10-auth.conf.erb 6.4 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129
  1. # Generated by Chef
  2. ##
  3. ## Authentication processes
  4. ##
  5. # Disable LOGIN command and all other plaintext authentications unless
  6. # SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
  7. # matches the local IP (ie. you're connecting from the same computer), the
  8. # connection is considered secure and plaintext authentication is allowed.
  9. <%= Dovecot::Conf.attribute(@conf, 'disable_plaintext_auth', true) %>
  10. # Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
  11. # bsdauth, PAM and vpopmail require cache_key to be set for caching to be used.
  12. <%= Dovecot::Conf.attribute(@conf, 'auth_cache_size', 0) %>
  13. # Time to live for cached data. After TTL expires the cached record is no
  14. # longer used, *except* if the main database lookup returns internal failure.
  15. # We also try to handle password changes automatically: If user's previous
  16. # authentication was successful, but this one wasn't, the cache isn't used.
  17. # For now this works only with plaintext authentication.
  18. <%= Dovecot::Conf.attribute(@conf, 'auth_cache_ttl', '1 hour') %>
  19. # TTL for negative hits (user not found, password mismatch).
  20. # 0 disables caching them completely.
  21. <%= Dovecot::Conf.attribute(@conf, 'auth_cache_negative_ttl', '1 hour') %>
  22. # Space separated list of realms for SASL authentication mechanisms that need
  23. # them. You can leave it empty if you don't want to support multiple realms.
  24. # Many clients simply use the first one listed here, so keep the default realm
  25. # first.
  26. <%= Dovecot::Conf.attribute(@conf, 'auth_realms') %>
  27. # Default realm/domain to use if none was specified. This is used for both
  28. # SASL realms and appending @domain to username in plaintext logins.
  29. <%= Dovecot::Conf.attribute(@conf, 'auth_default_realm') %>
  30. # List of allowed characters in username. If the user-given username contains
  31. # a character not listed in here, the login automatically fails. This is just
  32. # an extra check to make sure user can't exploit any potential quote escaping
  33. # vulnerabilities with SQL/LDAP databases. If you want to allow all characters,
  34. # set this value to empty.
  35. <%= Dovecot::Conf.attribute(@conf, 'auth_username_chars', 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@') %>
  36. # Username character translations before it's looked up from databases. The
  37. # value contains series of from -> to characters. For example "#@/@" means
  38. # that '#' and '/' characters are translated to '@'.
  39. <%= Dovecot::Conf.attribute(@conf, 'auth_username_translation') %>
  40. # Username formatting before it's looked up from databases. You can use
  41. # the standard variables here, eg. %Lu would lowercase the username, %n would
  42. # drop away the domain if it was given, or "%n-AT-%d" would change the '@' into
  43. # "-AT-". This translation is done after auth_username_translation changes.
  44. <%= Dovecot::Conf.attribute(@conf, 'auth_username_format') %>
  45. # If you want to allow master users to log in by specifying the master
  46. # username within the normal username string (ie. not using SASL mechanism's
  47. # support for it), you can specify the separator character here. The format
  48. # is then <username><separator><master username>. UW-IMAP uses "*" as the
  49. # separator, so that could be a good choice.
  50. <%= Dovecot::Conf.attribute(@conf, 'auth_master_user_separator') %>
  51. # Username to use for users logging in with ANONYMOUS SASL mechanism
  52. <%= Dovecot::Conf.attribute(@conf, 'auth_anonymous_username', 'anonymous') %>
  53. # Maximum number of dovecot-auth worker processes. They're used to execute
  54. # blocking passdb and userdb queries (eg. MySQL and PAM). They're
  55. # automatically created and destroyed as needed.
  56. <%= Dovecot::Conf.attribute(@conf, 'auth_worker_max_count', 30) %>
  57. # Host name to use in GSSAPI principal names. The default is to use the
  58. # name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab
  59. # entries.
  60. <%= Dovecot::Conf.attribute(@conf, 'auth_gssapi_hostname') %>
  61. # Kerberos keytab to use for the GSSAPI mechanism. Will use the system
  62. # default (usually /etc/krb5.keytab) if not specified. You may need to change
  63. # the auth service to run as root to be able to read this file.
  64. <%= Dovecot::Conf.attribute(@conf, 'auth_krb5_keytab') %>
  65. # Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and
  66. # ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt>
  67. <%= Dovecot::Conf.attribute(@conf, 'auth_use_winbind', false) %>
  68. # Path for Samba's ntlm_auth helper binary.
  69. <%= Dovecot::Conf.attribute(@conf, 'auth_winbind_helper_path', '/usr/bin/ntlm_auth') %>
  70. # Time to delay before replying to failed authentications.
  71. <%= Dovecot::Conf.attribute(@conf, 'auth_failure_delay', '2 secs') %>
  72. # Require a valid SSL client certificate or the authentication fails.
  73. <%= Dovecot::Conf.attribute(@conf, 'auth_ssl_require_client_cert', false) %>
  74. # Take the username from client's SSL certificate, using
  75. # X509_NAME_get_text_by_NID() which returns the subject's DN's
  76. # CommonName.
  77. <%= Dovecot::Conf.attribute(@conf, 'auth_ssl_username_from_cert', false) %>
  78. # Space separated list of wanted authentication mechanisms:
  79. # plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
  80. # gss-spnego
  81. # NOTE: See also disable_plaintext_auth setting.
  82. <%= Dovecot::Conf.attribute(@conf, 'auth_mechanisms', 'plain') %>
  83. ##
  84. ## Password and user databases
  85. ##
  86. #
  87. # Password database is used to verify user's password (and nothing more).
  88. # You can have multiple passdbs and userdbs. This is useful if you want to
  89. # allow both system users (/etc/passwd) and virtual users to login without
  90. # duplicating the system users into virtual database.
  91. #
  92. # <doc/wiki/PasswordDatabase.txt>
  93. #
  94. # User database specifies where mails are located and what user/group IDs
  95. # own them. For single-UID configuration use "static" userdb.
  96. #
  97. # <doc/wiki/UserDatabase.txt>
  98. <%= '#' unless @auth['deny'].kind_of?(Hash) %>!include auth-deny.conf.ext
  99. <%= '#' unless @auth['master'].kind_of?(Hash) %>!include auth-master.conf.ext
  100. <%= '#' unless @auth['system'].kind_of?(Hash) %>!include auth-system.conf.ext
  101. <%= '#' unless @auth['sql'].kind_of?(Hash) %>!include auth-sql.conf.ext
  102. <%= '#' unless @auth['ldap'].kind_of?(Hash) %>!include auth-ldap.conf.ext
  103. <%= '#' unless @auth['passwdfile'].kind_of?(Hash) %>!include auth-passwdfile.conf.ext
  104. <%= '#' unless @auth['checkpassword'].kind_of?(Hash) %>!include auth-checkpassword.conf.ext
  105. <%= '#' unless @auth['vpopmail'].kind_of?(Hash) %>!include auth-vpopmail.conf.ext
  106. <%= '#' unless @auth['static'].kind_of?(Hash) %>!include auth-static.conf.ext