.\" SPDX-License-Identifier: CC-BY-SA-4.0 or-later
.\" SPDX-FileCopyrightText: 2020-2022 grommunio GmbH
.TH imap 8gx "" "Gromox" "Gromox admin reference"
.SH Name
imap \(em Gromox IMAP server
.SH Authentication
The IMAP server supports impersonation. The username given to the IMAP login
normally specifies both the mailbox and the user performing the access. To use
a different identity for authentication, prefix the mailbox name with the user
identity and separate the two with an exclamation mark, e.g.
"[email protected][email protected]". Accessing a store in this
manner is only possible when the authenticating user has store ownership over
the mailbox.
.SH Synopsis
\fBimap\fP [\fB\-c\fP \fIconfig\fP]
.SH Options
.TP
\fB\-c\fP \fIconfig\fP
Read configuration directives from the given file. If this option is not
specified, /etc/gromox/imap.cfg will be read if it exists.
.TP
\fB\-\-version\fP
Output version information and exit.
.TP
\fB\-?\fP
Display option summary.
.PP
All time-based command-line options and configuration file directives are
subject to the syntax described in gromox(7), section "Duration
specifications".
.SH Configuration directives (gromox.cfg)
.PP
The following directives are recognized when reading from
/etc/gromox/gromox.cfg, or when the \fB\-c\fP option is used to specify a
custom file:
.TP
\fBdaemons_fd_limit\fP
In gromox-imap, this is treated as an alias for imap_fd_limit.
.TP
\fBimap_fd_limit\fP
Request that the file descriptor table be at least this large. The magic value
0 indicates that the system default hard limit (rlim_max, cf. setrlimit(2))
should be used.
.br
Default: \fI0\fP
.TP
\fBimap_accept_haproxy\fP
This directive sets whether incoming connections are expected to carry
haproxy's "PROXY" protocol extension version 2 header (value 2), or no such
header (value 0). When a (reverse) proxy is placed in front of gromox\-imap,
the address that gximap normally sees is the proxy address (e.g. ::1). A proxy
can use this protocol extension to convey the actual client address, and gximap
can pick this up for its own reporting, which in turn is useful for e.g.
fail2ban setups.
.br
Default: \fI0\fP
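.PP
How the client address travels in the version 2 header that imap_accept_haproxy
refers to, shown as an added example that is not Gromox code. The function
names are hypothetical and the sample addresses are constructed; the header
layout follows the published PROXY protocol v2 specification.

```python
import ipaddress
import struct

# Fixed 12-byte signature that opens every PROXY protocol v2 header.
SIGNATURE = bytes.fromhex("0d0a0d0a000d0a515549540a")

def parse_proxy_v2(data):
    """Return (client_ip, client_port, bytes_consumed) for a v2 header.

    client_ip and client_port are None for the LOCAL command (for example a
    proxy health check); the socket peer address applies in that case.
    Raises ValueError for anything that is not a well-formed v2 header.
    """
    if len(data) < 16 or data[:12] != SIGNATURE:
        raise ValueError("missing PROXY v2 signature")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY protocol version")
    if len(data) < 16 + length:
        raise ValueError("truncated PROXY v2 header")
    consumed = 16 + length
    command = ver_cmd & 0x0F
    if command == 0:                     # LOCAL: no client address conveyed
        return None, None, consumed
    if command != 1:                     # PROXY is the only other command
        raise ValueError("unknown PROXY v2 command")
    family = fam_proto >> 4
    body = data[16:consumed]
    if family == 1 and length >= 12:     # AF_INET: src, dst, sport, dport
        src, sport = body[0:4], struct.unpack("!H", body[8:10])[0]
    elif family == 2 and length >= 36:   # AF_INET6: same order, 16-byte addrs
        src, sport = body[0:16], struct.unpack("!H", body[32:34])[0]
    else:
        raise ValueError("unsupported or short address block")
    return str(ipaddress.ip_address(src)), sport, consumed

def build_sample():
    """Constructed sample: 203.0.113.7:51234 -> 192.0.2.10:143 over TCP/IPv4,
    followed by the first bytes sent by the IMAP client itself."""
    addrs = (ipaddress.ip_address("203.0.113.7").packed +
             ipaddress.ip_address("192.0.2.10").packed +
             struct.pack("!HH", 51234, 143))
    header = SIGNATURE + struct.pack("!BBH", 0x21, 0x11, len(addrs)) + addrs
    return header + b"a1 CAPABILITY"

if __name__ == "__main__":
    ip, port, used = parse_proxy_v2(build_sample())
    print(ip, port, build_sample()[used:])
```

A receiver takes the address in this header at face value, so the listening
port should be reachable only by the proxy when the directive is set to 2.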
.SH Configuration directives (imap.cfg)
The following directives are recognized when reading from /etc/gromox/imap.cfg,
or when the \fB\-c\fP option is used to specify a custom file:
.TP
\fBblock_interval_auths\fP
The amount of time a user is blocked from connecting to the service after too
many failed logins.
.br
Default: \fI1 minute\fP
.TP
\fBconfig_file_path\fP
Colon-separated list of directories in which further configuration files,
especially those used by plugin instances, will be searched.
.br
Default: \fI/etc/gromox/imap:/etc/gromox\fP
.TP
\fBcontext_average_mem\fP
Default: \fI128K\fP
.TP
\fBcontext_average_mitem\fP
The expected average upper bound on the number of mails in a folder. Together
with context_num, this directive controls the size of the memory pool for
listings.
.br
Default: \fI64K\fP
.TP
\fBcontext_num\fP
Maximum number of concurrently active sessions.
.br
Default: \fI200\fP
.TP
\fBdata_file_path\fP
Colon-separated list of directories in which static data files will be
searched.
.br
Default: \fI/usr/share/gromox/imap\fP
.TP
\fBdefault_lang\fP
Default: \fIen\fP
.TP
\fBenable_rfc2971_commands\fP
RFC 2971 specifies the "ID" command with which a client can query the program
name and version of the server. This is disabled by default, as it can
facilitate potential attackers' information gathering.
.br
Default: \fIno\fP
.TP
\fBhost_id\fP
A unique identifier for this system. It is used in the IMAP protocol greeting
lines (positive as well as negative). It is furthermore used as a unique
identifier among the set of all midb(8gx) clients to construct filenames for
the MIDB database/EML cache. The identifier should only use characters allowed
for hostnames.
.br
Default: (system hostname)
.TP
\fBimap_auth_times\fP
The number of login tries a user is allowed before the account is blocked.
.br
Default: \fI10\fP
.TP
\fBimap_autologout_time\fP
If an authenticated IMAP connection is idle for the given period, the
connection is terminated. RFC 2060 §5.4 recommends 30 minutes minimum.
(Connections that have not authenticated are subject to the regular
imap_conn_timeout.)
.br
Default: \fI30 minutes\fP
.TP
\fBimap_certificate_passwd\fP
The password to unlock TLS certificates.
.br
Default: (unset)
.TP
\fBimap_certificate_path\fP
A colon-separated list of TLS certificate files. The complete certificate chain
should be present (as there is no other config directive to pull CA certs in,
and implicit loading from system directories is not guaranteed by Gromox).
.br
Default: (unset)
.TP
\fBimap_cmd_debug\fP
Log every incoming IMAP command and the return code of the operation in a
minimal fashion to stderr. Level 1 emits commands that have failed execution,
level 2 emits all commands. (The response text is \fBnot\fP sent to the log,
because of size. Deep analysis can be done with socat/telnet/tcpdump; shallow
analysis for end-users is possible with the protocol-compliant error-reporting
MUA "Alpine" <https://alpineapp.email/>.)
.br
Default: \fI0\fP
.TP
\fBimap_conn_timeout\fP
If an IMAP connection stalls (writing responses to client) for the given
period, the connection is terminated. If unauthenticated IMAP connections do
not have any activity (requests from clients) for the given period, the
connection is terminated.
.br
Default: \fI3 minutes\fP
.TP
\fBimap_force_tls\fP
This flag controls whether clients must utilize TLS, either by way of implicit
TLS (cf. \fBimap_listen_tls_port\fP), or through the STARTTLS command.
.br
Default: \fIfalse\fP
.TP
\fBimap_listen_addr\fP
AF_INET6 socket address to bind the IMAP service to.
.br
Default: \fI::\fP
.TP
\fBimap_listen_port\fP
The TCP port to expose the IMAP protocol service on. (The IP address is fixed
to the wildcard address.)
.br
Default: \fI143\fP
.TP
\fBimap_listen_tls_port\fP
The TCP port to expose implicit-TLS IMAP protocol service (IMAPS) on. (The IP
address is fixed to the wildcard address.)
.br
Default: (unset)
.TP
\fBimap_log_file\fP
Target for log messages. Special values: "\fI-\fP" (stderr/syslog
depending on parent PID) or "\fIsyslog\fP" are recognized.
.br
Default: \fI-\fP (auto)
.TP
\fBimap_log_level\fP
Maximum verbosity of logging. 1=crit, 2=error, 3=warn, 4=notice, 5=info, 6=debug.
.br
Default: \fI4\fP (notice)
.TP
\fBimap_private_key_path\fP
A colon-separated list of TLS certificate private key files.
.br
Default: (unset)
.TP
\fBimap_rfc9051\fP
Enable RFC 9051 (IMAP 4.2) related logic and protocol elements.
.br
Default: \fIyes\fP
.TP
\fBimap_support_tls\fP
This flag controls the offering of TLS modes. This affects both the implicit TLS
port as well as the advertisement of the STARTTLS extension and availability of
the STARTTLS command (RFC 2595) to clients.
.br
Default: \fIfalse\fP
.TP
\fBimap_thread_charge_num\fP
Connection load factor (oversubscription ratio) for a processing thread.
.br
Default: \fI40\fP
.TP
\fBimap_thread_init_num\fP
The initial and also minimum number of client processing threads to keep
around. This is similar to php-fpm's start_servers/min_spare_servers. (The
maximum number of threads, i.e. what would be max_spare_servers, is determined
by: context_num divided by imap_thread_charge_num.)
.br
Default: \fI5\fP
.TP
\fBrunning_identity\fP
An unprivileged user account to switch the process to after startup.
.br
Default: \fIgromox\fP
.TP
\fBtls_min_proto\fP
The lowest TLS version to offer. Possible values are: \fBtls1.0\fP,
\fBtls1.1\fP, \fBtls1.2\fP, and, if supported by the system, \fBtls1.3\fP.
.br
Default: \fItls1.2\fP
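.PP
A check of the TLS and disclosure directives described above (imap_support_tls,
imap_force_tls, tls_min_proto, enable_rfc2971_commands) against an imap.cfg,
as an added example that is not part of Gromox. The "key = value" syntax with
"#" comments, the accepted boolean spellings, the function names and the sample
file paths are assumptions.

```python
# Defaults as listed on this page for the directives checked here.
DEFAULTS = {"imap_support_tls": "false", "imap_force_tls": "false",
            "tls_min_proto": "tls1.2", "enable_rfc2971_commands": "no",
            "imap_certificate_path": "", "imap_private_key_path": ""}
TRUTHY = {"1", "yes", "true", "on"}  # assumed boolean spellings

def parse_cfg(text):
    """Parse 'key = value' lines over the defaults; '#' starts a comment."""
    cfg = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg

def audit(text):
    """Return a list of findings for the TLS and disclosure directives."""
    cfg = parse_cfg(text)

    def on(key):
        return cfg[key].lower() in TRUTHY

    findings = []
    if not on("imap_support_tls"):
        findings.append("imap_support_tls: TLS is not offered at all")
    elif not (cfg["imap_certificate_path"] and cfg["imap_private_key_path"]):
        findings.append("imap_support_tls: certificate or key path missing")
    if not on("imap_force_tls"):
        findings.append("imap_force_tls: clients may proceed without TLS")
    if cfg["tls_min_proto"].lower() in ("tls1.0", "tls1.1"):
        findings.append("tls_min_proto: below the tls1.2 default")
    if on("enable_rfc2971_commands"):
        findings.append("enable_rfc2971_commands: ID reveals name and version")
    return findings

# Constructed sample files, not taken from a real deployment.
WEAK = """
imap_support_tls = true
imap_certificate_path = /etc/gromox/tls/chain.pem
imap_private_key_path = /etc/gromox/tls/key.pem
tls_min_proto = tls1.0      # lowered for an old client
enable_rfc2971_commands = yes
"""
HARDENED = WEAK.replace("tls1.0", "tls1.2").replace(
    "= yes", "= no") + "imap_force_tls = true\n"

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(text))
```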
.SH Files
.IP \(bu 4
\fIdata_file_path\fP/folder_lang.txt: Translations for IMAP folder names.
.IP \(bu 4
\fIdata_file_path\fP/imap_code.txt: Mapping from internal IMAP error codes to
textual descriptions.
.IP \(bu 4
/usr/lib/gromox/libgxs_*.so: service plugins
.SH See also
\fBgromox\fP(7), \fBmidb_agent\fP(4gx)