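##
## Authentication processes
##

# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
# matches the local IP (ie. you're connecting from the same computer), the
# connection is considered secure and plaintext authentication is allowed.
# See also ssl=required setting.
# NOTE(review): this only makes the server refuse plaintext logins on an
# unencrypted connection; a client that ignores LOGINDISABLED has already put
# the password on the wire by the time it is refused. ssl = required (set
# elsewhere, not visible in this file) additionally forces TLS for the whole
# session -- verify it is set. Because of the local-IP exemption described
# above, connections from a proxy or webmail running on this host are treated
# as secure even without TLS -- confirm that is intended.
disable_plaintext_auth = yes
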
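# Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
# bsdauth, PAM and vpopmail require cache_key to be set for caching to be used.
# NOTE(review): the cache settings below are all left commented out in this
# file. If caching is enabled later, a cached successful entry can presumably
# keep an old or revoked password working until auth_cache_ttl expires, and a
# cached negative entry can keep rejecting a newly created user -- keep both
# TTLs short and confirm against the Dovecot caching documentation.
#auth_cache_size = 0
# Time to live for cached data. After TTL expires the cached record is no
# longer used, *except* if the main database lookup returns internal failure.
# We also try to handle password changes automatically: If user's previous
# authentication was successful, but this one wasn't, the cache isn't used.
# For now this works only with plaintext authentication.
#auth_cache_ttl = 1 hour
# TTL for negative hits (user not found, password mismatch).
# 0 disables caching them completely.
#auth_cache_negative_ttl = 1 hour
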
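# Space separated list of realms for SASL authentication mechanisms that need
# them. You can leave it empty if you don't want to support multiple realms.
# Many clients simply use the first one listed here, so keep the default realm
# first.
#auth_realms =

# Default realm/domain to use if none was specified. This is used for both
# SASL realms and appending @domain to username in plaintext logins.
#auth_default_realm =

# List of allowed characters in username. If the user-given username contains
# a character not listed in here, the login automatically fails. This is just
# an extra check to make sure user can't exploit any potential quote escaping
# vulnerabilities with SQL/LDAP databases. If you want to allow all characters,
# set this value to empty.
# NOTE(review): keep this allowlist in force (do not set it to empty). This
# configuration includes auth-sql.conf.ext, so client-supplied usernames
# presumably end up in SQL queries; the allowlist is a second layer on top of
# the escaping done by the SQL driver, not a replacement for it.
#auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
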
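# Username character translations before it's looked up from databases. The
# value contains series of from -> to characters. For example "#@/@" means
# that '#' and '/' characters are translated to '@'.
#auth_username_translation =

# Username formatting before it's looked up from databases. You can use
# the standard variables here, eg. %Lu would lowercase the username, %n would
# drop away the domain if it was given, or "%n-AT-%d" would change the '@' into
# "-AT-". This translation is done after auth_username_translation changes.
#auth_username_format = %Lu
# NOTE(review): %u passes the username through in whatever case the client
# sent it, instead of lowercasing it as the commented default %Lu would.
# With the SQL passdb included by this configuration, a case-insensitive
# database comparison could let "User" and "user" match the same row while
# Dovecot treats them as two different names (TODO confirm against the SQL
# schema and the mail location). Switch back to %Lu unless case-sensitive
# usernames are a deliberate requirement.
auth_username_format = %u
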
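# If you want to allow master users to log in by specifying the master
# username within the normal username string (ie. not using SASL mechanism's
# support for it), you can specify the separator character here. The format
# is then <username><separator><master username>. UW-IMAP uses "*" as the
# separator, so that could be a good choice.
# NOTE(review): left unset here, and auth-master.conf.ext is also commented
# out in the include list of this file, so this file enables no master-user
# login. A master user can open any mailbox; if this is ever turned on, treat
# the master credentials as highly privileged and log their use.
#auth_master_user_separator =

# Username to use for users logging in with ANONYMOUS SASL mechanism
#auth_anonymous_username = anonymous

# Maximum number of dovecot-auth worker processes. They're used to execute
# blocking passdb and userdb queries (eg. MySQL and PAM). They're
# automatically created and destroyed as needed.
#auth_worker_max_count = 30

# Host name to use in GSSAPI principal names. The default is to use the
# name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab
# entries.
#auth_gssapi_hostname =

# Kerberos keytab to use for the GSSAPI mechanism. Will use the system
# default (usually /etc/krb5.keytab) if not specified. You may need to change
# the auth service to run as root to be able to read this file.
# NOTE(review): rather than running the auth service as root, prefer a
# dedicated keytab that only the auth service's user can read (least
# privilege). GSSAPI is not in auth_mechanisms in this file, so this is
# unused as configured.
#auth_krb5_keytab =
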
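# Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and
# ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt>
#auth_use_winbind = no

# Path for Samba's ntlm_auth helper binary.
#auth_winbind_helper_path = /usr/bin/ntlm_auth

# Time to delay before replying to failed authentications.
# NOTE(review): the delay slows down password guessing on a single
# connection but is not a lockout or rate limit by itself; failed-login
# monitoring and blocking have to come from somewhere else.
#auth_failure_delay = 2 secs

# Require a valid SSL client certificate or the authentication fails.
#auth_ssl_require_client_cert = no

# Take the username from client's SSL certificate, using
# X509_NAME_get_text_by_NID() which returns the subject's DN's
# CommonName.
#auth_ssl_username_from_cert = no
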
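# Space separated list of wanted authentication mechanisms:
#   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
#   gss-spnego
# NOTE: See also disable_plaintext_auth setting.
# NOTE(review): both PLAIN and LOGIN hand the password itself to the server,
# so its confidentiality on the wire depends entirely on TLS. Keep
# disable_plaintext_auth = yes (set earlier in this file) for as long as
# these are the enabled mechanisms.
auth_mechanisms = plain login
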
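##
## Password and user databases
##

#
# Password database is used to verify user's password (and nothing more).
# You can have multiple passdbs and userdbs. This is useful if you want to
# allow both system users (/etc/passwd) and virtual users to login without
# duplicating the system users into virtual database.
#
# <doc/wiki/PasswordDatabase.txt>
#
# User database specifies where mails are located and what user/group IDs
# own them. For single-UID configuration use "static" userdb.
#
# <doc/wiki/UserDatabase.txt>

#!include auth-deny.conf.ext
#!include auth-master.conf.ext

# NOTE(review): two password databases are active, system accounts and SQL,
# presumably consulted in the order they are included here. Enabling
# auth-system.conf.ext makes operating-system accounts valid mail logins, so
# their passwords can be guessed over the mail protocols; keep it only if
# system users really need mailboxes. The included files are not visible
# here: check that auth-sql.conf.ext points at a credentials file that is
# not world-readable.
!include auth-system.conf.ext
!include auth-sql.conf.ext
#!include auth-ldap.conf.ext
#!include auth-passwdfile.conf.ext
#!include auth-checkpassword.conf.ext
#!include auth-vpopmail.conf.ext
#!include auth-static.conf.ext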