1# IMAP4rev1 endpoint23Module 'imap' is a listener that implements IMAP4rev1 protocol and provides4access to local messages storage specified by 'storage' directive.56In most cases, local storage modules will auto-create accounts when they are7accessed via IMAP. This relies on authentication provider used by IMAP endpoint8to provide what essentially is access control. There is a caveat, however: this9auto-creation will not happen when delivering incoming messages via SMTP as10there is no authentication to confirm that this account should indeed be11created.1213## Configuration directives1415```16imap tcp://0.0.0.0:143 tls://0.0.0.0:993 {17 tls /etc/ssl/private/cert.pem /etc/ssl/private/pkey.key18 io_debug no19 debug no20 insecure_auth no21 sasl_login no22 auth pam23 storage &local_mailboxes24 auth_map identity25 auth_map_normalize auto26 storage_map identity27 storage_map_normalize auto28}29```3031### tls _certificate-path_ _key-path_ { ... }32Default: global directive value3334TLS certificate & key to use. Fine-tuning of other TLS properties is possible35by specifying a configuration block and options inside it:3637```38tls cert.crt key.key {39 protocols tls1.2 tls1.340}41```4243See [TLS configuration / Server](/reference/tls/#server-side) for details.4445---4647### proxy_protocol _trusted ips..._ { ... }48Default: not enabled4950Enable use of HAProxy PROXY protocol. Supports both v1 and v2 protocols.51If a list of trusted IP addresses or subnets is provided, only connections52from those will be trusted.5354TLS for the channel between the proxies and maddy can be configured55using a 'tls' directive:56```57proxy_protocol {58 trust 127.0.0.1 ::1 192.168.0.1/2459 tls &proxy_tls60}61```62Note that the top-level 'tls' directive is not inherited here. If you63need TLS on top of the PROXY protocol, securing the protocol header,64you must declare TLS explicitly.6566---6768### io_debug _boolean_69Default: `no`7071Write all commands and responses to stderr.7273---7475### io_errors _boolean_76Default: `no`7778Log I/O errors.7980---8182### debug _boolean_83Default: global directive value8485Enable verbose logging.8687---8889### insecure_auth _boolean_90Default: `no` (`yes` if TLS is disabled)9192Allow plain-text authentication over unencrypted connections.9394---9596### sasl_login _boolean_97Default: `no`9899Enable support for SASL LOGIN authentication mechanism used by100some outdated clients.101102---103104### auth _module-reference_105**Required.**106107Use the specified module for authentication.108109---110111### storage _module-reference_112**Required.**113114Use the specified module for message storage.115116---117118### storage_map _module-reference_119Default: `identity`120121Use the specified table to map SASL usernames to storage account names.122123Before username is looked up, it is normalized using function defined by124`storage_map_normalize`.125126This directive is useful if you want users user@example.org and user@example.com127to share the same storage account named "user". In this case, use128129```130 storage_map email_localpart131```132133Note that `storage_map` does not affect the username passed to the134authentication provider.135136It also does not affect how message delivery is handled, you should specify137`delivery_map` in storage module to define how to map email addresses138to storage accounts. E.g.139140```141 storage.imapsql local_mailboxes {142 ...143 delivery_map email_localpart # deliver "user@*" to mailbox for "user"144 }145```146147---148149### storage_map_normalize _function_150Default: `auto`151152Same as `auth_map_normalize` but for `storage_map`.153154---155156### auth_map_normalize _function_157Default: `auto`158159Overrides global `auth_map_normalize` value for this endpoint.160161See [Global configuration](/reference/global-config) for details.162163164