|
| 1 | +## |
| 2 | +## Authentication processes |
| 3 | +## |
| 4 | + |
| 5 | +# Disable LOGIN command and all other plaintext authentications unless |
| 6 | +# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP |
| 7 | +# matches the local IP (ie. you're connecting from the same computer), the |
| 8 | +# connection is considered secure and plaintext authentication is allowed. |
| 9 | +disable_plaintext_auth = yes |
| 10 | + |
| 11 | +# Authentication cache size (e.g. 10M). 0 means it's disabled. Note that |
| 12 | +# bsdauth, PAM and vpopmail require cache_key to be set for caching to be used. |
| 13 | +#auth_cache_size = 0 |
| 14 | +# Time to live for cached data. After TTL expires the cached record is no |
| 15 | +# longer used, *except* if the main database lookup returns internal failure. |
| 16 | +# We also try to handle password changes automatically: If user's previous |
| 17 | +# authentication was successful, but this one wasn't, the cache isn't used. |
| 18 | +# For now this works only with plaintext authentication. |
| 19 | +#auth_cache_ttl = 1 hour |
| 20 | +# TTL for negative hits (user not found, password mismatch). |
| 21 | +# 0 disables caching them completely. |
| 22 | +#auth_cache_negative_ttl = 1 hour |
| 23 | + |
| 24 | +# Space separated list of realms for SASL authentication mechanisms that need |
| 25 | +# them. You can leave it empty if you don't want to support multiple realms. |
| 26 | +# Many clients simply use the first one listed here, so keep the default realm |
| 27 | +# first. |
| 28 | +#auth_realms = |
| 29 | + |
| 30 | +# Default realm/domain to use if none was specified. This is used for both |
| 31 | +# SASL realms and appending @domain to username in plaintext logins. |
| 32 | +#auth_default_realm = |
| 33 | + |
| 34 | +# List of allowed characters in username. If the user-given username contains |
| 35 | +# a character not listed in here, the login automatically fails. This is just |
| 36 | +# an extra check to make sure user can't exploit any potential quote escaping |
| 37 | +# vulnerabilities with SQL/LDAP databases. If you want to allow all characters, |
| 38 | +# set this value to empty. |
| 39 | +#auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@ |
| 40 | + |
| 41 | +# Username character translations before it's looked up from databases. The |
| 42 | +# value contains series of from -> to characters. For example "#@/@" means |
| 43 | +# that '#' and '/' characters are translated to '@'. |
| 44 | +#auth_username_translation = |
| 45 | + |
| 46 | +# Username formatting before it's looked up from databases. You can use |
| 47 | +# the standard variables here, eg. %Lu would lowercase the username, %n would |
| 48 | +# drop away the domain if it was given, or "%n-AT-%d" would change the '@' into |
| 49 | +# "-AT-". This translation is done after auth_username_translation changes. |
| 50 | +#auth_username_format = |
| 51 | + |
| 52 | +# If you want to allow master users to log in by specifying the master |
| 53 | +# username within the normal username string (ie. not using SASL mechanism's |
| 54 | +# support for it), you can specify the separator character here. The format |
| 55 | +# is then <username><separator><master username>. UW-IMAP uses "*" as the |
| 56 | +# separator, so that could be a good choice. |
| 57 | +#auth_master_user_separator = |
| 58 | + |
| 59 | +# Username to use for users logging in with ANONYMOUS SASL mechanism |
| 60 | +#auth_anonymous_username = anonymous |
| 61 | + |
| 62 | +# Maximum number of dovecot-auth worker processes. They're used to execute |
| 63 | +# blocking passdb and userdb queries (eg. MySQL and PAM). They're |
| 64 | +# automatically created and destroyed as needed. |
| 65 | +#auth_worker_max_count = 30 |
| 66 | + |
| 67 | +# Host name to use in GSSAPI principal names. The default is to use the |
| 68 | +# name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab |
| 69 | +# entries. |
| 70 | +#auth_gssapi_hostname = |
| 71 | + |
| 72 | +# Kerberos keytab to use for the GSSAPI mechanism. Will use the system |
| 73 | +# default (usually /etc/krb5.keytab) if not specified. You may need to change |
| 74 | +# the auth service to run as root to be able to read this file. |
| 75 | +#auth_krb5_keytab = |
| 76 | + |
| 77 | +# Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and |
| 78 | +# ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt> |
| 79 | +#auth_use_winbind = no |
| 80 | + |
| 81 | +# Path for Samba's ntlm_auth helper binary. |
| 82 | +#auth_winbind_helper_path = /usr/bin/ntlm_auth |
| 83 | + |
| 84 | +# Time to delay before replying to failed authentications. |
| 85 | +#auth_failure_delay = 2 secs |
| 86 | + |
| 87 | +# Require a valid SSL client certificate or the authentication fails. |
| 88 | +#auth_ssl_require_client_cert = no |
| 89 | + |
| 90 | +# Take the username from client's SSL certificate, using |
| 91 | +# X509_NAME_get_text_by_NID() which returns the subject's DN's |
| 92 | +# CommonName. |
| 93 | +#auth_ssl_username_from_cert = no |
| 94 | + |
| 95 | +# Space separated list of wanted authentication mechanisms: |
| 96 | +# plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey |
| 97 | +# gss-spnego |
| 98 | +# NOTE: See also disable_plaintext_auth setting. |
| 99 | +auth_mechanisms = plain login |
| 100 | + |
| 101 | +## |
| 102 | +## Password and user databases |
| 103 | +## |
| 104 | + |
| 105 | +# |
| 106 | +# Password database is used to verify user's password (and nothing more). |
| 107 | +# You can have multiple passdbs and userdbs. This is useful if you want to |
| 108 | +# allow both system users (/etc/passwd) and virtual users to login without |
| 109 | +# duplicating the system users into virtual database. |
| 110 | +# |
| 111 | +# <doc/wiki/PasswordDatabase.txt> |
| 112 | +# |
| 113 | +# User database specifies where mails are located and what user/group IDs |
| 114 | +# own them. For single-UID configuration use "static" userdb. |
| 115 | +# |
| 116 | +# <doc/wiki/UserDatabase.txt> |
| 117 | + |
| 118 | +#!include auth-deny.conf.ext |
| 119 | +#!include auth-master.conf.ext |
| 120 | + |
| 121 | +#!include auth-system.conf.ext |
| 122 | +!include auth-sql.conf.ext |
| 123 | +#!include auth-ldap.conf.ext |
| 124 | +#!include auth-passwdfile.conf.ext |
| 125 | +#!include auth-checkpassword.conf.ext |
| 126 | +#!include auth-vpopmail.conf.ext |
| 127 | +#!include auth-static.conf.ext |