sample_config.yaml

# This defaults to True, otherwise VoIP will be unreliable for guests.
# However, it does introduce a slight security risk as it allows users to
# connect to arbitrary endpoints without having first signed up for a
# valid account (e.g. by passing a CAPTCHA).
#
#turn_allow_guests: true


## Registration ##
#
# Registration can be rate-limited using the parameters in the "Ratelimiting"
# section of this file.

# Enable registration for new users.
#
#enable_registration: false

# Optional account validity configuration. This allows for accounts to be denied
# any request after a given period.
#
# Once this feature is enabled, Synapse will look for registered users without an
# expiration date at startup and will add one to every account it found using the
# current settings at that time.
# This means that, if a validity period is set, and Synapse is restarted (it will
# then derive an expiration date from the current validity period), and some time
# after that the validity period changes and Synapse is restarted, the users'
# expiration dates won't be updated unless their account is manually renewed. This
# date will be randomly selected within a range [now + period - d ; now + period],
# where d is equal to 10% of the validity period.
#
account_validity:
  # The account validity feature is disabled by default. Uncomment the
  # following line to enable it.
  #
  #enabled: true

  # The period after which an account is valid after its registration. When
  # renewing the account, its validity period will be extended by this amount
  # of time. This parameter is required when using the account validity
  # feature.
  #
  #period: 6w

  # The amount of time before an account's expiry date at which Synapse will
  # send an email to the account's email address with a renewal link. By
  # default, no such emails are sent.
  #
  # If you enable this setting, you will also need to fill out the 'email' and
  # 'public_baseurl' configuration sections.
  #
  #renew_at: 1w

  # The subject of the email sent out with the renewal link. '%(app)s' can be
  # used as a placeholder for the 'app_name' parameter from the 'email'
  # section.
  #
  # Note that the placeholder must be written '%(app)s', including the
  # trailing 's'.
  #
  # If this is not set, a default value is used.
  #
  #renew_email_subject: "Renew your %(app)s account"

  # Directory in which Synapse will try to find templates for the HTML files to
  # serve to the user when trying to renew an account. If not set, default
  # templates from within the Synapse package will be used.
  #
  #template_dir: "res/templates"

  # File within 'template_dir' giving the HTML to be displayed to the user after
  # they successfully renewed their account. If not set, default text is used.
  #
  #account_renewed_html_path: "account_renewed.html"

  # File within 'template_dir' giving the HTML to be displayed when the user
  # tries to renew an account with an invalid renewal token. If not set,
  # default text is used.
  #
  #invalid_token_html_path: "invalid_token.html"

# Time that a user's session remains valid for, after they log in.
#
# Note that this is not currently compatible with guest logins.
#
# Note also that this is calculated at login time: changes are not applied
# retrospectively to users who have already logged in.
#
# By default, this is infinite.
#
#session_lifetime: 24h

# The user must provide all of the below types of 3PID when registering.
#
#registrations_require_3pid:
#  - email
#  - msisdn

# Explicitly disable asking for MSISDNs from the registration
# flow (overrides registrations_require_3pid if MSISDNs are set as required)
#
#disable_msisdn_registration: true

# Mandate that users are only allowed to associate certain formats of
# 3PIDs with accounts on this server.
#
#allowed_local_3pids:
#  - medium: email
#    pattern: '.*@matrix\.org'
#  - medium: email
#    pattern: '.*@vector\.im'
#  - medium: msisdn
#    pattern: '\+44'

# Enable 3PIDs lookup requests to identity servers from this server.
#
#enable_3pid_lookup: true

# If set, allows registration of standard or admin accounts by anyone who
# has the shared secret, even if registration is otherwise disabled.
#
#registration_shared_secret: <PRIVATE STRING>

# Set the number of bcrypt rounds used to generate password hash.
# Larger numbers increase the work factor needed to generate the hash.
# The default number is 12 (which equates to 2^12 rounds).
# N.B. that increasing this will exponentially increase the time required
# to register or login - e.g. 24 => 2^24 rounds which will take >20 mins.
#
#bcrypt_rounds: 12

# Allows users to register as guests without a password/email/etc, and
# participate in rooms hosted on this server which have been made
# accessible to anonymous users.
#
#allow_guest_access: false

# The identity server which we suggest that clients should use when users log
# in on this server.
#
# (By default, no suggestion is made, so it is left up to the client.
# This setting is ignored unless public_baseurl is also set.)
#
#default_identity_server: https://matrix.org

# The list of identity servers trusted to verify third party
# identifiers by this server.
#
# Also defines the ID server which will be called when an account is
# deactivated (one will be picked arbitrarily).
#
# Note: This option is deprecated. Since v0.99.4, Synapse has tracked which identity
# server a 3PID has been bound to. For 3PIDs bound before then, Synapse runs a
# background migration script, informing itself that the identity server all of its
# 3PIDs have been bound to is likely one of the below.
#
# As of Synapse v1.4.0, all other functionality of this option has been deprecated, and
# it is now solely used for the purposes of the background migration script, and can be
# removed once it has run.
#trusted_third_party_id_servers:
#  - matrix.org
#  - vector.im

# Handle threepid (email/phone etc) registration and password resets through a set of
# *trusted* identity servers. Note that this allows the configured identity server to
# reset passwords for accounts!
#
# Be aware that if `email` is not set, and SMTP options have not been
# configured in the email config block, registration and user password resets via
# email will be globally disabled.
#
# Additionally, if `msisdn` is not set, registration and password resets via msisdn
# will be disabled regardless. This is due to Synapse currently not supporting any
# method of sending SMS messages on its own.
#
# To enable using an identity server for operations regarding a particular third-party
# identifier type, set the value to the URL of that identity server as shown in the
# examples below.
#
# Servers handling the these requests must answer the `/requestToken` endpoints defined
# by the Matrix Identity Service API specification:
# https://matrix.org/docs/spec/identity_service/latest
#
# If a delegate is specified, the config option public_baseurl must also be filled out.
#
account_threepid_delegates:
    #email: https://example.com     # Delegate email sending to example.com
    #msisdn: http://localhost:8090  # Delegate SMS sending to this local process

# Whether users are allowed to change their displayname after it has
# been initially set. Useful when provisioning users based on the
# contents of a third-party directory.
#
# Does not apply to server administrators. Defaults to 'true'
#
#enable_set_displayname: false

# Whether users are allowed to change their avatar after it has been
# initially set. Useful when provisioning users based on the contents
# of a third-party directory.
#
# Does not apply to server administrators. Defaults to 'true'
#
#enable_set_avatar_url: false

# Whether users can change the 3PIDs associated with their accounts
# (email address and msisdn).
#
# Defaults to 'true'
#
#enable_3pid_changes: false

# Users who register on this homeserver will automatically be joined
# to these rooms
#
#auto_join_rooms:
#  - "#example:example.com"

# Where auto_join_rooms are specified, setting this flag ensures that the
# the rooms exist by creating them when the first user on the
# homeserver registers.
# Setting to false means that if the rooms are not manually created,
# users cannot be auto-joined since they do not exist.
#
#autocreate_auto_join_rooms: true

# When auto_join_rooms is specified, setting this flag to false prevents
# guest accounts from being automatically joined to the rooms.
#
# Defaults to true.
#
#auto_join_rooms_for_guests: false


## Metrics ###

# Enable collection and rendering of performance metrics
#
#enable_metrics: false

# Enable sentry integration
# NOTE: While attempts are made to ensure that the logs don't contain
# any sensitive information, this cannot be guaranteed. By enabling
# this option the sentry server may therefore receive sensitive
# information, and it in turn may then diseminate sensitive information
# through insecure notification channels if so configured.
#
#sentry:
#    dsn: "..."

# Flags to enable Prometheus metrics which are not suitable to be
# enabled by default, either for performance reasons or limited use.
#
metrics_flags:
    # Publish synapse_federation_known_servers, a gauge of the number of
    # servers this homeserver knows about, including itself. May cause
    # performance problems on large homeservers.
    #
    #known_servers: true

# Whether or not to report anonymized homeserver usage statistics.
#
#report_stats: true|false

# The endpoint to report the anonymized homeserver usage statistics to.
# Defaults to https://matrix.org/report-usage-stats/push
#
#report_stats_endpoint: https://example.com/report-usage-stats/push


## API Configuration ##

# A list of event types that will be included in the room_invite_state
#
#room_invite_state_types:
#  - "m.room.join_rules"
#  - "m.room.canonical_alias"
#  - "m.room.avatar"
#  - "m.room.encryption"
#  - "m.room.name"


# A list of application service config files to use
#
#app_service_config_files:
#  - app_service_1.yaml
#  - app_service_2.yaml

# Uncomment to enable tracking of application service IP addresses. Implicitly
# enables MAU tracking for application service users.
#
#track_appservice_user_ips: true


# a secret which is used to sign access tokens. If none is specified,
# the registration_shared_secret is used, if one is given; otherwise,
# a secret key is derived from the signing key.
#
#macaroon_secret_key: <PRIVATE STRING>

# a secret which is used to calculate HMACs for form values, to stop
# falsification of values. Must be specified for the User Consent
# forms to work.
#
#form_secret: <PRIVATE STRING>

## Signing Keys ##

# Path to the signing key to sign messages with
#
signing_key_path: "CONFDIR/SERVERNAME.signing.key"

# The keys that the server used to sign messages with but won't use
# to sign new messages.
#
old_signing_keys:
  # For each key, `key` should be the base64-encoded public key, and
  # `expired_ts`should be the time (in milliseconds since the unix epoch) that
  # it was last used.
  #
  # It is possible to build an entry from an old signing.key file using the
  # `export_signing_key` script which is provided with synapse.
  #
  # For example:
  #
  #"ed25519:id": { key: "base64string", expired_ts: 123456789123 }

# How long key response published by this server is valid for.
# Used to set the valid_until_ts in /key/v2 APIs.
# Determines how quickly servers will query to check which keys
# are still valid.
#
#key_refresh_interval: 1d

# The trusted servers to download signing keys from.
#
# When we need to fetch a signing key, each server is tried in parallel.
#
# Normally, the connection to the key server is validated via TLS certificates.
# Additional security can be provided by configuring a `verify key`, which
# will make synapse check that the response is signed by that key.
#
# This setting supercedes an older setting named `perspectives`. The old format
# is still supported for backwards-compatibility, but it is deprecated.
#
# 'trusted_key_servers' defaults to matrix.org, but using it will generate a
# warning on start-up. To suppress this warning, set
# 'suppress_key_server_warning' to true.
#
# Options for each entry in the list include:
#
#    server_name: the name of the server. required.
#
#    verify_keys: an optional map from key id to base64-encoded public key.
#       If specified, we will check that the response is signed by at least
#       one of the given keys.
#
#    accept_keys_insecurely: a boolean. Normally, if `verify_keys` is unset,
#       and federation_verify_certificates is not `true`, synapse will refuse
#       to start, because this would allow anyone who can spoof DNS responses
#       to masquerade as the trusted key server. If you know what you are doing
#       and are sure that your network environment provides a secure connection
#       to the key server, you can set this to `true` to override this
#       behaviour.
#
# An example configuration might look like:
#
#trusted_key_servers:
#  - server_name: "my_trusted_server.example.com"
#    verify_keys:
#      "ed25519:auto": "abcdefghijklmnopqrstuvwxyzabcdefghijklmopqr"
#  - server_name: "my_other_trusted_server.example.com"
#
trusted_key_servers:
  - server_name: "matrix.org"

# Uncomment the following to disable the warning that is emitted when the
# trusted_key_servers include 'matrix.org'. See above.
#
#suppress_key_server_warning: true

# The signing keys to use when acting as a trusted key server. If not specified
# defaults to the server signing key.
#
# Can contain multiple keys, one per line.
#
#key_server_signing_keys_path: "key_server_signing_keys.key"


## Single sign-on integration ##

# Enable SAML2 for registration and login. Uses pysaml2.
#
# At least one of `sp_config` or `config_path` must be set in this section to
# enable SAML login.
#
# (You will probably also want to set the following options to `false` to
# disable the regular login/registration flows:
#   * enable_registration
#   * password_config.enabled
#
# Once SAML support is enabled, a metadata file will be exposed at
# https://<server>:<port>/_matrix/saml2/metadata.xml, which you may be able to
# use to configure your SAML IdP with. Alternatively, you can manually configure
# the IdP to use an ACS location of
# https://<server>:<port>/_matrix/saml2/authn_response.
#
saml2_config:
  # `sp_config` is the configuration for the pysaml2 Service Provider.
  # See pysaml2 docs for format of config.
  #
  # Default values will be used for the 'entityid' and 'service' settings,
  # so it is not normally necessary to specify them unless you need to
  # override them.
  #
  #sp_config:
  #  # point this to the IdP's metadata. You can use either a local file or
  #  # (preferably) a URL.
  #  metadata:
  #    #local: ["saml2/idp.xml"]
  #    remote:
  #      - url: https://our_idp/metadata.xml
  #
  #  # By default, the user has to go to our login page first. If you'd like
  #  # to allow IdP-initiated login, set 'allow_unsolicited: true' in a
  #  # 'service.sp' section:
  #  #
  #  #service:
  #  #  sp:
  #  #    allow_unsolicited: true
  #
  #  # The examples below are just used to generate our metadata xml, and you
  #  # may well not need them, depending on your setup. Alternatively you
  #  # may need a whole lot more detail - see the pysaml2 docs!
  #
  #  description: ["My awesome SP", "en"]
  #  name: ["Test SP", "en"]
  #
  #  organization:
  #    name: Example com
  #    display_name:
  #      - ["Example co", "en"]
  #    url: "http://example.com"
  #
  #  contact_person:
  #    - given_name: Bob
  #      sur_name: "the Sysadmin"
  #      email_address": ["admin@example.com"]
  #      contact_type": technical

  # Instead of putting the config inline as above, you can specify a
  # separate pysaml2 configuration file:
  #
  #config_path: "CONFDIR/sp_conf.py"

  # The lifetime of a SAML session. This defines how long a user has to
  # complete the authentication process, if allow_unsolicited is unset.
  # The default is 5 minutes.
  #
  #saml_session_lifetime: 5m

  # An external module can be provided here as a custom solution to
  # mapping attributes returned from a saml provider onto a matrix user.
  #
  user_mapping_provider:
    # The custom module's class. Uncomment to use a custom module.
    #
    #module: mapping_provider.SamlMappingProvider

    # Custom configuration values for the module. Below options are
    # intended for the built-in provider, they should be changed if
    # using a custom module. This section will be passed as a Python
    # dictionary to the module's `parse_config` method.
    #
    config:
      # The SAML attribute (after mapping via the attribute maps) to use
      # to derive the Matrix ID from. 'uid' by default.
      #
      # Note: This used to be configured by the
      # saml2_config.mxid_source_attribute option. If that is still
      # defined, its value will be used instead.
      #
      #mxid_source_attribute: displayName

      # The mapping system to use for mapping the saml attribute onto a
      # matrix ID.
      #
      # Options include:
      #  * 'hexencode' (which maps unpermitted characters to '=xx')
      #  * 'dotreplace' (which replaces unpermitted characters with
      #     '.').
      # The default is 'hexencode'.
      #
      # Note: This used to be configured by the
      # saml2_config.mxid_mapping option. If that is still defined, its
      # value will be used instead.
      #
      #mxid_mapping: dotreplace

  # In previous versions of synapse, the mapping from SAML attribute to
  # MXID was always calculated dynamically rather than stored in a
  # table. For backwards- compatibility, we will look for user_ids
  # matching such a pattern before creating a new account.
  #
  # This setting controls the SAML attribute which will be used for this
  # backwards-compatibility lookup. Typically it should be 'uid', but if
  # the attribute maps are changed, it may be necessary to change it.
  #
  # The default is 'uid'.
  #
  #grandfathered_mxid_source_attribute: upn

  # Directory in which Synapse will try to find the template files below.
  # If not set, default templates from within the Synapse package will be used.
  #
  # DO NOT UNCOMMENT THIS SETTING unless you want to customise the templates.
  # If you *do* uncomment it, you will need to make sure that all the templates
  # below are in the directory.
  #
  # Synapse will look for the following templates in this directory:
  #
  # * HTML page to display to users if something goes wrong during the
  #   authentication process: 'saml_error.html'.
  #
  #   When rendering, this template is given the following variables:
  #     * code: an HTML error code corresponding to the error that is being
  #       returned (typically 400 or 500)
  #
  #     * msg: a textual message describing the error.
  #
  #   The variables will automatically be HTML-escaped.
  #
  # You can see the default templates at:
  # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates
  #
  #template_dir: "res/templates"


# OpenID Connect integration. The following settings can be used to make Synapse
# use an OpenID Connect Provider for authentication, instead of its internal
# password database.
#
# See https://github.com/matrix-org/synapse/blob/master/openid.md.
#
oidc_config:
  # Uncomment the following to enable authorization against an OpenID Connect
  # server. Defaults to false.
  #
  #enabled: true

  # Uncomment the following to disable use of the OIDC discovery mechanism to
  # discover endpoints. Defaults to true.
  #
  #discover: false

  # the OIDC issuer. Used to validate tokens and (if discovery is enabled) to
  # discover the provider's endpoints.
  #
  # Required if 'enabled' is true.
  #
  #issuer: "https://accounts.example.com/"

  # oauth2 client id to use.
  #
  # Required if 'enabled' is true.
  #
  #client_id: "provided-by-your-issuer"

  # oauth2 client secret to use.
  #
  # Required if 'enabled' is true.
  #
  #client_secret: "provided-by-your-issuer"

  # auth method to use when exchanging the token.
  # Valid values are 'client_secret_basic' (default), 'client_secret_post' and
  # 'none'.
  #
  #client_auth_method: client_secret_post

  # list of scopes to request. This should normally include the "openid" scope.
  # Defaults to ["openid"].
  #
  #scopes: ["openid", "profile"]

  # the oauth2 authorization endpoint. Required if provider discovery is disabled.
  #
  #authorization_endpoint: "https://accounts.example.com/oauth2/auth"

  # the oauth2 token endpoint. Required if provider discovery is disabled.
  #
  #token_endpoint: "https://accounts.example.com/oauth2/token"

  # the OIDC userinfo endpoint. Required if discovery is disabled and the
  # "openid" scope is not requested.
  #
  #userinfo_endpoint: "https://accounts.example.com/userinfo"

  # URI where to fetch the JWKS. Required if discovery is disabled and the
  # "openid" scope is used.
  #
  #jwks_uri: "https://accounts.example.com/.well-known/jwks.json"

  # Uncomment to skip metadata verification. Defaults to false.
  #
  # Use this if you are connecting to a provider that is not OpenID Connect
  # compliant.
  # Avoid this in production.
  #
  #skip_verification: true

  # An external module can be provided here as a custom solution to mapping
  # attributes returned from a OIDC provider onto a matrix user.
  #
  user_mapping_provider:
    # The custom module's class. Uncomment to use a custom module.
    # Default is 'synapse.handlers.oidc_handler.JinjaOidcMappingProvider'.
    #
    # See https://github.com/matrix-org/synapse/blob/master/docs/sso_mapping_providers.md#openid-mapping-providers
    # for information on implementing a custom mapping provider.
    #
    #module: mapping_provider.OidcMappingProvider

    # Custom configuration values for the module. This section will be passed as
    # a Python dictionary to the user mapping provider module's `parse_config`
    # method.
    #
    # The examples below are intended for the default provider: they should be
    # changed if using a custom provider.
    #
    config:
      # name of the claim containing a unique identifier for the user.
      # Defaults to `sub`, which OpenID Connect compliant providers should provide.
      #
      #subject_claim: "sub"

      # Jinja2 template for the localpart of the MXID.
      #
      # When rendering, this template is given the following variables:
      #   * user: The claims returned by the UserInfo Endpoint and/or in the ID
      #     Token
      #
      # This must be configured if using the default mapping provider.
      #
      localpart_template: "{{ user.preferred_username }}"

      # Jinja2 template for the display name to set on first login.
      #
      # If unset, no displayname will be set.
      #
      #display_name_template: "{{ user.given_name }} {{ user.last_name }}"



# Enable CAS for registration and login.
#
#cas_config:
#   enabled: true
#   server_url: "https://cas-server.com"
#   service_url: "https://homeserver.domain.com:8448"
#   #displayname_attribute: name
#   #required_attributes:
#   #    name: value


# Additional settings to use with single-sign on systems such as OpenID Connect,
# SAML2 and CAS.
#
sso:
    # A list of client URLs which are whitelisted so that the user does not
    # have to confirm giving access to their account to the URL. Any client
    # whose URL starts with an entry in the following list will not be subject
    # to an additional confirmation step after the SSO login is completed.
    #
    # WARNING: An entry such as "https://my.client" is insecure, because it
    # will also match "https://my.client.evil.site", exposing your users to
    # phishing attacks from evil.site. To avoid this, include a slash after the
    # hostname: "https://my.client/".
    #
    # If public_baseurl is set, then the login fallback page (used by clients
    # that don't natively support the required login flows) is whitelisted in
    # addition to any URLs in this list.
    #
    # By default, this list is empty.
    #
    #client_whitelist:
    #  - https://riot.im/develop
    #  - https://my.custom.client/

    # Directory in which Synapse will try to find the template files below.
    # If not set, default templates from within the Synapse package will be used.
    #
    # DO NOT UNCOMMENT THIS SETTING unless you want to customise the templates.
    # If you *do* uncomment it, you will need to make sure that all the templates
    # below are in the directory.
    #
    # Synapse will look for the following templates in this directory:
    #
    # * HTML page for a confirmation step before redirecting back to the client
    #   with the login token: 'sso_redirect_confirm.html'.
    #
    #   When rendering, this template is given three variables:
    #     * redirect_url: the URL the user is about to be redirected to. Needs
    #                     manual escaping (see
    #                     https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping).
    #
    #     * display_url: the same as `redirect_url`, but with the query
    #                    parameters stripped. The intention is to have a
    #                    human-readable URL to show to users, not to use it as
    #                    the final address to redirect to. Needs manual escaping
    #                    (see https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping).
    #
    #     * server_name: the homeserver's name.
    #
    # * HTML page which notifies the user that they are authenticating to confirm
    #   an operation on their account during the user interactive authentication
    #   process: 'sso_auth_confirm.html'.
    #
    #   When rendering, this template is given the following variables:
    #     * redirect_url: the URL the user is about to be redirected to. Needs
    #                     manual escaping (see
    #                     https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping).
    #
    #     * description: the operation which the user is being asked to confirm
    #
    # * HTML page shown after a successful user interactive authentication session:
    #   'sso_auth_success.html'.
    #
    #   Note that this page must include the JavaScript which notifies of a successful authentication
    #   (see https://matrix.org/docs/spec/client_server/r0.6.0#fallback).
    #
    #   This template has no additional variables.
    #
    # * HTML page shown during single sign-on if a deactivated user (according to Synapse's database)
    #   attempts to login: 'sso_account_deactivated.html'.
    #
    #   This template has no additional variables.
    #
    # * HTML page to display to users if something goes wrong during the
    #   OpenID Connect authentication process: 'sso_error.html'.
    #
    #   When rendering, this template is given two variables:
    #     * error: the technical name of the error
    #     * error_description: a human-readable message for the error
    #
    # You can see the default templates at:
    # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates
    #
    #template_dir: "res/templates"


# The JWT needs to contain a globally unique "sub" (subject) claim.
#
#jwt_config:
#   enabled: true
#   secret: "a secret"
#   algorithm: "HS256"


password_config:
   # Uncomment to disable password login
   #
   #enabled: false

   # Uncomment to disable authentication against the local password
   # database. This is ignored if `enabled` is false, and is only useful
   # if you have other password_providers.
   #
   #localdb_enabled: false

   # Uncomment and change to a secret random string for extra security.
   # DO NOT CHANGE THIS AFTER INITIAL SETUP!
   #
   #pepper: "EVEN_MORE_SECRET"

   # Define and enforce a password policy. Each parameter is optional.
   # This is an implementation of MSC2000.
   #
   policy:
      # Whether to enforce the password policy.
      # Defaults to 'false'.
      #
      #enabled: true

      # Minimum accepted length for a password.
      # Defaults to 0.
      #
      #minimum_length: 15

      # Whether a password must contain at least one digit.
      # Defaults to 'false'.
      #
      #require_digit: true

      # Whether a password must contain at least one symbol.
      # A symbol is any character that's not a number or a letter.
      # Defaults to 'false'.
      #
      #require_symbol: true

      # Whether a password must contain at least one lowercase letter.
      # Defaults to 'false'.
      #
      #require_lowercase: true

      # Whether a password must contain at least one lowercase letter.
      # Defaults to 'false'.
      #
      #require_uppercase: true


# Configuration for sending emails from Synapse.
#
email:
  # The hostname of the outgoing SMTP server to use. Defaults to 'localhost'.
  #
  #smtp_host: mail.server

  # The port on the mail server for outgoing SMTP. Defaults to 25.
  #
  #smtp_port: 587

  # Username/password for authentication to the SMTP server. By default, no
  # authentication is attempted.
  #
  #smtp_user: "exampleusername"
  #smtp_pass: "examplepassword"

  # Uncomment the following to require TLS transport security for SMTP.
  # By default, Synapse will connect over plain text, and will then switch to
  # TLS via STARTTLS *if the SMTP server supports it*. If this option is set,
  # Synapse will refuse to connect unless the server supports STARTTLS.
  #
  #require_transport_security: true

  # notif_from defines the "From" address to use when sending emails.
  # It must be set if email sending is enabled.
  #
  # The placeholder '%(app)s' will be replaced by the application name,
  # which is normally 'app_name' (below), but may be overridden by the
  # Matrix client application.
  #
  # Note that the placeholder must be written '%(app)s', including the
  # trailing 's'.
  #
  #notif_from: "Your Friendly %(app)s homeserver <noreply@example.com>"

  # app_name defines the default value for '%(app)s' in notif_from. It
  # defaults to 'Matrix'.
  #
  #app_name: my_branded_matrix_server

  # Uncomment the following to enable sending emails for messages that the user
  # has missed. Disabled by default.
  #
  #enable_notifs: true

  # Uncomment the following to disable automatic subscription to email
  # notifications for new users. Enabled by default.
  #
  #notif_for_new_users: false

  # Custom URL for client links within the email notifications. By default
  # links will be based on "https://matrix.to".
  #
  # (This setting used to be called riot_base_url; the old name is still
  # supported for backwards-compatibility but is now deprecated.)
  #
  #client_base_url: "http://localhost/riot"

  # Configure the time that a validation email will expire after sending.
  # Defaults to 1h.
  #
  #validation_token_lifetime: 15m

  # Directory in which Synapse will try to find the template files below.
  # If not set, default templates from within the Synapse package will be used.
  #
  # DO NOT UNCOMMENT THIS SETTING unless you want to customise the templates.
  # If you *do* uncomment it, you will need to make sure that all the templates
  # below are in the directory.
  #
  # Synapse will look for the following templates in this directory:
  #
  # * The contents of email notifications of missed events: 'notif_mail.html' and
  #   'notif_mail.txt'.
  #
  # * The contents of account expiry notice emails: 'notice_expiry.html' and
  #   'notice_expiry.txt'.
  #
  # * The contents of password reset emails sent by the homeserver:
  #   'password_reset.html' and 'password_reset.txt'
  #
  # * HTML pages for success and failure that a user will see when they follow
  #   the link in the password reset email: 'password_reset_success.html' and
  #   'password_reset_failure.html'
  #
  # * The contents of address verification emails sent during registration:
  #   'registration.html' and 'registration.txt'
  #
  # * HTML pages for success and failure that a user will see when they follow
  #   the link in an address verification email sent during registration:
  #   'registration_success.html' and 'registration_failure.html'
  #
  # * The contents of address verification emails sent when an address is added
  #   to a Matrix account: 'add_threepid.html' and 'add_threepid.txt'
  #
  # * HTML pages for success and failure that a user will see when they follow
  #   the link in an address verification email sent when an address is added
  #   to a Matrix account: 'add_threepid_success.html' and
  #   'add_threepid_failure.html'
  #
  # You can see the default templates at:
  # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates
  #
  #template_dir: "res/templates"


# Password providers allow homeserver administrators to integrate
# their Synapse installation with existing authentication methods
# ex. LDAP, external tokens, etc.
#
# For more information and known implementations, please see
# https://github.com/matrix-org/synapse/blob/master/docs/password_auth_providers.md
#
# Note: instances wishing to use SAML or CAS authentication should
# instead use the `saml2_config` or `cas_config` options,
# respectively.
#
password_providers:
#    # Example config for an LDAP auth provider
#    - module: "ldap_auth_provider.LdapAuthProvider"
#      config:
#        enabled: true
#        uri: "ldap://ldap.example.com:389"
#        start_tls: true
#        base: "ou=users,dc=example,dc=com"
#        attributes:
#           uid: "cn"
#           mail: "email"
#           name: "givenName"
#        #bind_dn:
#        #bind_password:
#        #filter: "(objectClass=posixAccount)"



# Clients requesting push notifications can either have the body of
# the message sent in the notification poke along with other details
# like the sender, or just the event ID and room ID (`event_id_only`).
# If clients choose the former, this option controls whether the
# notification request includes the content of the event (other details
# like the sender are still included). For `event_id_only` push, it
# has no effect.
#
# For modern android devices the notification content will still appear
# because it is loaded by the app. iPhone, however will send a
# notification saying only that a message arrived and who it came from.
#
#push:
#  include_content: true


# Spam checkers are third-party modules that can block specific actions
# of local users, such as creating rooms and registering undesirable
# usernames, as well as remote users by redacting incoming events.
#
spam_checker:
   #- module: "my_custom_project.SuperSpamChecker"
   #  config:
   #    example_option: 'things'
   #- module: "some_other_project.BadEventStopper"
   #  config:
   #    example_stop_events_from: ['@bad:example.com']


## Rooms ##

# Controls whether locally-created rooms should be end-to-end encrypted by
# default.
#
# Possible options are "all", "invite", and "off". They are defined as:
#
# * "all": any locally-created room
# * "invite": any room created with the "private_chat" or "trusted_private_chat"
#             room creation presets
# * "off": this option will take no effect
#
# The default value is "off".
#
# Note that this option will only affect rooms created after it is set. It
# will also not affect rooms created by other servers.
#
#encryption_enabled_by_default_for_room_type: invite


# Uncomment to allow non-server-admin users to create groups on this server
#
#enable_group_creation: true

# If enabled, non server admins can only create groups with local parts