Home Explore Help
Sign In
cookbooks
/
dovecot
2
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 7c7e2d7ddb
Branches Tags
dovecot
/
templates
/
default
/
conf.d
/
10-auth.conf.erb

10-auth.conf.erb 6.4 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129 
  1. # Generated by Chef
    2. 

  2. 

  3. ##
    4. 

  4. ## Authentication processes
    5. 

  5. ##
    6. 

  6. 

  7. # Disable LOGIN command and all other plaintext authentications unless
    8. 

  8. # SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
    9. 

  9. # matches the local IP (ie. you're connecting from the same computer), the
    10. 

  10. # connection is considered secure and plaintext authentication is allowed.
    11. 

  11. <%= Dovecot::Conf.attribute(@conf, 'disable_plaintext_auth', true) %>
    12. 

  12. 

  13. # Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
    14. 

  14. # bsdauth, PAM and vpopmail require cache_key to be set for caching to be used.
    15. 

  15. <%= Dovecot::Conf.attribute(@conf, 'auth_cache_size', 0) %>
    16. 

  16. # Time to live for cached data. After TTL expires the cached record is no
    17. 

  17. # longer used, *except* if the main database lookup returns internal failure.
    18. 

  18. # We also try to handle password changes automatically: If user's previous
    19. 

  19. # authentication was successful, but this one wasn't, the cache isn't used.
    20. 

  20. # For now this works only with plaintext authentication.
    21. 

  21. <%= Dovecot::Conf.attribute(@conf, 'auth_cache_ttl', '1 hour') %>
    22. 

  22. # TTL for negative hits (user not found, password mismatch).
    23. 

  23. # 0 disables caching them completely.
    24. 

  24. <%= Dovecot::Conf.attribute(@conf, 'auth_cache_negative_ttl', '1 hour') %>
    25. 

  25. 

  26. # Space separated list of realms for SASL authentication mechanisms that need
    27. 

  27. # them. You can leave it empty if you don't want to support multiple realms.
    28. 

  28. # Many clients simply use the first one listed here, so keep the default realm
    29. 

  29. # first.
    30. 

  30. <%= Dovecot::Conf.attribute(@conf, 'auth_realms') %>
    31. 

  31. 

  32. # Default realm/domain to use if none was specified. This is used for both
    33. 

  33. # SASL realms and appending @domain to username in plaintext logins.
    34. 

  34. <%= Dovecot::Conf.attribute(@conf, 'auth_default_realm') %>
    35. 

  35. 

  36. # List of allowed characters in username. If the user-given username contains
    37. 

  37. # a character not listed in here, the login automatically fails. This is just
    38. 

  38. # an extra check to make sure user can't exploit any potential quote escaping
    39. 

  39. # vulnerabilities with SQL/LDAP databases. If you want to allow all characters,
    40. 

  40. # set this value to empty.
    41. 

  41. <%= Dovecot::Conf.attribute(@conf, 'auth_username_chars', 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@') %>
    42. 

  42. 

  43. # Username character translations before it's looked up from databases. The
    44. 

  44. # value contains series of from -> to characters. For example "#@/@" means
    45. 

  45. # that '#' and '/' characters are translated to '@'.
    46. 

  46. <%= Dovecot::Conf.attribute(@conf, 'auth_username_translation') %>
    47. 

  47. 

  48. # Username formatting before it's looked up from databases. You can use
    49. 

  49. # the standard variables here, eg. %Lu would lowercase the username, %n would
    50. 

  50. # drop away the domain if it was given, or "%n-AT-%d" would change the '@' into
    51. 

  51. # "-AT-". This translation is done after auth_username_translation changes.
    52. 

  52. <%= Dovecot::Conf.attribute(@conf, 'auth_username_format') %>
    53. 

  53. 

  54. # If you want to allow master users to log in by specifying the master
    55. 

  55. # username within the normal username string (ie. not using SASL mechanism's
    56. 

  56. # support for it), you can specify the separator character here. The format
    57. 

  57. # is then <username><separator><master username>. UW-IMAP uses "*" as the
    58. 

  58. # separator, so that could be a good choice.
    59. 

  59. <%= Dovecot::Conf.attribute(@conf, 'auth_master_user_separator') %>
    60. 

  60. 

  61. # Username to use for users logging in with ANONYMOUS SASL mechanism
    62. 

  62. <%= Dovecot::Conf.attribute(@conf, 'auth_anonymous_username', 'anonymous') %>
    63. 

  63. 

  64. # Maximum number of dovecot-auth worker processes. They're used to execute
    65. 

  65. # blocking passdb and userdb queries (eg. MySQL and PAM). They're
    66. 

  66. # automatically created and destroyed as needed.
    67. 

  67. <%= Dovecot::Conf.attribute(@conf, 'auth_worker_max_count', 30) %>
    68. 

  68. 

  69. # Host name to use in GSSAPI principal names. The default is to use the
    70. 

  70. # name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab
    71. 

  71. # entries.
    72. 

  72. <%= Dovecot::Conf.attribute(@conf, 'auth_gssapi_hostname') %>
    73. 

  73. 

  74. # Kerberos keytab to use for the GSSAPI mechanism. Will use the system
    75. 

  75. # default (usually /etc/krb5.keytab) if not specified. You may need to change
    76. 

  76. # the auth service to run as root to be able to read this file.
    77. 

  77. <%= Dovecot::Conf.attribute(@conf, 'auth_krb5_keytab') %>
    78. 

  78. 

  79. # Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and
    80. 

  80. # ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt>
    81. 

  81. <%= Dovecot::Conf.attribute(@conf, 'auth_use_winbind', false) %>
    82. 

  82. 

  83. # Path for Samba's ntlm_auth helper binary.
    84. 

  84. <%= Dovecot::Conf.attribute(@conf, 'auth_winbind_helper_path', '/usr/bin/ntlm_auth') %>
    85. 

  85. 

  86. # Time to delay before replying to failed authentications.
    87. 

  87. <%= Dovecot::Conf.attribute(@conf, 'auth_failure_delay', '2 secs') %>
    88. 

  88. 

  89. # Require a valid SSL client certificate or the authentication fails.
    90. 

  90. <%= Dovecot::Conf.attribute(@conf, 'auth_ssl_require_client_cert', false) %>
    91. 

  91. 

  92. # Take the username from client's SSL certificate, using 
    93. 

  93. # X509_NAME_get_text_by_NID() which returns the subject's DN's
    94. 

  94. # CommonName. 
    95. 

  95. <%= Dovecot::Conf.attribute(@conf, 'auth_ssl_username_from_cert', false) %>
    96. 

  96. 

  97. # Space separated list of wanted authentication mechanisms:
    98. 

  98. #   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
    99. 

  99. #   gss-spnego
    100. 

  100. # NOTE: See also disable_plaintext_auth setting.
    101. 

  101. <%= Dovecot::Conf.attribute(@conf, 'auth_mechanisms', 'plain') %>
    102. 

  102. 

  103. ##
    104. 

  104. ## Password and user databases
    105. 

  105. ##
    106. 

  106. 

  107. #
    108. 

  108. # Password database is used to verify user's password (and nothing more).
    109. 

  109. # You can have multiple passdbs and userdbs. This is useful if you want to
    110. 

  110. # allow both system users (/etc/passwd) and virtual users to login without
    111. 

  111. # duplicating the system users into virtual database.
    112. 

  112. #
    113. 

  113. # <doc/wiki/PasswordDatabase.txt>
    114. 

  114. #
    115. 

  115. # User database specifies where mails are located and what user/group IDs
    116. 

  116. # own them. For single-UID configuration use "static" userdb.
    117. 

  117. #
    118. 

  118. # <doc/wiki/UserDatabase.txt>
    119. 

  119. 

  120. <%= '#' unless @auth['deny'].kind_of?(Hash) %>!include auth-deny.conf.ext
    121. 

  121. <%= '#' unless @auth['master'].kind_of?(Hash) %>!include auth-master.conf.ext
    122. 

  122. 

  123. <%= '#' unless @auth['system'].kind_of?(Hash) %>!include auth-system.conf.ext
    124. 

  124. <%= '#' unless @auth['sql'].kind_of?(Hash) %>!include auth-sql.conf.ext
    125. 

  125. <%= '#' unless @auth['ldap'].kind_of?(Hash) %>!include auth-ldap.conf.ext
    126. 

  126. <%= '#' unless @auth['passwdfile'].kind_of?(Hash) %>!include auth-passwdfile.conf.ext
    127. 

  127. <%= '#' unless @auth['checkpassword'].kind_of?(Hash) %>!include auth-checkpassword.conf.ext
    128. 

  128. <%= '#' unless @auth['vpopmail'].kind_of?(Hash) %>!include auth-vpopmail.conf.ext
    129. 

  129. <%= '#' unless @auth['static'].kind_of?(Hash) %>!include auth-static.conf.ext
    130.