sovereign/roles/mailserver/templates/etc_opendmarc.conf.j2

##
## opendmarc.conf -- configuration file for OpenDMARC filter
##
## Copyright (c) 2012-2014, The Trusted Domain Project.  All rights reserved.
##

##  AuthservID (string)
##  	defaults to MTA name
##
##  Sets the "authserv-id" to use when generating the Authentication-Results:
##  header field after verifying a message.  If the string "HOSTNAME" is
##  provided, the name of the host running the filter (as returned by the
##  gethostname(3) function) will be used.  
#
AuthservID {{ mail_server_hostname }}

##  AuthservIDWithJobID { true | false }
##  	default "false"
##
##  If "true", requests that the authserv-id portion of the added
##  Authentication-Results header fields contain the job ID of the message
##  being evaluated.
#
# AuthservIDWithJobID false

##  AutoRestart { true | false }
##  	default "false"
##
##  Automatically re-start on failures. Use with caution; if the filter fails
##  instantly after it starts, this can cause a tight fork(2) loop.
#
# AutoRestart false

##  AutoRestartCount n
##  	default 0
##
##  Sets the maximum automatic restart count.  After this number of automatic
##  restarts, the filter will give up and terminate.  A value of 0 implies no
##  limit.
#
# AutoRestartCount 0

##  AutoRestartRate n/t[u]
##  	default (no limit)
##
##  Sets the maximum automatic restart rate.  If the filter begins restarting
##  faster than the rate defined here, it will give up and terminate.  This
##  is a string of the form n/t[u] where n is an integer limiting the count
##  of restarts in the given interval and t[u] defines the time interval
##  through which the rate is calculated; t is an integer and u defines the
##  units thus represented ("s" or "S" for seconds, the default; "m" or "M"
##  for minutes; "h" or "H" for hours; "d" or "D" for days). For example, a
##  value of "10/1h" limits the restarts to 10 in one hour. There is no
##  default, meaning restart rate is not limited.
#
# AutoRestartRate n/t[u]

##  Background { true | false }
##  	default "true"
##
##  Causes opendmarc to fork and exits immediately, leaving the service
##  running in the background.
#
# Background true

##  BaseDirectory (string)
##  	default (none)
##
##  If set, instructs the filter to change to the specified directory using
##  chdir(2) before doing anything else.  This means any files referenced
##  elsewhere in the configuration file can be specified relative to this
##  directory.  It's also useful for arranging that any crash dumps will be
##  saved to a specific location.
#
# BaseDirectory /var/run/opendmarc

##  ChangeRootDirectory (string)
##  	default (none)
##
##  Requests that the operating system change the effective root directory of
##  the process to the one specified here prior to beginning execution.
##  chroot(2) requires superuser access.  A warning will be generated if
##  UserID is not also set.
# 
# ChangeRootDirectory /var/chroot/opendmarc

##  CopyFailuresTo (string)
##  	default (none)
##
##  Requests addition of the specified email address to the envelope of
##  any message that fails the DMARC evaluation.
#
# CopyFailuresTo postmaster@localhost

##  DNSTimeout (integer)
##  	default 5
## 
##  Sets the DNS timeout in seconds.  A value of 0 causes an infinite wait.
##  (NOT YET IMPLEMENTED)
#
# DNSTimeout 5

##  EnableCoredumps { true | false }
##  	default "false"
##
##  On systems that have such support, make an explicit request to the kernel
##  to dump cores when the filter crashes for some reason.  Some modern UNIX
##  systems suppress core dumps during crashes for security reasons if the
##  user ID has changed during the lifetime of the process.  Currently only
##  supported on Linux.
#
# EnableCoreDumps false

##  FailureReports { true | false }
##  	default "false"
##
##  Enables generation of failure reports when the DMARC test fails and the
##  purported sender of the message has requested such reports.  Reports are
##  formatted per RFC6591.
# 
# FailureReports false

##  FailureReportsBcc (string)
##  	default (none)
##
##  When failure reports are enabled and one is to be generated, always
##  send one to the address(es) specified here.  If a failure report is
##  requested by the domain owner, the address(es) are added in a Bcc: field.
##  If no request is made, they address(es) are used in a To: field.  There
##  is no default.
# 
# FailureReportsBcc postmaster@example.coom

##  FailureReportsOnNone { true | false }
##  	default "false"
##
##  Supplements the "FailureReports" setting by generating reports for
##  domains that advertise "none" policies.  By default, reports are only
##  generated (when enabled) for sending domains advertising a "quarantine"
##  or "reject" policy.
# 
# FailureReportsOnNone false

##  FailureReportsSentBy string
##  	default "USER@HOSTNAME"
##
##  Specifies the email address to use in the From: field of failure
##  reports generated by the filter.  The default is to use the userid of
##  the user running the filter and the local hostname to construct an
##  email address.  "postmaster" is used in place of the userid if a name
##  could not be determined.
# 
# FailureReportsSentBy USER@HOSTNAME

##  HistoryFile path
##  	default (none)
##
##  If set, specifies the location of a text file to which records are written
##  that can be used to generate DMARC aggregate reports.  Records are groups
##  of rows containing information about a single received message, and
##  include all relevant information needed to generate a DMARC aggregate
##  report.  It is expected that this will not be used in its raw form, but
##  rather periodically imported into a relational database from which the
##  aggregate reports can be extracted by a tool such as opendmarc-import(8).
#
HistoryFile /var/run/opendmarc/opendmarc.dat

##  IgnoreAuthenticatedClients { true | false }
##  	default "false"
##
##  If set, causes mail from authenticated clients (i.e., those that used
##  SMTP UATH) to be ignored by the filter.
#
# IgnoreAuthenticatedClients false

##  IgnoreHosts path
##  	default (internal)
##
##  Specifies the path to a file that contains a list of hostnames, IP
##  addresses, and/or CIDR expressions identifying hosts whose SMTP
##  connections are to be ignored by the filter.  If not specified, defaults
##  to "127.0.0.1" only.
#
IgnoreHosts /etc/opendmarc/ignore.hosts

##  IgnoreMailFrom domain[,...]
##  	default (none)
##
##  Gives a list of domain names whose mail (based on the From: domain) is to
##  be ignored by the filter.  The list should be comma-separated.  Matching
##  against this list is case-insensitive.  The default is an empty list,
##  meaning no mail is ignored.
#
# IgnoreMailFrom example.com

##  MilterDebug (integer)
##  	default 0
##
##  Sets the debug level to be requested from the milter library.
#
# MilterDebug 0

##  PidFile path
##  	default (none)
##
##  Specifies the path to a file that should be created at process start
##  containing the process ID.
##
#
PidFile /var/run/opendmarc.pid

##  PublicSuffixList path
##  	default (none)
##
##  Specifies the path to a file that contains top-level domains (TLDs) that
##  will be used to compute the Organizational Domain for a given domain name,
##  as described in the DMARC specification.  If not provided, the filter will
##  not be able to determine the Organizational Domain and only the presented
##  domain will be evaluated.
#
# PublicSuffixList path

##  RecordAllMessages { true | false }
##  	default "false"
##
##  If set and "HistoryFile" is in use, all received messages are recorded
##  to the history file.  If not set (the default), only messages for which
##  the From: domain published a DMARC record will be recorded in the
##  history file.
#
# RecordAllMessages false

##  RejectFailures { true | false }
##  	default "false"
##
##  If set, messages will be rejected if they fail the DMARC evaluation, or
##  temp-failed if evaluation could not be completed.  By default, no message
##  will be rejected or temp-failed regardless of the outcome of the DMARC
##  evaluation of the message.  Instead, an Authentication-Results header
##  field will be added.
#
RejectFailures false

##  ReportCommand string
##  	default "/usr/sbin/sendmail -t"
##
##  Indicates the shell command to which failure reports should be passed for
##  delivery when "FailureReports" is enabled.
#
# ReportCommand /usr/sbin/sendmail -t

##  RequiredHeaders { true | false }
##  	default "false"
##
##  If set, the filter will ensure the header of the message conforms to the
##  basic header field count restrictions laid out in RFC5322, Section 3.6.
##  Messages failing this test are rejected without further processing.  A
##  From: field from which no domain name could be extracted will also be
##  rejected.
#
# RequiredHeaders false

##  Socket socketspec
##  	default (none)
##
##  Specifies the socket that should be established by the filter to receive
##  connections from sendmail(8) in order to provide service.  socketspec is
##  in one of two forms: local:path, which creates a UNIX domain socket at
##  the specified path, or inet:port[@host] or inet6:port[@host] which creates
##  a TCP socket on the specified port for the appropriate protocol family.
##  If the host is not given as either a hostname or an IP address, the
##  socket will be listening on all interfaces.  This option is mandatory
##  either in the configuration file or on the command line.  If an IP
##  address is used, it must be enclosed in square brackets.
#
# Socket inet:8893@localhost

##  SoftwareHeader { true | false }
##  	default "false"
##
##  Causes the filter to add a "DMARC-Filter" header field indicating the
##  presence of this filter in the path of the message from injection to
##  delivery.  The product's name, version, and the job ID are included in
##  the header field's contents.
#
SoftwareHeader true

##  SPFIgnoreResults { true | false }
##	default "false"
##
##  Causes the filter to ignore any SPF results in the header of the
##  message.  This is useful if you want the filter to perfrom SPF checks
##  itself, or because you don't trust the arriving header.
#
# SPFIgnoreResults false

##  SPFSelfValidate { true | false }
##	default false
##
##  Enable internal spf checking with --with-spf
##  To use libspf2 instead:  --with-spf --with-spf2-include=path --with-spf2-lib=path
##
##  Causes the filter to perform a fallback SPF check itself when
##  it can find no SPF results in the message header.  If SPFIgnoreResults
##  is also set, it never looks for SPF results in headers and
##  always performs the SPF check itself when this is set.
#
# SPFSelfValidate false

##  Syslog { true | false }
##  	default "false"
##
##  Log via calls to syslog(3) any interesting activity.
#
Syslog true

##  SyslogFacility facility-name
##  	default "mail"
##
##  Log via calls to syslog(3) using the named facility.  The facility names
##  are the same as the ones allowed in syslog.conf(5).
#
# SyslogFacility mail

##  TemporaryDirectory path
##  	default /var/tmp
##
##  Specifies the directory in which temporary files should be written.
#
# TemporaryDirectory /var/tmp

##  TrustedAuthservIDs string
##  	default HOSTNAME
##
##  Specifies one or more "authserv-id" values to trust as relaying true
##  upstream DKIM and SPF results.  The default is to use the name of
##  the MTA processing the message.  To specify a list, separate each entry
##  with a comma.  The key word "HOSTNAME" will be replaced by the name of
##  the host running the filter as reported by the gethostname(3) function.
#
TrustedAuthservIDs {{ mail_server_hostname }}

##  UMask mask
##  	default (none)
##
##  Requests a specific permissions mask to be used for file creation.  This
##  only really applies to creation of the socket when Socket specifies a
##  UNIX domain socket, and to the HistoryFile and PidFile (if any); temporary
##  files are normally created by the mkstemp(3) function that enforces a
##  specific file mode on creation regardless of the process umask.  See
##  umask(2) for more information.
#
UMask 0002

##  UserID user[:group]
##  	default (none)
##
##  Attempts to become the specified userid before starting operations.
##  The process will be assigned all of the groups and primary group ID of
##  the named userid unless an alternate group is specified.
#
UserID opendmarc:opendmarc