Configuration settings
Mattermost configuration settings are maintained in the config.json configuration file, located in the mattermost/config directory. You can modify the configuration file using the System Console, or by using a text editor to modify it directly.
Important
Mattermost must have write permissions to config.json, otherwise changes made in the System Console will have no effect.
On new installations from v5.14, the default.json file used to create the initial config.json has been removed from the binary and replaced with a build step that generates a fresh config.json. This is to ensure the initial configuration file has all the correct defaults provided in the server code. Existing config.json files are not affected by this change.
From Mattermost v5.38 (released August 16, 2021), the “config watcher” (the mechanism that automatically reloads the config.json file) has been deprecated in favor of the mmctl config reload command that must be run to apply configuration changes after they’re made. This change will improve configuration performance and robustness.
See the Deprecated configuration settings documentation for details on all deprecated Mattermost configuration settings.
Configuration in database
Storing configuration in the database is supported from v5.10 and later. Please see more information on how to set this up here.
Environment variables
Starting from Mattermost v3.8, you can use environment variables to manage the configuration. Environment variables override settings in config.json. If a change to a setting in config.json requires a restart for it to take effect, then changes to the corresponding environment variable also require a server restart.
The name of the environment variable for any setting can be derived from the name of that setting in config.json. For example, to derive the name of the Site URL setting:
Find the setting in
config.json. In this case, ServiceSettings.SiteURL.Add
MM_to the beginning and convert all characters to uppercase and replace the.with_. For example, MM_SERVICESETTINGS_SITEURL.The setting becomes
export MM_SERVICESETTINGS_SITEURL="http://example.com".
Note
If Mattermost is run from an initialization file, environment variables can be set via
Environment=<>, orEnvironmentFile=<path/to/file>. In the second case, the file specified contains the list of environment variables to set.When settings are configured through an environment variable, System Admins can’t modify them in the System Console. If a setting is configured through an environment variable, and any other changes are made in the System Console, the value stored of the environment variable will be written back to the
config.jsonas that setting’s value.For any setting that’s not set in
config.jsonor in environment variables, the Mattermost server uses the setting’s default value as documented in the sections below on this page.
Warning
Environment variables for Mattermost settings that are set within the active shell will take effect when migrating configuration. For more information, see Configuration In Database.
Database connection strings for the database read and search replicas need to be formatted using URL encoding. Incorrectly formatted strings may cause some characters to terminate the string early, resulting in issues when the connection string is parsed.
Override Mattermost license file
Starting from Mattermost v5.26, you can use an environment variable to override any license in the database or file configuration without replacing those licenses.
When starting the server, specify the license key as MM_LICENSE with the contents of a license file.
Note
If MM_LICENSE is set to a non-empty string, but the license specified is not valid, the Mattermost server will be started without a license.
In a High Availability deployment, using an environment variable to override a server license only affects the individual app server and doesn’t propagate to other servers in the cluster.
Load custom configuration defaults
Starting from Mattermost v5.30, you can load a set of custom configuration defaults using an environment variable. This custom configuration applies only if the values are not already present in the current server configuration.
Create a JSON file that contains the custom configuration defaults. For example,
custom.json.When starting the server, point the custom defaults environment variable to the defaults file:
MM_CUSTOM_DEFAULTS_PATH=custom.json.
About
Settings for managing the edition and license for Mattermost Enterprise Edition.
Edition and License
Access the following configuration settings in the System Console by going to About > Edition and License.
License
View subscription details including the number of users and expiry date of your Mattermost license.
License Key
Upload or remove license files. For more information on Mattermost Licensing, please see our frequently asked questions about licensing.
Reporting
See the reporting configuration settings documentation for details on the following configuration settings:
User Management
See the user management configuration settings documentation for details on the following configuration settings:
Environment
Web server
See the web server configuration settings documentation for details on the following configuration settingsn:
Database
See the database configuration settings documentation for details on the following configuration settings:
Elasticsearch
See the Elasticsearch configuration settings documentation for details on the following configuration settings:
Changes to properties in this section require a server restart before taking effect. Access the following configuration settings in the System Console by going to Environment > Elasticsearch.
Enable Elasticsearch Indexing
Available in legacy Enterprise Edition E20
True: Indexing of new posts occurs automatically. Search queries will use database search until Enable Elasticsearch for search queries is enabled. Learn more about Elasticsearch in our documentation.
False: Elasticsearch indexing is disabled and new posts are not indexed. If indexing is disabled and re-enabled after an index is created, we recommend you purge and rebuild the index to ensure complete search results.
This feature’s |
Server Connection Address
Available in legacy Enterprise Edition E20
The address of the Elasticsearch server. Learn more about Elasticsearch in our documentation.
This feature’s |
Skip TLS Verification
Available in legacy Enterprise Edition E20
True: Skips the certificate verification step for TLS connections. Not recommended for production environments where TLS is required. For testing only.
False: Mattermost does not skip certificate verification.
This feature’s |
Server Username
Available in legacy Enterprise Edition E20
(Optional) The username to authenticate to the Elasticsearch server.
This feature’s |
Server Password
Available in legacy Enterprise Edition E20
(Optional) The password to authenticate to the Elasticsearch server.
This feature’s |
Enable Cluster Sniffing
Available in legacy Enterprise Edition E20
True: Sniffing finds and connects to all data nodes in your cluster automatically.
False: Sniffing is disabled.
This feature’s |
Bulk Indexing
Available in legacy Enterprise Edition E20
This button starts a bulk index of all existing posts in the database. If the indexing process is cancelled the index and search results will be incomplete.
Purge Indexes
Available in legacy Enterprise Edition E20
This button purges the entire Elasticsearch index. Typically only used if the index has corrupted and search is not behaving as expected. After purging the index a new index can be created with the Bulk Index button.
Enable Elasticsearch for Search Queries
Available in legacy Enterprise Edition E20
True: Elasticsearch will be used for all search queries using the latest index. Search results may be incomplete until a bulk index of the existing post database is finished.
False: Database search is used for search queries.
This feature’s |
Enable Elasticsearch for Autocomplete Queries
Available in legacy Enterprise Edition E20
True: Elasticsearch will be used for all autocompletion queries on users and channels using the latest index. Autocompletion results may be incomplete until a bulk index of the existing users and channels database is finished.
False: Database autocomplete is used.
This feature’s |
File Storage
Mattermost currently supports storing files on the local filesystem and Amazon S3 or S3 compatible containers. Access the following configuration settings in the System Console by going to Environment > File Storage.
Note
We have tested Mattermost with MinIO and Digital Ocean Spaces products, but not all S3 compatible containers on the market. If you are looking to use other S3 compatible containers we advise completing your own testing.
File Storage System
|
|
Allowed Values |
|
This selects which file storage system is used: Local File System or Amazon S3.
Local File System: Files and images are stored in the specified local file directory.
Amazon S3: Files and images are stored on Amazon S3 based on the provided access key, bucket, and region fields. The "amazons3" driver is compatible with MinIO (Beta) and Digital Ocean Spaces based on the provided access key, bucket, and region fields.
Local Storage Directory
The local directory to which files are written when the File Storage System is set to "local". This is relative to the directory Mattermost is installed to and defaults to "./data" When File Storage System is set to S3 this setting has no effect.
|
|
Allowed Values |
Any directory writeable by the user Mattermost is running as. Defaults to |
Maximum File Size
Maximum file size for message attachments and plugins entered in megabytes in the System Console. Converted to bytes in config.json at 1048576 bytes per megabyte.
This feature’s |
Warning
Verify server memory can support your setting choice. Large file sizes increase the risk of server crashes and failed uploads due to network disruptions.
Note
If you use a proxy or load balancer in front of Mattermost its settings need to be adjusted accordingly. For NGINX use client_max_body_size. For Apache use LimitRequestBody.
Enable Document Search by Content
Enable users to search the contents of documents attached to messages. Mattermost self-hosted deployments include support for PDF, PPTX, DOCX, ODT, HTML, and plain text documents. Improved server performance during PDF extraction and additional file support for RTF, DOC, and PAGES documents is available through the installation of third-party dependencies.
True: Documents are searchable by their content.
Note
Document content search results for files shared before upgrading to Mattermost Server v5.35 may be incomplete until an mmctl content extraction job is run, or an extraction command is executed using the CLI. If this command is not run, users can search older files based on file name only.
False: Documents aren’t searchable by their content. When document content search is disabled, users can search for files by filename only.
This feature’s |
To extend content search support to include file formats including RTF, DOC, and PAGES, and to take advantage of improved server performance during PDF extraction, you must install these dependencies. If you choose not to install these dependencies, you’ll see log entries for documents that couldn’t be extracted. Any documents that can’t be extracted are skipped and logged so that content extraction can proceed.
The search support each dependency offers is described below:
tidy: Used to search the contents of HTML and PAGES documents.wv: Used to search the contents of DOC documents.popplerutils: Used to significantly improve server performance when extracting the contents of PDF documents.unrtf: Used to search the contents of RTF documents.Justtext: Used to search HTML documents.
Note
Document content search is available in Mattermost Server from v5.35, with mobile support coming soon.
Searching document contents adds load to your server.
For large deployments, or teams that share many large, text-heavy documents, we recommended you review our hardware requirements, and test enabling this feature in a staging environment before enabling it in a production environment.
Enable Searching Content of Documents within ZIP Files
This configuration setting enables users to search the contents of compressed ZIP files attached to messages.
True: Contents of documents within ZIP files are returned in search results. This may have an impact on server performance for large files.
False: The contents of documents within ZIP files aren’t returned in search results.
This feature’s |
Note
Document content search within ZIP files is available in Mattermost Server from v5.35, with mobile support coming soon.
Searching document contents adds load to your server.
For large deployments, or teams that share many large, text-heavy documents, we recommended you review our hardware requirements, and test enabling this feature in a staging environment before enabling it in a production environment.
Amazon S3 Bucket
The name of the bucket for your S3-compatible object storage instance.
|
|
Allowed Values |
A string with the S3-compatible bucket name. |
Amazon S3 Region
The AWS region you selected when creating your S3 bucket. If no region is set, Mattermost attempts to get the appropriate region from AWS and sets it to "us-east-1" if none is found. For MinIO or Digital Ocean Spaces, leave this setting empty.
|
|
Allowed Values |
A string with the AWS region containing the bucket. |
Amazon S3 Access Key ID
This is required for access unless you are using an Amazon S3 IAM Role with Amazon S3. Your EC2 administrator can supply you with the Access Key ID.
|
|
Allowed Values |
A string with the access key for the S3-compatible storage instance. |
Amazon S3 Endpoint
The hostname of your S3-compatible instance. Defaults to "s3.amazonaws.com".
Note
For Digital Ocean Spaces, the hostname should be set to "<region>.digitaloceanspaces.com", where <region> is the abbreviation for the region you chose when setting up the Space. It can be nyc3, ams3, or sgp1.
|
|
Allowed Values |
A string with the hostname of the S3-compatible storage instance. |
Amazon S3 Secret Access Key
The secret access key associated with your Amazon S3 Access Key ID.
|
|
Allowed Values |
A string with the secret access key for the S3-compatible storage instance. |
Enable Secure Amazon S3 Connections
True: Enables only secure Amazon S3 connections.
False: Allows insecure connections to Amazon S3.
|
|
Allowed Values |
|
Enable Server-Side Encryption for Amazon S3
Available in legacy Enterprise Edition E20
True: Encrypts files in Amazon S3 using server-side encryption with Amazon S3-managed keys.
False: Doesn’t encrypt files in Amazon S3.
Note
Server-side encryption only works with Amazon S3.
|
|
Allowed Values |
|
Image Proxy
Access the following configuration settings in the System Console by going to Environment > Image Proxy.
Enable Image Proxy
When true, enables an image proxy for loading external images. The image proxy is used by the Mattermost apps to prevent them from connecting directly to remote servers. This anonymizes their connections and prevents them from accessing insecure content.
See the image proxy documentation to learn more.
This feature’s |
Image Proxy Type
The type of image proxy used by Mattermost. There are two options:
local: The Mattermost server itself acts as the image proxy. This is the default option.
atmos/camo: An external atmos/camo image proxy is used.
See the documentation to learn more.
This feature’s |
Remote Image Proxy URL
The URL of the atmos/camo proxy. This setting is not needed when using the local image proxy.
This feature’s |
Remote Image Proxy Options
The URL signing key passed to an atmos/camo image proxy. This setting is not needed when using the local image proxy.
See the documentation to learn more.
This feature’s |
SMTP
Access the following configuration settings in the System Console by going to Environment > SMTP.
SMTP Email Server
Location of SMTP email server used for email notifications.
This feature’s |
SMTP Server Port
Port of SMTP email server.
This feature’s |
SMTP Server Timeout
The maximum amount of time (in seconds) allowed for establishing a TCP connection between Mattermost and the SMTP server, to be idle before being terminated.
This feature’s |
Enable SMTP Authentication
True: SMTP username and password are used for authenticating to the SMTP server.
False: Mattermost doesn’t attempt to authenticate to the SMTP server.
This feature’s |
SMTP Server Username
The username for authenticating to the SMTP server.
This feature’s |
SMTP Server Password
The password associated with the SMTP username.
This feature’s |
Connection Security
None: Send email over an unsecure connection.
TLS: Communication between Mattermost and your email server is encrypted.
STARTTLS: Attempts to upgrade an existing insecure connection to a secure connection using TLS.
This feature’s |
Skip Server Certificate Verification
True: Mattermost will not verify the email server certificate.
False: Mattermost will verify the email server certificate.
This feature’s |
Enable Security Alerts
True: Enable System Admins to be notified by email if a relevant security fix alert is announced. Requires email to be enabled. To learn more about this feature, see Telemetry.
False: Security alerts are disabled.
This feature’s |
Push Notification Server
Access the following configuration settings in the System Console by going to Environment > Push Notification Server.
Enable Push Notifications
True: Your Mattermost server sends mobile push notifications to the server specified in PushNotificationServer.
False: Mobile push notifications are disabled.
This feature’s |
Push Notification Server
Location of Mattermost Push Notification Service (MPNS), which re-sends push notifications from Mattermost to services like Apple Push Notification Service (APNS) and Google Cloud Messaging (GCM).
To confirm push notifications are working, connect to the Mattermost iOS App on iTunes or the Mattermost Android App on Google Play:
For Enterprise or Professional Edition, enter
https://push.mattermost.comfor the push notification server hosted in the United States. If you prefer to use a push notification server hosted in Germany, enterhttps://hpns-de.mattermost.com/.For Team Edition, enter
https://push-test.mattermost.com.
Please review full documentation on push notifications and mobile applications including guidance on compiling your own mobile apps and MPNS before deploying to production.
Note
The https://push-test.mattermost.com server is provided for testing push notifications prior to compiling your own service. Please make sure to read about its limitations.
This feature’s |
Max Notifications Per Channel
Maximum total number of users in a channel before @all, @here, and @channel no longer send notifications to maximize performance.
If you want to increase this value, we recommend increasing it a little at a time and monitor system health with performance monitoring metrics. We also recommend only increasing this value if large channels have restricted permissions for who can post to the channel (for instance, a read-only Town Square channel).
This feature’s |
Troubleshooting Push Notifications
To confirm push notifications are working:
Go to System Console > Notifications > Environment > Push Notification Server > Enable Push Notifications and select Use TPNS connection to send notifications to iOS and Android apps.
Set Push Notification Server to
https://push.mattermost.comif using Enterprise Edition. If using Team Edition, set the value tohttps://push-test.mattermost.com.To confirm push notifications are working, connect to the Mattermost iOS App on iTunes or the Mattermost Android App on Google Play and log in to your team site.
Close the app on your device, and close any other connections to your team site.
Wait 5 minutes and have another team member send you a direct message, which should trigger a push notification to the Mattermost app on your mobile device.
You should receive a push notification on your device alerting you of the direct message.
If you did not receive an alert:
Set System Console > Environment > Logging > File Log Level to DEBUG (make sure to set this back to INFO after troubleshooting to save disk space).
Repeat the above steps.
Go to System Console > Reporting > Server Logs and copy the log output into a file.
For Enterprise Edition customers, submit a support request with the file attached. For Team Edition users, please start a thread in the troubleshooting forum for peer-to-peer support.
High Availability
Access the following configuration settings in the System Console by going to Environment > High Availability.
Changes to properties in this section require a server restart before taking effect.
When High Availability mode is enabled, the System Console is set to read-only and settings can only be changed by editing the configuration file directly. However, for testing and validating a High Availability setup, you can set ReadOnlyConfig to false, which allows changes made in the System Console to be saved back to the configuration file.
To learn more about configuring High Availability, see High Availability Cluster.
Enable High Availability Mode
Available in legacy Enterprise Edition E20
True: The Mattermost server will attempt inter-node communication with the other servers in the cluster that have the same cluster name. This sets the System Console to read-only mode to keep the servers config.json files in sync.
False: Mattermost High Availability is disabled.
This feature’s |
Cluster Name
Available in legacy Enterprise Edition E20
The cluster to join by name. Only nodes with the same cluster name will join together. This is to support Blue-Green deployments or staging pointing to the same database.
This feature’s |
Override Hostname
Available in legacy Enterprise Edition E20
If blank, Mattermost attempts to get the hostname from the OS or use the IP address. You can override the hostname of this server with this property. It is not recommended to override the hostname unless needed. This property can also be set to a specific IP address if needed. Also see cluster discovery for more details.
This feature’s |
Use IP Address
Available in legacy Enterprise Edition E20
True: The cluster attempts to communicate using the IP address.
False: The cluster attempts to communicate using the hostname.
This feature’s |
Use Gossip
Available in legacy Enterprise Edition E20
Note
All cluster traffic uses the gossip protocol. From Mattermost Server v5.36 gossip clustering can no longer be disabled.
True: The server attempts to communicate via the gossip protocol over the gossip port.
False: The server attempts to communicate over the streaming port.
Note
The gossip port and gossip protocol are used to determine cluster health even when this setting is false.
This feature’s |
Enable Experimental Gossip Encryption
Available in legacy Enterprise Edition E20
True: All communication through the cluster using the gossip protocol will be encrypted.
False: All communication using gossip protocol remains unencrypted.
The encryption uses AES-256 by default, and it is not kept configurable by design. However, you can manually set the ClusterEncryptionKey row value in the Systems table. A key is a byte array converted to base64. It should be either 16, 24, or 32 bytes to select AES-128, AES-192, or AES-256.
This feature’s |
Enable Gossip Compression
Available in legacy Enterprise Edition E20
True: All communication through the cluster uses gossip compression. This is set to true by default to maintain compatibility with older servers.
False: All communication using the gossip protocol remains uncompressed. Once all servers in a cluster are upgraded to Mattermost v5.33 or later, we recommend that you disable this configuration setting for better performance.
This feature’s |
Rate Limiting
Access the following configuration settings in the System Console by going to Environment > Rate Limiting.
Changes to properties in this section require a server restart before taking effect.
Enable Rate Limiting
Rate limiting prevents your server from being overloaded with too many requests. This decreases the risk and impact of third-party applications or malicious attacks on your server.
True: APIs are throttled at the rate specified by PerSec.
False: APIs are not throttled.
This feature’s |
Maximum Queries per Second
Throttle API at this number of requests per second if rate limiting is enabled.
The location of the log files. If blank, they are stored in the ./logs directory. The path that you set must exist and Mattermost must have write permissions in it.
This feature’s |
Maximum Burst Size
The maximum number of requests allowed beyond the per second query limit.
This feature’s |
Memory Store Size
Maximum number of user sessions connected to the system as determined by VaryByRemoteAddr and VaryByHeader variables.
Typically set to the number of users in the system.
This feature’s |
Vary rate limit by remote address
True: Rate limit API access by IP address. Recommended to set to true if you’re using a proxy.
False: Rate limiting does not vary by IP address.
This feature’s |
Vary rate limit by user
True: Rate limit API access by user authentication token. Recommended to set to true if you’re using a proxy.
False: Rate limiting does not vary by user authentication token.
This feature’s |
Vary rate limit by HTTP header
Vary rate limiting by HTTP header field specified (e.g. when configuring Ngnix set to X-Real-IP, when configuring AmazonELB set to X-Forwarded-For). Recommended to be set if you’re using a proxy.
This feature’s |
Advanced Logging
Available in legacy Enterprise Edition E20
Output logs to multiple targets
Allow any combination of console, local file, syslog, and TCP socket targets, and send log records to multiple targets. These targets have been chosen as they support the vast majority of log aggregators, and other log analysis tools, without needing additional software installed. Please see Audit Log v2 for more comprehensive documentation.
System Admins can define multiple log targets to:
Mirror log output to files and log aggregators for redundancy.
Log certain entries to specific destinations. For example, all errors could be routed to a specific destination for review.
Additional configuration options include:
Multiple local file targets: Supports rotation and compression triggered by size and/or duration.
Multiple syslogs: Supports local and remote syslog servers, with or without TLS transport.
Multiple TCP sockets: TCP socket target can be configured with an IP address or domain name, port, and optional TLS certificate.
All access to the REST API or CLI is audited. When using Advanced Logging for auditing, System Admins can capture the following auditing in the target configuration in addition to discrete log levels:
"Levels": [
{"ID": 100, "Name": "audit-api"},
{"ID": 101, "Name": "audit-content"},
{"ID": 102, "Name": "audit-permissions"},
{"ID": 103, "Name": "audit-cli"},
],
Where:
audit-api: Enables output of REST API calls.audit-content: Enables output of API calls that generate content (e.g.create post,create reaction).audit-permissions: Enables output of all permissions failures.audit-cli: Enables output of legacy CLI calls.
Note
Logs are recorded asynchronously to reduce latency to the caller.
Advanced logging supports hot-reloading of logger configuration.
This feature’s |
Options outlined in this text file are described in the following table.
Key |
Definition |
Type |
Levels |
||
ID |
Unique log level identifier. Must be registered in |
int |
Name |
Human-readable name for the log level identifier. |
string |
Stacktrace |
Set to |
bool |
Targets |
||
Type |
Can be one of: |
string |
Format |
Can be either |
string |
Levels |
Array of log levels. |
[] |
Options |
Map of options specific to the target type. |
{} |
MaxQueueSize |
The number of audit records that can be queued/buffered at any point in time when writing to syslog. Default is 1000. |
int |
Console |
||
Out |
Can be either |
string |
File |
||
Filename |
Path and filename for logs. |
string |
MaxAgeDays |
Number of days until a rotation is triggered. Set to |
int |
MaxBackups |
Maximum number of rotated files to keep where the oldest are deleted. Set to |
int |
MaxSizeMB |
Maximum file size before a rotation is triggered. Set to |
int |
Compress |
Set to |
bool |
SysLog |
||
IP |
IP address or domain of the syslog server. |
string |
Port |
Listening port of syslog server. |
int |
Tag |
Typically the program name, machine name, or node name. |
string |
TLS |
Set to |
bool |
Cert |
For TLS connections where TLS is set to |
string |
Insecure |
Used for testing purposes only. Set to |
bool |
TCP |
||
IP |
IP address or domain of the socket server. |
string |
Port |
Listening port of the socket server. |
int |
TLS |
Set to |
bool |
Cert |
For TLS connections where TLS is set to |
string |
Insecure |
Used for testing purposes only. Set to |
bool |
Note
Filenames for AdvancedLoggingConfig can contain an absolute filename, a relative filename, or embedded JSON.
See the Advanced Logging Options Sample JSON ZIP file for a sample configuration file.
Standard Logging
Access the following configuration settings in the System Console by going to Environment > Logging.
Note
Standard logging in Mattermost supports the ability to output logs to the console and file targets. Mattermost Enterprise customers can specify additional log target types, such as TCP configuration options using audit log v2. See the audit log v2 documentation and the advanced audit logging configuration documentation for additional details.
Output logs to console
True: Output log messages to the console based on ConsoleLevel option. The server writes messages to the standard output stream (stdout).
False: Output log messages are not written to the console.
Changes to this setting require a server restart before taking effect.
This feature’s |
Console Log Level
Level of detail at which log events are written to the console when EnableConsole = true.
DEBUG: Prints high detail for developers debugging issues.
ERROR: Outputs only error messages.
INFO: Outputs error messages and information around startup and initialization.
This feature’s |
Output console logs as JSON
Typically set to true in production. When true, logged events are written in a machine readable JSON format. Otherwise they are printed as plain text.
True: Logged events are written in a machine-readable JSON format.
False: Logged events are written in plain text.
Changes to this setting require a server restart before taking effect.
This feature’s |
Output logs to file
Typically set to true in production. When true, logged events are written to the mattermost.log file in the directory specified by the FileLocation setting. The logs are archived to a file in the same directory, and given a name with a datestamp and serial number. For example, mattermost.2017-03-31.001.
Note
Logs are rotated once the log file reaches a size of 100 MB or more.
True: Log files are written to files specified in FileLocation.
False: Log files are not written.
Changes to this setting require a server restart before taking effect.
This feature’s |
File Log Level
Level of detail at which log events are written to log files when EnableFile = true.
ERROR: Outputs only error messages.
INFO: Outputs error messages and information around startup and initialization.
DEBUG: Prints high detail for developers debugging issues.
This feature’s |
Output file logs as JSON
Typically set to true in production. When true, logged events are written in a machine readable JSON format. Otherwise they are printed as plain text.
True: Logged events are written in a machine-readable JSON format.
False: Logged events are written in plain text.
Changes to this setting require a server restart before taking effect.
This feature’s |
File Log Directory
The location of the log files. If blank, they are stored in the ./logs directory. The path that you set must exist and Mattermost must have write permissions in it.
Changes to this setting require a server restart before taking effect.
This feature’s |
Enable Webhook Debugging
True: Contents of incoming webhooks are printed to log files for debugging.
False: Contents of incoming webhooks are not printed to log files.
This feature’s |
Enable Diagnostics and Error Reporting
True: To improve the quality and performance of future Mattermost updates, this option sends error reporting and diagnostic information to Mattermost, Inc. All diagnostics and error reporting is encrypted in transit and does not include personally identifiable information or message contents. To learn more about this feature, see Telemetry.
False: Diagnostics and error reporting are disabled.
This feature’s |
Session Lengths
Access the following configuration settings in the System Console by going to Environment > Session Lengths.
User sessions are cleared when a user tries to log in. Additionally, a job runs every 24 hours to clear sessions from the sessions database table.
Extend session length with activity
Improves user experience by extending sessions and keeping users logged in if they are active in their Mattermost apps.
True: Sessions will be automatically extended when the user is active in their Mattermost client. User sessions will only expire if they are not active in their Mattermost client for the entire duration of the session lengths defined in the fields below.
False: Sessions will not extend with activity in Mattermost. User sessions will immediately expire at the end of the session length or idle timeouts defined below.
This feature’s |
Session length for email and AD/LDAP authentication
Set the number of hours from the last time a user entered their credentials to the expiry of the user’s session on email and AD/LDAP authentication.
After changing this setting, the new session length will take effect after the next time the user enters their credentials.
This feature’s |
Session length for mobile apps
Set the number of hours from the last time a user entered their credentials to the expiry of the user’s session on mobile apps.
After changing this setting, the new session length will take effect after the next time the user enters their credentials.
This feature’s |
Session length for SSO authentication
This setting defines the session length for SSO authentication, such as SAML, GitLab, and OAuth 2.0.
Set the number of hours from the last time a user entered their credentials to the expiry of the user’s session. Numbers as decimals are also accepted by this configuration setting. If the authentication method is SAML, GitLab, or OAuth 2.0, the user may automatically be logged back in to Mattermost if they are already logged in to SAML, GitLab, or with OAuth 2.0.
After changing this setting, the setting will take effect after the next time the user enters their credentials.
This feature’s |
Session Cache (minutes)
Set the number of minutes to cache a session in memory.
This feature’s |
Session Idle Timeout (minutes)
The number of minutes from the last time a user was active on the system to the expiry of the user’s session. Once expired, the user will need to log in to continue. Minimum is 5 minutes, and 0 is unlimited.
Applies to the desktop app and browsers. For mobile apps, use an EMM provider to lock the app when not in use. In High Availability mode, enable IP hash load balancing for reliable timeout measurement.
This setting does not take effect if ExtendSessionLengthWithActivity is set to true.
This feature’s |
Performance Monitoring
Access the following configuration settings in the System Console by going to Environment > Performance Monitoring.
Changes to properties in this section require a server restart before taking effect.
Enable Performance Monitoring
Available in legacy Enterprise Edition E20
True: Mattermost enables performance monitoring collection and profiling. Please see documentation to learn more about configuring performance monitoring for Mattermost.
False: Mattermost performance monitoring is disabled.
This feature’s |
Developer
Access the following configuration settings in the System Console by going to Environment > Developer.
Enable Testing Commands
True: /test slash command is enabled to load test accounts and test data.
False: /test slash command is disabled.
Changes to this setting require a server restart before taking effect.
This feature’s |
Enable Developer Mode
True: Javascript errors are shown in a purple bar at the top of the user interface. Not recommended for use in production.
False: Users are not alerted to Javascript errors.
This feature’s |
Enable Client Performance Debugging
True: User-specific performance debugging features can be enabled from Settings > Advanced > Performance Debugging. These settings only affect the user who enables them. See the Performance Debugging product documentation to learn more.
False: Disables and hides debugging features from Settings > Advanced > Performance Debugging.
This feature’s |
Allow Untrusted Internal Connections To
This setting limits the ability for the Mattermost server to make untrusted requests within its local network. A request is considered “untrusted” when it’s made on behalf of a client. The following features make untrusted requests and are affected by this setting:
Integrations using webhooks, slash commands, or message actions. This prevents them from requesting endpoints within the local network.
Link previews. When a link to a local network address is posted in a chat message, this prevents a link preview from being displayed.
The local image proxy. If the local image proxy is enabled, images located on the local network cannot be used by integrations or posted in chat messages.
Requests that can only be configured by admins are considered trusted and will not be affected by this setting. Trusted URLs include ones used for OAuth login or for sending push notifications.
Warning
This setting is intended to prevent users located outside your local network from using the Mattermost server to request confidential data from inside your network. Care should be used when configuring this setting to prevent unintended access to your local network.
Some examples of when you may want to modify this setting include:
When installing a plugin that includes its own images, such as Matterpoll, you will need to add the Mattermost server’s domain name to this list.
When running a bot or webhook-based integration on your local network, you’ll need to add the hostname of the bot/integration to this list.
If your network is configured in such a way that publicly-accessible web pages or images are accessed by the Mattermost server using their internal IP address, the hostnames for those servers must be added to this list.
This setting is a whitelist of local network addresses that can be requested by the Mattermost server. It’s configured as a whitespace-separated list of hostnames, IP addresses, and CIDR ranges that can be accessed (such as webhooks.internal.example.com 127.0.0.1 10.0.16.0/28). Since v5.9, the public IP of the Mattermost application server itself is also considered a reserved IP.
Note
Use whitespaces instead of commas to list the hostnames, IP addresses, or CIDR ranges. For example: webhooks.internal.example.com 127.0.0.1 10.0.16.0/28.
IP address and domain name rules are applied before host resolution. CIDR rules are applied after host resolution, and only CIDR rules require DNS resolution. We try to match IP addresses and hostnames without even resolving. If that fails, we resolve using the local resolver (by reading the /etc/hosts file first), then check for matching CIDR rules. For example, if the domain “webhooks.internal.example.com” resolves to the IP address 10.0.16.20, a webhook with the URL “https://webhooks.internal.example.com/webhook” can be whitelisted using webhooks.internal.example.com or 10.0.16.16/28, but not 10.0.16.20.
This feature’s |
Site Configuration
Settings for customizing your Mattermost deployment.
Customization
Access the following configuration settings in the System Console by going to Site Configuration > Customization.
Site Name
Name of service shown in login screens and UI. Maximum 30 characters.
This feature’s |
Site Description
Description of service shown in login screens and UI. When not specified, “All team communication in one place, searchable and accessible anywhere” is displayed.
This feature’s |
Enable Custom Branding
This feature was moved to Team Edition in Mattermost v5.0, released June 16th, 2018. Prior to v5.0, this feature is available in legacy Enterprise Edition E10 and E20.
True: Enables custom branding to show a JPG image some custom text on the server login page.
False: Custom branding is disabled.
This feature’s |
Custom Brand Image
Custom JPG image is displayed on left side of server login page. Recommended maximum image size is less than 2 MB because image will be loaded for every user who logs in.
This features has no |
Custom Brand Text
Custom text will be shown below custom brand image on left side of server login page. Maximum 500 characters allowed. You can format this text using the same Markdown formatting codes as using in Mattermost messages.
This feature’s |
Enable Ask Community Link
True: Ask the community link is visible in the Mattermost channel header, under the Help menu. When selected, users are redirected to https://mattermost.com/pl/default-ask-mattermost-community/, where they can join the Mattermost Community to ask questions and help others troubleshoot issues. This option is not available on the mobile apps.
False: The link is not visible to users.
This feature’s |
Help link
Configurable link to a Help page your organization may provide to end users. By default, links to Mattermost help documentation are hosted on docs.mattermost.com.
This feature’s |
Terms of Use link
Configurable link to Terms of Use your organization may provide to end users on the footer of Mattermost sign-up and login pages. By default, links to a Terms of Use page hosted on mattermost.com. If changing the link to a different Terms of Use, make sure to include the “Mattermost Acceptable Use Policy” notice to end users that must also be shown to users from the “Terms of Use” link.
From Mattermost v5.17, this setting doesn’t change the terms of use link displayed in the About Mattermost dialog, which refers to the Mattermost Terms of Use.
This feature’s |
Privacy Policy link
Configurable link to Privacy Policy your organization may provide to end users on the footer of the sign-up and login pages. By default, links to a Privacy Policy page hosted on mattermost.com.
In version 5.17 and later, this setting does not change the privacy policy link in Main Menu > About Mattermost, which refers to the Mattermost Privacy Policy.
This feature’s |
About Link
Configurable link to an About page describing your organization may provide to end users. By default, links to an About page hosted on mattermost.com.
This feature’s |
Report a Problem link
Set the link for the support website.
This feature’s |
Mattermost Apps Download Page Link
Configurable link to a download page for Mattermost Apps. When a link is present, an option to Download Apps will be added in the Main Menu so users can find the download page. Leave this field blank to hide the option from the Main Menu. Defaults to a page on mattermost.com where users can download the iOS, Android, and Desktop clients. If you’re using an Enterprise App Store for your mobile apps, change this link to point to a customized download page where users can find the correct apps.
This feature’s |
Android App Download Link
Configurable link to download the Android app. When a link is present, users who access the site on a mobile web browser will be prompted with a page giving them the option to download the app. Leave this field blank to prevent the page from appearing. If you are using an Enterprise App Store for your mobile apps, change this link to point to the correct app.
This feature’s |
iOS App Download Link
Configurable link to download the iOS app. When a link is present, users who access the site on a mobile web browser will be prompted with a page giving them the option to download the app. Leave this field blank to prevent the page from appearing. If you are using an Enterprise App Store for your mobile apps, change this link to point to the correct app.
This feature’s |
Localization
Access the following configuration settings in the System Console by going to Site Configuration > Localization.
Default Server Language
Default language for system messages and logs.
Changes to this setting require a server restart before taking effect.
This feature’s |
Default Client Language
Default language for newly-created users and pages where the user hasn’t logged in.
This feature’s |
Available Languages
Sets which languages are available for users in Settings > Display > Language. Leave the field blank to add new languages automatically by default, or add new languages using the dropdown menu manually as they become available. If you’re manually adding new languages, the Default Client Language must be added before saving the setting.
Note
Servers which upgraded to v3.1 need to manually set this field blank to have new languages added by default.
This feature’s |
Users and Teams
Access the following configuration settings in the System Console by going to Site Configuration > Users and Teams.
Max Users Per Team
Maximum number of users per team, excluding inactive users.
The Max Users Per Team refers to the size of the “team site” which is workspace a “team of people” inhabits. A team of people is considered a small organization where people work closely together towards a specific shared goal and share the same etiquette. In the physical world, a team of people could typically be seated around a single table to have a meal and discuss their project.
The default maximum of 50 people, is at the extreme high end of a single team of people. At this point organizations are more often “multiple teams of people” and investments in explicitly defining etiquette, such as channel organization in Enterprise Edition, are often used to scale the high levels of productivity found in a team of people using Mattermost to multiple teams of people.
In terms of technical performance, with appropriate hardware, Mattermost can easily scale to hundreds and even thousands of users, and provided the administrator believes the appropriate etiquette is in place, they should feel free to increase the default value.
This feature’s |
Max Channels Per Team
Maximum number of channels per team, including both active and deleted channels.
This feature’s |
Enable users to open Direct Message channels with
Any user on the Mattermost server: The Direct Messages More menu has the option to open a Direct Message channel with any user on the server.
Any member of the team: The Direct Messages More menu only has the option to open a Direct Message channel with users on the current team, and pressing Ctrl K on Windows or Linux, or ⌘ K on Mac only lists users on the current team. If a user belongs to multiple teams, direct messages will still be received regardless of what team they are currently on.
This setting only affects the UI, not permissions on the server. For instance, a direct message channel can be created with anyone on the server regardless of this setting.
This feature’s |
Teammate Name Display
Specifies how names are displayed in the user interface by default. Please note that users can override this setting in Settings > Display > Teammate Name Display.
Show username: Displays the user’s username.
Show nickname if one exists: Displays the user’s nickname. If the user does not have a nickname, their full name is displayed. If the user does not have a full name, their username is displayed.
Show first and last name: Displays the user’s full name. If the user does not have a full name, their username is displayed. Recommended when using SAML or LDAP if first name and last name attributes are configured.
This feature’s |
Lock Teammate Name Display for all users
True: Disables users’ ability to change settings under Settings > Display > Teammate Name Display.
False: Users can change how their teammate name displays.
Allow Users to View Archived Channels
True: Allows users to view, share, and search for content of channels that have been archived. Users can only view the content in channels of which they were a member before the channel was archived.
False: Users are unable to view, share, or search for content of channels that have been archived.
This feature’s |
Show Email Address
True: Show email address of all users.
False: Hide email address of users from other users in the user interface, including Team Admins. This is designed for managing teams where users choose to keep their contact information private. System Admins will still be able to see email addresses in the UI.
This feature’s |
Show Full Name
True: Show full name of all users.
False: Hide full name of users from other users including Team Admins. This is designed for managing teams where users choose to keep their contact information private. System Admins will still be able to see full names in the UI.
This feature’s |
Notifications
Access the following configuration settings in the System Console by going to Site Configuration > Notifications.
Show @channel, @all, or @here confirmation dialog
True: Users will be prompted to confirm when posting @channel, @all, or @here in channels with over five members.
False: No confirmation is required.
This feature’s |
Enable Email Notifications
True: Enables sending of email notifications.
False: Disables email notifications for posts. This is useful for developers who may want to skip email setup for faster development. In order to remove the Preview Mode: Email notifications have not been configured banner, you should also set Enable Preview Mode Banner to false.
If this setting is set to false and the SMTP server is set up, account related emails (such as password, email, username, user token, MFA, and other authentication related changes) will be sent regardless of this setting.
Email invitations and account deactivation emails are not affected by this setting.
This feature’s |
Enable Preview Mode Banner
True: Preview Mode banner is displayed to all users when "SendEmailNotifications": false so users are aware that email notifications are disabled.
False: Preview Mode banner is not displayed to users.
This feature’s |
Enable Email Batching
True: Users can select how often to receive email notifications, and multiple notifications within that timeframe will be combined into a single email. Batching will occur at a default interval of 15 minutes, configurable in Settings > Notifications.
Note
Email batching cannot be enabled unless the SiteURL is configured and the SMTP Email Server is configured.
Email batching in High Availability mode is planned but not yet supported.
False: If email notifications are enabled in Settings, emails will be sent individually for every mention or direct message received.
This feature’s |
Email Notification Contents
Available in legacy Enterprise Edition E20
Send full message contents: Sender name and channel are included in email notifications.
Send generic description with only sender name: The team name and name of the person who sent the message, with no information about channel name or message contents, is included in email notifications. Typically used for compliance reasons if Mattermost contains confidential information and policy dictates it cannot be stored in email.
This feature’s |
Support Email Address
Set an email address for feedback or support requests. This field is required, and if a value isn’t set, email notifications don’t include a way for users to request assistance.
To ensure that users can contact you for assistance, set this value to an email address your System Admin receives, such as "support@yourcompany.com". This address is displayed on email notifications and during the Getting Started tutorial.
This feature’s |
Notification Display Name
Name displayed on email account used when sending notification emails from Mattermost system. This field is required, and if a value isn’t set, email notifications don’t include a way for users to request assistance.
This feature’s |
Notification From Address
Address displayed on email account used when sending notification emails from within Mattermost. This field is required, and if a value isn’t set, email notifications don’t include a way for users to request assistance.
So you don’t miss messages, please make sure to change this value to an email your system administrator receives, such as "admin@yourcompany.com".
This feature’s |
Notification Reply-To Address
Email address used in the Reply-To header when sending notification emails from Mattermost.
This feature’s |
Notification Footer Mailing Address
Organization name and mailing address displayed in the footer of email notifications from Mattermost, such as “© ABC Corporation, 565 Knight Way, Palo Alto, California, 94305, USA”. If the field is left empty, the organization name and mailing address will not be displayed.
This feature’s |
Push Notification Contents
Generic description with only sender name: Push notifications include only the name of the person who sent the message but no information about channel name or message text.
Generic description with sender and channel names: Push notifications include names of users and channels but no specific details from the message text.
Full message content sent in the notification payload: Selecting Send full message snippet sends excerpts from messages triggering notifications with specifics and may include confidential information sent in messages. If your Push Notification Service is outside your firewall, it is HIGHLY RECOMMENDED this option only be used with an “https” protocol to encrypt the connection.
Full message content fetched from the server on receipt (Available in Mattermost Enterprise): The notification payload relayed through the Apple Push Notification service or Firebase Cloud Messaging service contains no message content. Instead it contains a unique message ID used to fetch message content from the server when a push notification is received by a device via a notification service app extension on iOS or an expandable notification pattern on Android. If the server cannot be reached, a generic push notification message is displayed without message content or sender name.
For customers who choose to wrap the Mattermost mobile application in a secure container, such as BlackBerry Dynamics, MobileIron, AirWatch or other solutions, the container needs to execute the fetching of message contents from the unique message ID when push notification are received. If the container is unable to execute the fetch, the push notification contents cannot be received by the customer’s mobile application without passing the message contents through either the Apple Push Notification service or Firebase Cloud Messaging service.
This feature’s |
Announcement Banner
Access the following configuration settings in the System Console by going to Site Configuration > Announcement Banner.
Enable Announcement Banner
Enable an announcement banner across all teams. The banner is displayed at the top of the screen and is the entire width of the screen. By default, users can dismiss the banner until you either change the text of the banner or until you re-enable the banner after it has been disabled. You can prevent users from dismissing the banner, and you can control the text color and the background color.
True: Enable the announcement banner. The banner is displayed only if BannerText has a value.
False: Disable the announcement banner.
This feature’s |
Banner Text
The text of the announcement banner.
This feature’s |
Banner Color
The background color of the announcement banner.
This feature’s |
Emoji
Access the following configuration settings in the System Console by going to Site Configuration > Emoji.
Enable Emoji Picker
True: Enables an emoji picker that allows users to select emojis to add as reactions or use in messages. Enabling the emoji picker with a large number of custom emojis may slow down performance.
False: The emoji picker is disabled.
This feature’s |
Posts
Access the following configuration settings in the System Console by going to Site Configuration > Posts.
Automatically Follow Threads
This setting must be enabled to support Collapsed Reply Threads. See the administrator’s guide to enabling Collapsed Reply Threads knowledge base article for details.
True: Threads a user starts, participates in, or is mentioned in are automatically followed. A new Threads table is added in the database that tracks threads and thread participants, and a ThreadMembership table tracks followed threads for each user and the read or unread state of each followed thread. Mattermost Cloud workspaces have this setting enabled.
False: All backend operations for Collapsed Reply Threads are disabled and server performance will not be impacted by the feature. Collapsed Reply Threads (CollapsedThreads) cannot be enabled if ThreadAutoFollow is disabled.
Note
Enabling this configuration setting doesn’t retroactively follow threads for actions taken prior to the setting being enabled. For example, threads a user participated in prior to enabling this setting won’t be automatically followed. However, if this setting is enabled, and a user adds a new comment on an old thread, they will automatically start following the thread.
This feature’s |
Collapsed Reply Threads
Collapsed Reply Threads offers an enhanced experience for users communicating in threads and replying to messages. Collapsed Reply Threads is generally available in Mattermost Cloud and from self-hosted Mattermost v7.0, and is enabled by default for all new Mattermost deployments. See our Organizing Conversations using Collapsed Reply Threads documentation to learn more about this feature.
Important
Customers upgrading to v7.0 must review the administrator’s guide to enabling Collapsed Reply Threads knowledge base article to learn about the system requirements, steps to enable, and self-host prerequisites to consider prior to enabling this functionality.
System Admins can set the default availability of Collapsed Reply Threads for their workspace by going to System Console > Site Configuration > Posts, then setting Collapsed Reply Threads to one of the following options:
Always On: Enables Collapsed Reply Threads functionality on the server and for all users. Users can’t disable this functionality. This is the recommended configuration for optimal user experience and to ensure consistency in how users read and respond to threaded conversations. Mattermost Cloud workspaces have Collapsed Reply Threads set to always_on by default.
Default On: Enables Collapsed Reply Threads functionality on the server and for all users. Users can choose to disable Collapsed Reply Threads for their Mattermost account in Settings > Display > Collapsed Reply Threads.
Default Off: Enables Collapsed Reply Threads functionality on the server but not for users. Users can choose to enable Collapsed Reply Threads for their Mattermost account in Settings > Display > Collapsed Reply Threads.
Disabled: Disables Collapsed Reply Threads front-end functionality.
This feature’s |
Enable Link Previews
Link previews are previews of linked website content, image links, and YouTube videos that are displayed below posts when available.
Link previews are requested by the server, meaning the Mattermost server must be connected to the internet for previews to be displayed. This connection can be established through a firewall or outbound proxy in environments where direct internet connectivity is not given or security policies make this necessary.
True: Website link previews, image link previews, and YouTube previews are enabled on the server. Users can enable or disable website previews for themselves from Settings > Display > Website Link Previews.
False: Website link previews, image link previews, and YouTube previews are disabled. The server does not request metadata for any links sent in messages.
This feature’s |
Disable Link Previews for Specific Domains
Link previews are disabled for this list of comma-separated domains (e.g. “github.com, mattermost.com”).
This feature’s |
Enable message link previews
True: Links to messages generate a preview for any users with access to the original message.
False: Links to messages don’t include a preview.
This feature’s |
Enable SVGs
True: Enables users to see previews of SVG file attachments and SVG image links.
False: Previews of SVG file attachments and SVG image links are not displayed.
This feature’s |
Enable LaTeX Code Block Rendering
True: Enables rendering of LaTeX code in a latex code block.
False: Disables rendering of LaTeX code to prevent the app from crashing when sharing code that might outgrow assigned memory. When disabled, LaTeX code will be highlighted.
This feature’s |
Enable Inline LaTeX Rendering
True: Enables inline rendering of LaTeX code.
False: Disables inline rendering of LaTeX code to prevent the app from crashing when sharing code that might outgrow assigned memory. When disabled, LaTeX code will be highlighted. When disabled, Latex code can only be rendered in a code block using syntax highlighting.
This feature’s |
Custom URL Schemes
A list of URL schemes that are used for autolinking in message text. http, https, ftp, tel and mailto always create links.
This feature’s |
Google API Key
Mattermost offers the ability to embed YouTube videos from URLs shared by end users.
Set this key and add YouTube Data API v3 as a service to your key to enable the display of titles for embedded YouTube video previews. Without the key, YouTube previews will still be created based on hyperlinks appearing in messages or comments but they will not show the video title. If Google detects the number of views is exceedingly high, they may throttle embed access.
Should this occur, you can remove the throttle by registering for a Google Developer Key and entering it in this field following these instructions: https://www.youtube.com/watch?v=Im69kzhpR3I. Your Google Developer Key is used in client-side Javascript.
Using a Google API Key allows Mattermost to detect when a video is no longer available and display the post with a Video not found label.
This feature’s |
File Sharing and Downloads
Access the following configuration settings in the System Console by going to Site Configuration > File Sharing and Downloads.
Allow File Sharing
When false, disables file sharing on the server. All file and image uploads on messages are forbidden across clients and devices, including mobile.
This feature’s |
Allow File Uploads on Mobile
Available in legacy Enterprise Edition E20
True: Enables file uploads on messages using Mattermost clients.
False: Disables file uploads on mobile apps. All file and image uploads on messages are forbidden across clients and devices, including mobile.
This feature’s |
Allow File Downloads on Mobile
Available in legacy Enterprise Edition E20
True: Enables file downloads on Mattermost mobile apps.
False: Disables file downloads on mobile apps. Users can still download files from a mobile web browser.
This feature’s |
Public Links
Access the following configuration settings in the System Console by going to Site Configuration > Public Links.
Enable Public File Links
True: Allow users to generate public links to files and images for sharing outside the Mattermost system with a public URL.
False: The Get Public Link option is hidden from the image preview user interface.
Note
When set to False, anyone who tries to visit a previously generated public link will receive an error message saying public links have been disabled. When set back to True, old public links will work again unless the Public Link Salt has been regenerated.
This feature’s |
Notices
Access the following configuration settings in the System Console by going to Site Configuration > Notices.
Enable Admin Notices
True: System Admins will receive notices about available server upgrades and relevant system administration features. Learn more.
False: System Admins will not receive notices except those that apply to all end users (See UserNoticesEnabled).
This feature’s |
Enable End User Notices
True: All users will receive notices about available client upgrades and relevant end user features to improve user experience. Learn more.
False: Users will not receive notices about available client upgrades and relevant end user features.
This feature’s |
Authentication
Authentication settings to enable account creation and log in with email, GitLab, Google or Office 365 OAuth, AD/LDAP, or SAML.
Signup
Enable Account Creation
True: Ability to create new accounts is enabled via inviting new members or sharing the team invite link.
False: Ability to create accounts is disabled. The Create Account button displays an error when trying to signup via an email invite or team invite link.
This feature’s |
Restrict account creation to specified email domains
Teams and user accounts can only be created by a verified email from this list of comma-separated domains (e.g. “corp.mattermost.com, mattermost.com”).
This setting only affects email login. For domain restrictions to be effective, you must also set Require Email Verification to true.
This feature’s |
Enable Open Server
True: Users can sign up to the server from the root page without an invite.
False: Users can only sign up to the server if they receive an invite.
This feature’s |
Enable account creation with email
True: Allow team creation and account signup using email and password.
False: Email signup is disabled. This limits signup to single sign-on services like OAuth or AD/LDAP.
This feature’s |
Require Email Verification
True: Require email verification after account creation prior to allowing login.
False: Users do not need to verify their email address prior to login. Developers may set this field to false to skip sending verification emails for faster development.
This feature’s |
Enable sign-in with email
True: Mattermost allows account creation using email and password.
False: Log in with email is disabled and does not appear on the login screen. Use this value when you want to limit sign up to a Single Sign-on service like AD/LDAP, SAML, or GitLab.
This feature’s |
Enable sign-in with username
True: Mattermost allows users with email login to log in using their username and password. This setting does not affect AD/LDAP login.
False: Log in with username is disabled and does not appear on the login screen.
This feature’s |
Password
Minimum Password Length
This feature was moved to Team Edition in Mattermost v5.0, released June 16th, 2018. Prior to v5.0, this feature is available in legacy Enterprise Edition E10 and E20.
Minimum number of characters required for a valid password. Must be a whole number greater than or equal to 5 and less than or equal to 64.
This feature’s |
Password Requirements
This feature was moved to Team Edition in Mattermost v5.0, released June 16th, 2018. Prior to v5.0, this feature is available in legacy Enterprise Edition E10 and E20.
Set the required character types to be included in a valid password. Defaults to allow any characters unless otherwise specified by the checkboxes. The error message previewed in the System Console will appear on the account creation page if a user enters an invalid password.
At least one lowercase letter: Select this checkbox if a valid password must contain at least one lowercase letter.
At least one uppercase letter: Select this checkbox if a valid password must contain at least one uppercase letter.
At least one number: Select this checkbox if a valid password must contain at least one number.
At least one symbol: Select this checkbox if a valid password must contain at least one symbol. Valid symbols include:
!"#$%&'()*+,-./:;<=>?@[]^_`|~.
This feature’s config.json settings are, respectively:
|
|
|
|
MFA
Configure security settings for multi-factor authentication.
The default recommendation for secure deployment is to host Mattermost within your own private network, with VPN clients on mobile, so everything works under your existing security policies and authentication protocols, which may already include multi-factor authentication.
If you choose to run Mattermost outside your private network, bypassing your existing security protocols, we recommend you set up a multi-factor authentication service specifically for accessing Mattermost.
Enable Multi-factor Authentication
True: Users with LDAP and email authentication will be given the option to require a phone-based passcode, in addition to their password-based authentication, to log in to the Mattermost server. Specifically, they’ll be asked to download the Google Authenticator app to their iOS or Android mobile device, connect the app with their account, and then enter a passcode generated by the app on their phone whenever they log in to the Mattermost server.
False: Multi-factor authentication is disabled.
This feature’s |
Enforce Multi-factor Authentication
Available in legacy Enterprise Edition E10 and E20
True: Multi-factor authentication (MFA) is required for login. New users will be required to configure MFA on signup. Logged in users without MFA configured are redirected to the MFA setup page until configuration is complete. If your system has users with login options other than AD/LDAP and email, MFA must be enforced with the authentication provider outside of Mattermost.
False: Multi-factor authentication is optional.
This feature’s |
AD/LDAP
Enable sign-in with AD/LDAP
Available in legacy Enterprise Edition E10 and E20
True: Mattermost allows login using AD/LDAP or Active Directory.
False: Login with AD/LDAP is disabled.
This feature’s |
Enable Synchronization with AD/LDAP
True: Mattermost periodically synchronizes users from AD/LDAP.
False: AD/LDAP synchronization is disabled.
This feature’s |
Login Field Name
The placeholder text that appears in the login field on the login page. Typically this would be whatever name is used to refer to AD/LDAP credentials in your company, so it is recognizable to your users. Defaults to AD/LDAP Username.
This feature’s |
AD/LDAP Server
The domain or IP address of the AD/LDAP server.
This feature’s |
AD/LDAP Port
The port Mattermost will use to connect to the AD/LDAP server. Defaults to 389.
This feature’s |
Connection Security
The type of connection security Mattermost uses to connect to AD/LDAP.
None: No encryption, Mattermost will not attempt to establish an encrypted connection to the AD/LDAP server.
TLS: Encrypts the communication between Mattermost and your server using TLS.
STARTTLS: Takes an existing insecure connection and attempts to upgrade it to a secure connection using TLS.
If the “No encryption” option is selected it is highly recommended that the AD/LDAP connection is secured outside of Mattermost, for example, by adding a stunnel proxy.
This feature’s |
Skip Certificate Verification
True: Skips the certificate verification step for TLS or STARTTLS connections. Not recommended for production environments where TLS is required. For testing only.
False: Mattermost does not skip certificate verification.
This feature’s |
Private Key
(Optional) The private key file provided by your LDAP Authentication Provider and uploaded if TLS client certificates are being used as the primary authentication mechanism.
This feature’s |
Public Certificate
(Optional) The public TLS certificate file provided by your LDAP Authentication Provider and uploaded if TLS client certificates are being used as the primary authentication mechanism.
This feature’s |
Bind Username
The username used to perform the AD/LDAP search. This should be an account created specifically for use with Mattermost. Its permissions should be limited to read-only access to the portion of the AD/LDAP tree specified in the Base DN field. When using Active Directory, Bind Username should specify domain in "DOMAIN/username" format. This field is required, and anonymous bind is not currently supported.
This feature’s |
Bind Password
Password of the user given in Bind Username. Anonymous bind is not currently supported.
This feature’s |
Base DN
The Base Distinguished Name of the location where Mattermost should start its search for users in the AD/LDAP tree.
This feature’s |
User Filter
(Optional) Enter an AD/LDAP Filter to use when searching for user objects (accepts general syntax). Only the users selected by the query will be able to access Mattermost.
Sample filters for Active Directory:
To filter out disabled users:
(&(objectCategory=Person)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))).To filter out by group membership, determine the distinguishedName of your group, then use the group membership general syntax format as your filter.
For example, if the security group distinguishedName is
CN=group1,OU=groups,DC=example,DC=com, then the user filter to use is:(memberOf=CN=group1,OU=groups,DC=example,DC=com). Note that the user must explicitly belong to this group for the filter to apply.
This filter uses the permissions of the Bind Username account to execute the search. Administrators should make sure to use a specially created account for Bind Username with read-only access to the portion of the AD/LDAP tree specified in the Base DN field.
This feature’s |
Group Filter
Available in legacy Enterprise Edition E20
(Optional) Enter an AD/LDAP Filter to use when searching for group objects (accepts general syntax). Only the groups selected by the query will be able to access Mattermost.
This filter is defaulted to (|(objectClass=group)(objectClass=groupOfNames)(objectClass=groupOfUniqueNames)) when blank.
Note
This filter is used only when AD/LDAP Group Sync is enabled. See AD/LDAP Group Sync documentation for more information on enabling and configuring AD/LDAP Group Sync.
This feature’s |
Enable Admin Filter
True: Enables System Admins to configure an AD/LDAP filter.
False: Disables the ability for System Admins to configure an AD/LDAP filter.
Admin Filter
Available in legacy Enterprise Edition E20
(Optional) Enter a filter to use for designating the System Admin role to users. When enabled the user is promoted to this role on their next login or at the next scheduled AD/LDAP sync. If the Admin Filter is removed, users who are currently logged in retain their Admin role. When they log out this is revoked and on their next login they will no longer have Admin privileges.
This filter default is false and must be set to true in order for the Admin Filter to be used.
This feature’s |
Guest Filter
Available in legacy Enterprise Edition E20
(Optional) Enter an AD/LDAP Filter to use when searching for external users who have Guest Access to Mattermost. Only the users selected by the query will be able to log in to and use Mattermost as Guests. This filter default is blank.
See the Guest Accounts documentation for more information.
This feature’s |
ID Attribute
The attribute in the AD/LDAP server used as a unique identifier in Mattermost. It should be an AD/LDAP attribute with a value that does not change.
If a user’s ID Attribute changes, a new Mattermost account (unassociated with the previous one) is created. To prevent this, it’s recommended that a unique attribute such as objectGUID in Active Directory and entryUUID in LDAP be used instead.
Before making any changes confirm with your LDAP provider whether these attributes are available in your environment.
If you need to change this field after users have already logged in, use the mattermost ldap idmigrate CLI tool.
This feature’s |
Login ID Attribute
The attribute in the AD/LDAP server used to log in to Mattermost. Normally this attribute is the same as the Username Attribute field above.
If your team typically uses domainusername to log in to other services with AD/LDAP, you may enter domainusername in this field to maintain consistency between sites.
This feature’s |
Username Attribute
The attribute in the AD/LDAP server used to populate the username field in Mattermost. This may be the same as the Login ID Attribute.
This attribute will be used within the Mattermost user interface to identify and mention users. For example, if a Username Attribute is set to john.smith a user typing @john will see @john.smith in their auto-complete options and posting a message with @john.smith will send a notification to that user that they’ve been mentioned.
The Username Attribute may be set to the same value used to log in to the system, called a Login ID Attribute, or it can be mapped to a different value.
This feature’s |
Email Attribute
The attribute in the AD/LDAP server used to populate the email address field in Mattermost.
Email notifications will be sent to this email address, and this email address may be viewable by other Mattermost users depending on privacy settings chosen by the System Admin.
This feature’s |
First Name Attribute
(Optional) The attribute in the AD/LDAP server used to populate the first name of users in Mattermost. When set, users cannot edit their first name, since it is synchronized with the LDAP server. When left blank, users can set their first name as part of their profile settings.
This feature’s |
Last Name Attribute
(Optional) The attribute in the AD/LDAP server used to populate the last name of users in Mattermost. When set, users cannot edit their last name, since it is synchronized with the LDAP server. When left blank, users can set their last name as part of their profile settings.
This feature’s |
Nickname Attribute
(Optional) The attribute in the AD/LDAP server used to populate the nickname of users in Mattermost. When set, users cannot edit their nickname, since it is synchronized with the LDAP server. When left blank, users can set their nickname as part of their profile settings.
This feature’s |
Position Attribute
(Optional) The attribute in the AD/LDAP server used to populate the position field in Mattermost. When set, users cannot edit their position, since it is synchronized with the LDAP server. When left blank, users can set their position as part of their profile settings.
This feature’s |
Profile Picture Attribute
The attribute in the AD/LDAP server used to synchronize (and lock) the profile picture used in Mattermost.
The Mattermost server will replace the user’s profile image upon login (not at the sync interval as with other attributes). The sync will not occur if the current Mattermost profile image matches the image associated with that user in AD/LDAP.
This feature’s |
Group Display Name Attribute
Available in legacy Enterprise Edition E20
(Required) Enter an AD/LDAP Group Display name attribute used to populate Mattermost Group names.
Note
This attribute is used only when AD/LDAP Group Sync is enabled. See AD/LDAP Group Sync documentation for more information on enabling and configuring AD/LDAP Group Sync.
This feature’s |
Group Id Attribute
Available in legacy Enterprise Edition E20
(Required) Enter an AD/LDAP Group ID attribute to use as a unique identifier for Groups. This should be an AD/LDAP value that does not change. This is usually entryUUID for LDAP and objectGUID for AD.
Note
This attribute is used only when AD/LDAP Group Sync is enabled. See AD/LDAP Group Sync documentation for more information on enabling and configuring AD/LDAP Group Sync.
This feature’s |
Synchronization Interval (minutes)
Set how often Mattermost accounts synchronize attributes with AD/LDAP, in minutes.
When synchronizing, Mattermost queries AD/LDAP for relevant account information and updates Mattermost accounts based on changes to attributes (first name, last name, and nickname).
When accounts are disabled in AD/LDAP users are made inactive in Mattermost, and their active sessions are revoked once Mattermost synchronizes attributes. To synchronize immediately after disabling an account, use the AD/LDAP Synchronize Now button.
This feature’s |
Note
LDAP syncs cause a large number of database read queries. Ensure that you monitor database load during a sync to determine how often these syncs should happen in your environment in order to minimize performance degradation.
Maximum Page Size
The maximum number of users the Mattermost server will request from the AD/LDAP server at one time. Use this setting if your AD/LDAP server limits the number of users that can be requested at once.
A value of 0 is unlimited and does not paginate the results.
A value of 1500 is recommended to align with the default AD/LDAP
MaxPageSizesetting.
This feature’s |
Query Timeout (seconds)
The timeout value for queries to the AD/LDAP server. Increase this value if you are getting timeout errors caused by a slow AD/LDAP server.
This feature’s |
AD/LDAP Test
This button can be used to test the connection to the AD/LDAP server. If the test is successful, it shows a confirmation message and if there is a problem with the configuration settings it will show an error message.
AD/LDAP Synchronize Now
This button causes AD/LDAP synchronization to occur as soon as it is pressed. Use it whenever you have made a change in the AD/LDAP server you want to take effect immediately. After using the button, the next AD/LDAP synchronization will occur after the time specified by the Synchronization Interval.
You can monitor the status of the synchronization job in the table below this button.
Note
If synchronization Status displays as Pending and does not complete, make sure that the Enable Synchronization with AD/LDAP setting is set to true.
SAML
Note
In line with Microsoft ADFS guidance we recommend configuring intranet forms-based authentication for devices that do not support WIA.
Enable Login With SAML
Available in legacy Enterprise Edition E20
True: Mattermost allows login using SAML. Please see documentation to learn more about configuring SAML for Mattermost.
False: Login with SAML is disabled.
This feature’s |
Enable Synchronizing SAML Accounts With AD/LDAP
Available in legacy Enterprise Edition E20
True: Mattermost periodically synchronizes SAML user attributes, including user deactivation and removal, with AD/LDAP. Enable and configure synchronization settings at Authentication > AD/LDAP. See documentation to learn more.
False: Synchronization of SAML accounts with AD/LDAP is disabled.
This feature’s |
Ignore Guest Users When Synchronizing with AD/LDAP
Available in legacy Enterprise Edition E20
Available when Enable Synchronizing SAML Accounts With AD/LDAP is set to true.
True: Mattermost ignores Guest Users identified by the Guest Attribute when synchronizing with AD/LDAP on user deactivation and removal. Manage guest deactivation manually via System Console > Users. See documentation to learn more.
False: Synchronization of SAML deactivates and removes Guest Users when synchronizing with AD/LDAP.
This feature’s |
Override SAML Bind Data with AD/LDAP Information
Available in legacy Enterprise Edition E20
True: Mattermost overrides the SAML ID attribute with the AD/LDAP ID attribute if configured or overrides the SAML Email attribute with the AD/LDAP Email attribute if SAML ID attribute is not present. See documentation to learn more.
False: Mattermost uses the email attribute to bind users to SAML.
Note
Moving from true to false will prevent the override from happening. To prevent the disabling of user accounts, SAML IDs must match the LDAP IDs when this feature is enabled. This setting should be set to false unless LDAP sync is enabled.
This feature’s |
Identity Provider Metadata URL
Available in legacy Enterprise Edition E20
The URL where Mattermost sends a request to obtain setup metadata from the provider.
This feature’s |
SAML SSO URL
Available in legacy Enterprise Edition E20
The URL where Mattermost sends a SAML request to start login sequence.
This feature’s |
Identity Provider Issuer URL
Available in legacy Enterprise Edition E20
The issuer URL for the Identity Provider you use for SAML requests.
This feature’s |
Identity Provider Public Certificate
Available in legacy Enterprise Edition E20
The public authentication certificate issued by your Identity Provider.
This feature’s |
Verify Signature
Available in legacy Enterprise Edition E20
True: Mattermost verifies that the signature sent from the SAML Response matches the Service Provider Login URL.
False: Not recommended for production environments. For testing only.
This feature’s |
Service Provider Login URL
Available in legacy Enterprise Edition E20
Enter https://<your-mattermost-url>/login/sso/saml (example: https://example.com/login/sso/saml). Make sure you use HTTP or HTTPS in your URL depending on your server configuration. This field is also known as the Assertion Consumer Service URL.
This feature’s |
Service Provider Identifier
Available in legacy Enterprise Edition E20
The unique identifier for the Service Provider, usually the same as Service Provider Login URL. In ADFS, this must match the Relying Party Identifier.
This feature’s |
Enable Encryption
Available in legacy Enterprise Edition E20
True: Mattermost will decrypt SAML Assertions encrypted with your Service Provider Public Certificate.
False: Not recommended for production environments. For testing only.
This feature’s |
Service Provider Private Key
Available in legacy Enterprise Edition E20
The private key used to decrypt SAML Assertions from the Identity Provider.
This feature’s |
Service Provider Public Certificate
Available in legacy Enterprise Edition E20
The certificate file used to generate the signature on a SAML request to the Identity Provider for a service provider initiated SAML login, when Mattermost is the Service Provider.
This feature’s |
Sign Request
Available in legacy Enterprise Edition E20
When true, Mattermost signs the SAML request using your Service Provider Private Key. When false, Mattermost does not sign the SAML request.
This feature’s |
Signature Algorithm
Available in legacy Enterprise Edition E20
The signature algorithm used to sign the request. Supported options are RSAwithSHA1, RSAwithSHA256, and RSAwithSHA512.
This feature’s |
Canonical Algorithm
Available in legacy Enterprise Edition E20
The canonicalization algorithm. Supported options are Canonical1.0 for Exclusive XML Canonicalization 1.0 (omit comments) (http://www.w3.org/2001/10/xml-exc-c14n#) and Canonical1.1 for Canonical XML 1.1 (omit comments) (http://www.w3.org/2006/12/xml-c14n11).
This feature’s |
Email Attribute
Available in legacy Enterprise Edition E20
The attribute in the SAML Assertion that will be used to populate the email addresses of users in Mattermost.
Email notifications will be sent to this email address, and this email address may be viewable by other Mattermost users depending on privacy settings chosen by the System Admin.
This feature’s |
Username Attribute
Available in legacy Enterprise Edition E20
The attribute in the SAML Assertion that will be used to populate the username field in Mattermost user interface. This attribute will be used within the Mattermost user interface to identify and mention users. For example, if a Username Attribute is set to john.smith a user typing @john will see @john.smith in their auto-complete options and posting a message with @john.smith will send a notification to that user that they’ve been mentioned.
This feature’s |
Id Attribute
Available in legacy Enterprise Edition E20
(Optional) The attribute in the SAML Assertion used to bind users from SAML to users in Mattermost.
This feature’s |
Guest Attribute
Available in legacy Enterprise Edition E20
(Optional) The attribute in the SAML Assertion used to apply a Guest role to users in Mattermost.
See the Guest Accounts documentation for more information.
This feature’s |
Enable Admin Attribute
Available in legacy Enterprise Edition E20
True: Enables System Admins to configure the SAML Assertion.
False: Disables the ability for System Admins to configure the SAML Assertion.
Admin Attribute
Available in legacy Enterprise Edition E20
(Optional) The attribute in the SAML Assertion for designating System Admins. The user is automatically promoted to this role on their next login. If the Admin Attribute is removed, users who are currently logged in retain their Admin role. When they log out this is revoked and on their next login they will no longer have Admin privileges.
This attribute’s default is false and must be set to true in order for the Admin Attribute to be used.
This feature’s |
First Name Attribute
Available in legacy Enterprise Edition E20
(Optional) The attribute in the SAML Assertion that will be used to populate the first name of users in Mattermost.
This feature’s |
Last Name Attribute
Available in legacy Enterprise Edition E20
(Optional) The attribute in the SAML Assertion that will be used to populate the last name of users in Mattermost.
This feature’s |
Nickname Attribute
Available in legacy Enterprise Edition E20
(Optional) The attribute in the SAML Assertion that will be used to populate the nickname of users in Mattermost.
This feature’s |
Position Attribute
Available in legacy Enterprise Edition E20
(Optional) The attribute in the SAML Assertion that will be used to populate the position field for users in Mattermost (typically used to describe a person’s job title or role at the company).
This feature’s |
OAuth 2.0
Note
OAuth 2.0 is being deprecated and will be replaced by OpenID Connect in a future release.
Settings to configure OAuth login for account creation and login.
Select OAuth 2.0 service provider
Available in legacy Enterprise Edition E20
Choose whether OAuth can be used for account creation and login. Options include:
Do not allow login via an OAuth 2.0 provider
GitLab (available in all plans; see GitLab Settings for details)
Google Apps (Available in Mattermost Enterprise and Professional; see Google Settings for details)
Office 365 (Available in Mattermost Enterprise and Professional; see Office 365 Settings for details)
This feature’s setting does not appear in config.json.
GitLab
Enable authentication with GitLab
True: Allow team creation and account signup using GitLab OAuth. To configure, input the Secret and Id credentials.
False: GitLab OAuth cannot be used for team creation or account signup.
Note
For Enterprise subscriptions, GitLab settings can be found under OAuth 2.0
This feature’s |
Application ID
Obtain this value by logging into your GitLab account. Go to Profile Settings > Applications > New Application, enter a Name, then enter Redirect URLs https://<your-mattermost-url>/login/gitlab/complete (example: https://example.com:8065/login/gitlab/complete and https://<your-mattermost-url>/signup/gitlab/complete.
This feature’s |
Application Secret Key
Obtain this value by logging into your GitLab account. Go to Profile Settings > Applications > New Application, enter a Name, then enter Redirect URLs https://<your-mattermost-url>/login/gitlab/complete (example: https://example.com:8065/login/gitlab/complete and https://<your-mattermost-url>/signup/gitlab/complete.
This feature’s |
GitLab Site URL
Specify the URL of your GitLab instance (example https://example.com:3000). If your GitLab instance is not set up with SSL, start the URL with http:// instead of https://.
User API Endpoint
Enter https://<your-gitlab-url>/api/v3/user (example: https://example.com:3000/api/v3/user). Use HTTP or HTTPS depending on how your server is configured.
This feature’s |
Enable authentication with Google by selecting Google Apps from OAuth 2.0 > Select OAuth 2.0 service provider.
True: Allow team creation and account signup using Google OAuth. To configure, input the Client ID and Client Secret credentials. See the documentation for more detail.
False: Google OAuth cannot be used for team creation or account signup.
This feature’s |
Client ID
Available in legacy Enterprise Edition E20
Obtain this value by registering Mattermost as an application in your Google account.
This feature’s |
Client Secret
Available in legacy Enterprise Edition E20
Obtain this value by registering Mattermost as an application in your Google account.
This feature’s |
User API Endpoint
Available in legacy Enterprise Edition E20
We recommend you use https://people.googleapis.com/v1/people/me?personFields=names,emailAddresses,nicknames,metadata as the User API Endpoint. Otherwise, enter a custom endpoint in config.json with HTTP or HTTPS depending on how your server is configured.
This feature’s |
Auth Endpoint
Available in legacy Enterprise Edition E20
We recommend you use https://accounts.google.com/o/oauth2/v2/auth as the Auth Endpoint. Otherwise, enter a custom endpoint in config.json with HTTP or HTTPS depending on how your server is configured.
This feature’s |
Token Endpoint
Available in legacy Enterprise Edition E20
We recommend that you use https://www.googleapis.com/oauth2/v4/token as the Token Endpoint. Otherwise, enter a custom endpoint in config.json with HTTP or HTTPS depending on how your server is configured.
This feature’s |
Office 365
Note
In line with Microsoft ADFS guidance we recommend configuring intranet forms-based authentication for devices that do not support WIA.
Enable authentication with Office 365 by selecting Office 365 from System Console > Authentication > OAuth 2.0 > Select OAuth 2.0 service provider.
True: Allow team creation and account signup using Office 365 OAuth. To configure, input the Application ID and Application Secret Password credentials. See the documentation for more detail.
False: Office 365 OAuth cannot be used for team creation or account signup.
This feature’s |
Application ID
Available in legacy Enterprise Edition E20
Obtain this value by registering Mattermost as an application in your Microsoft or Office account.
This feature’s |
Application Secret Password
Available in legacy Enterprise Edition E20
Obtain this value by registering Mattermost as an application in your Microsoft or Office account.
This feature’s |
Directory (tenant) ID
Available in legacy Enterprise Edition E20
This value is the ID of the application’s AAD directory.
This feature’s |
User API Endpoint
Available in legacy Enterprise Edition E20
We recommend using https://graph.microsoft.com/v1.0/me as the User API Endpoint. Otherwise, enter a custom endpoint in config.json with HTTP or HTTPS depending on how your server is configured.
This feature’s |
Auth Endpoint
Available in legacy Enterprise Edition E20
We recommend using https://accounts.google.com/o/oauth2/v2/auth as the Auth Endpoint. Otherwise, enter a custom endpoint in config.json with HTTP or HTTPS depending on how your server is configured.
This feature’s |
Token Endpoint
Available in legacy Enterprise Edition E20
We recommend that you use https://login.microsoftonline.com/common/oauth2/v2.0/token as the Token Endpoint. Otherwise, enter a custom endpoint in config.json with HTTP or HTTPS depending on how your server is configured.
This feature’s |
OpenID Connect
Select OpenID Connect service provider
Available in legacy Enterprise Edition E20
Choose whether OpenID Connect can be used for account creation and login. Options include:
Do not allow login via an OpenID provider
GitLab (available in all plans; see GitLab Settings for details)
Google Apps (Available in Mattermost Enterprise and Professional; see Google Settings for details)
Office 365 (Available in Mattermost Enterprise and Professional; see Office 365 Settings for details)
OpenID Connect (Other) (Available in Mattermost Enterprise and Professional; see OpenID Connect Settings for more detail)
This feature’s setting does not appear in config.json.
GitLab Settings
GitLab Site URL
Available in legacy Enterprise Edition E10 and E20. Not available in Cloud Starter.
Specify the URL of your GitLab instance (example https://example.com:3000). If your GitLab instance is not set up with SSL, start the URL with http:// instead of https://.
Discovery Endpoint
Available in legacy Enterprise Edition E10 and E20 Not available in Cloud Starter
Obtain this value by registering Mattermost as an application in your service provider account. Should be in the format https://myopenid.provider.com/{my_company}/.well-known/openid-configuration where the value of {my_company} is replaced with your organization.
Google Settings
Enable authentication with Google by selecting Google Apps from System Console > Authentication > OpenID Connect > Select service provider.
True: Allow team creation and account signup using Google OpenID Connect. To configure, input the Client ID, Client Secret, and DiscoveryEndpoint credentials. See the documentation for more detail.
False: Google OpenID Connect cannot be used for team creation or account signup.
This feature’s |
Discovery Endpoint
Available in legacy Enterprise Edition E20
This value is prepopulated with https://accounts.google.com/.well-known/openid-configuration.
This feature’s |
Office 365 Settings
Note
In line with Microsoft ADFS guidance, we recommend configuring intranet forms-based authentication for devices that do not support WIA.
Enable authentication with Office 365 by selecting Office 365 from System Console > Authentication > OpenID Connect > Select service provider.
True: Allow team creation and account signup using Office 365 OpenID Connect. To configure, input the Application ID and Application Secret Password credentials. See the documentation for more detail.
False: Office 365 OpenID Connect cannot be used for team creation or account signup.
This feature’s |
Directory (tenant) ID
Available in legacy Enterprise Edition E20
This value is the ID of the application’s AAD directory.
Discovery Endpoint
Available in legacy Enterprise Edition E20
This value is prepopulated with https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration.
OpenID Connect (Other)
Enable authentication with a service provider by selecting OpenID Connect (Other) from System Console > Authentication > OpenID Connect > Select service provider.
True: Allow team creation and account signup using OpenID Connect. To configure, input the Client ID, Client Secret, and DiscoveryEndpoint credentials. See the documentation for more detail.
False: OpenID Connect cannot be used for team creation or account signup.
This feature’s |
Button Name
Available in legacy Enterprise Edition E20
Specify the text that displays on the OpenID login button.
This feature’s |
Button Color
Specify the color of the OpenID login button for white labeling purposes. Use a hex code with a #-sign before the code, for example #145DBF.
This feature’s |
Discovery Endpoint
Available in legacy Enterprise Edition E20
Obtain this value by registering Mattermost as an application in your service provider account. Should be in the format https://myopenid.provider.com/{my_company}/.well-known/openid-configuration where the value of {my_company} is replaced with your organization.
This feature’s |
Guest Access
Enable Guest Access
Available in legacy Enterprise Edition E10 and E20
True: Allow guest invitations to channels within teams. Please see Guest Accounts documentation for more information.
False: Email signup is disabled. This limits signup to Single sign-on services like OAuth or AD/LDAP.
This feature’s |
Whitelisted Guest Domains
Available in legacy Enterprise Edition E10 and E20
When populated, guest accounts can only be created by a verified email from this list of comma-separated domains.
This feature’s |
Enforce Multi-factor Authentication
Available in legacy Enterprise Edition E10 and E20
This setting defaults to false and is read-only if multi-factor authentication is not enforced for regular users.
True: Multi-factor authentication (MFA) is required for login. New guest users will be required to configure MFA on sign-up. Logged in guest users without MFA configured are redirected to the MFA setup page until configuration is complete.
False: Multi-factor authentication for guests is optional.
This feature’s |
Plugins
Settings to configure Mattermost plugins.
Plugin Management
Access the following configuration settings in the System Console by going to Plugins > Plugin Management.
Enable Plugins
True: Enables plugins on your Mattermost server. Use plugins to integrate with third-party systems, extend functionality, or customize the user interface of your Mattermost server. See documentation to learn more.
False: Disables plugins on your Mattermost server.
This feature’s |
Require Plugin Signature
True: Require valid plugin signatures before starting managed or unmanaged plugins. Pre-packaged plugins are not subject to plugin signature verification. Plugins installed through the Plugin Marketplace are always subject to plugin signature verification at the time of download.
False: Don’t require valid plugin signatures before starting managed or unmanaged plugins. Pre-packaged plugins are not subject to plugin signature verification. Plugins installed through the Plugin Marketplace are always subject to plugin signature verification at the time of download.
This feature’s |
Automatic Prepackaged Plugins
True: Any pre-packaged plugins enabled in the configuration will be installed or upgraded automatically. If a newer version is already installed, no changes are made.
False: Pre-packaged plugins aren’t installed or upgraded automatically but may be installed manually from the Plugin Marketplace, even when offline.
This feature’s |
Enable Marketplace
True: Enables Plugin Marketplace on your Mattermost server for all System Admins.
False: Disables Plugin Marketplace on your Mattermost server for all System Admins.
This feature’s |
Enable Remote Marketplace
True: The server will attempt to connect to the configured Plugin Marketplace to show the latest plugins. If the connection fails, the Plugin Marketplace shows only pre-packaged and already installed plugins alongside a connection error.
False: The server won’t attempt to connect to a remote marketplace, and will show only pre-packaged and already installed plugins. Use this setting if your server can’t connect to the internet.
This feature’s |
This setting only takes effect when "EnableMarketplace": true.
Note
For the Remote Marketplace to operate, each host running the Mattermost service requires network access to the marketplace service endpoint (hosted at https://api.integrations.mattermost.com, see Marketplace URL ).
Marketplace URL
If the Marketplace is enabled, this setting specifies which URL should be used to query for new Marketplace plugins.
This feature’s |
Installed Plugin State
Lists installed plugins on your Mattermost server and whether they are enabled. Pre-packaged plugins are installed by default and can be deactivated, but not removed.
This feature’s |
Agenda
Access the following configuration settings in the System Console by going to Plugins > Agenda.
Antivirus
This plugin allows the forwarding of uploaded files to an antivirus scanning application, ClamAV anti-virus software, and prevents the upload from completing if there is a virus detected in the file.
Use this plugin to prevent users from inadvertently spreading malware or viruses via your Mattermost server. See the Mattermost Antivirus Plugin documentation for details.
Access the following configuration settings in the System Console by going to Plugins > Antivirus.
Apps
Enable Plugin
True: Enables the Apps plugin on your Mattermost server.
False: Disables the Apps plugin on your Mattermost server.
To create your own Mattermost App, see the Mattermost Apps developer documentation.
Autolink
This plugin creates regular expression (regexp) patterns that are reformatted into a Markdown link before the message is saved into the database. System Admins can configure this plugin in the config.json file, using the /autolink slash command (when enabled), or through using the System Console. See the Autolink Plugin documentation for details.
Access the following configuration settings in the System Console by going to Plugins > Autolink.
Enable Plugin
True: Enables the Autolink plugin on your Mattermost server.
False: Disables the Autolink plugin on your Mattermost server.
Enable administration with /autolink command
True: Enables the ability to configure the Apps plugin using the /autolink slash command.
False: Disables the ability to use the slash command to configure the plugin.
AWS SNS
This plugin is used to receive alert notifications from Amazon AWS CloudWatch to Mattermost channels via AWS Simple Notification Server (SNS).
Access the following configuration settings in the System Console by going to Plugins > AWS SNS.
Enable Plugin
True: Enables the AWS SNS plugin on your Mattermost server.
False: Disables the AWS SNS plugin on your Mattermost server.
Channel to send notifications to
Specify the channel to send notifications to in the format teamname,channelname. For example, for a channel with a URL of https://example.com/myteam/channels/mychannel, set the value to myteam,mychannel. If the specified channel does not exist, the plugin creates the channel for you.
Calls (beta)
Access the following configuration settings in the System Console by going to Plugins > Calls.
Enable Plugin
True: Enables the calls plugin on your Mattermost workspace.
False: Disables the calls plugin on your Mattermost workspace.
Additional configuration
RTC Server Port: Default setting is 8443.
Enable on specific channels: Allow Channel Admins to enable or disable calls on specific channels. This can be set to true or false.
Enable on all channels: Enable calls by default on all channels. This can be set to true or false.
Max call participants: This is an optional field and default is 0 (unlimited). The recommended setting is 8.
ICE Host Override: This is an optional field.
ICE Servers: This is an optional field. The default is stun:stun.global.calls.mattermost.com:3478. Depending on the setup they may not be necessary (e.g. if running a single instance and providing a ICE Host Override). No media goes through STUN servers, the only sensitive information that passes through is the client’s (and server’s) public IP address.
RTCD Service URL: This is an optional field.
Channel Export
Access the following configuration settings in the System Console by going to Plugins > Channel Export.
Demo Plugin
Access the following configuration settings in the System Console by going to Plugins > Demo Plugin.
Enable Plugin
True: Enables the Demo plugin on your Mattermost workspace.
False: Disables the Demo plugin on your Mattermost workspace.
GIF commands
Access the following configuration settings in the System Console by going to Plugins > GIF commands.
This plugin is used to post GIFs from Gfycat, Giphy, or Tenor using slash commands.
Enable Plugin
True: Enables the GIF commands plugin on your Mattermost server.
False: Disables the GIF commands plugin on your Mattermost server.
Display the GIF as
Display the GIF as an embedded image where the GIF can’t be collapsed, or as a collapsible image preview where the full URL displays.
Note
Link previews must be enabled in order to display GIF link previews. Mattermost deployments restricted to access behind a firewall must open port 443 to both https://api.gfycat.com/v1 and https://gfycat.com/<id> (for all request types) for this feature to work.
GIF Provider
Specify the GIF provider as GIPHY, Tenor, or Gfycat.
Note
Selecting GIPHY or Tenor requires an API Key for this feature to work. An API key is not required for Gfycat.
Giphy/Tenor API Key
Configure your own API Key when specifying the GIF Provider as GIPHY or Tenor. An API key is not required for Gfycat.
To get your own API key, see the GIPHY Developers Quick Start documentation, or the Tenor Developer documentation for details.
Content Rating (GIPHY & Tenor only)
Select an MPAA-style content rating for GIFs from GIPHY or Tenor. Leave this field empty to disable content filtering.
Gfycat display style
Specify the display style for GIFs from Gfycat. See the Gfycat Developer API documentation for details.
GIPHY display style
Specify the display style for GIFs from GIPHY. See the GIPHY Developers Rendition Guide for details.
Tenor display style
Specify the display style for GIFs from Tenor. See the Tenor API documentation for details.
Language
Specify the language used to search GIFs from GIPHY. See the GIPHY Developers Language Support documentation for details.
Mattermost Boards
Mattermost Boards is an open source alternative to Trello, Notion, and Asana that’s integrated from Mattermost v5.36. Boards is a project management tool that helps define, organize, track and manage work across teams, using a familiar kanban board view. See the Mattermost Boards product documentation for details.
Access the following configuration settings in the System Console by going to Plugins > Mattermost Boards.
Mattermost Playbooks
Mattermost Playbooks is an open source, self-hosted collaboration tool for teams. Each playbook represents a recurring outcome or specific goal that your teams collaborate on to achieve, such as service outage recovery or customer onboarding. Teams run a playbook every time they want to orchestrate people, tools, and data to achieve that outcome as quickly as possible while providing visibility to stakeholders. Playbooks also allow teams to incorporate learnings from the retrospective to tweak and improve the playbook with every iteration. See the Mattermost Playbooks documentation for details.
Access the following configuration settings in the System Console by going to Plugins > Playbooks.
User Satisfaction Surveys
This plugin enables Mattermost to send user satisfaction surveys to gather feedback and improve product quality directly from your Mattermost users. Please refer to the Mattermost Privacy Policy for more information on the collection and use of information received through Mattermost services.
Access the following configuration settings in the System Console by going to Plugins > User Satisfaction Surveys.
Enable Plugin
True: Enables the Mattermost Playbooks plugin on your Mattermost workspace.
False: Disables the Mattermost Playbooks plugin on your Mattermost workspace.
Enable User Satisfaction Survey
True: A user satisfaction survey will be sent out to all users on a quarterly basis. The survey results will be used by Mattermost, Inc. to improve the quality and user experience of the product. Please refer to the Mattermost Privacy Policy for more information on the collection and use of information received through Mattermost services.
False: User satisfaction surveys are disabled.
Zoom
This plugin allows team members to initiate a Zoom meeting with a single click. All participants in a channel can easily join the Zoom meeting and the shared link is updated when the meeting is over. See the Zoom Conferencing Plugin product documentation for details.
Note
To set up this plugin, you need to create a Zoom App using a Zoom Administrator account. See the Zoom Configuration documentation for details.
Access the following configuration settings in the System Console by going to Plugins > Zoom.
Enable Plugin
True: Enables the Zoom plugin on your Mattermost server.
False: Disables the Zoom plugin on your Mattermost server.
Zoom URL
Specify the URL for a self-hosted private cloud or on-premise Zoom server. For example, https://yourzoom.com. Leave blank if you’re using Zoom’s vendor-hosted SaaS service.
Zoom API URL
Specify the API URL for a self-hosted private cloud or on-premise Zoom server. For example, https://api.yourzoom.com/v2. Leave blank if you’re using Zoom’s vendor-hosted SaaS service.
Enable OAuth
True: OAuth will be used as the authentication means with Zoom.
False: JWT will be used as the authentication means with Zoom.
Note
If you are currently using a JWT Zoom application and switch to OAuth, all users will need to connect their Zoom account using OAuth the next time they try to start a meeting. See the Zoom Configuration documentation for details.
OAuth by Account Level App (Beta)
True: Only an account administrator has to log in. The rest of the users will use their e-mail to log in.
False: All users must use their e-mail to log in.
Zoom OAuth Client ID
Specify the Client ID for the OAuth app registered with Zoom. Leave blank if not using OAuth.
Zoom OAuth Client Secret
Specify the Client Secret for the OAuth app registered with Zoom. Leave blank if not using OAuth.
Integrations
Settings to configure webhooks, slash commands, and external integration services.
Integration Management
Access the following configuration settings in the System Console by going to Integrations > Integration Management.
Enable Incoming Webhooks
Developers building integrations can create webhook URLs for Public channels and Private channels. Please see our documentation page to learn about creating webhooks, viewing samples, and letting community know about integrations you’ve built.
True: Incoming webhooks are allowed. To manage incoming webhooks, select Integrations from the Mattermost Product menu. The webhook URLs created can be used by external applications to create posts in any Public or Private channels that you have access to.
False: The Integrations > Incoming Webhooks section of the Mattermost Product menu is hidden and all incoming webhooks are disabled.
Important
Security note: By enabling this feature, users may be able to perform phishing attacks by attempting to impersonate other users. To combat these attacks, a BOT tag appears next to all posts from a webhook. Enable at your own risk.
This feature’s |
Enable Outgoing Webhooks
Developers building integrations can create webhook tokens for Public channels. Trigger words are used to fire new message events to external integrations. For security reasons, outgoing webhooks are only available in Public channels. Please see our documentation page to learn about creating webhooks and viewing samples.
True: Outgoing webhooks will be allowed. To manage outgoing webhooks, select Integrations from the Mattermost Product menu.
False: The Integrations > Outgoing Webhooks of the Mattermost Product menu is hidden and all outgoing webhooks are disabled.
Important
Security note: By enabling this feature, users may be able to perform phishing attacks by attempting to impersonate other users. To combat these attacks, a BOT tag appears next to all posts from a webhook. Enable at your own risk.
This feature’s |
Enable Custom Slash Commands
Slash commands send events to external integrations that send a response back to Mattermost.
True: Allow users to create custom slash commands from Main Menu > Integrations > Commands.
False: Slash commands are hidden in the Integrations user interface.
This feature’s |
Enable OAuth 2.0 Service Provider
True: Mattermost acts as an OAuth 2.0 service provider allowing Mattermost to authorize API requests from external applications.
False: Mattermost does not function as an OAuth 2.0 service provider.
This feature’s |
Enable integrations to override usernames
True: Webhooks, slash commands, OAuth 2.0 apps, and other integrations such as Zapier, will be allowed to change the username they are posting as. If no username is present, the username for the post is the same as it would be for a setting of False.
False: Custom slash commands can only post as the username of the user who used the slash command. OAuth 2.0 apps can only post as the username of the user who set up the integration. For incoming webhooks and outgoing webhooks, the username is “webhook”. See https://developers.mattermost.com/integrate/other-integrations/ for more details.
This feature’s |
Enable integrations to override profile picture icons
True: Webhooks, slash commands, and other integrations, such as Zapier, will be allowed to change the profile picture they post with.
False: Webhooks, slash commands, and OAuth 2.0 apps can only post with the profile picture of the account they were set up with. See https://developers.mattermost.com/integrate/other-integrations/ for more details.
This feature’s |
Enable Personal Access Tokens
True: Users can create personal access tokens for integrations in Profile > Security. They can be used to authenticate against the API and give full access to the account.
To manage who can create personal access tokens or to search users by token ID, go to the System Console > Users page.
False: Personal access tokens are disabled on the server.
This feature’s |
Bot Accounts
Access the following configuration settings in the System Console by going to Integrations > Bot Accounts.
Enable Bot Account Creation
True: Users can create bot accounts for integrations in Integrations > Bot Accounts. Bot accounts are similar to user accounts except they cannot be used to log in. See documentation to learn more.
False: Bot accounts cannot be created through the user interface or the RESTful API. Plugins can still create and manage bot accounts.
This feature’s |
Disable bot accounts when owner is deactivated
True: When a user is deactivated, disables all bot accounts managed by the user. To re-enable bot accounts, go to Integrations > Bot Accounts.
False: When a user is deactivated, all bot accounts managed by the user remain active.
This feature’s |
GIF (Beta)
Access the following configuration settings in the System Console by going to Integrations > GIF (Beta).
Enable GIF Picker
True: Allow users to select GIFs from the emoji picker via a Gfycat integration.
False: GIFs cannot be selected in the emoji picker.
This feature’s |
Note
Link previews must be enabled in order to display GIF link previews. Mattermost deployments restricted to access behind a firewall must open port 443 to both https://api.gfycat.com/v1 and https://gfycat.com/<id> (for all request types) for this feature to work.
Gfycat API Key
When blank, uses the default API key provided by Gfycat. Alternatively, a unique API key can be requested at https://developers.gfycat.com/signup/#/. Enter the client ID you receive via email to this field.
This feature’s |
CORS
Access the following configuration settings in the System Console by going to Integrations > CORS.
Enable cross-origin requests from
Enable HTTP cross-origin requests from specific domains separated by spaces. Type * to allow CORS from any domain or leave it blank to disable it.
Note
Please make sure you have entered your Site URL before enabling this setting to prevent losing access to the System Console after saving. If you experience lost access to the System Console after changing this setting, you can set your Site URL through the config.json file.
This feature’s |
CORS Exposed Headers
Whitelist of headers that will be accessible to the requester.
This feature’s |
CORS Allow Credentials
True: Requests that pass validation will include the Access-Control-Allow-Credentials header.
False: Requests won’t include the Access-Control-Allow-Credentials header.
This feature’s |
CORS Debug
True: Prints messages to the logs to help when developing an integration that uses CORS. These messages will include the structured key value pair "source": "cors".
False: Debug messages not printed to the logs.
This feature’s |
Compliance
Data Retention Policies
Changes to properties in this section require a server restart before taking effect.
Warning
Once a message or a file is deleted, the action is irreversible. Please be careful when setting up a custom data retention policy.
Access the following configuration settings in the System Console by going to Compliance > Data Retention Policies.
Global Retention Policy for Messages
Available in legacy Enterprise Edition E20
Set how long Mattermost keeps messages across all teams and channels. Doesn’t apply to custom retention policies. Requires the global retention policy for messages configuration setting to be set to true.
By default, messages are kept forever. If Days or Years is chosen, set how many days or years messages are kept in Mattermost. Messages older than the duration you set will be deleted nightly. The minimum time is one day.
This feature’s |
Global Retention Policy for Files
Available in legacy Enterprise Edition E20
Set how long Mattermost keeps files across all teams and channels. Doesn’t apply to custom retention policies. Requires the global retention policy for files configuration setting to be set to true.
By default, messages are kept forever. If Days or Years is chosen, set how many days or years files are kept in Mattermost. Files older than the duration you set will be deleted nightly. The minimum time is one day.
This feature’s |
Custom retention policy
Available in legacy Enterprise Edition E20
Set how long Mattermost keeps messages and files across specific teams and channels by specifying a name for the custom retention policy, setting a duration value, specifying the teams and channels that will follow this policy.
Data Deletion Time
Available in legacy Enterprise Edition E20
Set the start time of the daily scheduled data retention job. Choose a time when fewer people are using your system. Must be a 24-hour time stamp in the form HH:MM.
This setting is based on the local time of the server.
This feature’s |
Compliance Export
Access the following configuration settings in the System Console by going to Compliance > Compliance Export.
Enable Compliance Export
Available as an add-on to legacy Enterprise Edition E20
True: Mattermost will generate a compliance export file that contains all messages that were posted in the last 24 hours. The export task is scheduled to run once per day. See the documentation to learn more.
False: Mattermost doesn’t generate a compliance export file.
This feature’s |
Compliance Export Time
Available as an add-on to legacy Enterprise Edition E20
Set the start time of the daily scheduled compliance export job. Choose a time when fewer people are using your system. Must be a 24-hour time stamp in the form HH:MM.
This setting is based on the local time of the server.
This feature’s |
Export File Format
Available as an add-on to legacy Enterprise Edition E20
File format of the compliance export. Corresponds to the system that you want to import the data into.
Currently supported formats are CSV, Actiance XML, and Global Relay EML.
If Global Relay is chosen, the following options will be presented:
Global Relay Customer Account
Available as an add-on to legacy Enterprise Edition E20
Type of Global Relay customer account your organization has, either A9/Type 9 or A10/Type 10.
This feature’s |
Global Relay SMTP Username
Available as an add-on to legacy Enterprise Edition E20
The username for authenticating to the Global Relay SMTP server.
This feature’s |
Global Relay SMTP Password
Available as an add-on to legacy Enterprise Edition E20
The password associated with the Global Relay SMTP username.
This feature’s |
Compliance Monitoring
Settings used to enable and configure Mattermost compliance reports.
Access the following configuration settings in the System Console by going to Compliance > Compliance Monitoring.
Enable Compliance Reporting
Available as an add-on to legacy Enterprise Edition E20
True: Compliance reporting is enabled in Mattermost.
False: Compliance reporting is disabled.
This feature’s |
Compliance Report Directory
Available as an add-on to legacy Enterprise Edition E20
Sets the directory where compliance reports are written.
This feature’s |
Enable Daily Report
Available as an add-on to legacy Enterprise Edition E20
True: Mattermost generates a daily compliance report.
False: Daily reports are not generated.
This feature’s |
Batch Size
Available as an add-on to legacy Enterprise Edition E20
Set the size of the batches in which posts will be read from the database to generate the compliance report. This setting is currently not available in the System Console and can only be set in config.json.
This feature’s |
Custom Terms of Service
Access the following configuration settings in the System Console by going to Compliance > Custom Terms of Service.
Enable Custom Terms of Service
Available as an add-on to legacy Enterprise Edition E20
Note
This configuration setting can only be modified using the System Console user interface.
True: New users must accept the Terms of Service before accessing any Mattermost teams on desktop, web, or mobile. Existing users must accept them after login or a page refresh. To update the Terms of Service link displayed in account creation and login pages, go to System Console > Legal and Support > Terms of Service Link.
False: During account creation or login, users can review Terms of Service by accessing the link configured via System Console > Legal and Support > Terms of Service link.
Experimental
There are a number of settings considered “experimental” that are configurable from the System Console. These may be replaced or removed in a future release.
AD/LDAP Settings
Access the following configuration settings in the System Console by going to Experimental > Features.
AD/LDAP Login Button Color
Specify the color of the AD/LDAP login button for white labeling purposes. Use a hex code with a #-sign before the code. This setting only applies to the mobile apps.
This feature’s |
AD/LDAP Login Button Border Color
Specify the color of the AD/LDAP login button border for white labeling purposes. Use a hex code with a #-sign before the code. This setting only applies to the mobile apps.
This feature’s |
AD/LDAP Login Button Text Color
Specify the color of the AD/LDAP login button text for white labeling purposes. Use a hex code with a #-sign before the code. This setting only applies to the mobile apps.
This feature’s |
Allow Authentication Transfer
Available in legacy Enterprise Edition E10 and E20
True: Users can change their login method to any that is enabled on the server, either via Profile > Security or the APIs.
False: Users cannot change their login method, regardless of which authentication options are enabled.
This feature’s |
Link Metadata Timeout
Adds a configurable timeout for requests made to return link metadata. If the metadata is not returned before this timeout expires, the message will post without requiring metadata. This timeout covers the failure cases of broken URLs and bad content types on slow network connections.
This feature’s |
Bleve Settings
Access the following configuration settings in the System Console by going to Experimental > Bleve.
Enable Bleve Indexing
True: The indexing of new posts occurs automatically. Search queries will not use bleve search until Enable Bleve for search queries is enabled.
False: The indexing of new posts does not occur automatically.
This feature’s |
Index Directory
Directory path to use for storing bleve indexes.
Tip
The bleve index directory path isn’t required to exist within the mattermost directory. When it exists outside of the mattermost directory, no additional steps are needed to preserve or reindex these files as part of a Mattermost upgrade. See our Upgrading Mattermost Server documentation for details.
This feature’s |
Bulk Index Now
Select Index Now to index all users, channels, and posts in the database from oldest to newest. Bleve is available during indexing, but search results may be incomplete until the indexing job is complete.
You can configure the maximum time window used for a batch of posts being indexed. See the Bulk Indexing Time Window Seconds documentation for details.
Purge Indexes
Select Purge Index to remove the contents of the Bleve index directory. Search results may be incomplete until a bulk index of the existing database is rebuilt.
Email Settings
Email Batching Buffer Size
Specify the maximum number of notifications batched into a single email.
This feature’s |
Email Batching Interval
Specify the maximum frequency, in seconds, which the batching job checks for new notifications. Longer batching intervals will increase performance.
This feature’s |
Email Login Button Color
Specify the color of the email login button for white labeling purposes. Use a hex code with a #-sign before the code. This setting only applies to the mobile apps.
This feature’s |
Email Login Button Border Color
Specify the color of the email login button border for white labeling purposes. Use a hex code with a #-sign before the code. This setting only applies to the mobile apps.
This feature’s |
Email Login Button Text Color
Specify the color of the email login button text for white labeling purposes. Use a hex code with a #-sign before the code. This setting only applies to the mobile apps.
This feature’s |
Enable Account Deactivation
True: Ability for users to deactivate their own account from Settings > Advanced. If a user deactivates their own account, they will get an email notification confirming they were deactivated.
False: Ability for users to deactivate their own account is disabled.
This feature’s |
Enable Automatic Replies
True: Users can enable Automatic Replies in Settings > Notifications. Users set a custom message that will be automatically sent in response to Direct Messages.
False: Disables the Automatic Direct Message Replies feature and hides it from Settings.
This feature’s |
Enable Channel Viewed WebSocket Messages
This setting determines whether channel_viewed WebSocket events are sent, which synchronize unread notifications across clients and devices. Disabling the setting in larger deployments may improve server performance.
This feature’s |
Enable Client-Side Certification
Available in legacy Enterprise Edition E20
True: Enables client-side certification for your Mattermost server. See the documentation to learn more.
False: Client-side certification is disabled.
This feature’s |
Client-Side Certification Login Method
Available in legacy Enterprise Edition E20
Used in combination with the ClientSideCertEnable configuration setting.
Primary: After the client side certificate is verified, user’s email is retrieved from the certificate and is used to log in without a password.
Secondary: After the client side certificate is verified, user’s email is retrieved from the certificate and matched against the one supplied by the user. If they match, the user logs in with regular email/password credentials.
This feature’s |
Enable Default Channel Leave/Join System Messages
This setting determines whether team leave/join system messages are posted in the default town-square channel.
True: Enables leave/join system messages in the default town-square channel.
False: Disables leave/join messages from the default town-square channel. These system messages won’t be added to the database either.
This feature’s |
Enable Hardened Mode (Experimental)
True: Enables a hardened mode for Mattermost that makes user experience trade-offs in the interest of security.
False: Disables hardened mode.
Changes made when hardened mode is enabled:
Failed login returns a generic error message instead of a specific message for username and password.
If multi-factor authentication (MFA) is enabled, the route to check if a user has MFA enabled always returns true. This causes the MFA input screen to appear even if the user does not have MFA enabled. The user may enter any value to pass the screen. Note that hardened mode does not affect user experience when MFA is enforced.
Password reset does not inform the user that they can not reset their SSO account through Mattermost and instead claims to have sent the password reset email.
Mattermost sanitizes all 500 errors before returned to the client. Use the supplied
request_idto match user facing errors with the server logs.
This feature’s |
Enable AD/LDAP Group Sync
Available in legacy Enterprise Edition E20
True: Enables AD/LDAP Group Sync configurable under User Management > Groups.
False: Disables AD/LDAP Group Sync and removes User Management > Groups from the System Console.
For more information on AD/LDAP Group Sync, please see the AD/LDAP Group Sync documentation.
This feature’s |
Enable Preview Features
True: Preview features can be enabled from Settings > Advanced > Preview Pre-release features.
False: Disables and hides preview features from Settings > Advanced > Preview Pre-release features.
This feature’s |
Enable Theme Selection
Available in legacy Enterprise Edition E10 and E20
True: Enables the Display > Theme tab in Settings so users can select their theme.
False: Users cannot select a different theme. The Display > Theme tab is hidden in Settings.
This feature’s |
Allow Custom Themes
Available in legacy Enterprise Edition E10 and E20
True: Enables the Display > Theme > Custom Theme section in Settings.
False: Users cannot use a custom theme. The Display > Theme > Custom Theme section is hidden in Settings.
This feature’s |
Default Theme
Available in legacy Enterprise Edition E10 and E20
Set a default theme that applies to all new users on the system.
This feature’s |
Enable Tutorial (Experimental)
True: Users are prompted with a tutorial when they open Mattermost for the first time after account creation.
False: The tutorial is disabled. Users are placed in Town Square when they open Mattermost for the first time after account creation.
This feature’s |
Enable Onboarding
True: New Mattermost users are shown key tasks to complete as part of initial onboarding.
False: User onboarding tasks are disabled. Users are placed in Town Square when they open Mattermost for the first time after account creation.
This feature’s |
Enable User Typing Messages
This setting determines whether “user is typing…” messages are displayed below the message box. Disabling the setting in larger deployments may improve server performance.
This feature’s |
Time Between User Typing Updates (User Typing Timeout)
This setting defines how frequently “user is typing…” messages are updated, measured in milliseconds.
This feature’s |
Primary Team (Experimental)
The primary team of which users on the server are members. When a primary team is set, the options to join other teams or leave the primary team are disabled.
If the team URL of the primary team is https://example.mattermost.com/myteam/, then set the value to myteam in config.json.
This feature’s |
SAML Settings
SAML Login Button Color
Available in legacy Enterprise Edition E20
Specify the color of the SAML login button for white labeling purposes. Use a hex code with a #-sign before the code. This setting only applies to the mobile apps.
This feature’s |
SAML Login Button Border Color
Available in legacy Enterprise Edition E20
Specify the color of the SAML login button border for white labeling purposes. Use a hex code with a #-sign before the code. This setting only applies to the mobile apps.
This feature’s |
SAML Login Button Text Color
Available in legacy Enterprise Edition E20
Specify the color of the SAML login button text for white labeling purposes. Use a hex code with a #-sign before the code. This setting only applies to the mobile apps.
This feature’s |
Use Channel Name in Email Notifications (Experimental)
True: Channel and team name appears in email notification subject lines. Useful for servers using only one team.
False: Only team name appears in email notification subject line.
This feature’s |
User Status Away Timeout
This setting defines the number of seconds after which the user’s status indicator changes to “Away”, when they are away from Mattermost.
This feature’s |
Enable Shared Channels
Available in legacy Enterprise Edition E20
Shared channels enables the ability to establish secure connections between Mattermost instances, and invite secured connections to shared channels where secure connections can participate as they would in any public and private channel. Enabling shared channels functionality requires a server restart.
This feature’s two |
Note
Both configuration settings must be enabled in order to share channels with secure connections. Only the Enable Shared Channels configuration option is available through the System Console.
System Admins for Cloud deployments can submit a request to have the
EnableRemoteClusterServiceconfiguration setting enabled in their Cloud instance.
Enable Apps Bar
This setting enables the Apps Bar and moves all Mattermost integration icons from the channel header to a vertical pane on the far right side of the screen.
Note
Integrations currently registered to the channel header will move to the Apps Bar automatically; however, we strongly encourage Mattermost integrators to update their integrations to provide the best user experience. See the channel header plugin changes user forum discussion for details on how to register integrations with the Apps Bar.
True: All integration icons in the channel header move to the Apps Bar with the exception of the calls beta feature.
False: All integration icons in the channel header display in the channel header.
This feature’s |
Settings configurable only in config.json
There are a number of settings customizable in config.json which are unavailable in the System Console and require updating from the file itself.
Data Retention Policies
Enable Global Retention Policy for Messages
Available in legacy Enterprise Edition E20
True: Messages can be deleted as part of a scheduled data retention job. Doesn’t apply to custom retention policies.
False: Messages can’t be deleted as part of a scheduled data retention job.
This feature’s |
Enable Global Retention Policy for Files
Available in legacy Enterprise Edition E20
True: Files can be deleted as part of a scheduled data retention job. Doesn’t apply to custom retention policies.
False: Files can’t be deleted as part of a scheduled data retention job.
This feature’s |
Email Settings
Disable Inactive Server Email Notifications
This setting isn’t available in the System Console and can only be set in config.json.
This configuration setting disables the ability to send inactivity email notifications to Mattermost System Admins.
This feature’s |
Service Settings
Custom User Groups
This setting isn’t available in the System Console and can only be set in config.json.
This configuration setting controls the ability for users to create custom user groups. This configuration setting is disabled by default.
This feature’s |
Developer Flags
This setting isn’t available in the System Console and can only be set in config.json.
This configuration setting specifies a list of strings where each string is a flag used to set the content security policy (CSP) for the Mattermost Web App. Each flag must be in the format flag=true (e.g. unsafe-eval=true,unsafe-inline=true). Not recommended for production environments.
The following values are currently supported:
unsafe-eval: Adds theunsafe-evalCSP directive to the root webapp, allowing increased debugging in developer environments.unsafe-inline: Adds theunsafe-inlineCSP directive to the root webapp, allowing increased debugging in developer environments.
This configuration setting is disabled by default and requires Developer Mode to be enabled.
This feature’s |
WebSocket URL
This setting isn’t available in the System Console and can only be set in config.json.
This setting allows the server to instruct clients where they should try to connect WebSockets to.
This feature’s |
License File Location
This setting isn’t available in the System Console and can only be set in config.json.
Path and filename of the license file on disk. On startup, if Mattermost cannot find a valid license in the database from a previous upload, it looks here. It can be an absolute path or a path relative to the mattermost directory.
This feature’s |
TLS Minimum Version
This setting isn’t available in the System Console and can only be set in config.json.
The minimum TLS version used by the Mattermost server. TLS v1.2 is default given insecurities for TLS 1.0 and 1.1.
Note
This setting only takes effect if you are using the built-in server binary directly, and not using a reverse proxy layer such as NGINX.
This feature’s |
Trusted Proxy IP Header
This setting isn’t available in the System Console and can only be set in config.json.
Specified headers that will be checked one by one for IP addresses (order is important). All other headers are ignored.
Starting with v5.12, new configs will have this set by default to [], meaning that no header will be trusted. Configs created prior to v5.12 without this config entry will have it set to ["X-Forwarded-For", "X-Real-Ip"] on upgrade in order to maintain backwards compatibility.
We recommend keeping the default setting when Mattermost is running without a proxy, to avoid the client sending the headers and bypassing rate limiting and/or the audit log. For environments that use a reverse proxy this problem does not exist, provided that the headers are set by the reverse proxy. In those environments, only explicitly whitelist the header that is set by the reverse proxy and no additional values.
This feature’s |
Enable Strict Transport Security (HSTS)
This setting isn’t available in the System Console and can only be set in config.json.
True: Adds the Strict Transport Security (HSTS) header to all responses, forcing the browser to request all resources via HTTPS. Learn more here.
False: No restrictions on TLS transport. Strict Transport Security (HSTS) header is not added to responses.
This feature’s |
Secure TLS Transport Expiry
This setting isn’t available in the System Console and can only be set in config.json.
The time in seconds that the browser remembers a site is only to be accessed using HTTPS. After this period, a site can be accessed using HTTP unless TLSStrictTransport is set to true. Defaults to two years. Learn more here.
This feature’s |
TLS Cipher Overwrites
This setting isn’t available in the System Console and can only be set in config.json.
Set TLS ciphers overwrites to meet requirements from legacy clients which don’t support modern ciphers, or to limit the types of accepted ciphers.
If none specified, the Mattermost server assumes a set of currently considered secure ciphers, and allows overwrites in the edge case. See the ServerTLSSupportedCiphers variable in /model/config.go for the list of ciphers considered secure.
Note
This setting only takes effect if you are using the built-in server binary directly, and not using a reverse proxy layer such as NGINX.
This feature’s |
Go Routine Health Threshold
This setting isn’t available in the System Console and can only be set in config.json.
Set a threshold on the number of goroutines when the Mattermost system is considered to be in a healthy state. When goroutines exceed this limit, a warning is returned in the server logs.
To turn off checking for the threshold, set this value to -1.
This feature’s |
Allow Cookies for Subdomains
This setting isn’t available in the System Console and can only be set in config.json.
True: Allows cookies for subdomains by setting the domain parameter on Mattermost cookies.
False: Cookies not allowed for subdomains.
This feature’s |
Cluster Log Timeout
This setting isn’t available in the System Console and can only be set in config.json.
This setting defines the frequency of cluster request time logging for Performance monitoring, measured in milliseconds.
This feature’s |
Read Only Config
This setting isn’t available in the System Console and can only be set in config.json.
True: Changes made to settings in the System Console are ignored.
False: Changes made to settings in the System Console are written to config.json.
This feature’s |
Enable Post Search
This setting isn’t available in the System Console and can only be set in config.json.
If this setting is enabled, users can search messages. Disabling search can result in a performance increase, but users get an error message when they attempt to use the search box.
This feature’s |
Enable File Search
This setting isn’t available in the System Console and can only be set in config.json.
This configuration setting enables users to search documents attached to messages by filename. To enable users to search documents by their content, you must also enable the ExtractContent configuration setting. See our Enable Document Search by Content documentation for details. Document content search is available in Mattermost Server from v5.35, with mobile support coming soon.
True: Supported document types are searchable by their filename.
False: File-based searches are disabled.
This feature’s |
Enable User Status Updates
This setting isn’t available in the System Console and can only be set in config.json.
Turn status updates off to improve performance. When status updates are off, users appear online only for brief periods when posting a message, and only to members of the channel in which the message is posted.
This feature’s |
WebSocket Secure Port
This setting isn’t available in the System Console and can only be set in config.json. Changes to this setting require a server restart before taking effect.
(Optional) This setting defines the port on which the secured WebSocket will listen using the wss protocol. Defaults to 443. When the client attempts to make a WebSocket connection it first checks to see if the page is loaded with HTTPS. If so, it will use the secure WebSocket connection. If not, it will use the unsecure WebSocket connection. IT IS HIGHLY RECOMMENDED PRODUCTION DEPLOYMENTS ONLY OPERATE UNDER HTTPS AND WSS.
This feature’s |
WebSocket Port
This setting isn’t available in the System Console and can only be set in config.json. Changes to this setting require a server restart before taking effect.
(Optional) This setting defines the port on which the unsecured WebSocket will listen using the ws protocol. Defaults to 80. When the client attempts to make a WebSocket connection it first checks to see if the page is loaded with HTTPS. If so, it will use the secure WebSocket connection. If not, it will use the unsecure WebSocket connection. IT IS HIGHLY RECOMMENDED PRODUCTION DEPLOYMENTS ONLY OPERATE UNDER HTTPS AND WSS.
This feature’s |
Enable API Team Deletion
This setting isn’t available in the System Console and can only be set in config.json.
True: The api/v4/teams/{teamid}?permanent=true API endpoint can be called by Team and System Admins to permanently delete a team.
False: The API endpoint cannot be called. Note that api/v4/teams/{teamid} can still be used to soft delete a team.
This feature’s |
Enable API User Deletion
This setting isn’t available in the System Console and can only be set in config.json.
True: The api/v4/users/{userid}?permanent=true API endpoint can be called by System Admins, or users with appropriate permissions, to permanently delete a user.
False: The API endpoint cannot be called. Note that api/v4/users/{userid} can still be used to soft delete a user.
This feature’s |
Enable API Channel Deletion
This setting isn’t available in the System Console and can only be set in config.json.
True: The api/v4/channels/{channelid}?permanent=true API endpoint can be called by System Admins, or users with appropriate permissions, to permanently delete a channel.
False: The API endpoint cannot be called. Note that api/v4/channels/{channelid} can still be used to soft delete a channel.
This feature’s |
Enable OpenTracing
This setting isn’t available in the System Console and can only be set in config.json.
True: A Jaeger client is instantiated and is used to trace each HTTP request as it goes through App and Store layers. Context is added to App and Store and is passed down the layer chain to create OpenTracing ‘spans’.
By default, in order to avoid leaking sensitive information, no method parameters are reported to OpenTracing. Only the name of the method is reported.
False: OpenTracing is not enabled.
This feature’s |
Import Settings Default Directory
This setting isn’t available in the System Console and can only be set in config.json.
The directory where the imported files are stored. The path is relative to the FileSettings directory. By default, imports are stored under ./data/import.
This feature’s |
Import Settings Default Retention Days
This setting isn’t available in the System Console and can only be set in config.json.
The number of days to retain the imported files before deleting them.
This feature’s |
Export Settings Default Directory
This setting isn’t available in the System Console and can only be set in config.json.
The directory where the exported files are stored. The path is relative to the FileSettings directory. By default, exports are stored under ./data/export.
This feature’s |
Export Settings Default Retention Days
This setting isn’t available in the System Console and can only be set in config.json.
The number of days to retain the exported files before deleting them.
This feature’s |
Enable Local Mode
This setting isn’t available in the System Console and can only be set in config.json.
True: Enables local mode for mmctl.
False: Prevents local mode for mmctl.
This feature’s |
Enable Local Mode Socket Location
This setting isn’t available in the System Console and can only be set in config.json.
The path for the socket that the server will create for mmctl to connect and communicate through local mode. If the default value for this key is changed, you will need to point mmctl to the new socket path when in local mode, using the --local-socket-path /new/path/to/socket flag in addition to the --local flag.
If nothing is specified, the default path that both the server and mmctl assumes is /var/tmp/mattermost_local.socket.
This feature’s |
Scoping IDP Provider Id
Available in legacy Enterprise Edition E20
This setting isn’t available in the System Console and can only be set in config.json.
Allows an authenticated user to skip the initial login page of their federated Azure AD server, and only require a password to log in.
This feature’s |
Scoping IDP Name
Available in legacy Enterprise Edition E20
This setting isn’t available in the System Console and can only be set in config.json.
Adds the name associated with a user’s Scoping Identity Provider ID.
This feature’s |
Global Relay SMTP Server Timeout
Available as an add-on to legacy Enterprise Edition E20
This setting isn’t available in the System Console and can only be set in config.json.
The number of seconds that can elapse before the connection attempt to the SMTP server is abandoned. The default value is 1800 seconds. This setting is currently not available in the System Console and can only be set in config.json.
This feature’s |
Batch Size
Available in legacy Enterprise Edition E20
This setting isn’t available in the System Console and can only be set in config.json.
Determines how many new posts are batched together to a compliance export file.
This feature’s |
App Custom URL Schemes
This setting isn’t available in the System Console and can only be set in config.json.
Define valid custom URL schemes for redirect links provided by custom-built mobile Mattermost apps. This ensures users are redirected to the custom-built mobile app and not Mattermost’s mobile client.
When configured, after OAuth or SAML user authentication is complete, custom URL schemes sent by mobile clients are validated to ensure they don’t include default schemes such as http or https. Mobile users are then redirected back to the mobile app using the custom scheme URL provided by the mobile client. We recommend that you update your mobile client values as well with valid custom URL schemes.
This feature’s |
Colorize plain text console logs
This setting isn’t available in the System Console and can only be set in config.json.
True: When logged events are output to the console as plain text, colorize log levels details.
False: Plain text log details aren’t colorized in the console.
This feature’s |
Database Settings
At Rest Encrypt Key
This setting isn’t available in the System Console and can only be set in config.json. It’s a legacy setting used to encrypt data stored at rest in the database, and no fields are encrypted using AtRestEncryptKey.
A 32-character key for encrypting and decrypting sensitive fields in the database. When using High Availability, this value must be identical in each instance of Mattermost.
This feature’s |
Clean Up Old Database Jobs
This setting isn’t available in the System Console and can only be set in config.json.
Defines the threshold in hours beyond which older completed database jobs are removed. This setting applies to both MySQL and PostgreSQL databases, is disabled by default, and must be set to a value greater than or equal to 0 to be enabled.
This feature’s |
Clean Up Outdated Database Entries
This setting only applies to configuration in the database. It isn’t available in the System Console and can be set via mmctl or changed in the database.
Defines the threshold in days beyond which outdated configurations are removed from the database. This setting applies to both MySQL and PostgreSQL databases.
This feature’s |
SQL Settings
Read Replicas
Available in legacy Enterprise Edition E10 and E20
This setting isn’t available in the System Console and can only be set in config.json. Changes to this setting require a server restart before taking effect.
Specifies the connection strings for the read replica databases. Each string must be in the same form as used for the Data Source setting.
This feature’s |
Search Replicas
Available in legacy Enterprise Edition E10 and E20
This setting isn’t available in the System Console and can only be set in config.json. Changes to this setting require a server restart before taking effect.
Specifies the connection strings for the search replica databases. A search replica is similar to a read replica, but is used only for handling search queries. Each string must be in the same form as used for the Data Source setting.
This feature’s |
Replica Lag Settings
Available in legacy Enterprise Edition E20
This setting isn’t available in the System Console and can only be set in config.json.
Specifies a connection string and user-defined SQL queries on the database to measure replica lag for a single replica instance. These settings monitor absolute lag based on binlog distance/transaction queue length, and the time taken for the replica to catch up.
This feature’s |
String array input consists of:
DataSource: The DB credentials to connect to the replica instance.QueryAbsoluteLag: A plain SQL query that must return a single row. The first column must be the node value of the Prometheus metric, and the second column must be the value of the lag used to measure absolute lag.QueryTimeLag: A plain SQL query that must return a single row. The first column must be the node value of the Prometheus metric, and the second column must be the value of the lag used to measure the time lag.
Examples:
For AWS Aurora instances, QueryAbsoluteLag can be:
select server_id, highest_lsn_rcvd-durable_lsn as bindiff from aurora_global_db_instance_status() where server_id=<>
And for AWS Aurora instances, QueryTimeLag can be:
select server_id, visibility_lag_in_msec from aurora_global_db_instance_status() where server_id=<>
For MySQL Group Replication, the absolute lag can be measured from the number of pending transactions in the applier queue:
select member_id, count_transactions_remote_in_applier_queue FROM performance_schema.replication_group_member_stats where member_id=<>
File Settings
Initial Font
This setting isn’t available in the System Console and can only be set in config.json.
Font used in auto-generated profile pics with colored backgrounds.
This feature’s |
Amazon S3 Signature V2
This setting isn’t available in the System Console and can only be set in config.json.
By default, Mattermost uses Signature V4 to sign API calls to AWS, but under some circumstances, V2 is required. For more information about when to use V2, see https://docs.aws.amazon.com/general/latest/gr/signature-version-2.html.
True: Use Signature Version 2 Signing Process.
False: Use Signature Version 4 Signing Process.
This feature’s |
GitLab Settings
Scope
Not available in Cloud Starter
This setting isn’t available in the System Console and can only be set in config.json.
Standard setting for OAuth to determine the scope of information shared with OAuth client. Not currently supported by GitLab OAuth.
This feature’s |
Google Settings
Scope
Available in legacy Enterprise Edition E20
This setting isn’t available in the System Console and can only be set in config.json.
Standard setting for OAuth to determine the scope of information shared with OAuth client. Recommended setting is profile email.
This feature’s |
Office 365 Settings
Scope
Available in legacy Enterprise Edition E20
This setting isn’t available in the System Console and can only be set in config.json.
Standard setting for OAuth to determine the scope of information shared with OAuth client. Recommended setting is User.Read.
This feature’s |
Cluster Settings
Maximum Idle Connections
This setting isn’t available in the System Console and can only be set in config.json.
The maximum number of idle connections held open from one server to all others in the cluster.
This feature’s |
Maximum Idle Connections per Host
This setting isn’t available in the System Console and can only be set in config.json.
The maximum number of idle connections held open from one server to another server in the cluster.
This feature’s |
Idle Connection Timeout (in Milliseconds)
This setting isn’t available in the System Console and can only be set in config.json.
The number of milliseconds to leave an idle connection open between servers in the cluster.
This feature’s |
Network Interface
This setting isn’t available in the System Console and can only be set in config.json.
An IP address used to identify the device that does automatic IP detection in High Availability clusters.
This feature’s |
Bind Address
This setting isn’t available in the System Console and can only be set in config.json.
An IP address used to bind cluster traffic to a specific network device. This setting is used primarily for servers with multiple network devices or different Bind Address and Advertise Address like in deployments that involve NAT (Network Address Translation).
This feature’s |
Advertise Address
This setting isn’t available in the System Console and can only be set in config.json.
The IP address used to access the server from other nodes. This settings is used primary when cluster nodes are not in the same network and involve NAT (Network Address Translation).
This feature’s |
Metrics Settings
Block Profile Rate
This setting isn’t available in the System Console and can only be set in config.json. Changes to this setting require a server restart before taking effect.
Value that controls the fraction of goroutine blocking events reported in the blocking profile.
The profiler aims to sample an average of one blocking event per rate nanoseconds spent blocked.
To include every blocking event in the profile, set the rate to 1. To turn off profiling entirely, set the rate to 0.
This feature’s |
Plugin Settings
Signature Public Key Files
This setting isn’t available in the System Console and can only be set in config.json.
In addition to the Mattermost plugin signing key built into the server, each public key specified here is trusted to validate plugin signatures.
This feature’s |
Chimera OAuth Proxy URL
This setting isn’t available in the System Console and can only be set in config.json.
Specify the Chimera URL used by Mattermost plugins to connect with pre-created OAuth applications.
This feature’s |
Welcome Bot
The settings for the WelcomeBot plugin aren’t available in the System Console, and can only be set in config.json.
Learn more in our documentation.
Experimental Settings only in config.json
Audit settings
The audit settings output audit records to syslog (local or remote server via TLS) and/or to a local file. Both are disabled by default. They can be enabled simultaneously.
Remote Clusters
Available in legacy Enterprise Edition E20
This setting isn’t available in the System Console and can only be set in config.json.
Enable this setting to add, remove, and view remote clusters for shared channels.
True: System Admins can manage remote clusters using the System Console.
False: Remote cluster management is disabled.
This feature’s |
Syslog configuration options
This setting isn’t available in the System Console and can only be set in config.json.
Enable this setting to write audit records to a local or remote syslog, specifying the IP, port, user-generated fields, and certificate settings.
True: Syslog output is enabled.
False: Syslog output is disabled.
This feature’s |
Syslog IP
This setting isn’t available in the System Console and can only be set in config.json.
The IP address or domain of the syslog server. Use localhost for local syslog.
This feature’s |
Syslog port
This setting isn’t available in the System Console and can only be set in config.json.
The port that the syslog server is listening on. The default port is 6514.
This feature’s |
Syslog tag
all-plans|
This setting isn’t available in the System Console and can only be set in config.json.
The syslog metadata tag field.
This feature’s |
Syslog cert
This setting isn’t available in the System Console and can only be set in config.json.
This is the path to the syslog server certificate for TLS connections (.crt or .pem).
This feature’s |
Syslog insecure
This setting isn’t available in the System Console and can only be set in config.json.
This setting controls whether a client verifies the server’s certificate chain and host name. If true, TLS accepts any certificate presented by the server and any host name in that certificate. In this mode, TLS is susceptible to man-in-the-middle attacks.
Note
This should be used only for testing and not in a production environment.
This feature’s |
Syslog max queue size
This setting isn’t available in the System Console and can only be set in config.json.
This setting determines how many audit records can be queued/buffered at any point in time when writing to syslog. The default is 1000 records. This setting can be left as default unless you are seeing audit write failures in the server log and need to adjust the number accordingly.
This feature’s |
File configuration options
This setting isn’t available in the System Console and can only be set in config.json.
Enable this setting to write audit files locally, specifying size, backup interval, compression, maximum age to manage file rotation, and timestamps.
True: File output is enabled.
False: File output is disabled.
This feature’s |
File name
This setting isn’t available in the System Console and can only be set in config.json.
This is the path to the output file location.
This feature’s |
File max size MB
This setting isn’t available in the System Console and can only be set in config.json.
This is the maximum size (measured in megabytes) that the file can grow before triggering rotation. The default setting is 100.
This feature’s |
File max age days
This setting isn’t available in the System Console and can only be set in config.json.
This is the maximum age in days a file can reach before triggering rotation. The default value is 0, indicating no limit on the age.
This feature’s |
File max backups
This setting isn’t available in the System Console and can only be set in config.json.
This is the maximum number of rotated files kept; the oldest is deleted first. The default value is 0, indicating no limit on the number of backups.
This feature’s |
File compress
This setting isn’t available in the System Console and can only be set in config.json.
When true, rotated files are compressed using gzip.
This feature’s |
File max queue size
This setting isn’t available in the System Console and can only be set in config.json.
This setting determines how many audit records can be queued/buffered at any point in time when writing to a file. The default is 1000 records. This setting can be left as default unless you are seeing audit write failures in the server log and need to adjust the number accordingly.
This feature’s |
Advanced Audit Logging Configuration
Output logs to multiple targets
Available in legacy Enterprise Edition E20
This setting isn’t available in the System Console and can only be set in config.json.
Send log records to multiple targets:
Multiple local file targets
Multiple syslogs
Multiple TCP sockets
Allow any combination of local file, syslog, and TCP socket targets.
File target supports rotation and compression triggered by size and/or duration. Syslog target supports local and remote syslog servers, with or without TLS transport. TCP socket target can be configured with an IP address or domain name, port, and optional TLS certificate.
This feature’s |
Options are outlined in this text file: Log Settings Options. Sample config: Advanced Logging Options Sample.json.zip.
Service Settings
Group Unread Channels (Experimental)
This setting isn’t available in the System Console and can only be set in config.json.
This setting applies to the new sidebar only. You must disable the Enable Legacy Sidebar configuration setting to see and enable this functionality in the System Console.
Default Off: Disables the unread channels sidebar section for all users by default. Users can enable it in Settings > Sidebar > Group unread channels separately.
Default On: Enables the unread channels sidebar section for all users by default. Users can disable it in Settings > Sidebar > Group unread channels separately.
This feature’s |
Strict CSRF Token Enforcement (Experimental)
This setting isn’t available in the System Console and can only be set in config.json.
True: Enables CSRF protection tokens for additional hardening compared to the currently used custom header. When the user logs in, an additional cookie is created with the CSRF token contained.
False: Disables CSRF protection tokens.
This feature’s |
Restrict System Admin
This setting isn’t available in the System Console and can only be set in config.json.
True: Restricts the System Admin from viewing and modifying a subset of server configuration settings from the System Console. Not recommended for use in on-prem installations. This is intended to support Mattermost Private Cloud in giving the System Admin role to users but restricting certain actions only for Cloud Admins.
False: No restrictions are applied to the System Admin role.
This feature’s |
Team Settings
Teammate Name Display
Available in legacy Enterprise Edition E20
This setting isn’t available in the System Console and can only be set in config.json.
Control Teammate Name Display at the system level.
True: Allows System Admins to control Teammate Name Display at the system level.
False: System Admins cannot control Teammate Name Display at the system level.
This feature’s |
Default Channels (Experimental)
This setting isn’t available in the System Console and can only be set in config.json.
Default channels every user is added to automatically after joining a new team. Only applies to Public channels, but affects all teams on the server.
When not set, every user is added to the off-topic and town-square channels by default.
Note
Even if town-square is not listed, every user is added to that channel after joining a new team.
This feature’s |
Client Requirement Settings (Experimental)
Latest Android Version
This setting isn’t available in the System Console and can only be set in config.json.
The latest version of the Android React Native app that is recommended for use.
This feature’s |
Minimum Android Version
This setting isn’t available in the System Console and can only be set in config.json.
The minimum version of the Android React Native app that is required to be used.
This feature’s |
Latest iOS Version
This setting isn’t available in the System Console and can only be set in config.json.
The latest version of the iOS app that is recommended for use.
This feature’s |
Minimum iOS Version
This setting isn’t available in the System Console and can only be set in config.json.
The minimum version of the iOS React Native app that is required to be used.
This feature’s |
Push Notification Buffer
This setting isn’t available in the System Console and can only be set in config.json.
Used to control the buffer of outstanding Push Notification messages to be sent. If the number of messages exceeds that number, then the request making the Push Notification will be blocked until there’s room.
This feature’s |
Theme Settings (Experimental)
Allowed Themes
Available in legacy Enterprise Edition E10 and E20
This setting isn’t available in the System Console and can only be set in config.json.
Select the themes that can be chosen by users when EnableThemeSelection is set to true.
This feature’s |
Experimental Settings
Disable Post Metadata
Available in legacy Enterprise Edition E20
This setting isn’t available in the System Console and can only be set in config.json.
True: Disabling post metadata is only recommended if you are experiencing a significant decrease in performance around channel and post load times.
False: Load channels with more accurate scroll positioning by loading post metadata.
This feature’s |
Analytics Settings
Maximum Users for Statistics
Available in legacy Enterprise Edition E10 and E20
This setting isn’t available in the System Console and can only be set in config.json.
Sets the maximum number of users on the server before statistics for total posts, total hashtag posts, total file posts, posts per day, and active users with posts per day are disabled.
This setting is used to maximize performance for large Enterprise deployments.
This feature’s |
Elasticsearch Settings
Post Index Replicas
Available in legacy Enterprise Edition E20
This setting isn’t available in the System Console and can only be set in config.json.
The number of replicas to use for each post index. If this setting is changed, it only applies to newly-created indexes. To apply the change to existing indexes, purge and rebuild the index after changing this setting.
This feature’s |
Post Index Shards
Available in legacy Enterprise Edition E20
This setting isn’t available in the System Console and can only be set in config.json.
The number of shards to use for each post index. If this setting is changed, it only applies to newly-created indexes. To apply the change to existing indexes, purge and rebuild the index after changing this setting.
This feature’s |
Aggregate Search Indexes
Available in legacy Enterprise Edition E20
This setting isn’t available in the System Console and can only be set in config.json.
Elasticsearch indexes over the age specified by this setting will be aggregated during the daily scheduled job.
Note
If you’re using data retention and ElasticSearch, ensure the ElasticSearch aggregate search indexes setting is set to a value that is greater than your data retention policy in days.
This feature’s |
Post Aggregator Start Time
Available in legacy Enterprise Edition E20
This setting isn’t available in the System Console and can only be set in config.json.
The start time of the daily scheduled aggregator job. Must be a 24-hour time stamp in the form HH:MM. This setting is based on the local time of the server.
This feature’s |
Index Prefix
Available in legacy Enterprise Edition E20
This setting isn’t available in the System Console and can only be set in config.json.
Prefix on the Elasticsearch index name. Enables the use of Mattermost Elasticsearch on a shared Elasticsearch cluster.
This feature’s |
Note
When this setting is used, all Elasticsearch indexes created by Mattermost are given this prefix. You can set different prefixes so that multiple Mattermost deployments can share an Elasticsearch cluster without the index names colliding.
Live Indexing Batch Size
Available in legacy Enterprise Edition E20
This setting isn’t available in the System Console and can only be set in config.json.
Determines how many new posts are batched together before they are added to the Elasticsearch index. It may be necessary to increase this value to avoid hitting the rate limit of your Elasticsearch cluster on installs handling multiple messages per second.
This feature’s |
Request Timeout
Available in legacy Enterprise Edition E20
This setting isn’t available in the System Console and can only be set in config.json.
Timeout in seconds for Elasticsearch calls.
This feature’s |
Batch Size
This setting isn’t available in the System Console and can only be set in config.json.
Sets the number of objects that can be indexed in a single batch.
This feature’s |
Trace
Available in legacy Enterprise Edition E20
This setting isn’t available in the System Console and can only be set in config.json.
Options for printing Elasticsearch trace errors. Accepts error, all, or empty. error will create the error trace when initialising the Elasticsearch client and will print any template creation or search query that returns an error as part of the error message. all will create the three traces (error, trace and info) for the driver and will not print the queries because they will be part of the trace log level of the driver.
This feature’s |
Message Export Settings
Export From Timestamp
Available in legacy Enterprise Edition E20
This setting isn’t available in the System Console and can only be set in config.json.
Set the Unix timestamp (seconds since epoch, UTC) to export data from.
This feature’s |
File Location
Available in legacy Enterprise Edition E20
This setting isn’t available in the System Console and can only be set in config.json.
Set the file location of the compliance exports. By default, they are written to the exports subdirectory of the configured Local Storage directory.
This feature’s |
Plugin Settings
Enable Plugin Uploads
This setting isn’t available in the System Console and can only be set in config.json.
True: Enables plugin uploads by System Admins at Plugins > Management. If you do not plan to upload a plugin, set to false to control which plugins are installed on your server. See documentation to learn more.
False: Disables plugin uploads on your Mattermost server.
This feature’s |
Allow Insecure Download URL
This setting isn’t available in the System Console and can only be set in config.json.
True: Enables downloading and installing a plugin from a remote URL.
False: Disables downloading and installing a plugin from a remote URL.
This feature’s |
Enable Plugin Health Check
This setting isn’t available in the System Console and can only be set in config.json.
True: Enables plugin health check to ensure all plugins are periodically monitored, and restarted or deactivated based on their health status. The health check runs every 30 seconds. If the plugin is detected to fail 3 times within an hour, the Mattermost server attempts to restart it. If the restart fails 3 successive times, it’s automatically disabled.
False: Disables plugin health check on your Mattermost server.
This feature’s |
Directory
This setting isn’t available in the System Console and can only be set in config.json.
The location of the plugin files. If blank, they are stored in the ./plugins directory. The path that you set must exist and Mattermost must have write permissions in it.
This feature’s |
Client Directory
This setting isn’t available in the System Console and can only be set in config.json.
The location of client plugin files. If blank, they are stored in the ./client/plugins directory. The path that you set must exist and Mattermost must have write permissions in it.
This feature’s |
Jobs
Settings to configure how Mattermost schedules and completes periodic tasks such as the deletion of old posts with Data Retention enabled or indexing posts with Elasticsearch. These settings control which Mattermost servers are designated as a Scheduler, a server that queues the tasks at the correct times, and as a Worker, a server that completes the given tasks.
When running Mattermost on a single machine, both RunJobs and RunScheduler should be enabled. Without both of these enabled, Mattermost will not function properly.
When running Mattermost in High Availability mode, RunJobs should be enabled on one or more servers while RunScheduler should be enabled on all servers under normal circumstances. A High Availability cluster will have one Scheduler and one or more Workers. See the below sections for more information.
Run Jobs
This setting isn’t available in the System Console and can only be set in config.json.
Set whether or not this Mattermost server will handle tasks created by the Scheduler. When running Mattermost on a single machine, this setting should always be enabled.
When running Mattermost in High Availablity mode, one or more servers should have this setting enabled. We recommend that your High Availability cluster has one or more dedicated Workers with this setting enabled while the remaining Mattermost app servers have it disabled.
This feature’s |
Run Scheduler
This setting isn’t available in the System Console and can only be set in config.json.
Set whether or not this Mattermost server will schedule tasks that will be completed by a Worker. When running Mattermost on a single machine, this setting should always be enabled.
When running Mattermost in High Availablity mode, this setting should always be enabled. In a High Availability cluster, exactly one of the servers will be designated as the Scheduler at a time to ensure that duplicate tasks aren’t created. See High Availability documentation for more details.
Warning
We strongly recommend that you not change this setting from the default setting of true as this prevents the ClusterLeader from being able to run the scheduler. As a result, recurring jobs such as LDAP sync, Compliance Export, and data retention will no longer be scheduled. In previous Mattermost Server versions, and this documentation, the instructions stated to run the Job Server with RunScheduler: false. The cluster design has evolved and this is no longer the case.
This feature’s |
