thomas
/
sovereign
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
No Description
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
413 Commits
1 Branch
Tree: d5ecf673d3
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'd5ecf673d3'
${ noResults }
sovereign/roles/mailserver/files/etc_dovecot_conf.d_10-auth....

etc_dovecot_conf.d_10-auth.conf 5.1KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127 
  1. ##

  2. ## Authentication processes

  3. ##

  4. 

  5. # Disable LOGIN command and all other plaintext authentications unless

  6. # SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP

  7. # matches the local IP (ie. you're connecting from the same computer), the

  8. # connection is considered secure and plaintext authentication is allowed.

  9. disable_plaintext_auth = yes

  10. 

  11. # Authentication cache size (e.g. 10M). 0 means it's disabled. Note that

  12. # bsdauth, PAM and vpopmail require cache_key to be set for caching to be used.

  13. #auth_cache_size = 0

  14. # Time to live for cached data. After TTL expires the cached record is no

  15. # longer used, *except* if the main database lookup returns internal failure.

  16. # We also try to handle password changes automatically: If user's previous

  17. # authentication was successful, but this one wasn't, the cache isn't used.

  18. # For now this works only with plaintext authentication.

  19. #auth_cache_ttl = 1 hour

  20. # TTL for negative hits (user not found, password mismatch).

  21. # 0 disables caching them completely.

  22. #auth_cache_negative_ttl = 1 hour

  23. 

  24. # Space separated list of realms for SASL authentication mechanisms that need

  25. # them. You can leave it empty if you don't want to support multiple realms.

  26. # Many clients simply use the first one listed here, so keep the default realm

  27. # first.

  28. #auth_realms =

  29. 

  30. # Default realm/domain to use if none was specified. This is used for both

  31. # SASL realms and appending @domain to username in plaintext logins.

  32. #auth_default_realm = 

  33. 

  34. # List of allowed characters in username. If the user-given username contains

  35. # a character not listed in here, the login automatically fails. This is just

  36. # an extra check to make sure user can't exploit any potential quote escaping

  37. # vulnerabilities with SQL/LDAP databases. If you want to allow all characters,

  38. # set this value to empty.

  39. #auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@

  40. 

  41. # Username character translations before it's looked up from databases. The

  42. # value contains series of from -> to characters. For example "#@/@" means

  43. # that '#' and '/' characters are translated to '@'.

  44. #auth_username_translation =

  45. 

  46. # Username formatting before it's looked up from databases. You can use

  47. # the standard variables here, eg. %Lu would lowercase the username, %n would

  48. # drop away the domain if it was given, or "%n-AT-%d" would change the '@' into

  49. # "-AT-". This translation is done after auth_username_translation changes.

  50. #auth_username_format = %Lu

  51. 

  52. # If you want to allow master users to log in by specifying the master

  53. # username within the normal username string (ie. not using SASL mechanism's

  54. # support for it), you can specify the separator character here. The format

  55. # is then <username><separator><master username>. UW-IMAP uses "*" as the

  56. # separator, so that could be a good choice.

  57. #auth_master_user_separator =

  58. 

  59. # Username to use for users logging in with ANONYMOUS SASL mechanism

  60. #auth_anonymous_username = anonymous

  61. 

  62. # Maximum number of dovecot-auth worker processes. They're used to execute

  63. # blocking passdb and userdb queries (eg. MySQL and PAM). They're

  64. # automatically created and destroyed as needed.

  65. #auth_worker_max_count = 30

  66. 

  67. # Host name to use in GSSAPI principal names. The default is to use the

  68. # name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab

  69. # entries.

  70. #auth_gssapi_hostname =

  71. 

  72. # Kerberos keytab to use for the GSSAPI mechanism. Will use the system

  73. # default (usually /etc/krb5.keytab) if not specified. You may need to change

  74. # the auth service to run as root to be able to read this file.

  75. #auth_krb5_keytab = 

  76. 

  77. # Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and

  78. # ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt>

  79. #auth_use_winbind = no

  80. 

  81. # Path for Samba's ntlm_auth helper binary.

  82. #auth_winbind_helper_path = /usr/bin/ntlm_auth

  83. 

  84. # Time to delay before replying to failed authentications.

  85. #auth_failure_delay = 2 secs

  86. 

  87. # Require a valid SSL client certificate or the authentication fails.

  88. #auth_ssl_require_client_cert = no

  89. 

  90. # Take the username from client's SSL certificate, using 

  91. # X509_NAME_get_text_by_NID() which returns the subject's DN's

  92. # CommonName. 

  93. #auth_ssl_username_from_cert = no

  94. 

  95. # Space separated list of wanted authentication mechanisms:

  96. #   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey

  97. #   gss-spnego

  98. # NOTE: See also disable_plaintext_auth setting.

  99. auth_mechanisms = plain login

  100. 

  101. ##

  102. ## Password and user databases

  103. ##

  104. 

  105. #

  106. # Password database is used to verify user's password (and nothing more).

  107. # You can have multiple passdbs and userdbs. This is useful if you want to

  108. # allow both system users (/etc/passwd) and virtual users to login without

  109. # duplicating the system users into virtual database.

  110. #

  111. # <doc/wiki/PasswordDatabase.txt>

  112. #

  113. # User database specifies where mails are located and what user/group IDs

  114. # own them. For single-UID configuration use "static" userdb.

  115. #

  116. # <doc/wiki/UserDatabase.txt>

  117. 

  118. #!include auth-deny.conf.ext

  119. #!include auth-master.conf.ext

  120. 

  121. #!include auth-system.conf.ext

  122. !include auth-sql.conf.ext

  123. #!include auth-ldap.conf.ext

  124. #!include auth-passwdfile.conf.ext

  125. #!include auth-checkpassword.conf.ext

  126. #!include auth-vpopmail.conf.ext

  127. #!include auth-static.conf.ext