- '\" t
- .\" Title: kopano-gateway.cfg
- .\" Author: [see the "Author" section]
- .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
- .\" Date: November 2016
- .\" Manual: Kopano Core user reference
- .\" Source: Kopano 8
- .\" Language: English
- .\"
- .TH "KOPANO\-GATEWAY\&.CF" "5" "November 2016" "Kopano 8" "Kopano Core user reference"
- .\" -----------------------------------------------------------------
- .\" * Define some portability stuff
- .\" -----------------------------------------------------------------
- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- .\" http://bugs.debian.org/507673
- .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- .ie \n(.g .ds Aq \(aq
- .el .ds Aq '
- .\" -----------------------------------------------------------------
- .\" * set default formatting
- .\" -----------------------------------------------------------------
- .\" disable hyphenation
- .nh
- .\" disable justification (adjust text to left margin only)
- .ad l
- .\" -----------------------------------------------------------------
- .\" * MAIN CONTENT STARTS HERE *
- .\" -----------------------------------------------------------------
- .SH "NAME"
- kopano-gateway.cfg \- The Kopano gateway configuration file
- .SH "SYNOPSIS"
- .PP
- \fBgateway\&.cfg\fR
- .SH "DESCRIPTION"
- .PP
- The
- gateway\&.cfg
- is a configuration file for the Kopano Gateway\&.
- gateway\&.cfg
- contains instructions for the software to set up the logging system and to enable or disable the POP3, POP3S, IMAP or IMAPS part of the service\&.
- .SH "FILE FORMAT"
- .PP
- The file consists of one big section, but parameters can be grouped by functionality\&.
- .PP
- The parameters are written in the form:
- .PP
- \fBname\fR
- =
- \fIvalue\fR
- .PP
- The file is line\-based\&. Each newline\-terminated line represents either a comment, nothing, a parameter or a directive\&. A line beginning with `#\*(Aq is considered a comment, and will be ignored by Kopano\&. Parameter names are case sensitive\&. Lines beginning with `!\*(Aq are directives\&.
- .PP
- Directives are written in the form:
- .PP
- !\fBdirective\fR
- \fI[argument(s)] \fR
- .PP
- The following directives exist:
- .PP
- \fBinclude\fR
- .RS 4
- Include and process
- \fIargument\fR
- .sp
- Example: !include common\&.cfg
- .RE
- .SH "EXPLANATION OF EACH PARAMETER"
- .PP
- \fBserver_bind\fR
- .RS 4
- IP address to bind to\&. Leave empty to bind to all addresses\&.
- .sp
- Default: (empty)
- .RE
- .PP
- \fBserver_hostname\fR
- .RS 4
- Hostname of the server to print to a client in the logon greeting\&. Leave empty to use DNS to find the hostname\&.
- .sp
- Default:
- .RE
- .PP
- \fBserver_hostname_greeting\fR
- .RS 4
- Whether to show the hostname in the logon greeting to clients\&. This config option is reloadable using the HUP signal\&.
- .sp
- Default:
- \fIno\fR
- .RE
- .PP
- \fBpop3_enable\fR
- .RS 4
- Enable POP3 service with value yes\&. All other values disable the service\&.
- .sp
- Default:
- \fIyes\fR
- .RE
- .PP
- \fBpop3_port\fR
- .RS 4
- The POP3 service will listen on this port for incoming connections\&.
- .sp
- Default:
- \fI110\fR
- .RE
- .PP
- \fBpop3s_enable\fR
- .RS 4
- Enable POP3S service with value yes\&. All other values disable the service\&.
- .sp
- Default:
- \fIyes\fR
- .RE
- .PP
- \fBpop3s_port\fR
- .RS 4
- The POP3S service will listen on this port for incoming connections\&.
- .sp
- Default:
- \fI995\fR
- .RE
- .PP
- \fBimap_enable\fR
- .RS 4
- Enable IMAP service with value yes\&. All other values disable the service\&.
- .sp
- Default:
- \fIyes\fR
- .RE
- .PP
- \fBimap_port\fR
- .RS 4
- The IMAP service will listen on this port for incoming connections\&.
- .sp
- Default:
- \fI143\fR
- .RE
- .PP
- \fBimaps_enable\fR
- .RS 4
- Enable IMAPS service with value yes\&. All other values disable the service\&.
- .sp
- Default:
- \fIyes\fR
- .RE
- .PP
- \fBimaps_port\fR
- .RS 4
- The IMAPS service will listen on this port for incoming connections\&.
- .sp
- Default:
- \fI993\fR
- .RE
- .PP
- \fBserver_socket\fR
- .RS 4
- The http address of the storage server\&.
- .sp
- Default:
- \fIhttp://localhost:236/\fR
- .sp
- It is not advised to specify the UNIX socket here; use the http address instead\&. When the UNIX socket is used in the default configuration, the gateway is trusted by the storage server (as set in its local_admin_users configuration setting)\&. Unless it is run as an untrusted user, by specifying
- \fBrun_as_user\fR, the gateway always authenticates users even if they provide no or wrong credentials!
- .RE
- .PP
- \fBrun_as_user\fR
- .RS 4
- After correctly starting, the gateway process will become this user, dropping root privileges\&. Note that the log file needs to be writable by this user, as does its directory, so that new log files can be created after log rotation\&. This can also be achieved by setting the correct group and permissions\&.
- .sp
- Default value is empty, not changing the user after starting\&.
- .RE
- .PP
- \fBrun_as_group\fR
- .RS 4
- After correctly starting, the gateway process will become this group, dropping root privileges\&.
- .sp
- Default value is empty, not changing the group after starting\&.
- .RE
- .PP
- \fBpid_file\fR
- .RS 4
- Write the process ID number to this file\&. This is used by the init\&.d script to correctly stop/restart the service\&.
- .sp
- Default:
- \fI/var/run/kopano/gateway\&.pid\fR
- .RE
- .PP
- \fBrunning_path\fR
- .RS 4
- Change directory to this path when running in daemonize mode\&. When using the \-F switch to run in the foreground the directory will not be changed\&.
- .sp
- Default:
- \fI/\fR
- .RE
- .PP
- \fBprocess_model\fR
- .RS 4
- You can change the process model between
- \fIfork\fR
- and
- \fIthread\fR\&. The forked model uses somewhat more resources, but if a crash is triggered, this will only affect one user\&. In the threaded model, a crash means all users are affected, and will not be able to use the service\&.
- .sp
- Default:
- \fIfork\fR
- .RE
- .PP
- \fBbypass_auth\fR
- .RS 4
- This parameter can be used to skip password verification when connecting over the UNIX socket\&. Connecting through the UNIX socket can give a big performance gain compared to the TCP socket of kopano\-server\&. As kopano\-gateway usually runs as the user kopano (which is a local_admin_user in kopano\-server), this would normally mean that kopano\-gateway verifies only usernames and no passwords (because it is running as an administrator)\&. Setting this parameter to \fIno\fR (the default value) forces verification of passwords, even when running as an administrator\&. For migrations you will want to set \fIyes\fR\&.
- .sp
- Default:
- \fIno\fR
- .RE
- .PP
- \fBimap_only_mailfolders\fR
- .RS 4
- Enable the IMAP and IMAPS service to only show the mail folders\&. This is the default behaviour\&. When this option is set to \*(Aqno\*(Aq, you will also be able to select your calendar, contacts and similar folders\&. These views will not contain all information, since these items cannot be converted to an rfc\-822 mail item\&.
- .sp
- Default:
- \fIyes\fR
- .RE
- .PP
- \fBimap_public_folders\fR
- .RS 4
- Enable the IMAP and IMAPS service to also show the public store with subfolders\&. This is the default behaviour\&. When this option is set to \*(Aqno\*(Aq, IMAP clients will only see the users\*(Aq folder\&.
- .sp
- Default:
- \fIyes\fR
- .RE
- .PP
- \fBimap_capability_idle\fR
- .RS 4
- Allow IMAP clients to issue the IDLE command\&. When an IMAP client is idle, it may receive notifications from the server about changes of the selected folder\&. This may increase load on the server when many users are using the IMAP service\&.
- .sp
- Default:
- \fIyes\fR
- .RE
- .PP
- \fBimap_generate_utf8\fR
- .RS 4
- Normally e\-mails specify the correct charset for their contents\&. This may be altered to make it always UTF\-8\&. This will only happen on e\-mails that do not have the extra imap data properties, which is true for users without the \*(Aqimap\*(Aq feature enabled\&.
- .sp
- Default:
- \fIno\fR
- .RE
- .PP
- \fBimap_max_messagesize\fR
- .RS 4
- Limit the maximum message size (in bytes) which can be created by an IMAP client\&. The maximum of this value is 4GB although this is not recommended\&. If the value is too high it will cause a segmentation fault\&. This value may contain a k, m or g multiplier\&.
- .sp
- Default:
- \fI128M\fR
- .RE
- .PP
- \fBimap_expunge_on_delete\fR
- .RS 4
- Normally when you delete an e\-mail in an IMAP client, it will only be marked as deleted, and not removed from the folder\&. The client should send the EXPUNGE command to actually remove the item from the folder (where Kopano will place it in the soft\-delete system)\&. When this option is set to
- \fIyes\fR, the kopano\-gateway will issue the expunge command itself directly after a \*(Aqmark as delete\*(Aq command was received\&.
- .sp
- Default:
- \fIno\fR
- .RE
- .PP
- \fBimap_store_rfc822\fR
- .RS 4
- Store the rfc822 data with the message in MAPI\&. The Kopano Gateway stores the original rfc822 data of an APPENDed message in the database for later retrieval\&. This makes sure that the exact message that was delivered into the Kopano gateway is available for retrieval later, which is the behaviour when set to
- \fIyes\fR\&. If set to no, the kopano\-gateway will not store the original rfc822 text\&. This means that the rfc822 data must be re\-created when retrieved\&. This may cause changes in encoding or charset and some loss of fidelity\&. This will also invalidate any signatures in the stored messages\&.
- .sp
- Default:
- \fIyes\fR
- .RE
- .PP
- \fBimap_max_fail_commands\fR
- .RS 4
- Maximum number of failed commands before the client\*(Aqs connection is forcibly closed\&. This makes sure that a client which repeatedly fails on a specific connection (like opening folders over and over again which do not exist) does not affect the overall performance of the gateway process\&. With the default value set to
- \fI10\fR, normal operation will work for most production environments\&. Many traditional IMAP migration tools try to fetch folders which do not necessarily exist yet, so in a migration scenario this value should be set higher, at minimum to the number of folders to be migrated from the largest mailbox\&.
- .sp
- Default:
- \fI10\fR
- .RE
- .PP
- \fBdisable_plaintext_auth\fR
- .RS 4
- Disable all plaintext POP3 and IMAP authentications unless SSL/TLS is used (except for connections originating from localhost, to allow saslauthd with rimap)\&. Obviously, this requires at least
- \fIssl_private_key_file\fR
- and
- \fIssl_certificate_file\fR
- to take effect\&.
- .sp
- Default:
- \fIno\fR
- .RE
- .PP
- \fBssl_private_key_file\fR
- .RS 4
- The gateway will use this file as the private key for SSL/TLS\&. This file can be created with:
- \fBopenssl genrsa \-out /etc/kopano/gateway/privkey\&.pem 2048\fR\&.
- .sp
- Default:
- \fI/etc/kopano/gateway/privkey\&.pem\fR
- .RE
- .PP
- \fBssl_certificate_file\fR
- .RS 4
- The gateway will use this file as the certificate for SSL/TLS\&. A self\-signed certificate can be created with:
- \fBopenssl req \-new \-x509 \-key /etc/kopano/gateway/privkey\&.pem \-out /etc/kopano/gateway/cert\&.pem \-days 1095\fR\&.
- .sp
- Default:
- \fI/etc/kopano/gateway/cert\&.pem\fR
- .RE
- .PP
- \fBssl_verify_client\fR
- .RS 4
- Enable client certificate verification with value yes\&. All other values disable the verification\&.
- .sp
- Default:
- \fIno\fR
- .RE
- .PP
- \fBssl_verify_file\fR
- .RS 4
- The file to verify the clients\*(Aq certificates with\&.
- .sp
- Default: value not set\&.
- .RE
- .PP
- \fBssl_verify_path\fR
- .RS 4
- The path with the files to verify the clients\*(Aq certificates with\&.
- .sp
- Default: value not set\&.
- .RE
- .PP
- \fBssl_protocols\fR
- .RS 4
- Disabled or enabled protocol names\&. Supported protocol names are
- \fISSLv3\fR
- and
- \fITLSv1\fR\&. If Kopano was linked against OpenSSL 1\&.0\&.1 or later there is additional support for the new protocols
- \fITLSv1\&.1\fR
- and
- \fITLSv1\&.2\fR\&. To exclude both SSLv3 and TLSv1, set
- \fBssl_protocols\fR
- to
- \fI!SSLv3 !TLSv1\fR\&.
- .sp
- Default: SSLv2 being disabled
- .RE
- .PP
- \fBssl_ciphers\fR
- .RS 4
- SSL ciphers to use, set to
- \fIALL\fR
- for backward compatibility\&.
- .sp
- Default:
- \fIALL:!LOW:!SSLv2:!EXP:!aNULL\fR
- .RE
- .PP
- \fBssl_prefer_server_ciphers\fR
- .RS 4
- Prefer the server\*(Aqs order of SSL ciphers over client\*(Aqs\&.
- .sp
- Default:
- \fIno\fR
- .RE
- .PP
- \fBlog_method\fR
- .RS 4
- The method which should be used for logging\&. Valid values are:
- .PP
- \fIsyslog\fR
- .RS 4
- Use the Linux system log\&. All messages will be written to the mail facility\&. See also
- \fBsyslog.conf\fR(5)\&.
- .RE
- .PP
- \fIfile\fR
- .RS 4
- Log to a file\&. The filename will be specified in
- \fBlog_file\fR\&.
- .RE
- .sp
- Default:
- \fIfile\fR
- .RE
- .PP
- \fBlog_file\fR
- .RS 4
- When logging to a file, specify the filename in this parameter\&. Use
- \fI\-\fR
- (minus sign) for stderr output\&.
- .sp
- Default:
- \fI/var/log/kopano/gateway\&.log\fR
- .RE
- .PP
- \fBlog_level\fR
- .RS 4
- The level of output for logging in the range from 0 to 5\&. 0=no logging, 5=full logging\&.
- .sp
- Default:
- \fI2\fR
- .RE
- .PP
- \fBlog_timestamp\fR
- .RS 4
- Specify whether to prefix each log line with a timestamp in \*(Aqfile\*(Aq logging mode\&.
- .sp
- Default:
- \fI1\fR
- .RE
- .PP
- \fBlog_buffer_size\fR
- .RS 4
- Size of the blocks in which log output is buffered\&. The special value 0 selects line buffering\&.
- .sp
- Default:
- \fI0\fR
- .RE
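- .PP
- Added example, not part of the Kopano manual: a Python audit of text in the line format from FILE FORMAT against the authentication and TLS parameters above (server_socket, bypass_auth, disable_plaintext_auth, ssl_protocols, ssl_ciphers)\&. The file:// form of the UNIX socket address, the sample values, the names parse and audit, and the allow\-list reading of ssl_protocols are assumptions; !include targets are recorded, not read\&.

```python
# Added example: audit gateway.cfg-style text against settings described on this page.
DEFAULTS = {  # defaults as listed on this page; ssl_protocols has no listed value
    "pop3_enable": "yes", "imap_enable": "yes", "bypass_auth": "no",
    "disable_plaintext_auth": "no", "run_as_user": "", "ssl_protocols": "",
    "ssl_ciphers": "ALL:!LOW:!SSLv2:!EXP:!aNULL",
    "server_socket": "http://localhost:236/",
}
SAMPLE = """# constructed sample, not a shipped configuration
!include common.cfg
server_socket = file:///var/run/kopano/server.sock
bypass_auth = yes
pop3_enable = no
ssl_protocols = !SSLv3
ssl_ciphers = ALL
"""

def parse(text):
    """Return (params, directives): '#' starts a comment, '!' a directive."""
    params, directives = {}, []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("!"):
            directives.append(line[1:].split())
        elif "=" in line:
            name, _, value = line.partition("=")
            params[name.strip()] = value.strip()  # names are case sensitive
    return params, directives

def audit(params):
    """Return names of parameters whose effective value weakens authentication or TLS."""
    cfg = {**DEFAULTS, **params}
    weak = []
    if cfg["bypass_auth"] == "yes":  # assumption: only the exact value yes enables
        weak.append("bypass_auth")
    # assumption: a UNIX socket address is written with the file: scheme
    if cfg["server_socket"].startswith("file:") and not cfg["run_as_user"]:
        weak.append("server_socket")  # UNIX socket without dropping to another user
    plain = "yes" in (cfg["pop3_enable"], cfg["imap_enable"])
    if plain and cfg["disable_plaintext_auth"] != "yes":
        weak.append("disable_plaintext_auth")
    tokens = cfg["ssl_protocols"].split()
    allow = [t for t in tokens if not t.startswith("!")]
    # assumption: naming any protocol without '!' enables only the named ones
    if [p for p in ("SSLv3", "TLSv1") if (p in allow if allow else "!" + p not in tokens)]:
        weak.append("ssl_protocols")
    if not {"!LOW", "!EXP", "!aNULL"} <= set(cfg["ssl_ciphers"].split(":")):
        weak.append("ssl_ciphers")  # ALL alone drops the default's exclusions
    return weak

if __name__ == "__main__":
    print(audit(parse(SAMPLE)[0]))
```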
- .SH "RELOADING"
- .PP
- The following options are reloadable by sending the kopano\-gateway process a HUP signal:
- .PP
- log_level
- .RS 4
- .RE
- .SH "FILES"
- .PP
- /etc/kopano/gateway\&.cfg
- .RS 4
- The Kopano gateway configuration file\&.
- .RE
- .SH "AUTHOR"
- .PP
- Written by Kopano\&.
- .SH "SEE ALSO"
- .PP
- \fBkopano-gateway\fR(8)