Dovecot

Options ☜

Global doveadm(1) options:

-D

Enables verbosity and debug messages.

-f formatter

Specifies the formatter for formatting the output. Supported formatters are:

flow

prints each line with key=value pairs.

pager

prints each key: value pair on its own line and separates records with form
feed character (^L).

tab

prints a table header followed by tab separated value lines.

table

prints a table header followed by adjusted value lines.

-o setting=value

Overrides the configuration setting from /etc/dovecot/dovecot.conf and from the
userdb with the given value. In order to override multiple settings, the -o option
may be specified multiple times.

-v

Enables verbosity, including progress counter.

This command uses by default the output formatter flow (without the key=
prefix).

Command specific options:

-a replicator_socket_path

This option is used to specify an absolute path to an alternative UNIX domain socket.

By default doveadm(1) will use the socket
/var/run/dovecot/replicator-doveadm. The socket may be located in another directory, when
the default base_dir setting was overridden in /etc/dovecot/dovecot.conf.

Options ☜

Global doveadm(1) options:

-D

Enables verbosity and debug messages.

-o setting=value

Overrides the configuration setting from /etc/dovecot/dovecot.conf and from the
userdb with the given value. In order to override multiple settings, the -o option
may be specified multiple times.

-v

Enables verbosity, including progress counter.

Command specific options:

-a userdb_socket_path

This option is used to specify an absolute path to an alternative UNIX domain socket.

By default doveadm(1) will use the socket
/var/run/dovecot/auth-userdb. The socket may be located in another directory, when the
default base_dir setting was overridden in /etc/dovecot/dovecot.conf.

-f field

When this option and the name of a userdb field is given, doveadm(1) will show only the value of the specified field.

-u

When this option is given, doveadm(1) will only show values
from the userdb. Without -u parameter if any of the uid, gid, home or
mail fields are missing, their defaults are taken from configuration file.

-x auth_info

auth_info specifies additional conditions for the user command. The
auth_info option string has to be given as name=value pair. For
multiple conditions the -x option could be supplied multiple times.
Possible names for the auth_info are:

service

The service for which the userdb lookup should be tested. The value may be the name of a
service, commonly used with Dovecot. For example: imap, pop3 or
smtp.

lip

The local IP address (server) for the test.

rip

The remote IP address (client) for the test.

lport

The local port, e.g. 143

rport

The remote port, e.g. 24567

Options ☜

-a

Dump all configuration settings to stdout and exit successfully. The same as
doveconf -a.

-c config-file

Start dovecot with an alternative configuration.

-F

Run dovecot in foreground, do not daemonize.

-n

Dump non-default settings to stdout and exit successfully. The same as
doveconf -n.

-p

Prompt for the ssl key password for the configured ssl_key on startup.

—build-options

Show Dovecot’s build options and exit successfully.

—help

Print a usage message to stdout and exit successfully.

—hostdomain

Shows the current host.domain name of the system. If the domain lookup should
fail for some reason, only the hostname will be shown.

—version

Show Dovecot’s version and exit successfully.

dovecot.conf

While still in /usr/local/etc, open dovecot.conf in a text editor.

        base_dir = /var/run/dovecot/

This was created for you during installation.

        protocols = imap

You can add other protocols if you want. This setup only uses IMAP.

protocol imap {
        listen = *:143
}

Dovecot listens on port 143 by default, so the port setting isn’t necessary unless you want to use a different port. According to the documentation, * causes Dovecot to listen on all available IP4 interfaces. If your IMAP box is also your Internet gateway, and you’re not offering mail services externally, then you probably don’t want that. If you specify your LAN interface, Dovecot may continue to listen at localhost, but you can’t count on it. If your host name isn’t exposed externally, then you can use

protocol imap {
        listen = wibblemailhost:143
}

Otherwise use

protocol imap {
        listen = 192.168.15.23:143
}

        ssl_disable = yes

If you have this set to yes, you can ignore the SSL settings that follow in dovecot.conf.

        login_dir = /var/run/dovecot/login
        login_chroot = yes
        login_user = dovecot
        verbose_proctitle = yes

The above are all part of the default conf file.

        first_valid_uid = 3000
        last_valid_uid = 3000

If you are assigning the postoffice UID number to all mail accounts, you can restrict access to only that UID number. See mention of mail_uid above.

        first_valid_gid = 8
        last_valid_gid = 8

        mail_location = mbox:/var/mail/%u

or

        mail_location = maildir:/var/mail/%u

        client_workarounds = oe6-fetch-no-newmail outlook-idle

We don’t use Outlook or Outlook Express. However, someone may decide to use an MS mail client in the future, and leaving this in place does no harm.

        mail_save_crlf = no

My IMAP box really doesn’t work very hard, so I don’t think it matters how this is set. If your mail server gets hammered regularly, you may want to play with this and see if it makes a difference in speed.

        maildir_copy_with_hardlinks = yes

«yes» is supposed to be faster. See the comments in the config file for the tradeoffs.

        mbox_read_locks = fcntl
        mbox_write_locks = fcntl

I also tried flock and dotlock, and they work FBSD. This is the preferred setting, if it works on your system. Locking should not be necessary for Maildir setups.

auth default {
        mechanisms = plain

«plain» seems more likely to work under more circumstances.

        passdb ldap {
           args = /usr/local/etc/dovecot-ldap.conf
        }
        userdb ldap {
           args = /usr/local/etc/dovecot-ldap.conf
        }

If you need to switch to passwd authentication for testing, change this to

        passdb passwd {
        }
        userdb passwd {
        }

        user = dovecot-auth

If you need to switch to passwd authentication for testing, change this to

        user = root

        auth_verbose = yes

If you have to debug your configuration, you’ll want as much information as possible.

Ubuntu config files

These are two full config files used on Ubuntu —

        # /etc/dovecot/dovecot.conf
        protocols = imap imaps
        log_timestamp = "%Y-%m-%d %H:%M:%S "
        first_valid_uid = 100
        mail_debug = yes
        mail_location = /var/mail/%u/Maildir

        auth default {
            mechanisms = plain
            passdb ldap {
                args = /etc/dovecot/dovecot-ldap.conf
            }
            userdb ldap {
                args = /etc/dovecot/dovecot-ldap.conf
            }
        }

For LDAP configuration,

        auth_bind = yes
        auth_bind_userdn = uid=%u,ou=People,dc=_WIZZY_HOSTNAME_,ou=wizzy
        ldap_version = 3
        base = ou=People,dc=_WIZZY_HOSTNAME_,ou=wizzy
        scope = subtree
        user_attrs = homeDirectory=home
        user_filter = (&(objectClass=posixAccount)(uid=%u))
        mail_uid = dovecot
        mail_gid = mail

Examples

Dynamic passwd-file locations

mail_location = maildir:/home/%d/%n/Maildir
passdb {
  driver = passwd-file
  args = username_format=%n /home/%d/etc/shadow
}
userdb {
  driver = passwd-file
  args = username_format=%n /home/%d/etc/passwd
}

In the above examples users are expected to log in as «user@domain». Their mail is kept in their home directory at /home/<domain>/<username>/Maildir.

The usernames in the passwd and shadow files are expected to contain only the user part, no domain. This is because the path itself already contained %d to specify the domain. If you want the files to contain full user@domain names, you can use username_format=%u.

static userdb

Many people store only usernames and passwords in their database and don’t want to deal with UIDs or GIDs. In that case the easiest way to get Dovecot running is to use the static userdb:

mail_location = maildir:~/Maildir
passdb {
  driver = pam
}
userdb {
  driver = static
  args = uid=vmail gid=vmail home=/var/mail/virtual/%d/%n
}

Commands ☜

Replicator Add

doveadm replicator add [-a replicator_socket_path] user_mask

Add the specified user(s) to the replicator. If the user_mask contains «?» or
«*» wildcards, the list of usernames is looked up from the userdb.

Replicator Dsync-Status

doveadm replicator dsync-status [-a replicator_socket_path]

Show the status for the currently running dsync processes.

doveadm replicator remove [-a replicator_socket_path] username

Remove the specified user from replicator.

Replicator Replicate

doveadm replicator replicate [-a replicator_socket_path] [-f]
[-p priority] user_mask

Start replication for the specified users now. If the -f parameter is given, full replication is
done for the user. You can also specify the priority, which can be either high or low. If
the user mask contains «?» or «*» wildcards, the list of usernames is looked up
from the users that currently exist in replicator (not from the userdb).

Virtual users

With a lookup

Give the destination username to dovecot-lda with -d parameter, for example:

dovecot-lda -f $FROM_ENVELOPE -d $DEST_USERNAME

You’ll need to set up a auth-userdb socket for dovecot-lda so it knows where to find mailboxes for the users:

service auth {
  unix_listener auth-userdb {
    mode = 0600
    user = vmail # User running dovecot-lda
    #group = vmail # Or alternatively mode 0660 + dovecot-lda user in this group
  }
}

The auth-userdb socket can be used to do userdb lookups for given usernames or get a list of all users. Typically the result will contain the user’s UID, GID and home directory, but depending on your configuration it may return other information as well. So the information is similar to what can be found from eg. /etc/passwd for system users. This means that it’s probably not a problem to use mode=0666 for the socket, but you should try to restrict it more just to be safe.

Without a lookup

If you have already looked up the user’s home directory and you don’t need a userdb lookup for any other reason either (such as overriding settings for specific users), you can run dovecot-lda similar to how it’s run for system users:

HOME=/path/to/user/homedir dovecot-lda -f $FROM_ENVELOPE

This way you don’t need to have a master listener socket. Note that you should verify the user’s existence prior to running dovecot-lda, otherwise you’ll end up having mail delivered to nonexistent users as well.

You must have set the proper UID (and GID) before running dovecot-lda. It’s not possible to run dovecot-lda as root without -d parameter.

Multiple UIDs

If you’re using more than one UID for users, you’re going to have problems running dovecot-lda, as most MTAs won’t let you run dovecot-lda as root. Best solution is to use LMTP instead, but if you can’t do that, there are two ways to work around this problem:

1. Make dovecot-lda setuid-root.
2. Use sudo to wrap the invocation of dovecot-lda.

Making dovecot-lda setuid-root:

Beware: it’s insecure to make dovecot-lda setuid-root, especially if you have untrusted users in your system. Setuid-root dovecot-lda can be used to gain root privileges. You should take extra steps to make sure that untrusted users can’t run it and potentially gain root privileges. You can do this by making sure only your MTA has execution access to it. For example:

# chgrp secmail /usr/local/libexec/dovecot/dovecot-lda
# chmod 04750 /usr/local/libexec/dovecot/dovecot-lda
# ls -l /usr/local/libexec/dovecot/dovecot-lda
-rwsr-x--- 1 root secmail 4023932 2010-06-15 16:23 dovecot-lda

Then start dovecot-lda as a user that belongs to secmail group. Note that you have to recreate these rights after each update of dovecot.

Using sudo:

Alternatively, you can use sudo to wrap the invocation of dovecot-lda. This has the advantage that updates will not clobber the setuid bit, but note that it is just as insecure being able to run dovecot-lda via sudo as setuid-root. Make sure you only give your MTA the ability to invoke dovecot-lda via sudo.

First configure sudo to allow ‘dovelda’ user to invoke dovecot-lda by adding the following to your /etc/sudoers:

Defaults:dovelda !syslog
dovelda          ALL=NOPASSWD:/usr/local/libexec/dovecot/dovecot-lda

Then configure your MTA to invoke dovecot-lda as user ‘dovelda’ and via sudo:

/usr/bin/sudo /usr/local/libexec/dovecot/dovecot-lda

instead of just plain /usr/local/libexec/dovecot/dovecot-lda.

Per-user quota

You can override quota rules in your userdb’s extra fields. Keep all the global settings in plugin section and override only those settings you need to in your userdb.

If you’re wondering why per-user quota isn’t working:

• Check that dovecot-lda is called with -d parameter.

• Check that you’re not using userdb static.

• Check that quota_rule setting is properly returned by userdb. Enable auth_debug=yes and mail_debug=yes to see this.

For example:

plugin {
  quota = maildir:User quota
  quota_rule = *:storage=1G
  quota_rule2 = Trash:storage=+100M
}

Next override the default 1GB quota for users:

LDAP

Quota limit is in quotaBytes field:

user_attrs = homeDirectory=home, quotaBytes=quota_rule=*:bytes=%$

Remember that user_attrs is used only if you use userdb ldap.

MySQL

user_query = SELECT uid, gid, home, \
  concat('*:bytes=', quota_limit_bytes) AS quota_rule \
  FROM users WHERE userid = '%u'

# MySQL with userdb prefetch: Remember to prefix quota_rule with userdb_
# (just like all other userdb extra fields):
password_query = SELECT userid AS user, password, \
  uid AS userdb_uid, gid AS userdb_gid, \
  concat('*:bytes=', quota_limit_bytes) AS userdb_quota_rule \
  FROM users WHERE userid = '%u'

Remember that user_query is used only if you use userdb sql.

PostgreSQL, SQLite

user_query = SELECT uid, gid, home, \
  '*:bytes=' || quota_limit_bytes AS quota_rule \
  FROM users WHERE userid = '%u'

Remember that user_query is used only if you use userdb sql.

passwd-file

Example passwd-file entries:

user:{plain}pass:1000:1000::/home/user::userdb_quota_rule=*:bytes=100M
user2:{plain}pass2:1001:1001::/home/user2::userdb_quota_rule=*:bytes=200M
user3:{plain}pass3:1002:1002::/home/user3::userdb_mail=maildir:~/Maildir userdb_quota_rule=*:bytes=300M

passwd

The passwd userdb doesn’t support extra fields. That’s why you can’t directly set users’ quota limits to passwd file. One possibility would be to write a script that reads quota limits from another file, merges them with passwd file and produces another passwd-file, which you could then use with Dovecot’s userdb passwd-file.

Настройка Postfix[править]

apt-get install postfix-ldap

Изменение файловправить

В каталоге /etc/postfix изменяем файлы для домена test.alt:

main.cfправить

# Global Postfix configuration file.  This file lists only a small subset
# of all parameters.  For the syntax, and for a complete parameter list,
# see the postconf(5) manual page.  For a commented and more complete
# version of this file see /etc/postfix/main.cf.dist
mailbox_command = /usr/libexec/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT"
inet_protocols = ipv4

# Mappings
virtual_mailbox_base = /var/mail
virtual_mailbox_domains = test.alt
virtual_mailbox_maps = ldap:/etc/postfix/ad_local_recipients.cf
virtual_alias_maps = ldap:/etc/postfix/ad_mail_groups.cf
virtual_transport = dovecot
local_transport = virtual
local_recipient_maps = $virtual_mailbox_maps

# SSL/TLS
smtpd_use_tls = yes
smtpd_tls_security_level = encrypt
#smtpd_tls_security_level = may
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = test.alt
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = ldap:/etc/postfix/ad_sender_login.cf
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /var/lib/ssl/certs/dovecot.cert
smtpd_tls_key_file = /var/lib/ssl/private/dovecot.key
smtpd_tls_CAfile = /var/lib/ssl/certs/dovecot.pem

smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, permit_sasl_authenticated, reject
smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch

Внимание! Файл /etc/postfix/mydestination должен быть пустым

master.cfправить

В файл master.cf необходимо добавить:

dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=mail:mail argv=/usr/libexec/dovecot/deliver -d ${recipient}
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

ad_local_recipients.cfправить

version = 3
server_host = test.alt:389
search_base = dc=test,dc=alt
scope = sub
query_filter = (&(|(mail=%s)(otherMailbox=%u@%d))(sAMAccountType=805306368))
result_filter = %s
result_attribute = mail
special_result_attribute = member

bind = yes
bind_dn = cn=vmail,cn=users,dc=test,dc=alt
bind_pw = Pa$$word

ad_mail_groups.cfправить

version = 3
server_host = test.alt:389
search_base = dc=test,dc=alt
timeout = 3
scope = sub
query_filter = (&(mail=%s)(sAMAccountType=268435456))
result_filter = %s
result_attribute = mail
special_result_attribute = member

bind = yes
bind_dn = cn=vmail,cn=users,dc=test,dc=alt
bind_pw = Pa$$word

ad_sender_login.cfправить

version = 3
server_host = test.alt:389
search_base = dc=test,dc=alt
scope = sub
query_filter = (&(objectClass=user)(|(sAMAccountName=%s)(mail=%s)))
result_attribute = mail

bind = yes
bind_dn = cn=vmail,cn=users,dc=test,dc=alt
bind_pw = Pa$$word

Тестируем работуправить

Проверка конфигурации Postfix (не должно быть никаких сообщений:

# postconf >/dev/null

Проверка пользователя почты petrov:

# postmap -q petrov@test.alt ldap:/etc/postfix/ad_local_recipients.cf
petrov@test.alt

Проверка входа:

# postmap -q petrov@test.alt ldap:/etc/postfix/ad_sender_login.cf
petrov@test.alt

# samba-tool group add --mail-address=sales@test.alt Sales
Added group Sales
# samba-tool group addmembers Sales ivanov,petrov
Added members to group Sales
# postmap -q sales@test.alt ldap:/etc/postfix/ad_mail_groups.cf
sales@test.alt,ivanov@test.alt,petrov@test.alt

service postfix restart

Quota for private namespaces

You can create a separate namespace-specific quota for a folder hierarchy. This is done by adding another namespace and the :ns=<namespace prefix> parameter to quota setting. For example you could have something like:

namespace {
  type = private
  prefix = Archive/
  #location = ..
}

plugin {
  # Maildir quota
  quota = maildir:User quota:ns=
  quota2 = maildir:Archive quota:ns=Archive/

  # Dict quota
  #quota = dict:User quota:%u.default:ns=:proxy::quota
  #quota2 = dict:Archive quota:%u.archive:ns=Archive/:proxy::quota

  #quota_rules and quota2_rules..
}

Note: If you’re using dict quota, you need to make sure that the quota of the Archive namespace is calculated for another «user» than the default namespace. Either track different namespaces in different backends or make sure the users differs. %u.archive defines <username>.archive as key to track quota for the Archive namespace, the %u.default tracks the quota of other folders. See Variables for further help on variables.

Задача[править]

Настроить почтовую систему на базе Postfix и Dovecot для работы с базой пользователей Active Directory.

Параметр	Значение
Имя домена	test.alt
Размещение почты	/var/mail/<имя домена>/<имя пользователя> (формат maildir)
Доступ на чтение почты	IMAP (порт 993), SSL
Доступ на отправку почты	SMTP (порт 465), SSL/STARTTLS
Данные аутентификации:	Полный email с доменом (например, petrov@test.alt) или имя пользователя
Журнал работы	/var/log/maillog

Принятые ограниченияправить

В текущей конфигурации не рассматриваются многодоменные конфигурации;
Доступ к службам реализован только с помощью SSL по соображениям безопасности;
Уровень домена и леса Active Directory должен быть не выше Windows 2008 R2;
В данной версии инструкции не рассматривается конфигурация для подключения Microsoft Exchange на основе MAPI или EWS;
Для подключения в данной конфигурации можно использовать Microsoft Outlook версии, начиная с 2003 в режиме подключения почты по IMAP;

Внимание! Доступ к серверу LDAP осуществляется по протоколу ldap без шифрования. Для SambaDC отключите обязательный ldaps в /etc/samba/smb.conf в секции : ldap server require strong auth = no

Configure startup

On Ubuntu, installing slapd is sufficient to start it, and have it start on reboot. It runs as root. Proceed to Configuration.

Run as root, listen on all interfaces

This is the simplest set up. I recommed this for your initial set up and testing. Running as root is a security risk, so you probably want to change this before making the the server available to users.

The first step is to go to /etc/rc.conf and add the following line.

slapd_enable="YES"

This will cause the OS to look for slapd.sh and run it at bootup.

Go to /usr/local/etc/rc.d, and copy slapd.sh.sample to slapd.sh. (Yes, Virginia, there is a slap daemon.) Open the file in a text editor. If you have the following line

        # Uncomment one of the following:

ignore it. Comment out the following line if you have it.

        slapd_args="-u ldap -g ldap"

Save your changes and close the text editor.

Run as normal user, listen at specified sockets

Create a new user and group named «ldap». ldap needs access to the configuration file and the database.

chown ldap:ldap /usr/local/etc/openldap/slapd.conf
chown -R ldap:ldap /var/db/openldap-data

Add the following to /etc/rc.conf.

slapd_args="-u ldap -g ldap"

slapd_args='-u ldap -g ldap -h "ldap://localhost/ ldap://<Internal IP address>/ ldapi://%2fvar%2frun%2fopenldap%2fldapi/????x-mod=0777"'

The ldapi specification is for Unix domain sockets. See the slapd man page.

Arguments ☜

user_mask

Specifies for which users the command should be executed. In most cases you would like to use
patterns which contains wildcards, e.g. \*@example.net for all users of the example.net domain, or
simply \* for all users.

When the SQL userdb module is used make sure that the iterate_query setting in
/etc/dovecot/dovecot-sql.conf.ext matches your database layout. When using the LDAP userdb
module, make sure that the iterate_attrs and iterate_filter settings in
/etc/dovecot/dovecot-ldap.conf.ext match your LDAP schema. Otherwise doveadm(1) will be unable to iterate over all users.

Install

If you are going to use CRYPT password hashing as the default in OpenLDAP (this is compatible with Dovecot), then you will need to add the —enable-crypt option to the CONFIGRE_ARGS variable in the Makefile so that OpenLDAP will compile with CRYPT support. If you don’t do this, OpenLDAP may actually work for a while, but then one day you’ll restart the server and OpenLDAP will refuse to run until you remove the CRYPT setting from slapd.conf, which means the user passwords won’t work.

On BSD, if you have portupgrade installed, the simplest way to install OpenLDAP is by using the portinstall tool.

        # portinstall openldap21

On Ubuntu, use apt-get (or aptitude).

        % sudo apt-get install slapd

The instructions for configuring OpenLDAP, including a Quick Install Guide, are at

http://www.openldap.org

On BSD, OpenLDAP appears to be difficult to install properly. My first two attempts were unsuccessful. The FreeBSD port includes Perl scripts that run tests to ensure that the installation succeeded. Even though the installation passed the tests, it couldn’t be configured to work properly. On my third attempt, OpenLDAP worked but attempts to limit access to specified attributes caused OpenLDAP to refuse access to all attributes. On my fourth attempt, OpenLDAP ignored any attempts to limit access to specified attributes. While searching for information, I found a posting that commented that every installation of OpenLDAP on FreeBSD 4.8 requires its own config file; each installation behaves differently and the config file has to be tuned to the individual installation. You may need to install a few times before you get a usable installation of OpenLDAP.

On Ubuntu, it worked fine.

Search Keys ☜

The following search keys from the specification of IMAP version 4 revision 1 (see: RFC 3501,
section 6.4.4) are supported:

sequence-set

Matches messages with the given sequence numbers. The sequence-set may be a single UID.
Can be a sequence range, written as from:to, e.g. 100:125. As
comma separated list of sequences, e.g. 11,50,4. It’s also possible to combine multiple
sequences, e.g. 1,3,5,7,10:20. Using * selects the last mail in the mailbox.
For example 1:100 matches the first 100 mails and 101:200 the next second hundred mails. 1,5,*
matches the first, the fifth and the last email.

ALL

Matches all messages.

ANSWERED

Matches messages with the IMAP flag \Answered set.

BCC string

Matches messages, which contain string in the BCC field of the message’s IMAP
envelope structure.

BEFORE date specification

Matches messages with an internal date before date specification.

BODY string

Matches messages, which contain string in the body part.

CC string

Matches messages, which contain string in the CC field of the message’s IMAP
envelope structure.

DELETED

Matches messages with the IMAP flag \Deleted set.

DRAFT

Matches messages with the IMAP flag \Draft set.

FLAGGED

Matches messages with the IMAP flag \Flagged set.

FROM string

Matches messages, which contain string in the FROM field of the message’s IMAP
envelope structure.

HEADER field string

Matches messages, which either have the named header field, when empty string was
given. Or messages, where the given header field‘s value contains the specified
string.

KEYWORD keyword

Matches messages with the given IMAP keyword (e.g. $Forwarded) flag set.

LARGER size

Matches messages that are larger than the specified size.

MAILBOX name

Matches messages in the mailbox with the specified name.

MAILBOX-GUID guid

Matches messages in the mailbox with the specified guid.

NEW

Matches messages, which have the IMAP flag \Recent set but not the IMAP flag \Seen.

NOT search key

Inverse matching — matches massages, where the search doesn’t match the specified
search key or its value.

OLD

Matches messages, which do not have the IMAP flag \Recent set.

ON date specification

Matches messages whose internal date matches the given date specification.

search key OR search key

Matches messages where one of the OR-ed search keys matches.
Note: IMAP4rev1 uses the syntax: OR search key search key

RECENT

Matches messages with the IMAP flag \Recent set.

SEEN

Matches messages with the IMAP flag \Seen set.

SENTBEFORE date specification

Matches messages with a Date: header before date specification.

SENTON date specification

Matches messages with a Date: header matching the given date specification.

SENTSINCE date specification

Matches messages with a Date: header matching or after the given
date specification.

SINCE date specification

Matches messages whose internal date is within or after the given
date specification.

SMALLER size

Matches messages with a size smaller than the given size.

SUBJECT string

Matches messages, which contain string in the SUBJECT field of the message’s IMAP
envelope structure.

TEXT string

Matches messages, which contain string in the message body.

TO string

Matches messages, which contain string in the TO field of the message’s IMAP
envelope structure.

UID sequence-set

Matches messages with the given IMAP UID(s). See the sequence-set description for
details on it. For example 1:10,100:200,* matches the UIDs from 1 to 10, 100 to 200 and also
the last mail.

UNANSWERED

Matches messages, which do not have the IMAP flag \Answered set.

UNDELETED

Matches messages, which do not have the IMAP flag \Deleted set.

UNDRAFT

Matches messages, which do not have the IMAP flag \Draft set.

UNFLAGGED

Matches messages, which do not have the IMAP flag \Flagged set.

UNKEYWORD keyword

Matches messages, which do not have the given IMAP keyword flag set

UNSEEN

Matches messages, which do not have the IMAP flag \Seen set.

Doveadm Search Keys

Additional search keys, provided by doveadm(1).

SAVEDBEFORE date specification

Matches messages, which were saved before date specification.

SAVEDON date specification

Matches messages whose save date matches the given date specification.

SAVEDSINCE date specification

Matches messages with a save date matching or after the given
date specification.