = storage=100%% quota-exceeded %u
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Note: This key is managed by Server Admin. See above before making changes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #quota_warning2 = storage=80%% quota-warning %u
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Example quota-warning service. The unix listener's permissions should be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# set in a way that mail processes can connect to it. Below example assumes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# that mail processes run as vmail user. If you use mode=0666, all system users
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# can generate quota warnings to anyone.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+service quota-exceeded {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ executable = script /Applications/Server.app/Contents/ServerRoot/usr/libexec/dovecot/quota-exceeded.sh
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ user = _dovecot
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ unix_listener quota-exceeded {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ user = _dovecot
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ group = mail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ mode = 0660
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+service quota-warning {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ executable = script /Applications/Server.app/Contents/ServerRoot/usr/libexec/dovecot/quota-warning.sh
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ user = _dovecot
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ unix_listener quota-warning {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ user = _dovecot
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ group = mail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ mode = 0660
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Quota backends
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Multiple backends are supported:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dirsize: Find and sum all the files found from mail directory.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Extremely SLOW with Maildir. It'll eat your CPU and disk I/O.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dict: Keep quota stored in dictionary (eg. SQL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# maildir: Maildir++ quota
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# fs: Read-only support for filesystem quota
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+plugin {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #quota = dirsize:User quota
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ quota = maildir:User quota
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #quota = dict:User quota::proxy::quota
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #quota = fs:User quota
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Multiple quota roots are also possible, for example this gives each user
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# their own 100MB quota and one shared 1GB quota within the domain:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+plugin {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #quota = dict:user::proxy::quota
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #quota2 = dict:domain:%d:proxy::quota_domain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #quota_rule = *:storage=102400
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #quota2_rule = *:storage=1048576
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/90-sieve-extprograms.conf b/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/90-sieve-extprograms.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..7a9298d
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/90-sieve-extprograms.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,46 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Sieve Extprograms plugin configuration
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Version 2.2.x (AR14759611)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Don't forget to add the sieve_extprograms plugin to the sieve_plugins setting.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Also enable the extensions you need (one or more of vnd.dovecot.pipe,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# vnd.dovecot.filter and vnd.dovecot.execute) by adding these to the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sieve_extensions or sieve_global_extensions settings. Restricting these
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# extensions to a global context using sieve_global_extensions is recommended.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+plugin {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # The directory where the program sockets are located for the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # vnd.dovecot.pipe, vnd.dovecot.filter and vnd.dovecot.execute extension
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # respectively. The name of each unix socket contained in that directory
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # directly maps to a program-name referenced from the Sieve script.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #sieve_pipe_socket_dir = sieve-pipe
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #sieve_filter_socket_dir = sieve-filter
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #sieve_execute_socket_dir = sieve-execute
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # The directory where the scripts are located for direct execution by the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # vnd.dovecot.pipe, vnd.dovecot.filter and vnd.dovecot.execute extension
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # respectively. The name of each script contained in that directory
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # directly maps to a program-name referenced from the Sieve script.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #sieve_pipe_bin_dir = /usr/lib/dovecot/sieve-pipe
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #sieve_filter_bin_dir = /usr/lib/dovecot/sieve-filter
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #sieve_execute_bin_dir = /usr/lib/dovecot/sieve-execute
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# An example program service called 'do-something' to pipe messages to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#service do-something {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Define the executed script as parameter to the sieve service
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #executable = script /usr/lib/dovecot/sieve-pipe/do-something.sh
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Use some unprivileged user for executing the program
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #user = dovenull
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # The unix socket located in the sieve_pipe_socket_dir (as defined in the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # plugin {} section above)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #unix_listener sieve-pipe/do-something {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # LDA/LMTP must have access
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # user = vmail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # mode = 0600
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/90-sieve.conf b/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/90-sieve.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..64d50f5
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/90-sieve.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,106 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Settings for the Sieve interpreter
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Version 2.2.x (AR14759611)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Do not forget to enable the Sieve plugin in 15-lda.conf and 20-lmtp.conf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# by adding it to the respective mail_plugins= settings.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+plugin {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # The path to the user's main active script. If ManageSieve is used, this the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # location of the symbolic link controlled by ManageSieve.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sieve = /Library/Server/Mail/Data/rules/%u/dovecot.sieve
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # The default Sieve script when the user has none. This is a path to a global
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # sieve script file, which gets executed ONLY if user's private Sieve script
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # doesn't exist. Be sure to pre-compile this script manually using the sievec
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # command line tool.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # --> See sieve_before fore executing scripts before the user's personal
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # script.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #sieve_default = /var/lib/dovecot/sieve/default.sieve
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Directory for :personal include scripts for the include extension. This
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # is also where the ManageSieve service stores the user's scripts.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sieve_dir = /Library/Server/Mail/Data/rules/%u
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Directory for :global include scripts for the include extension.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #sieve_global_dir =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Path to a script file or a directory containing script files that need to be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # executed before the user's script. If the path points to a directory, all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # the Sieve scripts contained therein (with the proper .sieve extension) are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # executed. The order of execution within a directory is determined by the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # file names, using a normal 8bit per-character comparison. Multiple script
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # file or directory paths can be specified by appending an increasing number.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #sieve_before =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #sieve_before2 =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #sieve_before3 = (etc...)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Identical to sieve_before, only the specified scripts are executed after the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # user's script (only when keep is still in effect!). Multiple script file or
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # directory paths can be specified by appending an increasing number.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #sieve_after =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #sieve_after2 =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #sieve_after2 = (etc...)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Which Sieve language extensions are available to users. By default, all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # supported extensions are available, except for deprecated extensions or
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # those that are still under development. Some system administrators may want
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # to disable certain Sieve extensions or enable those that are not available
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # by default. This setting can use '+' and '-' to specify differences relative
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # to the default. For example `sieve_extensions = +imapflags' will enable the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # deprecated imapflags extension in addition to all extensions were already
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # enabled by default.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #sieve_extensions = +notify +imapflags
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Which Sieve language extensions are ONLY available in global scripts. This
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # can be used to restrict the use of certain Sieve extensions to administrator
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # control, for instance when these extensions can cause security concerns.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # This setting has higher precedence than the `sieve_extensions' setting
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # (above), meaning that the extensions enabled with this setting are never
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # available to the user's personal script no matter what is specified for the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # `sieve_extensions' setting. The syntax of this setting is similar to the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # `sieve_extensions' setting, with the difference that extensions are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # enabled or disabled for exclusive use in global scripts. Currently, no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # extensions are marked as such by default.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #sieve_global_extensions =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # The Pigeonhole Sieve interpreter can have plugins of its own. Using this
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # setting, the used plugins can be specified. Check the Dovecot wiki
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # (wiki2.dovecot.org) or the pigeonhole website
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # (http://pigeonhole.dovecot.org) for available plugins.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # The sieve_extprograms plugin is included in this release.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #sieve_plugins =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # The separator that is expected between the :user and :detail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # address parts introduced by the subaddress extension. This may
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # also be a sequence of characters (e.g. '--'). The current
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # implementation looks for the separator from the left of the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # localpart and uses the first one encountered. The :user part is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # left of the separator and the :detail part is right. This setting
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # is also used by Dovecot's LMTP service.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #recipient_delimiter = +
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # The maximum size of a Sieve script. The compiler will refuse to compile any
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # script larger than this limit. If set to 0, no limit on the script size is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # enforced.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #sieve_max_script_size = 1M
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # The maximum number of actions that can be performed during a single script
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # execution. If set to 0, no limit on the total number of actions is enforced.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #sieve_max_actions = 32
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # The maximum number of redirect actions that can be performed during a single
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # script execution. If set to 0, no redirect actions are allowed.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #sieve_max_redirects = 4
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # The maximum number of personal Sieve scripts a single user can have. If set
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # to 0, no limit on the number of scripts is enforced.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # (Currently only relevant for ManageSieve)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #sieve_quota_max_scripts = 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # The maximum amount of disk storage a single user's scripts may occupy. If
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # set to 0, no limit on the used amount of disk storage is enforced.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # (Currently only relevant for ManageSieve)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #sieve_quota_max_storage = 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/auth-checkpassword.conf.ext b/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/auth-checkpassword.conf.ext
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..e6cc9e7
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/auth-checkpassword.conf.ext
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,23 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Authentication for checkpassword users. Included from 10-auth.conf.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Version 2.2.x (AR14759611)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# <doc/wiki/AuthDatabase.CheckPassword.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+passdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ driver = checkpassword
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ args = /usr/bin/checkpassword
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# passdb lookup should return also userdb info
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+userdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ driver = prefetch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Standard checkpassword doesn't support direct userdb lookups.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you need checkpassword userdb, the checkpassword must support
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Dovecot-specific extensions.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#userdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# driver = checkpassword
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# args = /usr/bin/checkpassword
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/auth-deny.conf.ext b/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/auth-deny.conf.ext
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..34df713
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/auth-deny.conf.ext
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,17 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Deny access for users. Included from 10-auth.conf.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Version 2.2.x (AR14759611)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Users can be (temporarily) disabled by adding a passdb with deny=yes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If the user is found from that database, authentication will fail.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The deny passdb should always be specified before others, so it gets
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# checked first.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Example deny passdb using passwd-file. You can use any passdb though.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+passdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ driver = passwd-file
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ deny = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # File contains a list of usernames, one per line
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ args = /Library/Server/Mail/Config/dovecot/deny-users
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/auth-dict.conf.ext b/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/auth-dict.conf.ext
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..0404404
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/auth-dict.conf.ext
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,18 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Authentication via dict backend. Included from 10-auth.conf.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Version 2.2.x (AR14759611)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# <doc/wiki/AuthDatabase.Dict.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+passdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ driver = dict
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Path for dict configuration file, see
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # example-config/dovecot-dict-auth.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ args = /etc/dovecot/dovecot-dict-auth.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+userdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ driver = dict
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ args = /etc/dovecot/dovecot-dict-auth.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/auth-ldap.conf.ext b/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/auth-ldap.conf.ext
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..8d33537
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/auth-ldap.conf.ext
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,35 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Authentication for LDAP users. Included from 10-auth.conf.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Version 2.2.x (AR14759611)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# <doc/wiki/AuthDatabase.LDAP.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+passdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ driver = ldap
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Path for LDAP configuration file, see example-config/dovecot-ldap.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ args = /Library/Server/Mail/Config/dovecot/dovecot-ldap.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "prefetch" user database means that the passdb already provided the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# needed information and there's no need to do a separate userdb lookup.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# <doc/wiki/UserDatabase.Prefetch.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#userdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# driver = prefetch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+userdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ driver = ldap
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ args = /Library/Server/Mail/Config/dovecot/dovecot-ldap.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Default fields can be used to specify defaults that LDAP may override
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #default_fields = home=/home/virtual/%u
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you don't have any user-specific settings, you can avoid the userdb LDAP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# lookup by using userdb static instead of userdb ldap, for example:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# <doc/wiki/UserDatabase.Static.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#userdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #driver = static
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #args = uid=vmail gid=vmail home=/var/vmail/%u
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/auth-master.conf.ext b/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/auth-master.conf.ext
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..c72de1d
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/auth-master.conf.ext
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,18 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Authentication for master users. Included from 10-auth.conf.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Version 2.2.x (AR14759611)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# By adding master=yes setting inside a passdb you make the passdb a list
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# of "master users", who can log in as anyone else.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# <doc/wiki/Authentication.MasterUsers.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Example master user passdb using passwd-file. You can use any passdb though.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+passdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ driver = passwd-file
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ master = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ args = /Library/Server/Mail/Config/dovecot/master-users
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Unless you're using PAM, you probably still want the destination user to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # be looked up from passdb that it really exists. pass=yes does that.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ pass = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/auth-od.conf.ext b/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/auth-od.conf.ext
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..9ad560f
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/auth-od.conf.ext
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,27 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Authentication using Open Directory. Included from 10-auth.conf.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Version 2.2.x (AR14759611)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+passdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # OD cache refresh intervals. The positive cache TTL applies to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # enabled accounts. The negative cache TTL applies to disabled
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # accounts. Nonexistent accounts are not cached.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # arguments: args = pos_cache_ttl=3600 neg_cache_ttl=60
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # use_getpwnam_ext=yes blocking=no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ driver = od
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+userdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # OD cache refresh intervals. The positive cache TTL applies to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # enabled accounts. The negative cache TTL applies to disabled
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # accounts. Nonexistent accounts are not cached.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Set enforce_quotas to yes to deny message delivery and message
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # copying when user account has exceeded their quota.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Use global_quota to enable system wide quota. Individual
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # quotas override global quota.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # additional args: pos_cache_ttl=3600 neg_cache_ttl=60
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # luser_relay=<userid> enforce_quotas=no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # use_getpwnam_ext=yes blocking=no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ driver = od
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ args = partition=/Library/Server/Mail/Config/dovecot/partition_map.conf enforce_quotas=no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/auth-passwdfile.conf.ext b/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/auth-passwdfile.conf.ext
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..3b1d9ea
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/auth-passwdfile.conf.ext
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,22 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Authentication for passwd-file users. Included from 10-auth.conf.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Version 2.2.x (AR14759611)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# passwd-like file with specified location.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# <doc/wiki/AuthDatabase.PasswdFile.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+passdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ driver = passwd-file
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ args = scheme=CRYPT username_format=%u /Library/Server/Mail/Config/dovecot/users
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+userdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ driver = passwd-file
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ args = username_format=%u /Library/Server/Mail/Config/dovecot/users
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Default fields that can be overridden by passwd-file
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #default_fields = quota_rule=*:storage=1G
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Override fields from passwd-file
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #override_fields = home=/home/virtual/%u
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/auth-sql.conf.ext b/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/auth-sql.conf.ext
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..d2b7765
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/auth-sql.conf.ext
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,32 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Authentication for SQL users. Included from 10-auth.conf.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Version 2.2.x (AR14759611)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# <doc/wiki/AuthDatabase.SQL.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+passdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ driver = sql
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Path for SQL configuration file, see example-config/dovecot-sql.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ args = /Library/Server/Mail/Config/dovecot/dovecot-sql.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "prefetch" user database means that the passdb already provided the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# needed information and there's no need to do a separate userdb lookup.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# <doc/wiki/UserDatabase.Prefetch.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#userdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# driver = prefetch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+userdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ driver = sql
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ args = /Library/Server/Mail/Config/dovecot/dovecot-sql.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you don't have any user-specific settings, you can avoid the user_query
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# by using userdb static instead of userdb sql, for example:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# <doc/wiki/UserDatabase.Static.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#userdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #driver = static
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #args = uid=vmail gid=vmail home=/var/vmail/%u
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/auth-static.conf.ext b/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/auth-static.conf.ext
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..5e3e58f
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/auth-static.conf.ext
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,27 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Static passdb. Included from 10-auth.conf.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Version 2.2.x (AR14759611)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This can be used for situations where Dovecot doesn't need to verify the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# username or the password, or if there is a single password for all users:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# - proxy frontend, where the backend verifies the password
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# - proxy backend, where the frontend already verified the password
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# - authentication with SSL certificates
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# - simple testing
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#passdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# driver = static
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# args = proxy=y host=%1Mu.example.com nopassword=y
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#passdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# driver = static
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# args = password=test
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#userdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# driver = static
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# args = uid=vmail gid=vmail home=/home/%u
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/auth-submit.conf.ext b/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/auth-submit.conf.ext
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..7a14bc8
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/auth-submit.conf.ext
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,15 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Authentication for submit users from submission servers.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Version 2.2.x (AR14759611)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Included from 10-auth.conf.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+passdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ driver = passwd-file
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ args = /Library/Server/Mail/Config/dovecot/submit.passdb
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+userdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ driver = passwd-file
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ args = /Library/Server/Mail/Config/dovecot/submit.passdb
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/auth-system.conf.ext b/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/auth-system.conf.ext
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..477826a
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/auth-system.conf.ext
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,76 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Authentication for system users. Included from 10-auth.conf.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Version 2.2.x (AR14759611)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# <doc/wiki/PasswordDatabase.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# <doc/wiki/UserDatabase.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# PAM authentication. Preferred nowadays by most systems.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# PAM is typically used with either userdb passwd or userdb static.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# REMEMBER: You'll need /etc/pam.d/dovecot file created for PAM
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# authentication to actually work. <doc/wiki/PasswordDatabase.PAM.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+passdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ driver = pam
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # [session=yes] [setcred=yes] [failure_show_msg=yes] [max_requests=<n>]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # [cache_key=<key>] [<service name>]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #args = dovecot
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# System users (NSS, /etc/passwd, or similiar).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# In many systems nowadays this uses Name Service Switch, which is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# configured in /etc/nsswitch.conf. <doc/wiki/AuthDatabase.Passwd.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#passdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #driver = passwd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # [blocking=no]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #args =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Shadow passwords for system users (NSS, /etc/shadow or similiar).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Deprecated by PAM nowadays.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# <doc/wiki/PasswordDatabase.Shadow.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#passdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #driver = shadow
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # [blocking=no]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #args =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# PAM-like authentication for OpenBSD.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# <doc/wiki/PasswordDatabase.BSDAuth.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#passdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #driver = bsdauth
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # [blocking=no] [cache_key=<key>]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #args =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## User databases
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# System users (NSS, /etc/passwd, or similiar). In many systems nowadays this
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# uses Name Service Switch, which is configured in /etc/nsswitch.conf.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+userdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # <doc/wiki/AuthDatabase.Passwd.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ driver = passwd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # [blocking=no]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #args =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Override fields from passwd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #override_fields = home=/home/virtual/%u
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Static settings generated from template <doc/wiki/UserDatabase.Static.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#userdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #driver = static
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Can return anything a userdb could normally return. For example:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # args = uid=500 gid=500 home=/var/mail/%u
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # LDA and LMTP needs to look up users only from the userdb. This of course
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # doesn't work with static userdb because there is no list of users.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Normally static userdb handles this by doing a passdb lookup. This works
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # with most passdbs, with PAM being the most notable exception. If you do
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # the user verification another way, you can add allow_all_users=yes to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # the args in which case the passdb lookup is skipped.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #args =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/auth-vpopmail.conf.ext b/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/auth-vpopmail.conf.ext
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..9207f74
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/default/conf.d/auth-vpopmail.conf.ext
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,19 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Authentication for vpopmail users. Included from 10-auth.conf.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Version 2.2.x (AR14759611)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# <doc/wiki/AuthDatabase.VPopMail.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+passdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ driver = vpopmail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # [cache_key=<key>] [webmail=<ip>]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ args =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+userdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ driver = vpopmail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # [quota_template=<template>] - %q expands to Maildir++ quota
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ args = quota_template=quota_rule=*:backend=%q
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/default/dovecot-dict-auth.conf.ext b/mail/mail-server/files/prefix/etc/dovecot/default/dovecot-dict-auth.conf.ext
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..4adce94
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/default/dovecot-dict-auth.conf.ext
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,28 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dovecot-dict-auth.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Version 2.2.x (AR14759611)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This file is commonly accessed via dict {} section in dovecot.conf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Dictionary URI
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#uri =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Key for passdb lookups
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+password_key = dovecot/passdb/%u
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Key for userdb lookups
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+user_key = dovecot/userdb/%u
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# How to parse the value for key=value pairs. Currently we support only JSON
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# format with { "key": "value", ... } object.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#value_format = json
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Username iteration prefix. Keys under this are assumed to contain usernames.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+iterate_prefix = dovecot/userdb/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Should iteration be disabled for this userdb? If this userdb acts only as a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache there's no reason to try to iterate the (partial & duplicate) users.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#iterate_disable = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default password scheme
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+default_pass_scheme = MD5
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/default/dovecot-dict-sql.conf.ext b/mail/mail-server/files/prefix/etc/dovecot/default/dovecot-dict-sql.conf.ext
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..788f709
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/default/dovecot-dict-sql.conf.ext
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,45 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dovecot-dict-sql.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Version 2.2.x (AR14759611)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This file is commonly accessed via dict {} section in dovecot.conf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#connect = host=localhost dbname=mails user=testuser password=pass
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# CREATE TABLE quota (
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# username varchar(100) not null,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# bytes bigint not null default 0,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# messages integer not null default 0,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# primary key (username)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# );
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+map {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ pattern = priv/quota/storage
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ table = quota
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ username_field = username
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ value_field = bytes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+map {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ pattern = priv/quota/messages
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ table = quota
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ username_field = username
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ value_field = messages
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# CREATE TABLE expires (
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# username varchar(100) not null,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mailbox varchar(255) not null,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# expire_stamp integer not null,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# primary key (username, mailbox)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# );
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+map {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ pattern = shared/expire/$user/$mailbox
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ table = expires
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ value_field = expire_stamp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fields {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ username = $user
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ mailbox = $mailbox
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/default/dovecot-ldap.conf.ext b/mail/mail-server/files/prefix/etc/dovecot/default/dovecot-ldap.conf.ext
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..99b1b9f
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/default/dovecot-ldap.conf.ext
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,147 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dovecot-ldap.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Version 2.2.x (AR14759611)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This file is commonly accessed via passdb {} or userdb {} section in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# conf.d/auth-ldap.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This file is opened as root, so it should be owned by root and mode 0600.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# http://wiki2.dovecot.org/AuthDatabase/LDAP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NOTE: If you're not using authentication binds, you'll need to give
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dovecot-auth read access to userPassword field in the LDAP server.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# With OpenLDAP this is done by modifying /etc/ldap/slapd.conf. There should
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# already be something like this:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# access to attribute=userPassword
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# by dn="<dovecot's dn>" read # add this
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# by anonymous auth
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# by self write
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# by * none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Space separated list of LDAP hosts to use. host:port is allowed too.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#hosts =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# LDAP URIs to use. You can use this instead of hosts list. Note that this
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# setting isn't supported by all LDAP libraries.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#uris =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Distinguished Name - the username used to login to the LDAP server.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Leave it commented out to bind anonymously (useful with auth_bind=yes).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#dn =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Password for LDAP server, if dn is specified.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#dnpass =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Use SASL binding instead of the simple binding. Note that this changes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ldap_version automatically to be 3 if it's lower. Also note that SASL binds
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and auth_bind=yes don't work together.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#sasl_bind = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SASL mechanism name to use.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#sasl_mech =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SASL realm to use.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#sasl_realm =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SASL authorization ID, ie. the dnpass is for this "master user", but the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dn is still the logged in user. Normally you want to keep this empty.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#sasl_authz_id =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Use TLS to connect to the LDAP server.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#tls = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TLS options, currently supported only with OpenLDAP:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#tls_ca_cert_file =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#tls_ca_cert_dir =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#tls_cipher_suite =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TLS cert/key is used only if LDAP server requires a client certificate.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#tls_cert_file =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#tls_key_file =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Valid values: never, hard, demand, allow, try
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#tls_require_cert =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Use the given ldaprc path.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#ldaprc_path =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# LDAP library debug level as specified by LDAP_DEBUG_* in ldap_log.h.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -1 = everything. You may need to recompile OpenLDAP with debugging enabled
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to get enough output.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#debug_level = 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Use authentication binding for verifying password's validity. This works by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# logging into LDAP server using the username and password given by client.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The pass_filter is used to find the DN for the user. Note that the pass_attrs
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# is still used, only the password field is ignored in it. Before doing any
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# search, the binding is switched back to the default DN.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_bind = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If authentication binding is used, you can save one LDAP request per login
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# if users' DN can be specified with a common template. The template can use
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the standard %variables (see user_filter). Note that you can't
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# use any pass_attrs if you use this setting.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you use this setting, it's a good idea to use a different
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dovecot-ldap.conf.ext for userdb (it can even be a symlink, just as long as
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the filename is different in userdb's args). That way one connection is used
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# only for LDAP binds and another connection is used for user lookups.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Otherwise the binding is changed to the default DN before each user lookup.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For example:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# auth_bind_userdn = cn=%u,ou=people,o=org
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_bind_userdn =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# LDAP protocol version to use. Likely 2 or 3.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#ldap_version = 3
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# LDAP base. %variables can be used here.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For example: dc=mail, dc=example, dc=org
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+base =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Dereference: never, searching, finding, always
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#deref = never
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Search scope: base, onelevel, subtree
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#scope = subtree
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# User attributes are given in LDAP-name=dovecot-internal-name list. The
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# internal names are:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# uid - System UID
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# gid - System GID
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# home - Home directory
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mail - Mail location
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# There are also other special fields which can be returned, see
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# http://wiki2.dovecot.org/UserDatabase/ExtraFields
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Filter for user lookup. Some variables can be used (see
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# http://wiki2.dovecot.org/Variables for full list):
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %u - username
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %n - user part in user@domain, same as %u if there's no domain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %d - domain part in user@domain, empty if user there's no domain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#user_filter = (&(objectClass=posixAccount)(uid=%u))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Password checking attributes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# user: Virtual user name (user@domain), if you wish to change the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# user-given username to something else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# password: Password, may optionally start with {type}, eg. {crypt}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# There are also other special fields which can be returned, see
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#pass_attrs = uid=user,userPassword=password
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you wish to avoid two LDAP lookups (passdb + userdb), you can use
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# userdb prefetch instead of userdb ldap in dovecot.conf. In that case you'll
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# also have to include user_attrs in pass_attrs field prefixed with "userdb_"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# string. For example:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#pass_attrs = uid=user,userPassword=password,\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# homeDirectory=userdb_home,uidNumber=userdb_uid,gidNumber=userdb_gid
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Filter for password lookups
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#pass_filter = (&(objectClass=posixAccount)(uid=%u))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Attributes and filter to get a list of all users
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#iterate_attrs = uid=user
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#iterate_filter = (objectClass=posixAccount)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default password scheme. "{scheme}" before password overrides this.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# List of supported schemes is in: http://wiki2.dovecot.org/Authentication
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#default_pass_scheme = CRYPT
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/default/dovecot-sql.conf.ext b/mail/mail-server/files/prefix/etc/dovecot/default/dovecot-sql.conf.ext
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..31ccc23
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/default/dovecot-sql.conf.ext
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,143 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dovecot-sql.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Version 2.2.x (AR14759611)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This file is commonly accessed via passdb {} or userdb {} section in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# conf.d/auth-sql.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This file is opened as root, so it should be owned by root and mode 0600.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# http://wiki2.dovecot.org/AuthDatabase/SQL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For the sql passdb module, you'll need a database with a table that
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# contains fields for at least the username and password. If you want to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# use the user@domain syntax, you might want to have a separate domain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# field as well.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If your users all have the same uig/gid, and have predictable home
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# directories, you can use the static userdb module to generate the home
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dir based on the username and domain. In this case, you won't need fields
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# for home, uid, or gid in the database.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you prefer to use the sql userdb module, you'll want to add fields
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# for home, uid, and gid. Here is an example table:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# CREATE TABLE users (
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# username VARCHAR(128) NOT NULL,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# domain VARCHAR(128) NOT NULL,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# password VARCHAR(64) NOT NULL,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# home VARCHAR(255) NOT NULL,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# uid INTEGER NOT NULL,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# gid INTEGER NOT NULL,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# active CHAR(1) DEFAULT 'Y' NOT NULL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# );
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Database driver: mysql, pgsql, sqlite
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#driver =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Database connection string. This is driver-specific setting.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# HA / round-robin load-balancing is supported by giving multiple host
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# settings, like: host=sql1.host.org host=sql2.host.org
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# pgsql:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For available options, see the PostgreSQL documention for the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# PQconnectdb function of libpq.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Use maxconns=n (default 5) to change how many connections Dovecot can
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# create to pgsql.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mysql:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Basic options emulate PostgreSQL option names:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# host, port, user, password, dbname
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# But also adds some new settings:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# client_flags - See MySQL manual
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ssl_ca, ssl_ca_path - Set either one or both to enable SSL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ssl_cert, ssl_key - For sending client-side certificates to server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ssl_cipher - Set minimum allowed cipher security (default: HIGH)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# option_file - Read options from the given file instead of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the default my.cnf location
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# option_group - Read options from the given group (default: client)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# You can connect to UNIX sockets by using host: host=/var/run/mysql.sock
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note that currently you can't use spaces in parameters.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sqlite:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The path to the database file.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Examples:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connect = host=192.168.1.1 dbname=users
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connect = host=sql.example.com dbname=virtual user=virtual password=blarg
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connect = /Library/Server/Mail/Config/dovecot/authdb.sqlite
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#connect =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default password scheme.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# List of supported schemes is in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# http://wiki2.dovecot.org/Authentication/PasswordSchemes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#default_pass_scheme = MD5
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# passdb query to retrieve the password. It can return fields:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# password - The user's password. This field must be returned.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# user - user@domain from the database. Needed with case-insensitive lookups.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# username and domain - An alternative way to represent the "user" field.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The "user" field is often necessary with case-insensitive lookups to avoid
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# e.g. "name" and "nAme" logins creating two different mail directories. If
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# your user and domain names are in separate fields, you can return "username"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and "domain" fields instead of "user".
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The query can also return other fields which have a special meaning, see
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Commonly used available substitutions (see http://wiki2.dovecot.org/Variables
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# for full list):
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %u = entire user@domain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %n = user part of user@domain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %d = domain part of user@domain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note that these can be used only as input to SQL query. If the query outputs
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# any of these substitutions, they're not touched. Otherwise it would be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# difficult to have eg. usernames containing '%' characters.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Example:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# password_query = SELECT userid AS user, pw AS password \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# FROM users WHERE userid = '%u' AND active = 'Y'
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#password_query = \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SELECT username, domain, password \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# FROM users WHERE username = '%n' AND domain = '%d'
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# userdb query to retrieve the user information. It can return fields:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# uid - System UID (overrides mail_uid setting)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# gid - System GID (overrides mail_gid setting)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# home - Home directory
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mail - Mail location (overrides mail_location setting)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# None of these are strictly required. If you use a single UID and GID, and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# home or mail directory fits to a template string, you could use userdb static
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# instead. For a list of all fields that can be returned, see
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# http://wiki2.dovecot.org/UserDatabase/ExtraFields
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Examples:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# user_query = SELECT home, uid, gid FROM users WHERE userid = '%u'
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# user_query = SELECT dir AS home, user AS uid, group AS gid FROM users where userid = '%u'
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# user_query = SELECT home, 501 AS uid, 501 AS gid FROM users WHERE userid = '%u'
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#user_query = \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SELECT home, uid, gid \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# FROM users WHERE username = '%n' AND domain = '%d'
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you wish to avoid two SQL lookups (passdb + userdb), you can use
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# userdb prefetch instead of userdb sql in dovecot.conf. In that case you'll
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# also have to return userdb fields in password_query prefixed with "userdb_"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# string. For example:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#password_query = \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SELECT userid AS user, password, \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# home AS userdb_home, uid AS userdb_uid, gid AS userdb_gid \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# FROM users WHERE userid = '%u'
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Query to get a list of all usernames.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#iterate_query = SELECT username AS user FROM users
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/default/dovecot.conf b/mail/mail-server/files/prefix/etc/dovecot/default/dovecot.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..3870367
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/default/dovecot.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,120 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Dovecot configuration file
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Version 2.2.x (AR14759611)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# --------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# *** Please read this section before modifying this file ***
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Several of the keys and values within this file are modified by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Apple's Server Admin application. Each key that is automatically
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# modified by the Server Admin app is identified with a comment
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# preceding the key with this note:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This key is managed by Server Admin. See above before making changes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# --------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you're in a hurry, see http://wiki2.dovecot.org/QuickConfiguration
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "doveconf -n" command gives a clean output of the changed settings. Use it
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# instead of copy&pasting files when posting to the Dovecot mailing list.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# '#' character and everything after it is treated as comments. Extra spaces
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and tabs are ignored. If you want to use either of these explicitly, put the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# value inside quotes, eg.: key = "# char and trailing whitespace "
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Most (but not all) settings can be overridden by different protocols and/or
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# source/destination IPs by placing the settings inside sections, for example:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# protocol imap { }, local 127.0.0.1 { }, remote 10.0.0.0/8 { }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default values are shown for each setting, it's not required to uncomment
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# those. These are exceptions to this though: No sections (e.g. namespace {})
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# or plugin settings are added by default, they're listed only as examples.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Paths are also just examples with the real defaults being based on configure
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# options. The paths listed here are for configure --prefix=/usr
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# --sysconfdir=/Library/Server/Mail/Config --localstatedir=/var
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Protocols we want to be serving.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This key is managed by Server Admin. See above before making changes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+protocols = imap pop3 lmtp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# A comma separated list of IPs or hosts where to listen in for connections.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you want to specify non-default ports or anything more complex,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# edit conf.d/master.conf.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#listen = *, ::
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Base directory where to store runtime data.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+base_dir = /var/run/dovecot
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Name of this instance. In multi-instance setup doveadm and other commands
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# can use -i <instance_name> to select which instance is used (an alternative
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to -c <config_path>). The instance name is also added to Dovecot processes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# in ps output.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#instance_name = dovecot
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Greeting message for clients.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+login_greeting = Dovecot ready.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Space separated list of trusted network ranges. Connections from these
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# IPs are allowed to override their IP addresses and ports (for logging and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# for authentication checks). disable_plaintext_auth is also ignored for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# these networks. Typically you'd specify your IMAP proxy servers here.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#login_trusted_networks =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Space separated list of login access check sockets (e.g. tcpwrap)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#login_access_sockets =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (APPLE) Push Notification Topic
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#aps_topic =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# With proxy_maybe=yes if proxy destination matches any of these IPs, don't do
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# proxying. This isn't necessary normally, but may be useful if the destination
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# IP is e.g. a load balancer's IP.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_proxy_self =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Show more verbose process titles (in ps). Currently shows user name and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# IP address. Useful for seeing who are actually using the IMAP processes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (eg. shared mailboxes or if same uid is used for multiple accounts).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+verbose_proctitle = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Should all processes be killed when Dovecot master process shuts down.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Setting this to "no" means that Dovecot can be upgraded without
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# forcing existing client connections to close (although that could also be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# a problem if the upgrade is e.g. because of a security fix).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#shutdown_clients = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If non-zero, run mail commands via this many connections to doveadm server,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# instead of running them directly in the same process.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#doveadm_worker_count = 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# UNIX socket or host:port used for connecting to doveadm server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#doveadm_socket_path = doveadm-server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Space separated list of environment variables that are preserved on Dovecot
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# startup and passed down to all of its child processes. You can also give
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# key=value pairs to always set specific settings.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#import_environment = TZ
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Dictionary server settings
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Dictionary can be used to store key=value lists. This is used by several
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# plugins. The dictionary can be accessed either directly or though a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dictionary server. The following dict block maps dictionary names to URIs
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# when the server is used. These can then be referenced using URIs in format
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "proxy::<name>".
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+dict {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #quota = mysql:/Library/Server/Mail/Config/dovecot/dovecot-dict-sql.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #expire = sqlite:/Library/Server/Mail/Config/dovecot/dovecot-dict-sql.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Most of the actual configuration gets included below. The filenames are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# first sorted by their ASCII value and parsed in that order. The 00-prefixes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# in filenames are intended to make it easier to understand the ordering.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+!include conf.d/*.conf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# A config file can also tried to be included without giving an error if
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# it's not found:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+!include_try local.conf
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/default/partition_map.conf b/mail/mail-server/files/prefix/etc/dovecot/default/partition_map.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..1c075a7
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/default/partition_map.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+default:/Library/Server/Mail/Data/mail
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/dovecot.conf b/mail/mail-server/files/prefix/etc/dovecot/dovecot.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..3def055
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/dovecot.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,122 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Dovecot configuration file
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Version 2.2.x (AR14759611)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# --------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# *** Please read this section before modifying this file ***
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Several of the keys and values within this file are modified by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Apple's Server Admin application. Each key that is automatically
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# modified by the Server Admin app is identified with a comment
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# preceding the key with this note:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This key is managed by Server Admin. See above before making changes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# --------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you're in a hurry, see http://wiki2.dovecot.org/QuickConfiguration
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "doveconf -n" command gives a clean output of the changed settings. Use it
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# instead of copy&pasting files when posting to the Dovecot mailing list.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# '#' character and everything after it is treated as comments. Extra spaces
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and tabs are ignored. If you want to use either of these explicitly, put the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# value inside quotes, eg.: key = "# char and trailing whitespace "
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Most (but not all) settings can be overridden by different protocols and/or
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# source/destination IPs by placing the settings inside sections, for example:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# protocol imap { }, local 127.0.0.1 { }, remote 10.0.0.0/8 { }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default values are shown for each setting, it's not required to uncomment
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# those. These are exceptions to this though: No sections (e.g. namespace {})
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# or plugin settings are added by default, they're listed only as examples.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Paths are also just examples with the real defaults being based on configure
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# options. The paths listed here are for configure --prefix=/usr
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# --sysconfdir=/Library/Server/Mail/Config --localstatedir=/var
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Protocols we want to be serving.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This key is managed by Server Admin. See above before making changes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# protocols = imap pop3 lmtp sieve
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# IMAP for remote access, LMTP for local delivery
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+protocols = imap lmtp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# A comma separated list of IPs or hosts where to listen in for connections.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you want to specify non-default ports or anything more complex,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# edit conf.d/master.conf.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#listen = *, ::
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Base directory where to store runtime data.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+base_dir = @PREFIX@/var/run/dovecot
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Name of this instance. In multi-instance setup doveadm and other commands
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# can use -i <instance_name> to select which instance is used (an alternative
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to -c <config_path>). The instance name is also added to Dovecot processes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# in ps output.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#instance_name = dovecot
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Greeting message for clients.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+login_greeting = Dovecot ready.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Space separated list of trusted network ranges. Connections from these
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# IPs are allowed to override their IP addresses and ports (for logging and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# for authentication checks). disable_plaintext_auth is also ignored for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# these networks. Typically you'd specify your IMAP proxy servers here.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#login_trusted_networks =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Space separated list of login access check sockets (e.g. tcpwrap)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#login_access_sockets =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (APPLE) Push Notification Topic
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# aps_topic = com.apple.mail.XServer.d7d6581e-37ed-4a8a-8775-92c4c5a4bf28
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# With proxy_maybe=yes if proxy destination matches any of these IPs, don't do
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# proxying. This isn't necessary normally, but may be useful if the destination
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# IP is e.g. a load balancer's IP.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_proxy_self =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Show more verbose process titles (in ps). Currently shows user name and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# IP address. Useful for seeing who are actually using the IMAP processes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (eg. shared mailboxes or if same uid is used for multiple accounts).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+verbose_proctitle = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Should all processes be killed when Dovecot master process shuts down.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Setting this to "no" means that Dovecot can be upgraded without
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# forcing existing client connections to close (although that could also be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# a problem if the upgrade is e.g. because of a security fix).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#shutdown_clients = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If non-zero, run mail commands via this many connections to doveadm server,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# instead of running them directly in the same process.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#doveadm_worker_count = 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# UNIX socket or host:port used for connecting to doveadm server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#doveadm_socket_path = doveadm-server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Space separated list of environment variables that are preserved on Dovecot
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# startup and passed down to all of its child processes. You can also give
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# key=value pairs to always set specific settings.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#import_environment = TZ
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Dictionary server settings
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Dictionary can be used to store key=value lists. This is used by several
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# plugins. The dictionary can be accessed either directly or though a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dictionary server. The following dict block maps dictionary names to URIs
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# when the server is used. These can then be referenced using URIs in format
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "proxy::<name>".
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#dict {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #quota = mysql:/Library/Server/Mail/Config/dovecot/dovecot-dict-sql.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #expire = sqlite:/Library/Server/Mail/Config/dovecot/dovecot-dict-sql.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Most of the actual configuration gets included below. The filenames are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# first sorted by their ASCII value and parsed in that order. The 00-prefixes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# in filenames are intended to make it easier to understand the ordering.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+!include conf.d/*.conf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# A config file can also tried to be included without giving an error if
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# it's not found:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+!include_try local.conf
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/etc/pam.d/imap b/mail/mail-server/files/prefix/etc/dovecot/etc/pam.d/imap
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..bf7e8a8
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/etc/pam.d/imap
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# imap: auth account password session with gssapi and plain fallback
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+auth sufficient pam_krb5.so use_first_pass use_kcminit debug
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+account sufficient pam_krb5.so
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+auth required pam_opendirectory.so try_first_pass
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+account required pam_nologin.so
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+account required pam_opendirectory.so
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+password required pam_opendirectory.so
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/10-auth.conf b/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/10-auth.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..b5b9847
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/10-auth.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,129 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Authentication processes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Disable LOGIN command and all other plaintext authentications unless
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# matches the local IP (ie. you're connecting from the same computer), the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connection is considered secure and plaintext authentication is allowed.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See also ssl=required setting.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#disable_plaintext_auth = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# bsdauth, PAM and vpopmail require cache_key to be set for caching to be used.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_cache_size = 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Time to live for cached data. After TTL expires the cached record is no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# longer used, *except* if the main database lookup returns internal failure.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# We also try to handle password changes automatically: If user's previous
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# authentication was successful, but this one wasn't, the cache isn't used.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For now this works only with plaintext authentication.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_cache_ttl = 1 hour
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TTL for negative hits (user not found, password mismatch).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 0 disables caching them completely.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_cache_negative_ttl = 1 hour
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Space separated list of realms for SASL authentication mechanisms that need
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# them. You can leave it empty if you don't want to support multiple realms.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Many clients simply use the first one listed here, so keep the default realm
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# first.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_realms =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default realm/domain to use if none was specified. This is used for both
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SASL realms and appending @domain to username in plaintext logins.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_default_realm =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# List of allowed characters in username. If the user-given username contains
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# a character not listed in here, the login automatically fails. This is just
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# an extra check to make sure user can't exploit any potential quote escaping
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# vulnerabilities with SQL/LDAP databases. If you want to allow all characters,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# set this value to empty.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Username character translations before it's looked up from databases. The
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# value contains series of from -> to characters. For example "#@/@" means
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# that '#' and '/' characters are translated to '@'.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_username_translation =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Username formatting before it's looked up from databases. You can use
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the standard variables here, eg. %Lu would lowercase the username, %n would
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# drop away the domain if it was given, or "%n-AT-%d" would change the '@' into
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "-AT-". This translation is done after auth_username_translation changes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_username_format = %Lu
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you want to allow master users to log in by specifying the master
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# username within the normal username string (ie. not using SASL mechanism's
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# support for it), you can specify the separator character here. The format
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# is then <username><separator><master username>. UW-IMAP uses "*" as the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# separator, so that could be a good choice.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_master_user_separator =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Username to use for users logging in with ANONYMOUS SASL mechanism
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_anonymous_username = anonymous
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Maximum number of dovecot-auth worker processes. They're used to execute
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# blocking passdb and userdb queries (eg. MySQL and PAM). They're
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# automatically created and destroyed as needed.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_worker_max_count = 30
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Host name to use in GSSAPI principal names. The default is to use the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# entries.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_gssapi_hostname =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Kerberos keytab to use for the GSSAPI mechanism. Will use the system
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# default (usually /etc/krb5.keytab) if not specified. You may need to change
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the auth service to run as root to be able to read this file.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_krb5_keytab =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_use_winbind = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Path for Samba's ntlm_auth helper binary.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_winbind_helper_path = /usr/bin/ntlm_auth
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Time to delay before replying to failed authentications.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_failure_delay = 2 secs
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Require a valid SSL client certificate or the authentication fails.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_ssl_require_client_cert = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Take the username from client's SSL certificate, using
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# X509_NAME_get_text_by_NID() which returns the subject's DN's
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# CommonName.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_ssl_username_from_cert = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Space separated list of wanted authentication mechanisms:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# gss-spnego
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NOTE: See also disable_plaintext_auth setting.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+auth_mechanisms = plain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Password and user databases
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Password database is used to verify user's password (and nothing more).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# You can have multiple passdbs and userdbs. This is useful if you want to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# allow both system users (/etc/passwd) and virtual users to login without
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# duplicating the system users into virtual database.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# <doc/wiki/PasswordDatabase.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# User database specifies where mails are located and what user/group IDs
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# own them. For single-UID configuration use "static" userdb.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# <doc/wiki/UserDatabase.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#!include auth-deny.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#!include auth-master.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#!include auth-submit.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+!include auth-system.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#!include auth-sql.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#!include auth-ldap.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#!include auth-passwdfile.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#!include auth-checkpassword.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#!include auth-vpopmail.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#!include auth-static.conf.ext
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/10-director.conf b/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/10-director.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..31e97e9
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/10-director.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,61 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Director-specific settings.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Director can be used by Dovecot proxy to keep a temporary user -> mail server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mapping. As long as user has simultaneous connections, the user is always
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# redirected to the same server. Each proxy server is running its own director
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# process, and the directors are communicating the state to each others.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Directors are mainly useful with NFS-like setups.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# List of IPs or hostnames to all director servers, including ourself.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Ports can be specified as ip:port. The default port is the same as
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# what director service's inet_listener is using.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#director_servers =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# List of IPs or hostnames to all backend mail servers. Ranges are allowed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# too, like 10.0.0.10-10.0.0.30.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#director_mail_servers =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# How long to redirect users to a specific server after it no longer has
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# any connections.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#director_user_expire = 15 min
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TCP/IP port that accepts doveadm connections (instead of director connections)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you enable this, you'll also need to add inet_listener for the port.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#director_doveadm_port = 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# How the username is translated before being hashed. Useful values include
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %Ln if user can log in with or without @domain, %Ld if mailboxes are shared
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# within domain.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#director_username_hash = %Lu
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# To enable director service, uncomment the modes and assign a port.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+service director {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ unix_listener login/director {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #mode = 0666
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fifo_listener login/proxy-notify {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #mode = 0666
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ unix_listener director-userdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #mode = 0600
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ inet_listener {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #port =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Enable director for the wanted login services by telling them to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connect to director socket instead of the default login socket:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+service imap-login {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #executable = imap-login director
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+service pop3-login {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #executable = pop3-login director
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Enable director for LMTP proxying:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+protocol lmtp {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #auth_socket_path = director-userdb
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/10-logging.conf b/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/10-logging.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..6313c18
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/10-logging.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,89 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Log destination.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Log file to use for error messages. "syslog" logs to syslog,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# /dev/stderr logs to stderr.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#log_path = syslog
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Log file to use for informational messages. Defaults to log_path.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#info_log_path =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Log file to use for debug messages. Defaults to info_log_path.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#debug_log_path =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Syslog facility to use if you're logging to syslog. Usually if you don't
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# want to use "mail", you'll use local0..local7. Also other standard
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# facilities are supported.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#syslog_facility = mail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Logging verbosity and debugging.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Log unsuccessful authentication attempts and the reasons why they failed.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_verbose = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# In case of password mismatches, log the attempted password. Valid values are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# no, plain and sha1. sha1 can be useful for detecting brute force password
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# attempts vs. user simply trying the same password over and over again.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# You can also truncate the value to n chars by appending ":n" (e.g. sha1:6).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_verbose_passwords = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Even more verbose logging for debugging purposes. Shows for example SQL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# queries.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_debug = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# In case of password mismatches, log the passwords and used scheme so the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# problem can be debugged. Enabling this also enables auth_debug.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_debug_passwords = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Enable mail process debugging. This can help you figure out why Dovecot
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# isn't finding your mails.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_debug = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Show protocol level SSL errors.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#verbose_ssl = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mail_log plugin provides more event logging for mail processes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+plugin {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Events to log. Also available: flag_change append
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Available fields: uid, box, msgid, from, subject, size, vsize, flags
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # size and vsize are available only for expunge and copy events.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #mail_log_fields = uid box msgid size
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Log formatting.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Prefix for each line written to log file. % codes are in strftime(3)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# format.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#log_timestamp = "%b %d %H:%M:%S "
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Space-separated list of elements we want to log. The elements which have
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# a non-empty variable value are joined together to form a comma-separated
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# string.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Login log format. %s contains login_log_format_elements string, %$ contains
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the data we want to log.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#login_log_format = %$: %s
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Log prefix for mail processes. See doc/wiki/Variables.txt for list of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# possible variables you can use.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_log_prefix = "%s(%u): "
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Format to use for logging mail deliveries:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %$ - Delivery status message (e.g. "saved to INBOX")
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %m / %{msgid} - Message-ID
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %s / %{subject} - Subject
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %f / %{from} - From address
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %p / %{size} - Physical size
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %w / %{vsize} - Virtual size
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %e / %{from_envelope} - MAIL FROM envelope
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %{to_envelope} - RCPT TO envelope
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %{delivery_time} - How many milliseconds it took to deliver the mail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %{session_time} - How long LMTP session took, not including delivery_time
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %{storage_id} - Backend-specific ID for mail, e.g. Maildir filename
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#deliver_log_format = msgid=%m: %$
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/10-mail.conf b/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/10-mail.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..38c800f
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/10-mail.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,392 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Mailbox locations and namespaces
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Location for users' mailboxes. The default is empty, which means that Dovecot
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tries to find the mailboxes automatically. This won't work if the user
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# doesn't yet have any mail, so you should explicitly tell Dovecot the full
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# location.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you're using mbox, giving a path to the INBOX file (eg. /var/mail/%u)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# isn't enough. You'll also need to tell Dovecot where the other mailboxes are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# kept. This is called the "root mail directory", and it must be the first
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# path given in the mail_location setting.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# There are a few special variables you can use, eg.:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %u - username
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %n - user part in user@domain, same as %u if there's no domain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %d - domain part in user@domain, empty if there's no domain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %h - home directory
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See doc/wiki/Variables.txt for full list. Some examples:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mail_location = maildir:~/Maildir
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mail_location = mbox:~/mail:INBOX=/var/mail/%u
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# <doc/wiki/MailLocation.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_location =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you need to set multiple mailbox locations or want to change default
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# namespace settings, you can do it by defining namespace sections.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# You can have private, shared and public namespaces. Private namespaces
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# are for user's personal mails. Shared namespaces are for accessing other
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# users' mailboxes that have been shared. Public namespaces are for shared
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mailboxes that are managed by sysadmin. If you create any shared or public
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# namespaces you'll typically want to enable ACL plugin also, otherwise all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# users can access all the shared mailboxes, assuming they have permissions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# on filesystem level to do so.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+namespace inbox {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Namespace type: private, shared or public
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #type = private
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Hierarchy separator to use. You should use the same separator for all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # namespaces or some clients get confused. '/' is usually a good one.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # The default however depends on the underlying mail storage format.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #separator =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Prefix required to access this namespace. This needs to be different for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # all namespaces. For example "Public/".
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #prefix =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Physical location of the mailbox. This is in same format as
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # mail_location, which is also the default for it.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #location =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # There can be only one INBOX, and this setting defines which namespace
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # has it.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ inbox = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # If namespace is hidden, it's not advertised to clients via NAMESPACE
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # extension. You'll most likely also want to set list=no. This is mostly
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # useful when converting from another server with different namespaces which
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # you want to deprecate but still keep working. For example you can create
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # hidden namespaces with prefixes "~/mail/", "~%u/mail/" and "mail/".
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #hidden = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Show the mailboxes under this namespace with LIST command. This makes the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # namespace visible for clients that don't support NAMESPACE extension.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # "children" value lists child mailboxes, but hides the namespace prefix.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #list = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Namespace handles its own subscriptions. If set to "no", the parent
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # namespace handles them (empty prefix should always have this as "yes")
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #subscriptions = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # See 15-mailboxes.conf for definitions of special mailboxes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Example shared namespace configuration
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#namespace {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #type = shared
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #separator = /
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Mailboxes are visible under "shared/user@domain/"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # %%n, %%d and %%u are expanded to the destination user.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #prefix = shared/%%u/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Mail location for other users' mailboxes. Note that %variables and ~/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # expands to the logged in user's data. %%n, %%d, %%u and %%h expand to the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # destination user's data.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Use the default namespace for saving subscriptions.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #subscriptions = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # List the shared/ namespace only if there are visible shared mailboxes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #list = children
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Should shared INBOX be visible as "shared/user" or "shared/user/INBOX"?
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_shared_explicit_inbox = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# System user and group used to access mails. If you use multiple, userdb
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# can override these by returning uid or gid fields. You can use either numbers
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# or names. <doc/wiki/UserIds.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_uid =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_gid =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Group to enable temporarily for privileged operations. Currently this is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# used only with INBOX when either its initial creation or dotlocking fails.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Typically this is set to "mail" to give access to /var/mail.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_privileged_group =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Grant access to these supplementary groups for mail processes. Typically
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# these are used to set up access to shared mailboxes. Note that it may be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dangerous to set these if users can create symlinks (e.g. if "mail" group is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# set here, ln -s /var/mail ~/mail/var could allow a user to delete others'
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mailboxes, or ln -s /secret/shared/box ~/mail/mybox would allow reading it).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_access_groups =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Allow full filesystem access to clients. There's no access checks other than
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# what the operating system does for the active UID/GID. It works with both
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# maildir and mboxes, allowing you to prefix mailboxes names with eg. /path/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# or ~user/.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_full_filesystem_access = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Dictionary for key=value mailbox attributes. This is used for example by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# URLAUTH and METADATA extensions.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_attribute_dict =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# A comment or note that is associated with the server. This value is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# accessible for authenticated users through the IMAP METADATA server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# entry "/shared/comment".
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_server_comment = ""
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Indicates a method for contacting the server administrator. According to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# RFC 5464, this value MUST be a URI (e.g., a mailto: or tel: URL), but that
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# is currently not enforced. Use for example mailto:admin@example.com. This
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# value is accessible for authenticated users through the IMAP METADATA server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# entry "/shared/admin".
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_server_admin =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Mail processes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Don't use mmap() at all. This is required if you store indexes to shared
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# filesystems (NFS or clustered filesystem).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mmap_disable = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Rely on O_EXCL to work when creating dotlock files. NFS supports O_EXCL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# since version 3, so this should be safe to use nowadays by default.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#dotlock_use_excl = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When to use fsync() or fdatasync() calls:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# optimized (default): Whenever necessary to avoid losing important data
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# always: Useful with e.g. NFS when write()s are delayed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# never: Never use it (best performance, but crashes can lose data)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_fsync = optimized
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Locking method for index files. Alternatives are fcntl, flock and dotlock.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Dotlocking uses some tricks which may create more disk I/O than other locking
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# methods. NFS users: flock doesn't work, remember to change mmap_disable.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#lock_method = fcntl
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Directory in which LDA/LMTP temporarily stores incoming mails >128 kB.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_temp_dir = /tmp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Valid UID range for users, defaults to 500 and above. This is mostly
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to make sure that users can't log in as daemons or other system users.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note that denying root logins is hardcoded to dovecot binary and can't
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# be done even if first_valid_uid is set to 0.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#first_valid_uid = 500
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#last_valid_uid = 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Valid GID range for users, defaults to non-root/wheel. Users having
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# non-valid GID as primary group ID aren't allowed to log in. If user
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# belongs to supplementary groups with non-valid GIDs, those groups are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# not set.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#first_valid_gid = 1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#last_valid_gid = 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Maximum allowed length for mail keyword name. It's only forced when trying
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to create new keywords.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_max_keyword_length = 50
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ':' separated list of directories under which chrooting is allowed for mail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# processes (ie. /var/mail will allow chrooting to /var/mail/foo/bar too).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This setting doesn't affect login_chroot, mail_chroot or auth chroot
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# settings. If this setting is empty, "/./" in home dirs are ignored.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# WARNING: Never add directories here which local users can modify, that
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# may lead to root exploit. Usually this should be done only if you don't
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# allow shell access for users. <doc/wiki/Chrooting.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#valid_chroot_dirs =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default chroot directory for mail processes. This can be overridden for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# specific users in user database by giving /./ in user's home directory
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (eg. /home/./user chroots into /home). Note that usually there is no real
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# need to do chrooting, Dovecot doesn't allow users to access files outside
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# their mail directory anyway. If your home directories are prefixed with
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the chroot directory, append "/." to mail_chroot. <doc/wiki/Chrooting.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_chroot =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# UNIX socket path to master authentication server to find users.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This is used by imap (for shared users) and lda.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_socket_path = /var/run/dovecot/auth-userdb
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Directory where to look up mail plugins.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_plugin_dir = /usr/lib/dovecot
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Space separated list of plugins to load for all services. Plugins specific to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# IMAP, LDA, etc. are added to this list in their own .conf files.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_plugins =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Mailbox handling optimizations
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Mailbox list indexes can be used to optimize IMAP STATUS commands. They are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# also required for IMAP NOTIFY extension to be enabled.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mailbox_list_index = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The minimum number of mails in a mailbox before updates are done to cache
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# file. This allows optimizing Dovecot's behavior to do less disk writes at
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the cost of more disk reads.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_cache_min_mail_count = 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When IDLE command is running, mailbox is checked once in a while to see if
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# there are any new mails or other changes. This setting defines the minimum
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# time to wait between those checks. Dovecot can also use inotify and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# kqueue to find out immediately when changes occur.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mailbox_idle_check_interval = 30 secs
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Save mails with CR+LF instead of plain LF. This makes sending those mails
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# take less CPU, especially with sendfile() syscall with Linux and FreeBSD.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# But it also creates a bit more disk I/O which may just make it slower.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Also note that if other software reads the mboxes/maildirs, they may handle
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the extra CRs wrong and cause problems.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_save_crlf = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Max number of mails to keep open and prefetch to memory. This only works with
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# some mailbox formats and/or operating systems.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_prefetch_count = 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# How often to scan for stale temporary files and delete them (0 = never).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# These should exist only after Dovecot dies in the middle of saving mails.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_temp_scan_interval = 1w
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# How many slow mail accesses sorting can perform before it returns failure.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# With IMAP the reply is: NO [LIMIT] Requested sort would have taken too long.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The untagged SORT reply is still returned, but it's likely not correct.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_sort_max_read_count = 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+protocol !indexer-worker {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # If folder vsize calculation requires opening more than this many mails from
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # disk (i.e. mail sizes aren't in cache already), return failure and finish
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # the calculation via indexer process. Disabled by default. This setting must
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # be 0 for indexer-worker processes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #mail_vsize_bg_after_count = 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Maildir-specific settings
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# By default LIST command returns all entries in maildir beginning with a dot.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Enabling this option makes Dovecot return only entries which are directories.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This is done by stat()ing each entry, so it causes more disk I/O.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (For systems setting struct dirent->d_type, this check is free and it's
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# done always regardless of this setting)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#maildir_stat_dirs = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When copying a message, do it with hard links whenever possible. This makes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the performance much better, and it's unlikely to have any side effects.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#maildir_copy_with_hardlinks = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Assume Dovecot is the only MUA accessing Maildir: Scan cur/ directory only
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# when its mtime changes unexpectedly or when we can't find the mail otherwise.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#maildir_very_dirty_syncs = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If enabled, Dovecot doesn't use the S=<size> in the Maildir filenames for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# getting the mail's physical size, except when recalculating Maildir++ quota.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This can be useful in systems where a lot of the Maildir filenames have a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# broken size. The performance hit for enabling this is very small.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#maildir_broken_filename_sizes = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Always move mails from new/ directory to cur/, even when the \Recent flags
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# aren't being reset.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#maildir_empty_new = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## mbox-specific settings
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Which locking methods to use for locking mbox. There are four available:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dotlock: Create <mailbox>.lock file. This is the oldest and most NFS-safe
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# solution. If you want to use /var/mail/ like directory, the users
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# will need write access to that directory.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dotlock_try: Same as dotlock, but if it fails because of permissions or
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# because there isn't enough disk space, just skip it.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# fcntl : Use this if possible. Works with NFS too if lockd is used.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# flock : May not exist in all systems. Doesn't work with NFS.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# lockf : May not exist in all systems. Doesn't work with NFS.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# You can use multiple locking methods; if you do the order they're declared
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# in is important to avoid deadlocks if other MTAs/MUAs are using multiple
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# locking methods as well. Some operating systems don't allow using some of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# them simultaneously.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mbox_read_locks = fcntl
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mbox_write_locks = dotlock fcntl
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Maximum time to wait for lock (all of them) before aborting.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mbox_lock_timeout = 5 mins
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If dotlock exists but the mailbox isn't modified in any way, override the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# lock file after this much time.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mbox_dotlock_change_timeout = 2 mins
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When mbox changes unexpectedly we have to fully read it to find out what
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# changed. If the mbox is large this can take a long time. Since the change
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# is usually just a newly appended mail, it'd be faster to simply read the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# new mails. If this setting is enabled, Dovecot does this but still safely
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# fallbacks to re-reading the whole mbox file whenever something in mbox isn't
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# how it's expected to be. The only real downside to this setting is that if
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# some other MUA changes message flags, Dovecot doesn't notice it immediately.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note that a full sync is done with SELECT, EXAMINE, EXPUNGE and CHECK
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# commands.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mbox_dirty_syncs = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Like mbox_dirty_syncs, but don't do full syncs even with SELECT, EXAMINE,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# EXPUNGE or CHECK commands. If this is set, mbox_dirty_syncs is ignored.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mbox_very_dirty_syncs = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Delay writing mbox headers until doing a full write sync (EXPUNGE and CHECK
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# commands and when closing the mailbox). This is especially useful for POP3
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# where clients often delete all mails. The downside is that our changes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# aren't immediately visible to other MUAs.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mbox_lazy_writes = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If mbox size is smaller than this (e.g. 100k), don't write index files.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If an index file already exists it's still read, just not updated.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mbox_min_index_size = 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Mail header selection algorithm to use for MD5 POP3 UIDLs when
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# pop3_uidl_format=%m. For backwards compatibility we use apop3d inspired
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# algorithm, but it fails if the first Received: header isn't unique in all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mails. An alternative algorithm is "all" that selects all headers.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mbox_md5 = apop3d
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## mdbox-specific settings
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Maximum dbox file size until it's rotated.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mdbox_rotate_size = 2M
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Maximum dbox file age until it's rotated. Typically in days. Day begins
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# from midnight, so 1d = today, 2d = yesterday, etc. 0 = check disabled.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mdbox_rotate_interval = 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When creating new mdbox files, immediately preallocate their size to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mdbox_rotate_size. This setting currently works only in Linux with some
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# filesystems (ext4, xfs).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mdbox_preallocate_space = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Mail attachments
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sdbox and mdbox support saving mail attachments to external files, which
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# also allows single instance storage for them. Other backends don't support
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# this for now.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Directory root where to store mail attachments. Disabled, if empty.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_attachment_dir =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Attachments smaller than this aren't saved externally. It's also possible to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# write a plugin to disable saving specific attachments externally.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_attachment_min_size = 128k
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Filesystem backend to use for saving attachments:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# posix : No SiS done by Dovecot (but this might help FS's own deduplication)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sis posix : SiS with immediate byte-by-byte comparison during saving
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sis-queue posix : SiS with delayed comparison and deduplication
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_attachment_fs = sis posix
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Hash format to use in attachment filenames. You can add any text and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# variables: %{md4}, %{md5}, %{sha1}, %{sha256}, %{sha512}, %{size}.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Variables can be truncated, e.g. %{sha256:80} returns only first 80 bits
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_attachment_hash = %{sha1}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/10-master.conf b/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/10-master.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..e3d6260
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/10-master.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,119 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#default_process_limit = 100
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#default_client_limit = 1000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default VSZ (virtual memory size) limit for service processes. This is mainly
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# intended to catch and kill processes that leak memory before they eat up
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# everything.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#default_vsz_limit = 256M
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Login user is internally used by login processes. This is the most untrusted
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# user in Dovecot system. It shouldn't have access to anything at all.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#default_login_user = dovenull
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Internal user is used by unprivileged processes. It should be separate from
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# login user, so that login processes can't disturb other processes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#default_internal_user = dovecot
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+service imap-login {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ inet_listener imap {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #port = 143
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ inet_listener imaps {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #port = 993
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #ssl = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Number of connections to handle before starting a new process. Typically
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # is faster. <doc/wiki/LoginProcess.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #service_count = 1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Number of processes to always keep waiting for more connections.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #process_min_avail = 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # If you set service_count=0, you probably need to grow this.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #vsz_limit = $default_vsz_limit
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+service pop3-login {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ inet_listener pop3 {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #port = 110
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ inet_listener pop3s {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #port = 995
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #ssl = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+service lmtp {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ unix_listener lmtp {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #mode = 0666
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Create inet listener only if you can't use the above UNIX socket
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #inet_listener lmtp {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Avoid making LMTP visible for the entire internet
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #address =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #port =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+service imap {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Most of the memory goes to mmap()ing files. You may need to increase this
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # limit if you have huge mailboxes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #vsz_limit = $default_vsz_limit
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Max. number of IMAP processes (connections)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #process_limit = 1024
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+service pop3 {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Max. number of POP3 processes (connections)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #process_limit = 1024
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+service auth {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # auth_socket_path points to this userdb socket by default. It's typically
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # full permissions to this socket are able to get a list of all usernames and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # get the results of everyone's userdb lookups.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # The default 0666 mode allows anyone to connect to the socket, but the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # userdb lookups will succeed only if the userdb returns an "uid" field that
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # matches the caller process's UID. Also if caller's uid or gid matches the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # socket's uid or gid the lookup succeeds. Anything else causes a failure.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # To give the caller full permissions to lookup all users, set the mode to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # something else than 0666 and Dovecot lets the kernel enforce the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # permissions (e.g. 0777 allows everyone full permissions).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ unix_listener auth-userdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #mode = 0666
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #user =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #group =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Postfix smtp-auth
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #unix_listener /var/spool/postfix/private/auth {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # mode = 0666
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Auth process is run as this user.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #user = $default_internal_user
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+service auth-worker {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Auth worker process is run as root by default, so that it can access
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # /etc/shadow. If this isn't necessary, the user should be changed to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # $default_internal_user.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #user = root
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+service dict {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # If dict proxy is used, mail processes should have access to its socket.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # For example: mode=0660, group=vmail and global mail_access_groups=vmail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ unix_listener dict {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #mode = 0600
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #user =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #group =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/10-ssl.conf b/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/10-ssl.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..cf651c2
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/10-ssl.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,63 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## SSL settings
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#ssl = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dropping root privileges, so keep the key file unreadable by anyone but
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# root. Included doc/mkcert.sh can be used to easily generate self-signed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# certificate, just make sure to update the domains in dovecot-openssl.cnf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ssl_cert = </etc/ssl/certs/dovecot.pem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ssl_key = </etc/ssl/private/dovecot.pem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If key file is password protected, give the password here. Alternatively
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# give it when starting dovecot with -p parameter. Since this file is often
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# world-readable, you may want to place this setting instead to a different
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# root owned 0600 file by using ssl_key_password = <path.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#ssl_key_password =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# PEM encoded trusted certificate authority. Set this only if you intend to use
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#ssl_ca =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Require that CRL check succeeds for client certificates.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#ssl_require_crl = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Directory and/or file for trusted SSL CA certificates. These are used only
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# when Dovecot needs to act as an SSL client (e.g. imapc backend). The
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# directory is usually /etc/ssl/certs in Debian-based systems and the file is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# /etc/pki/tls/cert.pem in RedHat-based systems.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#ssl_client_ca_dir =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#ssl_client_ca_file =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Request client to send a certificate. If you also want to require it, set
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# auth_ssl_require_client_cert=yes in auth section.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#ssl_verify_client_cert = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Which field from certificate to use for username. commonName and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# x500UniqueIdentifier are the usual choices. You'll also need to set
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# auth_ssl_username_from_cert=yes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#ssl_cert_username_field = commonName
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# DH parameters length to use.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#ssl_dh_parameters_length = 1024
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SSL protocols to use
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#ssl_protocols = !SSLv3
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SSL ciphers to use
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Prefer the server's order of ciphers over client's.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#ssl_prefer_server_ciphers = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SSL crypto device to use, for valid values run "openssl engine"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#ssl_crypto_device =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SSL extra options. Currently supported options are:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# no_compression - Disable compression.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# no_ticket - Disable SSL session tickets.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#ssl_options =
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/15-lda.conf b/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/15-lda.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..bcee86c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/15-lda.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,48 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## LDA specific settings (also used by LMTP)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Address to use when sending rejection mails.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default is postmaster@<your domain>. %d expands to recipient domain.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#postmaster_address =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Hostname to use in various parts of sent mails (e.g. in Message-Id) and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# in LMTP replies. Default is the system's real hostname@domain.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#hostname =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If user is over quota, return with temporary failure instead of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# bouncing the mail.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#quota_full_tempfail = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Binary to use for sending mails.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#sendmail_path = /usr/sbin/sendmail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If non-empty, send mails via this SMTP host[:port] instead of sendmail.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#submission_host =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Subject: header to use for rejection mails. You can use the same variables
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# as for rejection_reason below.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#rejection_subject = Rejected: %s
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Human readable error message for rejection mails. You can use variables:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %n = CRLF, %r = reason, %s = original subject, %t = recipient
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#rejection_reason = Your message to <%t> was automatically rejected:%n%r
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Delimiter character between local-part and detail in email address.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#recipient_delimiter = +
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Header where the original recipient address (SMTP's RCPT TO: address) is taken
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# from if not available elsewhere. With dovecot-lda -a parameter overrides this.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# A commonly used header for this is X-Original-To.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#lda_original_recipient_header =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Should saving a mail to a nonexistent mailbox automatically create it?
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#lda_mailbox_autocreate = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Should automatically created mailboxes be also automatically subscribed?
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#lda_mailbox_autosubscribe = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+protocol lda {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Space separated list of plugins to load (default is global mail_plugins).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #mail_plugins = $mail_plugins
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/15-mailboxes.conf b/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/15-mailboxes.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..cd5b21b
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/15-mailboxes.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,78 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Mailbox definitions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Each mailbox is specified in a separate mailbox section. The section name
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# specifies the mailbox name. If it has spaces, you can put the name
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "in quotes". These sections can contain the following mailbox settings:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# auto:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Indicates whether the mailbox with this name is automatically created
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# implicitly when it is first accessed. The user can also be automatically
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# subscribed to the mailbox after creation. The following values are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# defined for this setting:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# no - Never created automatically.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# create - Automatically created, but no automatic subscription.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# subscribe - Automatically created and subscribed.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# special_use:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# A space-separated list of SPECIAL-USE flags (RFC 6154) to use for the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mailbox. There are no validity checks, so you could specify anything
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# you want in here, but it's not a good idea to use flags other than the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# standard ones specified in the RFC:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# \All - This (virtual) mailbox presents all messages in the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# user's message store.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# \Archive - This mailbox is used to archive messages.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# \Drafts - This mailbox is used to hold draft messages.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# \Flagged - This (virtual) mailbox presents all messages in the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# user's message store marked with the IMAP \Flagged flag.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# \Junk - This mailbox is where messages deemed to be junk mail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# are held.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# \Sent - This mailbox is used to hold copies of messages that
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# have been sent.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# \Trash - This mailbox is used to hold messages that have been
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# deleted.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# comment:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Defines a default comment or note associated with the mailbox. This
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# value is accessible through the IMAP METADATA mailbox entries
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "/shared/comment" and "/private/comment". Users with sufficient
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# privileges can override the default value for entries with a custom
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# value.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NOTE: Assumes "namespace inbox" has been defined in 10-mail.conf.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+namespace inbox {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # These mailboxes are widely used and could perhaps be created automatically:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ mailbox Drafts {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ special_use = \Drafts
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ mailbox Junk {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ special_use = \Junk
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ mailbox Trash {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ special_use = \Trash
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # For \Sent mailboxes there are two widely used names. We'll mark both of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # them as \Sent. User typically deletes one of them if duplicates are created.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ mailbox Sent {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ special_use = \Sent
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ mailbox "Sent Messages" {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ special_use = \Sent
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # If you have a virtual "All messages" mailbox:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #mailbox virtual/All {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # special_use = \All
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # comment = All my messages
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # If you have a virtual "Flagged" mailbox:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #mailbox virtual/Flagged {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # special_use = \Flagged
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # comment = All my flagged messages
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/20-imap.conf b/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/20-imap.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..2a59cd0
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/20-imap.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,88 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## IMAP specific settings
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If nothing happens for this long while client is IDLEing, move the connection
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to imap-hibernate process and close the old imap process. This saves memory,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# because connections use very little memory in imap-hibernate process. The
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# downside is that recreating the imap process back uses some resources.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#imap_hibernate_timeout = 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Maximum IMAP command line length. Some clients generate very long command
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# lines with huge mailboxes, so you may need to raise this if you get
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "Too long argument" or "IMAP command line too large" errors often.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#imap_max_line_length = 64k
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# IMAP logout format string:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %i - total number of bytes read from client
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %o - total number of bytes sent to client
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %{fetch_hdr_count} - Number of mails with mail header data sent to client
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %{fetch_hdr_bytes} - Number of bytes with mail header data sent to client
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %{fetch_body_count} - Number of mails with mail body data sent to client
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %{fetch_body_bytes} - Number of bytes with mail body data sent to client
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %{deleted} - Number of mails where client added \Deleted flag
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %{expunged} - Number of mails that client expunged
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %{trashed} - Number of mails that client copied/moved to the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# special_use=\Trash mailbox.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#imap_logout_format = in=%i out=%o
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Override the IMAP CAPABILITY response. If the value begins with '+',
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# add the given capabilities on top of the defaults (e.g. +XFOO XBAR).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#imap_capability =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# How long to wait between "OK Still here" notifications when client is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# IDLEing.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#imap_idle_notify_interval = 2 mins
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ID field names and values to send to clients. Using * as the value makes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Dovecot use the default value. The following fields have default values
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# currently: name, version, os, os-version, support-url, support-email.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#imap_id_send =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ID fields sent by client to log. * means everything.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#imap_id_log =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Workarounds for various client bugs:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# delay-newmail:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Send EXISTS/RECENT new mail notifications only when replying to NOOP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and CHECK commands. Some clients ignore them otherwise, for example OSX
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Mail (<v2.1). Outlook Express breaks more badly though, without this it
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# may show user "Message no longer in server" errors. Note that OE6 still
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# breaks even with this workaround if synchronization is set to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "Headers Only".
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tb-extra-mailbox-sep:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Thunderbird gets somehow confused with LAYOUT=fs (mbox and dbox) and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# adds extra '/' suffixes to mailbox names. This option causes Dovecot to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ignore the extra '/' instead of treating it as invalid mailbox name.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tb-lsub-flags:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Show \Noselect flags for LSUB replies with LAYOUT=fs (e.g. mbox).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This makes Thunderbird realize they aren't selectable and show them
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# greyed out, instead of only later giving "not selectable" popup error.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The list is space-separated.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#imap_client_workarounds =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Host allowed in URLAUTH URLs sent by client. "*" allows all.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#imap_urlauth_host =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# What happens when FETCH fails due to some internal error:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# disconnect-immediately:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The FETCH is aborted immediately and the IMAP client is disconnected.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# disconnect-after:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The FETCH runs for all the requested mails returning as much data as
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# possible. The client is finally disconnected without a tagged reply.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# no-after:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Same as disconnect-after, but tagged NO reply is sent instead of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# disconnecting the client. If the client attempts to FETCH the same failed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mail more than once, the client is disconnected. This is to avoid clients
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# from going into infinite loops trying to FETCH a broken mail.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#imap_fetch_failure = disconnect-immediately
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+protocol imap {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Space separated list of plugins to load (default is global mail_plugins).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #mail_plugins = $mail_plugins
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Maximum number of IMAP connections allowed for a user from each IP address.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # NOTE: The username is compared case-sensitively.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #mail_max_userip_connections = 10
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/20-lmtp.conf b/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/20-lmtp.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..ecd83d1
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/20-lmtp.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,26 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## LMTP specific settings
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Support proxying to other LMTP/SMTP servers by performing passdb lookups.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#lmtp_proxy = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When recipient address includes the detail (e.g. user+detail), try to save
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the mail to the detail mailbox. See also recipient_delimiter and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# lda_mailbox_autocreate settings.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#lmtp_save_to_detail_mailbox = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Verify quota before replying to RCPT TO. This adds a small overhead.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#lmtp_rcpt_check_quota = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Which recipient address to use for Delivered-To: header and Received:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# header. The default is "final", which is the same as the one given to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# RCPT TO command. "original" uses the address given in RCPT TO's ORCPT
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# parameter, "none" uses nothing. Note that "none" is currently always used
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# when a mail has multiple recipients.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#lmtp_hdr_delivery_address = final
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+protocol lmtp {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Space separated list of plugins to load (default is global mail_plugins).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #mail_plugins = $mail_plugins
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/20-pop3.conf b/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/20-pop3.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..e0ba552
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/20-pop3.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,99 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## POP3 specific settings
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Don't try to set mails non-recent or seen with POP3 sessions. This is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mostly intended to reduce disk I/O. With maildir it doesn't move files
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# from new/ to cur/, with mbox it doesn't write Status-header.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#pop3_no_flag_updates = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Support LAST command which exists in old POP3 specs, but has been removed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# from new ones. Some clients still wish to use this though. Enabling this
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# makes RSET command clear all \Seen flags from messages.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#pop3_enable_last = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If mail has X-UIDL header, use it as the mail's UIDL.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#pop3_reuse_xuidl = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Allow only one POP3 session to run simultaneously for the same user.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#pop3_lock_session = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# POP3 requires message sizes to be listed as if they had CR+LF linefeeds.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Many POP3 servers violate this by returning the sizes with LF linefeeds,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# because it's faster to get. When this setting is enabled, Dovecot still
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tries to do the right thing first, but if that requires opening the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# message, it fallbacks to the easier (but incorrect) size.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#pop3_fast_size_lookups = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# POP3 UIDL (unique mail identifier) format to use. You can use following
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# variables, along with the variable modifiers described in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# doc/wiki/Variables.txt (e.g. %Uf for the filename in uppercase)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %v - Mailbox's IMAP UIDVALIDITY
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %u - Mail's IMAP UID
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %m - MD5 sum of the mailbox headers in hex (mbox only)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %f - filename (maildir only)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %g - Mail's GUID
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you want UIDL compatibility with other POP3 servers, use:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# UW's ipop3d : %08Xv%08Xu
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Courier : %f or %v-%u (both might be used simultaneosly)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Cyrus (<= 2.1.3) : %u
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Cyrus (>= 2.1.4) : %v.%u
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Dovecot v0.99.x : %v.%u
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tpop3d : %Mf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note that Outlook 2003 seems to have problems with %v.%u format which was
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Dovecot's default, so if you're building a new server it would be a good
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# idea to change this. %08Xu%08Xv should be pretty fail-safe.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#pop3_uidl_format = %08Xu%08Xv
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Permanently save UIDLs sent to POP3 clients, so pop3_uidl_format changes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# won't change those UIDLs. Currently this works only with Maildir.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#pop3_save_uidl = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# What to do about duplicate UIDLs if they exist?
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# allow: Show duplicates to clients.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# rename: Append a temporary -2, -3, etc. counter after the UIDL.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#pop3_uidl_duplicates = allow
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This option changes POP3 behavior so that it's not possible to actually
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# delete mails via POP3, only hide them from future POP3 sessions. The mails
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# will still be counted towards user's quota until actually deleted via IMAP.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Use e.g. "$POP3Deleted" as the value (it will be visible as IMAP keyword).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Make sure you can legally archive mails before enabling this setting.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#pop3_deleted_flag =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# POP3 logout format string:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %i - total number of bytes read from client
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %o - total number of bytes sent to client
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %t - number of TOP commands
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %p - number of bytes sent to client as a result of TOP command
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %r - number of RETR commands
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %b - number of bytes sent to client as a result of RETR command
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %d - number of deleted messages
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %{deleted_bytes} - number of bytes in deleted messages
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %m - number of messages (before deletion)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %s - mailbox size in bytes (before deletion)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %u - old/new UIDL hash. may help finding out if UIDLs changed unexpectedly
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#pop3_logout_format = top=%t/%p, retr=%r/%b, del=%d/%m, size=%s
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Workarounds for various client bugs:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# outlook-no-nuls:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Outlook and Outlook Express hang if mails contain NUL characters.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This setting replaces them with 0x80 character.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# oe-ns-eoh:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Outlook Express and Netscape Mail breaks if end of headers-line is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# missing. This option simply sends it if it's missing.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The list is space-separated.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#pop3_client_workarounds =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+protocol pop3 {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Space separated list of plugins to load (default is global mail_plugins).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #mail_plugins = $mail_plugins
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Maximum number of POP3 connections allowed for a user from each IP address.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # NOTE: The username is compared case-sensitively.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #mail_max_userip_connections = 10
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/90-acl.conf b/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/90-acl.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..f0c0e7a
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/90-acl.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,19 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Mailbox access control lists.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# vfile backend reads ACLs from "dovecot-acl" file from mail directory.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# You can also optionally give a global ACL directory path where ACLs are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# applied to all users' mailboxes. The global ACL directory contains
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# one file for each mailbox, eg. INBOX or sub.mailbox. cache_secs parameter
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# specifies how many seconds to wait between stat()ing dovecot-acl file
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to see if it changed.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+plugin {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #acl = vfile:/etc/dovecot/global-acls:cache_secs=300
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# To let users LIST mailboxes shared by other users, Dovecot needs a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# shared mailbox dictionary. For example:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+plugin {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #acl_shared_dict = file:/var/lib/dovecot/shared-mailboxes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/90-plugin.conf b/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/90-plugin.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..8c8fccf
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/90-plugin.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,11 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Plugin settings
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# All wanted plugins must be listed in mail_plugins setting before any of the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# settings take effect. See <doc/wiki/Plugins.txt> for list of plugins and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# their configuration. Note that %variable expansion is done for all values.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+plugin {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #setting_name = value
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/90-quota.conf b/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/90-quota.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..40cde63
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/90-quota.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,83 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Quota configuration.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note that you also have to enable quota plugin in mail_plugins setting.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# <doc/wiki/Quota.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Quota limits
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Quota limits are set using "quota_rule" parameters. To get per-user quota
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# limits, you can set/override them by returning "quota_rule" extra field
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# from userdb. It's also possible to give mailbox-specific limits, for example
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to give additional 100 MB when saving to Trash:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+plugin {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #quota_rule = *:storage=1G
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #quota_rule2 = Trash:storage=+100M
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # LDA/LMTP allows saving the last mail to bring user from under quota to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # over quota, if the quota doesn't grow too high. Default is to allow as
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # long as quota will stay under 10% above the limit. Also allowed e.g. 10M.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #quota_grace = 10%%
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Quota plugin can also limit the maximum accepted mail size.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #quota_max_mail_size = 100M
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Quota warnings
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# You can execute a given command when user exceeds a specified quota limit.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Each quota root has separate limits. Only the command for the first
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# exceeded limit is excecuted, so put the highest limit first.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The commands are executed via script service by connecting to the named
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# UNIX socket (quota-warning below).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note that % needs to be escaped as %%, otherwise "% " expands to empty.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+plugin {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #quota_warning = storage=95%% quota-warning 95 %u
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #quota_warning2 = storage=80%% quota-warning 80 %u
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Example quota-warning service. The unix listener's permissions should be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# set in a way that mail processes can connect to it. Below example assumes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# that mail processes run as vmail user. If you use mode=0666, all system users
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# can generate quota warnings to anyone.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#service quota-warning {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# executable = script /usr/local/bin/quota-warning.sh
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# user = dovecot
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# unix_listener quota-warning {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# user = vmail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Quota backends
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Multiple backends are supported:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dirsize: Find and sum all the files found from mail directory.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Extremely SLOW with Maildir. It'll eat your CPU and disk I/O.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dict: Keep quota stored in dictionary (eg. SQL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# maildir: Maildir++ quota
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# fs: Read-only support for filesystem quota
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+plugin {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #quota = dirsize:User quota
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #quota = maildir:User quota
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #quota = dict:User quota::proxy::quota
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #quota = fs:User quota
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Multiple quota roots are also possible, for example this gives each user
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# their own 100MB quota and one shared 1GB quota within the domain:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+plugin {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #quota = dict:user::proxy::quota
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #quota2 = dict:domain:%d:proxy::quota_domain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #quota_rule = *:storage=102400
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #quota2_rule = *:storage=1048576
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/auth-checkpassword.conf.ext b/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/auth-checkpassword.conf.ext
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..b2fb13a
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/auth-checkpassword.conf.ext
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,21 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Authentication for checkpassword users. Included from 10-auth.conf.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# <doc/wiki/AuthDatabase.CheckPassword.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+passdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ driver = checkpassword
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ args = /usr/bin/checkpassword
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# passdb lookup should return also userdb info
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+userdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ driver = prefetch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Standard checkpassword doesn't support direct userdb lookups.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you need checkpassword userdb, the checkpassword must support
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Dovecot-specific extensions.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#userdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# driver = checkpassword
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# args = /usr/bin/checkpassword
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/auth-deny.conf.ext b/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/auth-deny.conf.ext
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..ce3f1cf
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/auth-deny.conf.ext
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,15 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Deny access for users. Included from 10-auth.conf.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Users can be (temporarily) disabled by adding a passdb with deny=yes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If the user is found from that database, authentication will fail.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The deny passdb should always be specified before others, so it gets
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# checked first.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Example deny passdb using passwd-file. You can use any passdb though.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+passdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ driver = passwd-file
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ deny = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # File contains a list of usernames, one per line
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ args = /etc/dovecot/deny-users
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/auth-dict.conf.ext b/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/auth-dict.conf.ext
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..0be4847
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/auth-dict.conf.ext
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,16 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Authentication via dict backend. Included from 10-auth.conf.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# <doc/wiki/AuthDatabase.Dict.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+passdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ driver = dict
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Path for dict configuration file, see
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # example-config/dovecot-dict-auth.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ args = /etc/dovecot/dovecot-dict-auth.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+userdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ driver = dict
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ args = /etc/dovecot/dovecot-dict-auth.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/auth-ldap.conf.ext b/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/auth-ldap.conf.ext
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..5db32fa
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/auth-ldap.conf.ext
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,33 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Authentication for LDAP users. Included from 10-auth.conf.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# <doc/wiki/AuthDatabase.LDAP.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+passdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ driver = ldap
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Path for LDAP configuration file, see example-config/dovecot-ldap.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ args = /etc/dovecot/dovecot-ldap.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "prefetch" user database means that the passdb already provided the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# needed information and there's no need to do a separate userdb lookup.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# <doc/wiki/UserDatabase.Prefetch.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#userdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# driver = prefetch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+userdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ driver = ldap
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ args = /etc/dovecot/dovecot-ldap.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Default fields can be used to specify defaults that LDAP may override
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #default_fields = home=/home/virtual/%u
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you don't have any user-specific settings, you can avoid the userdb LDAP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# lookup by using userdb static instead of userdb ldap, for example:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# <doc/wiki/UserDatabase.Static.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#userdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #driver = static
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #args = uid=vmail gid=vmail home=/var/vmail/%u
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/auth-master.conf.ext b/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/auth-master.conf.ext
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..2cf128f
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/auth-master.conf.ext
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,16 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Authentication for master users. Included from 10-auth.conf.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# By adding master=yes setting inside a passdb you make the passdb a list
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# of "master users", who can log in as anyone else.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# <doc/wiki/Authentication.MasterUsers.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Example master user passdb using passwd-file. You can use any passdb though.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+passdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ driver = passwd-file
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ master = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ args = /etc/dovecot/master-users
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Unless you're using PAM, you probably still want the destination user to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # be looked up from passdb that it really exists. pass=yes does that.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ pass = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/auth-passwdfile.conf.ext b/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/auth-passwdfile.conf.ext
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..c89d28c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/auth-passwdfile.conf.ext
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,20 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Authentication for passwd-file users. Included from 10-auth.conf.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# passwd-like file with specified location.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# <doc/wiki/AuthDatabase.PasswdFile.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+passdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ driver = passwd-file
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ args = scheme=CRYPT username_format=%u /etc/dovecot/users
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+userdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ driver = passwd-file
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ args = username_format=%u /etc/dovecot/users
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Default fields that can be overridden by passwd-file
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #default_fields = quota_rule=*:storage=1G
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Override fields from passwd-file
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #override_fields = home=/home/virtual/%u
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/auth-sql.conf.ext b/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/auth-sql.conf.ext
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..ccbea86
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/auth-sql.conf.ext
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,30 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Authentication for SQL users. Included from 10-auth.conf.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# <doc/wiki/AuthDatabase.SQL.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+passdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ driver = sql
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Path for SQL configuration file, see example-config/dovecot-sql.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ args = /etc/dovecot/dovecot-sql.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "prefetch" user database means that the passdb already provided the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# needed information and there's no need to do a separate userdb lookup.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# <doc/wiki/UserDatabase.Prefetch.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#userdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# driver = prefetch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+userdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ driver = sql
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ args = /etc/dovecot/dovecot-sql.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you don't have any user-specific settings, you can avoid the user_query
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# by using userdb static instead of userdb sql, for example:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# <doc/wiki/UserDatabase.Static.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#userdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #driver = static
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #args = uid=vmail gid=vmail home=/var/vmail/%u
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/auth-static.conf.ext b/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/auth-static.conf.ext
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..90890c5
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/auth-static.conf.ext
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,24 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Static passdb. Included from 10-auth.conf.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This can be used for situations where Dovecot doesn't need to verify the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# username or the password, or if there is a single password for all users:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# - proxy frontend, where the backend verifies the password
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# - proxy backend, where the frontend already verified the password
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# - authentication with SSL certificates
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# - simple testing
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#passdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# driver = static
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# args = proxy=y host=%1Mu.example.com nopassword=y
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#passdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# driver = static
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# args = password=test
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#userdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# driver = static
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# args = uid=vmail gid=vmail home=/home/%u
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/auth-system.conf.ext b/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/auth-system.conf.ext
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..23f943c7
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/auth-system.conf.ext
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,74 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Authentication for system users. Included from 10-auth.conf.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# <doc/wiki/PasswordDatabase.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# <doc/wiki/UserDatabase.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# PAM authentication. Preferred nowadays by most systems.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# PAM is typically used with either userdb passwd or userdb static.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# REMEMBER: You'll need /etc/pam.d/dovecot file created for PAM
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# authentication to actually work. <doc/wiki/PasswordDatabase.PAM.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+passdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ driver = pam
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # [session=yes] [setcred=yes] [failure_show_msg=yes] [max_requests=<n>]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # [cache_key=<key>] [<service name>]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #args = dovecot
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# System users (NSS, /etc/passwd, or similiar).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# In many systems nowadays this uses Name Service Switch, which is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# configured in /etc/nsswitch.conf. <doc/wiki/AuthDatabase.Passwd.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#passdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #driver = passwd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # [blocking=no]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #args =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Shadow passwords for system users (NSS, /etc/shadow or similiar).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Deprecated by PAM nowadays.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# <doc/wiki/PasswordDatabase.Shadow.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#passdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #driver = shadow
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # [blocking=no]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #args =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# PAM-like authentication for OpenBSD.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# <doc/wiki/PasswordDatabase.BSDAuth.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#passdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #driver = bsdauth
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # [blocking=no] [cache_key=<key>]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #args =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## User databases
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# System users (NSS, /etc/passwd, or similiar). In many systems nowadays this
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# uses Name Service Switch, which is configured in /etc/nsswitch.conf.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+userdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # <doc/wiki/AuthDatabase.Passwd.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ driver = passwd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # [blocking=no]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #args =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Override fields from passwd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #override_fields = home=/home/virtual/%u
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Static settings generated from template <doc/wiki/UserDatabase.Static.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#userdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #driver = static
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Can return anything a userdb could normally return. For example:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # args = uid=500 gid=500 home=/var/mail/%u
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # LDA and LMTP needs to look up users only from the userdb. This of course
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # doesn't work with static userdb because there is no list of users.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Normally static userdb handles this by doing a passdb lookup. This works
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # with most passdbs, with PAM being the most notable exception. If you do
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # the user verification another way, you can add allow_all_users=yes to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # the args in which case the passdb lookup is skipped.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #args =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/auth-vpopmail.conf.ext b/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/auth-vpopmail.conf.ext
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..f2da976
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/example-config/conf.d/auth-vpopmail.conf.ext
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,17 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Authentication for vpopmail users. Included from 10-auth.conf.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# <doc/wiki/AuthDatabase.VPopMail.txt>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+passdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ driver = vpopmail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # [cache_key=<key>] [webmail=<ip>]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ args =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+userdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ driver = vpopmail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # [quota_template=<template>] - %q expands to Maildir++ quota
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ args = quota_template=quota_rule=*:backend=%q
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/example-config/dovecot-dict-auth.conf.ext b/mail/mail-server/files/prefix/etc/dovecot/example-config/dovecot-dict-auth.conf.ext
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..79f43de
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/example-config/dovecot-dict-auth.conf.ext
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,54 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This file is commonly accessed via passdb {} or userdb {} section in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# conf.d/auth-dict.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Dictionary URI
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#uri =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default password scheme
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+default_pass_scheme = MD5
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Username iteration prefix. Keys under this are assumed to contain usernames.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+iterate_prefix = userdb/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Should iteration be disabled for this userdb? If this userdb acts only as a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache there's no reason to try to iterate the (partial & duplicate) users.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#iterate_disable = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The example here shows how to do multiple dict lookups and merge the replies.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The "passdb" and "userdb" keys are JSON objects containing key/value pairs,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# for example: { "uid": 1000, "gid": 1000, "home": "/home/user" }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+key passdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ key = passdb/%u
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ format = json
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+key userdb {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ key = userdb/%u
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ format = json
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+key quota {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ key = userdb/%u/quota
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #format = value
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # The default_value is used if the key isn't found. If default_value setting
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # isn't specified at all (even as empty), the passdb/userdb lookup fails with
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # "user doesn't exist".
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ default_value = 100M
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Space separated list of keys whose values contain key/value paired objects.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# All the key/value pairs inside the object are added as passdb fields.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+passdb_objects = passdb
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#passdb_fields {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Userdb key/value object list.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+userdb_objects = userdb
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+userdb_fields {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # dict:<key> refers to key names
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ quota_rule = *:storage=%{dict:quota}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # dict:<key>.<objkey> refers to the objkey inside (JSON) object
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ mail = maildir:%{dict:userdb.home}/Maildir
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/example-config/dovecot-dict-sql.conf.ext b/mail/mail-server/files/prefix/etc/dovecot/example-config/dovecot-dict-sql.conf.ext
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..a9a903f
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/example-config/dovecot-dict-sql.conf.ext
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,41 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This file is commonly accessed via dict {} section in dovecot.conf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#connect = host=localhost dbname=mails user=testuser password=pass
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# CREATE TABLE quota (
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# username varchar(100) not null,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# bytes bigint not null default 0,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# messages integer not null default 0,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# primary key (username)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# );
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+map {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ pattern = priv/quota/storage
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ table = quota
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ username_field = username
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ value_field = bytes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+map {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ pattern = priv/quota/messages
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ table = quota
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ username_field = username
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ value_field = messages
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# CREATE TABLE expires (
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# username varchar(100) not null,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mailbox varchar(255) not null,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# expire_stamp integer not null,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# primary key (username, mailbox)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# );
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+map {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ pattern = shared/expire/$user/$mailbox
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ table = expires
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ value_field = expire_stamp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fields {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ username = $user
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ mailbox = $mailbox
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/example-config/dovecot-ldap.conf.ext b/mail/mail-server/files/prefix/etc/dovecot/example-config/dovecot-ldap.conf.ext
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..f4a65f2
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/example-config/dovecot-ldap.conf.ext
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,151 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This file is commonly accessed via passdb {} or userdb {} section in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# conf.d/auth-ldap.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This file is opened as root, so it should be owned by root and mode 0600.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# http://wiki2.dovecot.org/AuthDatabase/LDAP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NOTE: If you're not using authentication binds, you'll need to give
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dovecot-auth read access to userPassword field in the LDAP server.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# With OpenLDAP this is done by modifying /etc/ldap/slapd.conf. There should
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# already be something like this:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# access to attribute=userPassword
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# by dn="<dovecot's dn>" read # add this
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# by anonymous auth
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# by self write
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# by * none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Space separated list of LDAP hosts to use. host:port is allowed too.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#hosts =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# LDAP URIs to use. You can use this instead of hosts list. Note that this
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# setting isn't supported by all LDAP libraries.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#uris =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Distinguished Name - the username used to login to the LDAP server.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Leave it commented out to bind anonymously (useful with auth_bind=yes).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#dn =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Password for LDAP server, if dn is specified.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#dnpass =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Use SASL binding instead of the simple binding. Note that this changes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ldap_version automatically to be 3 if it's lower.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#sasl_bind = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SASL mechanism name to use.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#sasl_mech =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SASL realm to use.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#sasl_realm =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SASL authorization ID, ie. the dnpass is for this "master user", but the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dn is still the logged in user. Normally you want to keep this empty.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#sasl_authz_id =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Use TLS to connect to the LDAP server.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#tls = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TLS options, currently supported only with OpenLDAP:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#tls_ca_cert_file =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#tls_ca_cert_dir =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#tls_cipher_suite =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TLS cert/key is used only if LDAP server requires a client certificate.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#tls_cert_file =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#tls_key_file =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Valid values: never, hard, demand, allow, try
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#tls_require_cert =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Use the given ldaprc path.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#ldaprc_path =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# LDAP library debug level as specified by LDAP_DEBUG_* in ldap_log.h.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -1 = everything. You may need to recompile OpenLDAP with debugging enabled
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to get enough output.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#debug_level = 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Use authentication binding for verifying password's validity. This works by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# logging into LDAP server using the username and password given by client.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The pass_filter is used to find the DN for the user. Note that the pass_attrs
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# is still used, only the password field is ignored in it. Before doing any
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# search, the binding is switched back to the default DN.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_bind = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If authentication binding is used, you can save one LDAP request per login
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# if users' DN can be specified with a common template. The template can use
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the standard %variables (see user_filter). Note that you can't
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# use any pass_attrs if you use this setting.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you use this setting, it's a good idea to use a different
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dovecot-ldap.conf.ext for userdb (it can even be a symlink, just as long as
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the filename is different in userdb's args). That way one connection is used
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# only for LDAP binds and another connection is used for user lookups.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Otherwise the binding is changed to the default DN before each user lookup.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For example:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# auth_bind_userdn = cn=%u,ou=people,o=org
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_bind_userdn =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# LDAP protocol version to use. Likely 2 or 3.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#ldap_version = 3
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# LDAP base. %variables can be used here.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For example: dc=mail, dc=example, dc=org
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+base =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Dereference: never, searching, finding, always
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#deref = never
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Search scope: base, onelevel, subtree
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#scope = subtree
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# User attributes are given in LDAP-name=dovecot-internal-name list. The
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# internal names are:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# uid - System UID
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# gid - System GID
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# home - Home directory
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mail - Mail location
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# There are also other special fields which can be returned, see
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# http://wiki2.dovecot.org/UserDatabase/ExtraFields
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Filter for user lookup. Some variables can be used (see
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# http://wiki2.dovecot.org/Variables for full list):
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %u - username
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %n - user part in user@domain, same as %u if there's no domain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %d - domain part in user@domain, empty if user there's no domain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#user_filter = (&(objectClass=posixAccount)(uid=%u))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Password checking attributes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# user: Virtual user name (user@domain), if you wish to change the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# user-given username to something else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# password: Password, may optionally start with {type}, eg. {crypt}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# There are also other special fields which can be returned, see
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#pass_attrs = uid=user,userPassword=password
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you wish to avoid two LDAP lookups (passdb + userdb), you can use
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# userdb prefetch instead of userdb ldap in dovecot.conf. In that case you'll
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# also have to include user_attrs in pass_attrs field prefixed with "userdb_"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# string. For example:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#pass_attrs = uid=user,userPassword=password,\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# homeDirectory=userdb_home,uidNumber=userdb_uid,gidNumber=userdb_gid
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Filter for password lookups
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#pass_filter = (&(objectClass=posixAccount)(uid=%u))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Attributes and filter to get a list of all users
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#iterate_attrs = uid=user
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#iterate_filter = (objectClass=posixAccount)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default password scheme. "{scheme}" before password overrides this.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# List of supported schemes is in: http://wiki2.dovecot.org/Authentication
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#default_pass_scheme = CRYPT
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# By default all LDAP lookups are performed by the auth master process.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If blocking=yes, auth worker processes are used to perform the lookups.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Each auth worker process creates its own LDAP connection so this can
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# increase parallelism. With blocking=no the auth master process can
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# keep 8 requests pipelined for the LDAP connection, while with blocking=yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# each connection has a maximum of 1 request running. For small systems the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# blocking=no is sufficient and uses less resources.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#blocking = no
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/example-config/dovecot-sql.conf.ext b/mail/mail-server/files/prefix/etc/dovecot/example-config/dovecot-sql.conf.ext
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..0f2baec
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/example-config/dovecot-sql.conf.ext
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,144 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This file is commonly accessed via passdb {} or userdb {} section in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# conf.d/auth-sql.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This file is opened as root, so it should be owned by root and mode 0600.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# http://wiki2.dovecot.org/AuthDatabase/SQL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For the sql passdb module, you'll need a database with a table that
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# contains fields for at least the username and password. If you want to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# use the user@domain syntax, you might want to have a separate domain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# field as well.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If your users all have the same uig/gid, and have predictable home
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# directories, you can use the static userdb module to generate the home
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dir based on the username and domain. In this case, you won't need fields
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# for home, uid, or gid in the database.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you prefer to use the sql userdb module, you'll want to add fields
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# for home, uid, and gid. Here is an example table:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# CREATE TABLE users (
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# username VARCHAR(128) NOT NULL,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# domain VARCHAR(128) NOT NULL,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# password VARCHAR(64) NOT NULL,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# home VARCHAR(255) NOT NULL,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# uid INTEGER NOT NULL,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# gid INTEGER NOT NULL,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# active CHAR(1) DEFAULT 'Y' NOT NULL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# );
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Database driver: mysql, pgsql, sqlite
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#driver =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Database connection string. This is driver-specific setting.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# HA / round-robin load-balancing is supported by giving multiple host
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# settings, like: host=sql1.host.org host=sql2.host.org
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# pgsql:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For available options, see the PostgreSQL documention for the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# PQconnectdb function of libpq.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Use maxconns=n (default 5) to change how many connections Dovecot can
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# create to pgsql.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mysql:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Basic options emulate PostgreSQL option names:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# host, port, user, password, dbname
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# But also adds some new settings:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# client_flags - See MySQL manual
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connect_timeout - Connect timeout in seconds (default: 5)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# read_timeout - Read timeout in seconds (default: 30)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# write_timeout - Write timeout in seconds (default: 30)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ssl_ca, ssl_ca_path - Set either one or both to enable SSL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ssl_cert, ssl_key - For sending client-side certificates to server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ssl_cipher - Set minimum allowed cipher security (default: HIGH)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ssl_verify_server_cert - Verify that the name in the server SSL certificate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# matches the host (default: no)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# option_file - Read options from the given file instead of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the default my.cnf location
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# option_group - Read options from the given group (default: client)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# You can connect to UNIX sockets by using host: host=/var/run/mysql.sock
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note that currently you can't use spaces in parameters.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sqlite:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The path to the database file.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Examples:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connect = host=192.168.1.1 dbname=users
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connect = host=sql.example.com dbname=virtual user=virtual password=blarg
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connect = /etc/dovecot/authdb.sqlite
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#connect =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default password scheme.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# List of supported schemes is in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# http://wiki2.dovecot.org/Authentication/PasswordSchemes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#default_pass_scheme = MD5
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# passdb query to retrieve the password. It can return fields:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# password - The user's password. This field must be returned.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# user - user@domain from the database. Needed with case-insensitive lookups.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# username and domain - An alternative way to represent the "user" field.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The "user" field is often necessary with case-insensitive lookups to avoid
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# e.g. "name" and "nAme" logins creating two different mail directories. If
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# your user and domain names are in separate fields, you can return "username"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and "domain" fields instead of "user".
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The query can also return other fields which have a special meaning, see
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Commonly used available substitutions (see http://wiki2.dovecot.org/Variables
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# for full list):
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %u = entire user@domain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %n = user part of user@domain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %d = domain part of user@domain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note that these can be used only as input to SQL query. If the query outputs
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# any of these substitutions, they're not touched. Otherwise it would be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# difficult to have eg. usernames containing '%' characters.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Example:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# password_query = SELECT userid AS user, pw AS password \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# FROM users WHERE userid = '%u' AND active = 'Y'
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#password_query = \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SELECT username, domain, password \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# FROM users WHERE username = '%n' AND domain = '%d'
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# userdb query to retrieve the user information. It can return fields:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# uid - System UID (overrides mail_uid setting)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# gid - System GID (overrides mail_gid setting)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# home - Home directory
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mail - Mail location (overrides mail_location setting)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# None of these are strictly required. If you use a single UID and GID, and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# home or mail directory fits to a template string, you could use userdb static
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# instead. For a list of all fields that can be returned, see
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# http://wiki2.dovecot.org/UserDatabase/ExtraFields
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Examples:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# user_query = SELECT home, uid, gid FROM users WHERE userid = '%u'
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# user_query = SELECT dir AS home, user AS uid, group AS gid FROM users where userid = '%u'
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# user_query = SELECT home, 501 AS uid, 501 AS gid FROM users WHERE userid = '%u'
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#user_query = \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SELECT home, uid, gid \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# FROM users WHERE username = '%n' AND domain = '%d'
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you wish to avoid two SQL lookups (passdb + userdb), you can use
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# userdb prefetch instead of userdb sql in dovecot.conf. In that case you'll
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# also have to return userdb fields in password_query prefixed with "userdb_"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# string. For example:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#password_query = \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SELECT userid AS user, password, \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# home AS userdb_home, uid AS userdb_uid, gid AS userdb_gid \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# FROM users WHERE userid = '%u'
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Query to get a list of all usernames.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#iterate_query = SELECT username AS user FROM users
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/example-config/dovecot.conf b/mail/mail-server/files/prefix/etc/dovecot/example-config/dovecot.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..5697661
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/example-config/dovecot.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,102 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Dovecot configuration file
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you're in a hurry, see http://wiki2.dovecot.org/QuickConfiguration
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "doveconf -n" command gives a clean output of the changed settings. Use it
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# instead of copy&pasting files when posting to the Dovecot mailing list.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# '#' character and everything after it is treated as comments. Extra spaces
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and tabs are ignored. If you want to use either of these explicitly, put the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# value inside quotes, eg.: key = "# char and trailing whitespace "
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Most (but not all) settings can be overridden by different protocols and/or
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# source/destination IPs by placing the settings inside sections, for example:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# protocol imap { }, local 127.0.0.1 { }, remote 10.0.0.0/8 { }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default values are shown for each setting, it's not required to uncomment
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# those. These are exceptions to this though: No sections (e.g. namespace {})
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# or plugin settings are added by default, they're listed only as examples.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Paths are also just examples with the real defaults being based on configure
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# options. The paths listed here are for configure --prefix=/usr
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# --sysconfdir=/etc --localstatedir=/var
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Protocols we want to be serving.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#protocols = imap pop3 lmtp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# A comma separated list of IPs or hosts where to listen in for connections.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you want to specify non-default ports or anything more complex,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# edit conf.d/master.conf.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#listen = *, ::
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Base directory where to store runtime data.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#base_dir = /var/run/dovecot/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Name of this instance. In multi-instance setup doveadm and other commands
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# can use -i <instance_name> to select which instance is used (an alternative
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to -c <config_path>). The instance name is also added to Dovecot processes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# in ps output.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#instance_name = dovecot
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Greeting message for clients.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#login_greeting = Dovecot ready.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Space separated list of trusted network ranges. Connections from these
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# IPs are allowed to override their IP addresses and ports (for logging and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# for authentication checks). disable_plaintext_auth is also ignored for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# these networks. Typically you'd specify your IMAP proxy servers here.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#login_trusted_networks =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Space separated list of login access check sockets (e.g. tcpwrap)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#login_access_sockets =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# With proxy_maybe=yes if proxy destination matches any of these IPs, don't do
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# proxying. This isn't necessary normally, but may be useful if the destination
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# IP is e.g. a load balancer's IP.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#auth_proxy_self =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Show more verbose process titles (in ps). Currently shows user name and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# IP address. Useful for seeing who are actually using the IMAP processes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (eg. shared mailboxes or if same uid is used for multiple accounts).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#verbose_proctitle = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Should all processes be killed when Dovecot master process shuts down.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Setting this to "no" means that Dovecot can be upgraded without
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# forcing existing client connections to close (although that could also be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# a problem if the upgrade is e.g. because of a security fix).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#shutdown_clients = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If non-zero, run mail commands via this many connections to doveadm server,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# instead of running them directly in the same process.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#doveadm_worker_count = 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# UNIX socket or host:port used for connecting to doveadm server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#doveadm_socket_path = doveadm-server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Space separated list of environment variables that are preserved on Dovecot
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# startup and passed down to all of its child processes. You can also give
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# key=value pairs to always set specific settings.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#import_environment = TZ
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Dictionary server settings
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Dictionary can be used to store key=value lists. This is used by several
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# plugins. The dictionary can be accessed either directly or though a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dictionary server. The following dict block maps dictionary names to URIs
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# when the server is used. These can then be referenced using URIs in format
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "proxy::<name>".
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+dict {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Most of the actual configuration gets included below. The filenames are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# first sorted by their ASCII value and parsed in that order. The 00-prefixes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# in filenames are intended to make it easier to understand the ordering.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+!include conf.d/*.conf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# A config file can also tried to be included without giving an error if
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# it's not found:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+!include_try local.conf
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/imap.keytab.README.sh b/mail/mail-server/files/prefix/etc/dovecot/imap.keytab.README.sh
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..23ad61b
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/imap.keytab.README.sh
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,112 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#!/bin/bash -x
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# GSSAPI Kerberos authentication for the imap service on macOS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 1. krb5 configuration
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Create missing edu.mit.Kerberos file, copy it to /etc/krb5.conf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See http://nusoft.fnal.gov/ifmon/maint/auth/macadmin.html
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+sudo cat <<KERBEROSCONF > edu.mit.Kerberos
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+[domain_realm]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .@domain@.@tld@ = @HOST@.@DOMAIN@.@TLD@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ @domain@.@tld@ = @HOST@.@DOMAIN@.@TLD@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ @host@.@domain@.@tld@ = @HOST@.@DOMAIN@.@TLD@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+[libdefaults]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ default_realm = @HOST@.@DOMAIN@.@TLD@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ kdc_timeout = 5
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ allow_weak_crypto = false
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ dns_lookup_kdc = true
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ticket_lifetime = 90000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ renew_lifetime = 300000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ noaddresses = true
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+[realms]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ @HOST@.@DOMAIN@.@TLD@ = {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ default_domain = @host@.@domain@.@tld@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ admin_server = @host@.@domain@.@tld@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ kdc = @host@.@domain@.@tld@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+[logging]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ kdc = CONSOLE
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ kdc = SYSLOG:INFO:DAEMON
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ admin_server = FILE:/private/var/log/krb5kdc/kadmin.log
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+KERBEROSCONF
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+sudo install -m 0644 -b -B .orig edu.mit.Kerberos /etc/krb5.conf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+rm edu.mit.Kerberos
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 2. DNS configuration
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Add these DNS URI, TXT, and SRV records to the primary zone corresponding to REALM
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+sudo vi @PREFIX@/var/named/db.@domain@.@tld@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+if false; do
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sudo cat <<KERBEROSDNS >> @PREFIX@/var/named/db.@domain@.@tld@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ; Kerberos configuration with URI, TXT, and SRV records
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ _kerberos.@HOST@.@DOMAIN@.@TLD@. IN URI 10 1 "udp://@host@.@domain@.@tld@"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ _kerberos.@HOST@.@DOMAIN@.@TLD@. IN URI 20 1 "tcp://@host@.@domain@.@tld@"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ _kerberos-master.@HOST@.@DOMAIN@.@TLD@. IN URI 10 1 "udp://@host@.@domain@.@tld@"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ _kerberos-master.@HOST@.@DOMAIN@.@TLD@. IN URI 20 1 "tcp://@host@.@domain@.@tld@"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ _kerberos.@host@.@domain@.@tld@. IN TXT "@HOST@.@DOMAIN@.@TLD@"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ _kerberos-master.@host@.@domain@.@tld@. IN TXT "@HOST@.@DOMAIN@.@TLD@"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ _kerberos._udp.@HOST@.@DOMAIN@.@TLD@. IN SRV 10 1 88 @host@.@domain@.@tld@.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ _kerberos._tcp.@HOST@.@DOMAIN@.@TLD@. IN SRV 10 1 88 @host@.@domain@.@tld@.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ _kerberos._tls._tcp.@HOST@.@DOMAIN@.@TLD@. IN SRV 10 1 88 @host@.@domain@.@tld@.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ _kerberos-master._udp.@HOST@.@DOMAIN@.@TLD@. IN SRV 10 1 749 @host@.@domain@.@tld@.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ _kerberos-master._tcp.@HOST@.@DOMAIN@.@TLD@. IN SRV 10 1 749 @host@.@domain@.@tld@.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ _kerberos-master._tls._tcp.@HOST@.@DOMAIN@.@TLD@. IN SRV 10 1 749 @host@.@domain@.@tld@.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+KERBEROSDNS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ done
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# flush DNS cache and restart named
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+dscacheutil -flushcache ; sudo killall -HUP mDNSResponder ; sudo port unload bind9 ; sudo port load bind9
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 3. PAM plain text authentication for Kerberos imap service
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+sudo mkdir -p @PREFIX@/etc/dovecot/etc/pam.d
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+sudo cat <<PAMDSMTP > @PREFIX@/etc/dovecot/etc/pam.d/imap
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# imap: auth account password session with gssapi and plain fallback
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+auth sufficient pam_krb5.so try_first_pass
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+account sufficient pam_krb5.so
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+auth required pam_opendirectory.so
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+account required pam_nologin.so
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+account required pam_opendirectory.so
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+password required pam_opendirectory.so
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+PAMDSMTP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+sudo install -m 0644 -b -B .orig @PREFIX@/etc/dovecot/etc/pam.d/imap /etc/pam.d
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 4. Create the imap.keytab file with _dovecot permission
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+sudo /usr/sbin/kadmin -l
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# kadmin> ext_keytab -k @PREFIX@/etc/dovecot/imap.keytab imap/@host@.@domain@.@tld@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# kadmin> exit
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+sudo chgrp _dovenull @PREFIX@/etc/dovecot/imap.keytab
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+sudo chmod g+r @PREFIX@/etc/dovecot/imap.keytab
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+sudo -u _dovenull @PREFIX@/bin/klist -e -k -t @PREFIX@/etc/dovecot/imap.keytab
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Keytab name: FILE:@PREFIX@/etc/dovecot/imap.keytab
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## KVNO Timestamp Principal
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## ---- ------------------- ------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## 1 04/25/2019 07:11:41 imap/@host@.@domain@.@tld@@@HOST@.@DOMAIN@.@TLD@ (aes256-cts-hmac-sha1-96)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## 1 04/25/2019 07:11:41 imap/@host@.@domain@.@tld@@@HOST@.@DOMAIN@.@TLD@ (aes128-cts-hmac-sha1-96)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## 1 04/25/2019 07:11:41 imap/@host@.@domain@.@tld@@@HOST@.@DOMAIN@.@TLD@ (des3-cbc-sha1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 5. Testing
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# https://wiki.dovecot.org/TestInstallation
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+openssl s_client -connect @host@.@domain@.@tld@:993
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# a login "username" "password"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# b select inbox
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# c list "" *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# d lsub "" *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# e logout
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 6. Debugging
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# env KRB5_TRACE=/dev/stdout sudo -E kadmin -p kadmin/admin@@HOST@.@DOMAIN@.@TLD@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo kdestroy -p diradmin@@HOST@.@DOMAIN@.@TLD@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo serveradmin stop dirserv ; sudo serveradmin start dirserv
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dscacheutil -flushcache ; sudo killall -HUP mDNSResponder ; sudo port unload bind9 ; sudo port load bind9
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo /usr/sbin/ktutil list
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo @PREFIX@/bin/klist -e -k -t /etc/krb5.keytab
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/sieve-before.d/10-rspamd.sieve b/mail/mail-server/files/prefix/etc/dovecot/sieve-before.d/10-rspamd.sieve
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..7931a71
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/sieve-before.d/10-rspamd.sieve
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,5 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+require ["fileinto"];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+if header :is "X-Spam" "Yes" {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fileinto "Junk";
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/sieve/report-ham.sieve b/mail/mail-server/files/prefix/etc/dovecot/sieve/report-ham.sieve
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..7cac0bc
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/sieve/report-ham.sieve
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,15 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables"];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+if environment :matches "imap.mailbox" "*" {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ set "mailbox" "${1}";
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+if string "${mailbox}" "Trash" {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ stop;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+if environment :matches "imap.email" "*" {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ set "email" "${1}";
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+pipe :copy "train-ham.sh" [ "${email}" ];
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/sieve/report-spam.sieve b/mail/mail-server/files/prefix/etc/dovecot/sieve/report-spam.sieve
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..4ed95d7
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/sieve/report-spam.sieve
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables"];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+if environment :matches "imap.email" "*" {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ set "email" "${1}";
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+pipe :copy "train-spam.sh" [ "${email}" ];
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/sieve/train-ham.sh b/mail/mail-server/files/prefix/etc/dovecot/sieve/train-ham.sh
</span>new file mode 100755
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..c14136f
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/sieve/train-ham.sh
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,2 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#!/bin/sh
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+exec @PREFIX@/bin/rspamc -h @PREFIX@/var/run/rspamd/rspamd.sock -P '@RSPAMD_CONTROL_PASSWORD@' learn_ham
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/sieve/train-spam.sh b/mail/mail-server/files/prefix/etc/dovecot/sieve/train-spam.sh
</span>new file mode 100755
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..d4c46fc
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/sieve/train-spam.sh
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,2 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#!/bin/sh
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+exec @PREFIX@/bin/rspamc -h @PREFIX@/var/run/rspamd/rspamd.sock -P '@RSPAMD_CONTROL_PASSWORD@' learn_spam
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/logrotate.conf b/mail/mail-server/files/prefix/etc/logrotate.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..57787ea
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/logrotate.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,24 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# see "man logrotate" for details
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Rotate log files weekly.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+weekly
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Keep 4 weeks worth of backlogs.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+rotate 4
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Create new (empty) log files after rotating old ones.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+create
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Use date as a suffix of the rotated file.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+dateext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Compress log files.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+compress
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# use bzip2 for log file compression
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+compresscmd /usr/bin/bzip2
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+uncompresscmd /usr/bin/bunzip2
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+compressoptions -9
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+compressext .bz2
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Add your logrotate scripts to this directory for convenient inclusion.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+include @PREFIX@/etc/logrotate.d
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/logrotate.d/mail b/mail/mail-server/files/prefix/etc/logrotate.d/mail
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..bfe00c6
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/logrotate.d/mail
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,13 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@PREFIX@/var/log/mail/*.log {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ weekly
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ missingok
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# rotate 52
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ compress
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ delaycompress
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ notifempty
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ create 640 root admin
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sharedscripts
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ postrotate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ( @PREFIX@/sbin/postfix reload ; @PREFIX@/sbin/dovecot reload ) 1> /dev/null 2>&1 || true
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ endscript
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/logrotate.d/redis b/mail/mail-server/files/prefix/etc/logrotate.d/redis
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..223bd4b
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/logrotate.d/redis
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,13 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@PREFIX@/var/log/redis.log {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ weekly
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ missingok
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# rotate 52
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ compress
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ delaycompress
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ notifempty
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ create 640 root admin
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sharedscripts
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ postrotate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ @PREFIX@/bin/port reload redis 1> /dev/null 2>&1 || true
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ endscript
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/logrotate.d/rspamd b/mail/mail-server/files/prefix/etc/logrotate.d/rspamd
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..97cb588
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/logrotate.d/rspamd
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,13 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@PREFIX@/var/log/rspamd/*.log {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ weekly
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ missingok
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# rotate 52
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ compress
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ delaycompress
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ notifempty
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ create 660 _rspamd _rspamd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sharedscripts
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ postrotate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ @PREFIX@/bin/port reload rspamd 1> /dev/null 2>&1 || true
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ endscript
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/postfix/etc/certificates/COMODORSAOrganizationValidationSecureServerCA.pem b/mail/mail-server/files/prefix/etc/postfix/etc/certificates/COMODORSAOrganizationValidationSecureServerCA.pem
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..dd9b36d
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/postfix/etc/certificates/COMODORSAOrganizationValidationSecureServerCA.pem
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,35 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-----BEGIN CERTIFICATE-----
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+MIIGDjCCA/agAwIBAgIQNoJef7WkgZN+9tFza7k8pjANBgkqhkiG9w0BAQwFADCB
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+hTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxKzApBgNV
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+BAMTIkNPTU9ETyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTQwMjEy
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+MDAwMDAwWhcNMjkwMjExMjM1OTU5WjCBljELMAkGA1UEBhMCR0IxGzAZBgNVBAgT
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+EkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMR
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Q09NT0RPIENBIExpbWl0ZWQxPDA6BgNVBAMTM0NPTU9ETyBSU0EgT3JnYW5pemF0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+aW9uIFZhbGlkYXRpb24gU2VjdXJlIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEB
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+BQADggEPADCCAQoCggEBALkU2YXyQURX/zBEHtw8RKMXuG4B+KNfwqkhHc5Z9Ozz
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+iKkJMjyxi2OkPic284/5OGYuB5dBj0um3cNfnnM858ogDU98MgXPwS5IZUqF0B9W
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+MW2O5cYy1Bu8n32W/JjXT/j0WFb440W+kRiC5Iq+r81SN1GHTx6Xweg6rvn/RuRl
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Pz/DR4MvzLhCXi1+91porl1LwKY1IfWGo8hJi5hjYA3JIUjCkjBlRrKGNQRCJX6t
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+p05LEkAAeohoXG+fo6R4ESGuPQsOvkUUI8/rddf2oPG8RWxevKEy7PNYeEIoCzoB
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+dvDFoJ7BaXDej0umed/ydrbjDxN8GDuxUWxqIDnOnmkCAwEAAaOCAWUwggFhMB8G
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+A1UdIwQYMBaAFLuvfgI9+qbxPISOre44mOzZMjLUMB0GA1UdDgQWBBSa8yvaz61P
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ti+7KkhIKhK3G0LBJDAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIB
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGwYDVR0gBBQwEjAGBgRV
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+HSAAMAgGBmeBDAECAjBMBgNVHR8ERTBDMEGgP6A9hjtodHRwOi8vY3JsLmNvbW9k
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+b2NhLmNvbS9DT01PRE9SU0FDZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNybDBxBggr
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+BgEFBQcBAQRlMGMwOwYIKwYBBQUHMAKGL2h0dHA6Ly9jcnQuY29tb2RvY2EuY29t
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+L0NPTU9ET1JTQUFkZFRydXN0Q0EuY3J0MCQGCCsGAQUFBzABhhhodHRwOi8vb2Nz
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+cC5jb21vZG9jYS5jb20wDQYJKoZIhvcNAQEMBQADggIBAGmKNmiaHjtlC+B8z6ar
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+cTuvYaQ/5GQBSRDTHY/i1e1n055bl71CHgf50Ltt9zKVWiIpYvgMnFlWJzagIhIR
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++kf0UclZeylKpUg1fMWXZuAnJTsVejJ1SpH7pmue4lP6DYwT+yO4CxIsru3bHUeQ
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+1dCTaXaROBU01xjqfrxrWN4qOZADRARKVtho5fV8aX6efVRL0NiGq2dmE1deiSoX
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+rS2uvUAOZu2K/1S0wQHLqeBHuhFhj62uI0gqxiV5iRxBBJXAEepXK9a0l/qx6RVi
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+7Epxd/3zoZza9msAKcUy5/pO6rMqpxiXHFinQjZf7BTP+HsO993MiBWamlzI8SDH
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+0YZyoRebrrr+bKgy0QB2SXP3PyeHPLbJLfqqkJDJCgmfyWkfBxmpv966+AuIgkQW
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+EH8HwIAiX3+8MN66zQd5ZFbY//NPnDC7bh5RS+bNvRfExb/IP46xH4pGtwZDb2It
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+z1GdRcqK6ROLwMeRvlu2+jdKif7wndoTJiIsBpA+ixOYoBnW3dpKSH89D4mdJHJL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+DntE/9Q2toN2I1iLFGy4XfdhbTl27d0SPWuHiJeRvsBGAh52HN22r1xP9QDWnE2p
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+4J6ijvyxFnlcIdNFgZoMOWxtKNcl0rcRkND23m9e9Pqki2Z3ci+bkEAsUhJg+f+1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+cC6JmnkJiYEt7Fx4b4GH8fxV
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-----END CERTIFICATE-----
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/postfix/etc/pam.d/smtp b/mail/mail-server/files/prefix/etc/postfix/etc/pam.d/smtp
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..37b5a1f
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/postfix/etc/pam.d/smtp
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# smtp: auth account password session with gssapi and plain fallback
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+auth sufficient pam_krb5.so try_first_pass default_principal debug
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+account sufficient pam_krb5.so
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+auth required pam_opendirectory.so
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+account required pam_nologin.so
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+account required pam_opendirectory.so
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+password required pam_opendirectory.so
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/postfix/main.cf b/mail/mail-server/files/prefix/etc/postfix/main.cf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..ef31d88
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/postfix/main.cf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,1181 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Global Postfix configuration file. This file lists only a subset
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# of all parameters. For the syntax, and for a complete parameter
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# list, see the postconf(5) manual page (command: "man 5 postconf").
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For common configuration examples, see BASIC_CONFIGURATION_README
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and STANDARD_CONFIGURATION_README. To find these documents, use
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the command "postconf html_directory readme_directory", or go to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# http://www.postfix.org/BASIC_CONFIGURATION_README.html etc.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For best results, change no more than 2-3 parameters at a time,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and test if Postfix still works after every change.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# COMPATIBILITY
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The compatibility_level determines what default settings Postfix
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# will use for main.cf and master.cf settings. These defaults will
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# change over time.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# To avoid breaking things, Postfix will use backwards-compatible
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# default settings and log where it uses those old backwards-compatible
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# default settings, until the system administrator has determined
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# if any backwards-compatible default settings need to be made
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# permanent in main.cf or master.cf.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When this review is complete, update the compatibility_level setting
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# below as recommended in the RELEASE_NOTES file.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The level below is what should be used with new (not upgrade) installs.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+compatibility_level = 2
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SOFT BOUNCE
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The soft_bounce parameter provides a limited safety net for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# testing. When soft_bounce is enabled, mail will remain queued that
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# would otherwise bounce. This parameter disables locally-generated
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# bounces, and prevents the SMTP server from rejecting mail permanently
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (by changing 5xx replies into 4xx replies). However, soft_bounce
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# is no cure for address rewriting mistakes or mail routing mistakes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#soft_bounce = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# LOCAL PATHNAME INFORMATION
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The queue_directory specifies the location of the Postfix queue.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This is also the root directory of Postfix daemons that run chrooted.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See the files in examples/chroot-setup for setting up Postfix chroot
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# environments on different UNIX systems.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+queue_directory = @PREFIX@/var/spool/postfix
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The command_directory parameter specifies the location of all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# postXXX commands.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+command_directory = @PREFIX@/sbin
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The daemon_directory parameter specifies the location of all Postfix
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# daemon programs (i.e. programs listed in the master.cf file). This
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# directory must be owned by root.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+daemon_directory = @PREFIX@/libexec/postfix
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The data_directory parameter specifies the location of Postfix-writable
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# data files (caches, random numbers). This directory must be owned
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# by the mail_owner account (see below).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+data_directory = @PREFIX@/var/lib/postfix
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# QUEUE AND PROCESS OWNERSHIP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The mail_owner parameter specifies the owner of the Postfix queue
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and of most Postfix daemon processes. Specify the name of a user
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# account THAT DOES NOT SHARE ITS USER OR GROUP ID WITH OTHER ACCOUNTS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM. In
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# particular, don't specify nobody or daemon. PLEASE USE A DEDICATED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# USER.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+mail_owner = _postfix
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The default_privs parameter specifies the default rights used by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the local delivery agent for delivery to external file or command.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# These rights are used in the absence of a recipient user context.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# DO NOT SPECIFY A PRIVILEGED USER OR THE POSTFIX OWNER.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+default_privs = nobody
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# INTERNET HOST AND DOMAIN NAMES
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The myhostname parameter specifies the internet hostname of this
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mail system. The default is to use the fully-qualified domain name
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# from gethostname(). $myhostname is used as a default value for many
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# other configuration parameters.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#myhostname = host.domain.tld
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#myhostname = virtual.domain.tld
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The mydomain parameter specifies the local internet domain name.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The default is to use $myhostname minus the first component.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# $mydomain is used as a default value for many other configuration
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# parameters.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mydomain = domain.tld
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SENDING MAIL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The myorigin parameter specifies the domain that locally-posted
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mail appears to come from. The default is to append $myhostname,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# which is fine for small sites. If you run a domain with multiple
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# machines, you should (1) change this to $mydomain and (2) set up
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# a domain-wide alias database that aliases each user to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# user@that.users.mailhost.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For the sake of consistency between sender and recipient addresses,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# myorigin also specifies the default domain name that is appended
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to recipient addresses that have no @domain part.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#myorigin = $myhostname
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#myorigin = $mydomain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# RECEIVING MAIL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The inet_interfaces parameter specifies the network interface
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# addresses that this mail system receives mail on. By default,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the software claims all active interfaces on the machine. The
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# parameter also controls delivery of mail to user@[ip.address].
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See also the proxy_interfaces parameter, for network addresses that
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# are forwarded to us via a proxy or network address translator.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: you need to stop/start Postfix when this parameter changes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#inet_interfaces = all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#inet_interfaces = $myhostname
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#inet_interfaces = $myhostname, localhost
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The proxy_interfaces parameter specifies the network interface
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# addresses that this mail system receives mail on by way of a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# proxy or network address translation unit. This setting extends
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the address list specified with the inet_interfaces parameter.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# You must specify your proxy/NAT addresses when your system is a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# backup MX host for other domains, otherwise mail delivery loops
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# will happen when the primary MX host is down.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#proxy_interfaces =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#proxy_interfaces = 1.2.3.4
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The mydestination parameter specifies the list of domains that this
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# machine considers itself the final destination for.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# These domains are routed to the delivery agent specified with the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# local_transport parameter setting. By default, that is the UNIX
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# compatible delivery agent that lookups all recipients in /etc/passwd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and /etc/aliases or their equivalent.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The default is $myhostname + localhost.$mydomain + localhost. On
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# a mail domain gateway, you should also include $mydomain.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Do not specify the names of virtual domains - those domains are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# specified elsewhere (see VIRTUAL_README).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Do not specify the names of domains that this machine is backup MX
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# host for. Specify those names via the relay_domains settings for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the SMTP server, or use permit_mx_backup if you are lazy (see
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# STANDARD_CONFIGURATION_README).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The local machine is always the final destination for mail addressed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to user@[the.net.work.address] of an interface that the mail system
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# receives mail on (see the inet_interfaces parameter).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specify a list of host or domain names, /file/name or type:table
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# patterns, separated by commas and/or whitespace. A /file/name
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# pattern is replaced by its contents; a type:table is matched when
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# a name matches a lookup key (the right-hand side is ignored).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Continue long lines by starting the next line with whitespace.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See also below, section "REJECTING MAIL FOR UNKNOWN LOCAL USERS".
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mydestination = $myhostname, localhost.$mydomain, localhost
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mail.$mydomain, www.$mydomain, ftp.$mydomain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# REJECTING MAIL FOR UNKNOWN LOCAL USERS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The local_recipient_maps parameter specifies optional lookup tables
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# with all names or addresses of users that are local with respect
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to $mydestination, $inet_interfaces or $proxy_interfaces.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If this parameter is defined, then the SMTP server will reject
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mail for unknown local users. This parameter is defined by default.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# To turn off local recipient checking in the SMTP server, specify
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# local_recipient_maps = (i.e. empty).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The default setting assumes that you use the default Postfix local
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# delivery agent for local delivery. You need to update the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# local_recipient_maps setting if:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# - You define $mydestination domain recipients in files other than
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# /etc/passwd, /etc/aliases, or the $virtual_alias_maps files.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For example, you define $mydestination domain recipients in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the $virtual_mailbox_maps files.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# - You redefine the local delivery agent in master.cf.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# - You redefine the "local_transport" setting in main.cf.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# - You use the "luser_relay", "mailbox_transport", or "fallback_transport"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# feature of the Postfix local delivery agent (see local(8)).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Details are described in the LOCAL_RECIPIENT_README file.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Beware: if the Postfix SMTP server runs chrooted, you probably have
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to access the passwd file via the proxymap service, in order to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# overcome chroot restrictions. The alternative, having a copy of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the system passwd file in the chroot jail is just not practical.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The right-hand side of the lookup tables is conveniently ignored.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# In the left-hand side, specify a bare username, an @domain.tld
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# wild-card, or specify a user@domain.tld address.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#local_recipient_maps = unix:passwd.byname $alias_maps
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#local_recipient_maps = proxy:unix:passwd.byname $alias_maps
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#local_recipient_maps =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The unknown_local_recipient_reject_code specifies the SMTP server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# response code when a recipient domain matches $mydestination or
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ${proxy,inet}_interfaces, while $local_recipient_maps is non-empty
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and the recipient address or address local-part is not found.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The default setting is 550 (reject mail) but it is safer to start
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# with 450 (try again later) until you are certain that your
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# local_recipient_maps settings are OK.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+unknown_local_recipient_reject_code = 550
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TRUST AND RELAY CONTROL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The mynetworks parameter specifies the list of "trusted" SMTP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# clients that have more privileges than "strangers".
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# In particular, "trusted" SMTP clients are allowed to relay mail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# through Postfix. See the smtpd_recipient_restrictions parameter
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# in postconf(5).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# You can specify the list of "trusted" network addresses by hand
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# or you can let Postfix do it for you (which is the default).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# By default (mynetworks_style = subnet), Postfix "trusts" SMTP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# clients in the same IP subnetworks as the local machine.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# On Linux, this does works correctly only with interfaces specified
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# with the "ifconfig" command.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specify "mynetworks_style = class" when Postfix should "trust" SMTP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# clients in the same IP class A/B/C networks as the local machine.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Don't do this with a dialup site - it would cause Postfix to "trust"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# your entire provider's network. Instead, specify an explicit
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mynetworks list by hand, as described below.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specify "mynetworks_style = host" when Postfix should "trust"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# only the local machine.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mynetworks_style = class
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mynetworks_style = subnet
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mynetworks_style = host
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Alternatively, you can specify the mynetworks list by hand, in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# which case Postfix ignores the mynetworks_style setting.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specify an explicit list of network/netmask patterns, where the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mask specifies the number of bits in the network part of a host
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# address.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# You can also specify the absolute pathname of a pattern file instead
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# of listing the patterns here. Specify type:table for table-based lookups
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (the value on the table right-hand side is not used).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mynetworks = 168.100.189.0/28, 127.0.0.0/8
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mynetworks = $config_directory/mynetworks
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mynetworks = hash:@PREFIX@/etc/postfix/network_table
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The relay_domains parameter restricts what destinations this system will
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# relay mail to. See the smtpd_recipient_restrictions description in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# postconf(5) for detailed information.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# By default, Postfix relays mail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# - from "trusted" clients (IP address matches $mynetworks) to any destination,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# - from "untrusted" clients to destinations that match $relay_domains or
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# subdomains thereof, except addresses with sender-specified routing.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The default relay_domains value is $mydestination.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# In addition to the above, the Postfix SMTP server by default accepts mail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# that Postfix is final destination for:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# - destinations that match $inet_interfaces or $proxy_interfaces,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# - destinations that match $mydestination
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# - destinations that match $virtual_alias_domains,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# - destinations that match $virtual_mailbox_domains.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# These destinations do not need to be listed in $relay_domains.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specify a list of hosts or domains, /file/name patterns or type:name
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# lookup tables, separated by commas and/or whitespace. Continue
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# long lines by starting the next line with whitespace. A file name
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# is replaced by its contents; a type:name table is matched when a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (parent) domain appears as lookup key.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NOTE: Postfix will not automatically forward mail for domains that
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# list this system as their primary or backup MX host. See the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# permit_mx_backup restriction description in postconf(5).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#relay_domains = $mydestination
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# INTERNET OR INTRANET
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The relayhost parameter specifies the default host to send mail to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# when no entry is matched in the optional transport(5) table. When
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# no relayhost is given, mail is routed directly to the destination.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# On an intranet, specify the organizational domain name. If your
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# internal DNS uses no MX records, specify the name of the intranet
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# gateway host instead.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# In the case of SMTP, specify a domain, host, host:port, [host]:port,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# [address] or [address]:port; the form [host] turns off MX lookups.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you're connected via UUCP, see also the default_transport parameter.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#relayhost = $mydomain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#relayhost = [gateway.my.domain]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#relayhost = [mailserver.isp.tld]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#relayhost = uucphost
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#relayhost = [an.ip.add.ress]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# REJECTING UNKNOWN RELAY USERS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The relay_recipient_maps parameter specifies optional lookup tables
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# with all addresses in the domains that match $relay_domains.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If this parameter is defined, then the SMTP server will reject
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mail for unknown relay users. This feature is off by default.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The right-hand side of the lookup tables is conveniently ignored.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# In the left-hand side, specify an @domain.tld wild-card, or specify
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# a user@domain.tld address.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#relay_recipient_maps = hash:@PREFIX@/etc/postfix_relay_recipients
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# INPUT RATE CONTROL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The in_flow_delay configuration parameter implements mail input
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# flow control. This feature is turned on by default, although it
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# still needs further development (it's disabled on SCO UNIX due
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to an SCO bug).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# A Postfix process will pause for $in_flow_delay seconds before
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# accepting a new message, when the message arrival rate exceeds the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# message delivery rate. With the default 100 SMTP server process
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# limit, this limits the mail inflow to 100 messages a second more
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# than the number of messages delivered per second.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specify 0 to disable the feature. Valid delays are 0..10.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#in_flow_delay = 1s
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ADDRESS REWRITING
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The ADDRESS_REWRITING_README document gives information about
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# address masquerading or other forms of address rewriting including
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# username->Firstname.Lastname mapping.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ADDRESS REDIRECTION (VIRTUAL DOMAIN)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The VIRTUAL_README document gives information about the many forms
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# of domain hosting that Postfix supports.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "USER HAS MOVED" BOUNCE MESSAGES
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See the discussion in the ADDRESS_REWRITING_README document.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TRANSPORT MAP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See the discussion in the ADDRESS_REWRITING_README document.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ALIAS DATABASE
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The alias_maps parameter specifies the list of alias databases used
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# by the local delivery agent. The default list is system dependent.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# On systems with NIS, the default is to search the local alias
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# database, then the NIS alias database. See aliases(5) for syntax
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# details.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you change the alias database, run "postalias /etc/aliases" (or
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# wherever your system stores the mail alias file), or simply run
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "newaliases" to build the necessary DBM or DB file.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# It will take a minute or so before changes become visible. Use
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "postfix reload" to eliminate the delay.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#alias_maps = dbm:/etc/aliases
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#alias_maps = hash:/etc/aliases
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#alias_maps = hash:/etc/aliases, nis:mail.aliases
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#alias_maps = netinfo:/aliases
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The alias_database parameter specifies the alias database(s) that
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# are built with "newaliases" or "sendmail -bi". This is a separate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# configuration parameter, because alias_maps (see above) may specify
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tables that are not necessarily all under control by Postfix.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#alias_database = dbm:/etc/aliases
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#alias_database = dbm:/etc/mail/aliases
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#alias_database = hash:/etc/aliases
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#alias_database = hash:/etc/aliases, hash:/opt/majordomo/aliases
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ADDRESS EXTENSIONS (e.g., user+foo)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The recipient_delimiter parameter specifies the separator between
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# user names and address extensions (user+foo). See canonical(5),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# local(8), relocated(5) and virtual(5) for the effects this has on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# aliases, canonical, virtual, relocated and .forward file lookups.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Basically, the software tries user+foo and .forward+foo before
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# trying user and .forward.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#recipient_delimiter = +
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# DELIVERY TO MAILBOX
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The home_mailbox parameter specifies the optional pathname of a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mailbox file relative to a user's home directory. The default
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mailbox file is /var/spool/mail/user or /var/mail/user. Specify
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "Maildir/" for qmail-style delivery (the / is required).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#home_mailbox = Mailbox
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#home_mailbox = Maildir/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The mail_spool_directory parameter specifies the directory where
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# UNIX-style mailboxes are kept. The default setting depends on the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# system type.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_spool_directory = /var/mail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mail_spool_directory = /var/spool/mail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The mailbox_command parameter specifies the optional external
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# command to use instead of mailbox delivery. The command is run as
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the recipient with proper HOME, SHELL and LOGNAME environment settings.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Exception: delivery for root is done as $default_user.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Other environment variables of interest: USER (recipient username),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# EXTENSION (address extension), DOMAIN (domain part of address),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and LOCAL (the address localpart).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Unlike other Postfix configuration parameters, the mailbox_command
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# parameter is not subjected to $parameter substitutions. This is to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# make it easier to specify shell syntax (see example below).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Avoid shell meta characters because they will force Postfix to run
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# an expensive shell process. Procmail alone is expensive enough.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# IF YOU USE THIS TO DELIVER MAIL SYSTEM-WIDE, YOU MUST SET UP AN
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ALIAS THAT FORWARDS MAIL FOR ROOT TO A REAL USER.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mailbox_command = /some/where/procmail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mailbox_command = /some/where/procmail -a "$EXTENSION"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The mailbox_transport specifies the optional transport in master.cf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to use after processing aliases and .forward files. This parameter
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# has precedence over the mailbox_command, fallback_transport and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# luser_relay parameters.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specify a string of the form transport:nexthop, where transport is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the name of a mail delivery transport defined in master.cf. The
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# :nexthop part is optional. For more details see the sample transport
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# configuration file.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NOTE: if you use this feature for accounts not in the UNIX password
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# file, then you must update the "local_recipient_maps" setting in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the main.cf file, otherwise the SMTP server will reject mail for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# non-UNIX accounts with "User unknown in local recipient table".
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Cyrus IMAP over LMTP. Specify ``lmtpunix cmd="lmtpd"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# listen="/var/imap/socket/lmtp" prefork=0'' in cyrus.conf.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mailbox_transport = lmtp:unix:/var/imap/socket/lmtp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Cyrus IMAP via command line. Uncomment the "cyrus...pipe" and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# subsequent line in master.cf.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mailbox_transport = cyrus
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The fallback_transport specifies the optional transport in master.cf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to use for recipients that are not found in the UNIX passwd database.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This parameter has precedence over the luser_relay parameter.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specify a string of the form transport:nexthop, where transport is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the name of a mail delivery transport defined in master.cf. The
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# :nexthop part is optional. For more details see the sample transport
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# configuration file.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NOTE: if you use this feature for accounts not in the UNIX password
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# file, then you must update the "local_recipient_maps" setting in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the main.cf file, otherwise the SMTP server will reject mail for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# non-UNIX accounts with "User unknown in local recipient table".
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#fallback_transport = lmtp:unix:/file/name
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#fallback_transport = cyrus
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#fallback_transport =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The luser_relay parameter specifies an optional destination address
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# for unknown recipients. By default, mail for unknown@$mydestination,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# unknown@[$inet_interfaces] or unknown@[$proxy_interfaces] is returned
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# as undeliverable.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The following expansions are done on luser_relay: $user (recipient
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# username), $shell (recipient shell), $home (recipient home directory),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# $recipient (full recipient address), $extension (recipient address
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# extension), $domain (recipient domain), $local (entire recipient
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# localpart), $recipient_delimiter. Specify ${name?value} or
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ${name:value} to expand value only when $name does (does not) exist.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# luser_relay works only for the default Postfix local delivery agent.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NOTE: if you use this feature for accounts not in the UNIX password
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# file, then you must specify "local_recipient_maps =" (i.e. empty) in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the main.cf file, otherwise the SMTP server will reject mail for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# non-UNIX accounts with "User unknown in local recipient table".
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#luser_relay = $user@other.host
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#luser_relay = $local@other.host
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#luser_relay = admin+$local
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# JUNK MAIL CONTROLS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The controls listed here are only a very small subset. The file
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SMTPD_ACCESS_README provides an overview.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The header_checks parameter specifies an optional table with patterns
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# that each logical message header is matched against, including
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# headers that span multiple physical lines.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# By default, these patterns also apply to MIME headers and to the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# headers of attached messages. With older Postfix versions, MIME and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# attached message headers were treated as body text.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For details, see "man header_checks".
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#header_checks = regexp:@PREFIX@/etc/postfix/header_checks
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# FAST ETRN SERVICE
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Postfix maintains per-destination logfiles with information about
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# deferred mail, so that mail can be flushed quickly with the SMTP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "ETRN domain.tld" command, or by executing "sendmail -qRdomain.tld".
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See the ETRN_README document for a detailed description.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The fast_flush_domains parameter controls what destinations are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# eligible for this service. By default, they are all domains that
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# this server is willing to relay mail to.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#fast_flush_domains = $relay_domains
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SHOW SOFTWARE VERSION OR NOT
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The smtpd_banner parameter specifies the text that follows the 220
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# code in the SMTP server's greeting banner. Some people like to see
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the mail version advertised. By default, Postfix shows no version.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# You MUST specify $myhostname at the start of the text. That is an
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# RFC requirement. Postfix itself does not care.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#smtpd_banner = $myhostname ESMTP $mail_name
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# PARALLEL DELIVERY TO THE SAME DESTINATION
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# How many parallel deliveries to the same user or domain? With local
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# delivery, it does not make sense to do massively parallel delivery
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to the same user, because mailbox updates must happen sequentially,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and expensive pipelines in .forward files can cause disasters when
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# too many are run at the same time. With SMTP deliveries, 10
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# simultaneous connections to the same domain could be sufficient to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# raise eyebrows.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Each message delivery transport has its XXX_destination_concurrency_limit
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# parameter. The default is $default_destination_concurrency_limit for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# most delivery transports. For the local delivery agent the default is 2.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#local_destination_concurrency_limit = 2
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#default_destination_concurrency_limit = 20
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# DEBUGGING CONTROL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The debug_peer_level parameter specifies the increment in verbose
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# logging level when an SMTP client or server host name or address
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# matches a pattern in the debug_peer_list parameter.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+debug_peer_level = 2
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The debug_peer_list parameter specifies an optional list of domain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# or network patterns, /file/name patterns or type:name tables. When
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# an SMTP client or server host name or address matches a pattern,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# increase the verbose logging level by the amount specified in the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# debug_peer_level parameter.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#debug_peer_list = 127.0.0.1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#debug_peer_list = some.domain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+debug_peer_list = mit.edu
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The debugger_command specifies the external command that is executed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# when a Postfix daemon program is run with the -D option.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Use "command .. & sleep 5" so that the debugger can attach before
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the process marches on. If you use an X-based debugger, be sure to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# set up your XAUTHORITY environment variable before starting Postfix.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+debugger_command =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ PATH=@PREFIX@/bin:/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ddd $daemon_directory/$process_name $process_id & sleep 5
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you can't use X, use this to capture the call stack when a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# daemon crashes. The result is in a file in the configuration
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# directory, and is named after the process name and the process ID.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# debugger_command =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# PATH=@PREFIX@/bin:/bin:/usr/bin:/usr/local/bin; export PATH; (echo cont;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# echo where) | gdb $daemon_directory/$process_name $process_id 2>&1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# >$config_directory/$process_name.$process_id.log & sleep 5
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Another possibility is to run gdb under a detached screen session.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# To attach to the screen session, su root and run "screen -r
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# <id_string>" where <id_string> uniquely matches one of the detached
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sessions (from "screen -list").
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# debugger_command =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# PATH=@PREFIX@/bin:/bin:/usr/bin:/sbin:/usr/sbin; export PATH; screen
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -dmS $process_name gdb $daemon_directory/$process_name
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# $process_id & sleep 1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# INSTALL-TIME CONFIGURATION INFORMATION
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The following parameters are used when installing a new Postfix version.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sendmail_path: The full pathname of the Postfix sendmail command.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This is the Sendmail-compatible mail posting interface.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+sendmail_path = @PREFIX@/sbin/sendmail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# newaliases_path: The full pathname of the Postfix newaliases command.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This is the Sendmail-compatible command to build alias databases.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+newaliases_path = @PREFIX@/bin/newaliases
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mailq_path: The full pathname of the Postfix mailq command. This
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# is the Sendmail-compatible mail queue listing command.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+mailq_path = @PREFIX@/bin/mailq
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# setgid_group: The group for mail submission and queue management
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# commands. This must be a group name with a numerical group ID that
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# is not shared with other accounts, not even with the Postfix account.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+setgid_group = _postdrop
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# html_directory: The location of the Postfix HTML documentation.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+html_directory = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# manpage_directory: The location of the Postfix on-line manual pages.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+manpage_directory = @PREFIX@/share/man
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sample_directory: The location of the Postfix sample configuration files.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This parameter is obsolete as of Postfix 2.1.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+sample_directory = @PREFIX@/share/postfix/sample
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# readme_directory: The location of the Postfix README files.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+readme_directory = @PREFIX@/share/postfix/readme
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# inet_protocols = ipv4
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server v.5.7 configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+inet_protocols = all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+meta_directory = @PREFIX@/etc/postfix
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+shlib_directory = @PREFIX@/libexec/postfix
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#======================================================================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+############################
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Open Source Server #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+############################
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Based on /Library/Server_v57/Mail/Config/postfix/main.cf,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# https://www.c0ffee.net/blog/mail-server-guide/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Create these directories, files
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo mkdir @PREFIX@/var/log/mail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo chmod go-rwx @PREFIX@/var/log/mail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Create @PREFIX@/etc/postfix/sasl/passwd, passwd.db with secure permissions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo rsync -a /Library/Server_v57/Mail/Config/postfix/sasl @PREFIX@/etc/postfix
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo newaliases
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo -u _postfix openssl dhparam -out @PREFIX@/var/lib/postfix/dh2048.pem 2048
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## TLS authentication of mail relays
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# openssl s_client -showcerts -servername smtp.comcast.net -connect smtp.comcast.net:587 -starttls smtp < /dev/null > smtp_comcast_net.pem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## For smtp_tls_CApath:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## break into three (or the necessary trust chain #) of .pem files delineated by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## '-----BEGIN CERTIFICATE-----'
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Use openssl x509 to track and check the trust chain:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# openssl x509 -text -noout -in COMODORSAAddTrustCA.pem | less
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Download and convert issuer certs based on e.g.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## "CA Issuers - URI:http://crt.comodoca.com/COMODORSAAddTrustCA.crt"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# curl -O http://crt.comodoca.com/COMODORSAAddTrustCA.crt
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# openssl x509 -inform der -outform -pem -in COMODORSAAddTrustCA.crt -out COMODORSAAddTrustCA.pem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# rm COMODORSAAddTrustCA.crt
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Check the certificate chain of trust
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# openssl verify -CAfile UTN-DATACorpSGC.pem AddTrustExternalCARoot.pem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# openssl verify -CAfile UTN-DATACorpSGC.pem -untrusted AddTrustExternalCARoot.pem COMODORSAAddTrustCA.pem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Compate SHA1 hashes of issuers in the chain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# openssl x509 -text -noout -in smtp_comcast_net.pem | grep -A1 "Authority Key Identifier" | tail -1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# openssl x509 -text -noout -in COMODORSAOrganizationValidationSecureServerCA.pem | grep -A1 "Subject Key Identifier" | tail -1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Create smtp_tls_CApath under ./postfix (for chroot jail) and copy the files:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo mkdir -p @PREFIX@/etc/postfix/etc/certificates
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo cp *.pem @PREFIX@/etc/postfix/etc/certificates
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo chgrp -R mail @PREFIX@/etc/postfix/etc/certificates
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo dseditgroup -o edit -a _postfix -t user mail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo dseditgroup -o edit -a _dovecot -t user mail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo dseditgroup -o edit -a _dovenull -t user mail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dscacheutil -q group -a name certusers
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dscacheutil -q group -a name mail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## For smtp_tls_CAfile:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# vi smtp_comcast_net.pem # delete non-certificate outputs before 1st --- and after last ---
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## SASL authentication for mail relays
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo mkdir @PREFIX@/etc/postfix/sasl
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo vi @PREFIX@/etc/postfix/sasl/passwd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo chgrp -R _postfix @PREFIX@/etc/postfix/sasl
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo chmod -R o-rwx @PREFIX@/etc/postfix/sasl
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo postmap @PREFIX@/etc/postfix/sasl/passwd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## NOTE: Do *not* copy over HUGE Berkeley .db files from High Sierra APNS file systems;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## this APNS/Berkeley DB bug was fixed in Mojave, which doesn't run Server.app v.5.7.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Rather,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo find /Library/Server_v57/Mail/Config -type f -name '*.db' -exec sudo du -sm {} ';' | sort -rn
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## to find affected files, then use postmap to recreate them on the new server.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## The only way to fix these on an old server is to create the .db files on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## an attached HDFS drive, then create symbolic links on the High Sierra APNS drive.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Observed to be necessary for /Library/Server/Mail/Data/scanner/amavis/.spamassassin/, ./postfix/*.db
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Debugging
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mailq
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo postsuper -d ALL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo vi @PREFIX@/etc/postfix/main.cf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo bash -c 'postfix reload ; sleep 1 ; nmap -p 25 localhost ; lsof -i ":25" ; postfix status ; postfix check'
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sendmail -vt < ~/mail.txt
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo less @PREFIX@/var/log/mail/postfix.log
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## mail.txt
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# To: me@isp.net
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Subject: postfix configuration test
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# From: admin@domain.tld
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# My first SMTP email test.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Logging
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+maillog_file = @PREFIX@/var/log/mail/postfix.log
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+maillog_file_compressor = bzip2
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+maillog_file_prefixes = @PREFIX@/var/log/mail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# maillog_file_rotate_suffix =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server v.5.7 configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+smtp_tls_loglevel = 1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# use 0 for Postfix >= 2.9, and 1 for earlier versions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+smtpd_tls_loglevel = 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server v.5.7 configuration settings that do not appear elsewhere
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Commented-out settings are often specific to macOS Server.app's postfix build
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dovecot
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server v.5.7 configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dovecot_destination_recipient_limit = 1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Alias maps, database if mailman is used
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# alias_maps = hash:@PREFIX@/etc/postfix/aliases, hash:@PREFIX@/var/mailman/data/aliases
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# alias_database = hash:@PREFIX@/etc/postfix/aliases, hash:@PREFIX@/var/mailman/data/aliases
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Protect SSL/TLS encryption keys
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+tls_random_source = dev:/dev/urandom
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (APPLE) Credentials for using URLAUTH with IMAP servers.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# imap_submit_cred_file = /Library/Server/Mail/Config/postfix/submit.cred
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (APPLE) The SACL cache caches the results of Mail Service ACL lookups.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Tune these to make the cache more responsive to changes in the SACL.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The cache is only in memory, so bouncing the sacl-cache service clears it.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# use_sacl_cache = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sacl_cache_positive_expire_time = 7d
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sacl_cache_negative_expire_time = 1d
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sacl_cache_disabled_expire_time = 1m
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (APPLE) Reject messages having any MIME body part (attachment, etc.)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# larger than this number of bytes. 0, the default, means no limit.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mime_max_body_size = 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#======================================================================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server v.5.7 configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mydomain_fallback = localhost
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+mynetworks = 127.0.0.0/8, [::1]/128
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+inet_interfaces = all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server v.5.7 configuration; site-specific, pre-defined
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# config_directory = /Library/Server/Mail/Config/postfix
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# smtpd_require_virtual_map = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# virtual_alias_domains = $virtual_alias_maps, hash:@PREFIX@/etc/postfix/virtual_domains
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# virtual_alias_maps = $virtual_maps, hash:@PREFIX@/etc/postfix/virtual_users
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server v.5.7 configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# enable_server_options = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# smtpd_pw_server_security_options = cram-md5,digest-md5,gssapi,login,plain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# content_filter = smtp-amavis:[127.0.0.1]:10024
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server v.5.7 configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# smtpd_use_pw_server = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+header_checks = pcre:@PREFIX@/etc/postfix/custom_header_checks
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+recipient_canonical_maps = hash:@PREFIX@/etc/postfix/system_user_maps
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+postscreen_dnsbl_sites = zen.spamhaus.org*2
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+mailbox_transport = lmtp:unix:private/dovecot-lmtp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Added by Server.app>Mail>Filtering Settings... > Enable greylist filtering
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# smtpd_recipient_restrictions = permit_sasl_authenticated reject_unauth_destination check_policy_service unix:private/policy permit
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SMTP Recipient and Relay Restrictions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# http://www.postfix.org/SMTPD_ACCESS_README.html
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# https://bbs.archlinux.org/viewtopic.php?id=158020
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# http://superuser.com/questions/664516/noqueue-reject-relay-access-denied
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/policy permit
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+compatibility_level = 2
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# disable "new mail" notifications for local users
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+biff = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Name of this mail server, used in the SMTP HELO for outgoing mail. Make
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sure this resolves to the same IP as your reverse DNS hostname.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+myhostname = mail.@domain@.@tld@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+mydomain = @domain@.@tld@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Domains for which postfix will deliver local mail. Does not apply to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# virtual domains, which are configured below. Make sure to specify the FQDN
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# of your sever, as well as localhost.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: NEVER specify any virtual domains here!!! Those come later.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server v.5.7 configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Domain appended to mail sent locally from this machine - such as mail sent
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# via the `sendmail` command.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+myorigin = $mydomain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# prevent spammers from searching for valid users
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+disable_vrfy_command = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# require properly formatted email addresses - prevents a lot of spam
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+strict_rfc821_envelopes = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# don't give any helpful info when a mailbox doesn't exist
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+show_user_unknown_table_name = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# limit maximum e-mail size to 25MB. mailbox size must be at least as big as
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the message size for the mail to be accepted, but has no meaning after
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# that since we are using Dovecot for delivery.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# default mailbox size limit set to no limit
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+message_size_limit = 25165824
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+mailbox_size_limit = 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# require addresses of the form "user@domain.tld"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+allow_percent_hack = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+swap_bangpath = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# allow plus-aliasing: "user+tag@domain.tld" delivers to "user" mailbox
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Handle both Postfix and qmail extensions (Postfix 2.11 and later).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# `recipient_delimiter = +` used by CalendarServer
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Do *not* use `smtpd_recipient_restrictions = reject_unverified_recipient …`
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# if `recipient_delimiter = yes` *and* dovecot-lmtp is used; also see
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dovecot/conf.d/15-lda.conf and dovecot/conf.d/20-lmtp.conf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+recipient_delimiter = +
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# PKI for Client (smtp) and Server (smtpd)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server.app v.5.8 creates a symbolic link `default_certificate` to the RSA certificate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# it creates, which will be a PEM names hostname.domainname.<SHA-1 40 hex-digit fingerprint>.cert.pem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Double-check the fingerprints of certificates in Keychain Access.app, and double-check the fingerprint
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# of the certificate itself with the OpenSSL command:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# openssl x509 -noout -fingerprint -sha1 -inform pem -in <cert filename>.cert.pem | tr -d ':'
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Enter the filenames directly (not the `default_certificate` link) because key files are also necessary
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+smtpd_tls_chain_files = @PREFIX@/etc/certificates/private/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.key.pem.decrypted /etc/certificates/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.chain.pem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Put this Server.app certificate in smtp_tls_CApath; see below
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# smtp_tls_CAfile = @PREFIX@/etc/postfix/etc/certificates/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.chain.pem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+smtp_tls_CAfile = @PREFIX@/etc/certificates/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.chain.pem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# smtp_ (postfix client) configuration
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+smtp_enforce_tls = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# These two lines define how postfix will connect to other mail servers.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# DANE is a stronger form of opportunistic TLS. You can read about it here:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# http://www.postfix.org/TLS_README.html#client_tls_dane
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+smtp_tls_security_level = dane
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+smtp_dns_support_level = dnssec
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# DANE requires a DNSSEC capable resolver. If your DNS resolver doesn't
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# support DNSSEC, remove the above two lines and uncomment the below:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Implement DNSSEC if named is ever put outside the firewall, and DNSSEC infrastructure uses ED25519
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# smtp_tls_security_level = may
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server v.5.7 configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+smtp_tls_protocols = !SSLv2, !SSLv3
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Trimmed cipherlist improves interoperability with old Exchange servers
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and reduces exposure to obsolete and rarely used crypto. See:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# http://www.postfix.org/postconf.5.html#smtp_tls_exclude_ciphers
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# http://www.postfix.org/postconf.5.html#smtpd_tls_exclude_ciphers
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+smtp_tls_exclude_ciphers = EXPORT, LOW, MD5, aDSS, kECDHe, kECDHr, kDHd, kDHr, SEED, IDEA, RC2
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SMTP Relay and SASL Authentication Configuration
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server v.5.7 configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# `relayhost` is the host:port of the SMTP relay e.g. smtp.comcast.net:587
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+relayhost = [@RELAYHOST@]:submission
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# `smtp_sasl_password_maps` has SMTP server authentication credentials of the form:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# [host]:port\t username:password\n [\t == <tab>, \n == <newline>]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# with group ownership _postfix and no "other" permissions:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo mkdir @PREFIX@/etc/postfix/sasl
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo vi @PREFIX@/etc/postfix/sasl/passwd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo chgrp -R _postfix @PREFIX@/etc/postfix/sasl
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo chmod -R o-rwx @PREFIX@/etc/postfix/sasl
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo postmap @PREFIX@/etc/postfix/sasl/passwd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+smtp_sasl_password_maps = hash:@PREFIX@/etc/postfix/sasl/passwd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+smtp_sasl_auth_enable = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+smtp_sasl_security_options = noanonymous
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+smtp_sasl_tls_security_options = noanonymous
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+smtp_sasl_mechanism_filter = plain, gssapi
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# `smtp_tls_CApath` is the directory with the certificate authorities for the SMTP relay and/or servers
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# `postfix check` says that these must belong to root.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Example retrieval of this certificate chain from ISP:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# echo "quit" | openssl s_client -showcerts -servername smtp.comcast.net -connect smtp.comcast.net:587 -starttls smtp > smtp_comcast_net.pem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## For smtp_tls_CApath:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## break into three (or the necessary trust chain #) of .pem files delineated by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## '-----BEGIN CERTIFICATE-----'
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Use openssl x509 to track and check the trust chain:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# openssl x509 -text -noout -in COMODORSAAddTrustCA.pem | less
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Download and convert issuer certs based on e.g.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## "CA Issuers - URI:http://crt.comodoca.com/COMODORSAAddTrustCA.crt"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# curl -O http://crt.comodoca.com/COMODORSAAddTrustCA.crt
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# openssl x509 -inform der -outform -pem -in COMODORSAAddTrustCA.crt -out COMODORSAAddTrustCA.pem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# rm COMODORSAAddTrustCA.crt
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Check the certificate chain of trust
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# openssl verify -CAfile UTN-DATACorpSGC.pem AddTrustExternalCARoot.pem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# openssl verify -CAfile UTN-DATACorpSGC.pem -untrusted AddTrustExternalCARoot.pem COMODORSAAddTrustCA.pem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Compate SHA1 hashes of issuers in the chain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# openssl x509 -text -noout -in smtp_comcast_net.pem | grep -A1 "Authority Key Identifier" | tail -1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# openssl x509 -text -noout -in COMODORSAOrganizationValidationSecureServerCA.pem | grep -A1 "Subject Key Identifier" | tail -1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Create smtp_tls_CApath under ./postfix (for chroot jail) and copy the files:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo mkdir -p @PREFIX@/etc/postfix/etc/certificates
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo cp *.pem @PREFIX@/etc/postfix/etc/certificates
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo chgrp -R mail @PREFIX@/etc/postfix/etc/certificates
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo dseditgroup -o edit -a _postfix -t user mail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo dseditgroup -o edit -a _dovecot -t user mail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo dseditgroup -o edit -a _dovenull -t user mail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dscacheutil -q group -a name certusers
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dscacheutil -q group -a name mail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+smtp_tls_CApath = @PREFIX@/etc/postfix/etc/certificates
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## For smtp_tls_CAfile:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# vi smtp_comcast_net.pem # delete non-certificate outputs before 1st --- and after last ---
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# concatenate Server.app's hostname.domainname.SHA-1.cert.pem file into this file
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# smtp_tls_CAfile = @PREFIX@/etc/postfix/etc/certificates/smtp_tls_CAfile.pem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# IP address used by postfix to send outgoing mail. You only need this if
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# your machine has multiple IP addresses - set it to your MX address to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# satisfy your SPF record.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# smtp_bind_address = my IP == `host $mydomain`
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# smtp_bind_address6 = my IPv6 == `host -6 $mydomain`
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server v.5.7 configuration that doesn't appear elewhere
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# smtpd (postfix server) configuration
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Also see this for rationale on postfix TLS configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# https://drownattack.com/postfix.html
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# https://serverfault.com/questions/693179/postfix-mandatory-smtp-smtpd-vs-not-mandatory-difference-and-configuration
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# allow other mail servers to connect using TLS, but don't require it
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+smtpd_tls_security_level = may
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server v.5.7 configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+smtpd_enforce_tls = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+smtpd_use_tls = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Here we define the options for "mandatory" TLS. In our setup, TLS is only
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "mandatory" for authenticating users. I got these settings from Mozilla's
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SSL reccomentations page.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NOTE: do not attempt to make TLS mandatory for all incoming/outgoing
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connections. Do not attempt to change the default cipherlist for non-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mandatory connections either. There are still a lot of mail servers out
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# there that do not use TLS, and many that do only support old ciphers.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Forcing TLS for everyone *will* cause you to lose mail.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# man 5 postconf /smtpd_tls_mandatory_protocols: "Explicitly listing the protocols to include, rather than protocols to exclude, is supported, but not recommended."
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: if `smtpd_tls_security_level = may`, then bad encryption is better than no encryption;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# therefore, do *not* set smtpd_tls_mandatory_protocols or smtpd_tls_protocols to be too restrictive
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+smtpd_tls_protocols = !SSLv2, !SSLv3
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+smtpd_tls_mandatory_ciphers = high
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server v.5.7 configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+smtpd_tls_ciphers = medium
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# man 5 postconf /tls_high_cipherlist: "You are strongly encouraged to not change this setting."
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tls_high_cipherlist = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server v.5.7 configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# smtpd_tls_protocols = !SSLv2, !SSLv3
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# List of ciphers or cipher types to exclude from the SMTP server cipher
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# list at all TLS security levels.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # macOS Server v.5.7 configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# smtpd_tls_exclude_ciphers = SSLv2, 3DES, aNULL, ADH, eNULL, EXPORT
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+smtpd_tls_exclude_ciphers = SSLv2, 3DES, aNULL, ADH, eNULL, EXPORT, LOW, MD5, SEED, IDEA, RC2
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Enable forward-secrecy with a 2048-bit prime and the P-256 EC curve. See
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# http://www.postfix.org/FORWARD_SECRECY_README.html#server_fs
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# http://www.postfix.org/postconf.5.html#smtpd_tls_dh1024_param_file
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# http://www.postfix.org/postconf.5.html#smtpd_tls_eecdh_grade
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The default DH parameters use a 2048-bit strong prime as of Postfix 3.1.0.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# man 5 postconf /smtpd_tls_dh1024_param_file
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo -u _postfix openssl dhparam -out @PREFIX@/var/lib/postfix/dh512.pem 512
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo -u _postfix openssl dhparam -out @PREFIX@/var/lib/postfix/dh2048.pem 1024
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo -u _postfix openssl dhparam -out @PREFIX@/var/lib/postfix/dh2048.pem 2048
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+smtpd_tls_dh1024_param_file=${data_directory}/dh2048.pem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+smtpd_tls_eecdh_grade = ultra
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache incoming and outgoing TLS sessions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# man 5 postconf : "for Postfix >= 2.11 this parameter should generally be left empty"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_tlscache
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# smtp_tls_session_cache_database = btree:${data_directory}/smtp_tlscache
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# enable SMTPD auth. Dovecot will place an `auth` socket in postfix's
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# runtime directory that we will use for authentication.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+smtpd_sasl_auth_enable = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Kerberos authentication settings
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+import_environment="KRB5_KTNAME=@PREFIX@/etc/postfix/smtp.keytab"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Kerberos REALM
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+smtpd_sasl_local_domain = @HOST@.@DOMAIN@.@TLD@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Dovecot SASL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+smtpd_sasl_path = private/auth
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+smtpd_sasl_type = dovecot
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## SASLAUTHD SASL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## smtpd_sasl_path = saslauthd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## smtpd_sasl_type = cyrus
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# only allow authentication over TLS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+smtpd_tls_auth_only = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# don't allow plaintext auth methods on unencrypted connections
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server v.5.7 configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# smtpd_sasl_security_options = noanonymous
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# smtpd_sasl_security_options = noanonymous, noplaintext
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# but plaintext auth is fine when using TLS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+smtpd_sasl_tls_security_options = noanonymous
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# add a message header when email was recieved over TLS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+smtpd_tls_received_header = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# require that connecting mail servers identify themselves - this greatly
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# reduces spam
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+smtpd_helo_required = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The following block specifies some security restrictions for incoming
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mail. The gist of it is, authenticated users and connections from
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# localhost can do anything they want. Random people connecting over the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# internet are treated with more suspicion: they must have a reverse DNS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# entry and present a valid, FQDN HELO hostname. In addition, they can only
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# send mail to valid mailboxes on the server, and the sender's domain must
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# actually exist.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server v.5.7 configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated reject_rbl_client zen.spamhaus.org permit
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_rbl_client, zen.spamhaus.org, permit
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The settings `reject_unknown_reverse_client_hostname, reject_unauth_pipelining` here cause "451 4.3.5 Server configuration error"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_rbl_client, reject_unknown_reverse_client_hostname, reject_unauth_pipelining, zen.spamhaus.org, permit
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# you might want to consider:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# reject_unknown_client_hostname,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# here. This will reject all incoming connections without a reverse DNS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# entry that resolves back to the client's IP address. This is a very
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# restrictive check and may reject legitimate mail.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# macOS Server v.5.7 configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# smtpd_helo_restrictions = reject_non_fqdn_helo_hostname reject_invalid_helo_hostname
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# you might want to consider:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# reject_unknown_helo_hostname,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# here. This will reject all incoming mail without a HELO hostname that
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# properly resolves in DNS. This is a somewhat restrictive check and may
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# reject legitimate mail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_sender_domain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf); but commented out
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# !!! THIS SETTING PREVENTS YOU FROM BEING AN OPEN RELAY !!!
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ reject_unauth_destination
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# !!! DO NOT REMOVE IT UNDER ANY CIRCUMSTANCES !!!
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf); but commented out
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # Added by Server.app>Mail>Filtering Settings... > Enable greylist filtering
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # smtpd_recipient_restrictions = permit_sasl_authenticated reject_unauth_destination check_policy_service unix:private/policy permit
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # SMTP Recipient and Relay Restrictions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # http://www.postfix.org/SMTPD_ACCESS_README.html
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # https://bbs.archlinux.org/viewtopic.php?id=158020
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # http://superuser.com/questions/664516/noqueue-reject-relay-access-denied
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/policy permit
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Do *not* use `smtpd_recipient_restrictions = reject_unverified_recipient …`
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# if `recipient_delimiter = yes` *and* dovecot-lmtp is used; also see
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dovecot/conf.d/15-lda.conf and dovecot/conf.d/20-lmtp.conf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+smtpd_data_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_multi_recipient_bounce, reject_unauth_pipelining
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Check:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo bash -c 'port unload postfix ; port unload dovecot2 ; ( cd @PREFIX@/var/log/mail ; > postfix.log ; > mail-err.log ; > mail-debug.log ; > mail-info.log ); port load postfix ; port load dovecot2'
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo cp -p /etc/pam.d/dovecot /etc/pam.d/smtp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo mkdir -p @PREFIX@/var/spool/postfix/etc
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo touch @PREFIX@/var/spool/postfix/etc/sasldb2
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo chgrp mail @PREFIX@/var/spool/postfix/etc/sasldb2
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo chmod 0640 @PREFIX@/var/spool/postfix/etc/sasldb2
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# gtelnet @host@.@domain@.@tld@ 25
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# EHLO @host@.@domain@.@tld@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# AUTH PLAIN `printf "username\000username\000password" | base64`
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Test base64-encoded credentials:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# printf "username\000username\000password" | base64 | openssl based64 -d | od -c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## SASL authentication alone
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## sudo touch @PREFIX@/etc/sasldb2
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## sudo chgrp mail @PREFIX@/etc/sasldb2
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## sudo chmod 0640 @PREFIX@/etc/sasldb2
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## sudo saslauthd -a pam
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## testsaslauthd -u username -p "password" -s smtp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Virtual users. Uncomment these after LDAP authentication set up
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# deliver mail for virtual users to Dovecot's LMTP socket
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+virtual_transport = lmtp:unix:private/dovecot-lmtp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# LDAP query to find which domains we accept mail for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#virtual_mailbox_domains = ldap:/usr/local/etc/postfix/ldap-virtual-mailbox-domains.cf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# LDAP query to find which email addresses we accept mail for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#virtual_mailbox_maps = ldap:/usr/local/etc/postfix/ldap-virtual-mailbox-maps.cf, hash:/usr/local/etc/postfix/system-virtual-mailboxes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# LDAP query to find a user's email aliases
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#virtual_alias_maps = ldap:/usr/local/etc/postfix/ldap-virtual-alias-maps.cf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Rspamd milter [email broken_richtext.eml to test]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+milter_protocol = 6
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# if rspamd is down, don't reject mail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+milter_default_action = accept
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Use rspamd's default worker-proxy (add $queue_directory/etc/hosts in chroot)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#smtpd_milters = inet:localhost:11332
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Use rspamd's socket (add $queue_directory@PREFIX@/var/run/rspamd/milter.sock in chroot)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+smtpd_milters = unix:@PREFIX@/var/run/rspamd/milter.sock
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/postfix/master.cf b/mail/mail-server/files/prefix/etc/postfix/master.cf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..c967032
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/postfix/master.cf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,143 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Preparation for postfix chroot:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## see queue_directory [@PREFIX@/var/spool/postfix]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo mkdir @PREFIX@/var/spool/postfix/etc
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo cp -p /etc/hosts @PREFIX@/var/spool/postfix/etc
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo cp -p /etc/services @PREFIX@/var/spool/postfix/etc
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Postfix master process configuration file. For details on the format
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# of the file, see the master(5) manual page (command: "man 5 master" or
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# on-line: http://www.postfix.org/master.5.html).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Do not forget to execute "postfix reload" after editing this file.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# chroot changes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo cp -f /etc/services @PREFIX@/var/spool/postfix/etc/services
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ==========================================================================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# service type private unpriv chroot wakeup maxproc command + args
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (yes) (yes) (no) (never) (100)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ==========================================================================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+smtp inet n - y - - smtpd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#smtp inet n - n - 1 postscreen
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#smtpd pass - - n - - smtpd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#dnsblog unix - - n - 0 dnsblog
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#tlsproxy unix - - n - 0 tlsproxy
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+submission inet n - y - - smtpd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -o syslog_name=postfix/submission
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -o smtpd_tls_security_level=encrypt
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -o smtpd_sasl_auth_enable=yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -o smtpd_tls_auth_only=yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -o smtpd_reject_unlisted_recipient=no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -o smtpd_client_restrictions=$mua_client_restrictions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -o smtpd_helo_restrictions=$mua_helo_restrictions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -o smtpd_sender_restrictions=$mua_sender_restrictions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -o smtpd_recipient_restrictions=
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -o milter_macro_daemon_name=ORIGINATING
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#smtps inet n - n - - smtpd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -o syslog_name=postfix/smtps
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -o smtpd_tls_wrappermode=yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -o smtpd_sasl_auth_enable=yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -o smtpd_reject_unlisted_recipient=no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -o smtpd_client_restrictions=$mua_client_restrictions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -o smtpd_helo_restrictions=$mua_helo_restrictions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -o smtpd_sender_restrictions=$mua_sender_restrictions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -o smtpd_recipient_restrictions=
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -o milter_macro_daemon_name=ORIGINATING
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#628 inet n - n - - qmqpd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+pickup unix n - n 60 1 pickup
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+cleanup unix n - n - 0 cleanup
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+qmgr unix n - n 300 1 qmgr
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#qmgr unix n - n 300 1 oqmgr
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+tlsmgr unix - - n 1000? 1 tlsmgr
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+rewrite unix - - n - - trivial-rewrite
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+bounce unix - - n - 0 bounce
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+defer unix - - n - 0 bounce
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+trace unix - - n - 0 bounce
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+verify unix - - n - 1 verify
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+flush unix n - n 1000? 0 flush
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+proxymap unix - - n - - proxymap
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+proxywrite unix - - n - 1 proxymap
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+smtp unix - - y - - smtp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+relay unix - - y - - smtp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -o syslog_name=postfix/$service_name
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+showq unix n - n - - showq
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+error unix - - n - - error
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+retry unix - - n - - error
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+discard unix - - n - - discard
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+local unix - n n - - local
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+virtual unix - n n - - virtual
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+lmtp unix - - y - - lmtp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+anvil unix - - n - 1 anvil
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+scache unix - - n - 1 scache
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+postlog unix-dgram n - n - 1 postlogd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ====================================================================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Interfaces to non-Postfix software. Be sure to examine the manual
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# pages of the non-Postfix software to find out what options it wants.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Many of the following services use the Postfix pipe(8) delivery
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# agent. See the pipe(8) man page for information about ${recipient}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and other message envelope options.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ====================================================================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# maildrop. See the Postfix MAILDROP_README file for details.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Also specify in main.cf: maildrop_destination_recipient_limit=1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#maildrop unix - n n - - pipe
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ====================================================================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specify in cyrus.conf:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specify in main.cf one or more of the following:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mailbox_transport = lmtp:inet:localhost
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# virtual_transport = lmtp:inet:localhost
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ====================================================================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Cyrus 2.1.5 (Amos Gouaux)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Also specify in main.cf: cyrus_destination_recipient_limit=1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#cyrus unix - n n - - pipe
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ====================================================================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Old example of delivery via Cyrus.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#old-cyrus unix - n n - - pipe
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ====================================================================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See the Postfix UUCP_README file for configuration details.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#uucp unix - n n - - pipe
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ====================================================================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Other external delivery methods.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#ifmail unix - n n - - pipe
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#bsmtp unix - n n - - pipe
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#scalemail-backend unix - n n - 2 pipe
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ${nexthop} ${user} ${extension}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mailman unix - n n - - pipe
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ${nexthop} ${user}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/postfix/master.cf.chroot b/mail/mail-server/files/prefix/etc/postfix/master.cf.chroot
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..c967032
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/postfix/master.cf.chroot
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,143 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Preparation for postfix chroot:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## see queue_directory [@PREFIX@/var/spool/postfix]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo mkdir @PREFIX@/var/spool/postfix/etc
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo cp -p /etc/hosts @PREFIX@/var/spool/postfix/etc
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo cp -p /etc/services @PREFIX@/var/spool/postfix/etc
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Postfix master process configuration file. For details on the format
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# of the file, see the master(5) manual page (command: "man 5 master" or
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# on-line: http://www.postfix.org/master.5.html).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Do not forget to execute "postfix reload" after editing this file.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# chroot changes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo cp -f /etc/services @PREFIX@/var/spool/postfix/etc/services
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ==========================================================================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# service type private unpriv chroot wakeup maxproc command + args
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (yes) (yes) (no) (never) (100)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ==========================================================================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+smtp inet n - y - - smtpd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#smtp inet n - n - 1 postscreen
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#smtpd pass - - n - - smtpd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#dnsblog unix - - n - 0 dnsblog
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#tlsproxy unix - - n - 0 tlsproxy
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+submission inet n - y - - smtpd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -o syslog_name=postfix/submission
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -o smtpd_tls_security_level=encrypt
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -o smtpd_sasl_auth_enable=yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -o smtpd_tls_auth_only=yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -o smtpd_reject_unlisted_recipient=no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -o smtpd_client_restrictions=$mua_client_restrictions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -o smtpd_helo_restrictions=$mua_helo_restrictions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -o smtpd_sender_restrictions=$mua_sender_restrictions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -o smtpd_recipient_restrictions=
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -o milter_macro_daemon_name=ORIGINATING
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#smtps inet n - n - - smtpd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -o syslog_name=postfix/smtps
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -o smtpd_tls_wrappermode=yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -o smtpd_sasl_auth_enable=yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -o smtpd_reject_unlisted_recipient=no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -o smtpd_client_restrictions=$mua_client_restrictions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -o smtpd_helo_restrictions=$mua_helo_restrictions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -o smtpd_sender_restrictions=$mua_sender_restrictions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -o smtpd_recipient_restrictions=
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -o milter_macro_daemon_name=ORIGINATING
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#628 inet n - n - - qmqpd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+pickup unix n - n 60 1 pickup
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+cleanup unix n - n - 0 cleanup
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+qmgr unix n - n 300 1 qmgr
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#qmgr unix n - n 300 1 oqmgr
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+tlsmgr unix - - n 1000? 1 tlsmgr
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+rewrite unix - - n - - trivial-rewrite
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+bounce unix - - n - 0 bounce
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+defer unix - - n - 0 bounce
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+trace unix - - n - 0 bounce
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+verify unix - - n - 1 verify
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+flush unix n - n 1000? 0 flush
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+proxymap unix - - n - - proxymap
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+proxywrite unix - - n - 1 proxymap
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+smtp unix - - y - - smtp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+relay unix - - y - - smtp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -o syslog_name=postfix/$service_name
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+showq unix n - n - - showq
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+error unix - - n - - error
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+retry unix - - n - - error
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+discard unix - - n - - discard
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+local unix - n n - - local
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+virtual unix - n n - - virtual
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+lmtp unix - - y - - lmtp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+anvil unix - - n - 1 anvil
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+scache unix - - n - 1 scache
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+postlog unix-dgram n - n - 1 postlogd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ====================================================================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Interfaces to non-Postfix software. Be sure to examine the manual
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# pages of the non-Postfix software to find out what options it wants.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Many of the following services use the Postfix pipe(8) delivery
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# agent. See the pipe(8) man page for information about ${recipient}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and other message envelope options.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ====================================================================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# maildrop. See the Postfix MAILDROP_README file for details.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Also specify in main.cf: maildrop_destination_recipient_limit=1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#maildrop unix - n n - - pipe
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ====================================================================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specify in cyrus.conf:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specify in main.cf one or more of the following:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mailbox_transport = lmtp:inet:localhost
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# virtual_transport = lmtp:inet:localhost
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ====================================================================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Cyrus 2.1.5 (Amos Gouaux)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Also specify in main.cf: cyrus_destination_recipient_limit=1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#cyrus unix - n n - - pipe
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ====================================================================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Old example of delivery via Cyrus.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#old-cyrus unix - n n - - pipe
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ====================================================================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See the Postfix UUCP_README file for configuration details.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#uucp unix - n n - - pipe
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ====================================================================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Other external delivery methods.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#ifmail unix - n n - - pipe
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#bsmtp unix - n n - - pipe
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#scalemail-backend unix - n n - 2 pipe
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ${nexthop} ${user} ${extension}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mailman unix - n n - - pipe
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ${nexthop} ${user}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/postfix/master.cf.nochroot b/mail/mail-server/files/prefix/etc/postfix/master.cf.nochroot
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..17962fb
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/postfix/master.cf.nochroot
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,133 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Postfix master process configuration file. For details on the format
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# of the file, see the master(5) manual page (command: "man 5 master" or
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# on-line: http://www.postfix.org/master.5.html).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Do not forget to execute "postfix reload" after editing this file.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ==========================================================================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# service type private unpriv chroot wakeup maxproc command + args
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (yes) (yes) (no) (never) (100)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ==========================================================================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+smtp inet n - n - - smtpd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#smtp inet n - n - 1 postscreen
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#smtpd pass - - n - - smtpd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#dnsblog unix - - n - 0 dnsblog
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#tlsproxy unix - - n - 0 tlsproxy
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+submission inet n - n - - smtpd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -o syslog_name=postfix/submission
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -o smtpd_tls_security_level=encrypt
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -o smtpd_sasl_auth_enable=yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -o smtpd_tls_auth_only=yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -o smtpd_reject_unlisted_recipient=no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -o smtpd_client_restrictions=$mua_client_restrictions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -o smtpd_helo_restrictions=$mua_helo_restrictions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -o smtpd_sender_restrictions=$mua_sender_restrictions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -o smtpd_recipient_restrictions=
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -o milter_macro_daemon_name=ORIGINATING
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#smtps inet n - n - - smtpd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -o syslog_name=postfix/smtps
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -o smtpd_tls_wrappermode=yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -o smtpd_sasl_auth_enable=yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -o smtpd_reject_unlisted_recipient=no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -o smtpd_client_restrictions=$mua_client_restrictions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -o smtpd_helo_restrictions=$mua_helo_restrictions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -o smtpd_sender_restrictions=$mua_sender_restrictions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -o smtpd_recipient_restrictions=
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -o milter_macro_daemon_name=ORIGINATING
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#628 inet n - n - - qmqpd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+pickup unix n - n 60 1 pickup
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+cleanup unix n - n - 0 cleanup
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+qmgr unix n - n 300 1 qmgr
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#qmgr unix n - n 300 1 oqmgr
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+tlsmgr unix - - n 1000? 1 tlsmgr
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+rewrite unix - - n - - trivial-rewrite
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+bounce unix - - n - 0 bounce
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+defer unix - - n - 0 bounce
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+trace unix - - n - 0 bounce
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+verify unix - - n - 1 verify
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+flush unix n - n 1000? 0 flush
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+proxymap unix - - n - - proxymap
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+proxywrite unix - - n - 1 proxymap
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+smtp unix - - n - - smtp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+relay unix - - n - - smtp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -o syslog_name=postfix/$service_name
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+showq unix n - n - - showq
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+error unix - - n - - error
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+retry unix - - n - - error
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+discard unix - - n - - discard
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+local unix - n n - - local
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+virtual unix - n n - - virtual
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+lmtp unix - - n - - lmtp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+anvil unix - - n - 1 anvil
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+scache unix - - n - 1 scache
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+postlog unix-dgram n - n - 1 postlogd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ====================================================================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Interfaces to non-Postfix software. Be sure to examine the manual
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# pages of the non-Postfix software to find out what options it wants.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Many of the following services use the Postfix pipe(8) delivery
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# agent. See the pipe(8) man page for information about ${recipient}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and other message envelope options.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ====================================================================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# maildrop. See the Postfix MAILDROP_README file for details.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Also specify in main.cf: maildrop_destination_recipient_limit=1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#maildrop unix - n n - - pipe
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ====================================================================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specify in cyrus.conf:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specify in main.cf one or more of the following:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mailbox_transport = lmtp:inet:localhost
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# virtual_transport = lmtp:inet:localhost
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ====================================================================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Cyrus 2.1.5 (Amos Gouaux)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Also specify in main.cf: cyrus_destination_recipient_limit=1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#cyrus unix - n n - - pipe
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ====================================================================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Old example of delivery via Cyrus.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#old-cyrus unix - n n - - pipe
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ====================================================================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See the Postfix UUCP_README file for configuration details.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#uucp unix - n n - - pipe
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ====================================================================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Other external delivery methods.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#ifmail unix - n n - - pipe
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#bsmtp unix - n n - - pipe
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#scalemail-backend unix - n n - 2 pipe
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ${nexthop} ${user} ${extension}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#mailman unix - n n - - pipe
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ${nexthop} ${user}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/postfix/sasl/passwd b/mail/mail-server/files/prefix/etc/postfix/sasl/passwd
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..7c476ea
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/postfix/sasl/passwd
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+[@RELAYHOST@]:submission myusername:mypassword
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/postfix/sasl/smtpd.conf b/mail/mail-server/files/prefix/etc/postfix/sasl/smtpd.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..b21406d
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/postfix/sasl/smtpd.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,2 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+pwcheck_method: saslauthd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+mech_list: PLAIN GSSAPI
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/postfix/smtp.keytab.README.sh b/mail/mail-server/files/prefix/etc/postfix/smtp.keytab.README.sh
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..4c7e17e
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/postfix/smtp.keytab.README.sh
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,179 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#!/bin/bash -x
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# GSSAPI Kerberos authentication for the smtp service on macOS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 1. krb5 configuration
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Create missing edu.mit.Kerberos file, copy it to /etc/krb5.conf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See http://nusoft.fnal.gov/ifmon/maint/auth/macadmin.html
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+sudo cat <<KERBEROSCONF > edu.mit.Kerberos
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+[domain_realm]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .@domain@.@tld@ = @HOST@.@DOMAIN@.@TLD@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ @domain@.@tld@ = @HOST@.@DOMAIN@.@TLD@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ @host@.@domain@.@tld@ = @HOST@.@DOMAIN@.@TLD@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+[libdefaults]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ default_realm = @HOST@.@DOMAIN@.@TLD@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ kdc_timeout = 5
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ allow_weak_crypto = false
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ dns_lookup_kdc = true
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ticket_lifetime = 90000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ renew_lifetime = 300000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ noaddresses = true
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+[realms]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ @HOST@.@DOMAIN@.@TLD@ = {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ default_domain = @host@.@domain@.@tld@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ admin_server = @host@.@domain@.@tld@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ kdc = @host@.@domain@.@tld@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+[logging]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ kdc = CONSOLE
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ kdc = SYSLOG:INFO:DAEMON
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ admin_server = FILE:/private/var/log/krb5kdc/kadmin.log
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+KERBEROSCONF
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+sudo install -m 0644 -b -B .orig edu.mit.Kerberos /etc/krb5.conf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+rm edu.mit.Kerberos
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 2. DNS configuration
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Add these DNS URI, TXT, and SRV records to the primary zone corresponding to REALM
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+sudo vi @PREFIX@/var/named/db.@domain@.@tld@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+if false; do
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sudo cat <<KERBEROSDNS >> @PREFIX@/var/named/db.@domain@.@tld@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ; Kerberos configuration with URI, TXT, and SRV records
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ _kerberos.@HOST@.@DOMAIN@.@TLD@. IN URI 10 1 "udp://@host@.@domain@.@tld@"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ _kerberos.@HOST@.@DOMAIN@.@TLD@. IN URI 20 1 "tcp://@host@.@domain@.@tld@"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ _kerberos-master.@HOST@.@DOMAIN@.@TLD@. IN URI 10 1 "udp://@host@.@domain@.@tld@"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ _kerberos-master.@HOST@.@DOMAIN@.@TLD@. IN URI 20 1 "tcp://@host@.@domain@.@tld@"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ _kerberos.@host@.@domain@.@tld@. IN TXT "@HOST@.@DOMAIN@.@TLD@"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ _kerberos-master.@host@.@domain@.@tld@. IN TXT "@HOST@.@DOMAIN@.@TLD@"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ _kerberos._udp.@HOST@.@DOMAIN@.@TLD@. IN SRV 10 1 88 @host@.@domain@.@tld@.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ _kerberos._tcp.@HOST@.@DOMAIN@.@TLD@. IN SRV 10 1 88 @host@.@domain@.@tld@.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ _kerberos._tls._tcp.@HOST@.@DOMAIN@.@TLD@. IN SRV 10 1 88 @host@.@domain@.@tld@.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ _kerberos-master._udp.@HOST@.@DOMAIN@.@TLD@. IN SRV 10 1 749 @host@.@domain@.@tld@.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ _kerberos-master._tcp.@HOST@.@DOMAIN@.@TLD@. IN SRV 10 1 749 @host@.@domain@.@tld@.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ _kerberos-master._tls._tcp.@HOST@.@DOMAIN@.@TLD@. IN SRV 10 1 749 @host@.@domain@.@tld@.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+KERBEROSDNS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ done
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# flush DNS cache and restart named
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+dscacheutil -flushcache ; sudo killall -HUP mDNSResponder ; sudo port unload bind9 ; sudo port load bind9
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 3. PAM plain text authentication for Kerberos smtp service
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+sudo mkdir -p @PREFIX@/etc/postfix/etc/pam.d
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+sudo cat <<PAMDSMTP > @PREFIX@/etc/postfix/etc/pam.d/smtp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# smtp: auth account password session with gssapi and plain fallback
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+auth sufficient pam_krb5.so try_first_pass
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+account sufficient pam_krb5.so
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+auth required pam_opendirectory.so
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+account required pam_nologin.so
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+account required pam_opendirectory.so
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+password required pam_opendirectory.so
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+PAMDSMTP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+sudo install -m 0644 -b -B .orig @PREFIX@/etc/dovecot/etc/pam.d/smtp /etc/pam.d
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 4. Create the smtp.keytab file with _postfix permission
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+sudo /usr/sbin/kadmin -l
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# kadmin> ext_keytab -k @PREFIX@/etc/postfix/smtp.keytab smtp/@host@.@domain@.@tld@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# kadmin> exit
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+sudo chgrp _postfix @PREFIX@/etc/postfix/smtp.keytab
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+sudo chmod g+r @PREFIX@/etc/postfix/smtp.keytab
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+sudo -u _postfix @PREFIX@/bin/klist -e -k -t @PREFIX@/etc/postfix/smtp.keytab
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Keytab name: FILE:@PREFIX@/etc/postfix/smtp.keytab
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## KVNO Timestamp Principal
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## ---- ------------------- ------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## 1 04/25/2019 06:35:54 smtp/@host@.@domain@.@tld@@@HOST@.@DOMAIN@.@TLD@ (aes256-cts-hmac-sha1-96)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## 1 04/25/2019 06:35:54 smtp/@host@.@domain@.@tld@@@HOST@.@DOMAIN@.@TLD@ (aes128-cts-hmac-sha1-96)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## 1 04/25/2019 06:35:54 smtp/@host@.@domain@.@tld@@@HOST@.@DOMAIN@.@TLD@ (des3-cbc-sha1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 5. Testing
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Kerberos-only authentication, with debugging;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# assume that ./master.cf doesn't run postfix in chroot jail,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# otherwise edit @PREFIX@/etc/dovecot/etc/pam.d/smtp /etc/pam.d
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+sudo cat <<PAMDSMTP > /etc/pam.d/smtp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# smtp: auth account password session with gssapi and plain fallback
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+auth required pam_krb5.so try_first_pass debug
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+account required pam_krb5.so
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+PAMDSMTP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 5.1 Test with saslauthd observed to work
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+sudo touch @PREFIX@/etc/sasldb2
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+sudo chgrp mail @PREFIX@/etc/sasldb2
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+mail sudo chmod 0640 @PREFIX@/etc/sasldb2
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+sudo saslauthd -a pam
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+testsaslauthd -u username -p password -s smtp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+sudo log show --last 10s | less
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# search for krb5
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+sudo killall saslauthd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 5.1 Test with smtpd is *not* (yet) observed to work
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (After postfix configured and loaded)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+### /opt/.local/etc/postfix/main.cf (part)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## shlib_directory = @PREFIX@/libexec/postfix
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## # Logging
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## maillog_file = @PREFIX@/var/log/mail/postfix.log
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## maillog_file_compressor = bzip2
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## maillog_file_prefixes = @PREFIX@/var/log/mail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## # SMTPD SASL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## smtpd_sasl_auth_enable = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## smtpd_tls_security_level = none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## import_environment="KRB5_KTNAME=@PREFIX@/etc/postfix/smtp.keytab"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## smtpd_sasl_local_domain = @host@.@domain@.@tld@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## broken_sasl_auth_clients = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## # Dovecot SASL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## smtpd_sasl_path = private/auth
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## smtpd_sasl_type = dovecot
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## ## SASLAUTHD SASL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## ## smtpd_sasl_path = saslauthd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## ## smtpd_sasl_type = cyrus
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## # only allow authentication over TLS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## # (Not set in /Library/Server_v57/Mail/Config/postfix/main.cf)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## # smtpd_tls_auth_only = yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## smtpd_tls_auth_only = no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## smtpd_recipient_restrictions = permit_mynetworks,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## permit_sasl_authenticated, reject_unauth_destination
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Check:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+sudo bash -c 'port unload postfix ; port unload dovecot2 ; ( cd @PREFIX@/var/log/mail ; > postfix.log ; > mail-err.log ; > mail-debug.log ; > mail-info.log ); port load postfix ; port load dovecot2'
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+sudo mkdir -p @PREFIX@/var/spool/postfix/etc
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+touch @PREFIX@/var/spool/postfix/etc/sasldb2
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+sudo chgrp _postfix @PREFIX@/var/spool/postfix/etc/sasldb2
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+sudo chmod 0640 @PREFIX@/var/spool/postfix/etc/sasldb2
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+gtelnet @host@.@domain@.@tld@ 25
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# EHLO @host@.@domain@.@tld@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Use the actual base64 value here:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# AUTH PLAIN `printf "username\000username\000password" | base64`
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Test base64-encoded credentials:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+printf "username\000username\000password" | base64 | openssl based64 -d | od -c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+sudo less @PREFIX@/var/log/mail/postfix.log
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# restore /etc/pam.d/smtp to original above
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+sudo cp @PREFIX@/etc/dovecot/etc/pam.d/smtp /etc/pam.d
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 6. Debugging
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# env KRB5_TRACE=/dev/stdout sudo -E kadmin -p kadmin/admin@@HOST@.@DOMAIN@.@TLD@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo kdestroy -p diradmin@@HOST@.@DOMAIN@.@TLD@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo serveradmin stop dirserv ; sudo serveradmin start dirserv
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dscacheutil -flushcache ; sudo killall -HUP mDNSResponder ; sudo port unload bind9 ; sudo port load bind9
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo /usr/sbin/ktutil list
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo @PREFIX@/bin/klist -e -k -t /etc/krb5.keytab
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/redis.conf b/mail/mail-server/files/prefix/etc/redis.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..af37958
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/redis.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,1385 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Redis configuration file example.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note that in order to read the configuration file, Redis must be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# started with the file path as first argument:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ./redis-server /path/to/redis.conf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note on units: when memory size is needed, it is possible to specify
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# it in the usual form of 1k 5GB 4M and so forth:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 1k => 1000 bytes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 1kb => 1024 bytes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 1m => 1000000 bytes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 1mb => 1024*1024 bytes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 1g => 1000000000 bytes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 1gb => 1024*1024*1024 bytes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# units are case insensitive so 1GB 1Gb 1gB are all the same.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+################################## INCLUDES ###################################
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Include one or more other config files here. This is useful if you
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# have a standard template that goes to all Redis servers but also need
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to customize a few per-server settings. Include files can include
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# other files, so use this wisely.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Notice option "include" won't be rewritten by command "CONFIG REWRITE"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# from admin or Redis Sentinel. Since Redis always uses the last processed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# line as value of a configuration directive, you'd better put includes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# at the beginning of this file to avoid overwriting config change at runtime.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If instead you are interested in using includes to override configuration
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# options, it is better to use include as the last line.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# include /path/to/local.conf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# include /path/to/other.conf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+################################## MODULES #####################################
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Load modules at startup. If the server is not able to load modules
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# it will abort. It is possible to use multiple loadmodule directives.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# loadmodule /path/to/my_module.so
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# loadmodule /path/to/other_module.so
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+################################## NETWORK #####################################
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# By default, if no "bind" configuration directive is specified, Redis listens
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# for connections from all the network interfaces available on the server.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# It is possible to listen to just one or multiple selected interfaces using
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the "bind" configuration directive, followed by one or more IP addresses.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Examples:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# bind 192.168.1.100 10.0.0.1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# bind 127.0.0.1 ::1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ~~~ WARNING ~~~ If the computer running Redis is directly exposed to the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# internet, binding to all the interfaces is dangerous and will expose the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# instance to everybody on the internet. So by default we uncomment the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# following bind directive, that will force Redis to listen only into
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the IPv4 loopback interface address (this means Redis will be able to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# accept connections only from clients running into the same computer it
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# is running).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# IF YOU ARE SURE YOU WANT YOUR INSTANCE TO LISTEN TO ALL THE INTERFACES
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# JUST COMMENT THE FOLLOWING LINE.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+bind 127.0.0.1 ::1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Protected mode is a layer of security protection, in order to avoid that
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Redis instances left open on the internet are accessed and exploited.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When protected mode is on and if:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 1) The server is not binding explicitly to a set of addresses using the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "bind" directive.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 2) No password is configured.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The server only accepts connections from clients connecting from the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# IPv4 and IPv6 loopback addresses 127.0.0.1 and ::1, and from Unix domain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sockets.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# By default protected mode is enabled. You should disable it only if
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# you are sure you want clients from other hosts to connect to Redis
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# even if no authentication is configured, nor a specific set of interfaces
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# are explicitly listed using the "bind" directive.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+protected-mode yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Accept connections on the specified port, default is 6379 (IANA #815344).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If port 0 is specified Redis will not listen on a TCP socket.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# port 6379
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# unix socket only
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+port 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TCP listen() backlog.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# In high requests-per-second environments you need an high backlog in order
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to avoid slow clients connections issues. Note that the Linux kernel
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# will silently truncate it to the value of /proc/sys/net/core/somaxconn so
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# make sure to raise both the value of somaxconn and tcp_max_syn_backlog
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# in order to get the desired effect.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+tcp-backlog 511
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Unix socket.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specify the path for the Unix socket that will be used to listen for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# incoming connections. There is no default, so Redis will not listen
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# on a unix socket when not specified.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# unixsocket /tmp/redis.sock
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# unixsocketperm 700
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+unixsocket @PREFIX@/var/run/redis/redis.sock
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo chgrp mail @PREFIX@/var/run/redis
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+unixsocketperm 0660
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Close the connection after a client is idle for N seconds (0 to disable)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+timeout 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TCP keepalive.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If non-zero, use SO_KEEPALIVE to send TCP ACKs to clients in absence
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# of communication. This is useful for two reasons:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 1) Detect dead peers.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 2) Take the connection alive from the point of view of network
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# equipment in the middle.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# On Linux, the specified value (in seconds) is the period used to send ACKs.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note that to close the connection the double of the time is needed.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# On other kernels the period depends on the kernel configuration.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# A reasonable value for this option is 300 seconds, which is the new
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Redis default starting with Redis 3.2.1.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+tcp-keepalive 300
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+################################# GENERAL #####################################
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# By default Redis does not run as a daemon. Use 'yes' if you need it.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note that Redis will write a pid file in /var/run/redis.pid when daemonized.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+daemonize no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you run Redis from upstart or systemd, Redis can interact with your
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# supervision tree. Options:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# supervised no - no supervision interaction
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# supervised upstart - signal upstart by putting Redis into SIGSTOP mode
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# supervised systemd - signal systemd by writing READY=1 to $NOTIFY_SOCKET
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# supervised auto - detect upstart or systemd method based on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# UPSTART_JOB or NOTIFY_SOCKET environment variables
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: these supervision methods only signal "process is ready."
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# They do not enable continuous liveness pings back to your supervisor.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+supervised no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If a pid file is specified, Redis writes it where specified at startup
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and removes it at exit.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When the server runs non daemonized, no pid file is created if none is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# specified in the configuration. When the server is daemonized, the pid file
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# is used even if not specified, defaulting to "/var/run/redis.pid".
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Creating a pid file is best effort: if Redis is not able to create it
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# nothing bad happens, the server will start and run normally.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+pidfile @PREFIX@/var/run/redis/redis_6379.pid
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specify the server verbosity level.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This can be one of:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# debug (a lot of information, useful for development/testing)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# verbose (many rarely useful info, but not a mess like the debug level)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# notice (moderately verbose, what you want in production probably)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# warning (only very important / critical messages are logged)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+loglevel notice
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specify the log file name. Also the empty string can be used to force
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Redis to log on the standard output. Note that if you use standard
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# output for logging but daemonize, logs will be sent to /dev/null
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+logfile @PREFIX@/var/log/redis.log
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# To enable logging to the system logger, just set 'syslog-enabled' to yes,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and optionally update the other syslog parameters to suit your needs.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# syslog-enabled no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specify the syslog identity.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# syslog-ident redis
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specify the syslog facility. Must be USER or between LOCAL0-LOCAL7.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# syslog-facility local0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Set the number of databases. The default database is DB 0, you can select
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# a different one on a per-connection basis using SELECT <dbid> where
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dbid is a number between 0 and 'databases'-1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+databases 16
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# By default Redis shows an ASCII art logo only when started to log to the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# standard output and if the standard output is a TTY. Basically this means
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# that normally a logo is displayed only in interactive sessions.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# However it is possible to force the pre-4.0 behavior and always show a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ASCII art logo in startup logs by setting the following option to yes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+always-show-logo yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+################################ SNAPSHOTTING ################################
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Save the DB on disk:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# save <seconds> <changes>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Will save the DB if both the given number of seconds and the given
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# number of write operations against the DB occurred.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# In the example below the behaviour will be to save:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# after 900 sec (15 min) if at least 1 key changed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# after 300 sec (5 min) if at least 10 keys changed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# after 60 sec if at least 10000 keys changed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: you can disable saving completely by commenting out all "save" lines.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# It is also possible to remove all the previously configured save
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# points by adding a save directive with a single empty string argument
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# like in the following example:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# save ""
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+save 900 1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+save 300 10
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+save 60 10000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# By default Redis will stop accepting writes if RDB snapshots are enabled
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (at least one save point) and the latest background save failed.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This will make the user aware (in a hard way) that data is not persisting
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# on disk properly, otherwise chances are that no one will notice and some
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# disaster will happen.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If the background saving process will start working again Redis will
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# automatically allow writes again.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# However if you have setup your proper monitoring of the Redis server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and persistence, you may want to disable this feature so that Redis will
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# continue to work as usual even if there are problems with disk,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# permissions, and so forth.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+stop-writes-on-bgsave-error yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Compress string objects using LZF when dump .rdb databases?
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For default that's set to 'yes' as it's almost always a win.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you want to save some CPU in the saving child set it to 'no' but
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the dataset will likely be bigger if you have compressible values or keys.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+rdbcompression yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Since version 5 of RDB a CRC64 checksum is placed at the end of the file.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This makes the format more resistant to corruption but there is a performance
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# hit to pay (around 10%) when saving and loading RDB files, so you can disable it
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# for maximum performances.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# RDB files created with checksum disabled have a checksum of zero that will
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tell the loading code to skip the check.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+rdbchecksum yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The filename where to dump the DB
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+dbfilename dump.rdb
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The working directory.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The DB will be written inside this directory, with the filename specified
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# above using the 'dbfilename' configuration directive.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The Append Only File will also be created inside this directory.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note that you must specify a directory here, not a file name.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+dir @PREFIX@/var/db/redis
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+################################# REPLICATION #################################
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Master-Replica replication. Use replicaof to make a Redis instance a copy of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# another Redis server. A few things to understand ASAP about Redis replication.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# +------------------+ +---------------+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# | Master | ---> | Replica |
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# | (receive writes) | | (exact copy) |
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# +------------------+ +---------------+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 1) Redis replication is asynchronous, but you can configure a master to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# stop accepting writes if it appears to be not connected with at least
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# a given number of replicas.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 2) Redis replicas are able to perform a partial resynchronization with the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# master if the replication link is lost for a relatively small amount of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# time. You may want to configure the replication backlog size (see the next
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sections of this file) with a sensible value depending on your needs.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 3) Replication is automatic and does not need user intervention. After a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# network partition replicas automatically try to reconnect to masters
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and resynchronize with them.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# replicaof <masterip> <masterport>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If the master is password protected (using the "requirepass" configuration
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# directive below) it is possible to tell the replica to authenticate before
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# starting the replication synchronization process, otherwise the master will
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# refuse the replica request.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# masterauth <master-password>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When a replica loses its connection with the master, or when the replication
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# is still in progress, the replica can act in two different ways:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 1) if replica-serve-stale-data is set to 'yes' (the default) the replica will
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# still reply to client requests, possibly with out of date data, or the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# data set may just be empty if this is the first synchronization.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 2) if replica-serve-stale-data is set to 'no' the replica will reply with
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# an error "SYNC with master in progress" to all the kind of commands
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# but to INFO, replicaOF, AUTH, PING, SHUTDOWN, REPLCONF, ROLE, CONFIG,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SUBSCRIBE, UNSUBSCRIBE, PSUBSCRIBE, PUNSUBSCRIBE, PUBLISH, PUBSUB,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# COMMAND, POST, HOST: and LATENCY.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+replica-serve-stale-data yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# You can configure a replica instance to accept writes or not. Writing against
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# a replica instance may be useful to store some ephemeral data (because data
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# written on a replica will be easily deleted after resync with the master) but
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# may also cause problems if clients are writing to it because of a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# misconfiguration.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Since Redis 2.6 by default replicas are read-only.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: read only replicas are not designed to be exposed to untrusted clients
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# on the internet. It's just a protection layer against misuse of the instance.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Still a read only replica exports by default all the administrative commands
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# such as CONFIG, DEBUG, and so forth. To a limited extent you can improve
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# security of read only replicas using 'rename-command' to shadow all the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# administrative / dangerous commands.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+replica-read-only yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Replication SYNC strategy: disk or socket.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# WARNING: DISKLESS REPLICATION IS EXPERIMENTAL CURRENTLY
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# New replicas and reconnecting replicas that are not able to continue the replication
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# process just receiving differences, need to do what is called a "full
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# synchronization". An RDB file is transmitted from the master to the replicas.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The transmission can happen in two different ways:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 1) Disk-backed: The Redis master creates a new process that writes the RDB
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# file on disk. Later the file is transferred by the parent
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# process to the replicas incrementally.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 2) Diskless: The Redis master creates a new process that directly writes the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# RDB file to replica sockets, without touching the disk at all.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# With disk-backed replication, while the RDB file is generated, more replicas
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# can be queued and served with the RDB file as soon as the current child producing
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the RDB file finishes its work. With diskless replication instead once
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the transfer starts, new replicas arriving will be queued and a new transfer
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# will start when the current one terminates.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When diskless replication is used, the master waits a configurable amount of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# time (in seconds) before starting the transfer in the hope that multiple replicas
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# will arrive and the transfer can be parallelized.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# With slow disks and fast (large bandwidth) networks, diskless replication
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# works better.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+repl-diskless-sync no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When diskless replication is enabled, it is possible to configure the delay
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the server waits in order to spawn the child that transfers the RDB via socket
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to the replicas.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This is important since once the transfer starts, it is not possible to serve
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# new replicas arriving, that will be queued for the next RDB transfer, so the server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# waits a delay in order to let more replicas arrive.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The delay is specified in seconds, and by default is 5 seconds. To disable
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# it entirely just set it to 0 seconds and the transfer will start ASAP.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+repl-diskless-sync-delay 5
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Replicas send PINGs to server in a predefined interval. It's possible to change
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# this interval with the repl_ping_replica_period option. The default value is 10
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# seconds.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# repl-ping-replica-period 10
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The following option sets the replication timeout for:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 1) Bulk transfer I/O during SYNC, from the point of view of replica.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 2) Master timeout from the point of view of replicas (data, pings).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 3) Replica timeout from the point of view of masters (REPLCONF ACK pings).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# It is important to make sure that this value is greater than the value
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# specified for repl-ping-replica-period otherwise a timeout will be detected
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# every time there is low traffic between the master and the replica.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# repl-timeout 60
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Disable TCP_NODELAY on the replica socket after SYNC?
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you select "yes" Redis will use a smaller number of TCP packets and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# less bandwidth to send data to replicas. But this can add a delay for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the data to appear on the replica side, up to 40 milliseconds with
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Linux kernels using a default configuration.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you select "no" the delay for data to appear on the replica side will
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# be reduced but more bandwidth will be used for replication.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# By default we optimize for low latency, but in very high traffic conditions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# or when the master and replicas are many hops away, turning this to "yes" may
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# be a good idea.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+repl-disable-tcp-nodelay no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Set the replication backlog size. The backlog is a buffer that accumulates
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# replica data when replicas are disconnected for some time, so that when a replica
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# wants to reconnect again, often a full resync is not needed, but a partial
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# resync is enough, just passing the portion of data the replica missed while
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# disconnected.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The bigger the replication backlog, the longer the time the replica can be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# disconnected and later be able to perform a partial resynchronization.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The backlog is only allocated once there is at least a replica connected.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# repl-backlog-size 1mb
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# After a master has no longer connected replicas for some time, the backlog
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# will be freed. The following option configures the amount of seconds that
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# need to elapse, starting from the time the last replica disconnected, for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the backlog buffer to be freed.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note that replicas never free the backlog for timeout, since they may be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# promoted to masters later, and should be able to correctly "partially
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# resynchronize" with the replicas: hence they should always accumulate backlog.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# A value of 0 means to never release the backlog.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# repl-backlog-ttl 3600
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The replica priority is an integer number published by Redis in the INFO output.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# It is used by Redis Sentinel in order to select a replica to promote into a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# master if the master is no longer working correctly.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# A replica with a low priority number is considered better for promotion, so
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# for instance if there are three replicas with priority 10, 100, 25 Sentinel will
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# pick the one with priority 10, that is the lowest.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# However a special priority of 0 marks the replica as not able to perform the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# role of master, so a replica with priority of 0 will never be selected by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Redis Sentinel for promotion.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# By default the priority is 100.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+replica-priority 100
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# It is possible for a master to stop accepting writes if there are less than
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# N replicas connected, having a lag less or equal than M seconds.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The N replicas need to be in "online" state.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The lag in seconds, that must be <= the specified value, is calculated from
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the last ping received from the replica, that is usually sent every second.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This option does not GUARANTEE that N replicas will accept the write, but
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# will limit the window of exposure for lost writes in case not enough replicas
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# are available, to the specified number of seconds.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For example to require at least 3 replicas with a lag <= 10 seconds use:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# min-replicas-to-write 3
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# min-replicas-max-lag 10
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Setting one or the other to 0 disables the feature.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# By default min-replicas-to-write is set to 0 (feature disabled) and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# min-replicas-max-lag is set to 10.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# A Redis master is able to list the address and port of the attached
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# replicas in different ways. For example the "INFO replication" section
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# offers this information, which is used, among other tools, by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Redis Sentinel in order to discover replica instances.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Another place where this info is available is in the output of the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "ROLE" command of a master.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The listed IP and address normally reported by a replica is obtained
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# in the following way:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# IP: The address is auto detected by checking the peer address
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# of the socket used by the replica to connect with the master.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Port: The port is communicated by the replica during the replication
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# handshake, and is normally the port that the replica is using to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# listen for connections.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# However when port forwarding or Network Address Translation (NAT) is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# used, the replica may be actually reachable via different IP and port
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# pairs. The following two options can be used by a replica in order to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# report to its master a specific set of IP and port, so that both INFO
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and ROLE will report those values.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# There is no need to use both the options if you need to override just
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the port or the IP address.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# replica-announce-ip 5.5.5.5
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# replica-announce-port 1234
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+################################## SECURITY ###################################
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Require clients to issue AUTH <PASSWORD> before processing any other
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# commands. This might be useful in environments in which you do not trust
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# others with access to the host running redis-server.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This should stay commented out for backward compatibility and because most
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# people do not need auth (e.g. they run their own servers).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Warning: since Redis is pretty fast an outside user can try up to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 150k passwords per second against a good box. This means that you should
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# use a very strong password otherwise it will be very easy to break.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# requirepass foobared
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Command renaming.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# It is possible to change the name of dangerous commands in a shared
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# environment. For instance the CONFIG command may be renamed into something
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# hard to guess so that it will still be available for internal-use tools
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# but not available for general clients.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Example:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# rename-command CONFIG b840fc02d524045429941cc15f59e41cb7be6c52
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# It is also possible to completely kill a command by renaming it into
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# an empty string:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# rename-command CONFIG ""
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Please note that changing the name of commands that are logged into the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# AOF file or transmitted to replicas may cause problems.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+################################### CLIENTS ####################################
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Set the max number of connected clients at the same time. By default
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# this limit is set to 10000 clients, however if the Redis server is not
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# able to configure the process file limit to allow for the specified limit
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the max number of allowed clients is set to the current file limit
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# minus 32 (as Redis reserves a few file descriptors for internal uses).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Once the limit is reached Redis will close all the new connections sending
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# an error 'max number of clients reached'.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# maxclients 10000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+############################## MEMORY MANAGEMENT ################################
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Set a memory usage limit to the specified amount of bytes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When the memory limit is reached Redis will try to remove keys
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# according to the eviction policy selected (see maxmemory-policy).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If Redis can't remove keys according to the policy, or if the policy is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# set to 'noeviction', Redis will start to reply with errors to commands
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# that would use more memory, like SET, LPUSH, and so on, and will continue
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to reply to read-only commands like GET.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This option is usually useful when using Redis as an LRU or LFU cache, or to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# set a hard memory limit for an instance (using the 'noeviction' policy).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# WARNING: If you have replicas attached to an instance with maxmemory on,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the size of the output buffers needed to feed the replicas are subtracted
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# from the used memory count, so that network problems / resyncs will
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# not trigger a loop where keys are evicted, and in turn the output
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# buffer of replicas is full with DELs of keys evicted triggering the deletion
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# of more keys, and so forth until the database is completely emptied.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# In short... if you have replicas attached it is suggested that you set a lower
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# limit for maxmemory so that there is some free RAM on the system for replica
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# output buffers (but this is not needed if the policy is 'noeviction').
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# maxmemory <bytes>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+maxmemory 512mb
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# MAXMEMORY POLICY: how Redis will select what to remove when maxmemory
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# is reached. You can select among five behaviors:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# volatile-lru -> Evict using approximated LRU among the keys with an expire set.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# allkeys-lru -> Evict any key using approximated LRU.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# volatile-lfu -> Evict using approximated LFU among the keys with an expire set.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# allkeys-lfu -> Evict any key using approximated LFU.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# volatile-random -> Remove a random key among the ones with an expire set.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# allkeys-random -> Remove a random key, any key.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# volatile-ttl -> Remove the key with the nearest expire time (minor TTL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# noeviction -> Don't evict anything, just return an error on write operations.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# LRU means Least Recently Used
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# LFU means Least Frequently Used
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Both LRU, LFU and volatile-ttl are implemented using approximated
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# randomized algorithms.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: with any of the above policies, Redis will return an error on write
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# operations, when there are no suitable keys for eviction.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# At the date of writing these commands are: set setnx setex append
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# incr decr rpush lpush rpushx lpushx linsert lset rpoplpush sadd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sinter sinterstore sunion sunionstore sdiff sdiffstore zadd zincrby
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# zunionstore zinterstore hset hsetnx hmset hincrby incrby decrby
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# getset mset msetnx exec sort
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The default is:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# maxmemory-policy noeviction
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+maxmemory-policy volatile-lru
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# LRU, LFU and minimal TTL algorithms are not precise algorithms but approximated
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# algorithms (in order to save memory), so you can tune it for speed or
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# accuracy. For default Redis will check five keys and pick the one that was
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# used less recently, you can change the sample size using the following
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# configuration directive.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The default of 5 produces good enough results. 10 Approximates very closely
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# true LRU but costs more CPU. 3 is faster but not very accurate.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# maxmemory-samples 5
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Starting from Redis 5, by default a replica will ignore its maxmemory setting
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (unless it is promoted to master after a failover or manually). It means
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# that the eviction of keys will be just handled by the master, sending the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# DEL commands to the replica as keys evict in the master side.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This behavior ensures that masters and replicas stay consistent, and is usually
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# what you want, however if your replica is writable, or you want the replica to have
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# a different memory setting, and you are sure all the writes performed to the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# replica are idempotent, then you may change this default (but be sure to understand
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# what you are doing).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note that since the replica by default does not evict, it may end using more
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# memory than the one set via maxmemory (there are certain buffers that may
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# be larger on the replica, or data structures may sometimes take more memory and so
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# forth). So make sure you monitor your replicas and make sure they have enough
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# memory to never hit a real out-of-memory condition before the master hits
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the configured maxmemory setting.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# replica-ignore-maxmemory yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+############################# LAZY FREEING ####################################
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Redis has two primitives to delete keys. One is called DEL and is a blocking
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# deletion of the object. It means that the server stops processing new commands
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# in order to reclaim all the memory associated with an object in a synchronous
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# way. If the key deleted is associated with a small object, the time needed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# in order to execute the DEL command is very small and comparable to most other
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# O(1) or O(log_N) commands in Redis. However if the key is associated with an
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# aggregated value containing millions of elements, the server can block for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# a long time (even seconds) in order to complete the operation.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For the above reasons Redis also offers non blocking deletion primitives
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# such as UNLINK (non blocking DEL) and the ASYNC option of FLUSHALL and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# FLUSHDB commands, in order to reclaim memory in background. Those commands
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# are executed in constant time. Another thread will incrementally free the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# object in the background as fast as possible.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# DEL, UNLINK and ASYNC option of FLUSHALL and FLUSHDB are user-controlled.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# It's up to the design of the application to understand when it is a good
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# idea to use one or the other. However the Redis server sometimes has to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# delete keys or flush the whole database as a side effect of other operations.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specifically Redis deletes objects independently of a user call in the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# following scenarios:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 1) On eviction, because of the maxmemory and maxmemory policy configurations,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# in order to make room for new data, without going over the specified
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# memory limit.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 2) Because of expire: when a key with an associated time to live (see the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# EXPIRE command) must be deleted from memory.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 3) Because of a side effect of a command that stores data on a key that may
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# already exist. For example the RENAME command may delete the old key
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# content when it is replaced with another one. Similarly SUNIONSTORE
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# or SORT with STORE option may delete existing keys. The SET command
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# itself removes any old content of the specified key in order to replace
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# it with the specified string.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 4) During replication, when a replica performs a full resynchronization with
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# its master, the content of the whole database is removed in order to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# load the RDB file just transferred.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# In all the above cases the default is to delete objects in a blocking way,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# like if DEL was called. However you can configure each case specifically
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# in order to instead release memory in a non-blocking way like if UNLINK
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# was called, using the following configuration directives:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+lazyfree-lazy-eviction no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+lazyfree-lazy-expire no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+lazyfree-lazy-server-del no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+replica-lazy-flush no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+############################## APPEND ONLY MODE ###############################
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# By default Redis asynchronously dumps the dataset on disk. This mode is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# good enough in many applications, but an issue with the Redis process or
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# a power outage may result into a few minutes of writes lost (depending on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the configured save points).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The Append Only File is an alternative persistence mode that provides
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# much better durability. For instance using the default data fsync policy
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (see later in the config file) Redis can lose just one second of writes in a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dramatic event like a server power outage, or a single write if something
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# wrong with the Redis process itself happens, but the operating system is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# still running correctly.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# AOF and RDB persistence can be enabled at the same time without problems.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If the AOF is enabled on startup Redis will load the AOF, that is the file
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# with the better durability guarantees.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Please check http://redis.io/topics/persistence for more information.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+appendonly no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The name of the append only file (default: "appendonly.aof")
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+appendfilename "appendonly.aof"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The fsync() call tells the Operating System to actually write data on disk
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# instead of waiting for more data in the output buffer. Some OS will really flush
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# data on disk, some other OS will just try to do it ASAP.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Redis supports three different modes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# no: don't fsync, just let the OS flush the data when it wants. Faster.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# always: fsync after every write to the append only log. Slow, Safest.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# everysec: fsync only one time every second. Compromise.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The default is "everysec", as that's usually the right compromise between
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# speed and data safety. It's up to you to understand if you can relax this to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "no" that will let the operating system flush the output buffer when
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# it wants, for better performances (but if you can live with the idea of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# some data loss consider the default persistence mode that's snapshotting),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# or on the contrary, use "always" that's very slow but a bit safer than
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# everysec.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# More details please check the following article:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# http://antirez.com/post/redis-persistence-demystified.html
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If unsure, use "everysec".
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# appendfsync always
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+appendfsync everysec
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# appendfsync no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When the AOF fsync policy is set to always or everysec, and a background
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# saving process (a background save or AOF log background rewriting) is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# performing a lot of I/O against the disk, in some Linux configurations
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Redis may block too long on the fsync() call. Note that there is no fix for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# this currently, as even performing fsync in a different thread will block
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# our synchronous write(2) call.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# In order to mitigate this problem it's possible to use the following option
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# that will prevent fsync() from being called in the main process while a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# BGSAVE or BGREWRITEAOF is in progress.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This means that while another child is saving, the durability of Redis is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the same as "appendfsync none". In practical terms, this means that it is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# possible to lose up to 30 seconds of log in the worst scenario (with the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# default Linux settings).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you have latency problems turn this to "yes". Otherwise leave it as
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "no" that is the safest pick from the point of view of durability.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+no-appendfsync-on-rewrite no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Automatic rewrite of the append only file.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Redis is able to automatically rewrite the log file implicitly calling
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# BGREWRITEAOF when the AOF log size grows by the specified percentage.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This is how it works: Redis remembers the size of the AOF file after the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# latest rewrite (if no rewrite has happened since the restart, the size of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the AOF at startup is used).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This base size is compared to the current size. If the current size is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# bigger than the specified percentage, the rewrite is triggered. Also
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# you need to specify a minimal size for the AOF file to be rewritten, this
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# is useful to avoid rewriting the AOF file even if the percentage increase
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# is reached but it is still pretty small.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specify a percentage of zero in order to disable the automatic AOF
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# rewrite feature.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+auto-aof-rewrite-percentage 100
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+auto-aof-rewrite-min-size 64mb
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# An AOF file may be found to be truncated at the end during the Redis
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# startup process, when the AOF data gets loaded back into memory.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This may happen when the system where Redis is running
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# crashes, especially when an ext4 filesystem is mounted without the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# data=ordered option (however this can't happen when Redis itself
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# crashes or aborts but the operating system still works correctly).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Redis can either exit with an error when this happens, or load as much
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# data as possible (the default now) and start if the AOF file is found
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to be truncated at the end. The following option controls this behavior.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If aof-load-truncated is set to yes, a truncated AOF file is loaded and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the Redis server starts emitting a log to inform the user of the event.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Otherwise if the option is set to no, the server aborts with an error
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and refuses to start. When the option is set to no, the user requires
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to fix the AOF file using the "redis-check-aof" utility before to restart
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the server.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note that if the AOF file will be found to be corrupted in the middle
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the server will still exit with an error. This option only applies when
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Redis will try to read more data from the AOF file but not enough bytes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# will be found.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+aof-load-truncated yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When rewriting the AOF file, Redis is able to use an RDB preamble in the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# AOF file for faster rewrites and recoveries. When this option is turned
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# on the rewritten AOF file is composed of two different stanzas:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# [RDB file][AOF tail]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When loading Redis recognizes that the AOF file starts with the "REDIS"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# string and loads the prefixed RDB file, and continues loading the AOF
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tail.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+aof-use-rdb-preamble yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+################################ LUA SCRIPTING ###############################
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Max execution time of a Lua script in milliseconds.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If the maximum execution time is reached Redis will log that a script is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# still in execution after the maximum allowed time and will start to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# reply to queries with an error.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When a long running script exceeds the maximum execution time only the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SCRIPT KILL and SHUTDOWN NOSAVE commands are available. The first can be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# used to stop a script that did not yet called write commands. The second
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# is the only way to shut down the server in the case a write command was
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# already issued by the script but the user doesn't want to wait for the natural
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# termination of the script.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Set it to 0 or a negative value for unlimited execution without warnings.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+lua-time-limit 5000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+################################ REDIS CLUSTER ###############################
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# WARNING EXPERIMENTAL: Redis Cluster is considered to be stable code, however
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# in order to mark it as "mature" we need to wait for a non trivial percentage
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# of users to deploy it in production.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Normal Redis instances can't be part of a Redis Cluster; only nodes that are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# started as cluster nodes can. In order to start a Redis instance as a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cluster node enable the cluster support uncommenting the following:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cluster-enabled yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Every cluster node has a cluster configuration file. This file is not
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# intended to be edited by hand. It is created and updated by Redis nodes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Every Redis Cluster node requires a different cluster configuration file.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Make sure that instances running in the same system do not have
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# overlapping cluster configuration file names.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cluster-config-file nodes-6379.conf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Cluster node timeout is the amount of milliseconds a node must be unreachable
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# for it to be considered in failure state.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Most other internal time limits are multiple of the node timeout.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cluster-node-timeout 15000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# A replica of a failing master will avoid to start a failover if its data
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# looks too old.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# There is no simple way for a replica to actually have an exact measure of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# its "data age", so the following two checks are performed:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 1) If there are multiple replicas able to failover, they exchange messages
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# in order to try to give an advantage to the replica with the best
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# replication offset (more data from the master processed).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Replicas will try to get their rank by offset, and apply to the start
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# of the failover a delay proportional to their rank.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 2) Every single replica computes the time of the last interaction with
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# its master. This can be the last ping or command received (if the master
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# is still in the "connected" state), or the time that elapsed since the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# disconnection with the master (if the replication link is currently down).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If the last interaction is too old, the replica will not try to failover
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# at all.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The point "2" can be tuned by user. Specifically a replica will not perform
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the failover if, since the last interaction with the master, the time
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# elapsed is greater than:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (node-timeout * replica-validity-factor) + repl-ping-replica-period
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# So for example if node-timeout is 30 seconds, and the replica-validity-factor
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# is 10, and assuming a default repl-ping-replica-period of 10 seconds, the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# replica will not try to failover if it was not able to talk with the master
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# for longer than 310 seconds.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# A large replica-validity-factor may allow replicas with too old data to failover
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# a master, while a too small value may prevent the cluster from being able to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# elect a replica at all.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For maximum availability, it is possible to set the replica-validity-factor
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to a value of 0, which means, that replicas will always try to failover the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# master regardless of the last time they interacted with the master.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (However they'll always try to apply a delay proportional to their
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# offset rank).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Zero is the only value able to guarantee that when all the partitions heal
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the cluster will always be able to continue.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cluster-replica-validity-factor 10
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Cluster replicas are able to migrate to orphaned masters, that are masters
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# that are left without working replicas. This improves the cluster ability
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to resist to failures as otherwise an orphaned master can't be failed over
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# in case of failure if it has no working replicas.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Replicas migrate to orphaned masters only if there are still at least a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# given number of other working replicas for their old master. This number
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# is the "migration barrier". A migration barrier of 1 means that a replica
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# will migrate only if there is at least 1 other working replica for its master
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and so forth. It usually reflects the number of replicas you want for every
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# master in your cluster.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default is 1 (replicas migrate only if their masters remain with at least
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# one replica). To disable migration just set it to a very large value.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# A value of 0 can be set but is useful only for debugging and dangerous
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# in production.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cluster-migration-barrier 1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# By default Redis Cluster nodes stop accepting queries if they detect there
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# is at least an hash slot uncovered (no available node is serving it).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This way if the cluster is partially down (for example a range of hash slots
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# are no longer covered) all the cluster becomes, eventually, unavailable.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# It automatically returns available as soon as all the slots are covered again.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# However sometimes you want the subset of the cluster which is working,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to continue to accept queries for the part of the key space that is still
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# covered. In order to do so, just set the cluster-require-full-coverage
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# option to no.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cluster-require-full-coverage yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This option, when set to yes, prevents replicas from trying to failover its
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# master during master failures. However the master can still perform a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# manual failover, if forced to do so.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This is useful in different scenarios, especially in the case of multiple
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# data center operations, where we want one side to never be promoted if not
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# in the case of a total DC failure.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cluster-replica-no-failover no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# In order to setup your cluster make sure to read the documentation
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# available at http://redis.io web site.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+########################## CLUSTER DOCKER/NAT support ########################
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# In certain deployments, Redis Cluster nodes address discovery fails, because
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# addresses are NAT-ted or because ports are forwarded (the typical case is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Docker and other containers).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# In order to make Redis Cluster working in such environments, a static
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# configuration where each node knows its public address is needed. The
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# following two options are used for this scope, and are:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# * cluster-announce-ip
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# * cluster-announce-port
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# * cluster-announce-bus-port
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Each instruct the node about its address, client port, and cluster message
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# bus port. The information is then published in the header of the bus packets
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# so that other nodes will be able to correctly map the address of the node
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# publishing the information.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If the above options are not used, the normal Redis Cluster auto-detection
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# will be used instead.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note that when remapped, the bus port may not be at the fixed offset of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# clients port + 10000, so you can specify any port and bus-port depending
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# on how they get remapped. If the bus-port is not set, a fixed offset of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 10000 will be used as usually.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Example:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cluster-announce-ip 10.1.1.5
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cluster-announce-port 6379
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cluster-announce-bus-port 6380
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+################################## SLOW LOG ###################################
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The Redis Slow Log is a system to log queries that exceeded a specified
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# execution time. The execution time does not include the I/O operations
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# like talking with the client, sending the reply and so forth,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# but just the time needed to actually execute the command (this is the only
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# stage of command execution where the thread is blocked and can not serve
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# other requests in the meantime).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# You can configure the slow log with two parameters: one tells Redis
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# what is the execution time, in microseconds, to exceed in order for the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# command to get logged, and the other parameter is the length of the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# slow log. When a new command is logged the oldest one is removed from the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# queue of logged commands.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The following time is expressed in microseconds, so 1000000 is equivalent
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to one second. Note that a negative number disables the slow log, while
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# a value of zero forces the logging of every command.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+slowlog-log-slower-than 10000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# There is no limit to this length. Just be aware that it will consume memory.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# You can reclaim memory used by the slow log with SLOWLOG RESET.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+slowlog-max-len 128
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+################################ LATENCY MONITOR ##############################
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The Redis latency monitoring subsystem samples different operations
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# at runtime in order to collect data related to possible sources of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# latency of a Redis instance.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Via the LATENCY command this information is available to the user that can
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# print graphs and obtain reports.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The system only logs operations that were performed in a time equal or
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# greater than the amount of milliseconds specified via the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# latency-monitor-threshold configuration directive. When its value is set
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to zero, the latency monitor is turned off.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# By default latency monitoring is disabled since it is mostly not needed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# if you don't have latency issues, and collecting data has a performance
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# impact, that while very small, can be measured under big load. Latency
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# monitoring can easily be enabled at runtime using the command
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "CONFIG SET latency-monitor-threshold <milliseconds>" if needed.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+latency-monitor-threshold 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+############################# EVENT NOTIFICATION ##############################
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Redis can notify Pub/Sub clients about events happening in the key space.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This feature is documented at http://redis.io/topics/notifications
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For instance if keyspace events notification is enabled, and a client
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# performs a DEL operation on key "foo" stored in the Database 0, two
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# messages will be published via Pub/Sub:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# PUBLISH __keyspace@0__:foo del
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# PUBLISH __keyevent@0__:del foo
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# It is possible to select the events that Redis will notify among a set
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# of classes. Every class is identified by a single character:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# K Keyspace events, published with __keyspace@<db>__ prefix.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# E Keyevent events, published with __keyevent@<db>__ prefix.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# g Generic commands (non-type specific) like DEL, EXPIRE, RENAME, ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# $ String commands
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# l List commands
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# s Set commands
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# h Hash commands
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# z Sorted set commands
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# x Expired events (events generated every time a key expires)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# e Evicted events (events generated when a key is evicted for maxmemory)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# A Alias for g$lshzxe, so that the "AKE" string means all the events.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The "notify-keyspace-events" takes as argument a string that is composed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# of zero or multiple characters. The empty string means that notifications
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# are disabled.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Example: to enable list and generic events, from the point of view of the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# event name, use:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# notify-keyspace-events Elg
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Example 2: to get the stream of the expired keys subscribing to channel
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# name __keyevent@0__:expired use:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# notify-keyspace-events Ex
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# By default all notifications are disabled because most users don't need
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# this feature and the feature has some overhead. Note that if you don't
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# specify at least one of K or E, no events will be delivered.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+notify-keyspace-events ""
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+############################### ADVANCED CONFIG ###############################
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Hashes are encoded using a memory efficient data structure when they have a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# small number of entries, and the biggest entry does not exceed a given
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# threshold. These thresholds can be configured using the following directives.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+hash-max-ziplist-entries 512
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+hash-max-ziplist-value 64
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Lists are also encoded in a special way to save a lot of space.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The number of entries allowed per internal list node can be specified
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# as a fixed maximum size or a maximum number of elements.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For a fixed maximum size, use -5 through -1, meaning:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -5: max size: 64 Kb <-- not recommended for normal workloads
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -4: max size: 32 Kb <-- not recommended
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -3: max size: 16 Kb <-- probably not recommended
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -2: max size: 8 Kb <-- good
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -1: max size: 4 Kb <-- good
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Positive numbers mean store up to _exactly_ that number of elements
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# per list node.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The highest performing option is usually -2 (8 Kb size) or -1 (4 Kb size),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# but if your use case is unique, adjust the settings as necessary.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+list-max-ziplist-size -2
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Lists may also be compressed.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Compress depth is the number of quicklist ziplist nodes from *each* side of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the list to *exclude* from compression. The head and tail of the list
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# are always uncompressed for fast push/pop operations. Settings are:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 0: disable all list compression
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 1: depth 1 means "don't start compressing until after 1 node into the list,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# going from either the head or tail"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# So: [head]->node->node->...->node->[tail]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# [head], [tail] will always be uncompressed; inner nodes will compress.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 2: [head]->[next]->node->node->...->node->[prev]->[tail]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 2 here means: don't compress head or head->next or tail->prev or tail,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# but compress all nodes between them.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 3: [head]->[next]->[next]->node->node->...->node->[prev]->[prev]->[tail]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# etc.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+list-compress-depth 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Sets have a special encoding in just one case: when a set is composed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# of just strings that happen to be integers in radix 10 in the range
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# of 64 bit signed integers.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The following configuration setting sets the limit in the size of the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# set in order to use this special memory saving encoding.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+set-max-intset-entries 512
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Similarly to hashes and lists, sorted sets are also specially encoded in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# order to save a lot of space. This encoding is only used when the length and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# elements of a sorted set are below the following limits:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+zset-max-ziplist-entries 128
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+zset-max-ziplist-value 64
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# HyperLogLog sparse representation bytes limit. The limit includes the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 16 bytes header. When an HyperLogLog using the sparse representation crosses
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# this limit, it is converted into the dense representation.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# A value greater than 16000 is totally useless, since at that point the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dense representation is more memory efficient.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The suggested value is ~ 3000 in order to have the benefits of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the space efficient encoding without slowing down too much PFADD,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# which is O(N) with the sparse encoding. The value can be raised to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ~ 10000 when CPU is not a concern, but space is, and the data set is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# composed of many HyperLogLogs with cardinality in the 0 - 15000 range.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+hll-sparse-max-bytes 3000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Streams macro node max size / items. The stream data structure is a radix
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tree of big nodes that encode multiple items inside. Using this configuration
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# it is possible to configure how big a single node can be in bytes, and the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# maximum number of items it may contain before switching to a new node when
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# appending new stream entries. If any of the following settings are set to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# zero, the limit is ignored, so for instance it is possible to set just a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# max entires limit by setting max-bytes to 0 and max-entries to the desired
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# value.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+stream-node-max-bytes 4096
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+stream-node-max-entries 100
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Active rehashing uses 1 millisecond every 100 milliseconds of CPU time in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# order to help rehashing the main Redis hash table (the one mapping top-level
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# keys to values). The hash table implementation Redis uses (see dict.c)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# performs a lazy rehashing: the more operation you run into a hash table
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# that is rehashing, the more rehashing "steps" are performed, so if the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# server is idle the rehashing is never complete and some more memory is used
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# by the hash table.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The default is to use this millisecond 10 times every second in order to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# actively rehash the main dictionaries, freeing memory when possible.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If unsure:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# use "activerehashing no" if you have hard latency requirements and it is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# not a good thing in your environment that Redis can reply from time to time
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to queries with 2 milliseconds delay.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# use "activerehashing yes" if you don't have such hard requirements but
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# want to free memory asap when possible.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+activerehashing yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The client output buffer limits can be used to force disconnection of clients
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# that are not reading data from the server fast enough for some reason (a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# common reason is that a Pub/Sub client can't consume messages as fast as the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# publisher can produce them).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The limit can be set differently for the three different classes of clients:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# normal -> normal clients including MONITOR clients
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# replica -> replica clients
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# pubsub -> clients subscribed to at least one pubsub channel or pattern
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The syntax of every client-output-buffer-limit directive is the following:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# client-output-buffer-limit <class> <hard limit> <soft limit> <soft seconds>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# A client is immediately disconnected once the hard limit is reached, or if
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the soft limit is reached and remains reached for the specified number of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# seconds (continuously).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# So for instance if the hard limit is 32 megabytes and the soft limit is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 16 megabytes / 10 seconds, the client will get disconnected immediately
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# if the size of the output buffers reach 32 megabytes, but will also get
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# disconnected if the client reaches 16 megabytes and continuously overcomes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the limit for 10 seconds.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# By default normal clients are not limited because they don't receive data
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# without asking (in a push way), but just after a request, so only
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# asynchronous clients may create a scenario where data is requested faster
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# than it can read.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Instead there is a default limit for pubsub and replica clients, since
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# subscribers and replicas receive data in a push fashion.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Both the hard or the soft limit can be disabled by setting them to zero.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+client-output-buffer-limit normal 0 0 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+client-output-buffer-limit replica 256mb 64mb 60
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+client-output-buffer-limit pubsub 32mb 8mb 60
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Client query buffers accumulate new commands. They are limited to a fixed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# amount by default in order to avoid that a protocol desynchronization (for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# instance due to a bug in the client) will lead to unbound memory usage in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the query buffer. However you can configure it here if you have very special
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# needs, such us huge multi/exec requests or alike.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# client-query-buffer-limit 1gb
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# In the Redis protocol, bulk requests, that are, elements representing single
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# strings, are normally limited ot 512 mb. However you can change this limit
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# here.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# proto-max-bulk-len 512mb
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Redis calls an internal function to perform many background tasks, like
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# closing connections of clients in timeout, purging expired keys that are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# never requested, and so forth.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Not all tasks are performed with the same frequency, but Redis checks for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tasks to perform according to the specified "hz" value.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# By default "hz" is set to 10. Raising the value will use more CPU when
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Redis is idle, but at the same time will make Redis more responsive when
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# there are many keys expiring at the same time, and timeouts may be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# handled with more precision.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The range is between 1 and 500, however a value over 100 is usually not
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# a good idea. Most users should use the default of 10 and raise this up to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 100 only in environments where very low latency is required.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+hz 10
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Normally it is useful to have an HZ value which is proportional to the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# number of clients connected. This is useful in order, for instance, to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# avoid too many clients are processed for each background task invocation
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# in order to avoid latency spikes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Since the default HZ value by default is conservatively set to 10, Redis
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# offers, and enables by default, the ability to use an adaptive HZ value
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# which will temporary raise when there are many connected clients.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When dynamic HZ is enabled, the actual configured HZ will be used as
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# as a baseline, but multiples of the configured HZ value will be actually
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# used as needed once more clients are connected. In this way an idle
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# instance will use very little CPU time while a busy instance will be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# more responsive.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+dynamic-hz yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When a child rewrites the AOF file, if the following option is enabled
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the file will be fsync-ed every 32 MB of data generated. This is useful
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# in order to commit the file to the disk more incrementally and avoid
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# big latency spikes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+aof-rewrite-incremental-fsync yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When redis saves RDB file, if the following option is enabled
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the file will be fsync-ed every 32 MB of data generated. This is useful
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# in order to commit the file to the disk more incrementally and avoid
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# big latency spikes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+rdb-save-incremental-fsync yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Redis LFU eviction (see maxmemory setting) can be tuned. However it is a good
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# idea to start with the default settings and only change them after investigating
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# how to improve the performances and how the keys LFU change over time, which
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# is possible to inspect via the OBJECT FREQ command.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# There are two tunable parameters in the Redis LFU implementation: the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# counter logarithm factor and the counter decay time. It is important to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# understand what the two parameters mean before changing them.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The LFU counter is just 8 bits per key, it's maximum value is 255, so Redis
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# uses a probabilistic increment with logarithmic behavior. Given the value
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# of the old counter, when a key is accessed, the counter is incremented in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# this way:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 1. A random number R between 0 and 1 is extracted.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 2. A probability P is calculated as 1/(old_value*lfu_log_factor+1).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 3. The counter is incremented only if R < P.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The default lfu-log-factor is 10. This is a table of how the frequency
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# counter changes with a different number of accesses with different
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# logarithmic factors:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# +--------+------------+------------+------------+------------+------------+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# | factor | 100 hits | 1000 hits | 100K hits | 1M hits | 10M hits |
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# +--------+------------+------------+------------+------------+------------+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# | 0 | 104 | 255 | 255 | 255 | 255 |
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# +--------+------------+------------+------------+------------+------------+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# | 1 | 18 | 49 | 255 | 255 | 255 |
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# +--------+------------+------------+------------+------------+------------+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# | 10 | 10 | 18 | 142 | 255 | 255 |
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# +--------+------------+------------+------------+------------+------------+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# | 100 | 8 | 11 | 49 | 143 | 255 |
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# +--------+------------+------------+------------+------------+------------+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NOTE: The above table was obtained by running the following commands:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# redis-benchmark -n 1000000 incr foo
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# redis-cli object freq foo
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NOTE 2: The counter initial value is 5 in order to give new objects a chance
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to accumulate hits.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The counter decay time is the time, in minutes, that must elapse in order
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# for the key counter to be divided by two (or decremented if it has a value
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# less <= 10).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The default value for the lfu-decay-time is 1. A Special value of 0 means to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# decay the counter every time it happens to be scanned.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# lfu-log-factor 10
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# lfu-decay-time 1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+########################### ACTIVE DEFRAGMENTATION #######################
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# WARNING THIS FEATURE IS EXPERIMENTAL. However it was stress tested
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# even in production and manually tested by multiple engineers for some
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# time.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# What is active defragmentation?
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Active (online) defragmentation allows a Redis server to compact the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# spaces left between small allocations and deallocations of data in memory,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# thus allowing to reclaim back memory.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Fragmentation is a natural process that happens with every allocator (but
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# less so with Jemalloc, fortunately) and certain workloads. Normally a server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# restart is needed in order to lower the fragmentation, or at least to flush
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# away all the data and create it again. However thanks to this feature
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# implemented by Oran Agra for Redis 4.0 this process can happen at runtime
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# in an "hot" way, while the server is running.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Basically when the fragmentation is over a certain level (see the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# configuration options below) Redis will start to create new copies of the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# values in contiguous memory regions by exploiting certain specific Jemalloc
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# features (in order to understand if an allocation is causing fragmentation
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and to allocate it in a better place), and at the same time, will release the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# old copies of the data. This process, repeated incrementally for all the keys
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# will cause the fragmentation to drop back to normal values.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Important things to understand:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 1. This feature is disabled by default, and only works if you compiled Redis
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to use the copy of Jemalloc we ship with the source code of Redis.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This is the default with Linux builds.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 2. You never need to enable this feature if you don't have fragmentation
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# issues.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 3. Once you experience fragmentation, you can enable this feature when
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# needed with the command "CONFIG SET activedefrag yes".
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The configuration parameters are able to fine tune the behavior of the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# defragmentation process. If you are not sure about what they mean it is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# a good idea to leave the defaults untouched.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Enabled active defragmentation
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# activedefrag yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Minimum amount of fragmentation waste to start active defrag
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# active-defrag-ignore-bytes 100mb
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Minimum percentage of fragmentation to start active defrag
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# active-defrag-threshold-lower 10
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Maximum percentage of fragmentation at which we use maximum effort
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# active-defrag-threshold-upper 100
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Minimal effort for defrag in CPU percentage
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# active-defrag-cycle-min 5
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Maximal effort for defrag in CPU percentage
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# active-defrag-cycle-max 75
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Maximum number of set/hash/zset/list fields that will be processed from
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the main dictionary scan
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# active-defrag-max-scan-fields 1000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/rspamd/dkim_paths.map b/mail/mail-server/files/prefix/etc/rspamd/dkim_paths.map
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..6eb236d
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/rspamd/dkim_paths.map
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@domain@.@tld@ @PREFIX@/var/lib/rspamd/dkim/@domain@.@tld@.$selector.key
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/rspamd/dkim_selectors.map b/mail/mail-server/files/prefix/etc/rspamd/dkim_selectors.map
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..64851cb
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/rspamd/dkim_selectors.map
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@domain@.@tld@ dkim
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/rspamd/local.d/antivirus.conf b/mail/mail-server/files/prefix/etc/rspamd/local.d/antivirus.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..3628f3e
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/rspamd/local.d/antivirus.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,39 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+clamav {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # If set force this action if any virus is found (default unset: no action is forced)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ action = "reject";
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ message = '${SCANNER}: virus found: "${VIRUS}"';
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Scan mime_parts seperately - otherwise the complete mail will be transfered to AV Scanner
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ scan_mime_parts = true;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Scanning Text is suitable for some av scanner databases (e.g. Sanesecurity)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ scan_text_mime = false;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ scan_image_mime = false;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # If `max_size` is set, messages > n bytes in size are not scanned
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ max_size = 20000000;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # symbol to add (add it to metric if you want non-zero weight)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ symbol = "CLAM_VIRUS";
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # type of scanner: "clamav", "fprot", "sophos" or "savapi"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ type = "clamav";
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # For "savapi" you must also specify the following variable
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #product_id = 12345;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # You can enable logging for clean messages
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # log_clean = true;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # servers to query (if port is unspecified, scanner-specific default is used)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # can be specified multiple times to pool servers
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # can be set to a path to a unix socket
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Enable this in local.d/antivirus.conf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # servers = "127.0.0.1:3310";
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ servers = "@PREFIX@/var/run/clamav/clamd.socket";
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # if `patterns` is specified virus name will be matched against provided regexes and the related
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # symbol will be yielded if a match is found. If no match is found, default symbol is yielded.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ patterns {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # symbol_name = "pattern";
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ JUST_EICAR = '^Eicar-Test-Signature$';
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ patterns_fail {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # symbol_name = "pattern";
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ CLAM_PROTOCOL_ERROR = '^unhandled response';
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ CLAM_LIMITS_EXCEEDED = '^Heuristics\.Limits\.Exceeded$';
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # `whitelist` points to a map of IP addresses. Mail from these addresses is not scanned.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ whitelist = "@PREFIX@/etc/rspamd/antivirus.wl";
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/rspamd/local.d/arc.conf.do_not_use b/mail/mail-server/files/prefix/etc/rspamd/local.d/arc.conf.do_not_use
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..ee3d82f
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/rspamd/local.d/arc.conf.do_not_use
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,11 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: DKIM signing is performed by the mail relay [comcast.net]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and is unncessary in this setup.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Test: Send email to non-Comcast address and inspect headers
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo mkdir @PREFIX@/var/lib/rspamd/dkim
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo chown _rspamd:_rspamd @PREFIX@/var/lib/rspamd/dkim
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo chmod 0750 @PREFIX@/var/lib/rspamd/dkim
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo -u _rspamd rspamadm dkim_keygen -k @PREFIX@/var/lib/rspamd/dkim/@domain@.@tld@.dkim.key -s dkim -t ed25519 -d @domain@.@tld@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+path = "@PREFIX@/var/lib/rspamd/dkim/$domain.$selector.key";
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+selector = "dkim";
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/rspamd/local.d/classifier-bayes.conf b/mail/mail-server/files/prefix/etc/rspamd/local.d/classifier-bayes.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..ad85f2e
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/rspamd/local.d/classifier-bayes.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,2 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+backend = "redis";
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+autolearn = true;
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/rspamd/local.d/dcc.conf b/mail/mail-server/files/prefix/etc/rspamd/local.d/dcc.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..7667176
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/rspamd/local.d/dcc.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,3 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# path to dcc socket
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+host = "@PREFIX@/etc/dcc/dccifd";
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+timeout = 5.0;
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/rspamd/local.d/dkim_signing.conf b/mail/mail-server/files/prefix/etc/rspamd/local.d/dkim_signing.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..09d4ded
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/rspamd/local.d/dkim_signing.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,32 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: DKIM signing is performed by the mail relay [comcast.net]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and is unncessary in this setup.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Test: Send email to non-Comcast address and inspect headers
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo mkdir @PREFIX@/var/lib/rspamd/dkim
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo chown _rspamd:_rspamd @PREFIX@/var/lib/rspamd/dkim
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo chmod 0750 @PREFIX@/var/lib/rspamd/dkim
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo -u _rspamd rspamadm dkim_keygen -k @PREFIX@/var/lib/rspamd/dkim/@domain@.@tld@.dkim_rsa2048.key -s dkim_rsa2048 -t rsa -b 2048 -d @domain@.@tld@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo -u _rspamd rspamadm dkim_keygen -k @PREFIX@/var/lib/rspamd/dkim/@domain@.@tld@.dkim_ed25519.key -s dkim_ed25519 -t ed25519 -d @domain@.@tld@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+use_domain = "header";
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+auth_only = true;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+allow_username_mismatch = true;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+path = "@PREFIX@/var/lib/rspamd/dkim/@domain@.@tld@.dkim_rsa2048.key";
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+selector = "dkim_rsa2048";
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Domain specific settings
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# domain {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# @domain@.@tld@ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# selectors [
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# { # Private key path and selector
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# path = "@PREFIX@/var/lib/rspamd/dkim/@domain@.@tld@.dkim_rsa2048.key";
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# selector = "dkim_rsa2048";
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# { # multiple dkim signature
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# path = "@PREFIX@/var/lib/rspamd/dkim/@domain@.@tld@.dkim_ed25519.key";
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# selector = "dkim_ed25519";
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# }
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/rspamd/local.d/dmarc.conf b/mail/mail-server/files/prefix/etc/rspamd/local.d/dmarc.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..bca8ae2
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/rspamd/local.d/dmarc.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,10 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+servers = "@PREFIX@/var/run/redis/redis.sock";
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+reporting = true;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Actions to enforce based on DMARC disposition (empty by default)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+actions = {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ quarantine = "add_header";
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ reject = "reject";
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/rspamd/local.d/greylist-whitelist-domains.inc b/mail/mail-server/files/prefix/etc/rspamd/local.d/greylist-whitelist-domains.inc
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..f678019
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/rspamd/local.d/greylist-whitelist-domains.inc
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,2 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@domain@.@tld@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+mit.edu
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/rspamd/local.d/greylist.conf b/mail/mail-server/files/prefix/etc/rspamd/local.d/greylist.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..fa5159b
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/rspamd/local.d/greylist.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+servers = "@PREFIX@/var/run/redis/redis.sock";
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/rspamd/local.d/history_redis.conf b/mail/mail-server/files/prefix/etc/rspamd/local.d/history_redis.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..d34c8eb
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/rspamd/local.d/history_redis.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,2 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Redis server to store history
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+servers = "@PREFIX@/var/run/redis/redis.sock";
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/rspamd/local.d/logging.inc b/mail/mail-server/files/prefix/etc/rspamd/local.d/logging.inc
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..3f12936
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/rspamd/local.d/logging.inc
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,24 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Included from top-level .conf file
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+level = "info";
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# level = "debug";
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+log_format =<<EOD
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+id: <$mid>,$if_qid{ qid: <$>,}$if_ip{ ip: $,}$if_user{ user: $,}$if_smtp_from{ from: <$>,}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+(default: $is_spam ($action): [$scores] [$symbols_scores_params]),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+len: $len, time: $time_real real, $time_virtual virtual, dns req: $dns_req,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+digest: <$digest>$if_smtp_rcpts{, rcpts: <$>}$if_mime_rcpts{, mime_rcpts: <$>}$if_filename{, file: $}$if_forced_action{, forced: $}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+EOD
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Show statistics for regular expressions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+log_re_cache = true;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Can be used for console logging
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+color = false;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Log with microseconds resolution
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+log_usec = false;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Enable debug for specific modules (e.g. `debug_modules = ["dkim", "re_cache"];`)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#debug_modules = [];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+debug_modules = ["dkim_signing"];
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/rspamd/local.d/milter_headers.conf b/mail/mail-server/files/prefix/etc/rspamd/local.d/milter_headers.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..e3af422
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/rspamd/local.d/milter_headers.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,6 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# https://rspamd.com/doc/modules/milter_headers.html
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+extended_spam_headers = true;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+authenticated_headers = ["authentication-results"];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+use = ["x-spamd-bar", "authentication-results"];
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/rspamd/local.d/mx_check.conf b/mail/mail-server/files/prefix/etc/rspamd/local.d/mx_check.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..89f6e08
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/rspamd/local.d/mx_check.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,4 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Set this to enable the module
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+enabled = true;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+servers = "@PREFIX@/var/run/redis/redis.sock";
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/rspamd/local.d/options.inc b/mail/mail-server/files/prefix/etc/rspamd/local.d/options.inc
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..1026da2
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/rspamd/local.d/options.inc
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,2 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cores_dir = "/cores";
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# max_cores_size = 1G;
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/rspamd/local.d/phishing.conf b/mail/mail-server/files/prefix/etc/rspamd/local.d/phishing.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..dcb1caf
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/rspamd/local.d/phishing.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,3 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# check messages against some anti-phishing databases
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+openphish_enabled = true;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+phishtank_enabled = true;
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/rspamd/local.d/ratelimit.conf b/mail/mail-server/files/prefix/etc/rspamd/local.d/ratelimit.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..fa5159b
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/rspamd/local.d/ratelimit.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+servers = "@PREFIX@/var/run/redis/redis.sock";
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/rspamd/local.d/redis.conf b/mail/mail-server/files/prefix/etc/rspamd/local.d/redis.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..aea44ed
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/rspamd/local.d/redis.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,2 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# just specifying a server enables redis for all modules that can use it
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+servers = "@PREFIX@/var/run/redis/redis.sock";
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/rspamd/local.d/replies.conf b/mail/mail-server/files/prefix/etc/rspamd/local.d/replies.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..382764d
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/rspamd/local.d/replies.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,2 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# whitelist messages from threads that have been replied to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+action = "no action";
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/rspamd/local.d/surbl.conf b/mail/mail-server/files/prefix/etc/rspamd/local.d/surbl.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..18833d5
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/rspamd/local.d/surbl.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,2 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# follow redirects when checking URLs in emails for spaminess
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+redirector_hosts_map = "@PREFIX@/etc/rspamd/redirectors.inc";
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/rspamd/local.d/url_tags.conf b/mail/mail-server/files/prefix/etc/rspamd/local.d/url_tags.conf
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..61832fb
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/rspamd/local.d/url_tags.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,2 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache some URL tags in redis
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+enabled = true;
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/rspamd/local.d/worker-controller.inc b/mail/mail-server/files/prefix/etc/rspamd/local.d/worker-controller.inc
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..8aa6eab
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/rspamd/local.d/worker-controller.inc
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,13 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# generate a password hash using the `rspamadm pw` command and put it here
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# this one is the hash for 'foobar'
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# password = "$2$p4oabgj4wersc73owwt8dyi4iokuhrw7$15p5am33jpfxxnfxeazrf8tjfr4ck5x39ku731yj973wdux9r5ub";
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# enable_password = "$2$p4oabgj4wersc73owwt8dyi4iokuhrw7$15p5am33jpfxxnfxeazrf8tjfr4ck5x39ku731yj973wdux9r5ub";
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+password = "@RSPAMD_CONTROL_PASSWORD_HASH@";
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+enable_password = "@RSPAMD_CONTROL_PASSWORD_HASH@";
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dovecot will use this socket to communicate with rspamd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# it must be rw by any mail user accounts
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+bind_socket = "$RUNDIR/rspamd.sock mode=0666 owner=_rspamd";
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# you can comment this out if you don't need the web interface
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+bind_socket = "127.0.0.1:11334";
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/rspamd/local.d/worker-normal.inc b/mail/mail-server/files/prefix/etc/rspamd/local.d/worker-normal.inc
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..ffa77f5
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/rspamd/local.d/worker-normal.inc
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,3 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# we're not running rspamd in a distributed setup, so this can be disabled
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the proxy worker will handle all the spam filtering
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+enabled = false;
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/rspamd/local.d/worker-proxy.inc b/mail/mail-server/files/prefix/etc/rspamd/local.d/worker-proxy.inc
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..ed2bec9
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/rspamd/local.d/worker-proxy.inc
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,23 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# this worker will be used as postfix milter
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+milter = yes;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Proxy worker is listening on *:11332 by default
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#bind_socket = localhost:11332;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Use this socket if postfix is *not* run in *chroot*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo chgrp mail @PREFIX@/var/run/rspamd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# bind_socket = "$RUNDIR/milter.sock mode=0660 owner=_rspamd group=mail";
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Use this socket if postfix is run in chroot
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo mkdir -p @PREFIX@/var/spool/postfix@PREFIX@/var/run/rspamd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo chgrp mail @PREFIX@/var/spool/postfix@PREFIX@/var/run/rspamd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sudo chmod 0750 @PREFIX@/var/spool/postfix@PREFIX@/var/run/rspamd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+bind_socket = "@PREFIX@/var/spool/postfix$RUNDIR/milter.sock mode=0660 owner=_rspamd group=mail";
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the following specifies self-scan mode, for when rspamd is on the same
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# machine as postfix
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+timeout = 120s;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+upstream "local" {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ default = yes;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ self_scan = yes;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/var/solr/dovecot/conf/schema.xml b/mail/mail-server/files/prefix/var/solr/dovecot/conf/schema.xml
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..601a290
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/var/solr/dovecot/conf/schema.xml
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,48 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+<?xml version="1.0" encoding="UTF-8"?>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+<schema name="dovecot" version="2.0">
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <fieldType name="string" class="solr.StrField" omitNorms="true" sortMissingLast="true"/>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <fieldType name="long" class="solr.LongPointField" positionIncrementGap="0"/>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <fieldType name="boolean" class="solr.BoolField" sortMissingLast="true"/>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <fieldType name="text" class="solr.TextField" autoGeneratePhraseQueries="true" positionIncrementGap="100">
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <analyzer type="index">
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <tokenizer class="solr.StandardTokenizerFactory"/>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <filter class="solr.StopFilterFactory" words="stopwords.txt" ignoreCase="true"/>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <filter class="solr.WordDelimiterGraphFilterFactory" catenateNumbers="1" generateNumberParts="1" splitOnCaseChange="1" generateWordParts="1" splitOnNumerics="1" catenateAll="1" catenateWords="1"/>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <filter class="solr.FlattenGraphFilterFactory"/>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <filter class="solr.LowerCaseFilterFactory"/>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <filter class="solr.KeywordMarkerFilterFactory" protected="protwords.txt"/>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <filter class="solr.PorterStemFilterFactory"/>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ </analyzer>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <analyzer type="query">
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <tokenizer class="solr.StandardTokenizerFactory"/>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <filter class="solr.SynonymGraphFilterFactory" expand="true" ignoreCase="true" synonyms="synonyms.txt"/>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <filter class="solr.FlattenGraphFilterFactory"/>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <filter class="solr.StopFilterFactory" words="stopwords.txt" ignoreCase="true"/>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <filter class="solr.WordDelimiterGraphFilterFactory" catenateNumbers="1" generateNumberParts="1" splitOnCaseChange="1" generateWordParts="1" splitOnNumerics="1" catenateAll="1" catenateWords="1"/>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <filter class="solr.LowerCaseFilterFactory"/>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <filter class="solr.KeywordMarkerFilterFactory" protected="protwords.txt"/>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <filter class="solr.PorterStemFilterFactory"/>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ </analyzer>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ </fieldType>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <field name="id" type="string" indexed="true" required="true" stored="true"/>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <field name="uid" type="long" indexed="true" required="true" stored="true"/>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <field name="box" type="string" indexed="true" required="true" stored="true"/>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <field name="user" type="string" indexed="true" required="true" stored="true"/>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <field name="hdr" type="text" indexed="true" stored="false"/>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <field name="body" type="text" indexed="true" stored="false"/>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <field name="from" type="text" indexed="true" stored="false"/>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <field name="to" type="text" indexed="true" stored="false"/>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <field name="cc" type="text" indexed="true" stored="false"/>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <field name="bcc" type="text" indexed="true" stored="false"/>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <field name="subject" type="text" indexed="true" stored="false"/>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <!-- Used by Solr internally: -->
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <field name="_version_" type="long" indexed="true" stored="true"/>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <uniqueKey>id</uniqueKey>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+</schema>
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/var/solr/dovecot/conf/solrconfig.xml b/mail/mail-server/files/prefix/var/solr/dovecot/conf/solrconfig.xml
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..3ecd0f2
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/var/solr/dovecot/conf/solrconfig.xml
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,289 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+<?xml version="1.0" encoding="UTF-8" ?>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+<!-- This is the default config with stuff non-essential to Dovecot removed. -->
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+<config>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <!-- Controls what version of Lucene various components of Solr
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ adhere to. Generally, you want to use the latest version to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ get all bug fixes and improvements. It is highly recommended
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ that you fully re-index after changing this setting as it can
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ affect both how text is indexed and queried.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -->
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <luceneMatchVersion>8.0.0</luceneMatchVersion>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <!-- A 'dir' option by itself adds any files found in the directory
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ to the classpath, this is useful for including all jars in a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ directory.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ When a 'regex' is specified in addition to a 'dir', only the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ files in that directory which completely match the regex
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ (anchored on both ends) will be included.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ If a 'dir' option (with or without a regex) is used and nothing
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ is found that matches, a warning will be logged.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ The examples below can be used to load some solr-contribs along
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ with their external dependencies.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -->
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <lib dir="${solr.install.dir:../../../..}/contrib/extraction/lib" regex=".*\.jar" />
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <lib dir="${solr.install.dir:../../../..}/dist/" regex="solr-cell-\d.*\.jar" />
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <lib dir="${solr.install.dir:../../../..}/contrib/clustering/lib/" regex=".*\.jar" />
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <lib dir="${solr.install.dir:../../../..}/dist/" regex="solr-clustering-\d.*\.jar" />
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <lib dir="${solr.install.dir:../../../..}/contrib/langid/lib/" regex=".*\.jar" />
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <lib dir="${solr.install.dir:../../../..}/dist/" regex="solr-langid-\d.*\.jar" />
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <lib dir="${solr.install.dir:../../../..}/contrib/velocity/lib" regex=".*\.jar" />
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <lib dir="${solr.install.dir:../../../..}/dist/" regex="solr-velocity-\d.*\.jar" />
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <!-- Data Directory
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Used to specify an alternate directory to hold all index data
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ other than the default ./data under the Solr home. If
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ replication is in use, this should match the replication
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ configuration.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -->
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <dataDir>${solr.data.dir:}</dataDir>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <!-- The default high-performance update handler -->
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <updateHandler class="solr.DirectUpdateHandler2">
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <!-- Enables a transaction log, used for real-time get, durability, and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ and solr cloud replica recovery. The log can grow as big as
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ uncommitted changes to the index, so use of a hard autoCommit
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ is recommended (see below).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "dir" - the target directory for transaction logs, defaults to the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ solr data directory.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "numVersionBuckets" - sets the number of buckets used to keep
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ track of max version values when checking for re-ordered
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ updates; increase this value to reduce the cost of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ synchronizing access to version buckets during high-volume
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ indexing, this requires 8 bytes (long) * numVersionBuckets
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ of heap space per Solr core.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -->
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <updateLog>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <str name="dir">${solr.ulog.dir:}</str>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <int name="numVersionBuckets">${solr.ulog.numVersionBuckets:65536}</int>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ </updateLog>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <!-- AutoCommit
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Perform a hard commit automatically under certain conditions.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Instead of enabling autoCommit, consider using "commitWithin"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ when adding documents.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ http://wiki.apache.org/solr/UpdateXmlMessages
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ maxDocs - Maximum number of documents to add since the last
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ commit before automatically triggering a new commit.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ maxTime - Maximum amount of time in ms that is allowed to pass
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ since a document was added before automatically
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ triggering a new commit.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ openSearcher - if false, the commit causes recent index changes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ to be flushed to stable storage, but does not cause a new
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ searcher to be opened to make those changes visible.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ If the updateLog is enabled, then it's highly recommended to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ have some sort of hard autoCommit to limit the log size.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -->
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <autoCommit>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <maxTime>${solr.autoCommit.maxTime:15000}</maxTime>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <openSearcher>false</openSearcher>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ </autoCommit>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <!-- softAutoCommit is like autoCommit except it causes a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ 'soft' commit which only ensures that changes are visible
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ but does not ensure that data is synced to disk. This is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ faster and more near-realtime friendly than a hard commit.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -->
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <autoSoftCommit>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <maxTime>${solr.autoSoftCommit.maxTime:-1}</maxTime>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ </autoSoftCommit>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <!-- Update Related Event Listeners
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Various IndexWriter related events can trigger Listeners to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ take actions.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ postCommit - fired after every commit or optimize command
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ postOptimize - fired after every optimize command
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -->
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ </updateHandler>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Query section - these settings control query time things like caches
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <query>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <!-- Solr Internal Query Caches
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ There are two implementations of cache available for Solr,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ LRUCache, based on a synchronized LinkedHashMap, and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ FastLRUCache, based on a ConcurrentHashMap.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ FastLRUCache has faster gets and slower puts in single
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ threaded operation and thus is generally faster than LRUCache
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ when the hit ratio of the cache is high (> 75%), and may be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ faster under other scenarios on multi-cpu systems.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -->
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <!-- Filter Cache
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Cache used by SolrIndexSearcher for filters (DocSets),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ unordered sets of *all* documents that match a query. When a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ new searcher is opened, its caches may be prepopulated or
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "autowarmed" using data from caches in the old searcher.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ autowarmCount is the number of items to prepopulate. For
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ LRUCache, the autowarmed items will be the most recently
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ accessed items.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Parameters:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ class - the SolrCache implementation LRUCache or
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ (LRUCache or FastLRUCache)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ size - the maximum number of entries in the cache
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ initialSize - the initial capacity (number of entries) of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ the cache. (see java.util.HashMap)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ autowarmCount - the number of entries to prepopulate from
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ and old cache.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ maxRamMB - the maximum amount of RAM (in MB) that this cache is allowed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ to occupy. Note that when this option is specified, the size
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ and initialSize parameters are ignored.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -->
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <filterCache class="solr.FastLRUCache"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ size="512"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ initialSize="512"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ autowarmCount="0"/>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <!-- Query Result Cache
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Caches results of searches - ordered lists of document ids
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ (DocList) based on a query, a sort, and the range of documents requested.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Additional supported parameter by LRUCache:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ maxRamMB - the maximum amount of RAM (in MB) that this cache is allowed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ to occupy
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -->
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <queryResultCache class="solr.LRUCache"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ size="512"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ initialSize="512"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ autowarmCount="0"/>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <!-- Document Cache
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Caches Lucene Document objects (the stored fields for each
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ document). Since Lucene internal document ids are transient,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ this cache will not be autowarmed.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -->
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <documentCache class="solr.LRUCache"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ size="512"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ initialSize="512"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ autowarmCount="0"/>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <!-- custom cache currently used by block join -->
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <cache name="perSegFilter"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ class="solr.search.LRUCache"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ size="10"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ initialSize="0"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ autowarmCount="10"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ regenerator="solr.NoOpRegenerator" />
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <!-- Lazy Field Loading
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ If true, stored fields that are not requested will be loaded
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ lazily. This can result in a significant speed improvement
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if the usual case is to not load all stored fields,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ especially if the skipped fields are large compressed text
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fields.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -->
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <enableLazyFieldLoading>true</enableLazyFieldLoading>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <!-- Result Window Size
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ An optimization for use with the queryResultCache. When a search
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ is requested, a superset of the requested number of document ids
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ are collected. For example, if a search for a particular query
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ requests matching documents 10 through 19, and queryWindowSize is 50,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ then documents 0 through 49 will be collected and cached. Any further
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ requests in that range can be satisfied via the cache.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -->
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <queryResultWindowSize>20</queryResultWindowSize>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <!-- Maximum number of documents to cache for any entry in the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ queryResultCache.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -->
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <queryResultMaxDocsCached>200</queryResultMaxDocsCached>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <!-- Use Cold Searcher
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ If a search request comes in and there is no current
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ registered searcher, then immediately register the still
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ warming searcher and use it. If "false" then all requests
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ will block until the first searcher is done warming.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -->
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <useColdSearcher>false</useColdSearcher>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ </query>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <!-- Request Dispatcher
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ This section contains instructions for how the SolrDispatchFilter
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ should behave when processing requests for this SolrCore.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -->
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <requestDispatcher>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <httpCaching never304="true" />
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ </requestDispatcher>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <!-- Request Handlers
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ http://wiki.apache.org/solr/SolrRequestHandler
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Incoming queries will be dispatched to a specific handler by name
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ based on the path specified in the request.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ If a Request Handler is declared with startup="lazy", then it will
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ not be initialized until the first request that uses it.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -->
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <!-- SearchHandler
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ http://wiki.apache.org/solr/SearchHandler
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ For processing Search Queries, the primary Request Handler
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ provided with Solr is "SearchHandler" It delegates to a sequent
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ of SearchComponents (see below) and supports distributed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ queries across multiple shards
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -->
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <requestHandler name="/select" class="solr.SearchHandler">
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <!-- default values for query parameters can be specified, these
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ will be overridden by parameters in the request
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -->
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <lst name="defaults">
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <str name="echoParams">explicit</str>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <int name="rows">10</int>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ </lst>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ </requestHandler>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <initParams path="/update/**,/select">
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <lst name="defaults">
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <str name="hdr">_text_</str>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ </lst>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ </initParams>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <!-- Response Writers
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ http://wiki.apache.org/solr/QueryResponseWriter
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Request responses will be written using the writer specified by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ the 'wt' request parameter matching the name of a registered
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ writer.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ The "default" writer is the default and will be used if 'wt' is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ not specified in the request.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -->
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ <queryResponseWriter name="xml"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ default="true"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ class="solr.XMLResponseWriter" />
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+</config>
</span></pre><pre style='margin:0'>
</pre>