server-configs/opendkim/opendkim.conf

765 lines
22 KiB
Text
Raw Normal View History

##
## opendkim.conf -- configuration file for OpenDKIM filter
##
## Copyright (c) 2010-2015, The Trusted Domain Project. All rights reserved.
##
##
## For settings that refer to a "dataset", see the opendkim(8) man page.
##
## DEPRECATED CONFIGURATION OPTIONS
##
## The following configuration options are no longer valid. They should be
## removed from your existing configuration file to prevent potential issues.
## Failure to do so may result in opendkim being unable to start.
##
## Removed in 2.10.0:
## AddAllSignatureResults
## ADSPAction
## ADSPNoSuchDomain
## BogusPolicy
## DisableADSP
## LDAPSoftStart
## LocalADSP
## NoDiscardableMailTo
## On-PolicyError
## SendADSPReports
## UnprotectedPolicy
## CONFIGURATION OPTIONS
## AllowSHA1Only { yes | no }
## default "no"
##
## By default, the filter will refuse to start if support for SHA256 is
## not available since this violates the strong recommendations of
## RFC6376 Section 3.3, which says:
##
## "Verifiers MUST implement both rsa-sha1 and rsa-sha256. Signers MUST
## implement and SHOULD sign using rsa-sha256."
##
## This forces that violation to be explicitly selected by the administrator.
# AllowSHA1Only no
## AlwaysAddARHeader { yes | no }
## default "no"
##
## Add an "Authentication-Results:" header even to unsigned messages
## from domains with no "signs all" policy. The reported DKIM result
## will be "none" in such cases. Normally unsigned mail from non-strict
## domains does not cause the results header to be added.
# AlwaysAddARHeader no
## AuthservID string
## default (local host name)
##
## Defines the "authserv-id" token to be used when generating
## Authentication-Results headers after message verification.
# AuthservID example.com
## AuthservIDWithJobID
## default "no"
##
## Appends a "/" followed by the MTA's job ID to the "authserv-id" token
## when generating Authentication-Results headers after message verification.
# AuthservIDWithJobId no
## AutoRestart { yes | no }
## default "no"
##
## Indicate whether or not the filter should arrange to restart automatically
## if it crashes.
# AutoRestart No
## AutoRestartCount n
## default 0
##
## Sets the maximum automatic restart count. After this number of
## automatic restarts, the filter will give up and terminate. A value of 0
## implies no limit.
# AutoRestartCount 0
## AutoRestartRate n/t[u]
## default (none)
##
## Sets the maximum automatic restart rate. See the opendkim.conf(5)
## man page for the format of this parameter.
# AutoRestartRate n/tu
## Background { yes | no }
## default "yes"
##
## Indicate whether or not the filter should run in the background.
# Background Yes
## BaseDirectory path
## default (none)
##
## Causes the filter to change to the named directory before beginning
## operation. Thus, cores will be dumped here and configuration files
## are read relative to this location.
# BaseDirectory /var/run/opendkim
## BodyLengthDB dataset
## default (none)
##
## A data set that is checked against envelope recipients to see if a
## body length tag should be included in the generated signature.
## This has security implications; see opendkim.conf(5) for details.
# BodyLengthDB dataset
## Canonicalization hdrcanon[/bodycanon]
## default "simple/simple"
##
## Select canonicalizations to use when signing. If the "bodycanon" is
## omitted, "simple" is used. Valid values for each are "simple" and
## "relaxed".
# Canonicalization simple/simple
Canonicalization relaxed/simple
## ClockDrift n
## default 300
##
## Specify the tolerance range for expired signatures or signatures
## which appear to have timestamps in the future, allowing for clock
## drift.
# ClockDrift 300
## Diagnostics { yes | no }
## default "no"
##
## Specifies whether or not signatures with header diagnostic tags should
## be generated.
# Diagnostics No
## DNSTimeout n
## default 10
##
## Specify the time in seconds to wait for replies from the nameserver when
## requesting keys or signing policies.
# DNSTimeout 10
## Domain dataset
## default (none)
##
## Specify for which domain(s) signing should be done. No default; must
## be specified for signing.
Domain REPLACEME.TLD
## DomainKeysCompat { yes | no }
## default "no"
##
## When enabled, backward compatibility with DomainKeys (RFC4870) key
## records is enabled. Otherwise, such key records are considered to be
## syntactically invalid.
# DomainKeysCompat no
## DontSignMailTo dataset
## default (none)
##
## Gives a list of recipient addresses or address patterns whose mail should
## not be signed.
# DontSignMailTo addr1,addr2,...
## EnableCoredumps { yes | no }
## default "no"
##
## On systems which have support for such, requests that the kernel dump
## core even though the process may change user ID during its execution.
# EnableCoredumps no
## ExemptDomains dataset
## default (none)
##
## A data set of domain names that are checked against the message sender's
## domain. If a match is found, the message is ignored by the filter.
# ExemptDomains domain1,domain2,...
## ExternalIgnoreList filename
##
## Names a file from which a list of externally-trusted hosts is read.
## These are hosts which are allowed to send mail through you for signing.
## Automatically contains 127.0.0.1. See man page for file format.
# ExternalIgnoreList filename
## FixCRLF { yes | no }
##
## Requests that the library convert "naked" CR and LF characters to
## CRLFs during canonicalization. The default is "no".
# FixCRLF no
## IgnoreMalformedMail { yes | no }
## default "no"
##
## Silently passes malformed messages without alteration. This includes
## messages that fail the RequiredHeaders check, if enabled. The default is
## to pass those messages but add an Authentication-Results field indicating
## that they were malformed.
# IgnoreMalformedMail no
## InternalHosts dataset
## default "127.0.0.1"
##
## Names a file from which a list of internal hosts is read. These are
## hosts from which mail should be signed rather than verified.
## Automatically contains 127.0.0.1.
# InternalHosts dataset
## KeepTemporaryFiles { yes | no }
## default "no"
##
## If set, causes temporary files generated during message signing or
## verifying to be left behind for debugging use. Not for normal operation;
## can fill your disks quite fast on busy systems.
# KeepTemporaryFiles no
## KeyFile filename
## default (none)
##
## Specifies the path to the private key to use when signing. Ignored if
## SigningTable and KeyTable are used. No default; must be specified for
## signing if SigningTable/KeyTable are not in use.
KeyFile /etc/opendkim/REPLACEME.private
## KeyTable dataset
## default (none)
##
## Defines a table that will be queried to convert key names to
## sets of data of the form (signing domain, signing selector, private key).
## The private key can either contain a PEM-formatted private key,
## a base64-encoded DER format private key, or a path to a file containing
## one of those.
# KeyTable dataset
## LogWhy { yes | no }
## default "no"
##
## If logging is enabled (see Syslog below), issues very detailed logging
## about the logic behind the filter's decision to either sign a message
## or verify it. The logic behind the decision is non-trivial and can be
## confusing to administrators not familiar with its operation. A
## description of how the decision is made can be found in the OPERATIONS
## section of the opendkim(8) man page. This causes a large increase
## in the amount of log data generated for each message, so it should be
## limited to debugging use and not enabled for general operation.
# LogWhy no
## MacroList macro[=value][,...]
##
## Gives a set of MTA-provided macros which should be checked to see
## if the sender has been determined to be a local user and therefore
## whether or not signing should be done. See opendkim.conf(5) for
## more information.
# MacroList foo=bar,baz=blivit
## MaximumHeaders n
##
## Disallow messages whose header blocks are bigger than "n" bytes.
## Intended to detect and block a denial-of-service attack. The default
## is 65536. A value of 0 disables this test.
# MaximumHeaders n
## MaximumSignaturesToVerify n
## (default 3)
##
## Verify no more than "n" signatures on an arriving message.
## A value of 0 means "no limit".
# MaximumSignaturesToVerify n
## MaximumSignedBytes n
##
## Don't sign more than "n" bytes of the message. The default is to
## sign the entire message. Setting this implies "BodyLengths".
# MaximumSignedBytes n
## MilterDebug n
##
## Request a debug level of "n" from the milter library. The default is 0.
# MilterDebug 0
## Minimum n[% | +]
## default 0
##
## Sets a minimum signing volume; one of the following formats:
## n at least n bytes (or the whole message, whichever is less)
## must be signed
## n% at least n% of the message must be signed
## n+ if a length limit was presented in the signature, no more than
## n bytes may have been added
# Minimum n
## MinimumKeyBits n
## default 1024
##
## Causes the library not to accept signatures matching keys made of fewer
## than the specified number of bits, even if they would otherwise pass
## DKIM signing.
# MinimumKeyBits 1024
## Mode [sv]
## default sv
##
## Indicates which mode(s) of operation should be provided. "s" means
## "sign", "v" means "verify".
# Mode sv
## MTA dataset
## default (none)
##
## Specifies a list of MTAs whos mail should always be signed rather than
## verified. The "mtaname" is extracted from the DaemonPortOptions line
## in effect.
# MTA name
## MultipleSignatures { yes | no }
## default no
##
## Allows multiple signatures to be added. If set to "true" and a SigningTable
## is in use, all SigningTable entries that match the candidate message will
## cause a signature to be added. Otherwise, only the first matching
## SigningTable entry will be added, or only the key defined by Domain,
## Selector and KeyFile will be added.
# MultipleSignatures no
## MustBeSigned dataset
## default (none)
##
## Defines a list of headers which, if present on a message, must be
## signed for the signature to be considered acceptable.
# MustBeSigned header1,header2,...
## Nameservers addr1[,addr2[,...]]
## default (none)
##
## Provides a comma-separated list of IP addresses that are to be used when
## doing DNS queries to retrieve DKIM keys, VBR records, etc.
## These override any local defaults built in to the resolver in use, which
## may be defined in /etc/resolv.conf or hard-coded into the software.
# Nameservers addr1,addr2,...
## NoHeaderB { yes | no }
## default "no"
##
## Suppresses addition of "header.b" tags on Authentication-Results
## header fields.
# NoHeaderB no
## OmitHeaders dataset
## default (none)
##
## Specifies a list of headers that should always be omitted when signing.
## Header names should be separated by commas.
# OmitHeaders header1,header2,...
## On-...
##
## Specifies what to do when certain error conditions are encountered.
##
## See opendkim.conf(5) for more information.
# On-Default
# On-BadSignature
# On-DNSError
# On-InternalError
# On-NoSignature
# On-Security
# On-SignatureError
## OversignHeaders dataset
## default (none)
##
## Specifies a set of header fields that should be included in all signature
## header lists (the "h=" tag) once more than the number of times they were
## actually present in the signed message. See opendkim.conf(5) for more
## information.
# OverSignHeaders header1,header2,...
## PeerList dataset
## default (none)
##
## Contains a list of IP addresses, CIDR blocks, hostnames or domain names
## whose mail should be neither signed nor verified by this filter. See man
## page for file format.
# PeerList filename
## PidFile filename
## default (none)
##
## Name of the file where the filter should write its pid before beginning
## normal operations.
# PidFile filename
## POPDBFile dataset
## default (none)
##
## Names a database which should be checked for "POP before SMTP" records
## as a form of authentication of users who may be sending mail through
## the MTA for signing. Requires special compilation of the filter.
## See opendkim.conf(5) for more information.
# POPDBFile filename
## Quarantine { yes | no }
## default "no"
##
## Indicates whether or not the filter should arrange to quarantine mail
## which fails verification. Intended for diagnostic use only.
# Quarantine No
## QueryCache { yes | no }
## default "no"
##
## Instructs the DKIM library to maintain its own local cache of keys and
## policies retrieved from DNS, rather than relying on the nameserver for
## caching service. Useful if the nameserver being used by the filter is
## not local. The filter must be compiled with the QUERY_CACHE flag to enable
## this feature, since it adds a library dependency.
# QueryCache No
## RedirectFailuresTo address
## default (none)
##
## Redirects signed messages to the specified address if none of the
## signatures present failed to verify.
# RedirectFailuresTo postmaster@example.com
## RemoveARAll { yes | no }
## default "no"
##
## Remove all Authentication-Results: headers on all arriving mail.
# RemoveARAll No
## RemoveARFrom dataset
## default (none)
##
## Remove all Authentication-Results: headers on all arriving mail that
## claim to have been added by hosts listed in this parameter. The list
## should be comma-separated. Entire domains may be specified by preceding
## the dopmain name by a single dot (".") character.
# RemoveARFrom host1,host2,.domain1,.domain2,...
## RemoveOldSignatures { yes | no }
## default "no"
##
## Remove old signatures on messages, if any, when generating a signature.
# RemoveOldSignatures No
## ReportAddress addr
## default (executing user)@(hostname)
##
## Specifies the sending address to be used on From: headers of outgoing
## failure reports. By default, the e-mail address of the user executing
## the filter is used.
# ReportAddress "DKIM Error Postmaster" <postmaster@example.com>
## ReportBccAddress addr
## default (none)
##
## Specifies additional recipient address(es) to receive outgoing failure
## reports.
# ReportBccAddress postmaster@example.com, john@example.com
## RequiredHeaders { yes | no }
## default no
##
## Rejects messages which don't conform to RFC5322 header count requirements.
# RequiredHeaders No
## RequireSafeKeys { yes | no }
## default yes
##
## Refuses to use key files that appear to have unsafe permissions.
# RequireSafeKeys Yes
## ResignAll { yes | no }
## default no
##
## Where ResignMailTo triggers a re-signing action, this flag indicates
## whether or not all mail should be signed (if set) versus only verified
## mail being signed (if not set).
# ResignAll No
## ResignMailTo dataset
## default (none)
##
## Checks each message recipient against the specified dataset for a
## matching record. The full address is checked in each case, then the
## hostname, then each domain preceded by ".". If there is a match, the
## value returned is presumed to be the name of a key in the KeyTable
## (if defined) to be used to re-sign the message in addition to
## verifying it. If there is a match without a KeyTable, the default key
## is applied.
# ResignMailTo dataset
## ResolverConfiguration string
##
## Passes arbitrary configuration data to the resolver. For the stock UNIX
## resolver, this is ignored; for Unbound, it names a resolv.conf(5)-style
## file that should be read for configuration information.
# ResolverConfiguration string
## ResolverTracing { yes | no }
##
## Requests enabling of resolver trace features, if available. The effect
## of setting this flag depends on how trace features, if any, are implemented
## in the resolver in use. Currently only effective when used with the
## OpenDKIM asynchronous resolver.
# ResolverTracing no
## Selector name
##
## The name of the selector to use when signing. No default; must be
## specified for signing.
Selector REPLACEME
## SenderHeaders dataset
## default (none)
##
## Overrides the default list of headers that will be used to determine
## the sending domain when deciding whether to sign the message and with
## with which key(s). See opendkim.conf(5) for details.
# SenderHeaders From
## SendReports { yes | no }
## default "no"
##
## Specifies whether or not the filter should generate report mail back
## to senders when verification fails and an address for such a purpose
## is provided. See opendkim.conf(5) for details.
# SendReports No
## SignatureAlgorithm signalg
## default "rsa-sha256"
##
## Signature algorithm to use when generating signatures. Must be either
## "rsa-sha1" or "rsa-sha256".
# SignatureAlgorithm rsa-sha256
## SignatureTTL seconds
## default "0"
##
## Specifies the lifetime in seconds of signatures generated by the
## filter. A value of 0 means no expiration time is included in the
## signature.
# SignatureTTL 0
## SignHeaders dataset
## default (none)
##
## Specifies the list of headers which should be included when generating
## signatures. The string should be a comma-separated list of header names.
## See the opendkim.conf(5) man page for more information.
# SignHeaders header1,header2,...
## SigningTable dataset
## default (none)
##
## Defines a dataset that will be queried for the message sender's address
## to determine which private key(s) (if any) should be used to sign the
## message. The sender is determined from the value of the sender
## header fields as described with SenderHeaders above. The key for this
## lookup should be an address or address pattern that matches senders;
## see the opendkim.conf(5) man page for more information. The value
## of the lookup should return the name of a key found in the KeyTable
## that should be used to sign the message. If MultipleSignatures
## is set, all possible lookup keys will be attempted which may result
## in multiple signatures being applied.
# SigningTable filename
## SingleAuthResult { yes | no}
## default "no"
##
## When DomainKeys verification is enabled, multiple Authentication-Results
## will be added, one for DK and one for DKIM. With this enabled, only
## a DKIM result will be reported unless DKIM failed but DK passed, in which
## case only a DK result will be reported.
# SingleAuthResult no
## SMTPURI uri
##
## Specifies a URI (e.g., "smtp://localhost") to which mail should be sent
## via SMTP when notifications are generated.
# Socket smtp://localhost
## Socket socketspec
##
## Names the socket where this filter should listen for milter connections
## from the MTA. Required. Should be in one of these forms:
##
## inet:port@address to listen on a specific interface
## inet:port to listen on all interfaces
## local:/path/to/socket to listen on a UNIX domain socket
Socket inet:8891@localhost
## SoftwareHeader { yes | no }
## default "no"
##
## Add a DKIM-Filter header field to messages passing through this filter
## to identify messages it has processed.
# SoftwareHeader no
## StrictHeaders { yes | no }
## default "no"
##
## Requests that the DKIM library refuse to process a message whose
## header fields do not conform to the standards, in particular Section 3.6
## of RFC5322.
# StrictHeaders no
## StrictTestMode { yes | no }
## default "no"
##
## Selects strict CRLF mode during testing (see the "-t" command line
## flag in the opendkim(8) man page). Messages for which all header
## fields and body lines are not CRLF-terminated are considered malformed
## and will produce an error.
# StrictTestMode no
## SubDomains { yes | no }
## default "no"
##
## Sign for subdomains as well?
# SubDomains No
## Syslog { yes | no }
## default "yes"
##
## Log informational and error activity to syslog?
Syslog Yes
## SyslogFacility facility
## default "mail"
##
## Valid values are :
## auth cron daemon kern lpr mail news security syslog user uucp
## local0 local1 local2 local3 local4 local5 local6 local7
##
## syslog facility to be used
# SyslogFacility mail
## SyslogSuccess { yes | no }
## default "no"
##
## Log success activity to syslog?
# SyslogSuccess No
## TemporaryDirectory path
## default /tmp
##
## Specifies which directory will be used for creating temporary files
## during message processing.
# TemporaryDirectory /tmp
## TestPublicKeys filename
## default (none)
##
## Names a file from which public keys should be read. Intended for use
## only during automated testing.
# TestPublicKeys /tmp/testkeys
## TrustAnchorFile filename
## default (none)
##
## Specifies a file from which trust anchor data should be read when doing
## DNS queries and applying the DNSSEC protocol. See the Unbound documentation
## at http://unbound.net for the expected format of this file.
# TrustAnchorFile /var/named/trustanchor
## UMask mask
## default (none)
##
## Change the process umask for file creation to the specified value.
## The system has its own default which will be used (usually 022).
## See the umask(2) man page for more information.
# UMask 022
# UnboundConfigFile /var/named/unbound.conf
## Userid userid
## default (none)
##
## Change to user "userid" before starting normal operation? May include
## a group ID as well, separated from the userid by a colon.
UserID opendkim