This documentation is for Dovecot v2.x, see wiki1 for v1.x documentation.
Differences between revisions 6 and 7
Revision 6 as of 2016-02-11 14:43:38
Size: 7817
Editor: TimoSirainen
Revision 7 as of 2016-02-11 15:49:41
Size: 7984
Editor: ska
Deletions are marked like this. Additions are marked like this.
Line 220: Line 220:

Some variables exist in the plugin section only, such as sieve_extensions. Those variables '''cannot''' be referred to, that is {{{$sieve_extensions}}} won't work.

Dovecot Configuration File

Basic syntax

The syntax generally looks like this:

# this is a comment

settings_key = settings_value

If Dovecot doesn't seem to be reading your configuration correctly, use doveconf -n to check how Dovecot actually parses it. You can also check more complex configurations by providing filters, for example: doveconf -n -f service=imap -f local= -f remote=


Sections look like this:

section optional_name {
  section_setting_key = section_setting_value
  subsection optional_subname {
    subkey = subvalue

Note that sections must be currently written with the linefeeds as shown above. So for example this doesn't work:

section optional_name { key = value } # DOES NOT WORK

The sections can be optionally named. This is especially useful if you want to update the same section later on in the config. For example:

namespace inbox {
  inbox = yes
# ...
# possibly included from another file:
namespace inbox {
  mailbox Trash {
    special_use = \Trash
# The namespaces get merged into the same inbox namespace.

Without naming the namespace it would have created a new namespace. The section name may also sometimes be used as part of the settings instead of simply a name. For example:

service auth {
  unix_listener auth-master {
    # ..

Above the "auth-master" both uniquely identifies the section name, but also it names the UNIX socket path.


There are a few different filters that can be used to apply settings conditionally. The filters look exactly like sections, which may be a bit confusing. The currently supported filters are:

  • protocol <name>: Name of the service/protocol that is reading the settings. For example: imap, pop3, doveadm, lmtp, lda

  • remote <ip/network>: Remote client's IP/network. For non-TCP connections this will never match. For example or

  • local_name <name>: Matches TLS connection's SNI name, if it's sent by the client. Commonly used to configure multiple TLS certificates.

  • local <ip/range>: Locally connected IP/network. For non-TCP connections this will never match. For example or

These filters work for most of the settings, but most importantly auth settings currently only support the protocol filter. Some of the other settings are also global and can't be filtered, such as log_path.

An example, which uses all of the filters:

local {
  local_name {
     remote {
       protocol imap {
         # ...

The nesting of the filters must be exactly in that order or the config parsing will fail.

When applying the settings, the settings within the most-specific filters override the less-specific filter's settings, so the order of the filters in config file doesn't matter. For example:

local {
  key =
local {
  key =
local {
  key =
# The order of the above blocks doesn't matter:
# If local IP=, key=
# If local IP=, key=
# If local IP=, key=

Similarly remote local filters override remote filters, which override local_name filters, which override protocol filters. In some situations Dovecot may also return an error if it detects that the same setting is being ambiguously set by multiple matching filters.

Including config files

The main dovecot.conf file can also include other config files:

!include local.conf
!include /path/to/another.conf
!include conf.d/*.conf

The paths are relative to the currently parsed config file's directory. For example:

# /etc/dovecot/dovecot.conf:
!include conf.d/imap.conf
# /etc/dovecot/conf.d/imap.conf:
!include imap2.conf
# /etc/dovecot/conf.d/imap2.conf is being included

If any of the includes fail (e.g. file doesn't exist or permission denied), it results in an error. It's not an error if wildcards don't result in any matching files. To avoid these errors, you can use !include_try instead:

!include_try passwords.conf

Including a file preserves the context where it's included from. For example:

protocol imap {
  plugin {
!include imap-plugin-settings.conf

External config files

Due to historical reasons there are still some config files that are external to the main dovecot.conf, which are typically named *.conf.ext. For example:

  • passdb/userdb { args } for ldap/sql points to a dovecot-ldap.conf.ext and dovecot-sql.conf.ext.
  • dict { .. } points to dovecot-dict-*.conf.ext

Although these external config files look similar to the main dovecot.conf file, they have quite a lot of differences in details. Their parsing is done with a completely different config parser, so things like filters, $variables, !includes and <files don't work.

The external config files are also not loaded by the config process at startup, but instead they're parsed whenever the value is being used. So the external passdb/userdb files are loaded by auth process at startup, while the dict config is loaded by dict process at startup.

Eventually these external config files will hopefully be removed.

Long lines

It's possible to split the setting values into multiple lines. Unfortunately this was broken for a long time, so outside *.conf.ext files this works only in v2.2.22+:

# This works in *.conf.ext files, but in the main dovecot.conf only with v2.2.22+:
setting_key = \
  long \
# equivalent to: "long value"

All the whitespace between lines is converted to a single space regardless of how many spaces or tabs are at the beginning of the line or before the '\'.

Reading value from file

It's possible to read the value for a setting from a file:

key = </path/to/file

The value is read exactly as the entire contents of the file. This includes all the whitespace and newlines. The paths are relative to the currently parsed config file's directory, similar to how !include works. The file is read immediately whenever parsing the configuration file, so if it changes afterwards it requires a configuration reload to see the changes. This functionality is especially useful for reading SSL certificates and keys.

Variable expansion

It's possible to refer to other earlier settings as $name. For example:

key = value1
key2 = $key value2
# Equivalent to key2 = value1 value2

This is commonly used with mail_plugins settings to easily add more plugins e.g. inside imap protocol:

mail_plugins = acl quota
protocol imap {
  mail_plugins = $mail_plugins imap_acl imap_quota

However, you must be careful with the ordering of these in the configuration file, because the $variables are expanded immediately while parsing the config file and they're not updated later. For example this is a common problem:

# Enable ACL plugin:
mail_plugins = $mail_plugins acl
protocol imap {
  mail_plugins = $mail_plugins imap_acl
# Enable quota plugin:
mail_plugins = $mail_plugins quota
protocol imap {
  mail_plugins = $mail_plugins imap_quota
# The end result is:
# mail_plugins = " acl quota" - OK
# protocol imap {
#   mail_plugins = " acl imap_acl imap_quota" - NOT OK
# }

This is because the second mail_plugins change that added "quota" globally didn't update anything inside the existing protocol { .. } or other filters.

Some variables exist in the plugin section only, such as sieve_extensions. Those variables cannot be referred to, that is $sieve_extensions won't work.

None: ConfigFile (last edited 2019-09-11 13:50:32 by MichaelSlusarz)