| imap(8gx) | Gromox admin reference | imap(8gx) |
Name¶
imap — Gromox IMAP server
Authentication¶
The IMAP server supports impersonation. The username given to the IMAP login normally specifies both the mailbox and the user performing the access. To use a different identity for authentication, prefix the mailbox name by the user identity and separate it with an exclamation mark, e.g. "myaccount@domain.example!sharedmbox@domain.example". Accessing a store in such manner is only possible when the authenticating user has store ownership over the mailbox.
Synopsis¶
imap [-c config]
Options¶
- -c config
- Read configuration directives from the given file. If this option is not specified, /etc/gromox/imap.cfg will be read if it exists.
- --version
- Output version information and exit.
- -?
- Display option summary.
All time-based command-line options and configuration file directives are subject to the syntax described in gromox(7), section "Duration specifications".
Configuration directives (gromox.cfg)¶
The following directives are recognized when reading from /etc/gromox/gromox.cfg, or when the -c option is used to specify a custom file:
- daemons_fd_limit
- In gromox-imap, this is treated as an alias for imap_fd_limit.
- imap_fd_limit
- Request that the file descriptor table be at least this large. The magic
value 0 indicates that the system default hard limit (rlim_max, cf.
setrlimit(2)) should be used.
Default: 0 - imap_accept_haproxy
- This directive sets the expectation for incoming connections to carry
haproxy's "PROXY" protocol extension version 2 (2), or no such
header (0). When a (reverse) proxy is placed in front of gromox-imap, the
address that gximap normally sees is the proxy address (e.g. ::1). A proxy
can use this protocol extension to convey the actual client address, and
gximap can pick this up for its own reporting, which in turn is useful for
e.g. fail2ban setups.
Default: 0
Configuration directives (imap.cfg)¶
The following directives are recognized when reading from /etc/gromox/imap.cfg, or when the -c option is used to specify a custom file:
- block_interval_auths
- The amount of time a user is blocked from connecting to the service after
too many failed logins.
Default: 1 minute - config_file_path
- Colon-separated list of directories in which further configuration files,
especially those used by plugin instances, will be searched.
Default: /etc/gromox/imap:/etc/gromox - context_average_mem
- Default: 128K
- context_average_mitem
- The expected average upper bound of number of mails for a folder. Together
with context_num, this directive controls the size of the memory pool for
listings.
Default: 64K - context_max_mem
- Default: 2M
- context_num
- Maximum number of concurrently active sessions.
Default: 200 - data_file_path
- Colon-separated list of directories in which static data files will be
searched.
Default: /usr/share/gromox/imap - default_lang
- Default: en
- enable_rfc2971_commands
- RFC 2971 specifies the "ID" command with which a client can
inquire the program name and version of the server. This is disabled by
default, as it can facilitate potential attackers' information gathering.
Default: no - host_id
- A unique identifier for this system. It is used in the IMAP protocol
greeting lines (positive as well as negative). It is furthermore used as a
unique identifier among the set of all midb(8gx) clients to construct
filenames for the MIDB database/EML cache. The identifier should only use
characters allowed for hostnames.
Default: (system hostname) - imap_auth_times
- The number of login tries a user is allowed before the account is blocked.
Default: 10 - imap_autologout_time
- If an authenticated IMAP connection is idle for the given period, the
connection is terminated. RFC 2060 §5.4 recommends 30 minutes
minimum. (Connections that have not authenticated are subject to the
regular imap_conn_timeout.)
Default: 30 minutes - imap_certificate_passwd
- The password to unlock TLS certificates.
Default: (unset) - imap_certificate_path
- A colon-separated list of TLS certificate files. The complete certificate
chain should be present (as there is no other config directive to pull CA
certs in, and implicit loading from system directories is not guaranteed
by Gromox).
Default: (unset) - imap_cmd_debug
- Log every incoming IMAP command and the return code of the operation in a
minimal fashion to stderr. Level 1 emits commands that have failed
execution, level 2 emits all commands.
Default: 0 - imap_conn_timeout
- If an IMAP connection stalls (writing responses to client) for the given
period, the connection is terminated. If unauthenticated IMAP connections
do not have any activity (requests from clients) for the given period, the
connection is terminated.
Default: 3 minutes - imap_force_tls
- This flag controls whether clients must utilize TLS, either by way of
implicit TLS (cf. imap_listen_tls_port), or through the STARTTLS
command.
Default: false - imap_listen_addr
- AF_INET6 socket address to bind the IMAP service to.
Default: :: - imap_listen_port
- The TCP port to expose the IMAP protocol service on. (The IP address is
fixed to the wildcard address.)
Default: 143 - imap_listen_tls_port
- The TCP port to expose implicit-TLS IMAP protocol service (IMAPS) on. (The
IP address is fixed to the wildcard address.)
Default: (unset) - imap_log_file
- Target for log messages here. Special values: "-"
(stderr/syslog depending on parent PID) or "syslog" are
recognized.
Default: - (auto) - imap_log_level
- Maximum verbosity of logging. 1=crit, 2=error, 3=warn, 4=notice, 5=info,
6=debug.
Default: 4 (notice) - imap_private_key_path
- A colon-separated list of TLS certificate private key files.
Default: (unset) - imap_rfc9051
- Enable RFC 9051 (IMAP 4.2) related logic and protocol elements.
Default: yes - imap_support_tls
- This flag controls the offering of TLS modes. This affects both the
implicit TLS port as well as the advertisement of the STARTTLS extension
and availability of the STARTTLS command (RFC 2595) to clients.
Default: false - imap_thread_charge_num
- Connection load factor (oversubscription ratio) for a processing thread.
Default: 40 - imap_thread_init_num
- The initial and also minimum number of client processing threads to keep
around. This is similar to php-fpm's start_servers/min_spare_servere. (The
maximum number of threads, i.e. what would be max_spare_servers, is
determined by: context_num divided by imap_thread_charge_num)
Default: 5 - running_identity
- An unprivileged user account to switch the process to after startup.
Default: gromox - tls_min_proto
- The lowest TLS version to offer. Possible values are: tls1.0,
tls1.1, tls1.2, and, if supported by the system,
tls1.3.
Default: tls1.2
Files¶
- data_file_path/folder_lang.txt: Translations for IMAP folder names.
- data_file_path/imap_code.txt: Mapping from internal IMAP error codes to textual descriptions.
- /usr/lib/gromox/libgxs_*.so: service plugins
See also¶
gromox(7), midb_agent(4gx)
| Gromox |