2Package config holds the configuration file definitions.
4Mox uses two config files:
61. mox.conf, also called the static configuration file.
72. domains.conf, also called the dynamic configuration file.
9The static configuration file is never reloaded during the lifetime of a
10running mox instance. After changes to mox.conf, mox must be restarted for the
11changes to take effect.
13The dynamic configuration file is reloaded automatically when it changes.
14If the file contains an error after the change, the reload is aborted and the
15previous version remains active.
17Below are "empty" config files, generated from the config file definitions in
18the source code, along with comments explaining the fields. Fields named "x" are
19placeholders for user-chosen map keys.
23The config files are in "sconf" format. Properties of sconf files:
25 - Indentation with tabs only.
26 - "#" as first non-whitespace character makes the line a comment. Lines with a
27 value cannot also have a comment.
28 - Values don't have syntax indicating their type. For example, strings are
29 not quoted/escaped and can never span multiple lines.
30 - Fields that are optional can be left out completely. But the value of an
31 optional field may itself have required fields.
33See https://pkg.go.dev/github.com/mjl-/sconf for details.
37 # NOTE: This config file is in 'sconf' format. Indent with tabs. Comments must be
38 # on their own line, they don't end a line. Do not escape or quote strings.
39 # Details: https://pkg.go.dev/github.com/mjl-/sconf.
42 # Directory where all data is stored, e.g. queue, accounts and messages, ACME TLS
43 # certs/keys. If this is a relative path, it is relative to the directory of
47 # Default log level, one of: error, info, debug, trace, traceauth, tracedata.
48 # Trace logs SMTP and IMAP protocol transcripts, with traceauth also messages with
49 # passwords, and tracedata on top of that also the full data exchanges (full
50 # messages), which can be a large amount of data.
53 # Overrides of log level per package (e.g. queue, smtpclient, smtpserver,
54 # imapserver, spf, dkim, dmarc, dmarcdb, autotls, junk, mtasts, tlsrpt).
59 # User to switch to after binding to all sockets as root. Default: mox. If the
60 # value is not a known user, it is parsed as integer and used as uid and gid.
64 # If true, do not automatically fix file permissions when starting up. By default,
65 # mox will ensure reasonable owner/permissions on the working, data and config
66 # directories (and files), and mox binary (if present). (optional)
67 NoFixPermissions: false
69 # Full hostname of system, e.g. mail.<domain>
72 # If enabled, a single DNS TXT lookup of _updates.xmox.nl is done every 24h to
73 # check for a new release. Each time a new release is found, a changelog is
74 # fetched from https://updates.xmox.nl/changelog and delivered to the postmaster
78 # In pedantic mode protocol violations (that happen in the wild) for SMTP/IMAP/etc
79 # result in errors instead of accepting such behaviour. (optional)
82 # Global TLS configuration, e.g. for additional Certificate Authorities. Used for
83 # outgoing SMTP connections, HTTPS requests. (optional)
90 AdditionalToSystem: false
96 # Automatic TLS configuration with ACME, e.g. through Let's Encrypt. The key is a
97 # name referenced in TLS configs, e.g. letsencrypt. (optional)
101 # For letsencrypt, use https://acme-v02.api.letsencrypt.org/directory.
104 # How long before expiration to renew the certificate. Default is 30 days.
108 # Email address to register at ACME provider. The provider can email you when
109 # certificates are about to expire. If you configure an address for which email is
110 # delivered by this server, keep in mind that TLS misconfigurations could result
111 # in such notification emails not arriving.
114 # TLS port for ACME validation, 443 by default. You should only override this if
115 # you cannot listen on port 443 directly. ACME will make requests to port 443, so
116 # you'll have to add an external mechanism to get the tls connection here, e.g. by
117 # configuring firewall-level port forwarding. Validation over the https port uses
118 # tls-alpn-01 with application-layer protocol negotiation, which essentially means
119 # the original tls connection must make it here unmodified, an https reverse proxy
120 # will not work. (optional)
123 # If set, used for suggested CAA DNS records, for restricting TLS certificate
124 # issuance to a Certificate Authority. If empty and DirectyURL is for Let's
125 # Encrypt, this value is set automatically to letsencrypt.org. (optional)
128 # ACME providers can require that a request for a new ACME account reference an
129 # existing non-ACME account known to the provider. External account binding
130 # references that account by a key id, and authorizes new ACME account requests by
131 # signing it with a key known both by the ACME client and ACME provider.
133 ExternalAccountBinding:
135 # Key identifier, from ACME provider.
138 # File containing the base64url-encoded key used to sign account requests with
139 # external account binding. The ACME provider will verify the account request is
140 # correctly signed by the key. File is evaluated relative to the directory of
144 # File containing hash of admin password, for authentication in the web admin
145 # pages (if enabled). (optional)
148 # Listeners are groups of IP addresses and services enabled on those IP addresses,
149 # such as SMTP/IMAP or internal endpoints for administration or Prometheus
150 # metrics. All listeners with SMTP/IMAP services enabled will serve all configured
151 # domains. If the listener is named 'public', it will get a few helpful additional
152 # configuration checks, for acme automatic tls certificates and monitoring of ips
153 # in dnsbls if those are configured.
157 # Use 0.0.0.0 to listen on all IPv4 and/or :: to listen on all IPv6 addresses, but
158 # it is better to explicitly specify the IPs you want to use for email, as mox
159 # will make sure outgoing connections will only be made from one of those IPs. If
160 # both outgoing IPv4 and IPv6 connectivity is possible, and only one family has
161 # explicitly configured addresses, both address families are still used for
162 # outgoing connections. Use the "direct" transport to limit address families for
163 # outgoing connections.
167 # If set, the mail server is configured behind a NAT and field IPs are internal
168 # instead of the public IPs, while NATIPs lists the public IPs. Used during
169 # IP-related DNS self-checks, such as for iprev, mx, spf, autoconfig,
170 # autodiscover, and for autotls. (optional)
174 # Deprecated, use NATIPs instead. If set, IPs are not the public IPs, but are
175 # NATed. Skips IP-related DNS self-checks. (optional)
178 # If empty, the config global Hostname is used. The internal services webadmin,
179 # webaccount, webmail and webapi only match requests to IPs, this hostname,
180 # "localhost". All except webadmin also match for any client settings domain.
184 # For SMTP/IMAP STARTTLS, direct TLS and HTTPS connections. (optional)
187 # Name of provider from top-level configuration to use for ACME, e.g. letsencrypt.
191 # Keys and certificates to use for this listener. The files are opened by the
192 # privileged root process and passed to the unprivileged mox process, so no
193 # special permissions are required on the files. If the private key will not be
194 # replaced when refreshing certificates, also consider adding the private key to
195 # HostPrivateKeyFiles and configuring DANE TLSA DNS records. (optional)
199 # Certificate including intermediate CA certificates, in PEM format.
202 # Private key for certificate, in PEM format. PKCS8 is recommended, but PKCS1 and
203 # EC private keys are recognized as well.
206 # Minimum TLS version. Default: TLSv1.2. (optional)
209 # Private keys used for ACME certificates. Specified explicitly so DANE TLSA DNS
210 # records can be generated, even before the certificates are requested. DANE is a
211 # mechanism to authenticate remote TLS certificates based on a public key or
212 # certificate specified in DNS, protected with DNSSEC. DANE is opportunistic and
213 # attempted when delivering SMTP with STARTTLS. The private key files must be in
214 # PEM format. PKCS8 is recommended, but PKCS1 and EC private keys are recognized
215 # as well. Only RSA 2048 bit and ECDSA P-256 keys are currently used. The first of
216 # each is used when requesting new certificates through ACME. (optional)
220 # Disable TLS client authentication with certificates/keys, preventing the TLS
221 # server from requesting a TLS certificate from clients. Useful for working around
222 # clients that don't handle TLS client authentication well. (optional)
223 ClientAuthDisabled: false
225 # Maximum size in bytes for incoming and outgoing messages. Default is 100MB.
227 SMTPMaxMessageSize: 0
233 # Default 25. (optional)
236 # Do not offer STARTTLS to secure the connection. Not recommended. (optional)
239 # Do not accept incoming messages if STARTTLS is not active. Consider using in
240 # combination with an MTA-STS policy and/or DANE. A remote SMTP server may not
241 # support TLS and may not be able to deliver messages. Incoming messages for TLS
242 # reporting addresses ignore this setting and do not require TLS. (optional)
243 RequireSTARTTLS: false
245 # Do not announce the REQUIRETLS SMTP extension. Messages delivered using the
246 # REQUIRETLS extension should only be distributed onwards to servers also
247 # implementing the REQUIRETLS extension. In some situations, such as hosting
248 # mailing lists, this may not be feasible due to lack of support for the extension
249 # by mailing list subscribers. (optional)
252 # Addresses of DNS block lists for incoming messages. Block lists are only
253 # consulted for connections/messages without enough reputation to make an
254 # accept/reject decision. This prevents sending IPs of all communications to the
255 # block list provider. If any of the listed DNSBLs contains a requested IP
256 # address, the message is rejected as spam. The DNSBLs are checked for healthiness
257 # before use, at most once per 4 hours. IPs we can send from are periodically
258 # checked for being in the configured DNSBLs. See MonitorDNSBLs in domains.conf to
259 # only monitor IPs we send from, without using those DNSBLs for incoming messages.
260 # Example DNSBLs: sbl.spamhaus.org, bl.spamcop.net. See
261 # https://www.spamhaus.org/sbl/ and https://www.spamcop.net/ for more information
262 # and terms of use. (optional)
266 # Delay before accepting a message from a first-time sender for the destination
267 # account. Default: 15s. (optional)
268 FirstTimeSenderDelay: 0s
270 # Override default setting for enabling TLS session tickets. Disabling session
271 # tickets may work around TLS interoperability issues. (optional)
272 TLSSessionTicketsDisabled: false
274 # SMTP for submitting email, e.g. by email applications. Starts out in plain text,
275 # can be upgraded to TLS with the STARTTLS command. Prefer using Submissions which
276 # is always a TLS connection. (optional)
280 # Default 587. (optional)
283 # Do not require STARTTLS. Since users must login, this means password may be sent
284 # without encryption. Not recommended. (optional)
285 NoRequireSTARTTLS: false
287 # SMTP over TLS for submitting email, by email applications. Requires a TLS
292 # Default 465. (optional)
295 # Additionally enable submission on HTTPS port 443 via TLS ALPN. TLS Application
296 # Layer Protocol Negotiation allows clients to request a specific protocol from
297 # the server as part of the TLS connection setup. When this setting is enabled and
298 # a client requests the 'smtp' protocol after TLS, it will be able to talk SMTP to
299 # Mox on port 443. This is meant to be useful as a censorship circumvention
300 # technique for Delta Chat. (optional)
301 EnabledOnHTTPS: false
303 # IMAP for reading email, by email applications. Starts out in plain text, can be
304 # upgraded to TLS with the STARTTLS command. Prefer using IMAPS instead which is
305 # always a TLS connection. (optional)
309 # Default 143. (optional)
312 # Enable this only when the connection is otherwise encrypted (e.g. through a
314 NoRequireSTARTTLS: false
316 # IMAP over TLS for reading email, by email applications. Requires a TLS config.
321 # Default 993. (optional)
324 # Additionally enable IMAP on HTTPS port 443 via TLS ALPN. TLS Application Layer
325 # Protocol Negotiation allows clients to request a specific protocol from the
326 # server as part of the TLS connection setup. When this setting is enabled and a
327 # client requests the 'imap' protocol after TLS, it will be able to talk IMAP to
328 # Mox on port 443. This is meant to be useful as a censorship circumvention
329 # technique for Delta Chat. (optional)
330 EnabledOnHTTPS: false
332 # Account web interface, for email users wanting to change their accounts, e.g.
333 # set new password, set new delivery rulesets. Default path is /. (optional)
337 # Default 80 for HTTP and 443 for HTTPS. See Hostname at Listener for hostname
338 # matching behaviour. (optional)
341 # Path to serve requests on. Should end with a slash, related to cookie paths.
345 # If set, X-Forwarded-* headers are used for the remote IP address for rate
346 # limiting and for the "secure" status of cookies. (optional)
349 # Account web interface listener like AccountHTTP, but for HTTPS. Requires a TLS
354 # Default 80 for HTTP and 443 for HTTPS. See Hostname at Listener for hostname
355 # matching behaviour. (optional)
358 # Path to serve requests on. Should end with a slash, related to cookie paths.
362 # If set, X-Forwarded-* headers are used for the remote IP address for rate
363 # limiting and for the "secure" status of cookies. (optional)
366 # Admin web interface, for managing domains, accounts, etc. Default path is
367 # /admin/. Preferably only enable on non-public IPs. Hint: use 'ssh -L
368 # 8080:localhost:80 you@yourmachine' and open http://localhost:8080/admin/, or set
369 # up a tunnel (e.g. WireGuard) and add its IP to the mox 'internal' listener.
374 # Default 80 for HTTP and 443 for HTTPS. See Hostname at Listener for hostname
375 # matching behaviour. (optional)
378 # Path to serve requests on. Should end with a slash, related to cookie paths.
382 # If set, X-Forwarded-* headers are used for the remote IP address for rate
383 # limiting and for the "secure" status of cookies. (optional)
386 # Admin web interface listener like AdminHTTP, but for HTTPS. Requires a TLS
391 # Default 80 for HTTP and 443 for HTTPS. See Hostname at Listener for hostname
392 # matching behaviour. (optional)
395 # Path to serve requests on. Should end with a slash, related to cookie paths.
399 # If set, X-Forwarded-* headers are used for the remote IP address for rate
400 # limiting and for the "secure" status of cookies. (optional)
403 # Webmail client, for reading email. Default path is /webmail/. (optional)
407 # Default 80 for HTTP and 443 for HTTPS. See Hostname at Listener for hostname
408 # matching behaviour. (optional)
411 # Path to serve requests on. Should end with a slash, related to cookie paths.
415 # If set, X-Forwarded-* headers are used for the remote IP address for rate
416 # limiting and for the "secure" status of cookies. (optional)
419 # Webmail client, like WebmailHTTP, but for HTTPS. Requires a TLS config.
424 # Default 80 for HTTP and 443 for HTTPS. See Hostname at Listener for hostname
425 # matching behaviour. (optional)
428 # Path to serve requests on. Should end with a slash, related to cookie paths.
432 # If set, X-Forwarded-* headers are used for the remote IP address for rate
433 # limiting and for the "secure" status of cookies. (optional)
436 # Like WebAPIHTTPS, but with plain HTTP, without TLS. (optional)
440 # Default 80 for HTTP and 443 for HTTPS. See Hostname at Listener for hostname
441 # matching behaviour. (optional)
444 # Path to serve requests on. Should end with a slash, related to cookie paths.
448 # If set, X-Forwarded-* headers are used for the remote IP address for rate
449 # limiting and for the "secure" status of cookies. (optional)
452 # WebAPI, a simple HTTP/JSON-based API for email, with HTTPS (requires a TLS
453 # config). Default path is /webapi/. (optional)
457 # Default 80 for HTTP and 443 for HTTPS. See Hostname at Listener for hostname
458 # matching behaviour. (optional)
461 # Path to serve requests on. Should end with a slash, related to cookie paths.
465 # If set, X-Forwarded-* headers are used for the remote IP address for rate
466 # limiting and for the "secure" status of cookies. (optional)
469 # Serve prometheus metrics, for monitoring. You should not enable this on a public
474 # Default 8010. (optional)
477 # Serve /debug/pprof/ for profiling a running mox instance. Do not enable this on
478 # a public IP! (optional)
482 # Default 8011. (optional)
485 # Serve autoconfiguration/autodiscovery to simplify configuring email
486 # applications, will use port 443. Requires a TLS config. (optional)
490 # TLS port, 443 by default. You should only override this if you cannot listen on
491 # port 443 directly. Autoconfig requests will be made to port 443, so you'll have
492 # to add an external mechanism to get the connection here, e.g. by configuring
493 # port forwarding. (optional)
496 # If set, plain HTTP instead of HTTPS is spoken on the configured port. Can be
497 # useful when the autoconfig domain is reverse proxied. (optional)
500 # If set, X-Forwarded-* headers are used for the remote IP address for rate
501 # limiting and logging. (optional)
504 # Serve MTA-STS policies describing SMTP TLS requirements. Requires a TLS config.
509 # TLS port, 443 by default. You should only override this if you cannot listen on
510 # port 443 directly. MTA-STS requests will be made to port 443, so you'll have to
511 # add an external mechanism to get the connection here, e.g. by configuring port
512 # forwarding. (optional)
515 # If set, plain HTTP instead of HTTPS is spoken on the configured port. Can be
516 # useful when the mta-sts domain is reverse proxied. (optional)
519 # If set, X-Forwarded-* headers are used for the remote IP address for rate
520 # limiting and logging. (optional)
523 # All configured WebHandlers will serve on an enabled listener. (optional)
527 # Port for plain HTTP (non-TLS) webserver. (optional)
530 # Disable rate limiting for all requests to this port. (optional)
531 RateLimitDisabled: false
533 # All configured WebHandlers will serve on an enabled listener. Either ACME must
534 # be configured, or for each WebHandler domain a TLS certificate must be
535 # configured. (optional)
539 # Port for HTTPS webserver. (optional)
542 # Disable rate limiting for all requests to this port. (optional)
543 RateLimitDisabled: false
545 # Destination for emails delivered to postmaster addresses: a plain 'postmaster'
546 # without domain, 'postmaster@<hostname>' (also for each listener with SMTP
547 # enabled), and as fallback for each domain without explicitly configured
548 # postmaster destination.
552 # E.g. Postmaster or Inbox.
555 # Destination for per-host TLS reports (TLSRPT). TLS reports can be per recipient
556 # domain (for MTA-STS), or per MX host (for DANE). The per-domain TLS reporting
557 # configuration is in domains.conf. This is the TLS reporting configuration for
558 # this host. If absent, no host-based TLSRPT address is configured, and no host
559 # TLSRPT DNS record is suggested. (optional)
562 # Account to deliver TLS reports to. Typically same account as for postmaster.
565 # Mailbox to deliver TLS reports to. Recommended value: TLSRPT.
568 # Localpart at hostname to accept TLS reports at. Recommended value: tlsreports.
571 # Mailboxes to create for new accounts. Inbox is always created. Mailboxes can be
572 # given a 'special-use' role, which are understood by most mail clients. If
573 # absent/empty, the following additional mailboxes are created: Sent, Archive,
574 # Trash, Drafts and Junk. (optional)
577 # Special-use roles to mailbox to create. (optional)
595 # Regular, non-special-use mailboxes to create. (optional)
599 # Deprecated in favor of InitialMailboxes. Mailboxes to create when adding an
600 # account. Inbox is always created. If no mailboxes are specified, the following
601 # are automatically created: Sent, Archive, Trash, Drafts and Junk. (optional)
605 # Transport are mechanisms for delivering messages. Transports can be referenced
606 # from Routes in accounts, domains and the global configuration. There is always
607 # an implicit/fallback delivery transport doing direct delivery with SMTP from the
608 # outgoing message queue. Transports are typically only configured when using
609 # smarthosts, i.e. when delivering through another SMTP server. Zero or one
610 # transport methods must be set in a transport, never multiple. When using an
611 # external party to send email for a domain, keep in mind you may have to add
612 # their IP address to your domain's SPF record, and possibly additional DKIM
613 # records. (optional)
617 # Submission SMTP over a TLS connection to submit email to a remote queue.
621 # Host name to connect to and for verifying its TLS certificate.
624 # If unset or 0, the default port for submission(s)/smtp is used: 25 for SMTP, 465
625 # for submissions (with TLS), 587 for submission (possibly with STARTTLS).
629 # If set an unverifiable remote TLS certificate during STARTTLS is accepted.
631 STARTTLSInsecureSkipVerify: false
633 # If set for submission or smtp transport, do not attempt STARTTLS on the
634 # connection. Authentication credentials and messages will be transferred in clear
638 # If set, authentication credentials for the remote server. (optional)
643 # Allowed authentication mechanisms. Defaults to SCRAM-SHA-256-PLUS,
644 # SCRAM-SHA-256, SCRAM-SHA-1-PLUS, SCRAM-SHA-1, CRAM-MD5. Not included by default:
645 # PLAIN. Specify the strongest mechanism known to be implemented by the server to
646 # prevent mechanism downgrade attacks. (optional)
650 # Submission SMTP over a plain TCP connection (possibly with STARTTLS) to submit
651 # email to a remote queue. (optional)
654 # Host name to connect to and for verifying its TLS certificate.
657 # If unset or 0, the default port for submission(s)/smtp is used: 25 for SMTP, 465
658 # for submissions (with TLS), 587 for submission (possibly with STARTTLS).
662 # If set an unverifiable remote TLS certificate during STARTTLS is accepted.
664 STARTTLSInsecureSkipVerify: false
666 # If set for submission or smtp transport, do not attempt STARTTLS on the
667 # connection. Authentication credentials and messages will be transferred in clear
671 # If set, authentication credentials for the remote server. (optional)
676 # Allowed authentication mechanisms. Defaults to SCRAM-SHA-256-PLUS,
677 # SCRAM-SHA-256, SCRAM-SHA-1-PLUS, SCRAM-SHA-1, CRAM-MD5. Not included by default:
678 # PLAIN. Specify the strongest mechanism known to be implemented by the server to
679 # prevent mechanism downgrade attacks. (optional)
683 # SMTP over a plain connection (possibly with STARTTLS), typically for
684 # old-fashioned unauthenticated relaying to a remote queue. (optional)
687 # Host name to connect to and for verifying its TLS certificate.
690 # If unset or 0, the default port for submission(s)/smtp is used: 25 for SMTP, 465
691 # for submissions (with TLS), 587 for submission (possibly with STARTTLS).
695 # If set an unverifiable remote TLS certificate during STARTTLS is accepted.
697 STARTTLSInsecureSkipVerify: false
699 # If set for submission or smtp transport, do not attempt STARTTLS on the
700 # connection. Authentication credentials and messages will be transferred in clear
704 # If set, authentication credentials for the remote server. (optional)
709 # Allowed authentication mechanisms. Defaults to SCRAM-SHA-256-PLUS,
710 # SCRAM-SHA-256, SCRAM-SHA-1-PLUS, SCRAM-SHA-1, CRAM-MD5. Not included by default:
711 # PLAIN. Specify the strongest mechanism known to be implemented by the server to
712 # prevent mechanism downgrade attacks. (optional)
716 # Like regular direct delivery, but makes outgoing connections through a SOCKS
720 # Address of SOCKS proxy, of the form host:port or ip:port.
723 # IP addresses connections from the SOCKS server will originate from. This IP
724 # addresses should be configured in the SPF record (keep in mind DNS record time
725 # to live (TTL) when adding a SOCKS proxy). Reverse DNS should be set up for these
726 # address, resolving to RemoteHostname. These are typically the IPv4 and IPv6
727 # address for the host in the Address field.
731 # Hostname belonging to RemoteIPs. This name is used during in SMTP EHLO. This is
732 # typically the hostname of the host in the Address field.
735 # Like regular direct delivery, but allows to tweak outgoing connections.
739 # If set, outgoing SMTP connections will *NOT* use IPv4 addresses to connect to
740 # remote SMTP servers. (optional)
743 # If set, outgoing SMTP connections will *NOT* use IPv6 addresses to connect to
744 # remote SMTP servers. (optional)
747 # Immediately fails the delivery attempt. (optional)
750 # SMTP error code and optional enhanced error code to use for the failure. If
751 # empty, 554 is used (transaction failed). (optional)
754 # Message to include for the rejection. It will be shown in the DSN. (optional)
757 # Do not send DMARC reports (aggregate only). By default, aggregate reports on
758 # DMARC evaluations are sent to domains if their DMARC policy requests them.
759 # Reports are sent at whole hours, with a minimum of 1 hour and maximum of 24
760 # hours, rounded up so a whole number of intervals cover 24 hours, aligned at
761 # whole days in UTC. Reports are sent from the postmaster@<mailhostname> address.
763 NoOutgoingDMARCReports: false
765 # Do not send TLS reports. By default, reports about failed SMTP STARTTLS
766 # connections and related MTA-STS/DANE policies are sent to domains if their
767 # TLSRPT DNS record requests them. Reports covering a 24 hour UTC interval are
768 # sent daily. Reports are sent from the postmaster address of the configured
769 # domain the mailhostname is in. If there is no such domain, or it does not have
770 # DKIM configured, no reports are sent. (optional)
771 NoOutgoingTLSReports: false
773 # Also send TLS reports if there were no SMTP STARTTLS connection failures. By
774 # default, reports are only sent when at least one failure occurred. If a report
775 # is sent, it does always include the successful connection counts as well.
777 OutgoingTLSReportsForAllSuccess: false
779 # Default maximum total message size in bytes for each individual account, only
780 # applicable if greater than zero. Can be overridden per account. Attempting to
781 # add new messages to an account beyond its maximum total size will result in an
782 # error. Useful to prevent a single account from filling storage. The quota only
783 # applies to the email message files, not to any file system overhead and also not
784 # the message index database file (account for approximately 15% overhead).
790 # NOTE: This config file is in 'sconf' format. Indent with tabs. Comments must be
791 # on their own line, they don't end a line. Do not escape or quote strings.
792 # Details: https://pkg.go.dev/github.com/mjl-/sconf.
795 # Domains for which email is accepted. For internationalized domains, use their
796 # IDNA names in UTF-8.
800 # Disabled domains can be useful during/before migrations. Domains that are
801 # disabled can still be configured like normal, including adding addresses using
802 # the domain to accounts. However, disabled domains: 1. Do not try to fetch ACME
803 # certificates. TLS connections to host names involving the email domain will
804 # fail. A TLS certificate for the hostname (that wil be used as MX) itself will be
805 # requested. 2. Incoming deliveries over SMTP are rejected with a temporary error
806 # '450 4.2.1 recipient domain temporarily disabled'. 3. Submissions over SMTP
807 # using an (envelope) SMTP MAIL FROM address or message 'From' address of a
808 # disabled domain will be rejected with a temporary error '451 4.3.0 sender domain
809 # temporarily disabled'. Note that accounts with addresses at disabled domains can
810 # still log in and read email (unless the account itself is disabled). (optional)
813 # Free-form description of domain. (optional)
816 # Hostname for client settings instead of the mail server hostname. E.g.
817 # mail.<domain>. For future migration to another mail operator without requiring
818 # all clients to update their settings, it is convenient to have client settings
819 # that reference a subdomain of the hosted domain instead of the hostname of the
820 # server where the mail is currently hosted. If empty, the hostname of the mail
821 # server is used for client configurations. Unicode name. (optional)
822 ClientSettingsDomain:
824 # If not empty, only the string before the separator is used to for email delivery
825 # decisions. For example, if set to "+", you+anything@example.com will be
826 # delivered to you@example.com. (optional)
827 LocalpartCatchallSeparator:
829 # Similar to LocalpartCatchallSeparator, but in case multiple are needed. For
830 # example both "+" and "-". Only of one LocalpartCatchallSeparator or
831 # LocalpartCatchallSeparators can be set. If set, the first separator is used to
832 # make unique addresses for outgoing SMTP connections with FromIDLoginAddresses.
834 LocalpartCatchallSeparators:
837 # If set, upper/lower case is relevant for email delivery. (optional)
838 LocalpartCaseSensitive: false
840 # With DKIM signing, a domain is taking responsibility for (content of) emails it
841 # sends, letting receiving mail servers build up a (hopefully positive) reputation
842 # of the domain, which can help with mail delivery. (optional)
845 # Emails can be DKIM signed. Config parameters are per selector. A DNS record must
846 # be created for each selector. Add the name to Sign to use the selector for
851 # sha256 (default) or (older, not recommended) sha1. (optional)
857 # If set, some modifications to the headers (mostly whitespace) are allowed.
860 # If set, some whitespace modifications to the message body are allowed.
863 # Headers to sign with DKIM. If empty, a reasonable default set of headers is
864 # selected. (optional)
868 # If set, don't prevent duplicate headers from being added. Not recommended.
870 DontSealHeaders: false
872 # Period a signature is valid after signing, as duration, e.g. 72h. The period
873 # should be enough for delivery at the final destination, potentially with several
874 # hops/relays. In the order of days at least. (optional)
877 # Either an RSA or ed25519 private key file in PKCS8 PEM form.
880 # List of selectors that emails will be signed with. (optional)
884 # With DMARC, a domain publishes, in DNS, a policy on how other mail servers
885 # should handle incoming messages with the From-header matching this domain and/or
886 # subdomain (depending on the configured alignment). Receiving mail servers use
887 # this to build up a reputation of this domain, which can help with mail delivery.
888 # A domain can also publish an email address to which reports about DMARC
889 # verification results can be sent by verifying mail servers, useful for
890 # monitoring. Incoming DMARC reports are automatically parsed, validated, added to
891 # metrics and stored in the reporting database for later display in the admin web
895 # Address-part before the @ that accepts DMARC reports. Must be
896 # non-internationalized. Recommended value: dmarcreports.
899 # Alternative domain for reporting address, for incoming reports. Typically empty,
900 # causing the domain wherein this config exists to be used. Can be used to receive
901 # reports for domains that aren't fully hosted on this server. Configure such a
902 # domain as a hosted domain without making all the DNS changes, and configure this
903 # field with a domain that is fully hosted on this server, so the localpart and
904 # the domain of this field form a reporting address. Then only update the DMARC
905 # DNS record for the not fully hosted domain, ensuring the reporting address is
906 # specified in its "rua" field as shown in the suggested DNS settings. Unicode
910 # Account to deliver to.
913 # Mailbox to deliver to, e.g. DMARC.
916 # MTA-STS is a mechanism that allows publishing a policy with requirements for
917 # WebPKI-verified SMTP STARTTLS connections for email delivered to a domain.
918 # Existence of a policy is announced in a DNS TXT record (often
919 # unprotected/unverified, MTA-STS's weak spot). If a policy exists, it is fetched
920 # with a WebPKI-verified HTTPS request. The policy can indicate that
921 # WebPKI-verified SMTP STARTTLS is required, and which MX hosts (optionally with a
922 # wildcard pattern) are allowd. MX hosts to deliver to are still taken from DNS
923 # (again, not necessarily protected/verified), but messages will only be delivered
924 # to domains matching the MX hosts from the published policy. Mail servers look up
925 # the MTA-STS policy when first delivering to a domain, then keep a cached copy,
926 # periodically checking the DNS record if a new policy is available, and fetching
927 # and caching it if so. To update a policy, first serve a new policy with an
928 # updated policy ID, then update the DNS record (not the other way around). To
929 # remove an enforced policy, publish an updated policy with mode "none" for a long
930 # enough period so all cached policies have been refreshed (taking DNS TTL and
931 # policy max age into account), then remove the policy from DNS, wait for TTL to
932 # expire, and stop serving the policy. (optional)
935 # Policies are versioned. The version must be specified in the DNS record. If you
936 # change a policy, first change it here to update the served policy, then update
937 # the DNS record with the updated policy ID.
940 # If set to "enforce", a remote SMTP server will not deliver email to us if it
941 # cannot make a WebPKI-verified SMTP STARTTLS connection. In mode "testing",
942 # deliveries can be done without verified TLS, but errors will be reported through
943 # TLS reporting. In mode "none", verified TLS is not required, used for phasing
944 # out an MTA-STS policy.
947 # How long a remote mail server is allowed to cache a policy. Typically 1 or
951 # List of server names allowed for SMTP. If empty, the configured hostname is set.
952 # Host names can contain a wildcard (*) as a leading label (matching a single
953 # label, e.g. *.example matches host.example, not sub.host.example). (optional)
957 # With TLSRPT a domain specifies in DNS where reports about encountered SMTP TLS
958 # behaviour should be sent. Useful for monitoring. Incoming TLS reports are
959 # automatically parsed, validated, added to metrics and stored in the reporting
960 # database for later display in the admin web pages. (optional)
963 # Address-part before the @ that accepts TLSRPT reports. Recommended value:
967 # Alternative domain for reporting address, for incoming reports. Typically empty,
968 # causing the domain wherein this config exists to be used. Can be used to receive
969 # reports for domains that aren't fully hosted on this server. Configure such a
970 # domain as a hosted domain without making all the DNS changes, and configure this
971 # field with a domain that is fully hosted on this server, so the localpart and
972 # the domain of this field form a reporting address. Then only update the TLSRPT
973 # DNS record for the not fully hosted domain, ensuring the reporting address is
974 # specified in its "rua" field as shown in the suggested DNS settings. Unicode
978 # Account to deliver to.
981 # Mailbox to deliver to, e.g. TLSRPT.
984 # Routes for delivering outgoing messages through the queue. Each delivery attempt
985 # evaluates account routes, these domain routes and finally global routes. The
986 # transport of the first matching route is used in the delivery attempt. If no
987 # routes match, which is the default with no configured routes, messages are
988 # delivered directly from the queue. (optional)
992 # Matches if the envelope from domain matches one of the configured domains, or if
993 # the list is empty. If a domain starts with a dot, prefixes of the domain also
998 # Like FromDomain, but matching against the envelope to domain. (optional)
1002 # Matches if at least this many deliveries have already been attempted. This can
1003 # be used to attempt sending through a smarthost when direct delivery has failed
1004 # for several times. (optional)
1008 # Aliases that cause messages to be delivered to one or more locally configured
1009 # addresses. Keys are localparts (encoded, as they appear in email addresses).
1014 # Expanded addresses to deliver to. These must currently be of addresses of local
1015 # accounts. To prevent duplicate messages, a member address that is also an
1016 # explicit recipient in the SMTP transaction will only have the message delivered
1017 # once. If the address in the message From header is a member, that member also
1018 # won't receive the message.
1022 # If true, anyone can send messages to the list. Otherwise only members, based on
1023 # message From address, which is assumed to be DMARC-like-verified. (optional)
1026 # If true, members can see addresses of members. (optional)
1029 # If true, members are allowed to send messages with this alias address in the
1030 # message From header. (optional)
1033 # Accounts represent mox users, each with a password and email address(es) to
1034 # which email can be delivered (possibly at different domains). Each account has
1035 # its own on-disk directory holding its messages and index database. An account
1036 # name is not an email address.
1040 # Webhooks for events about outgoing deliveries. (optional)
1043 # URL to POST webhooks.
1046 # If not empty, value of Authorization header to add to HTTP requests. (optional)
1049 # Events to send outgoing delivery notifications for. If absent, all events are
1050 # sent. Valid values: delivered, suppressed, delayed, failed, relayed, expanded,
1051 # canceled, unrecognized. (optional)
1055 # Webhooks for events about incoming deliveries over SMTP. (optional)
1058 # URL to POST webhooks to for incoming deliveries over SMTP.
1061 # If not empty, value of Authorization header to add to HTTP requests. (optional)
1064 # Login addresses that cause outgoing email to be sent with SMTP MAIL FROM
1065 # addresses with a unique id after the localpart catchall separator (which must be
1066 # enabled when addresses are specified here). Any delivery status notifications
1067 # (DSN, e.g. for bounces), can be related to the original message and recipient
1068 # with unique id's. You can login to an account with any valid email address,
1069 # including variants with the localpart catchall separator. You can use this
1070 # mechanism to both send outgoing messages with and without unique fromid for a
1071 # given email address. With the webapi and webmail, a unique id will be generated.
1072 # For submission, the id from the SMTP MAIL FROM command is used if present, and a
1073 # unique id is generated otherwise. (optional)
1074 FromIDLoginAddresses:
1077 # Period to keep messages retired from the queue (delivered or failed) around.
1078 # Keeping retired messages is useful for maintaining the suppression list for
1079 # transactional email, for matching incoming DSNs to sent messages, and for
1080 # debugging. The time at which to clean up (remove) is calculated at retire time.
1081 # E.g. 168h (1 week). (optional)
1082 KeepRetiredMessagePeriod: 0s
1084 # Period to keep webhooks retired from the queue (delivered or failed) around.
1085 # Useful for debugging. The time at which to clean up (remove) is calculated at
1086 # retire time. E.g. 168h (1 week). (optional)
1087 KeepRetiredWebhookPeriod: 0s
1089 # If non-empty, login attempts on all protocols (e.g. SMTP/IMAP, web interfaces)
1090 # is rejected with this error message. Useful during migrations. Incoming
1091 # deliveries for addresses of this account are still accepted as normal.
1095 # Default domain for account. Deprecated behaviour: If a destination is not a full
1096 # address but only a localpart, this domain is added to form a full address.
1099 # Free form description, e.g. full name or alternative contact info. (optional)
1102 # Full name, to use in message From header when composing messages in webmail. Can
1103 # be overridden per destination. (optional)
1106 # Destinations, keys are email addresses (with IDNA domains). All destinations are
1107 # allowed for logging in with IMAP/SMTP/webmail. If no destinations are
1108 # configured, the account can not login. If the address is of the form '@domain',
1109 # i.e. with localpart missing, it serves as a catchall for the domain, matching
1110 # all messages that are not explicitly configured. Deprecated behaviour: If the
1111 # address is not a full address but a localpart, it is combined with Domain to
1112 # form a full address. (optional)
1116 # Mailbox to deliver to if none of Rulesets match. Default: Inbox. (optional)
1119 # Delivery rules based on message and SMTP transaction. You may want to match each
1120 # mailing list by SMTP MailFrom address, VerifiedDomain and/or List-ID header
1121 # (typically <listname.example.org> if the list address is listname@example.org),
1122 # delivering them to their own mailbox. (optional)
1126 # Matches if this regular expression matches (a substring of) the SMTP MAIL FROM
1127 # address (not the message From-header). E.g. '^user@example\.org$'. (optional)
1130 # Matches if this regular expression matches (a substring of) the single address
1131 # in the message From header. (optional)
1134 # Matches if this domain matches an SPF- and/or DKIM-verified (sub)domain.
1138 # Matches if these header field/value regular expressions all match (substrings
1139 # of) the message headers. Header fields and valuees are converted to lower case
1140 # before matching. Whitespace is trimmed from the value before matching. A header
1141 # field can occur multiple times in a message, only one instance has to match. For
1142 # mailing lists, you could match on ^list-id$ with the value typically the mailing
1143 # list address in angled brackets with @ replaced with a dot, e.g.
1144 # <name\.lists\.example\.org>. (optional)
1148 # Influences spam filtering only, this option does not change whether a message
1149 # matches this ruleset. Can only be used together with SMTPMailFromRegexp and
1150 # VerifiedDomain. SMTPMailFromRegexp must be set to the address used to deliver
1151 # the forwarded message, e.g. '^user(|\+.*)@forward\.example$'. Changes to junk
1152 # analysis: 1. Messages are not rejected for failing a DMARC policy, because a
1153 # legitimate forwarded message without valid/intact/aligned DKIM signature would
1154 # be rejected because any verified SPF domain will be 'unaligned', of the
1155 # forwarding mail server. 2. The sending mail server IP address, and sending EHLO
1156 # and MAIL FROM domains and matching DKIM domain aren't used in future
1157 # reputation-based spam classifications (but other verified DKIM domains are)
1158 # because the forwarding server is not a useful spam signal for future messages.
1162 # Influences spam filtering only, this option does not change whether a message
1163 # matches this ruleset. If this domain matches an SPF- and/or DKIM-verified
1164 # (sub)domain, the message is accepted without further spam checks, such as a junk
1165 # filter or DMARC reject evaluation. DMARC rejects should not apply for mailing
1166 # lists that are not configured to rewrite the From-header of messages that don't
1167 # have a passing DKIM signature of the From-domain. Otherwise, by rejecting
1168 # messages, you may be automatically unsubscribed from the mailing list. The
1169 # assumption is that mailing lists do their own spam filtering/moderation.
1173 # Influences spam filtering only, this option does not change whether a message
1174 # matches this ruleset. If a message is classified as spam, it isn't rejected
1175 # during the SMTP transaction (the normal behaviour), but accepted during the SMTP
1176 # transaction and delivered to the specified mailbox. The specified mailbox is not
1177 # automatically cleaned up like the account global Rejects mailbox, unless set to
1178 # that Rejects mailbox. (optional)
1179 AcceptRejectsToMailbox:
1181 # Mailbox to deliver to if this ruleset matches.
1184 # Free-form comments. (optional)
1187 # If non-empty, incoming delivery attempts to this destination will be rejected
1188 # during SMTP RCPT TO with this error response line. Useful when a catchall
1189 # address is configured for the domain and messages to some addresses should be
1190 # rejected. The response line must start with an error code. Currently the
1191 # following error resonse codes are allowed: 421 (temporary local error), 550
1192 # (user not found). If the line consists of only an error code, an appropriate
1193 # error message is added. Rejecting messages with a 4xx code invites later retries
1194 # by the remote, while 5xx codes should prevent further delivery attempts.
1198 # If non-empty, an additional DMARC-like message authentication check is done for
1199 # incoming messages, validating the domain in the From-header of the message.
1200 # Messages without either an aligned SPF or aligned DKIM pass are rejected during
1201 # the SMTP DATA command with a permanent error code followed by the message in
1202 # this field. The domain in the message 'From' header is matched in relaxed or
1203 # strict mode according to the domain's DMARC policy if present, or relaxed mode
1204 # (organizational instead of exact domain match) otherwise. Useful for
1205 # autoresponders that don't want to accept messages they don't want to send an
1206 # automated reply to. (optional)
1207 MessageAuthRequiredSMTPError:
1209 # Full name to use in message From header when composing messages coming from this
1210 # address with webmail. (optional)
1213 # If configured, messages classified as weakly spam are rejected with instructions
1214 # to retry delivery, but this time with a signed token added to the subject.
1215 # During the next delivery attempt, the signed token will bypass the spam filter.
1216 # Messages with a clear spam signal, such as a known bad reputation, are
1217 # rejected/delayed without a signed token. (optional)
1220 # How long unique values are accepted after generating, e.g. 12h.
1223 # Default maximum total message size in bytes for the account, overriding any
1224 # globally configured default maximum size if non-zero. A negative value can be
1225 # used to have no limit in case there is a limit by default. Attempting to add new
1226 # messages to an account beyond its maximum total size will result in an error.
1227 # Useful to prevent a single account from filling storage. (optional)
1230 # Mail that looks like spam will be rejected, but a copy can be stored temporarily
1231 # in a mailbox, e.g. Rejects. If mail isn't coming in when you expect, you can
1232 # look there. The mail still isn't accepted, so the remote mail server may retry
1233 # (hopefully, if legitimate), or give up (hopefully, if indeed a spammer).
1234 # Messages are automatically removed from this mailbox, so do not set it to a
1235 # mailbox that has messages you want to keep. (optional)
1238 # Don't automatically delete mail in the RejectsMailbox listed above. This can be
1239 # useful, e.g. for future spam training. It can also cause storage to fill up.
1243 # Automatically set $Junk and $NotJunk flags based on mailbox messages are
1244 # delivered/moved/copied to. Email clients typically have too limited
1245 # functionality to conveniently set these flags, especially $NonJunk, but they can
1246 # all move messages to a different mailbox, so this helps them. (optional)
1249 # If enabled, junk/nonjunk flags will be set automatically if they match some of
1250 # the regular expressions. When two of the three mailbox regular expressions are
1251 # set, the remaining one will match all unmatched messages. Messages are matched
1252 # in the order 'junk', 'neutral', 'not junk', and the search stops on the first
1253 # match. Mailboxes are lowercased before matching.
1256 # Example: ^(junk|spam). (optional)
1259 # Example: ^(inbox|neutral|postmaster|dmarc|tlsrpt|rejects), and you may wish to
1260 # add trash depending on how you use it, or leave this empty. (optional)
1261 NeutralMailboxRegexp:
1263 # Example: .* or an empty string. (optional)
1264 NotJunkMailboxRegexp:
1266 # Content-based filtering, using the junk-status of individual messages to rank
1267 # words in such messages as spam or ham. It is recommended you always set the
1268 # applicable (non)-junk status on messages, and that you do not empty your Trash
1269 # because those messages contain valuable ham/spam training information.
1273 # Approximate spaminess score between 0 and 1 above which emails are rejected as
1274 # spam. Each delivery attempt adds a little noise to make it slightly harder for
1275 # spammers to identify words that strongly indicate non-spaminess and use it to
1276 # bypass the filter. E.g. 0.95.
1280 # Track ham/spam ranking for single words. (optional)
1283 # Track ham/spam ranking for each two consecutive words. (optional)
1286 # Track ham/spam ranking for each three consecutive words. (optional)
1289 # Maximum power a word (combination) can have. If spaminess is 0.99, and max power
1290 # is 0.1, spaminess of the word will be set to 0.9. Similar for ham words.
1293 # Number of most spammy/hammy words to use for calculating probability. E.g. 10.
1296 # Ignore words that are this much away from 0.5 haminess/spaminess. E.g. 0.1,
1297 # causing word (combinations) of 0.4 to 0.6 to be ignored. (optional)
1298 IgnoreWords: 0.000000
1300 # Occurrences in word database until a word is considered rare and its influence
1301 # in calculating probability reduced. E.g. 1 or 2. (optional)
1304 # Maximum number of outgoing messages for this account in a 24 hour window. This
1305 # limits the damage to recipients and the reputation of this mail server in case
1306 # of account compromise. Default 1000. (optional)
1307 MaxOutgoingMessagesPerDay: 0
1309 # Maximum number of first-time recipients in outgoing messages for this account in
1310 # a 24 hour window. This limits the damage to recipients and the reputation of
1311 # this mail server in case of account compromise. Default 200. (optional)
1312 MaxFirstTimeRecipientsPerDay: 0
1314 # Do not apply a delay to SMTP connections before accepting an incoming message
1315 # from a first-time sender. Can be useful for accounts that sends automated
1316 # responses and want instant replies. (optional)
1317 NoFirstTimeSenderDelay: false
1319 # If set, this account cannot set a password of their own choice, but can only set
1320 # a new randomly generated password, preventing password reuse across services and
1321 # use of weak passwords. Custom account passwords can be set by the admin.
1323 NoCustomPassword: false
1325 # IMAP capabilities (upper-case) to disable on the connection after
1326 # authentication. Useful if the account uses an email client with an incompatible
1327 # implementation for a capability/extension. (optional)
1328 IMAPCapabilitiesDisabled:
1331 # Routes for delivering outgoing messages through the queue. Each delivery attempt
1332 # evaluates these account routes, domain routes and finally global routes. The
1333 # transport of the first matching route is used in the delivery attempt. If no
1334 # routes match, which is the default with no configured routes, messages are
1335 # delivered directly from the queue. (optional)
1339 # Matches if the envelope from domain matches one of the configured domains, or if
1340 # the list is empty. If a domain starts with a dot, prefixes of the domain also
1345 # Like FromDomain, but matching against the envelope to domain. (optional)
1349 # Matches if at least this many deliveries have already been attempted. This can
1350 # be used to attempt sending through a smarthost when direct delivery has failed
1351 # for several times. (optional)
1355 # Redirect all requests from domain (key) to domain (value). Always redirects to
1356 # HTTPS. For plain HTTP redirects, use a WebHandler with a WebRedirect. (optional)
1360 # Handle webserver requests by serving static files, redirecting, reverse-proxying
1361 # HTTP(s) or passing the request to an internal service. The first matching
1362 # WebHandler will handle the request. Built-in system handlers, e.g. for ACME
1363 # validation, autoconfig and mta-sts always run first. Built-in handlers for
1364 # admin, account, webmail and webapi are evaluated after all handlers, including
1365 # webhandlers (allowing for overrides of internal services for some domains). If
1366 # no handler matches, the response status code is file not found (404). If
1367 # webserver features are missing, forward the requests to an application that
1368 # provides the needed functionality itself. (optional)
1372 # Name to use in logging and metrics. (optional)
1375 # Both Domain and PathRegexp must match for this WebHandler to match a request.
1376 # Exactly one of WebStatic, WebRedirect, WebForward, WebInternal must be set.
1379 # Regular expression matched against request path, must always start with ^ to
1380 # ensure matching from the start of the path. The matching prefix can optionally
1381 # be stripped by WebForward. The regular expression does not have to end with $.
1384 # If set, plain HTTP requests are not automatically permanently redirected (308)
1385 # to HTTPS. If you don't have a HTTPS webserver configured, set this to true.
1387 DontRedirectPlainHTTP: false
1389 # Transparently compress responses (currently with gzip) if the client supports
1390 # it, the status is 200 OK, no Content-Encoding is set on the response yet and the
1391 # Content-Type of the response hints that the data is compressible (text/...,
1392 # specific application/... and .../...+json and .../...+xml). For static files
1393 # only, a cache with compressed files is kept. (optional)
1396 # Serve static files. (optional)
1399 # Path to strip from the request URL before evaluating to a local path. If the
1400 # requested URL path does not start with this prefix and ContinueNotFound it is
1401 # considered non-matching and next WebHandlers are tried. If ContinueNotFound is
1402 # not set, a file not found (404) is returned in that case. (optional)
1405 # Directory to serve files from for this handler. Keep in mind that relative paths
1406 # are relative to the working directory of mox.
1409 # If set, and a directory is requested, and no index.html is present that can be
1410 # served, a file listing is returned. Results in 403 if ListFiles is not set. If a
1411 # directory is requested and the URL does not end with a slash, the response is a
1412 # redirect to the path with trailing slash. (optional)
1415 # If a requested URL does not exist, don't return a file not found (404) response,
1416 # but consider this handler non-matching and continue attempts to serve with later
1417 # WebHandlers, which may be a reverse proxy generating dynamic content, possibly
1418 # even writing a static file for a next request to serve statically. If
1419 # ContinueNotFound is set, HTTP requests other than GET and HEAD do not match.
1420 # This mechanism can be used to implement the equivalent of 'try_files' in other
1421 # webservers. (optional)
1422 ContinueNotFound: false
1424 # Headers to add to the response. Useful for cache-control, content-type, etc. By
1425 # default, Content-Type headers are automatically added for recognized file types,
1426 # unless added explicitly through this setting. For directory listings, a
1427 # content-type header is skipped. (optional)
1431 # Redirect requests to configured URL. (optional)
1434 # Base URL to redirect to. The path must be empty and will be replaced, either by
1435 # the request URL path, or by OrigPathRegexp/ReplacePath. Scheme, host, port and
1436 # fragment stay intact, and query strings are combined. If empty, the response
1437 # redirects to a different path through OrigPathRegexp and ReplacePath, which must
1438 # then be set. Use a URL without scheme to redirect without changing the protocol,
1439 # e.g. //newdomain/. If a redirect would send a request to a URL with the same
1440 # scheme, host and path, the WebRedirect does not match so a next WebHandler can
1441 # be tried. This can be used to redirect all plain http traffic to https.
1445 # Regular expression for matching path. If set and path does not match, a 404 is
1446 # returned. The HTTP path used for matching always starts with a slash. (optional)
1449 # Replacement path for destination URL based on OrigPathRegexp. Implemented with
1450 # Go's Regexp.ReplaceAllString: $1 is replaced with the text of the first
1451 # submatch, etc. If both OrigPathRegexp and ReplacePath are empty, BaseURL must be
1452 # set and all paths are redirected unaltered. (optional)
1455 # Status code to use in redirect, e.g. 307. By default, a permanent redirect (308)
1456 # is returned. (optional)
1459 # Forward requests to another webserver, i.e. reverse proxy. (optional)
1462 # Strip the matching WebHandler path from the WebHandler before forwarding the
1463 # request. (optional)
1466 # URL to forward HTTP requests to, e.g. http://127.0.0.1:8123/base. If StripPath
1467 # is false the full request path is added to the URL. Host headers are sent
1468 # unmodified. New X-Forwarded-{For,Host,Proto} headers are set. Any query string
1469 # in the URL is ignored. Requests are made using Go's net/http.DefaultTransport
1470 # that takes environment variables HTTP_PROXY and HTTPS_PROXY into account.
1471 # Websocket connections are forwarded and data is copied between client and
1472 # backend without looking at the framing. The websocket 'version' and
1473 # 'key'/'accept' headers are verified during the handshake, but other websocket
1474 # headers, including 'origin', 'protocol' and 'extensions' headers, are not
1475 # inspected and the backend is responsible for verifying/interpreting them.
1478 # Headers to add to the response. Useful for adding security- and cache-related
1479 # headers. (optional)
1483 # Pass request to internal service, like webmail, webapi, etc. (optional)
1486 # Path to use as root of internal service, e.g. /webmail/.
1489 # Name of the service, values: admin, account, webmail, webapi.
1492 # Routes for delivering outgoing messages through the queue. Each delivery attempt
1493 # evaluates account routes, domain routes and finally these global routes. The
1494 # transport of the first matching route is used in the delivery attempt. If no
1495 # routes match, which is the default with no configured routes, messages are
1496 # delivered directly from the queue. (optional)
1500 # Matches if the envelope from domain matches one of the configured domains, or if
1501 # the list is empty. If a domain starts with a dot, prefixes of the domain also
1506 # Like FromDomain, but matching against the envelope to domain. (optional)
1510 # Matches if at least this many deliveries have already been attempted. This can
1511 # be used to attempt sending through a smarthost when direct delivery has failed
1512 # for several times. (optional)
1516 # DNS blocklists to periodically check with if IPs we send from are present,
1517 # without using them for checking incoming deliveries.. Also see DNSBLs in SMTP
1518 # listeners in mox.conf, which specifies DNSBLs to use both for incoming
1519 # deliveries and for checking our IPs against. Example DNSBLs: sbl.spamhaus.org,
1520 # bl.spamcop.net. (optional)
1526Mox includes configuration files to illustrate common setups. You can see these
1527examples with "mox config example", and print a specific example with "mox
1528config example <name>". Below are all examples included in mox.
1530# Example webhandlers
1532 # Snippet of domains.conf to configure WebDomainRedirects and WebHandlers.
1534 # Redirect all requests for mox.example to https://www.mox.example.
1536 mox.example: www.mox.example
1538 # Each request is matched against these handlers until one matches and serves it.
1541 # Redirect all plain http requests to https, leaving path, query strings, etc
1542 # intact. When the request is already to https, the destination URL would have the
1543 # same scheme, host and path, causing this redirect handler to not match the
1544 # request (and not cause a redirect loop) and the webserver to serve the request
1545 # with a later handler.
1547 Domain: www.mox.example
1549 # Could leave DontRedirectPlainHTTP at false if it wasn't for this being an
1550 # example for doing this redirect.
1551 DontRedirectPlainHTTP: true
1553 BaseURL: https://www.mox.example
1555 # The name of the handler, used in logging and metrics.
1557 # With ACME configured, each configured domain will automatically get a TLS
1558 # certificate on first request.
1559 Domain: www.mox.example
1560 PathRegexp: ^/who/mjl/
1562 StripPrefix: /who/mjl
1563 # Requested path /who/mjl/inferno/ resolves to local web/mjl/inferno.
1564 # If a directory contains an index.html, it is served when a directory is requested.
1566 # With ListFiles true, if a directory does not contain an index.html, the contents are listed.
1572 Domain: www.mox.example
1573 PathRegexp: ^/redir/a/b/c
1574 # Don't redirect from plain HTTP to HTTPS.
1575 DontRedirectPlainHTTP: true
1577 # Just change the domain and add query string set fragment. No change to scheme.
1578 # Path will start with /redir/a/b/c (and whathever came after) because no
1579 # OrigPathRegexp+ReplacePath is set.
1580 BaseURL: //moxest.example?q=1#frag
1581 # Default redirection is 308 - Permanent Redirect.
1585 Domain: www.mox.example
1588 # Replace path, leaving rest of URL intact.
1589 OrigPathRegexp: ^/old/(.*)
1590 ReplacePath: /new/$1
1593 Domain: www.mox.example
1596 # Strip the path matched by PathRegexp before forwarding the request. So original
1597 # request /app/api become just /api.
1599 # URL of backend, where requests are forwarded to. The path in the URL is kept,
1600 # so for incoming request URL /app/api, the outgoing request URL has path /app-v2/api.
1601 # Requests are made with Go's net/http DefaultTransporter, including using
1602 # HTTP_PROXY and HTTPS_PROXY environment variables.
1603 URL: http://127.0.0.1:8900/app-v2/
1604 # Add headers to response.
1606 X-Frame-Options: deny
1607 X-Content-Type-Options: nosniff
1611 # Snippet for mox.conf, defining a transport called Example that connects on the
1612 # SMTP submission with TLS port 465 ("submissions"), authenticating with
1613 # SCRAM-SHA-256-PLUS (other providers may not support SCRAM-SHA-256-PLUS, but they
1614 # typically do support the older CRAM-MD5).:
1616 # Transport are mechanisms for delivering messages. Transports can be referenced
1617 # from Routes in accounts, domains and the global configuration. There is always
1618 # an implicit/fallback delivery transport doing direct delivery with SMTP from the
1619 # outgoing message queue. Transports are typically only configured when using
1620 # smarthosts, i.e. when delivering through another SMTP server. Zero or one
1621 # transport methods must be set in a transport, never multiple. When using an
1622 # external party to send email for a domain, keep in mind you may have to add
1623 # their IP address to your domain's SPF record, and possibly additional DKIM
1624 # records. (optional)
1627 # Submission SMTP over a TLS connection to submit email to a remote queue.
1630 # Host name to connect to and for verifying its TLS certificate.
1631 Host: smtp.example.com
1633 # If set, authentication credentials for the remote server. (optional)
1635 Username: user@example.com
1638 # Allowed authentication mechanisms. Defaults to SCRAM-SHA-256-PLUS,
1639 # SCRAM-SHA-256, SCRAM-SHA-1-PLUS, SCRAM-SHA-1, CRAM-MD5. Not included by default:
1640 # PLAIN. Specify the strongest mechanism known to be implemented by the server to
1641 # prevent mechanism downgrade attacks. (optional)
1643 - SCRAM-SHA-256-PLUS
1646 # Snippet for domains.conf, specifying a route that sends through the transport:
1648 # Routes for delivering outgoing messages through the queue. Each delivery attempt
1649 # evaluates account routes, domain routes and finally these global routes. The
1650 # transport of the first matching route is used in the delivery attempt. If no
1651 # routes match, which is the default with no configured routes, messages are
1652 # delivered directly from the queue. (optional)
1659// NOTE: DO NOT EDIT, this file is generated by ../gendoc.sh.