## ## Master config settings ## ## Version 2.2.x (AR14759611) # -------------------------------------------------------------------- # *** Please read this section before modifying this file *** # # Several of the keys and values within this file are modified by # Apple's Server Admin application. Each key that is automatically # modified by the Server Admin app is identified with a comment # preceding the key with this note: # # Note: This key is managed by Server Admin. See above before making changes # # -------------------------------------------------------------------- #default_process_limit = 100 #default_client_limit = 1000 # Default VSZ (virtual memory size) limit for service processes. This is mainly # intended to catch and kill processes that leak memory before they eat up # everything. #default_vsz_limit = 256M # Login user is internally used by login processes. This is the most untrusted # user in Dovecot system. It shouldn't have access to anything at all. default_login_user = _dovenull # Internal user is used by unprivileged processes. It should be separate from # login user, so that login processes can't disturb other processes. default_internal_user = _dovecot default_internal_group = _dovenull service imap-login { # plain-text IMAP should only be accessible from localhost inet_listener imap { address = 127.0.0.1, ::1 port = 143 } inet_listener imaps { port = 993 ssl = yes } ## enable high-performance mode, described here: ## https://wiki.dovecot.org/LoginProcess # Number of connections to handle before starting a new process. Typically # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0 # is faster. service_count = 0 # set to the number of CPU cores on your server process_min_avail = 6 # If you set service_count=0, you probably need to grow this. #vsz_limit = $default_vsz_limit vsz_limit = 2G } # macOS Server v.5.6 configuration: # service pop3-login { # inet_listener pop3 { # port = 110 # } # inet_listener pop3s { # port = 995 # ssl = yes # } # } # expose an LMTP socket for postfix to deliver mail service lmtp { unix_listener @PREFIX@/var/spool/postfix/private/dovecot-lmtp { mode = 0660 user = _postfix group = mail } # Create inet listener only if you can't use the above UNIX socket #inet_listener lmtp { # Avoid making LMTP visible for the entire internet #address = #port = #} } service imap { # Most of the memory goes to mmap()ing files. You may need to increase this # limit if you have huge mailboxes. #vsz_limit = $default_vsz_limit # Max. number of IMAP processes (connections) process_limit = 200 # set to the number of CPU cores on your server process_min_avail = 6 } # *Note*: Do *not* set `client_limit` or `service_count` on multi-user server # Results in imap userdb Fatal setuid errors # See: https://dovecot.org/pipermail/dovecot/2019-May/116014.html # macOS Server v.5.6 configuration: # service pop3 { # # Max. number of POP3 processes (connections) # process_limit = 200 # # client_limit = 5 # service_count = 0 # } # expose an auth socket for postfix to authenticate users service auth { # macOS Server v.5.6 configuration: # auth_socket_path points to this userdb socket by default. It's typically # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have # full permissions to this socket are able to get a list of all usernames and # get the results of everyone's userdb lookups. # # The default 0666 mode allows anyone to connect to the socket, but the # userdb lookups will succeed only if the userdb returns an "uid" field that # matches the caller process's UID. Also if caller's uid or gid matches the # socket's uid or gid the lookup succeeds. Anything else causes a failure. # # To give the caller full permissions to lookup all users, set the mode to # something else than 0666 and Dovecot lets the kernel enforce the # permissions (e.g. 0777 allows everyone full permissions). # unix_listener auth-userdb { # #mode = 0600 # user = _dovecot # #group = mail # } # Postfix smtp-auth unix_listener @PREFIX@/var/spool/postfix/private/auth { mode = 0660 #mode = 0777 user = _postfix group = mail } # Auth process is run as this user. #user = $default_internal_user # APPLE - keep auth alive for a while for the cache idle_kill = 15m # Allow access to keytab extra_groups = _keytabusers } # test: run as root:mail to determine if setuid issues solved service auth-worker { # Auth worker process is run as root by default, so that it can access # /etc/shadow. If this isn't necessary, the user should be changed to # $default_internal_user. # user = $default_internal_user user = root group = mail } # macOS Server v.5.6 configuration: # service auth-worker { # # Auth worker process is run as root by default, so that it can access # # /etc/shadow. If this isn't necessary, the user should be changed to # # $default_internal_user. # #user = root # } # macOS Server v.5.6 configuration: # service dict { # # If dict proxy is used, mail processes should have access to its socket. # # For example: mode=0660, group=vmail and global mail_access_groups=vmail # unix_listener dict { # #mode = 0600 # #user = # #group = # } # } # macOS Server v.5.6 configuration: service dns-client { unix_listener dns-client { mode = 0600 } } # macOS Server v.5.6 configuration: # # for stats plugin, if enabled # service stats { # fifo_listener stats-mail { # user = _dovecot # mode = 0600 # } # } # To reduce indexer-workers' CPU and disk I/O load, change process_limit. service indexer-worker { # necessary default: # user = root # user = _dovecot # process_limit = 10 }