## opendmarc.conf -- configuration file for OpenDMARC filter
|
##
|
## Copyright (c) 2012-2015, 2018, 2021, The Trusted Domain Project.
|
## All rights reserved.
|
|
## DEPRECATED CONFIGURATION OPTIONS
|
##
|
## The following configuration options are no longer valid. They should be
|
## removed from your existing configuration file to prevent potential issues.
|
## Failure to do so may result in opendmarc being unable to start.
|
##
|
## Renamed in 1.3.0:
|
## ForensicReports became FailureReports
|
## ForensicReportsBcc became FailureReportsBcc
|
## ForensicReportsOnNone became FailureReportsOnNone
|
## ForensicReportsSentBy became FailureReportsSentBy
|
|
## CONFIGURATION OPTIONS
|
|
## AuthservID (string)
|
## defaults to MTA name
|
##
|
## Sets the "authserv-id" to use when generating the Authentication-Results:
|
## header field after verifying a message. If the string "HOSTNAME" is
|
## provided, the name of the host running the filter (as returned by the
|
## gethostname(3) function) will be used.
|
#
|
# AuthservID name
|
|
## AuthservIDWithJobID { true | false }
|
## default "false"
|
##
|
## If "true", requests that the authserv-id portion of the added
|
## Authentication-Results header fields contain the job ID of the message
|
## being evaluated.
|
#
|
# AuthservIDWithJobID false
|
|
## AutoRestart { true | false }
|
## default "false"
|
##
|
## Automatically re-start on failures. Use with caution; if the filter fails
|
## instantly after it starts, this can cause a tight fork(2) loop.
|
#
|
# AutoRestart false
|
|
## AutoRestartCount n
|
## default 0
|
##
|
## Sets the maximum automatic restart count. After this number of automatic
|
## restarts, the filter will give up and terminate. A value of 0 implies no
|
## limit.
|
#
|
# AutoRestartCount 0
|
|
## AutoRestartRate n/t[u]
|
## default (no limit)
|
##
|
## Sets the maximum automatic restart rate. If the filter begins restarting
|
## faster than the rate defined here, it will give up and terminate. This
|
## is a string of the form n/t[u] where n is an integer limiting the count
|
## of restarts in the given interval and t[u] defines the time interval
|
## through which the rate is calculated; t is an integer and u defines the
|
## units thus represented ("s" or "S" for seconds, the default; "m" or "M"
|
## for minutes; "h" or "H" for hours; "d" or "D" for days). For example, a
|
## value of "10/1h" limits the restarts to 10 in one hour. There is no
|
## default, meaning restart rate is not limited.
|
#
|
# AutoRestartRate n/t[u]
|
|
## Background { true | false }
|
## default "true"
|
##
|
## Causes opendmarc to fork and exits immediately, leaving the service
|
## running in the background.
|
#
|
# Background true
|
|
## BaseDirectory (string)
|
## default (none)
|
##
|
## If set, instructs the filter to change to the specified directory using
|
## chdir(2) before doing anything else. This means any files referenced
|
## elsewhere in the configuration file can be specified relative to this
|
## directory. It's also useful for arranging that any crash dumps will be
|
## saved to a specific location.
|
#
|
BaseDirectory /var/opendmarc
|
|
## ChangeRootDirectory (string)
|
## default (none)
|
##
|
## Requests that the operating system change the effective root directory of
|
## the process to the one specified here prior to beginning execution.
|
## chroot(2) requires superuser access. A warning will be generated if
|
## UserID is not also set.
|
#
|
# ChangeRootDirectory /var/chroot/opendmarc
|
|
## CopyFailuresTo (string)
|
## default (none)
|
##
|
## Requests addition of the specified email address to the envelope of
|
## any message that fails the DMARC evaluation.
|
#
|
# CopyFailuresTo postmaster@localhost
|
|
## DomainWhitelist (string)
|
## default (none)
|
##
|
## A brief list of whitelisted domains for which ARC signature headers are
|
## trusted as determined by evaluating entries in the "arc.chain" field found
|
## in a locally generated Authentication-Results header.
|
##
|
## This list will be concatenated with DomainWhitelistFile (if provided).
|
##
|
#
|
# DomainWhitelist example.com
|
|
## DomainWhitelistFile path
|
## default (none)
|
##
|
## A comprehensive list of whitelisted domains for which ARC signature headers
|
## are trusted as determined by evaluating entries in the "arc.chain" field
|
## found in a locally generated Authentication-Results header.
|
##
|
## This list will be concatenated with DomainWhitelist (if provided).
|
##
|
#
|
# DomainWhitelistFile /usr/local/etc/opendmarc/whitelist.domains
|
|
## DomainWhitelistSize
|
## default 3000
|
##
|
## The maximum number of entries in the DomainWhitelist including both entries
|
## in the DomainWhitelist configuration parameter (above) and entries in the
|
## DomainWhitelistFile. This number will be increased by approximately 20% to
|
## increase the efficiency of the hashing algorithm.
|
##
|
#
|
# DomainWhitelistSize 3000
|
|
## DNSTimeout (integer)
|
## default 5
|
##
|
## Sets the DNS timeout in seconds. A value of 0 causes an infinite wait.
|
## (NOT YET IMPLEMENTED)
|
#
|
# DNSTimeout 5
|
|
## EnableCoredumps { true | false }
|
## default "false"
|
##
|
## On systems that have such support, make an explicit request to the kernel
|
## to dump cores when the filter crashes for some reason. Some modern UNIX
|
## systems suppress core dumps during crashes for security reasons if the
|
## user ID has changed during the lifetime of the process. Currently only
|
## supported on Linux.
|
#
|
# EnableCoreDumps false
|
|
## FailureReports { true | false }
|
## default "false"
|
##
|
## Enables generation of failure reports when the DMARC test fails and the
|
## purported sender of the message has requested such reports. Reports are
|
## formatted per RFC6591.
|
#
|
# FailureReports false
|
|
## FailureReportsBcc (string)
|
## default (none)
|
##
|
## When failure reports are enabled and one is to be generated, always
|
## send one to the address(es) specified here. If a failure report is
|
## requested by the domain owner, the address(es) are added in a Bcc: field.
|
## If no request is made, they address(es) are used in a To: field. There
|
## is no default.
|
#
|
# FailureReportsBcc postmaster@example.coom
|
|
## FailureReportsOnNone { true | false }
|
## default "false"
|
##
|
## Supplements the "FailureReports" setting by generating reports for
|
## domains that advertise "none" policies. By default, reports are only
|
## generated (when enabled) for sending domains advertising a "quarantine"
|
## or "reject" policy.
|
#
|
# FailureReportsOnNone false
|
|
## FailureReportsSentBy string
|
## default "USER@HOSTNAME"
|
##
|
## Specifies the email address to use in the From: field of failure
|
## reports generated by the filter. The default is to use the userid of
|
## the user running the filter and the local hostname to construct an
|
## email address. "postmaster" is used in place of the userid if a name
|
## could not be determined.
|
#
|
# FailureReportsSentBy USER@HOSTNAME
|
|
## HistoryFile path
|
## default (none)
|
##
|
## If set, specifies the location of a text file to which records are written
|
## that can be used to generate DMARC aggregate reports. Records are groups
|
## of rows containing information about a single received message, and
|
## include all relevant information needed to generate a DMARC aggregate
|
## report. It is expected that this will not be used in its raw form, but
|
## rather periodically imported into a relational database from which the
|
## aggregate reports can be extracted by a tool such as opendmarc-import(8).
|
#
|
HistoryFile /var/opendmarc/opendmarc.dat
|
|
## HoldQuarantinedMessages { true | false }
|
## default "false"
|
##
|
## If set, the milter will signal to the mta that messages with
|
## p=quarantine, which fail dmarc authentication, should be held in
|
## the MTA's "Hold" or "Quarantine" queue. The name varies by MTA.
|
## If false, messsages will be accepted and passed along with the
|
## regular mail flow, and the quarantine will be left up to downstream
|
## MTA/MDA/MUA filters, if any, to handle by re-evaluating the headers,
|
## including the Authentication-Results header added by OpenDMARC
|
#
|
# HoldQuarantinedMessages false
|
|
## IgnoreAuthenticatedClients { true | false }
|
## default "false"
|
##
|
## If set, causes mail from authenticated clients (i.e., those that used
|
## SMTP AUTH) to be ignored by the filter.
|
#
|
# IgnoreAuthenticatedClients false
|
|
## HoldQuarantinedMessages { true | false }
|
## default "false"
|
##
|
## If set, the milter will signal to the mta that messages with
|
## p=quarantine, which fail dmarc authentication, should be held in
|
## the MTA's "Hold" or "Quarantine" queue. The name varies by MTA.
|
## If false, messsages will be accepted and passed along with the
|
## regular mail flow, and the quarantine will be left up to downstream
|
## MTA/MDA/MUA filters, if any, to handle by re-evaluating the headers,
|
## including the Authentication-Results header added by OpenDMARC
|
#
|
# HoldQuarantinedMessages false
|
|
|
## IgnoreHosts path
|
## default (internal)
|
##
|
## Specifies the path to a file that contains a list of hostnames, IP
|
## addresses, and/or CIDR expressions identifying hosts whose SMTP
|
## connections are to be ignored by the filter. If not specified, defaults
|
## to "127.0.0.1" only.
|
#
|
# IgnoreHosts /usr/local/etc/opendmarc/ignore.hosts
|
|
## IgnoreMailFrom domain[,...]
|
## default (none)
|
##
|
## Gives a list of domain names whose mail (based on the From: domain) is to
|
## be ignored by the filter. The list should be comma-separated. Matching
|
## against this list is case-insensitive. The default is an empty list,
|
## meaning no mail is ignored.
|
#
|
# IgnoreMailFrom example.com
|
|
## MilterDebug (integer)
|
## default 0
|
##
|
## Sets the debug level to be requested from the milter library.
|
#
|
# MilterDebug 0
|
|
## PidFile path
|
## default (none)
|
##
|
## Specifies the path to a file that should be created at process start
|
## containing the process ID.
|
#
|
PidFile /var/opendmarc/opendmarc.pid
|
|
## PublicSuffixList path
|
## default (none)
|
##
|
## Specifies the path to a file that contains top-level domains (TLDs) that
|
## will be used to compute the Organizational Domain for a given domain name,
|
## as described in the DMARC specification. If not provided, the filter will
|
## not be able to determine the Organizational Domain and only the presented
|
## domain will be evaluated. This file should be periodically updated.
|
## One location to retrieve the file from is https://publicsuffix.org/list/
|
#
|
# PublicSuffixList path
|
|
## RecordAllMessages { true | false }
|
## default "false"
|
##
|
## If set and "HistoryFile" is in use, all received messages are recorded
|
## to the history file. If not set (the default), only messages for which
|
## the From: domain published a DMARC record will be recorded in the
|
## history file.
|
#
|
# RecordAllMessages false
|
|
## RejectFailures { true | false }
|
## default "false"
|
##
|
## If set, messages will be rejected if they fail the DMARC evaluation, or
|
## temp-failed if evaluation could not be completed. By default, no message
|
## will be rejected or temp-failed regardless of the outcome of the DMARC
|
## evaluation of the message. Instead, an Authentication-Results header
|
## field will be added.
|
#
|
# RejectFailures false
|
|
## RejectMultiValueFrom { true | false }
|
## default "false"
|
##
|
## If set, messages with multiple addresses in the From: field of the message
|
## will be rejected unless all domains in the field are the same. They will
|
## otherwise be ignored by the filter (the default).
|
#
|
# RejectMultiValueFrom false
|
|
## ReportCommand string
|
## default "/usr/sbin/sendmail -t"
|
##
|
## Indicates the shell command to which failure reports should be passed for
|
## delivery when "FailureReports" is enabled.
|
#
|
ReportCommand /usr/sbin/sendmail -t
|
|
## RequiredHeaders { true | false }
|
## default "false"
|
##
|
## If set, the filter will ensure the header of the message conforms to the
|
## basic header field count restrictions laid out in RFC5322, Section 3.6.
|
## Messages failing this test are rejected without further processing. A
|
## From: field from which no domain name could be extracted will also be
|
## rejected.
|
#
|
# RequiredHeaders false
|
|
## Socket socketspec
|
## default (none)
|
##
|
## Specifies the socket that should be established by the filter to receive
|
## connections from sendmail(8) in order to provide service. socketspec is
|
## in one of two forms: local:path, which creates a UNIX domain socket at
|
## the specified path, or inet:port[@host] or inet6:port[@host] which creates
|
## a TCP socket on the specified port for the appropriate protocol family.
|
## If the host is not given as either a hostname or an IP address, the
|
## socket will be listening on all interfaces. This option is mandatory
|
## either in the configuration file or on the command line. If an IP
|
## address is used, it must be enclosed in square brackets.
|
#
|
Socket inet:8893@localhost
|
|
## SoftwareHeader { true | false }
|
## default "false"
|
##
|
## Causes the filter to add a "DMARC-Filter" header field indicating the
|
## presence of this filter in the path of the message from injection to
|
## delivery. The product's name, version, and the job ID are included in
|
## the header field's contents.
|
#
|
# SoftwareHeader false
|
|
## SPFIgnoreResults { true | false }
|
## default "false"
|
##
|
## Causes the filter to ignore any SPF results in the header of the
|
## message. This is useful if you want the filter to perform SPF checks
|
## itself, or because you don't trust the arriving header.
|
#
|
# SPFIgnoreResults false
|
|
## SPFSelfValidate { true | false }
|
## default false
|
##
|
## Enable internal spf checking with --with-spf
|
## To use libspf2 instead: --with-spf --with-spf2-include=path --with-spf2-lib=path
|
##
|
## Causes the filter to perform a fallback SPF check itself when
|
## it can find no SPF results in the message header. If SPFIgnoreResults
|
## is also set, it never looks for SPF results in headers and
|
## always performs the SPF check itself when this is set.
|
#
|
# SPFSelfValidate false
|
|
## Syslog { true | false }
|
## default "false"
|
##
|
## Log via calls to syslog(3) any interesting activity.
|
#
|
Syslog true
|
|
## SyslogFacility facility-name
|
## default "mail"
|
##
|
## Log via calls to syslog(3) using the named facility. The facility names
|
## are the same as the ones allowed in syslog.conf(5).
|
#
|
SyslogFacility mail
|
|
## TrustedAuthservIDs string
|
## default HOSTNAME
|
##
|
## Specifies one or more "authserv-id" values to trust as relaying true
|
## upstream DKIM and SPF results. The default is to use the name of
|
## the MTA processing the message. To specify a list, separate each entry
|
## with a comma. The key word "HOSTNAME" will be replaced by the name of
|
## the host running the filter as reported by the gethostname(3) function.
|
#
|
# TrustedAuthservIDs HOSTNAME
|
|
## UMask mask
|
## default (none)
|
##
|
## Requests a specific permissions mask to be used for file creation. This
|
## only really applies to creation of the socket when Socket specifies a
|
## UNIX domain socket, and to the HistoryFile and PidFile (if any); temporary
|
## files are normally created by the mkstemp(3) function that enforces a
|
## specific file mode on creation regardless of the process umask. See
|
## umask(2) for more information.
|
#
|
UMask 077
|
|
## UserID user[:group]
|
## default (none)
|
##
|
## Attempts to become the specified userid before starting operations.
|
## The process will be assigned all of the groups and primary group ID of
|
## the named userid unless an alternate group is specified.
|
#
|
UserID opendmarc:opendmarc
|
