|
|
@@ -1,41 +1,336 @@
|
|
1
|
|
-# This is a basic configuration that can easily be adapted to suit a standard
|
|
2
|
|
-# installation. For more advanced options, see opendkim.conf(5) and/or
|
|
3
|
|
-# /usr/share/doc/opendmarc/examples/opendmarc.conf.sample.
|
|
|
1
|
+##
|
|
|
2
|
+## opendmarc.conf -- configuration file for OpenDMARC filter
|
|
|
3
|
+##
|
|
|
4
|
+## Copyright (c) 2012-2014, The Trusted Domain Project. All rights reserved.
|
|
|
5
|
+##
|
|
4
|
6
|
|
|
5
|
7
|
## AuthservID (string)
|
|
6
|
|
-## defaults to MTA name
|
|
|
8
|
+## defaults to MTA name
|
|
|
9
|
+##
|
|
|
10
|
+## Sets the "authserv-id" to use when generating the Authentication-Results:
|
|
|
11
|
+## header field after verifying a message. If the string "HOSTNAME" is
|
|
|
12
|
+## provided, the name of the host running the filter (as returned by the
|
|
|
13
|
+## gethostname(3) function) will be used.
|
|
7
|
14
|
#
|
|
8
|
15
|
AuthservID {{ mail_server_hostname }}
|
|
9
|
16
|
|
|
10
|
|
-## ForensicReports { true | false }
|
|
11
|
|
-## default "false"
|
|
|
17
|
+## AuthservIDWithJobID { true | false }
|
|
|
18
|
+## default "false"
|
|
|
19
|
+##
|
|
|
20
|
+## If "true", requests that the authserv-id portion of the added
|
|
|
21
|
+## Authentication-Results header fields contain the job ID of the message
|
|
|
22
|
+## being evaluated.
|
|
|
23
|
+#
|
|
|
24
|
+# AuthservIDWithJobID false
|
|
|
25
|
+
|
|
|
26
|
+## AutoRestart { true | false }
|
|
|
27
|
+## default "false"
|
|
|
28
|
+##
|
|
|
29
|
+## Automatically re-start on failures. Use with caution; if the filter fails
|
|
|
30
|
+## instantly after it starts, this can cause a tight fork(2) loop.
|
|
|
31
|
+#
|
|
|
32
|
+# AutoRestart false
|
|
|
33
|
+
|
|
|
34
|
+## AutoRestartCount n
|
|
|
35
|
+## default 0
|
|
|
36
|
+##
|
|
|
37
|
+## Sets the maximum automatic restart count. After this number of automatic
|
|
|
38
|
+## restarts, the filter will give up and terminate. A value of 0 implies no
|
|
|
39
|
+## limit.
|
|
|
40
|
+#
|
|
|
41
|
+# AutoRestartCount 0
|
|
|
42
|
+
|
|
|
43
|
+## AutoRestartRate n/t[u]
|
|
|
44
|
+## default (no limit)
|
|
|
45
|
+##
|
|
|
46
|
+## Sets the maximum automatic restart rate. If the filter begins restarting
|
|
|
47
|
+## faster than the rate defined here, it will give up and terminate. This
|
|
|
48
|
+## is a string of the form n/t[u] where n is an integer limiting the count
|
|
|
49
|
+## of restarts in the given interval and t[u] defines the time interval
|
|
|
50
|
+## through which the rate is calculated; t is an integer and u defines the
|
|
|
51
|
+## units thus represented ("s" or "S" for seconds, the default; "m" or "M"
|
|
|
52
|
+## for minutes; "h" or "H" for hours; "d" or "D" for days). For example, a
|
|
|
53
|
+## value of "10/1h" limits the restarts to 10 in one hour. There is no
|
|
|
54
|
+## default, meaning restart rate is not limited.
|
|
|
55
|
+#
|
|
|
56
|
+# AutoRestartRate n/t[u]
|
|
|
57
|
+
|
|
|
58
|
+## Background { true | false }
|
|
|
59
|
+## default "true"
|
|
|
60
|
+##
|
|
|
61
|
+## Causes opendmarc to fork and exits immediately, leaving the service
|
|
|
62
|
+## running in the background.
|
|
|
63
|
+#
|
|
|
64
|
+# Background true
|
|
|
65
|
+
|
|
|
66
|
+## BaseDirectory (string)
|
|
|
67
|
+## default (none)
|
|
|
68
|
+##
|
|
|
69
|
+## If set, instructs the filter to change to the specified directory using
|
|
|
70
|
+## chdir(2) before doing anything else. This means any files referenced
|
|
|
71
|
+## elsewhere in the configuration file can be specified relative to this
|
|
|
72
|
+## directory. It's also useful for arranging that any crash dumps will be
|
|
|
73
|
+## saved to a specific location.
|
|
|
74
|
+#
|
|
|
75
|
+# BaseDirectory /var/run/opendmarc
|
|
|
76
|
+
|
|
|
77
|
+## ChangeRootDirectory (string)
|
|
|
78
|
+## default (none)
|
|
|
79
|
+##
|
|
|
80
|
+## Requests that the operating system change the effective root directory of
|
|
|
81
|
+## the process to the one specified here prior to beginning execution.
|
|
|
82
|
+## chroot(2) requires superuser access. A warning will be generated if
|
|
|
83
|
+## UserID is not also set.
|
|
|
84
|
+#
|
|
|
85
|
+# ChangeRootDirectory /var/chroot/opendmarc
|
|
|
86
|
+
|
|
|
87
|
+## CopyFailuresTo (string)
|
|
|
88
|
+## default (none)
|
|
|
89
|
+##
|
|
|
90
|
+## Requests addition of the specified email address to the envelope of
|
|
|
91
|
+## any message that fails the DMARC evaluation.
|
|
|
92
|
+#
|
|
|
93
|
+# CopyFailuresTo postmaster@localhost
|
|
|
94
|
+
|
|
|
95
|
+## DNSTimeout (integer)
|
|
|
96
|
+## default 5
|
|
|
97
|
+##
|
|
|
98
|
+## Sets the DNS timeout in seconds. A value of 0 causes an infinite wait.
|
|
|
99
|
+## (NOT YET IMPLEMENTED)
|
|
|
100
|
+#
|
|
|
101
|
+# DNSTimeout 5
|
|
|
102
|
+
|
|
|
103
|
+## EnableCoredumps { true | false }
|
|
|
104
|
+## default "false"
|
|
|
105
|
+##
|
|
|
106
|
+## On systems that have such support, make an explicit request to the kernel
|
|
|
107
|
+## to dump cores when the filter crashes for some reason. Some modern UNIX
|
|
|
108
|
+## systems suppress core dumps during crashes for security reasons if the
|
|
|
109
|
+## user ID has changed during the lifetime of the process. Currently only
|
|
|
110
|
+## supported on Linux.
|
|
|
111
|
+#
|
|
|
112
|
+# EnableCoreDumps false
|
|
|
113
|
+
|
|
|
114
|
+## FailureReports { true | false }
|
|
|
115
|
+## default "false"
|
|
|
116
|
+##
|
|
|
117
|
+## Enables generation of failure reports when the DMARC test fails and the
|
|
|
118
|
+## purported sender of the message has requested such reports. Reports are
|
|
|
119
|
+## formatted per RFC6591.
|
|
|
120
|
+#
|
|
|
121
|
+# FailureReports false
|
|
|
122
|
+
|
|
|
123
|
+## FailureReportsBcc (string)
|
|
|
124
|
+## default (none)
|
|
|
125
|
+##
|
|
|
126
|
+## When failure reports are enabled and one is to be generated, always
|
|
|
127
|
+## send one to the address(es) specified here. If a failure report is
|
|
|
128
|
+## requested by the domain owner, the address(es) are added in a Bcc: field.
|
|
|
129
|
+## If no request is made, they address(es) are used in a To: field. There
|
|
|
130
|
+## is no default.
|
|
|
131
|
+#
|
|
|
132
|
+# FailureReportsBcc postmaster@example.coom
|
|
|
133
|
+
|
|
|
134
|
+## FailureReportsOnNone { true | false }
|
|
|
135
|
+## default "false"
|
|
|
136
|
+##
|
|
|
137
|
+## Supplements the "FailureReports" setting by generating reports for
|
|
|
138
|
+## domains that advertise "none" policies. By default, reports are only
|
|
|
139
|
+## generated (when enabled) for sending domains advertising a "quarantine"
|
|
|
140
|
+## or "reject" policy.
|
|
|
141
|
+#
|
|
|
142
|
+# FailureReportsOnNone false
|
|
|
143
|
+
|
|
|
144
|
+## FailureReportsSentBy string
|
|
|
145
|
+## default "USER@HOSTNAME"
|
|
|
146
|
+##
|
|
|
147
|
+## Specifies the email address to use in the From: field of failure
|
|
|
148
|
+## reports generated by the filter. The default is to use the userid of
|
|
|
149
|
+## the user running the filter and the local hostname to construct an
|
|
|
150
|
+## email address. "postmaster" is used in place of the userid if a name
|
|
|
151
|
+## could not be determined.
|
|
|
152
|
+#
|
|
|
153
|
+# FailureReportsSentBy USER@HOSTNAME
|
|
|
154
|
+
|
|
|
155
|
+## HistoryFile path
|
|
|
156
|
+## default (none)
|
|
|
157
|
+##
|
|
|
158
|
+## If set, specifies the location of a text file to which records are written
|
|
|
159
|
+## that can be used to generate DMARC aggregate reports. Records are groups
|
|
|
160
|
+## of rows containing information about a single received message, and
|
|
|
161
|
+## include all relevant information needed to generate a DMARC aggregate
|
|
|
162
|
+## report. It is expected that this will not be used in its raw form, but
|
|
|
163
|
+## rather periodically imported into a relational database from which the
|
|
|
164
|
+## aggregate reports can be extracted by a tool such as opendmarc-import(8).
|
|
|
165
|
+#
|
|
|
166
|
+HistoryFile /var/run/opendmarc/opendmarc.dat
|
|
|
167
|
+
|
|
|
168
|
+## IgnoreAuthenticatedClients { true | false }
|
|
|
169
|
+## default "false"
|
|
|
170
|
+##
|
|
|
171
|
+## If set, causes mail from authenticated clients (i.e., those that used
|
|
|
172
|
+## SMTP UATH) to be ignored by the filter.
|
|
|
173
|
+#
|
|
|
174
|
+# IgnoreAuthenticatedClients false
|
|
|
175
|
+
|
|
|
176
|
+## IgnoreHosts path
|
|
|
177
|
+## default (internal)
|
|
|
178
|
+##
|
|
|
179
|
+## Specifies the path to a file that contains a list of hostnames, IP
|
|
|
180
|
+## addresses, and/or CIDR expressions identifying hosts whose SMTP
|
|
|
181
|
+## connections are to be ignored by the filter. If not specified, defaults
|
|
|
182
|
+## to "127.0.0.1" only.
|
|
|
183
|
+#
|
|
|
184
|
+IgnoreHosts /etc/opendmarc/ignore.hosts
|
|
|
185
|
+
|
|
|
186
|
+## IgnoreMailFrom domain[,...]
|
|
|
187
|
+## default (none)
|
|
12
|
188
|
##
|
|
13
|
|
-# ForensicReports false
|
|
|
189
|
+## Gives a list of domain names whose mail (based on the From: domain) is to
|
|
|
190
|
+## be ignored by the filter. The list should be comma-separated. Matching
|
|
|
191
|
+## against this list is case-insensitive. The default is an empty list,
|
|
|
192
|
+## meaning no mail is ignored.
|
|
|
193
|
+#
|
|
|
194
|
+# IgnoreMailFrom example.com
|
|
14
|
195
|
|
|
|
196
|
+## MilterDebug (integer)
|
|
|
197
|
+## default 0
|
|
|
198
|
+##
|
|
|
199
|
+## Sets the debug level to be requested from the milter library.
|
|
|
200
|
+#
|
|
|
201
|
+# MilterDebug 0
|
|
|
202
|
+
|
|
|
203
|
+## PidFile path
|
|
|
204
|
+## default (none)
|
|
|
205
|
+##
|
|
|
206
|
+## Specifies the path to a file that should be created at process start
|
|
|
207
|
+## containing the process ID.
|
|
|
208
|
+##
|
|
|
209
|
+#
|
|
15
|
210
|
PidFile /var/run/opendmarc.pid
|
|
16
|
211
|
|
|
|
212
|
+## PublicSuffixList path
|
|
|
213
|
+## default (none)
|
|
|
214
|
+##
|
|
|
215
|
+## Specifies the path to a file that contains top-level domains (TLDs) that
|
|
|
216
|
+## will be used to compute the Organizational Domain for a given domain name,
|
|
|
217
|
+## as described in the DMARC specification. If not provided, the filter will
|
|
|
218
|
+## not be able to determine the Organizational Domain and only the presented
|
|
|
219
|
+## domain will be evaluated.
|
|
|
220
|
+#
|
|
|
221
|
+# PublicSuffixList path
|
|
|
222
|
+
|
|
|
223
|
+## RecordAllMessages { true | false }
|
|
|
224
|
+## default "false"
|
|
|
225
|
+##
|
|
|
226
|
+## If set and "HistoryFile" is in use, all received messages are recorded
|
|
|
227
|
+## to the history file. If not set (the default), only messages for which
|
|
|
228
|
+## the From: domain published a DMARC record will be recorded in the
|
|
|
229
|
+## history file.
|
|
|
230
|
+#
|
|
|
231
|
+# RecordAllMessages false
|
|
|
232
|
+
|
|
17
|
233
|
## RejectFailures { true | false }
|
|
18
|
|
-## default "false"
|
|
|
234
|
+## default "false"
|
|
19
|
235
|
##
|
|
|
236
|
+## If set, messages will be rejected if they fail the DMARC evaluation, or
|
|
|
237
|
+## temp-failed if evaluation could not be completed. By default, no message
|
|
|
238
|
+## will be rejected or temp-failed regardless of the outcome of the DMARC
|
|
|
239
|
+## evaluation of the message. Instead, an Authentication-Results header
|
|
|
240
|
+## field will be added.
|
|
|
241
|
+#
|
|
20
|
242
|
RejectFailures false
|
|
21
|
243
|
|
|
|
244
|
+## ReportCommand string
|
|
|
245
|
+## default "/usr/sbin/sendmail -t"
|
|
|
246
|
+##
|
|
|
247
|
+## Indicates the shell command to which failure reports should be passed for
|
|
|
248
|
+## delivery when "FailureReports" is enabled.
|
|
|
249
|
+#
|
|
|
250
|
+# ReportCommand /usr/sbin/sendmail -t
|
|
|
251
|
+
|
|
|
252
|
+## RequiredHeaders { true | false }
|
|
|
253
|
+## default "false"
|
|
|
254
|
+##
|
|
|
255
|
+## If set, the filter will ensure the header of the message conforms to the
|
|
|
256
|
+## basic header field count restrictions laid out in RFC5322, Section 3.6.
|
|
|
257
|
+## Messages failing this test are rejected without further processing. A
|
|
|
258
|
+## From: field from which no domain name could be extracted will also be
|
|
|
259
|
+## rejected.
|
|
|
260
|
+#
|
|
|
261
|
+# RequiredHeaders false
|
|
|
262
|
+
|
|
|
263
|
+## Socket socketspec
|
|
|
264
|
+## default (none)
|
|
|
265
|
+##
|
|
|
266
|
+## Specifies the socket that should be established by the filter to receive
|
|
|
267
|
+## connections from sendmail(8) in order to provide service. socketspec is
|
|
|
268
|
+## in one of two forms: local:path, which creates a UNIX domain socket at
|
|
|
269
|
+## the specified path, or inet:port[@host] or inet6:port[@host] which creates
|
|
|
270
|
+## a TCP socket on the specified port for the appropriate protocol family.
|
|
|
271
|
+## If the host is not given as either a hostname or an IP address, the
|
|
|
272
|
+## socket will be listening on all interfaces. This option is mandatory
|
|
|
273
|
+## either in the configuration file or on the command line. If an IP
|
|
|
274
|
+## address is used, it must be enclosed in square brackets.
|
|
|
275
|
+#
|
|
|
276
|
+# Socket inet:8893@localhost
|
|
|
277
|
+
|
|
|
278
|
+## SoftwareHeader { true | false }
|
|
|
279
|
+## default "false"
|
|
|
280
|
+##
|
|
|
281
|
+## Causes the filter to add a "DMARC-Filter" header field indicating the
|
|
|
282
|
+## presence of this filter in the path of the message from injection to
|
|
|
283
|
+## delivery. The product's name, version, and the job ID are included in
|
|
|
284
|
+## the header field's contents.
|
|
|
285
|
+#
|
|
|
286
|
+SoftwareHeader true
|
|
|
287
|
+
|
|
|
288
|
+## SPFIgnoreResults { true | false }
|
|
|
289
|
+## default "false"
|
|
|
290
|
+##
|
|
|
291
|
+## Causes the filter to ignore any SPF results in the header of the
|
|
|
292
|
+## message. This is useful if you want the filter to perfrom SPF checks
|
|
|
293
|
+## itself, or because you don't trust the arriving header.
|
|
|
294
|
+#
|
|
|
295
|
+# SPFIgnoreResults false
|
|
|
296
|
+
|
|
|
297
|
+## SPFSelfValidate { true | false }
|
|
|
298
|
+## default false
|
|
|
299
|
+##
|
|
|
300
|
+## Enable internal spf checking with --with-spf
|
|
|
301
|
+## To use libspf2 instead: --with-spf --with-spf2-include=path --with-spf2-lib=path
|
|
|
302
|
+##
|
|
|
303
|
+## Causes the filter to perform a fallback SPF check itself when
|
|
|
304
|
+## it can find no SPF results in the message header. If SPFIgnoreResults
|
|
|
305
|
+## is also set, it never looks for SPF results in headers and
|
|
|
306
|
+## always performs the SPF check itself when this is set.
|
|
|
307
|
+#
|
|
|
308
|
+# SPFSelfValidate false
|
|
|
309
|
+
|
|
22
|
310
|
## Syslog { true | false }
|
|
23
|
|
-## default "false"
|
|
|
311
|
+## default "false"
|
|
24
|
312
|
##
|
|
25
|
313
|
## Log via calls to syslog(3) any interesting activity.
|
|
26
|
314
|
#
|
|
27
|
315
|
Syslog true
|
|
28
|
316
|
|
|
29
|
317
|
## SyslogFacility facility-name
|
|
30
|
|
-## default "mail"
|
|
|
318
|
+## default "mail"
|
|
31
|
319
|
##
|
|
32
|
320
|
## Log via calls to syslog(3) using the named facility. The facility names
|
|
33
|
321
|
## are the same as the ones allowed in syslog.conf(5).
|
|
34
|
322
|
#
|
|
35
|
323
|
# SyslogFacility mail
|
|
36
|
324
|
|
|
|
325
|
+## TemporaryDirectory path
|
|
|
326
|
+## default /var/tmp
|
|
|
327
|
+##
|
|
|
328
|
+## Specifies the directory in which temporary files should be written.
|
|
|
329
|
+#
|
|
|
330
|
+# TemporaryDirectory /var/tmp
|
|
|
331
|
+
|
|
37
|
332
|
## TrustedAuthservIDs string
|
|
38
|
|
-## default HOSTNAME
|
|
|
333
|
+## default HOSTNAME
|
|
39
|
334
|
##
|
|
40
|
335
|
## Specifies one or more "authserv-id" values to trust as relaying true
|
|
41
|
336
|
## upstream DKIM and SPF results. The default is to use the name of
|
|
|
@@ -45,9 +340,8 @@ Syslog true
|
|
45
|
340
|
#
|
|
46
|
341
|
TrustedAuthservIDs {{ mail_server_hostname }}
|
|
47
|
342
|
|
|
48
|
|
-
|
|
49
|
343
|
## UMask mask
|
|
50
|
|
-## default (none)
|
|
|
344
|
+## default (none)
|
|
51
|
345
|
##
|
|
52
|
346
|
## Requests a specific permissions mask to be used for file creation. This
|
|
53
|
347
|
## only really applies to creation of the socket when Socket specifies a
|
|
|
@@ -59,27 +353,10 @@ TrustedAuthservIDs {{ mail_server_hostname }}
|
|
59
|
353
|
UMask 0002
|
|
60
|
354
|
|
|
61
|
355
|
## UserID user[:group]
|
|
62
|
|
-## default (none)
|
|
|
356
|
+## default (none)
|
|
63
|
357
|
##
|
|
64
|
358
|
## Attempts to become the specified userid before starting operations.
|
|
65
|
359
|
## The process will be assigned all of the groups and primary group ID of
|
|
66
|
360
|
## the named userid unless an alternate group is specified.
|
|
67
|
361
|
#
|
|
68
|
362
|
UserID opendmarc:opendmarc
|
|
69
|
|
-
|
|
70
|
|
-## The path to the Ignored Hosts list. This file should contain a list of
|
|
71
|
|
-## networks and hosts that you trust. Their mail will not be checked by
|
|
72
|
|
-## OpenDMARC.
|
|
73
|
|
-#
|
|
74
|
|
-IgnoreHosts /etc/opendmarc/ignore.hosts
|
|
75
|
|
-
|
|
76
|
|
-## The path under which the History file should be created.
|
|
77
|
|
-## This file is necessary if you want to be able to create aggregate
|
|
78
|
|
-## reports to send out to other organizations
|
|
79
|
|
-#
|
|
80
|
|
-HistoryFile /var/run/opendmarc/opendmarc.dat
|
|
81
|
|
-
|
|
82
|
|
-## Adds a “Dmarc-Filter” header with the opendmarc version in every processed mail.
|
|
83
|
|
-## This is good to have during testing.
|
|
84
|
|
-#
|
|
85
|
|
-SoftwareHeader true
|
Allen Riddell
8 years ago