xref: /dports/mail/cyrus-imapd32/cyrus-imapd-3.2.8/docsrc/imap/reference/manpages/configs/imapd.conf.rst

.. auto-generated by config2rst 1.6rst


.. cyrusman:: imapd.conf(5)

.. _imap-reference-manpages-configs-imapd.conf:

==============
**imapd.conf**
==============









IMAP configuration file

DESCRIPTION
===========

    **/etc/imapd.conf**
    is the configuration file for the Cyrus IMAP server.  It defines
    local parameters for IMAP.

    Each line of the **/etc/imapd.conf** file has the form
        *option*: *value*

    where *option* is the name of the configuration option being set
    and *value* is the value that the configuration option is being
    set to.

    Although there is no limit to the length of a line, a \`\`\\''
    (backslash) character may be used as the last character on a line to
    force it to continue on the next one.  No additional whitespace is
    inserted before or after the \`\`\\''.  Note that a line that is split
    using \`\`\\'' character(s) is still considered a single line.

    For example
        *option*:\\

         *value*\ 1 *value*\ 2 \\

          *value*\ 3

    is equivalent to
        *option*: *value*\ 1 *value*\ 2   *value*\ 3

    Blank lines and lines beginning with \`\`#'' are ignored.

    For boolean and enumerated options, the values \`\`yes'', \`\`on'', \`\`t'',
    \`\`true'' and \`\`\ 1'' turn the option on, the values \`\`no'', \`\`off'',
    \`\`f'', \`\`false'' and \`\`\ 0'' turn the option off.

    Duration options take the form of a number followed by a unit, for example
    **\ 32m** (32 minutes).  Units are **d** (days), **h** (hours), **m**
    (minutes) and **s** (seconds).  Multiple units can be combined and will
    be summed together, for example **\ 1h30m** is equivalent to **\ 90m**.  If
    no unit is specified, an option-specific backward-compatible default unit
    is assumed (documented on an option-by-option basis).  These are simple time
    units: 1d=24h, 1h=60m, 1m=60s (daylight savings, timezones, leap adjustments,
    etc are not considered).

FIELD DESCRIPTIONS
==================


    The sections below detail options that can be placed in the
    **/etc/imapd.conf** file, and show each option's default value.
    Some options have no default value, these are listed with
    \`\`<no default>''.  Some options default to the empty string, these
    are listed with \`\`<none>''.


    .. startblob addressbookprefix

    ``addressbookprefix:`` #addressbooks

        The prefix for the addressbook mailboxes hierarchies.  The hierarchy
        delimiter will be automatically appended.  The public addressbook
        hierarchy will be at the toplevel of the shared namespace.  A
        user's personal addressbook hierarchy will be a child of their Inbox.

    .. endblob addressbookprefix

    .. startblob admins

    ``admins:`` <empty string>

        The list of userids with administrative rights.  Separate each userid
        with a space.  Sites using Kerberos authentication may use
        separate "admin" instances.

        Note that accounts used by users should not be administrators.
        Administrative accounts should not receive mail.  That is, if user
        "jbRo" is a user reading mail, he should not also be in the admins line.
        Some problems may occur otherwise, most notably the ability of
        administrators to create top-level mailboxes visible to users,
        but not writable by users.

    .. endblob admins

    .. startblob afspts_localrealms

    ``afspts_localrealms:`` <none>

        The list of realms which are to be treated as local, and thus stripped
        during identifier canonicalization (for the AFSPTS ptloader module).
        This is different from loginrealms in that it occurs later in the
        authorization process (as the user id is canonified for PTS lookup)

    .. endblob afspts_localrealms

    .. startblob afspts_mycell

    ``afspts_mycell:`` <none>

        Cell to use for AFS PTS lookups.  Defaults to the local cell.


    .. endblob afspts_mycell

    .. startblob allowallsubscribe

    ``allowallsubscribe:`` 0

        Allow subscription to nonexistent mailboxes.  This option is
        typically used on backend servers in a Murder so that users can
        subscribe to mailboxes that don't reside on their "home" server.
        This option can also be used as a workaround for IMAP clients which
        don't play well with nonexistent or unselectable mailboxes (e.g.,
        Microsoft Outlook).

    .. endblob allowallsubscribe

    .. startblob allowanonymouslogin

    ``allowanonymouslogin:`` 0

        Permit logins by the user "anonymous" using any password.  Also
        allows use of the SASL ANONYMOUS mechanism.

    .. endblob allowanonymouslogin

    .. startblob allowapop

    ``allowapop:`` 1

        Allow use of the POP3 APOP authentication command.

        Note that this command requires that SASL is compiled with APOP
        support, that the plaintext passwords are available in a SASL auxprop
        backend (e.g., sasldb), and that the system can provide enough entropy
        (e.g., from /dev/urandom) to create a challenge in the banner.

    .. endblob allowapop

    .. startblob allowdeleted

    ``allowdeleted:`` 0

        Allow access to deleted and expunged data via vendor.cmu-\* access


    .. endblob allowdeleted

    .. startblob allownewnews

    ``allownewnews:`` 0

        Allow use of the NNTP NEWNEWS command.

        Note that this is a very expensive command and should only be
        enabled when absolutely necessary.

    .. endblob allownewnews

    .. startblob allowplaintext

    ``allowplaintext:`` 0

        If enabled, allows the use of cleartext passwords on the wire.

        By default, the use of cleartext passwords requires a TLS/SSL
        encryption layer to be negotiated prior to any cleartext
        authentication mechanisms being advertised or allowed.  To require a
        TLS/SSL encryption layer to be negotiated prior to ANY
        authentication, see the *tls_required* option.

    .. endblob allowplaintext

    .. startblob allowsetacl

    ``allowsetacl:`` 1

        Defaults to enabled.  If disabled, disallows the use of the SETACL
        command at all via IMAP.

    .. endblob allowsetacl

    .. startblob allowusermoves

    ``allowusermoves:`` 0

        Allow moving user accounts (with associated meta-data) via RENAME
        or XFER.

        Note that measures should be taken to make sure that the user being
        moved is not logged in, and cannot login during the move.  Failure
        to do so may result in the user's meta-data (seen state,
        subscriptions, etc) being corrupted or out of date.

    .. endblob allowusermoves

    .. startblob altnamespace

    ``altnamespace:`` 1

        Use the alternate IMAP namespace, where personal folders reside at the
        same level in the hierarchy as INBOX.

        This option ONLY applies where interaction takes place with the
        client/user.  Currently this is limited to the IMAP protocol (imapd)
        and Sieve scripts (lmtpd).  This option does NOT apply to admin tools
        such as cyradm (admins ONLY), reconstruct, quota, etc., NOR does it
        affect LMTP delivery of messages directly to mailboxes via
        plus-addressing.  The default changed in 3.0 from off to on.

    .. endblob altnamespace

    .. startblob altprefix

    ``altprefix:`` Alt Folders

        Alternative INBOX spellings that can't be accessed in altnamespace
        otherwise go under here

    .. endblob altprefix

    .. startblob annotation_db

    ``annotation_db:`` twoskip

        The cyrusdb backend to use for mailbox annotations.

        Allowed values: *skiplist*, *twoskip*, *zeroskip*


    .. endblob annotation_db

    .. startblob annotation_db_path

    ``annotation_db_path:`` <none>

        The absolute path to the annotations db file.  If not specified,
        will be configdirectory/annotations.db

    .. endblob annotation_db_path

    .. startblob anyoneuseracl

    ``anyoneuseracl:`` 1

        Should non-admin users be allowed to set ACLs for the 'anyone'
        user on their mailboxes?  In a large organization this can cause
        support problems, but it's enabled by default.

    .. endblob anyoneuseracl

    .. startblob annotation_allow_undefined

    ``annotation_allow_undefined:`` 0

        Allow clients to store values for entries which are not
        defined either by Cyrus or in the annotations_definitions
        file.

    .. endblob annotation_allow_undefined

    .. startblob annotation_definitions

    ``annotation_definitions:`` <none>

        File containing external (third-party) annotation definitions.

        Each line of the file specifies the properties of an annotation and
        has the following form:

            *name*, *scope*, *attrib-type*, *proxy-type*,
            *attrib-names*, *acl*

        *name*
            is the hierarchical name as in :rfc:`5257` or :rfc:`5464` (in the latter case,
            without the leading **/shared** or **/private**).  For example,
            /vendor/acme/blurdybloop.

        *scope*
            specifies whether the annotation is for the **server**, a
            **mailbox**, or a **message**.

        *attrib-type*
                specifies the attribute data type, which is used only to check the
                string value passed by clients when setting annotations.  The
                *attrib-type* is one of:

            **string**
                any value is accepted.

            **content-type**
                this obsolete data type, which was useful for early drafts of the standard,
                is accepted but silently translated to **string**.

            **boolean**
                only the strings "true" or "false" are accepted.  Checking is
                case-insensitive but the value is forced to lowercase.

            **int**
                integers are accepted.

            **uint**
                non-negative integers are accepted.


        *proxy-type*
            specifies whether this attribute is for the **backend** or
            **proxy** servers or both (**proxy_and_backend**)

        *attrib-names*
            is the space-separated list of available attributes for the
            annotation. Possible attribute names are **value.shared**,
            **value.priv**, and **value** (which permits both **value.priv**
            and **value.shared**).  The attribute names **size**,
            **size.shared**, and **size.priv** are accepted but ignored; these
            attributes are automatically provided by the server if the corresponding
            **value** attribute is specified.  Some obsolete attributes, which were
            defined early drafts of the standard, are accepted and ignored with a
            warning.

        *extra-permissions*
            is the extra ACL permission bits required for setting this annotation, in
            standard IMAP ACL permission bit string format.  Note that this is
            in addition to the permission bits specified in :rfc:`5257` and :rfc:`5464`,
            so leaving this field empty is harmless.  Note also that there is no way
            to specify that an annotation can only be set by an admin user; in
            particular the **a** permission bit does not achieve this.

            Blank lines and lines beginning with \`\`#'' are ignored.


    .. endblob annotation_definitions

    .. startblob annotation_callout

    ``annotation_callout:`` <none>

        The pathname of a callout to be used to automatically add annotations
        or flags to a message when it is appended to a mailbox.  The path can
        be either an executable (including a script), or a UNIX domain
        socket.

    .. endblob annotation_callout

    .. startblob annotation_callout_disable_append

    ``annotation_callout_disable_append:`` 0

        Disables annotations on append with xrunannotator


    .. endblob annotation_callout_disable_append

    .. startblob annotation_enable_legacy_commands

    ``annotation_enable_legacy_commands:`` 0

        Whether to enable the legacy GETANNOTATION/SETANNOTATION commands.
        These commands are deprecated and will be removed in the future,
        but might be useful in the meantime for supporting old clients that
        do not implement the :rfc:`5464` IMAP METADATA extension.

    .. endblob annotation_enable_legacy_commands

    .. startblob aps_topic

    ``aps_topic:`` <none>

        Topic for Apple Push Service registration.


    .. endblob aps_topic

    .. startblob aps_topic_caldav

    ``aps_topic_caldav:`` <none>

        Topic for Apple Push Service registration for CalDAV.


    .. endblob aps_topic_caldav

    .. startblob aps_topic_carddav

    ``aps_topic_carddav:`` <none>

        Topic for Apple Push Service registration for CardDAV.


    .. endblob aps_topic_carddav

    .. startblob archive_enabled

    ``archive_enabled:`` 0

        Is archiving enabled for this server.  You also need to have an
        archivepartition for the mailbox.  Archiving allows older email
        to be stored on slower, cheaper disks - even within the same
        mailbox, as distinct from partitions.

    .. endblob archive_enabled

    .. startblob archive_days

    ``archive_days:`` <none>

        Deprecated in favour of *archive_after*.


    .. endblob archive_days

    .. startblob archive_after

    ``archive_after:`` 7d

        The duration after which to move messages to the archive partition
        if archiving is enabled.

        For backward compatibility, if no unit is specified, days is
        assumed.

    .. endblob archive_after

    .. startblob archive_maxsize

    ``archive_maxsize:`` 1024

        The size in kilobytes of the largest message that won't be archived
        immediately.  Default is 1Mb

    .. endblob archive_maxsize

    .. startblob archive_keepflagged

    ``archive_keepflagged:`` 0

        If set, messages with the \\Flagged system flag won't be archived,
        provided they are smaller than **archive_maxsize**.

    .. endblob archive_keepflagged

    .. startblob archivepartition-name

    ``archivepartition-name:`` <none>

        The pathname of the archive partition *name*, corresponding to
        spool partition **partition-name**.  For any mailbox residing in
        a directory on **partition-name**, the archived messages will be
        stored in a corresponding directory on **archivepartition-name**.
        Note that not every **partition-name** option is strictly required
        to have a corresponding **archivepartition-name** option, but that
        without one there's no benefit to enabling archiving.

    .. endblob archivepartition-name

    .. startblob auditlog

    ``auditlog:`` 0

        Should cyrus output log entries for every action taken on a message
        file or mailboxes list entry?  It's noisy so disabled by default, but
        can be very useful for tracking down what happened if things look strange

    .. endblob auditlog

    .. startblob auth_mech

    ``auth_mech:`` unix

        The authorization mechanism to use.

        Allowed values: *unix*, *pts*, *krb*, *krb5*


    .. endblob auth_mech

    .. startblob autocreateinboxfolders

    ``autocreateinboxfolders:`` <none>

        Deprecated in favor of *autocreate_inbox_folders*.


    .. endblob autocreateinboxfolders

    .. startblob autocreatequota

    ``autocreatequota:`` 0

        Deprecated in favor of *autocreate_quota*.


    .. endblob autocreatequota

    .. startblob autocreatequotamsg

    ``autocreatequotamsg:`` -1

        Deprecated in favor of *autocreate_quota_messages*.


    .. endblob autocreatequotamsg

    .. startblob autosievefolders

    ``autosievefolders:`` <none>

        Deprecated in favor of *autocreate_sieve_folders*.


    .. endblob autosievefolders

    .. startblob generate_compiled_sieve_script

    ``generate_compiled_sieve_script:`` 0

        Deprecated in favor of *autocreate_sieve_script_compile*.


    .. endblob generate_compiled_sieve_script

    .. startblob autocreate_sieve_compiled_script

    ``autocreate_sieve_compiled_script:`` <none>

        Deprecated in favor of *autocreate_sieve_script_compiled*.


    .. endblob autocreate_sieve_compiled_script

    .. startblob autosubscribeinboxfolders

    ``autosubscribeinboxfolders:`` <none>

        Deprecated in favor of *autocreate_subscribe_folders*.


    .. endblob autosubscribeinboxfolders

    .. startblob autosubscribesharedfolders

    ``autosubscribesharedfolders:`` <none>

        Deprecated in favor of *autocreate_subscribe_sharedfolders*.


    .. endblob autosubscribesharedfolders

    .. startblob autosubscribe_all_sharedfolders

    ``autosubscribe_all_sharedfolders:`` 0

        Deprecated in favor of *autocreate_subscribe_sharedfolders_all*.


    .. endblob autosubscribe_all_sharedfolders

    .. startblob autocreate_acl

    ``autocreate_acl:`` <none>

        If folders are to be created by *autocreate_inbox_folders*, this
        setting can be used to apply additional ACLs to the autocreated
        folders.  The syntax is "autocreate_acl folder identifier rights",
        where *folder* must match one of the *autocreate_inbox_folders*
        folders, *identifier* must be a valid cyrus identifier, and
        *rights* must be a valid cyrus rights string.  Multiple
        identifier|rights pairs can be assigned to a single folder by providing
        this setting multiple times.

        For example, "autocreate_acl Plus anyone p" would allow lmtp delivery
        to a folder named "Plus".


    .. endblob autocreate_acl

    .. startblob autocreate_inbox_folders

    ``autocreate_inbox_folders:`` <none>

        If a user does not have an INBOX already, and the INBOX is to be
        created, create the list of folders in this setting as well.
        *autocreate_inbox_folders* is a list of INBOX's subfolders
        separated by a "|", that are automatically created by the server
        under the following two scenarios. Leading and trailing whitespace is
        stripped, so "Junk | Trash" results in two folders: "Junk" and
        "Trash".  See also the *xlist-flag* option, for setting
        special-use flags on autocreated folders.

        INBOX folders are created under both the following conditions:

        1.
            The user logins via the IMAP or the POP3 protocol.
            *autocreate_quota* option must have a value of zero or greater.

        2.
            A message arrives for the user through the *lmtpd(8)*.
            *autocreate_post* option must be enabled.



    .. endblob autocreate_inbox_folders

    .. startblob autocreate_post

    ``autocreate_post:`` 0

        If enabled, when *lmtpd(8)* receives an incoming mail for an
        INBOX that does not exist, then the INBOX is automatically created
        by *lmtpd(8)* and delivery of the message continues.

    .. endblob autocreate_post

    .. startblob autocreate_quota

    ``autocreate_quota:`` -1

        If set to a value of zero or higher, users have their INBOX folders
        created upon a successful login event or upon *lmtpd(8)*
        message delivery if *autocreate_post* is enabled, provided their
        INBOX did not yet already exist.

        The user's quota is set to the value if it is greater than zero,
        otherwise the user has unlimited quota.

        Note that quota is specified in kilobytes.

    .. endblob autocreate_quota

    .. startblob autocreate_quota_messages

    ``autocreate_quota_messages:`` -1

        If set to a value of zero or higher, users who have their INBOX
        folders created upon a successful login event (see
        *autocreate_quota*), or upon *lmtpd(8)* message delivery if
        *autocreate_post* is enabled, receive the message quota
        configured in this option.

        The default of -1 disables assigning message quota.

        For consistency with *autocreate_quota*, a value of zero is treated
        as unlimited message quota, rather than a message quota of zero.

    .. endblob autocreate_quota_messages

    .. startblob autocreate_sieve_folders

    ``autocreate_sieve_folders:`` <none>

        A "|" separated list of subfolders of INBOX that will be
        automatically created, if requested by a sieve filter, through the
        "fileinto" action. The default is to create no folders
        automatically.

        Leading and trailing whitespace is stripped from each folder, so a
        setting of "Junk | Trash" will create two folders: "Junk" and
        "Trash".

    .. endblob autocreate_sieve_folders

    .. startblob autocreate_sieve_script

    ``autocreate_sieve_script:`` <none>

        The full path of a file that contains a sieve script. This script
        automatically becomes a user's initial default sieve filter script.

        When this option is not defined, no default sieve filter is created.
        The file must be readable by the Cyrus daemon.

    .. endblob autocreate_sieve_script

    .. startblob autocreate_sieve_script_compile

    ``autocreate_sieve_script_compile:`` 0

        If set to yes and no compiled sieve script file exists, the sieve script which is
        compiled on the fly will be saved in the file name that autocreate_sieve_compiledscript
        option points to. In order a compiled script to be generated, autocreate_sieve_script and
        autocreate_sieve_compiledscript must have valid values

    .. endblob autocreate_sieve_script_compile

    .. startblob autocreate_sieve_script_compiled

    ``autocreate_sieve_script_compiled:`` <none>

        The full path of a file that contains a compiled in bytecode sieve script. This script
        automatically becomes a user's initial default sieve filter script.  If this option is
        not specified, or the filename doesn't exist then the script defined by
        autocreate_sieve_script is compiled on the fly and installed as the user's default
        sieve script

    .. endblob autocreate_sieve_script_compiled

    .. startblob autocreate_subscribe_folders

    ``autocreate_subscribe_folders:`` <none>

        A list of folder names, separated by "|", that the users get automatically subscribed to,
        when their INBOX is created. These folder names must have been included in the
        autocreateinboxfolders option of the imapd.conf.

    .. endblob autocreate_subscribe_folders

    .. startblob autocreate_subscribe_sharedfolders

    ``autocreate_subscribe_sharedfolders:`` <none>

        A list of shared folders (bulletin boards), separated by "|", that the users get
        automatically subscribed to, after their INBOX is created. The shared folder must
        have been created and the user must have the required permissions to get subscribed
        to it. Otherwise, subscribing to the shared folder fails.

    .. endblob autocreate_subscribe_sharedfolders

    .. startblob autocreate_subscribe_sharedfolders_all

    ``autocreate_subscribe_sharedfolders_all:`` 0

        If set to yes, the user is automatically subscribed to all shared folders, one has permission
        to subscribe to.

    .. endblob autocreate_subscribe_sharedfolders_all

    .. startblob autocreate_users

    ``autocreate_users:`` anyone

        A space separated list of users and/or groups that are allowed their INBOX to be
        automatically created.

    .. endblob autocreate_users

    .. startblob autoexpunge

    ``autoexpunge:`` 0

        If set to yes, then all \Deleted messages will be automatically expunged whenever
        an index is closed, whether CLOSE, UNSELECT, SELECT or on disconnect

    .. endblob autoexpunge

    .. startblob backuppartition-name

    ``backuppartition-name:`` <none>

        The pathname of the backup partition *name*.  At least one backup
        partition pathname MUST be specified if backups are in use.  Note that
        there is no relationship between spool partitions and backup partitions.

    .. endblob backuppartition-name

    .. startblob backup_compact_minsize

    ``backup_compact_minsize:`` 0

        The minimum size in kilobytes of chunks in each backup.  The compact tool
        will try to combine adjacent chunks that are smaller than this.

        Setting this value to zero or negative disables combining of chunks.

    .. endblob backup_compact_minsize

    .. startblob backup_compact_maxsize

    ``backup_compact_maxsize:`` 0

        The maximum size in kilobytes of chunks in each backup.  The compact tool
        will try to split chunks larger than this into smaller chunks.

        Setting this value to zero or negative disables splitting of chunks.

    .. endblob backup_compact_maxsize

    .. startblob backup_compact_work_threshold

    ``backup_compact_work_threshold:`` 1

        The number of chunks that must obviously need compaction before the compact
        tool will go ahead with the compaction.  If set to less than one, the value
        is treated as being one.

    .. endblob backup_compact_work_threshold

    .. startblob backup_staging_path

    ``backup_staging_path:`` <none>

        The absolute path of the backup staging area.  If not specified,
        will be temp_path/backup

    .. endblob backup_staging_path

    .. startblob backup_retention_days

    ``backup_retention_days:`` <none>

        Deprecated in favor of *backup_retention*.


    .. endblob backup_retention_days

    .. startblob backup_retention

    ``backup_retention:`` 7d

        How long to keep content in backup after it has been deleted
        from the source.  If set to a negative value or zero, deleted content
        will be kept indefinitely.

        For backward compatibility, if no unit is specified, days is
        assumed.

    .. endblob backup_retention

    .. startblob backup_db

    ``backup_db:`` twoskip

        The cyrusdb backend to use for the backup locations database.

        Allowed values: *skiplist*, *sql*, *twoskip*, *zeroskip*


    .. endblob backup_db

    .. startblob backup_db_path

    ``backup_db_path:`` <none>

        The absolute path to the backup db file.  If not specified,
        will be configdirectory/backups.db

    .. endblob backup_db_path

    .. startblob backup_keep_previous

    ``backup_keep_previous:`` 0

        Whether the **ctl_backups compact** and **ctl_backups reindex**
        commands should preserve the original file.  The original file will
        be named with a timestamped suffix.  This is mostly useful for
        debugging.

        Note that with this enabled, compacting a backup will actually
        increase the disk used by it (because there will now be an extra
        copy: the original version, and the compacted version).

    .. endblob backup_keep_previous

    .. startblob boundary_limit

    ``boundary_limit:`` 1000

        messages are parsed recursively and a deep enough MIME structure
        can cause a stack overflow.  Do not parse deeper than this many
        layers of MIME structure.  The default of 1000 is much higher
        than any sane message should have.

    .. endblob boundary_limit

    .. startblob caldav_allowattach

    ``caldav_allowattach:`` 1

        Enable managed attachments support on the CalDAV server.


    .. endblob caldav_allowattach

    .. startblob caldav_allowcalendaradmin

    ``caldav_allowcalendaradmin:`` 0

        Enable per-user calendar administration web UI on the CalDAV server.


    .. endblob caldav_allowcalendaradmin

    .. startblob caldav_allowscheduling

    ``caldav_allowscheduling:`` on

        Enable calendar scheduling operations. If set to "apple", the
        server will emulate Apple CalendarServer behavior as closely as
        possible.
        Allowed values: *off*, *on*, *apple*


    .. endblob caldav_allowscheduling

    .. startblob caldav_create_attach

    ``caldav_create_attach:`` 1

        Create the 'Attachments' collection if it doesn't already exist


    .. endblob caldav_create_attach

    .. startblob caldav_create_default

    ``caldav_create_default:`` 1

        Create the 'Default' calendar if it doesn't already exist


    .. endblob caldav_create_default

    .. startblob caldav_create_sched

    ``caldav_create_sched:`` 1

        Create the 'Inbox' and 'Outbox' calendars if they don't already exist


    .. endblob caldav_create_sched

    .. startblob caldav_historical_age

    ``caldav_historical_age:`` 7d

        How long after an occurrence of event or task has concluded
        that it is considered 'historical'.  Changes to historical
        occurrences of events or tasks WILL NOT have invite or reply
        messages sent for them.  A negative value means that events
        and tasks are NEVER considered historical.

        For backward compatibility, if no unit is specified, days is
        assumed.

    .. endblob caldav_historical_age

    .. startblob caldav_maxdatetime

    ``caldav_maxdatetime:`` 20380119T031407Z

        The latest date and time accepted by the server (ISO format).  This
        value is also used for expanding non-terminating recurrence rules.

        Note that increasing this value will require the DAV databases for
        calendars to be reconstructed with the **dav_reconstruct**
        utility in order to see its effect on serer-side time-based
        queries.

    .. endblob caldav_maxdatetime

    .. startblob caldav_mindatetime

    ``caldav_mindatetime:`` 19011213T204552Z

        The earliest date and time accepted by the server (ISO format).


    .. endblob caldav_mindatetime

    .. startblob caldav_realm

    ``caldav_realm:`` <none>

        The realm to present for HTTP authentication of CalDAV resources.
        If not set (the default), the value of the "servername" option will
        be used.

    .. endblob caldav_realm

    .. startblob calendarprefix

    ``calendarprefix:`` #calendars

        The prefix for the calendar mailboxes hierarchies.  The hierarchy
        delimiter will be automatically appended.  The public calendar
        hierarchy will be at the toplevel of the shared namespace.  A
        user's personal calendar hierarchy will be a child of their Inbox.

    .. endblob calendarprefix

    .. startblob calendar_user_address_set

    ``calendar_user_address_set:`` <none>

        Space-separated list of domains corresponding to calendar user
        addresses for which the server is responsible.  If not set (the
        default), the value of the "servername" option will be used.

    .. endblob calendar_user_address_set

    .. startblob calendar_component_set

    ``calendar_component_set:`` VEVENT VTODO VJOURNAL VFREEBUSY VAVAILABILITY VPOLL

        Space-separated list of iCalendar component types that calendar
        object resources may contain in a calendar collection.
        This restriction is only set at calendar creation time and only
        if the CalDAV client hasn't specified a restriction in the creation
        request.
        Allowed values: *VEVENT*, *VTODO*, *VJOURNAL*, *VFREEBUSY*, *VAVAILABILITY*, *VPOLL*


    .. endblob calendar_component_set

    .. startblob carddav_allowaddmember

    ``carddav_allowaddmember:`` 0

        Enable support for POST add-member on the CardDAV server.


    .. endblob carddav_allowaddmember

    .. startblob carddav_allowaddressbookadmin

    ``carddav_allowaddressbookadmin:`` 0

        Enable per-user addressbook administration web UI on the CardDAV server.


    .. endblob carddav_allowaddressbookadmin

    .. startblob carddav_realm

    ``carddav_realm:`` <none>

        The realm to present for HTTP authentication of CardDAV resources.
        If not set (the default), the value of the "servername" option will
        be used.

    .. endblob carddav_realm

    .. startblob carddav_repair_vcard

    ``carddav_repair_vcard:`` 0

        If enabled, VCARDs with invalid content are attempted to be repaired
        during creation.

    .. endblob carddav_repair_vcard

    .. startblob chatty

    ``chatty:`` 0

        If yes, syslog tags and commands for every IMAP command, mailboxes
        for every lmtp connection, every POP3 command, etc

    .. endblob chatty

    .. startblob client_bind

    ``client_bind:`` 0

        If enabled, a specific IP will be bound when performing a client
        connection.  **client_bind_name** is used if it is set, otherwise
        **servername** is used.  This is useful on multi-homed servers where
        Cyrus should not use other services' interfaces.

        If not enabled (the default), no bind will be performed.  Client
        connections will use an IP chosen by the operating system.

    .. endblob client_bind

    .. startblob client_bind_name

    ``client_bind_name:`` <none>

        IPv4, IPv6 address or hostname to bind for client connections when
        **client_bind** is enabled.  If not set (the default),
        servername will be used.

    .. endblob client_bind_name

    .. startblob client_timeout

    ``client_timeout:`` 10s

        Time to wait before returning a timeout failure when performing a
        client connection (e.g. in a murder environment).

        For backward compatibility, if no unit is specified, seconds is
        assumed.

    .. endblob client_timeout

    .. startblob commandmintimer

    ``commandmintimer:`` <none>

        Time in seconds. Any imap command that takes longer than this
        time is logged.

    .. endblob commandmintimer

    .. startblob configdirectory

    ``configdirectory:`` <none>

        The pathname of the IMAP configuration directory.  This field is
        required.

    .. endblob configdirectory

    .. startblob createonpost

    ``createonpost:`` 0

        Deprecated in favor of *autocreate_post*.


    .. endblob createonpost

    .. startblob conversations

    ``conversations:`` 0

        Enable the XCONVERSATIONS extensions.  Extract conversation
        tracking information from incoming messages and track them
        in per-user databases.

    .. endblob conversations

    .. startblob conversations_counted_flags

    ``conversations_counted_flags:`` <none>

        space-separated list of flags for which per-conversation counts
        will be kept.  Note that you need to reconstruct the conversations
        database with ctl_conversationsdb if you change this option on a
        running server, or the counts will be wrong.

    .. endblob conversations_counted_flags

    .. startblob conversations_db

    ``conversations_db:`` skiplist

        The cyrusdb backend to use for the per-user conversations database.

        Allowed values: *skiplist*, *sql*, *twoskip*, *zeroskip*


    .. endblob conversations_db

    .. startblob conversations_expire_days

    ``conversations_expire_days:`` <none>

        Deprecated in favor of *conversations_expire_after*.


    .. endblob conversations_expire_days

    .. startblob conversations_expire_after

    ``conversations_expire_after:`` 90d

        How long the conversations database keeps the message tracking
        information needed for receiving new messages in existing
        conversations.

        For backward compatibility, if no unit is specified, days is
        assumed.

    .. endblob conversations_expire_after

    .. startblob conversations_max_thread

    ``conversations_max_thread:`` 100

        maximum size for a single thread.  Threads will split if they have this many
        \* messages in them and another message arrives

    .. endblob conversations_max_thread

    .. startblob crossdomains

    ``crossdomains:`` 0

        Enable cross domain sharing.  This works best with alt namespace and
        unix hierarchy separators on, so you get Other Users/foo@example.com/...

    .. endblob crossdomains

    .. startblob crossdomains_onlyother

    ``crossdomains_onlyother:`` 0

        only show the domain for users in other domains than your own (for
        backwards compatibility if you're already sharing

    .. endblob crossdomains_onlyother

    .. startblob cyrus_group

    ``cyrus_group:`` <none>

        The name of the group Cyrus services will run as.  If not configured, the
        primary group of cyrus_user will be used. Can be further overridden by
        setting the $CYRUS_GROUP environment variable.

    .. endblob cyrus_group

    .. startblob cyrus_user

    ``cyrus_user:`` <none>

        The username to use as the 'cyrus' user.  If not configured, the compile
        time default will be used. Can be further overridden by setting the
        $CYRUS_USER environment variable.

    .. endblob cyrus_user

    .. startblob davdriveprefix

    ``davdriveprefix:`` #drive

        The prefix for the DAV storage mailboxes hierarchies.  The hierarchy
        delimiter will be automatically appended.  The public storage
        hierarchy will be at the toplevel of the shared namespace.  A
        user's personal storage hierarchy will be a child of their Inbox.

    .. endblob davdriveprefix

    .. startblob davnotificationsprefix

    ``davnotificationsprefix:`` #notifications

        The prefix for the DAV notifications hierarchy.  The hierarchy
        delimiter will be automatically appended.  The public notifications
        hierarchy will be at the toplevel of the shared namespace.  A
        user's personal notifications hierarchy will be a child of their Inbox.

    .. endblob davnotificationsprefix

    .. startblob dav_realm

    ``dav_realm:`` <none>

        The realm to present for HTTP authentication of generic DAV
        resources (principals).  If not set (the default), the value of the
        "servername" option will be used.

    .. endblob dav_realm

    .. startblob dav_lock_timeout

    ``dav_lock_timeout:`` 20s

        The maximum time to wait for a write lock on the per-user DAV database
        before timeout. For HTTP requests, the HTTP status code 503 is returned
        if the lock can not be obtained within this time.

        For backward compatibility, if no unit is specified, seconds is
        assumed.

    .. endblob dav_lock_timeout

    .. startblob debug_command

    ``debug_command:`` <none>

        Debug command to be used by processes started with -D option.  The string
        is a C format string that gets 3 options: the first is the name of the
        executable (as specified in the cmd parameter in cyrus.conf). The second
        is the pid (integer) and the third is the service ID.
        Example: /usr/local/bin/gdb /usr/cyrus/bin/%s %d

    .. endblob debug_command

    .. startblob defaultacl

    ``defaultacl:`` anyone lrs

        The Access Control List (ACL) placed on a newly-created (non-user)
        mailbox that does not have a parent mailbox.

    .. endblob defaultacl

    .. startblob defaultdomain

    ``defaultdomain:`` internal

        The default domain for virtual domain support


    .. endblob defaultdomain

    .. startblob defaultpartition

    ``defaultpartition:`` <none>

        The partition name used by default for new mailboxes.  If not
        specified, the partition with the most free space will be used for
        new mailboxes.

        Note that the partition specified by this option must also be
        specified as *partition-name*, where you substitute 'name'
        for the alphanumeric string you set *defaultpartition* to.

    .. endblob defaultpartition

    .. startblob defaultsearchtier

    ``defaultsearchtier:`` <empty string>

        Name of the default tier that messages will be indexed to. Search
        indexes can be organized in tiers to allow index storage in different
        directories and physical media. See the man page of squatter for
        details. The default search tier also requires the definition
        of an according *searchtierpartition-name* entry.

        This option MUST be specified for xapian search.

    .. endblob defaultsearchtier

    .. startblob defaultserver

    ``defaultserver:`` <none>

        The backend server name used by default for new mailboxes.  If not
        specified, the server with the most free space will be used for new
        mailboxes.

    .. endblob defaultserver

    .. startblob deletedprefix

    ``deletedprefix:`` DELETED

        With **delete_mode** set to *delayed*, the
        **deletedprefix** setting defines the prefix for the hierarchy of
        deleted mailboxes.

        The hierarchy delimiter will be automatically appended.


    .. endblob deletedprefix

    .. startblob delete_mode

    ``delete_mode:`` delayed

        The manner in which mailboxes are deleted. In the default
        *delayed* mode, mailboxes that are being deleted are renamed to
        a special mailbox hierarchy under the **deletedprefix**, to be
        removed later by **cyr_expire(8)**.

        In *immediate* mode, the mailbox is removed from the filesystem
        immediately.

        Allowed values: *immediate*, *delayed*


    .. endblob delete_mode

    .. startblob delete_unsubscribe

    ``delete_unsubscribe:`` 0

        Whether to also unsubscribe from mailboxes when they are deleted.
        Note that this behaviour contravenes :rfc:`3501` section 6.3.9, but
        may be useful for avoiding user/client software confusion.
        The default is 'no'.

    .. endblob delete_unsubscribe

    .. startblob deleteright

    ``deleteright:`` c

        Deprecated - only used for backwards compatibility with existing
        installations.  Lists the old :rfc:`2086` right which was used to
        grant the user the ability to delete a mailbox.  If a user has this
        right, they will automatically be given the new 'x' right.

    .. endblob deleteright

    .. startblob disable_user_namespace

    ``disable_user_namespace:`` 0

        Preclude list command on user namespace.  If set to 'yes', the
        LIST response will never include any other user's mailbox.  Admin
        users will always see all mailboxes.  The default is 'no'

    .. endblob disable_user_namespace

    .. startblob disable_shared_namespace

    ``disable_shared_namespace:`` 0

        Preclude list command on shared namespace.  If set to 'yes', the
        LIST response will never include any non-user mailboxes.  Admin
        users will always see all mailboxes.  The default is 'no'

    .. endblob disable_shared_namespace

    .. startblob disconnect_on_vanished_mailbox

    ``disconnect_on_vanished_mailbox:`` 0

        If enabled, IMAP/POP3/NNTP clients will be disconnected by the
        server if the currently selected mailbox is (re)moved by another
        session.  Otherwise, the missing mailbox is treated as empty while
        in use by the client.

    .. endblob disconnect_on_vanished_mailbox

    .. startblob ischedule_dkim_domain

    ``ischedule_dkim_domain:`` <none>

        The domain to be reported as doing iSchedule DKIM signing.


    .. endblob ischedule_dkim_domain

    .. startblob ischedule_dkim_key_file

    ``ischedule_dkim_key_file:`` <none>

        File containing the private key for iSchedule DKIM signing.


    .. endblob ischedule_dkim_key_file

    .. startblob ischedule_dkim_required

    ``ischedule_dkim_required:`` 1

        A DKIM signature is required on received iSchedule requests.


    .. endblob ischedule_dkim_required

    .. startblob ischedule_dkim_selector

    ``ischedule_dkim_selector:`` <none>

        Name of the selector subdividing the domain namespace.  This
        specifies the actual key used for iSchedule DKIM signing within the
        domain.

    .. endblob ischedule_dkim_selector

    .. startblob duplicate_db

    ``duplicate_db:`` twoskip

        The cyrusdb backend to use for the duplicate delivery suppression
        and sieve.
        Allowed values: *skiplist*, *sql*, *twoskip*, *zeroskip*


    .. endblob duplicate_db

    .. startblob duplicate_db_path

    ``duplicate_db_path:`` <none>

        The absolute path to the duplicate db file.  If not specified,
        will be configdirectory/deliver.db

    .. endblob duplicate_db_path

    .. startblob duplicatesuppression

    ``duplicatesuppression:`` 1

        If enabled, lmtpd will suppress delivery of a message to a mailbox if
        a message with the same message-id (or resent-message-id) is recorded
        as having already been delivered to the mailbox.  Records the mailbox
        and message-id/resent-message-id of all successful deliveries.

    .. endblob duplicatesuppression

    .. startblob event_content_inclusion_mode

    ``event_content_inclusion_mode:`` standard

        The mode in which message content may be included with MessageAppend and
        MessageNew. "standard" mode is the default behavior in which message is
        included up to a size with the notification. In "message" mode, the message
        is included and may be truncated to a size. In "header" mode, it includes
        headers truncated to a size. In "body" mode, it includes body truncated
        to a size. In "headerbody" mode, it includes full headers and body truncated
        to a size
        Allowed values: *standard*, *message*, *header*, *body*, *headerbody*


    .. endblob event_content_inclusion_mode

    .. startblob event_content_size

    ``event_content_size:`` 0

        Truncate the message content that may be included with MessageAppend and
        MessageNew. Set 0 to include the entire message itself

    .. endblob event_content_size

    .. startblob event_exclude_flags

    ``event_exclude_flags:`` <none>

        Don't send event notification for given IMAP flag(s)


    .. endblob event_exclude_flags

    .. startblob event_exclude_specialuse

    ``event_exclude_specialuse:`` \\Junk

        Don't send event notification for folder with given special-use attributes.
        Set ALL for any folder

    .. endblob event_exclude_specialuse

    .. startblob event_extra_params

    ``event_extra_params:`` timestamp

        Space-separated list of extra parameters to add to any appropriated event.

        Allowed values: *bodyStructure*, *clientAddress*, *diskUsed*, *flagNames*, *messageContent*, *messageSize*, *messages*, *modseq*, *service*, *timestamp*, *uidnext*, *vnd.cmu.midset*, *vnd.cmu.unseenMessages*, *vnd.cmu.envelope*, *vnd.cmu.sessionId*, *vnd.cmu.mailboxACL*, *vnd.cmu.mbtype*, *vnd.cmu.davFilename*, *vnd.cmu.davUid*, *vnd.fastmail.clientId*, *vnd.fastmail.sessionId*, *vnd.fastmail.convExists*, *vnd.fastmail.convUnseen*, *vnd.fastmail.cid*, *vnd.fastmail.counters*, *vnd.cmu.emailid*, *vnd.cmu.threadid*


    .. endblob event_extra_params

    .. startblob event_groups

    ``event_groups:`` message mailbox

        Space-separated list of groups of related events to turn on notification

        Allowed values: *message*, *quota*, *flags*, *access*, *mailbox*, *subscription*, *calendar*, *applepushservice*


    .. endblob event_groups

    .. startblob event_notifier

    ``event_notifier:`` <none>

        Notifyd(8) method to use for "EVENT" notifications which are based on
        the :rfc:`5423`.  If not set, "EVENT" notifications are disabled.

    .. endblob event_notifier

    .. startblob expunge_mode

    ``expunge_mode:`` delayed

        The mode in which messages (and their corresponding cache entries)
        are expunged.  "semidelayed" mode is the old behavior in which the
        message files are purged at the time of the EXPUNGE, but index
        and cache records are retained to facilitate QRESYNC.
        In "delayed" mode, which is the default since Cyrus 2.5.0,
        the message files are also retained, allowing unexpunge to
        rescue them.  In "immediate" mode, both the message files and the
        index records are removed as soon as possible.  In all cases,
        nothing will be finally purged until all other processes have
        closed the mailbox to ensure they never see data disappear under
        them.  In "semidelayed" or "delayed" mode, a later run of "cyr_expire"
        will clean out the retained records (and possibly message files).
        This reduces the amount of I/O that takes place at the time of
        EXPUNGE and should result in greater responsiveness for the client,
        especially when expunging a large number of messages.
        Allowed values: *immediate*, *semidelayed*, *delayed*


    .. endblob expunge_mode

    .. startblob failedloginpause

    ``failedloginpause:`` 3s

        Time to pause after a failed login.

        For backward compatibility, if no unit is specified, seconds is
        assumed.

    .. endblob failedloginpause

    .. startblob flushseenstate

    ``flushseenstate:`` 1

        Deprecated. No longer used


    .. endblob flushseenstate

    .. startblob foolstupidclients

    ``foolstupidclients:`` 0

        If enabled, only list the personal namespace when a LIST "\*" is performed
        (it changes the request to a LIST "INBOX\*").

    .. endblob foolstupidclients

    .. startblob force_sasl_client_mech

    ``force_sasl_client_mech:`` <none>

        Force preference of a given SASL mechanism for client side operations
        (e.g., murder environments).  This is separate from (and overridden by)
        the ability to use the <host shortname>_mechs option to set preferred
        mechanisms for a specific host

    .. endblob force_sasl_client_mech

    .. startblob fulldirhash

    ``fulldirhash:`` 0

        If enabled, uses an improved directory hashing scheme which hashes
        on the entire username instead of using just the first letter as
        the hash.  This changes hash algorithm used for quota and user
        directories and if *hashimapspool* is enabled, the entire mail
        spool.

        Note that this option CANNOT be changed on a live system.  The
        server must be quiesced and then the directories moved with the
        **rehash** utility.

    .. endblob fulldirhash

    .. startblob hashimapspool

    ``hashimapspool:`` 0

        If enabled, the partitions will also be hashed, in addition to the
        hashing done on configuration directories.  This is recommended if
        one partition has a very bushy mailbox tree.

    .. endblob hashimapspool

    .. startblob debug

    ``debug:`` 0

        If enabled, allow syslog() to pass LOG_DEBUG messages.


    .. endblob debug

    .. startblob hostname_mechs

    ``hostname_mechs:`` <none>

        Force a particular list of SASL mechanisms to be used when authenticating
        to the backend server hostname (where hostname is the short hostname of
        the server in question). If it is not specified it will query the server
        for available mechanisms and pick one to use. - Cyrus Murder

    .. endblob hostname_mechs

    .. startblob hostname_password

    ``hostname_password:`` <none>

        The password to use for authentication to the backend server hostname
        (where hostname is the short hostname of the server) - Cyrus Murder

    .. endblob hostname_password

    .. startblob httpallowcompress

    ``httpallowcompress:`` 1

        If enabled, the server will compress response payloads if the client
        indicates that it can accept them.  Note that the compressed data
        will appear in telemetry logs, leaving only the response headers as
        human-readable.

    .. endblob httpallowcompress

    .. startblob httpallowcors

    ``httpallowcors:`` <none>

        A wildmat pattern specifying a list of origin URIs ( scheme "://"
        host [ ":" port ] ) that are allowed to make Cross-Origin Resource
        Sharing (CORS) requests on the server.  By default, CORS requests
        are disabled.

        Note that the scheme and host should both be lowercase, the port
        should be omitted if using the default for the scheme (80 for http,
        443 for https), and there should be no trailing '/' (e.g.:
        "http://www.example.com:8080", "https://example.org").

    .. endblob httpallowcors

    .. startblob httpallowtrace

    ``httpallowtrace:`` 0

        Allow use of the TRACE method.

        Note that sensitive data might be disclosed by the response.

    .. endblob httpallowtrace

    .. startblob httpallowedurls

    ``httpallowedurls:`` <none>

        Space-separated list of relative URLs (paths) rooted at
        "httpdocroot" (see below) to be served by httpd.  If set, this
        option will limit served static content to only those paths specified
        (returning "404 Not Found" to any other client requested URLs).
        Otherwise, httpd will serve any content found in "httpdocroot".

        Note that any path specified by "rss_feedlist_template" is an
        exception to this rule.

    .. endblob httpallowedurls

    .. startblob httpcontentmd5

    ``httpcontentmd5:`` 0

        If enabled, HTTP responses will include a Content-MD5 header for
        the purpose of providing an end-to-end message integrity check
        (MIC) of the payload body.  Note that enabling this option will
        use additional CPU to generate the MD5 digest, which may be ignored
        by clients anyways.

    .. endblob httpcontentmd5

    .. startblob httpdocroot

    ``httpdocroot:`` <none>

        If set, http will serve the static content (html/text/jpeg/gif
        files, etc) rooted at this directory.  Otherwise, httpd will not
        serve any static content.

    .. endblob httpdocroot

    .. startblob httpkeepalive

    ``httpkeepalive:`` 20s

        Set the length of the HTTP server's keepalive heartbeat.  The
        default is 20 seconds.  The minimum value is 0, which will disable
        the keepalive heartbeat.  When enabled, if a request takes longer
        than *httpkeepalive* to process, the server will send the client
        provisional responses every *httpkeepalive* until the final
        response can be sent.

        For backward compatibility, if no unit is specified, seconds is
        assumed.

    .. endblob httpkeepalive

    .. startblob httpmodules

    ``httpmodules:`` <empty string>

        Space-separated list of HTTP modules that will be enabled in
        httpd(8).  This option has no effect on modules that are disabled
        at compile time due to missing dependencies (e.g. libical).

        Note that "domainkey" depends on "ischedule" being enabled, and
        that both "freebusy" and "ischedule" depend on "caldav" being
        enabled.
        Allowed values: *admin*, *caldav*, *carddav*, *cgi*, *domainkey*, *freebusy*, *ischedule*, *jmap*, *prometheus*, *rss*, *tzdist*, *webdav*


    .. endblob httpmodules

    .. startblob httpprettytelemetry

    ``httpprettytelemetry:`` 0

        If enabled, HTTP response payloads including server-generated
        markup languages (HTML, XML) will utilize line breaks and
        indentation to promote better human-readability in telemetry logs.
        Note that enabling this option will increase the amount of data
        sent across the wire.

    .. endblob httpprettytelemetry

    .. startblob httptimeout

    ``httptimeout:`` 5m

        Set the length of the HTTP server's inactivity autologout timer.
        The default is 5 minutes.  The minimum value is 0, which will
        disable persistent connections.

        For backwards compatibility, if no unit is specified, minutes
        is assumed.

    .. endblob httptimeout

    .. startblob idlesocket

    ``idlesocket:`` {configdirectory}/socket/idle

        Unix domain socket that idled listens on.


    .. endblob idlesocket

    .. startblob ignorereference

    ``ignorereference:`` 0

        For backwards compatibility with Cyrus 1.5.10 and earlier -- ignore
        the reference argument in LIST or LSUB commands.

    .. endblob ignorereference

    .. startblob imapidlepoll

    ``imapidlepoll:`` 60s

        The interval for polling for mailbox changes and ALERTs while running
        the IDLE command.  This option is used when idled is not enabled or
        cannot be contacted.  The minimum value is 1 second.  A value of 0
        will disable IDLE.

        For backward compatibility, if no unit is specified, seconds is
        assumed.

    .. endblob imapidlepoll

    .. startblob imapidresponse

    ``imapidresponse:`` 1

        If enabled, the server responds to an ID command with a parameter
        list containing: version, vendor, support-url, os, os-version,
        command, arguments, environment.  Otherwise the server returns NIL.

    .. endblob imapidresponse

    .. startblob imapmagicplus

    ``imapmagicplus:`` 0

        Only list a restricted set of mailboxes via IMAP by using
        userid+namespace syntax as the authentication/authorization id.
        Using userid+ (with an empty namespace) will list only subscribed
        mailboxes.

    .. endblob imapmagicplus

    .. startblob imipnotifier

    ``imipnotifier:`` <none>

        Notifyd(8) method to use for "IMIP" notifications which are based on
        the :rfc:`6047`.  If not set, "IMIP" notifications are disabled.

    .. endblob imipnotifier

    .. startblob implicit_owner_rights

    ``implicit_owner_rights:`` lkxan

        The implicit Access Control List (ACL) for the owner of a mailbox.


    .. endblob implicit_owner_rights

    .. startblob @include

    ``@include:`` <none>

        Directive which includes the specified file as part of the
        configuration.  If the path to the file is not absolute, CYRUS_PATH
        is prepended.

    .. endblob @include

    .. startblob improved_mboxlist_sort

    ``improved_mboxlist_sort:`` 0

        If enabled, a special comparator will be used which will correctly
        sort mailbox names that contain characters such as ' ' and '-'.

        Note that this option SHOULD NOT be changed on a live system.  The
        mailboxes database should be dumped (ctl_mboxlist) before the
        option is changed, removed, and then undumped after changing the
        option.  When not using flat files for the subscriptions databases
        the same has to be done (cyr_dbtool) for each subscription database
        See improved_mboxlist_sort.html.

    .. endblob improved_mboxlist_sort

    .. startblob jmap_emailsearch_db_path

    ``jmap_emailsearch_db_path:`` <none>

        The absolute path to the JMAP email search cache file.  If not
        specified, JMAP Email/query and Email/queryChanges will not
        cache email search results.

    .. endblob jmap_emailsearch_db_path

    .. startblob jmap_preview_annot

    ``jmap_preview_annot:`` <none>

        The name of the per-message annotation, if any, to store message
        previews.

    .. endblob jmap_preview_annot

    .. startblob jmap_imagesize_annot

    ``jmap_imagesize_annot:`` <none>

        The name of the per-message annotation, if any, that stores a
        JSON object, mapping message part numbers of MIME image types
        to an array of their image dimensions. The array must have at
        least two entries, where the first entry denotes the width
        and the second entry the height of the image. Any additional
        values are ignored.

        For example, if message part 1.2 contains an image of width 300
        and height 200, then the value of this annotation would be:

        { "1.2" : [ 300, 200 ] }


    .. endblob jmap_imagesize_annot

    .. startblob jmap_inlinedcids_annot

    ``jmap_inlinedcids_annot:`` <none>

        The name of the per-message annotation, if any, that stores a
        JSON object, mapping :rfc:`2392` Content-IDs referenced in HTML bodies
        to the respective HTML body part number.

        For example, if message part 1.2 contains HTML and references an
        inlined image at "cid:foo", then the value of this annotation
        would be:

        { "<foo>" : "1.2" }

        Note that the Content-ID key must be URL-unescaped and enclosed in
        angular brackets, as defined in :rfc:`2392`.

    .. endblob jmap_inlinedcids_annot

    .. startblob jmap_preview_length

    ``jmap_preview_length:`` 64

        The maximum byte length of dynamically generated message previews. Previews
        stored in jmap_preview_annot take precedence.

    .. endblob jmap_preview_length

    .. startblob jmap_max_size_upload

    ``jmap_max_size_upload:`` 1048576

        The maximum size (in kilobytes) that the JMAP API accepts
        for blob uploads. Returned as the maxSizeUpload property
        value of the JMAP \"urn:ietf:params:jmap:core\" capabilities object.
        Default is 1Gb.

    .. endblob jmap_max_size_upload

    .. startblob jmap_max_concurrent_upload

    ``jmap_max_concurrent_upload:`` 5

        The value to return for the maxConcurrentUpload property of
        the JMAP \"urn:ietf:params:jmap:core\" capabilities object. The Cyrus JMAP
        implementation does not enforce this rate-limit.

    .. endblob jmap_max_concurrent_upload

    .. startblob jmap_max_size_request

    ``jmap_max_size_request:`` 10240

        The maximum size (in kilobytes) that the JMAP API accepts
        for requests at the API endpoint. Returned as the
        maxSizeRequest property value of the JMAP \"urn:ietf:params:jmap:core\"
        capabilities object. Default is 10Mb.

    .. endblob jmap_max_size_request

    .. startblob jmap_max_concurrent_requests

    ``jmap_max_concurrent_requests:`` 5

        The value to return for the maxConcurrentRequests property of
        the JMAP \"urn:ietf:params:jmap:core\" capabilities object. The Cyrus JMAP
        implementation does not enforce this rate-limit.

    .. endblob jmap_max_concurrent_requests

    .. startblob jmap_max_calls_in_request

    ``jmap_max_calls_in_request:`` 50

        The maximum number of calls per JMAP request object.
        Returned as the maxCallsInRequest property value of the
        JMAP \"urn:ietf:params:jmap:core\" capabilities object.

    .. endblob jmap_max_calls_in_request

    .. startblob jmap_max_delayed_send

    ``jmap_max_delayed_send:`` 512d

        The value to return for the maxDelayedSend property of
        the JMAP \"urn:ietf:params:jmap:emailsubmission\" capabilities object.
        The Cyrus JMAP implementation does not enforce this limit.

        For backward compatibility, if no unit is specified, seconds is
        assumed.

    .. endblob jmap_max_delayed_send

    .. startblob jmap_max_objects_in_get

    ``jmap_max_objects_in_get:`` 4096

        The maximum number of ids that a JMAP client may request in
        a single \"/get\" type method call. The actual number
        of returned objects in the response may exceed this number
        if the JMAP object type supports unbounded \"/get\" calls.
        Returned as the maxObjectsInGet property value of the
        JMAP \"urn:ietf:params:jmap:core\" capabilities object.

    .. endblob jmap_max_objects_in_get

    .. startblob jmap_max_objects_in_set

    ``jmap_max_objects_in_set:`` 4096

        The maximum number of objects a JMAP client may send to create,
        update or destroy in a single /set type method call.
        Returned as the maxObjectsInSet property value of the
        JMAP \"urn:ietf:params:jmap:core\" capabilities object.

    .. endblob jmap_max_objects_in_set

    .. startblob jmap_mail_max_size_attachments_per_email

    ``jmap_mail_max_size_attachments_per_email:`` 10240

        The value (in kilobytes) to return for the maxSizeAttachmentsPerEmail
        property of the JMAP \"urn:ietf:params:jmap:mail\" capabilities object. The Cyrus
        JMAP implementation does not enforce this size limit. Default is 10 Mb.

    .. endblob jmap_mail_max_size_attachments_per_email

    .. startblob jmap_nonstandard_extensions

    ``jmap_nonstandard_extensions:`` 0

        If enabled, support non-standard JMAP extensions.  If not enabled,
        only IETF standard JMAP functionality is supported.

    .. endblob jmap_nonstandard_extensions

    .. startblob jmap_set_has_attachment

    ``jmap_set_has_attachment:`` 1

        If enabled, the $hasAttachment flag is determined and set for new messages
        created with the JMAP Email/set or Email/import methods. This option should
        typically be enabled, but installations using Cyrus-external message
        annatotors to determine the $hasAttachment flag might want to disable it.

    .. endblob jmap_set_has_attachment

    .. startblob jmap_vacation

    ``jmap_vacation:`` 1

        If enabled, support the JMAP vacation extension


    .. endblob jmap_vacation

    .. startblob jmapuploadfolder

    ``jmapuploadfolder:`` #jmap

        the name of the folder for JMAP uploads (#jmap)


    .. endblob jmapuploadfolder

    .. startblob jmapsubmission_deleteonsend

    ``jmapsubmission_deleteonsend:`` 1

        If enabled (the default) then delete the EmailSubmission as soon as the email
        \* has been sent

    .. endblob jmapsubmission_deleteonsend

    .. startblob jmapsubmissionfolder

    ``jmapsubmissionfolder:`` #jmapsubmission

        the name of the folder for JMAP Submissions (#jmapsubmission)


    .. endblob jmapsubmissionfolder

    .. startblob jmappushsubscriptionfolder

    ``jmappushsubscriptionfolder:`` #jmappushsubscription

        the name of the folder for JMAP Push Subscriptions (#jmappushsubscription)


    .. endblob jmappushsubscriptionfolder

    .. startblob iolog

    ``iolog:`` 0

        Should cyrus output I/O log entries


    .. endblob iolog

    .. startblob ldap_authz

    ``ldap_authz:`` <none>

        SASL authorization ID for the LDAP server


    .. endblob ldap_authz

    .. startblob ldap_base

    ``ldap_base:`` <empty string>

        Contains the LDAP base dn for the LDAP ptloader module


    .. endblob ldap_base

    .. startblob ldap_bind_dn

    ``ldap_bind_dn:`` <none>

        Bind DN for the connection to the LDAP server (simple bind).
        Do not use for anonymous simple binds

    .. endblob ldap_bind_dn

    .. startblob ldap_deref

    ``ldap_deref:`` never

        Specify how aliases dereferencing is handled during search.

        Allowed values: *search*, *find*, *always*, *never*


    .. endblob ldap_deref

    .. startblob ldap_domain_base_dn

    ``ldap_domain_base_dn:`` <empty string>

        Base DN to search for domain name spaces.


    .. endblob ldap_domain_base_dn

    .. startblob ldap_domain_filter

    ``ldap_domain_filter:`` (&(objectclass=domainrelatedobject)(associateddomain=%s))

        Filter to use searching for domains


    .. endblob ldap_domain_filter

    .. startblob ldap_domain_name_attribute

    ``ldap_domain_name_attribute:`` associateddomain

        The attribute name for domains.


    .. endblob ldap_domain_name_attribute

    .. startblob ldap_domain_scope

    ``ldap_domain_scope:`` sub

        Search scope

        Allowed values: *sub*, *one*, *base*


    .. endblob ldap_domain_scope

    .. startblob ldap_domain_result_attribute

    ``ldap_domain_result_attribute:`` inetdomainbasedn

        Result attribute


    .. endblob ldap_domain_result_attribute

    .. startblob ldap_filter

    ``ldap_filter:`` (uid=%u)

        Specify a filter that searches user identifiers.  The following tokens can be
        used in the filter string:

        %%   = %
        %u   = user
        %U   = user portion of %u (%U = test when %u = test@domain.tld)
        %d   = domain portion of %u if available (%d = domain.tld when %u =
        test@domain.tld), otherwise same as %R
        %R   = domain portion of %u starting with @ (%R = @domain.tld
        when %u = test@domain.tld)
        %D   = user dn.  (use when ldap_member_method: filter)
        %1-9 = domain tokens (%1 = tld, %2 = domain when %d = domain.tld)

        ldap_filter is not used when ldap_sasl is enabled.

    .. endblob ldap_filter

    .. startblob ldap_group_base

    ``ldap_group_base:`` <empty string>

        LDAP base dn for ldap_group_filter.


    .. endblob ldap_group_base

    .. startblob ldap_group_filter

    ``ldap_group_filter:`` (cn=%u)

        Specify a filter that searches for group identifiers.
        See ldap_filter for more options.

    .. endblob ldap_group_filter

    .. startblob ldap_group_scope

    ``ldap_group_scope:`` sub

        Specify search scope for ldap_group_filter.

        Allowed values: *sub*, *one*, *base*


    .. endblob ldap_group_scope

    .. startblob ldap_id

    ``ldap_id:`` <none>

        SASL authentication ID for the LDAP server


    .. endblob ldap_id

    .. startblob ldap_mech

    ``ldap_mech:`` <none>

        SASL mechanism for LDAP authentication


    .. endblob ldap_mech

    .. startblob ldap_user_attribute

    ``ldap_user_attribute:`` <none>

        Specify LDAP attribute to use as canonical user id


    .. endblob ldap_user_attribute

    .. startblob ldap_member_attribute

    ``ldap_member_attribute:`` <none>

        See ldap_member_method.


    .. endblob ldap_member_attribute

    .. startblob ldap_member_base

    ``ldap_member_base:`` <empty string>

        LDAP base dn for ldap_member_filter.


    .. endblob ldap_member_base

    .. startblob ldap_member_filter

    ``ldap_member_filter:`` (member=%D)

        Specify a filter for "ldap_member_method: filter".
        See ldap_filter for more options.

    .. endblob ldap_member_filter

    .. startblob ldap_member_method

    ``ldap_member_method:`` attribute

        Specify a group method.  The "attribute" method retrieves groups from
        a multi-valued attribute specified in ldap_member_attribute.

        The "filter" method uses a filter, specified by ldap_member_filter, to find
        groups; ldap_member_attribute is a single-value attribute group name.
        Allowed values: *attribute*, *filter*


    .. endblob ldap_member_method

    .. startblob ldap_member_scope

    ``ldap_member_scope:`` sub

        Specify search scope for ldap_member_filter.

        Allowed values: *sub*, *one*, *base*


    .. endblob ldap_member_scope

    .. startblob ldap_password

    ``ldap_password:`` <none>

        Password for the connection to the LDAP server (SASL and simple bind).
        Do not use for anonymous simple binds

    .. endblob ldap_password

    .. startblob ldap_realm

    ``ldap_realm:`` <none>

        SASL realm for LDAP authentication


    .. endblob ldap_realm

    .. startblob ldap_referrals

    ``ldap_referrals:`` 0

        Specify whether or not the client should follow referrals.


    .. endblob ldap_referrals

    .. startblob ldap_restart

    ``ldap_restart:`` 1

        Specify whether or not LDAP I/O operations are automatically restarted
        if they abort prematurely.

    .. endblob ldap_restart

    .. startblob ldap_sasl

    ``ldap_sasl:`` 1

        Use SASL for LDAP binds in the LDAP PTS module.


    .. endblob ldap_sasl

    .. startblob ldap_sasl_authc

    ``ldap_sasl_authc:`` <none>

        Deprecated.  Use ldap_id


    .. endblob ldap_sasl_authc

    .. startblob ldap_sasl_authz

    ``ldap_sasl_authz:`` <none>

        Deprecated.  Use ldap_authz


    .. endblob ldap_sasl_authz

    .. startblob ldap_sasl_mech

    ``ldap_sasl_mech:`` <none>

        Deprecated.  Use ldap_mech


    .. endblob ldap_sasl_mech

    .. startblob ldap_sasl_password

    ``ldap_sasl_password:`` <none>

        Deprecated.  User ldap_password


    .. endblob ldap_sasl_password

    .. startblob ldap_sasl_realm

    ``ldap_sasl_realm:`` <none>

        Deprecated.  Use ldap_realm


    .. endblob ldap_sasl_realm

    .. startblob ldap_scope

    ``ldap_scope:`` sub

        Specify search scope.

        Allowed values: *sub*, *one*, *base*


    .. endblob ldap_scope

    .. startblob ldap_servers

    ``ldap_servers:`` ldap://localhost/

        Deprecated.  Use ldap_uri


    .. endblob ldap_servers

    .. startblob ldap_size_limit

    ``ldap_size_limit:`` 1

        Specify a number of entries for a search request to return.


    .. endblob ldap_size_limit

    .. startblob ldap_start_tls

    ``ldap_start_tls:`` 0

        Use transport layer security for ldap:// using STARTTLS. Do not use
        ldaps:// in 'ldap_uri' with this option enabled.

    .. endblob ldap_start_tls

    .. startblob ldap_time_limit

    ``ldap_time_limit:`` 5s

        How long to wait for a search request to complete.

        For backward compatibility, if no unit is specified, seconds is
        assumed.

    .. endblob ldap_time_limit

    .. startblob ldap_timeout

    ``ldap_timeout:`` 5s

        How long a search can take before timing out.

        For backward compatibility, if no unit is specified, seconds is
        assumed.

    .. endblob ldap_timeout

    .. startblob ldap_ca_dir

    ``ldap_ca_dir:`` <none>

        Path to a directory with CA (Certificate Authority) certificates.


    .. endblob ldap_ca_dir

    .. startblob ldap_ca_file

    ``ldap_ca_file:`` <none>

        Path to a file containing CA (Certificate Authority) certificate(s).


    .. endblob ldap_ca_file

    .. startblob ldap_ciphers

    ``ldap_ciphers:`` <none>

        List of SSL/TLS ciphers to allow.  The format of the string is
        described in ciphers(1).

    .. endblob ldap_ciphers

    .. startblob ldap_client_cert

    ``ldap_client_cert:`` <none>

        File containing the client certificate.


    .. endblob ldap_client_cert

    .. startblob ldap_client_key

    ``ldap_client_key:`` <none>

        File containing the private client key.


    .. endblob ldap_client_key

    .. startblob ldap_verify_peer

    ``ldap_verify_peer:`` 0

        Require and verify server certificate.  If this option is yes,
        you must specify ldap_ca_file or ldap_ca_dir.

    .. endblob ldap_verify_peer

    .. startblob ldap_tls_cacert_dir

    ``ldap_tls_cacert_dir:`` <none>

        Deprecated in favor of *ldap_ca_dir*.


    .. endblob ldap_tls_cacert_dir

    .. startblob ldap_tls_cacert_file

    ``ldap_tls_cacert_file:`` <none>

        Deprecated in favor of *ldap_ca_file*.


    .. endblob ldap_tls_cacert_file

    .. startblob ldap_tls_cert

    ``ldap_tls_cert:`` <none>

        Deprecated in favor of *ldap_client_cert*.


    .. endblob ldap_tls_cert

    .. startblob ldap_tls_key

    ``ldap_tls_key:`` <none>

        Deprecated in favor of *ldap_client_key*.


    .. endblob ldap_tls_key

    .. startblob ldap_tls_check_peer

    ``ldap_tls_check_peer:`` 0

        Deprecated in favor of *ldap_verify_peer*.


    .. endblob ldap_tls_check_peer

    .. startblob ldap_tls_ciphers

    ``ldap_tls_ciphers:`` <none>

        Deprecated in favor of *ldap_ciphers*.


    .. endblob ldap_tls_ciphers

    .. startblob ldap_uri

    ``ldap_uri:`` <none>

        Contains a list of the URLs of all the LDAP servers when using the
        LDAP PTS module.

    .. endblob ldap_uri

    .. startblob ldap_version

    ``ldap_version:`` 3

        Specify the LDAP protocol version.  If ldap_start_tls and/or
        ldap_use_sasl are enabled, ldap_version will be automatically
        set to 3.

    .. endblob ldap_version

    .. startblob literalminus

    ``literalminus:`` 0

        if enabled, CAPABILITIES will reply with LITERAL- rather than
        LITERAL+ (:rfc:`7888`).  Doesn't actually size-restrict uploads though

    .. endblob literalminus

    .. startblob lmtp_downcase_rcpt

    ``lmtp_downcase_rcpt:`` 1

        If enabled, lmtpd will convert the recipient addresses to lowercase
        (up to a '+' character, if present).

    .. endblob lmtp_downcase_rcpt

    .. startblob lmtp_exclude_specialuse

    ``lmtp_exclude_specialuse:`` \\Snoozed

        Don't allow delivery to folders with given special-use attributes.

        Note that "snoozing" of emails can currently only be done via the
        JMAP protocol, so delivery directly to the \Snoozed mailbox is
        prohibited by default as it will not be moved back into INBOX
        automatically.

    .. endblob lmtp_exclude_specialuse

    .. startblob lmtp_fuzzy_mailbox_match

    ``lmtp_fuzzy_mailbox_match:`` 0

        If enabled, and the mailbox specified in the detail part of the
        recipient (everything after the '+') does not exist, lmtpd will try
        to find the closest match (ignoring case, ignoring whitespace,
        falling back to parent) to the specified mailbox name.

    .. endblob lmtp_fuzzy_mailbox_match

    .. startblob lmtp_over_quota_perm_failure

    ``lmtp_over_quota_perm_failure:`` 0

        If enabled, lmtpd returns a permanent failure code when a user's
        mailbox is over quota.  By default, the failure is temporary,
        causing the MTA to queue the message and retry later.

    .. endblob lmtp_over_quota_perm_failure

    .. startblob lmtp_strict_quota

    ``lmtp_strict_quota:`` 0

        If enabled, lmtpd returns a failure code when the incoming message
        will cause the user's mailbox to exceed its quota.  By default, the
        failure won't occur until the mailbox is already over quota.

    .. endblob lmtp_strict_quota

    .. startblob lmtp_strict_rfc2821

    ``lmtp_strict_rfc2821:`` 1

        By default, lmtpd will be strict (per :rfc:`2821`) with regards to which
        envelope addresses are allowed.  If this option is set to false, 8bit
        characters in the local-part of envelope addresses are changed to 'X'
        instead.  This is useful to avoid generating backscatter with
        certain MTAs like Postfix or Exim which accept such messages.

    .. endblob lmtp_strict_rfc2821

    .. startblob lmtpsocket

    ``lmtpsocket:`` {configdirectory}/socket/lmtp

        Unix domain socket that lmtpd listens on, used by deliver(8). This should
        match the path specified in cyrus.conf(5).

    .. endblob lmtpsocket

    .. startblob lmtptxn_timeout

    ``lmtptxn_timeout:`` 5m

        Timeout used during a lmtp transaction to a remote backend (e.g. in a
        murder environment).  Can be used to prevent hung lmtpds on proxy hosts
        when a backend server becomes unresponsive during a lmtp transaction.
        The default is 5 minutes - change to zero for infinite.

        For backward compatibility, if no unit is specified, seconds is
        assumed.

    .. endblob lmtptxn_timeout

    .. startblob lock_debugtime

    ``lock_debugtime:`` <none>

        A floating point number of seconds.  If set, time how long we wait for
        any lock, and syslog the filename and time if it's longer than this
        value.  The default of NULL means not to time locks.

    .. endblob lock_debugtime

    .. startblob loginrealms

    ``loginrealms:`` <empty string>

        The list of remote realms whose users may authenticate using cross-realm
        authentication identifiers.  Separate each realm name by a space.  (A
        cross-realm identity is considered any identity returned by SASL
        with an "@" in it.).

    .. endblob loginrealms

    .. startblob loginuseacl

    ``loginuseacl:`` 0

        If enabled, any authentication identity which has **a** rights on a
        user's INBOX may log in as that user.

    .. endblob loginuseacl

    .. startblob logtimestamps

    ``logtimestamps:`` 0

        Include notations in the protocol telemetry logs indicating the number of
        seconds since the last command or response.

    .. endblob logtimestamps

    .. startblob mailbox_default_options

    ``mailbox_default_options:`` 0

        Default "options" field for the mailbox on create.  You'll want to know
        what you're doing before setting this, but it can apply some default
        annotations like duplicate suppression

    .. endblob mailbox_default_options

    .. startblob mailbox_initial_flags

    ``mailbox_initial_flags:`` <none>

        space-separated list of permanent flags which will be pre-set in every
        newly created mailbox.  If you know you will require particular
        flag names then this avoids a possible race condition against a client
        that fills the entire 128 available slots.  Default is NULL, which is
        no flags.  Example: $Label1 $Label2 $Label3 NotSpam Spam

    .. endblob mailbox_initial_flags

    .. startblob mailnotifier

    ``mailnotifier:`` <none>

        Notifyd(8) method to use for "MAIL" notifications.  If not set, "MAIL"
        notifications are disabled.

    .. endblob mailnotifier

    .. startblob master_bind_errors_fatal

    ``master_bind_errors_fatal:`` 0

        If enabled, failure to bind a port during startup is treated as a fatal
        error, causing master to shut down immediately.  The default is to keep
        running, with the affected service disabled until the next SIGHUP causes
        it to retry.

        Note that this only applies during startup.  New services that fail to
        come up in response to a reconfig+SIGHUP will just be logged and disabled
        like the default behaviour, without causing master to exit.

    .. endblob master_bind_errors_fatal

    .. startblob maxheaderlines

    ``maxheaderlines:`` 1000

        Maximum number of lines of header that will be processed into cache
        records.  Default 1000.  If set to zero, it is unlimited.
        If a message hits the limit, an error will be logged and the rest of
        the lines in the header will be skipped.  This is to avoid malformed
        messages causing giant cache records

    .. endblob maxheaderlines

    .. startblob maxlogins_per_host

    ``maxlogins_per_host:`` 0

        Maximum number of logged in sessions allowed per host,
        zero means no limit

    .. endblob maxlogins_per_host

    .. startblob maxlogins_per_user

    ``maxlogins_per_user:`` 0

        Maximum number of logged in sessions allowed per user,
        zero means no limit

    .. endblob maxlogins_per_user

    .. startblob maxmessagesize

    ``maxmessagesize:`` 0

        Maximum incoming LMTP message size.  If non-zero, lmtpd will reject
        messages larger than *maxmessagesize* bytes.  If set to 0, this
        will allow messages of any size (the default).

    .. endblob maxmessagesize

    .. startblob maxquoted

    ``maxquoted:`` 131072

        Maximum size of a single quoted string for the parser.  Default 128k


    .. endblob maxquoted

    .. startblob maxword

    ``maxword:`` 131072

        Maximum size of a single word for the parser.  Default 128k


    .. endblob maxword

    .. startblob mboxkey_db

    ``mboxkey_db:`` twoskip

        The cyrusdb backend to use for mailbox keys.

        Allowed values: *skiplist*, *twoskip*, *zeroskip*


    .. endblob mboxkey_db

    .. startblob mboxlist_db

    ``mboxlist_db:`` twoskip

        The cyrusdb backend to use for the mailbox list.

        Allowed values: *flat*, *skiplist*, *sql*, *twoskip*, *zeroskip*


    .. endblob mboxlist_db

    .. startblob mboxlist_db_path

    ``mboxlist_db_path:`` <none>

        The absolute path to the mailboxes db file.  If not specified
        will be configdirectory/mailboxes.db

    .. endblob mboxlist_db_path

    .. startblob mboxname_lockpath

    ``mboxname_lockpath:`` <none>

        Path to mailbox name lock files (default $conf/lock)


    .. endblob mboxname_lockpath

    .. startblob metapartition_files

    ``metapartition_files:`` <empty string>

        Space-separated list of metadata files to be stored on a
        *metapartition* rather than in the mailbox directory on a spool
        partition.
        Allowed values: *header*, *index*, *cache*, *expunge*, *squat*, *annotations*, *lock*, *dav*, *archivecache*


    .. endblob metapartition_files

    .. startblob metapartition-name

    ``metapartition-name:`` <none>

        The pathname of the metadata partition *name*, corresponding to
        spool partition **partition-name**.  For any mailbox residing in
        a directory on **partition-name**, the metadata files listed in
        *metapartition_files* will be stored in a corresponding directory on
        **metapartition-name**.   Note that not every
        **partition-name** option is required to have a corresponding
        **metapartition-name** option, so that you can selectively choose
        which spool partitions will have separate metadata partitions.

    .. endblob metapartition-name

    .. startblob mupdate_authname

    ``mupdate_authname:`` <none>

        The SASL username (Authentication Name) to use when authenticating to the
        mupdate server (if needed).

    .. endblob mupdate_authname

    .. startblob mupdate_config

    ``mupdate_config:`` standard

        The configuration of the mupdate servers in the Cyrus Murder.
        The "standard" config is one in which there are discreet frontend
        (proxy) and backend servers.  The "unified" config is one in which
        a server can be both a frontend and backend.  The "replicated"
        config is one in which multiple backend servers all share the same
        mailspool, but each have their own "replicated" copy of
        mailboxes.db.
        Allowed values: *standard*, *unified*, *replicated*


    .. endblob mupdate_config

    .. startblob munge8bit

    ``munge8bit:`` 1

        If enabled, lmtpd munges messages with 8-bit characters in the
        headers.  The 8-bit characters are changed to \`X'.  If
        **reject8bit** is enabled, setting **munge8bit** has no effect.
        (A proper solution to non-ASCII characters in headers is offered by
        :rfc:`2047` and its predecessors.)

    .. endblob munge8bit

    .. startblob mupdate_connections_max

    ``mupdate_connections_max:`` 128

        The max number of connections that a mupdate process will allow, this
        is related to the number of file descriptors in the mupdate process.
        Beyond this number connections will be immediately issued a BYE response.

    .. endblob mupdate_connections_max

    .. startblob mupdate_password

    ``mupdate_password:`` <none>

        The SASL password (if needed) to use when authenticating to the
        mupdate server.

    .. endblob mupdate_password

    .. startblob mupdate_port

    ``mupdate_port:`` 3905

        The port of the mupdate server for the Cyrus Murder


    .. endblob mupdate_port

    .. startblob mupdate_realm

    ``mupdate_realm:`` <none>

        The SASL realm (if needed) to use when authenticating to the mupdate
        server.

    .. endblob mupdate_realm

    .. startblob mupdate_retry_delay

    ``mupdate_retry_delay:`` 20

        The base time to wait between connection retries to the mupdate server.


    .. endblob mupdate_retry_delay

    .. startblob mupdate_server

    ``mupdate_server:`` <none>

        The mupdate server for the Cyrus Murder


    .. endblob mupdate_server

    .. startblob mupdate_username

    ``mupdate_username:`` <empty string>

        The SASL username (Authorization Name) to use when authenticating to
        the mupdate server

    .. endblob mupdate_username

    .. startblob mupdate_workers_max

    ``mupdate_workers_max:`` 50

        The maximum number of mupdate worker threads (overall)


    .. endblob mupdate_workers_max

    .. startblob mupdate_workers_maxspare

    ``mupdate_workers_maxspare:`` 10

        The maximum number of idle mupdate worker threads


    .. endblob mupdate_workers_maxspare

    .. startblob mupdate_workers_minspare

    ``mupdate_workers_minspare:`` 2

        The minimum number of idle mupdate worker threads


    .. endblob mupdate_workers_minspare

    .. startblob mupdate_workers_start

    ``mupdate_workers_start:`` 5

        The number of mupdate worker threads to start


    .. endblob mupdate_workers_start

    .. startblob netscapeurl

    ``netscapeurl:`` <none>

        If enabled at compile time, this specifies a URL to reply when
        Netscape asks the server where the mail administration HTTP server
        is.  Administrators should set this to a local resource.

    .. endblob netscapeurl

    .. startblob newsaddheaders

    ``newsaddheaders:`` to

        Space-separated list of headers to be added to incoming usenet
        articles.  Added *To:* headers will contain email
        delivery addresses corresponding to each newsgroup in the
        *Newsgroups:* header.  Added *Reply-To:* headers will
        contain email delivery addresses corresponding to each newsgroup in
        the *Followup-To:* or *Newsgroups:* header.  If the
        specified header(s) already exist in an article, the email
        delivery addresses will be appended to the original header body(s).


        This option applies if and only if the **newspostuser** option is
        set.
        Allowed values: *to*, *replyto*


    .. endblob newsaddheaders

    .. startblob newsgroups

    ``newsgroups:`` \*

        A wildmat pattern specifying which mailbox hierarchies should be
        treated as newsgroups.  Only mailboxes matching the wildmat will
        accept and/or serve articles via NNTP.  If not set, a default
        wildmat of "\*" (ALL shared mailboxes) will be used.  If the
        *newsprefix* option is also set, the default wildmat will be
        translated to "<newsprefix>.\*"

    .. endblob newsgroups

    .. startblob newsmaster

    ``newsmaster:`` news

        Userid that is used for checking access controls when executing
        Usenet control messages.  For instance, to allow articles to be
        automatically deleted by cancel messages, give the "news" user
        the 'd' right on the desired mailboxes.  To allow newsgroups to be
        automatically created, deleted and renamed by the corresponding
        control messages, give the "news" user the 'c' right on the desired
        mailbox hierarchies.

    .. endblob newsmaster

    .. startblob newspeer

    ``newspeer:`` <none>

        A list of whitespace-separated news server specifications to which
        articles should be fed.  Each server specification is a string of
        the form [user[:pass]@]host[:port][/wildmat] where 'host' is the fully
        qualified hostname of the server, 'port' is the port on which the
        server is listening, 'user' and 'pass' are the authentication
        credentials and 'wildmat' is a pattern that specifies which groups
        should be fed.  If no 'port' is specified, port 119 is used.  If
        no 'wildmat' is specified, all groups are fed.  If 'user' is specified
        (even if empty), then the NNTP POST command will be used to feed
        the article to the server, otherwise the IHAVE command will be
        used.


        A '@' may be used in place of '!' in the wildmat to prevent feeding
        articles cross-posted to the given group, otherwise cross-posted
        articles are fed if any part of the wildmat matches.  For example,
        the string "peer.example.com:\*,!control.\*,@local.\*" would feed all
        groups except control messages and local groups to
        peer.example.com.  In the case of cross-posting to local groups,
        these articles would not be fed.

    .. endblob newspeer

    .. startblob newspostuser

    ``newspostuser:`` <none>

        Userid used to deliver usenet articles to newsgroup folders
        (usually via lmtp2nntp).  For example, if set to "post", email sent
        to "post+comp.mail.imap" would be delivered to the "comp.mail.imap"
        folder.


        When set, the Cyrus NNTP server will add the header(s) specified in
        the **newsaddheaders** option to each incoming usenet article.
        The added header(s) will contain email delivery addresses
        corresponding to each relevant newsgroup.  If not set, no headers
        are added to usenet articles.

    .. endblob newspostuser

    .. startblob newsprefix

    ``newsprefix:`` <none>

        Prefix to be prepended to newsgroup names to make the corresponding
        IMAP mailbox names.

    .. endblob newsprefix

    .. startblob newsrc_db_path

    ``newsrc_db_path:`` <none>

        The absolute path to the newsrc db file.  If not specified,
        will be configdirectory/fetchnews.db

    .. endblob newsrc_db_path

    .. startblob nntptimeout

    ``nntptimeout:`` 3m

        Set the length of the NNTP server's inactivity autologout timer.
        The minimum value is 3 minutes, also the default.

        For backward compatibility, if no unit is specified, minutes is
        assumed.

    .. endblob nntptimeout

    .. startblob notesmailbox

    ``notesmailbox:`` <none>

        The top level mailbox in each user's account which is used to store
        \* Apple-style Notes.  Default is blank (disabled)

    .. endblob notesmailbox

    .. startblob notifysocket

    ``notifysocket:`` {configdirectory}/socket/notify

        Unix domain socket that the mail notification daemon listens on.


    .. endblob notifysocket

    .. startblob notify_external

    ``notify_external:`` <none>

        Path to the external program that notifyd(8) will call to send mail
        notifications.

        The external program will be called with the following
        command line options:

            .. option:: -c    class

            .. option:: -p    priority

            .. option:: -u    user

            .. option:: -m    mailbox

            And the notification message will be available on *stdin*.


    .. endblob notify_external

    .. startblob partition-name

    ``partition-name:`` <none>

        The pathname of the partition *name*.  At least one partition
        pathname MUST be specified.  If the **defaultpartition** option is
        used, then its pathname MUST be specified.  For example, if the
        value of the **defaultpartion** option is **part1**, then the
        **partition-part1** field is required.

    .. endblob partition-name

    .. startblob partition_select_mode

    ``partition_select_mode:`` freespace-most

        Partition selection mode.

        *random*
            (pseudo-)random selection

        *freespace-most*
            partition with the most free space (KiB)

        *freespace-percent-most*
            partition with the most free space (%)

        *freespace-percent-weighted*
            each partition is weighted according to its free space (%); the more free space
            the partition has, the more chances it has to be selected

        *freespace-percent-weighted-delta*
            each partition is weighted according to its difference of free space (%)
            compared to the most used partition; the more the partition is lagging behind
            the most used partition, the more chances it has to be selected

            Note that actually even the most used partition has a few chances to be
            selected, and those chances increase when other partitions get closer

            Allowed values: *random*, *freespace-most*, *freespace-percent-most*, *freespace-percent-weighted*, *freespace-percent-weighted-delta*


    .. endblob partition_select_mode

    .. startblob partition_select_exclude

    ``partition_select_exclude:`` <none>

        List of partitions to exclude from selection mode.


    .. endblob partition_select_exclude

    .. startblob partition_select_usage_reinit

    ``partition_select_usage_reinit:`` 0

        For a given session, number of **operations** (e.g. partition selection)
        for which partitions usage data are cached.

    .. endblob partition_select_usage_reinit

    .. startblob partition_select_soft_usage_limit

    ``partition_select_soft_usage_limit:`` 0

        Limit of partition usage (%): if a partition is over that limit, it is
        automatically excluded from selection mode.

        If all partitions are over that limit, this feature is not used anymore.


    .. endblob partition_select_soft_usage_limit

    .. startblob plaintextloginpause

    ``plaintextloginpause:`` <none>

        Time to pause after a successful plaintext login.  For systems that
        support strong authentication, this permits users to perceive a cost
        of using plaintext passwords.  (This does not affect the use of PLAIN
        in SASL authentications.)

        For backward compatibility, if no unit is specified, seconds is
        assumed.

    .. endblob plaintextloginpause

    .. startblob plaintextloginalert

    ``plaintextloginalert:`` <none>

        Message to send to client after a successful plaintext login.


    .. endblob plaintextloginalert

    .. startblob popexpiretime

    ``popexpiretime:`` -1

        The duration advertised as being the minimum a message may be
        left on the POP server before it is deleted (via the CAPA command,
        defined in the POP3 Extension Mechanism, which some clients may
        support).  This duration has a granularity of whole days, with partial
        days truncated (so e.g. "45m" is effectively "0d").  "NEVER", the
        default, may be specified with a negative number.

        The Cyrus POP3 server never deletes mail, no matter what the value of
        this parameter is.  However, if a site implements a less liberal policy,
        it needs to change this parameter accordingly.

        For backward compatibility, if no unit is specified, days is
        assumed.

    .. endblob popexpiretime

    .. startblob popminpoll

    ``popminpoll:`` <none>

        Set the minimum amount of time the server forces users to wait
        between successive POP logins.

        For backward compatibility, if no unit is specified, minutes is
        assumed.

    .. endblob popminpoll

    .. startblob popsubfolders

    ``popsubfolders:`` 0

        Allow access to subfolders of INBOX via POP3 by using
        userid+subfolder syntax as the authentication/authorization id.

    .. endblob popsubfolders

    .. startblob poppollpadding

    ``poppollpadding:`` 1

        Create a softer minimum poll restriction.  Allows *poppollpadding*
        connections before the minpoll restriction is triggered.  Additionally,
        one padding entry is recovered every *popminpoll* minutes.
        This allows for the occasional polling rate faster than popminpoll,
        (i.e., for clients that require a send/receive to send mail) but still
        enforces the rate long-term.  Default is 1 (disabled).


        The easiest way to think of it is a queue of past connections, with one
        slot being filled for every connection, and one slot being cleared
        every *popminpoll* minutes. When the queue is full, the user
        will not be able to check mail again until a slot is cleared.  If the
        user waits a sufficient amount of time, they will get back many or all
        of the slots.

    .. endblob poppollpadding

    .. startblob poptimeout

    ``poptimeout:`` 10m

        Set the length of the POP server's inactivity autologout timer.
        The minimum value is 10 minutes, the default.

        For backward compatibility, if no unit is specified, minutes is
        assumed.

    .. endblob poptimeout

    .. startblob popuseacl

    ``popuseacl:`` 0

        Enforce IMAP ACLs in the pop server.  Due to the nature of the POP3
        protocol, the only rights which are used by the pop server are 'r',
        't', and 's' for the owner of the mailbox.  The 'r' right allows the
        user to open the mailbox and list/retrieve messages.  The 't' right
        allows the user to delete messages.  The 's' right allows messages
        retrieved by the user to have the \\Seen flag set (only if
        *popuseimapflags* is also enabled).

    .. endblob popuseacl

    .. startblob popuseimapflags

    ``popuseimapflags:`` 0

        If enabled, the pop server will set and obey IMAP flags.  Messages
        having the \\Deleted flag are ignored as if they do not exist.
        Messages that are retrieved by the client will have the \\Seen flag
        set.  All messages will have the \\Recent flag unset.

    .. endblob popuseimapflags

    .. startblob postmaster

    ``postmaster:`` postmaster

        Username that is used as the 'From' address in rejection MDNs produced
        by sieve.

    .. endblob postmaster

    .. startblob postuser

    ``postuser:`` <empty string>

        Userid used to deliver messages to shared folders.  For example, if
        set to "bb", email sent to "bb+shared.blah" would be delivered to
        the "shared.blah" folder.  By default, an email address of
        "+shared.blah" would be used.

    .. endblob postuser

    .. startblob proc_path

    ``proc_path:`` <none>

        Path to proc directory.  Default is NULL - must be an absolute path
        if specified.  If not specified, the path $configdirectory/proc/ will be
        used.

    .. endblob proc_path

    .. startblob prometheus_enabled

    ``prometheus_enabled:`` 0

        Whether tracking of service metrics for Prometheus is enabled.


    .. endblob prometheus_enabled

    .. startblob prometheus_need_auth

    ``prometheus_need_auth:`` admin

        Authentication level required to fetch Prometheus metrics.

        Allowed values: *none*, *user*, *admin*


    .. endblob prometheus_need_auth

    .. startblob prometheus_update_freq

    ``prometheus_update_freq:`` 10s

        Frequency in at which promstatsd should re-collate its statistics
        report.  The minimum value is 1 second, the default is 10 seconds.

        For backward compatibility, if no unit is specified, seconds is
        assumed.

    .. endblob prometheus_update_freq

    .. startblob prometheus_stats_dir

    ``prometheus_stats_dir:`` <none>

        Directory to use for gathering prometheus statistics.  If specified,
        must be an absolute path.  If not specified, the default path
        $configdirectory/stats/ will be used.  It may be advantageous to locate this
        directory on ephemeral storage.

    .. endblob prometheus_stats_dir

    .. startblob proxy_authname

    ``proxy_authname:`` proxy

        The authentication name to use when authenticating to a backend server
        in the Cyrus Murder.

    .. endblob proxy_authname

    .. startblob proxy_compress

    ``proxy_compress:`` 0

        Try to enable protocol-specific compression when performing a client
        connection to a backend server in the Cyrus Murder.

        Note that this should only be necessary over slow network
        connections.  Also note that currently only IMAP and MUPDATE support
        compression.

    .. endblob proxy_compress

    .. startblob proxy_password

    ``proxy_password:`` <none>

        The default password to use when authenticating to a backend server
        in the Cyrus Murder.  May be overridden on a host-specific basis using
        the hostname_password option.

    .. endblob proxy_password

    .. startblob proxy_realm

    ``proxy_realm:`` <none>

        The authentication realm to use when authenticating to a backend server
        in the Cyrus Murder

    .. endblob proxy_realm

    .. startblob proxyd_allow_status_referral

    ``proxyd_allow_status_referral:`` 0

        Set to true to allow proxyd to issue referrals to clients that support it
        when answering the STATUS command.  This is disabled by default since
        some clients issue many STATUS commands in a row, and do not cache the
        connections that these referrals would cause, thus resulting in a higher
        authentication load on the respective backend server.

    .. endblob proxyd_allow_status_referral

    .. startblob proxyd_disable_mailbox_referrals

    ``proxyd_disable_mailbox_referrals:`` 0

        Set to true to disable the use of mailbox-referrals on the
        proxy servers.

    .. endblob proxyd_disable_mailbox_referrals

    .. startblob proxyservers

    ``proxyservers:`` <none>

        A list of users and groups that are allowed to proxy for other
        users, separated by spaces.  Any user listed in this will be
        allowed to login for any other user: use with caution.
        In a standard murder this option should ONLY be set on backends.
        DO NOT SET on frontends or things won't work properly.

    .. endblob proxyservers

    .. startblob pts_module

    ``pts_module:`` afskrb

        The PTS module to use.

        Allowed values: *afskrb*, *ldap*


    .. endblob pts_module

    .. startblob ptloader_sock

    ``ptloader_sock:`` <none>

        Unix domain socket that ptloader listens on.
        (defaults to configdirectory/ptclient/ptsock)

    .. endblob ptloader_sock

    .. startblob ptscache_db

    ``ptscache_db:`` twoskip

        The cyrusdb backend to use for the pts cache.

        Allowed values: *skiplist*, *twoskip*, *zeroskip*


    .. endblob ptscache_db

    .. startblob ptscache_db_path

    ``ptscache_db_path:`` <none>

        The absolute path to the ptscache db file.  If not specified,
        will be configdirectory/ptscache.db

    .. endblob ptscache_db_path

    .. startblob ptscache_timeout

    ``ptscache_timeout:`` 3h

        The timeout for the PTS cache database when using the auth_krb_pts
        authorization method (default: 3 hours).

        For backward compatibility, if no unit is specified, seconds is
        assumed.

    .. endblob ptscache_timeout

    .. startblob ptskrb5_convert524

    ``ptskrb5_convert524:`` 1

        When using the AFSKRB ptloader module with Kerberos 5 canonicalization,
        do the final 524 conversion to get a n AFS style name (using '.' instead
        of '/', and using short names

    .. endblob ptskrb5_convert524

    .. startblob ptskrb5_strip_default_realm

    ``ptskrb5_strip_default_realm:`` 1

        When using the AFSKRB ptloader module with Kerberos 5 canonicalization,
        strip the default realm from the userid (this does not affect the stripping
        of realms specified by the afspts_localrealms option)

    .. endblob ptskrb5_strip_default_realm

    .. startblob qosmarking

    ``qosmarking:`` cs0

        This specifies the Class Selector or Differentiated Services Code Point
        designation on IP headers (in the ToS field).
        Allowed values: *cs0*, *cs1*, *cs2*, *cs3*, *cs4*, *cs5*, *cs6*, *cs7*, *af11*, *af12*, *af13*, *af21*, *af22*, *af23*, *af31*, *af32*, *af33*, *af41*, *af42*, *af43*, *ef*


    .. endblob qosmarking

    .. startblob quota_db

    ``quota_db:`` quotalegacy

        The cyrusdb backend to use for quotas.

        Allowed values: *flat*, *skiplist*, *sql*, *quotalegacy*, *twoskip*, *zeroskip*


    .. endblob quota_db

    .. startblob quota_db_path

    ``quota_db_path:`` <none>

        The absolute path for the quota database (if you choose a single-file
        quota DB type - or the base path if you choose quotalegacy).  If
        not specified will be configdirectory/quotas.db or configdirectory/quota/

    .. endblob quota_db_path

    .. startblob quotawarn

    ``quotawarn:`` 90

        The percent of quota utilization over which the server generates
        warnings.

    .. endblob quotawarn

    .. startblob quotawarnkb

    ``quotawarnkb:`` 0

        The maximum amount of free space (in kB) at which to give a quota
        warning (if this value is 0, or if the quota is smaller than this
        amount, then warnings are always given).

    .. endblob quotawarnkb

    .. startblob quotawarnmsg

    ``quotawarnmsg:`` 0

        The maximum amount of messages at which to give a quota warning
        (if this value is 0, or if the quota is smaller than this
        amount, then warnings are always given).

    .. endblob quotawarnmsg

    .. startblob reject8bit

    ``reject8bit:`` 0

        If enabled, lmtpd rejects messages with 8-bit characters in the
        headers.

    .. endblob reject8bit

    .. startblob restore_authname

    ``restore_authname:`` <none>

        The authentication used by the restore tool when authenticating
        to an IMAP/sync server.

    .. endblob restore_authname

    .. startblob restore_password

    ``restore_password:`` <none>

        The password used by the restore tool when authenticating to an
        IMAP/sync server.

    .. endblob restore_password

    .. startblob restore_realm

    ``restore_realm:`` <none>

        The authentication realm used by the restore tool when
        authenticating to an IMAP/sync server.

    .. endblob restore_realm

    .. startblob reverseacls

    ``reverseacls:`` 0

        At startup time, ctl_cyrusdb -r will check this value and it
        will either add or remove reverse ACL pointers from mailboxes.db

    .. endblob reverseacls

    .. startblob rfc2046_strict

    ``rfc2046_strict:`` 0

        If enabled, imapd will be strict (per :rfc:`2046`) when matching MIME
        boundary strings.  This means that boundaries containing other
        boundaries as substrings will be treated as identical.  Since
        enabling this option will break some messages created by Eudora 5.1
        (and earlier), it is recommended that it be left disabled unless
        there is good reason to do otherwise.

    .. endblob rfc2046_strict

    .. startblob rfc2047_utf8

    ``rfc2047_utf8:`` 0

        If enabled, imapd will parse any non-encoded character sequence in
        MIME header values as UTF8. This is useful for installations that
        either advertise the UTF8SMTP (:rfc:`5335`) extension or receive mails
        with improperly escaped UTF-8 byte sequences. It is recommended that
        this option is left disabled unless there is good reason to do
        otherwise.

    .. endblob rfc2047_utf8

    .. startblob rfc3028_strict

    ``rfc3028_strict:`` 1

        If enabled, Sieve will be strict (per :rfc:`3028`) with regards to
        which headers are allowed to be used in address and envelope tests.
        This means that only those headers which are defined to contain addresses
        will be allowed in address tests and only "to" and "from" will be
        allowed in envelope tests.  When disabled, ANY grammatically correct header
        will be allowed.

    .. endblob rfc3028_strict

    .. startblob rss_feedlist_template

    ``rss_feedlist_template:`` <none>

        File containing HTML that will be used as a template for displaying
        the list of available RSS feeds.  A single instance of the variable
        %RSS_FEEDLIST% should appear in the file, which will be replaced by
        a nested unordered list of feeds.  The toplevel unordered list will
        be tagged with an id of "feed" (<ul id='feed'>) which can be used
        by stylesheet(s) in your template.  The dynamically created list of
        feeds based on the HTML template will be accessible at the "/rss"
        URL on the server.

    .. endblob rss_feedlist_template

    .. startblob rss_feeds

    ``rss_feeds:`` \*

        A wildmat pattern specifying which mailbox hierarchies should be
        treated as RSS feeds.  Only mailboxes matching the wildmat will
        have their messages available via RSS.  If not set, a default
        wildmat of "\*" (ALL mailboxes) will be used.

    .. endblob rss_feeds

    .. startblob rss_maxage

    ``rss_maxage:`` <none>

        Maximum age of items to display in an RSS channel.  If non-zero,
        httpd will only display items received within this time period.
        If set to 0, all available items will be displayed (the default).

        For backward compatibility, if no unit is specified, days is
        assumed.

    .. endblob rss_maxage

    .. startblob rss_maxitems

    ``rss_maxitems:`` 0

        Maximum number of items to display in an RSS channel.  If non-zero,
        httpd will display no more than the *rss_maxitems* most recent
        items.  If set to 0, all available items will be displayed (the
        default).

    .. endblob rss_maxitems

    .. startblob rss_maxsynopsis

    ``rss_maxsynopsis:`` 0

        Maximum RSS item synopsis length.  If non-zero, httpd will display
        no more than the first *rss_maxsynopsis* characters of an
        item's synopsis.  If set to 0, the entire synopsis will be
        displayed (the default).

    .. endblob rss_maxsynopsis

    .. startblob rss_realm

    ``rss_realm:`` <none>

        The realm to present for HTTP authentication of RSS feeds.  If not
        set (the default), the value of the "servername" option will be
        used.

    .. endblob rss_realm

    .. startblob sasl_auto_transition

    ``sasl_auto_transition:`` 0

        If enabled, the SASL library will automatically create authentication
        secrets when given a plaintext password.  See the SASL documentation.

    .. endblob sasl_auto_transition

    .. startblob sasl_maximum_layer

    ``sasl_maximum_layer:`` 256

        Maximum SSF (security strength factor) that the server will allow a
        client to negotiate.

    .. endblob sasl_maximum_layer

    .. startblob sasl_minimum_layer

    ``sasl_minimum_layer:`` 0

        The minimum SSF that the server will allow a client to negotiate.
        A value of 1 requires integrity protection; any higher value
        requires some amount of encryption.

    .. endblob sasl_minimum_layer

    .. startblob sasl_option

    ``sasl_option:`` 0

        Any SASL option can be set by preceding it with **sasl_**.  This
        file overrides the SASL configuration file.

    .. endblob sasl_option

    .. startblob sasl_pwcheck_method

    ``sasl_pwcheck_method:`` <none>

        The mechanism used by the server to verify plaintext passwords.
        Possible values include "auxprop", "saslauthd", and "pwcheck".

    .. endblob sasl_pwcheck_method

    .. startblob search_batchsize

    ``search_batchsize:`` 20

        The number of messages to be indexed in one batch (default 20).
        Note that long batches may delay user commands or mail delivery.

    .. endblob search_batchsize

    .. startblob search_attachment_extractor_url

    ``search_attachment_extractor_url:`` <none>


        Reserved for future use.


    .. endblob search_attachment_extractor_url

    .. startblob search_index_language

    ``search_index_language:`` 0


        Reserved for future use.


    .. endblob search_index_language

    .. startblob search_index_parts

    ``search_index_parts:`` 0


        Deprecated. No longer used.


    .. endblob search_index_parts

    .. startblob search_query_language

    ``search_query_language:`` 0


        Reserved for future use.


    .. endblob search_query_language

    .. startblob search_normalisation_max

    ``search_normalisation_max:`` 1000

        A resource bound for the combinatorial explosion of search expression
        tree complexity caused by normalising expressions with many OR nodes.
        These can use more CPU time to optimise than they save IO time in scanning
        folders.

    .. endblob search_normalisation_max

    .. startblob search_engine

    ``search_engine:`` none

        The indexing engine used to speed up searching.

        Allowed values: *none*, *squat*, *xapian*


    .. endblob search_engine

    .. startblob search_fuzzy_always

    ``search_fuzzy_always:`` 0

        Whether to enable :rfc:`6203` FUZZY search for all IMAP SEARCH. If turned
        on, search attributes will be searched using FUZZY search by default.
        If turned off, clients have to explicitly use the FUZZY search key to
        enable fuzzy search for regular SEARCH commands.

    .. endblob search_fuzzy_always

    .. startblob search_index_headers

    ``search_index_headers:`` 1

        Whether to index headers other than From, To, Cc, Bcc, and Subject.
        Experiment shows that some headers such as Received and DKIM-Signature
        can contribute up to 2/3rds of the index size but almost nothing to
        the utility of searching.  Note that if header indexing is disabled,
        headers can still be searched, the searches will just be slower.


    .. endblob search_index_headers

    .. startblob search_indexed_db

    ``search_indexed_db:`` twoskip

        The cyrusdb backend to use for the search latest indexed uid state.  Xapian only.

        Allowed values: *flat*, *skiplist*, *twoskip*, *zeroskip*


    .. endblob search_indexed_db

    .. startblob search_maxtime

    ``search_maxtime:`` <none>

        The maximum number of seconds to run a search for before aborting.  Default
        of no value means search "forever" until other timeouts.

    .. endblob search_maxtime

    .. startblob search_queryscan

    ``search_queryscan:`` 5000

        The minimum number of records require to do a direct scan of all G keys
        \* rather than indexed lookups.  A value of 0 means always do indexed lookups.


    .. endblob search_queryscan

    .. startblob search_skipdiacrit

    ``search_skipdiacrit:`` 1

        When searching, should diacriticals be stripped from the search
        terms.  The default is "true", a search for "hav" will match
        "Håvard".  This is not :rfc:`5051` compliant, but it backwards
        compatible, and may be preferred by some sites.

    .. endblob search_skipdiacrit

    .. startblob search_skiphtml

    ``search_skiphtml:`` 0

        If enabled, HTML parts of messages are skipped, i.e. not indexed and
        not searchable.  Otherwise, they're indexed.

    .. endblob search_skiphtml

    .. startblob search_whitespace

    ``search_whitespace:`` merge

        When searching, how whitespace should be handled.  Options are:
        "skip" (default in 2.3 and earlier series) - where a search for
        "equi" would match "the quick brown fox".  "merge" - the default,
        where "he  qu" would match "the quick   brownfox", and "keep",
        where whitespace must match exactly.  The default of "merge" is
        recommended for most cases - it's a good compromise which
        keeps words separate.
        Allowed values: *skip*, *merge*, *keep*


    .. endblob search_whitespace

    .. startblob search_snippet_length

    ``search_snippet_length:`` 255

        The maximum byte length of a snippet generated by the XSNIPPETS
        command. Only supported by the Xapian search backend, which
        attempts to always fill search_snippet_length bytes in the
        generated snippet.

    .. endblob search_snippet_length

    .. startblob search_stopword_path

    ``search_stopword_path:`` <none>

        The absolute base path to the search stopword lists. If not specified,
        no stopwords will be taken into account during search indexing. Currently,
        the only supported and default stop word file is english.txt.

    .. endblob search_stopword_path

    .. startblob searchpartition-name

    ``searchpartition-name:`` <none>

        The pathname where to store the xapian search indexes of *searchtier*
        for mailboxes of partition *name*. This must be configured for the
        *defaultsearchtier* and any additional search tier (see squatter for
        details).

        For example: if *defaultpartition* is defined as part1 and
        *defaultsearchtier* as tier1 then the configuration must contain
        an entry *tier1searchpartition-part1* that defines the path where to
        store this tier1's search index for the part1 partition.

        This option MUST be specified for xapian search.

    .. endblob searchpartition-name

    .. startblob seenstate_db

    ``seenstate_db:`` twoskip

        The cyrusdb backend to use for the seen state.

        Allowed values: *flat*, *skiplist*, *twoskip*, *zeroskip*


    .. endblob seenstate_db

    .. startblob sendmail

    ``sendmail:`` /usr/lib/sendmail

        The pathname of the sendmail executable.  Sieve invokes sendmail
        for sending rejections, redirects and vacation responses.

    .. endblob sendmail

    .. startblob sendmail_auth_id

    ``sendmail_auth_id:`` CYRUS_SENDMAIL_AUTH_ID

        The name of an environment variable to set when invoking sendmail.
        The value of this environment variable will contain the user id
        of the currently authenticated user. If no user is authenticated
        the environment variable is not set.

    .. endblob sendmail_auth_id

    .. startblob serverlist

    ``serverlist:`` <none>

        Whitespace separated list of backend server names.  Used for
        finding server with the most available free space for proxying
        CREATE.

    .. endblob serverlist

    .. startblob serverlist_select_mode

    ``serverlist_select_mode:`` freespace-most

        Server selection mode.

        *random*
            (pseudo-)random selection

        *freespace-most*
            backend with the most (total) free space (KiB)

        *freespace-percent-most*
            backend whose partition has the most free space (%)

        *freespace-percent-weighted*
            same as for partition selection, comparing the free space (%) of the least used
            partition of each backend

        *freespace-percent-weighted-delta*
            same as for partition selection, comparing the free space (%) of the least used
            partition of each backend.


            Allowed values: *random*, *freespace-most*, *freespace-percent-most*, *freespace-percent-weighted*, *freespace-percent-weighted-delta*


    .. endblob serverlist_select_mode

    .. startblob serverlist_select_usage_reinit

    ``serverlist_select_usage_reinit:`` 0

        For a given session, number of **operations** (e.g. backend selection)
        for which backend usage data are cached.

    .. endblob serverlist_select_usage_reinit

    .. startblob serverlist_select_soft_usage_limit

    ``serverlist_select_soft_usage_limit:`` 0

        Limit of backend usage (%): if a backend is over that limit, it is
        automatically excluded from selection mode.

        If all backends are over that limit, this feature is not used anymore.


    .. endblob serverlist_select_soft_usage_limit

    .. startblob servername

    ``servername:`` <none>

        This is the hostname visible in the greeting messages of the POP,
        IMAP and LMTP daemons. If it is unset, then the result returned
        from gethostname(2) is used.  This is also the value used by murder
        clusters to identify the host name.  It should be resolvable by
        DNS to the correct host, and unique within an active cluster.  If
        you are using low level replication (e.g. drbd) then it should be
        the same on each copy and the DNS name should also be moved to
        the new master on failover.

    .. endblob servername

    .. startblob serverinfo

    ``serverinfo:`` on

        The server information to display in the greeting and capability
        responses. Information is displayed as follows:

            "off" = no server information in the greeting or capabilities

            "min" = *servername* in the greeting; no server information in the capabilities

            "on" = *servername* and product version in the greeting;
            product version in the capabilities


            Allowed values: *off*, *min*, *on*


    .. endblob serverinfo

    .. startblob sharedprefix

    ``sharedprefix:`` Shared Folders

        If using the alternate IMAP namespace, the prefix for the shared
        namespace.  The hierarchy delimiter will be automatically appended.


    .. endblob sharedprefix

    .. startblob sieve_allowreferrals

    ``sieve_allowreferrals:`` 1

        If enabled, timsieved will issue referrals to clients when the
        user's scripts reside on a remote server (in a Murder).
        Otherwise, timsieved will proxy traffic to the remote server.

    .. endblob sieve_allowreferrals

    .. startblob sieve_duplicate_max_expiration

    ``sieve_duplicate_max_expiration:`` 90d

        Maximum expiration time for duplicate message tracking records.

        For backward compatibility, if no unit is specified, seconds is
        assumed.

    .. endblob sieve_duplicate_max_expiration

    .. startblob sieve_extensions

    ``sieve_extensions:`` fileinto reject vacation vacation-seconds imapflags notify include envelope environment body relational regex subaddress copy date index imap4flags mailbox mboxmetadata servermetadata variables editheader extlists duplicate ihave fcc special-use redirect-dsn redirect-deliverby mailboxid x-cyrus-log x-cyrus-jmapquery x-cyrus-snooze

        Space-separated list of Sieve extensions allowed to be used in
        sieve scripts, enforced at submission by timsieved(8).  Any
        previously installed script will be unaffected by this option and
        will continue to execute regardless of the extensions used.  This
        option has no effect on options that are disabled at compile time
        (e.g., "regex").
        Allowed values: *fileinto*, *reject*, *vacation*, *vacation-seconds*, *imapflags*, *notify*, *include*, *envelope*, *environment*, *body*, *relational*, *regex*, *subaddress*, *copy*, *date*, *index*, *imap4flags*, *mailbox*, *mboxmetadata*, *servermetadata*, *variables*, *editheader*, *extlists*, *duplicate*, *ihave*, *fcc*, *special-use*, *redirect-dsn*, *redirect-deliverby*, *mailboxid*, *x-cyrus-log*, *x-cyrus-jmapquery*, *x-cyrus-snooze*


    .. endblob sieve_extensions

    .. startblob sieve_maxscriptsize

    ``sieve_maxscriptsize:`` 32

        Maximum size (in kilobytes) any sieve script can be, enforced at
        submission by timsieved(8).

    .. endblob sieve_maxscriptsize

    .. startblob sieve_maxscripts

    ``sieve_maxscripts:`` 5

        Maximum number of sieve scripts any user may have, enforced at
        submission by timsieved(8).

    .. endblob sieve_maxscripts

    .. startblob sieve_utf8fileinto

    ``sieve_utf8fileinto:`` 0

        If enabled, the sieve engine expects folder names for the
        *fileinto* action in scripts to use UTF8 encoding.  Otherwise,
        modified UTF7 encoding should be used.

    .. endblob sieve_utf8fileinto

    .. startblob sieve_sasl_send_unsolicited_capability

    ``sieve_sasl_send_unsolicited_capability:`` 0

        If enabled, timsieved will emit a capability response after a successful
        SASL authentication, per draft-martin-managesieve-12.txt .

    .. endblob sieve_sasl_send_unsolicited_capability

    .. startblob sieve_use_lmtp_reject

    ``sieve_use_lmtp_reject:`` 1

        Enabled by default.  If reject can be done via LMTP, then return a 550
        rather than generating the bounce message in Cyrus.

    .. endblob sieve_use_lmtp_reject

    .. startblob sieve_vacation_min_response

    ``sieve_vacation_min_response:`` 3d

        Minimum time interval between consecutive vacation responses, per
        draft-ietf-vacation-seconds.txt.  The default is 3 days.

        For backward compatibility, if no unit is specified, seconds is
        assumed.

    .. endblob sieve_vacation_min_response

    .. startblob sieve_vacation_max_response

    ``sieve_vacation_max_response:`` 90d

        Maximum time interval between consecutive vacation responses, per
        draft-ietf-vacation-seconds.txt.  The default is 90 days.  The
        minimum is 7 days.

        For backward compatibility, if no unit is specified, seconds is
        assumed.

    .. endblob sieve_vacation_max_response

    .. startblob sievedir

    ``sievedir:`` /usr/sieve

        If sieveusehomedir is false, this directory is searched for Sieve
        scripts.

    .. endblob sievedir

    .. startblob sievenotifier

    ``sievenotifier:`` <none>

        Notifyd(8) method to use for "SIEVE" notifications.  If not set, "SIEVE"
        notifications are disabled.

        This method is only used when no method is specified in the script.

    .. endblob sievenotifier

    .. startblob sieveusehomedir

    ``sieveusehomedir:`` 0

        If enabled, lmtpd will look for Sieve scripts in user's home
        directories: ~user/.sieve.

    .. endblob sieveusehomedir

    .. startblob anysievefolder

    ``anysievefolder:`` 0

        It must be "yes" in order to permit the autocreation of any INBOX subfolder
        requested by a sieve filter, through the "fileinto" action. (default = no)

    .. endblob anysievefolder

    .. startblob singleinstancestore

    ``singleinstancestore:`` 1

        If enabled, imapd, lmtpd and nntpd attempt to only write one copy
        of a message per partition and create hard links, resulting in a
        potentially large disk savings.

    .. endblob singleinstancestore

    .. startblob skiplist_always_checkpoint

    ``skiplist_always_checkpoint:`` 1

        If enabled, this option forces the skiplist cyrusdb backend to
        always checkpoint when doing a recovery.  This causes slightly
        more IO, but on the other hand leads to more efficient databases,
        and the entire file is already "hot".

    .. endblob skiplist_always_checkpoint

    .. startblob skiplist_unsafe

    ``skiplist_unsafe:`` 0

        If enabled, this option forces the skiplist cyrusdb backend to
        not sync writes to the disk.  Enabling this option is NOT RECOMMENDED.

    .. endblob skiplist_unsafe

    .. startblob smtp_backend

    ``smtp_backend:`` sendmail

        The SMTP backend to use for sending email.

        The \"host\" backend sends message submissions via
        a TCP socket to the SMTP host defined in the config
        option smtp_host.

        The \"sendmail\" backend forks the Cyrus process into
        the executable defined in the config option sendmail.
        The executable must accept \"-bs\" as command line
        argument, read from stdin and must implement the minimum
        SMTP protocol as defined in section 4.5.1 of :rfc:`5321`.

        If the SMTP EHLO command reports AUTH (:rfc:`4954`) as a
        supported extension, then the MAIL FROM command includes
        the AUTH parameter, with its value set to the name of any
        authenticated user which triggered the email. The AUTH
        parameter is omitted if the user is unknown to the calling
        process.

        If the directory
        *configdirectory*/log/smtpclient.\ *smtp_backend*
        exists, then telemetry logs for outgoing SMTP sessions will
        be created in this directory.

        Allowed values: *host*, *sendmail*


    .. endblob smtp_backend

    .. startblob smtp_host

    ``smtp_host:`` localhost:587

        The SMTP host to use for sending mail (also see the
        smtp_backend option). The value of this option must
        the name or IP address of a TCP host, followed optionally
        by a colon and the port or service to use. The default
        port is 587. TLS may be activated by appending \"/tls\"
        to the value. Authentication is enabled if smtp_auth_authname
        is set. Authentication can be explicitly disabled by appending
        \"/noauth\" to the host address.

    .. endblob smtp_host

    .. startblob smtp_auth_authname

    ``smtp_auth_authname:`` <none>

        The authentication name to use when authenticating to the SMTP
        server defined in smtp_host.

    .. endblob smtp_auth_authname

    .. startblob smtp_auth_password

    ``smtp_auth_password:`` <none>

        The password to use when authenticating to the SMTP server defined
        in smtp_host.

    .. endblob smtp_auth_password

    .. startblob smtp_auth_realm

    ``smtp_auth_realm:`` <none>

        The authentication SASL realm to use when authenticating to a SMTP
        server.

    .. endblob smtp_auth_realm

    .. startblob soft_noauth

    ``soft_noauth:`` 1

        If enabled, lmtpd returns temporary failures if the client does not
        successfully authenticate.  Otherwise lmtpd returns permanent failures
        (causing the mail to bounce immediately).

    .. endblob soft_noauth

    .. startblob sortcache_db

    ``sortcache_db:`` twoskip

        The cyrusdb backend to use for caching sort results (currently only
        used for xconvmultisort)
        Allowed values: *skiplist*, *twoskip*, *zeroskip*


    .. endblob sortcache_db

    .. startblob specialuse_extra

    ``specialuse_extra:`` <none>

        Whitespace separated list of extra special-use attributes
        that can be set on a mailbox. :rfc:`6154` currently lists
        what special-use attributes can be set. This allows
        extending that list in the future or adding your own
        if needed.

    .. endblob specialuse_extra

    .. startblob specialuse_protect

    ``specialuse_protect:`` \\Archive \\Drafts \\Important \\Junk \\Sent \\Trash

        Whitespace separated list of special-use attributes
        to protect the mailboxes for.  If set, don't allow
        mailboxes with these special use attributes to be deleted
        or renamed to have a different parent. Default is the built-in list

    .. endblob specialuse_protect

    .. startblob specialusealways

    ``specialusealways:`` 1

        If enabled, this option causes LIST and LSUB output to always include
        the XLIST "special-use" flags

    .. endblob specialusealways

    .. startblob sql_database

    ``sql_database:`` <none>

        Name of the database which contains the cyrusdb table(s).


    .. endblob sql_database

    .. startblob sql_engine

    ``sql_engine:`` <none>

        Name of the SQL engine to use.

        Allowed values: *mysql*, *pgsql*, *sqlite*


    .. endblob sql_engine

    .. startblob sql_hostnames

    ``sql_hostnames:`` <empty string>

        Comma separated list of SQL servers (in host[:port] format).


    .. endblob sql_hostnames

    .. startblob sql_passwd

    ``sql_passwd:`` <none>

        Password to use for authentication to the SQL server.


    .. endblob sql_passwd

    .. startblob sql_user

    ``sql_user:`` <none>

        Username to use for authentication to the SQL server.


    .. endblob sql_user

    .. startblob sql_usessl

    ``sql_usessl:`` 0

        If enabled, a secure connection will be made to the SQL server.


    .. endblob sql_usessl

    .. startblob srs_alwaysrewrite

    ``srs_alwaysrewrite:`` 0

        If true, perform SRS rewriting for ALL forwarding, even when not required.


    .. endblob srs_alwaysrewrite

    .. startblob srs_domain

    ``srs_domain:`` <none>

        The domain to use in rewritten addresses. This must point only to machines
        which know the encoding secret used by this system. When present, SRS is
        enabled.

    .. endblob srs_domain

    .. startblob srs_hashlength

    ``srs_hashlength:`` 0

        The hash length to generate in a rewritten address.


    .. endblob srs_hashlength

    .. startblob srs_secrets

    ``srs_secrets:`` <none>

        A list of secrets with which to generate addresses.


    .. endblob srs_secrets

    .. startblob srs_separator

    ``srs_separator:`` <none>

        The separator to appear immediately after SRS[01] in rewritten addresses.


    .. endblob srs_separator

    .. startblob srvtab

    ``srvtab:`` <empty string>

        The pathname of *srvtab* file containing the server's private
        key.  This option is passed to the SASL library and overrides its
        default setting.

    .. endblob srvtab

    .. startblob submitservers

    ``submitservers:`` <none>

        A list of users and groups that are allowed to resolve "urlauth=submit+"
        IMAP URLs, separated by spaces.  Any user listed in this will be
        allowed to fetch the contents of any valid "urlauth=submit+" IMAP URL:
        use with caution.

    .. endblob submitservers

    .. startblob subscription_db

    ``subscription_db:`` flat

        The cyrusdb backend to use for the subscriptions list.

        Allowed values: *flat*, *skiplist*, *twoskip*, *zeroskip*


    .. endblob subscription_db

    .. startblob suppress_capabilities

    ``suppress_capabilities:`` <none>

        Suppress the named capabilities from any capability response.  Use the
        exact case as it appears in the response, e.g.
        "suppress_capabilities: ESEARCH QRESYNC WITHIN XLIST LIST-EXTENDED"
        if you have a murder with 2.3.x backends and don't want clients being
        confused by new capabilities that some backends don't support.

    .. endblob suppress_capabilities

    .. startblob statuscache

    ``statuscache:`` 0

        Enable/disable the imap status cache.


    .. endblob statuscache

    .. startblob statuscache_db

    ``statuscache_db:`` twoskip

        The cyrusdb backend to use for the imap status cache.

        Allowed values: *skiplist*, *sql*, *twoskip*, *zeroskip*


    .. endblob statuscache_db

    .. startblob statuscache_db_path

    ``statuscache_db_path:`` <none>

        The absolute path to the statuscache db file.  If not specified,
        will be configdirectory/statuscache.db

    .. endblob statuscache_db_path

    .. startblob sync_authname

    ``sync_authname:`` <none>

        The authentication name to use when authenticating to a sync server.
        Prefix with a channel name to only apply for that channel

    .. endblob sync_authname

    .. startblob sync_batchsize

    ``sync_batchsize:`` 8192

        the number of messages to upload in a single mailbox replication.
        Default is 8192.  If there are more than this many messages appended
        to the mailbox, generate a synthetic partial state and send that.

    .. endblob sync_batchsize

    .. startblob sync_host

    ``sync_host:`` <none>

        Name of the host (replica running sync_server(8)) to which
        replication actions will be sent by sync_client(8).
        Prefix with a channel name to only apply for that channel

    .. endblob sync_host

    .. startblob sync_log

    ``sync_log:`` 0

        Enable replication action logging by lmtpd(8), imapd(8), pop3d(8),
        and nntpd(8).  The log {configdirectory}/sync/log is used by
        sync_client(8) for "rolling" replication.

    .. endblob sync_log

    .. startblob sync_log_chain

    ``sync_log_chain:`` 0

        Enable replication action logging by sync_server as well, allowing
        chaining of replicas.  Use this on 'B' for A => B => C replication layout

    .. endblob sync_log_chain

    .. startblob sync_log_channels

    ``sync_log_channels:`` <none>

        If specified, log all events to multiple log files in directories
        specified by each "channel".  Each channel can then be processed
        separately, such as by multiple sync_client(8)s in a mesh replication
        scheme, or by squatter(8) for rolling search index updates.

        You can use "" (the two-character string U+22 U+22) to mean the
        default sync channel.

    .. endblob sync_log_channels

    .. startblob sync_log_unsuppressable_channels

    ``sync_log_unsuppressable_channels:`` squatter

        If specified, the named channels are exempt from the effect of setting
        sync_log_chain:off, i.e. they are always logged to by the sync_server
        process.  This is only really useful to allow rolling search indexing
        on a replica.

    .. endblob sync_log_unsuppressable_channels

    .. startblob sync_password

    ``sync_password:`` <none>

        The default password to use when authenticating to a sync server.
        Prefix with a channel name to only apply for that channel

    .. endblob sync_password

    .. startblob sync_port

    ``sync_port:`` <none>

        Name of the service (or port number) of the replication service on
        replica host.  Prefix with a channel name to only apply for that
        channel.  If not specified, and if sync_try_imap is set to "yes"
        (the default), then the replication client will first try "imap"
        (port 143) to check if imapd supports replication.  otherwise it
        will default to "csync" (usually port 2005).

    .. endblob sync_port

    .. startblob sync_realm

    ``sync_realm:`` <none>

        The authentication realm to use when authenticating to a sync server.
        Prefix with a channel name to only apply for that channel

    .. endblob sync_realm

    .. startblob sync_repeat_interval

    ``sync_repeat_interval:`` 1s

        Minimum interval between replication runs in rolling replication
        mode. If a replication run takes longer than this time, we repeat
        immediately.  Prefix with a channel name to only apply for that
        channel.

        For backward compatibility, if no unit is specified, seconds is
        assumed.

    .. endblob sync_repeat_interval

    .. startblob sync_shutdown_file

    ``sync_shutdown_file:`` <none>

        Simple latch used to tell sync_client(8) that it should shut down at the
        next opportunity. Safer than sending signals to running processes.
        Prefix with a channel name to only apply for that channel

    .. endblob sync_shutdown_file

    .. startblob sync_timeout

    ``sync_timeout:`` 30m

        How long to wait for a response before returning a timeout failure
        when talking to a replication peer (client or server).  The minimum
        duration is 3 seconds, the default is 30 minutes.

        For backward compatibility, if no unit is specified, seconds is
        assumed.

    .. endblob sync_timeout

    .. startblob sync_try_imap

    ``sync_try_imap:`` 1

        Whether sync_client should try to perform an IMAP connection
        before falling back to csync.  If this is set to "no",
        sync_client will only use csync.  Prefix with a channel name to
        apply only for that channel

    .. endblob sync_try_imap

    .. startblob syslog_prefix

    ``syslog_prefix:`` <none>

        String to be prepended to the process name in syslog entries. Can
        be further overridden by setting the $CYRUS_SYSLOG_PREFIX environment
        variable.

        Using the $CYRUS_SYSLOG_PREFIX environment variable has the additional
        advantage that it can be set before the **imapd.conf** is read, so
        errors while reading the config file can be syslogged with the correct
        prefix.

    .. endblob syslog_prefix

    .. startblob syslog_facility

    ``syslog_facility:`` <none>

        Configure a syslog facility.  The default is whatever is compiled
        in.  Allowed values are: DAEMON, MAIL, NEWS, USER, and LOCAL0
        through to LOCAL7

    .. endblob syslog_facility

    .. startblob tcp_keepalive

    ``tcp_keepalive:`` 0

        Enable keepalive on TCP connections


    .. endblob tcp_keepalive

    .. startblob tcp_keepalive_cnt

    ``tcp_keepalive_cnt:`` 0

        Number of TCP keepalive probes to send before declaring the
        connection dead (0 == system default)

    .. endblob tcp_keepalive_cnt

    .. startblob tcp_keepalive_idle

    ``tcp_keepalive_idle:`` 0

        How long a connection must be idle before keepalive probes are sent
        (0 == system default).

        For backward compatibility, if no unit is specified, seconds is
        assumed.

    .. endblob tcp_keepalive_idle

    .. startblob tcp_keepalive_intvl

    ``tcp_keepalive_intvl:`` 0

        Time between keepalive probes (0 == system default).

        For backward compatibility, if no unit is specified, seconds is
        assumed.

    .. endblob tcp_keepalive_intvl

    .. startblob temp_path

    ``temp_path:`` /tmp

        The pathname to store temporary files in


    .. endblob temp_path

    .. startblob telemetry_bysessionid

    ``telemetry_bysessionid:`` 0

        If true, log by sessionid instead of PID for telemetry


    .. endblob telemetry_bysessionid

    .. startblob timeout

    ``timeout:`` 32m

        The length of the IMAP server's inactivity autologout timer.
        The minimum value is 30 minutes.  The default is 32 minutes,
        to allow a bit of leeway for clients that try to NOOP every
        30 minutes.

        For backward compatibility, if no unit is specified, minutes
        is assumed.

    .. endblob timeout

    .. startblob imapidletimeout

    ``imapidletimeout:`` <none>

        Timeout for idling clients (:rfc:`2177`).  If not set (the default),
        the value of "timeout" will be used instead.

        For backward compatibility, if no unit is specified, minutes
        is assumed.

    .. endblob imapidletimeout

    .. startblob tls_ca_file

    ``tls_ca_file:`` <none>

        Deprecated in favor of *tls_client_ca_file*.


    .. endblob tls_ca_file

    .. startblob tls_ca_path

    ``tls_ca_path:`` <none>

        Deprecated in favor of *tls_client_ca_dir*.


    .. endblob tls_ca_path

    .. startblob tlscache_db

    ``tlscache_db:`` twoskip

        Deprecated in favor of *tls_sessions_db*.


    .. endblob tlscache_db

    .. startblob tlscache_db_path

    ``tlscache_db_path:`` <none>

        Deprecated in favor of *tls_sessions_db_path*.


    .. endblob tlscache_db_path

    .. startblob tls_cert_file

    ``tls_cert_file:`` <none>

        Deprecated in favor of *tls_server_cert*.


    .. endblob tls_cert_file

    .. startblob tls_cipher_list

    ``tls_cipher_list:`` DEFAULT

        Deprecated in favor of *tls_ciphers*.


    .. endblob tls_cipher_list

    .. startblob tls_ciphers

    ``tls_ciphers:`` DEFAULT

        The list of SSL/TLS ciphers to allow.  The format of the string
        (and definition of "DEFAULT") is described in **ciphers(1)**.

        See also Mozilla's server-side TLS recommendations:

        https://wiki.mozilla.org/Security/Server_Side_TLS

    .. endblob tls_ciphers

    .. startblob tls_crl_file

    ``tls_crl_file:`` <none>

        Path to a file containing the Certificate Revocation List


    .. endblob tls_crl_file

    .. startblob tls_client_ca_dir

    ``tls_client_ca_dir:`` <none>

        Path to a directory containing the CA certificates used to verify
        client SSL certificates used for authentication.

    .. endblob tls_client_ca_dir

    .. startblob tls_client_ca_file

    ``tls_client_ca_file:`` <none>

        Path to a file containing the CA certificate(s) used to verify
        client SSL certificates used for authentication.

    .. endblob tls_client_ca_file

    .. startblob tls_client_cert

    ``tls_client_cert:`` <none>

        File containing the certificate presented to a server for authentication
        during STARTTLS. A value of "disabled" will disable this server's use
        of certificate-based authentication.

    .. endblob tls_client_cert

    .. startblob tls_client_certs

    ``tls_client_certs:`` optional

        Disable ("off"), allow ("optional", default) or require ("require") the
        use of SSL certificates by clients to authenticate themselves.
        Allowed values: *off*, *optional*, *require*


    .. endblob tls_client_certs

    .. startblob tls_client_key

    ``tls_client_key:`` <none>

        File containing the private key belonging to the tls_client_cert
        certificate. A value of "disabled" will disable this server's use
        of certificate-based authentication.

    .. endblob tls_client_key

    .. startblob tls_eccurve

    ``tls_eccurve:`` prime256v1

        The elliptic curve used for ECDHE. Default is NIST Suite B prime256.
        See 'openssl ecparam -list_curves' for possible values.

    .. endblob tls_eccurve

    .. startblob tls_key_file

    ``tls_key_file:`` <none>

        Deprecated in favor of *tls_server_key*.


    .. endblob tls_key_file

    .. startblob tls_required

    ``tls_required:`` 0

        If enabled, require a TLS/SSL encryption layer to be negotiated
        prior to ANY authentication mechanisms being advertised or allowed.

    .. endblob tls_required

    .. startblob tls_prefer_server_ciphers

    ``tls_prefer_server_ciphers:`` 0

        Prefer the ciphers on the server side instead of client side.


    .. endblob tls_prefer_server_ciphers

    .. startblob tls_server_ca_dir

    ``tls_server_ca_dir:`` <none>

        Path to a directory with CA certificates used to verify certificates
        offered by the server, when cyrus acts as client. This directory must
        have filenames with the hashed value of the certificates (see
        openssl(1)).

    .. endblob tls_server_ca_dir

    .. startblob tls_server_ca_file

    ``tls_server_ca_file:`` <none>

        Path to a file containing CA certificates used to verify certificates
        offered by the server, when cyrus acts as client.

    .. endblob tls_server_ca_file

    .. startblob tls_server_cert

    ``tls_server_cert:`` <none>

        File containing the certificate, including the full chain, presented to clients.
        Two certificates can be set, e.g RSA and EC, if the filenames are separated with
        comma without spaces.

    .. endblob tls_server_cert

    .. startblob tls_server_dhparam

    ``tls_server_dhparam:`` <none>

        File containing the DH parameters belonging to the certificate in
        tls_server_cert.

    .. endblob tls_server_dhparam

    .. startblob tls_server_key

    ``tls_server_key:`` <none>

        File containing the private key belonging to the certificate in
        tls_server_cert.  If not set, tls_server_cert must contain both private and
        public key.  Two files with keys can be set, if two certificates are used, in
        which case the files must be separated with comma without spaces

    .. endblob tls_server_key

    .. startblob tls_sessions_db

    ``tls_sessions_db:`` twoskip

        The cyrusdb backend to use for the TLS cache.

        Allowed values: *skiplist*, *sql*, *twoskip*, *zeroskip*


    .. endblob tls_sessions_db

    .. startblob tls_sessions_db_path

    ``tls_sessions_db_path:`` <none>

        The absolute path to the TLS sessions db file. If not specified,
        will be configdirectory/tls_sessions.db

    .. endblob tls_sessions_db_path

    .. startblob tls_session_timeout

    ``tls_session_timeout:`` 24h

        The length of time that a TLS session will be cached for later
        reuse.  The maximum value is 24 hours, also the default.  A
        value of 0 will disable session caching.

        For backward compatibility, if no unit is specified, minutes is
        assumed.

    .. endblob tls_session_timeout

    .. startblob tls_versions

    ``tls_versions:`` tls1_0 tls1_1 tls1_2 tls1_3

        A list of SSL/TLS versions to not disable. Cyrus IMAP SSL/TLS starts
        with all protocols, and subtracts protocols not in this list. Newer
        versions of SSL/TLS will need to be added here to allow them to get
        disabled.

    .. endblob tls_versions

    .. startblob uidl_format

    ``uidl_format:`` cyrus

        Choose the format for UIDLs in pop3.  Possible values are "uidonly",
        "cyrus", "dovecot" and "courier".  "uidonly" forces the old default
        of UID, "cyrus" is UIDVALIDITY.UID.  Dovecot is 8 digits of leading
        hex (lower case) each UID UIDVALIDITY. Courier is UIDVALIDITY-UID.
        Allowed values: *uidonly*, *cyrus*, *dovecot*, *courier*


    .. endblob uidl_format

    .. startblob umask

    ``umask:`` 077

        The umask value used by various Cyrus IMAP programs.


    .. endblob umask

    .. startblob userdeny_db

    ``userdeny_db:`` flat

        The cyrusdb backend to use for the user access list.

        Allowed values: *flat*, *skiplist*, *sql*, *twoskip*, *zeroskip*


    .. endblob userdeny_db

    .. startblob userdeny_db_path

    ``userdeny_db_path:`` <none>

        The absolute path to the userdeny db file.  If not specified,
        will be configdirectory/user_deny.db

    .. endblob userdeny_db_path

    .. startblob username_tolower

    ``username_tolower:`` 1

        Convert usernames to all lowercase before login/authentication.  This
        is useful with authentication backends which ignore case during
        username lookups (such as LDAP).

    .. endblob username_tolower

    .. startblob userprefix

    ``userprefix:`` Other Users

        If using the alternate IMAP namespace, the prefix for the other users
        namespace.  The hierarchy delimiter will be automatically appended.

    .. endblob userprefix

    .. startblob unix_group_enable

    ``unix_group_enable:`` 1

        Should we look up groups when using auth_unix (disable this if you are
        not using groups in ACLs for your IMAP server, and you are using auth_unix
        with a backend (such as LDAP) that can make getgrent() calls very
        slow)

    .. endblob unix_group_enable

    .. startblob unixhierarchysep

    ``unixhierarchysep:`` 1

        Use the UNIX separator character '/' for delimiting levels of
        mailbox hierarchy.  Turn off to use the netnews separator
        character '.'. Note that with the newnews separator, no dots may
        occur in mailbox names.  The default switched in 3.0 from off to on.

    .. endblob unixhierarchysep

    .. startblob virtdomains

    ``virtdomains:`` off

        Configure virtual domain support.

        off
            Cyrus does not know or care about domains. Only the local part of email
            addresses is ever considered.  This is not recommended for any deployment,
            but is currently the default.

        userid
            The user's domain is determined by splitting a fully qualified userid at the
            last '@' or '%' symbol.  If the userid is unqualified, the *defaultdomain*
            will be used.  This is the recommended configuration for all deployments.
            If you wish to provide calendaring services you must use this configuration.

        on
            Fully qualified userids are respected, as per "userid".  Unqualified userids
            will have their domain determined by doing a reverse lookup on the IP address
            of the incoming network interface, or if no record is found, the
            *defaultdomain* will be used.



            Allowed values: *off*, *userid*, *on*


    .. endblob virtdomains

    .. startblob virusscan_notification_subject

    ``virusscan_notification_subject:`` Automatically deleted mail

        The text used in the subject of email notifications created by
        **cyr_virusscan(8)** when deleting infected mail.

    .. endblob virusscan_notification_subject

    .. startblob virusscan_notification_template

    ``virusscan_notification_template:`` <none>

        The absolute path to a file containing a template to use to describe
        infected messages that have been deleted by **cyr_virusscan(8)**.
        See **cyr_virusscan(8)** for specification of the format of this file.
        If not specified, the builtin default template will be used.

    .. endblob virusscan_notification_template

    .. startblob xbackup_enabled

    ``xbackup_enabled:`` 0

        Enable support for the XBACKUP command in imapd.  If enabled, admin
        users can use this command to provoke a replication of specified users
        to the named backup channel.

    .. endblob xbackup_enabled

    .. startblob xlist-flag

    ``xlist-flag:`` <none>

        Set the special-use flag *flag* on the specified folder when it
        is autocreated (see the *autocreate_inbox_folders* option).  For
        example, if **xlist-junk: Spam** is set, and the folder **Spam**
        is autocreated, the special-use flag **\\Junk** will be set on it.

        (This option is so named for backward compatibility with old config
        files.)


    .. endblob xlist-flag

    .. startblob lmtp_catchall_mailbox

    ``lmtp_catchall_mailbox:`` <none>

        Mail sent to mailboxes which do not exist, will be delivered to
        this user.  NOTE: This must be an existing local user name with an
        INBOX, NOT an email address!

    .. endblob lmtp_catchall_mailbox

    .. startblob zoneinfo_db

    ``zoneinfo_db:`` twoskip

        The cyrusdb backend to use for zoneinfo.  This database is used by the
        "tzdist" *httpmodules*, and is managed by **ctl_zoneinfo(8)**.
        Allowed values: *flat*, *skiplist*, *twoskip*, *zeroskip*


    .. endblob zoneinfo_db

    .. startblob zoneinfo_db_path

    ``zoneinfo_db_path:`` <none>

        The absolute path to the zoneinfo db file.  If not specified,
        will be configdirectory/zoneinfo.db

    .. endblob zoneinfo_db_path

    .. startblob zoneinfo_dir

    ``zoneinfo_dir:`` <none>

        The absolute path to the zoneinfo directory, containing timezone
        definitions as generated by the vzic tool.  If not specified, whatever
        definitions libical finds will be used.

        If you are providing a Time Zone Data Distribution Service (i.e. you have
        "tzdist" listed in *httpmodules*), then this configuration option MUST
        be specified.

    .. endblob zoneinfo_dir

    .. startblob object_storage_enabled

    ``object_storage_enabled:`` 0

        Is Object storage enabled for this server.  You also need to have
        archiving enabled and archivepartition for the mailbox.
        Only email files will be stored on object Storage archive partition will be
        used to store any other files

    .. endblob object_storage_enabled

    .. startblob object_storage_dummy_spool

    ``object_storage_dummy_spool:`` <none>

        Dummy object storage spool; this is for test only.
        Spool where user directory (container) will be created to store all emails
        in a flat structure

    .. endblob object_storage_dummy_spool

    .. startblob openio_namespace

    ``openio_namespace:`` <none>

        The OpenIO namespace used to store archived email messages. A namespace
        identifies the physical platform cyrus must contact. This directive is used
        by the OpenIO's SDK to locate its platform entry point.

    .. endblob openio_namespace

    .. startblob openio_account

    ``openio_account:`` <none>

        The OpenIO account used to account for stored emails. Accounts are unique
        in their namespace. They provides virtual partitions, with quotas and QoS
        features.

    .. endblob openio_account

    .. startblob openio_rawx_timeout

    ``openio_rawx_timeout:`` 30s

        The OpenIO timeout to query to the RAWX services (default 30 sec).


    .. endblob openio_rawx_timeout

    .. startblob openio_proxy_timeout

    ``openio_proxy_timeout:`` 5s

        The OpenIO timeout to query to the PROXY services (default 5 sec).


    .. endblob openio_proxy_timeout

    .. startblob openio_autocreate

    ``openio_autocreate:`` 0

        Allow the OpenIO SDK to autocreate containers. Mainly destined to be turned
        on development environments. In production, the container should have been
        provisioned with the mailboxes.

    .. endblob openio_autocreate

    .. startblob openio_verbosity

    ``openio_verbosity:`` <none>

        Sets the logging verbosity of the OpenIO's internal behavior. Admissible
        values are: "warning", "notice", "info", "debug", "trace", "quiet".
        The default verbosity is "warning". Set to "notice" for a few lines on a
        per-client basis. Set to "info" for a few lines on a per-request basis. Set
        to "debug" Set to "trace" to activate the underlying libcurl debug
        output. Enabling a verbosity higher to equal than "debug" requires
        the cyrus to be set in debug mode. The special "quiet" value disables all
        kinds of logging at the GLib level.

    .. endblob openio_verbosity

    .. startblob caringo_hostname

    ``caringo_hostname:`` <none>

        The Caringo hostname used to store archived email messages. A hostname
        identifies the physical platform cyrus must contact. This directive is used
        by the Caringo's SDK (CastorSDK: Caringo Simple Content Storage Protocol (SCSP)
        on HTTP 1.1 using a RESTful architecture

    .. endblob caringo_hostname

    .. startblob caringo_port

    ``caringo_port:`` 80

        The port of the caringo server (caringo_hostname); default is 80.


    .. endblob caringo_port

    .. startblob fastmailsharing

    ``fastmailsharing:`` 0

        If enabled, use FastMail style sharing (oldschool full server paths)


    .. endblob fastmailsharing


SEE ALSO
========


    **imapd(8)**, **pop3d(8)**, **nntpd(8)**, **lmtpd(8)**,
    **httpd(8)**, **timsieved(8)**, **idled(8)**, **notifyd(8)**,
    **deliver(8)**, **master(8)**, **ciphers(1)**