暂无描述
您最多选择25个主题 主题必须以字母或数字开头,可以包含连字符 (-),并且长度不得超过35个字符

etc_opendmarc.conf.j2 12KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362
  1. ##
  2. ## opendmarc.conf -- configuration file for OpenDMARC filter
  3. ##
  4. ## Copyright (c) 2012-2014, The Trusted Domain Project. All rights reserved.
  5. ##
  6. ## AuthservID (string)
  7. ## defaults to MTA name
  8. ##
  9. ## Sets the "authserv-id" to use when generating the Authentication-Results:
  10. ## header field after verifying a message. If the string "HOSTNAME" is
  11. ## provided, the name of the host running the filter (as returned by the
  12. ## gethostname(3) function) will be used.
  13. #
  14. AuthservID {{ mail_server_hostname }}
  15. ## AuthservIDWithJobID { true | false }
  16. ## default "false"
  17. ##
  18. ## If "true", requests that the authserv-id portion of the added
  19. ## Authentication-Results header fields contain the job ID of the message
  20. ## being evaluated.
  21. #
  22. # AuthservIDWithJobID false
  23. ## AutoRestart { true | false }
  24. ## default "false"
  25. ##
  26. ## Automatically re-start on failures. Use with caution; if the filter fails
  27. ## instantly after it starts, this can cause a tight fork(2) loop.
  28. #
  29. # AutoRestart false
  30. ## AutoRestartCount n
  31. ## default 0
  32. ##
  33. ## Sets the maximum automatic restart count. After this number of automatic
  34. ## restarts, the filter will give up and terminate. A value of 0 implies no
  35. ## limit.
  36. #
  37. # AutoRestartCount 0
  38. ## AutoRestartRate n/t[u]
  39. ## default (no limit)
  40. ##
  41. ## Sets the maximum automatic restart rate. If the filter begins restarting
  42. ## faster than the rate defined here, it will give up and terminate. This
  43. ## is a string of the form n/t[u] where n is an integer limiting the count
  44. ## of restarts in the given interval and t[u] defines the time interval
  45. ## through which the rate is calculated; t is an integer and u defines the
  46. ## units thus represented ("s" or "S" for seconds, the default; "m" or "M"
  47. ## for minutes; "h" or "H" for hours; "d" or "D" for days). For example, a
  48. ## value of "10/1h" limits the restarts to 10 in one hour. There is no
  49. ## default, meaning restart rate is not limited.
  50. #
  51. # AutoRestartRate n/t[u]
  52. ## Background { true | false }
  53. ## default "true"
  54. ##
  55. ## Causes opendmarc to fork and exits immediately, leaving the service
  56. ## running in the background.
  57. #
  58. # Background true
  59. ## BaseDirectory (string)
  60. ## default (none)
  61. ##
  62. ## If set, instructs the filter to change to the specified directory using
  63. ## chdir(2) before doing anything else. This means any files referenced
  64. ## elsewhere in the configuration file can be specified relative to this
  65. ## directory. It's also useful for arranging that any crash dumps will be
  66. ## saved to a specific location.
  67. #
  68. # BaseDirectory /var/run/opendmarc
  69. ## ChangeRootDirectory (string)
  70. ## default (none)
  71. ##
  72. ## Requests that the operating system change the effective root directory of
  73. ## the process to the one specified here prior to beginning execution.
  74. ## chroot(2) requires superuser access. A warning will be generated if
  75. ## UserID is not also set.
  76. #
  77. # ChangeRootDirectory /var/chroot/opendmarc
  78. ## CopyFailuresTo (string)
  79. ## default (none)
  80. ##
  81. ## Requests addition of the specified email address to the envelope of
  82. ## any message that fails the DMARC evaluation.
  83. #
  84. # CopyFailuresTo postmaster@localhost
  85. ## DNSTimeout (integer)
  86. ## default 5
  87. ##
  88. ## Sets the DNS timeout in seconds. A value of 0 causes an infinite wait.
  89. ## (NOT YET IMPLEMENTED)
  90. #
  91. # DNSTimeout 5
  92. ## EnableCoredumps { true | false }
  93. ## default "false"
  94. ##
  95. ## On systems that have such support, make an explicit request to the kernel
  96. ## to dump cores when the filter crashes for some reason. Some modern UNIX
  97. ## systems suppress core dumps during crashes for security reasons if the
  98. ## user ID has changed during the lifetime of the process. Currently only
  99. ## supported on Linux.
  100. #
  101. # EnableCoreDumps false
  102. ## FailureReports { true | false }
  103. ## default "false"
  104. ##
  105. ## Enables generation of failure reports when the DMARC test fails and the
  106. ## purported sender of the message has requested such reports. Reports are
  107. ## formatted per RFC6591.
  108. #
  109. # FailureReports false
  110. ## FailureReportsBcc (string)
  111. ## default (none)
  112. ##
  113. ## When failure reports are enabled and one is to be generated, always
  114. ## send one to the address(es) specified here. If a failure report is
  115. ## requested by the domain owner, the address(es) are added in a Bcc: field.
  116. ## If no request is made, they address(es) are used in a To: field. There
  117. ## is no default.
  118. #
  119. # FailureReportsBcc postmaster@example.coom
  120. ## FailureReportsOnNone { true | false }
  121. ## default "false"
  122. ##
  123. ## Supplements the "FailureReports" setting by generating reports for
  124. ## domains that advertise "none" policies. By default, reports are only
  125. ## generated (when enabled) for sending domains advertising a "quarantine"
  126. ## or "reject" policy.
  127. #
  128. # FailureReportsOnNone false
  129. ## FailureReportsSentBy string
  130. ## default "USER@HOSTNAME"
  131. ##
  132. ## Specifies the email address to use in the From: field of failure
  133. ## reports generated by the filter. The default is to use the userid of
  134. ## the user running the filter and the local hostname to construct an
  135. ## email address. "postmaster" is used in place of the userid if a name
  136. ## could not be determined.
  137. #
  138. # FailureReportsSentBy USER@HOSTNAME
  139. ## HistoryFile path
  140. ## default (none)
  141. ##
  142. ## If set, specifies the location of a text file to which records are written
  143. ## that can be used to generate DMARC aggregate reports. Records are groups
  144. ## of rows containing information about a single received message, and
  145. ## include all relevant information needed to generate a DMARC aggregate
  146. ## report. It is expected that this will not be used in its raw form, but
  147. ## rather periodically imported into a relational database from which the
  148. ## aggregate reports can be extracted by a tool such as opendmarc-import(8).
  149. #
  150. HistoryFile /var/run/opendmarc/opendmarc.dat
  151. ## IgnoreAuthenticatedClients { true | false }
  152. ## default "false"
  153. ##
  154. ## If set, causes mail from authenticated clients (i.e., those that used
  155. ## SMTP UATH) to be ignored by the filter.
  156. #
  157. # IgnoreAuthenticatedClients false
  158. ## IgnoreHosts path
  159. ## default (internal)
  160. ##
  161. ## Specifies the path to a file that contains a list of hostnames, IP
  162. ## addresses, and/or CIDR expressions identifying hosts whose SMTP
  163. ## connections are to be ignored by the filter. If not specified, defaults
  164. ## to "127.0.0.1" only.
  165. #
  166. IgnoreHosts /etc/opendmarc/ignore.hosts
  167. ## IgnoreMailFrom domain[,...]
  168. ## default (none)
  169. ##
  170. ## Gives a list of domain names whose mail (based on the From: domain) is to
  171. ## be ignored by the filter. The list should be comma-separated. Matching
  172. ## against this list is case-insensitive. The default is an empty list,
  173. ## meaning no mail is ignored.
  174. #
  175. # IgnoreMailFrom example.com
  176. ## MilterDebug (integer)
  177. ## default 0
  178. ##
  179. ## Sets the debug level to be requested from the milter library.
  180. #
  181. # MilterDebug 0
  182. ## PidFile path
  183. ## default (none)
  184. ##
  185. ## Specifies the path to a file that should be created at process start
  186. ## containing the process ID.
  187. ##
  188. #
  189. PidFile /var/run/opendmarc.pid
  190. ## PublicSuffixList path
  191. ## default (none)
  192. ##
  193. ## Specifies the path to a file that contains top-level domains (TLDs) that
  194. ## will be used to compute the Organizational Domain for a given domain name,
  195. ## as described in the DMARC specification. If not provided, the filter will
  196. ## not be able to determine the Organizational Domain and only the presented
  197. ## domain will be evaluated.
  198. #
  199. # PublicSuffixList path
  200. ## RecordAllMessages { true | false }
  201. ## default "false"
  202. ##
  203. ## If set and "HistoryFile" is in use, all received messages are recorded
  204. ## to the history file. If not set (the default), only messages for which
  205. ## the From: domain published a DMARC record will be recorded in the
  206. ## history file.
  207. #
  208. # RecordAllMessages false
  209. ## RejectFailures { true | false }
  210. ## default "false"
  211. ##
  212. ## If set, messages will be rejected if they fail the DMARC evaluation, or
  213. ## temp-failed if evaluation could not be completed. By default, no message
  214. ## will be rejected or temp-failed regardless of the outcome of the DMARC
  215. ## evaluation of the message. Instead, an Authentication-Results header
  216. ## field will be added.
  217. #
  218. RejectFailures false
  219. ## ReportCommand string
  220. ## default "/usr/sbin/sendmail -t"
  221. ##
  222. ## Indicates the shell command to which failure reports should be passed for
  223. ## delivery when "FailureReports" is enabled.
  224. #
  225. # ReportCommand /usr/sbin/sendmail -t
  226. ## RequiredHeaders { true | false }
  227. ## default "false"
  228. ##
  229. ## If set, the filter will ensure the header of the message conforms to the
  230. ## basic header field count restrictions laid out in RFC5322, Section 3.6.
  231. ## Messages failing this test are rejected without further processing. A
  232. ## From: field from which no domain name could be extracted will also be
  233. ## rejected.
  234. #
  235. # RequiredHeaders false
  236. ## Socket socketspec
  237. ## default (none)
  238. ##
  239. ## Specifies the socket that should be established by the filter to receive
  240. ## connections from sendmail(8) in order to provide service. socketspec is
  241. ## in one of two forms: local:path, which creates a UNIX domain socket at
  242. ## the specified path, or inet:port[@host] or inet6:port[@host] which creates
  243. ## a TCP socket on the specified port for the appropriate protocol family.
  244. ## If the host is not given as either a hostname or an IP address, the
  245. ## socket will be listening on all interfaces. This option is mandatory
  246. ## either in the configuration file or on the command line. If an IP
  247. ## address is used, it must be enclosed in square brackets.
  248. #
  249. # Socket inet:8893@localhost
  250. ## SoftwareHeader { true | false }
  251. ## default "false"
  252. ##
  253. ## Causes the filter to add a "DMARC-Filter" header field indicating the
  254. ## presence of this filter in the path of the message from injection to
  255. ## delivery. The product's name, version, and the job ID are included in
  256. ## the header field's contents.
  257. #
  258. SoftwareHeader true
  259. ## SPFIgnoreResults { true | false }
  260. ## default "false"
  261. ##
  262. ## Causes the filter to ignore any SPF results in the header of the
  263. ## message. This is useful if you want the filter to perfrom SPF checks
  264. ## itself, or because you don't trust the arriving header.
  265. #
  266. # SPFIgnoreResults false
  267. ## SPFSelfValidate { true | false }
  268. ## default false
  269. ##
  270. ## Enable internal spf checking with --with-spf
  271. ## To use libspf2 instead: --with-spf --with-spf2-include=path --with-spf2-lib=path
  272. ##
  273. ## Causes the filter to perform a fallback SPF check itself when
  274. ## it can find no SPF results in the message header. If SPFIgnoreResults
  275. ## is also set, it never looks for SPF results in headers and
  276. ## always performs the SPF check itself when this is set.
  277. #
  278. # SPFSelfValidate false
  279. ## Syslog { true | false }
  280. ## default "false"
  281. ##
  282. ## Log via calls to syslog(3) any interesting activity.
  283. #
  284. Syslog true
  285. ## SyslogFacility facility-name
  286. ## default "mail"
  287. ##
  288. ## Log via calls to syslog(3) using the named facility. The facility names
  289. ## are the same as the ones allowed in syslog.conf(5).
  290. #
  291. # SyslogFacility mail
  292. ## TemporaryDirectory path
  293. ## default /var/tmp
  294. ##
  295. ## Specifies the directory in which temporary files should be written.
  296. #
  297. # TemporaryDirectory /var/tmp
  298. ## TrustedAuthservIDs string
  299. ## default HOSTNAME
  300. ##
  301. ## Specifies one or more "authserv-id" values to trust as relaying true
  302. ## upstream DKIM and SPF results. The default is to use the name of
  303. ## the MTA processing the message. To specify a list, separate each entry
  304. ## with a comma. The key word "HOSTNAME" will be replaced by the name of
  305. ## the host running the filter as reported by the gethostname(3) function.
  306. #
  307. TrustedAuthservIDs {{ mail_server_hostname }}
  308. ## UMask mask
  309. ## default (none)
  310. ##
  311. ## Requests a specific permissions mask to be used for file creation. This
  312. ## only really applies to creation of the socket when Socket specifies a
  313. ## UNIX domain socket, and to the HistoryFile and PidFile (if any); temporary
  314. ## files are normally created by the mkstemp(3) function that enforces a
  315. ## specific file mode on creation regardless of the process umask. See
  316. ## umask(2) for more information.
  317. #
  318. UMask 0002
  319. ## UserID user[:group]
  320. ## default (none)
  321. ##
  322. ## Attempts to become the specified userid before starting operations.
  323. ## The process will be assigned all of the groups and primary group ID of
  324. ## the named userid unless an alternate group is specified.
  325. #
  326. UserID opendmarc:opendmarc