Update the mail server config to include the missing pieces to avoid getting detected as spam
This commit is contained in:
parent
2376a0fec9
commit
c9e6a83bdb
2 changed files with 790 additions and 12 deletions
38
README.md
@ -1,6 +1,10 @@
|
|||
# Base Config
|
||||
|
||||
Note: The Mail Server requires SSL certificates
|
||||
## Notes:
|
||||
|
||||
1. The Mail Server requires SSL certificates
|
||||
2. Occurances of `REPLACEME.TLD` without comments stating otherwise should have the FQDN substituted for it
|
||||
3. Occurances of `REPLACEME` without comments stating otherwise should have the FQDN without the TLD substituted for it
|
||||
|
||||
## Swap File
|
||||
|
||||
|
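Review bot: notes 2 and 3 misspell "Occurrences" as "Occurances" (both lines), and note 3's "the FQDN without the TLD" is ambiguous for multi-label names (does `mail.example.com` yield `example` or `mail.example`?). Since the same `REPLACEME` value is used later in this README as the DKIM selector and key file name, state it precisely, e.g. "the first label of the domain, such as `example` for `example.com`".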
@ -21,10 +25,10 @@ nginx, php, systemd
|
|||
|
||||
1. Install the packages in the `Package Requirements` above
|
||||
2. Copy the folders above that aren't already configured to their equivalent location in `/etc`
|
||||
3. In `/etc/nginx/sites-available/REPLACEME.TLD.conf` and `/etc/systemd/system/letsencrypt.service`, replace instances of `REPLACEME.TLD` with the FQDN
|
||||
4. Rename `/etc/nginx/sites-available/REPLACEME.TLD.conf` so that `REPLACEME.TLD` is replaced with the FQDN
|
||||
5. Add your site files to `/srv/http/REPLACEME.TLD` where public assets are located in `/srv/http/REPLACEME.TLD/public` (replacing `REPLACEME.TLD` with the FQDN)
|
||||
6. Create a symlink from `/etc/nginx/sites-available/REPLACEME.tld.conf` to `/etc/nginx/sites-enabled/REPLACEME.tld.conf` (replacing `REPLACEME.TLD` with the FQDN)
|
||||
3. In `/etc/nginx/sites-available/REPLACEME.TLD.conf` and `/etc/systemd/system/letsencrypt.service`
|
||||
4. Rename `/etc/nginx/sites-available/REPLACEME.TLD.conf`
|
||||
5. Add your site files to `/srv/http/REPLACEME.TLD` where public assets are located in `/srv/http/REPLACEME.TLD/public`
|
||||
6. Create a symlink from `/etc/nginx/sites-available/REPLACEME.tld.conf` to `/etc/nginx/sites-enabled/REPLACEME.tld.conf`
|
||||
7. Run `openssl dhparam -out /etc/nginx/dhparam.pem 4096` to generate the diffie-hellman parameter
|
||||
8. Run `systemctl start php-fpm nginx` to start the web services and `systemctl status php-fpm` and `systemctl status nginx` to check for errors
|
||||
9. If there were no errors in the previous command, run `systemctl enable php-fpm nginx` to enable the web services at boot
|
||||
|
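Review bot: steps 3 and 4 lost their verbs in the rewrite: "In `/etc/nginx/sites-available/REPLACEME.TLD.conf` and `/etc/systemd/system/letsencrypt.service`" no longer says what to do in those files, and "Rename `/etc/nginx/sites-available/REPLACEME.TLD.conf`" no longer says what to rename it to. If the intent is to rely on the new notes at the top of the README, drop steps 3 and 4 entirely; otherwise keep "replace instances of `REPLACEME.TLD` with the FQDN" in step 3 and "so that `REPLACEME.TLD` is replaced with the FQDN" in step 4. Step 6 also still writes `REPLACEME.tld` (lowercase) while the notes define the placeholder as `REPLACEME.TLD`, so a case-sensitive search-and-replace that follows the notes will miss it.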
@ -44,21 +48,31 @@ nginx, php, systemd
|
|||
|
||||
### Package Requirements for Mail Server
|
||||
|
||||
dovecot, postfix, procmail
|
||||
dovecot, postfix, procmail, opendkim
|
||||
|
||||
### Folders for Mail Server
|
||||
|
||||
dovecot, pam.d, postfix, procmailrc, skel, systemd
|
||||
dovecot, pam.d, postfix, procmailrc, skel, systemd, opendkim
|
||||
|
||||
### Setup Instructions for Mail Server
|
||||
|
||||
1. Install the packages in the `Package Requirements` above
|
||||
2. Copy the folders above that aren't already configured to their equivalent location in `/etc`
|
||||
3. In `/etc/dovecot/dovecot.conf` and `/etc/postfix/main.cf`, replace instances of `REPLACEME.TLD` with the FQDN
|
||||
4. In `/etc/postfix/aliases`, replace the instance of `REPLACEME` with the user that should receive domain-level emails
|
||||
5. Run `newaliases` to update the aliases database with the contents of `/etc/postfix/aliases`
|
||||
6. Run `systemctl start postfix dovecot` to start the mail services and `systemctl status postfix` and `systemctl status dovecot` to check for errors
|
||||
7. If there were no errors in the previous command, run `systemctl enable postfix dovecot` to enable the mail services at boot
|
||||
3. Add a DNS entry with a hostname for the server that isn't the FQDN mail will be sent to and the FQDN
|
||||
4. Set the hostname of the server with `hostnamectl set-hostname SOMETHING.REPLACEME.TLD` where `SOMETHING.REPLACEME.TLD` is the server hostname
|
||||
5. Add the hostname of the server to the end of the line starting with `127.0.0.1` in `/etc/hosts`
|
||||
6. In `/etc/dovecot/dovecot.conf` and `/etc/opendkim/opendkim.conf` replace occurances of `REPLACEME` and `REPLACEME.TLD`
|
||||
7. In `/etc/postfix/main.cf` replace occurances of `REPLACEME.TLD` with the hostname (not the name)
|
||||
8. Run `opendkim-genkey -r -s REPLACEME -d REPLACEME.TLD`
|
||||
9. In `/etc/postfix/aliases`, replace the instance of `REPLACEME` with the user that should receive domain-level emails
|
||||
10. Run `newaliases` to update the aliases database with the contents of `/etc/postfix/aliases`
|
||||
11. Run `systemctl start postfix dovecot opendkim` to start the mail services and `systemctl status postfix dovecot opendkim` to check for errors
|
||||
12. If there were no errors in the previous command, run `systemctl enable postfix dovecot opendkim` to enable the mail services at boot
|
||||
13. Create an MX DNS record for `REPLACEME.TLD` containing the hostname
|
||||
14. Create a TXT DNS record for the host `REPLACEME._domainkey.REPLACEME.TLD` containing `v=DKIM1; k=rsa; s=email; p=PASSWORD`, replacing the occurance of `PASSWORD` with the string following `p=` in `/etc/opendkim/REPLACEME.txt`
|
||||
15. Create a TXT DNS record for the host `REPLACEME.TLD` containing `v=spf1 mx -all`
|
||||
16. Create a TXT DNS record for the host `_dmarc.REPLACEME.TLD` containing `v=DMARC1; p=none`
|
||||
17. Set the reverse DNS record for the VPS to the hostname
|
||||
|
||||
### Add Accounts
|
||||
|
||||
|
|
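Review bot: step 8 runs `opendkim-genkey -r -s REPLACEME -d REPLACEME.TLD` without saying where, but the `opendkim.conf` added in this commit reads `/etc/opendkim/REPLACEME.private` as `UserID opendkim` with `RequireSafeKeys` left at its default of yes, so the step should run in `/etc/opendkim` (or pass `-D /etc/opendkim`) and then chown the `.private` file to `opendkim` with mode 600, otherwise the filter refuses to start with a key-permission error. Related gaps: nothing in this commit (only README.md and opendkim.conf changed) wires Postfix to the milter on `inet:8891@localhost`, so either `/etc/postfix/main.cf` in the repo already carries `smtpd_milters`/`non_smtpd_milters` or a step is missing; step 3 is hard to parse ("a hostname for the server that isn't the FQDN mail will be sent to and the FQDN"), suggest "Create A records for the server hostname `SOMETHING.REPLACEME.TLD` (which must differ from `REPLACEME.TLD`) and for `REPLACEME.TLD` itself"; step 7's "(not the name)" should read "(the server hostname, not the domain)"; step 14 calls the public key `PASSWORD`, which invites treating a public value as a secret, so name it `PUBLICKEY` and mention that `REPLACEME.txt` may split the `p=` value across several quoted strings that must be joined; step 16's `p=none` is monitoring-only, so add `rua=mailto:...` or no reports will ever arrive; and "occurances" in steps 6, 7 and 14 should be "occurrences".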
764
opendkim/opendkim.conf
Normal file
@ -0,0 +1,764 @@
|
|||
##
|
||||
## opendkim.conf -- configuration file for OpenDKIM filter
|
||||
##
|
||||
## Copyright (c) 2010-2015, The Trusted Domain Project. All rights reserved.
|
||||
##
|
||||
|
||||
##
|
||||
## For settings that refer to a "dataset", see the opendkim(8) man page.
|
||||
##
|
||||
|
||||
## DEPRECATED CONFIGURATION OPTIONS
|
||||
##
|
||||
## The following configuration options are no longer valid. They should be
|
||||
## removed from your existing configuration file to prevent potential issues.
|
||||
## Failure to do so may result in opendkim being unable to start.
|
||||
##
|
||||
## Removed in 2.10.0:
|
||||
## AddAllSignatureResults
|
||||
## ADSPAction
|
||||
## ADSPNoSuchDomain
|
||||
## BogusPolicy
|
||||
## DisableADSP
|
||||
## LDAPSoftStart
|
||||
## LocalADSP
|
||||
## NoDiscardableMailTo
|
||||
## On-PolicyError
|
||||
## SendADSPReports
|
||||
## UnprotectedPolicy
|
||||
|
||||
## CONFIGURATION OPTIONS
|
||||
|
||||
## AllowSHA1Only { yes | no }
|
||||
## default "no"
|
||||
##
|
||||
## By default, the filter will refuse to start if support for SHA256 is
|
||||
## not available since this violates the strong recommendations of
|
||||
## RFC6376 Section 3.3, which says:
|
||||
##
|
||||
## "Verifiers MUST implement both rsa-sha1 and rsa-sha256. Signers MUST
|
||||
## implement and SHOULD sign using rsa-sha256."
|
||||
##
|
||||
## This forces that violation to be explicitly selected by the administrator.
|
||||
|
||||
# AllowSHA1Only no
|
||||
|
||||
## AlwaysAddARHeader { yes | no }
|
||||
## default "no"
|
||||
##
|
||||
## Add an "Authentication-Results:" header even to unsigned messages
|
||||
## from domains with no "signs all" policy. The reported DKIM result
|
||||
## will be "none" in such cases. Normally unsigned mail from non-strict
|
||||
## domains does not cause the results header to be added.
|
||||
|
||||
# AlwaysAddARHeader no
|
||||
|
||||
## AuthservID string
|
||||
## default (local host name)
|
||||
##
|
||||
## Defines the "authserv-id" token to be used when generating
|
||||
## Authentication-Results headers after message verification.
|
||||
|
||||
# AuthservID example.com
|
||||
|
||||
## AuthservIDWithJobID
|
||||
## default "no"
|
||||
##
|
||||
## Appends a "/" followed by the MTA's job ID to the "authserv-id" token
|
||||
## when generating Authentication-Results headers after message verification.
|
||||
|
||||
# AuthservIDWithJobId no
|
||||
|
||||
## AutoRestart { yes | no }
|
||||
## default "no"
|
||||
##
|
||||
## Indicate whether or not the filter should arrange to restart automatically
|
||||
## if it crashes.
|
||||
|
||||
# AutoRestart No
|
||||
|
||||
## AutoRestartCount n
|
||||
## default 0
|
||||
##
|
||||
## Sets the maximum automatic restart count. After this number of
|
||||
## automatic restarts, the filter will give up and terminate. A value of 0
|
||||
## implies no limit.
|
||||
|
||||
# AutoRestartCount 0
|
||||
|
||||
## AutoRestartRate n/t[u]
|
||||
## default (none)
|
||||
##
|
||||
## Sets the maximum automatic restart rate. See the opendkim.conf(5)
|
||||
## man page for the format of this parameter.
|
||||
|
||||
# AutoRestartRate n/tu
|
||||
|
||||
## Background { yes | no }
|
||||
## default "yes"
|
||||
##
|
||||
## Indicate whether or not the filter should run in the background.
|
||||
|
||||
# Background Yes
|
||||
|
||||
## BaseDirectory path
|
||||
## default (none)
|
||||
##
|
||||
## Causes the filter to change to the named directory before beginning
|
||||
## operation. Thus, cores will be dumped here and configuration files
|
||||
## are read relative to this location.
|
||||
|
||||
# BaseDirectory /var/run/opendkim
|
||||
|
||||
## BodyLengthDB dataset
|
||||
## default (none)
|
||||
##
|
||||
## A data set that is checked against envelope recipients to see if a
|
||||
## body length tag should be included in the generated signature.
|
||||
## This has security implications; see opendkim.conf(5) for details.
|
||||
|
||||
# BodyLengthDB dataset
|
||||
|
||||
## Canonicalization hdrcanon[/bodycanon]
|
||||
## default "simple/simple"
|
||||
##
|
||||
## Select canonicalizations to use when signing. If the "bodycanon" is
|
||||
## omitted, "simple" is used. Valid values for each are "simple" and
|
||||
## "relaxed".
|
||||
|
||||
# Canonicalization simple/simple
|
||||
Canonicalization relaxed/simple
|
||||
|
||||
## ClockDrift n
|
||||
## default 300
|
||||
##
|
||||
## Specify the tolerance range for expired signatures or signatures
|
||||
## which appear to have timestamps in the future, allowing for clock
|
||||
## drift.
|
||||
|
||||
# ClockDrift 300
|
||||
|
||||
## Diagnostics { yes | no }
|
||||
## default "no"
|
||||
##
|
||||
## Specifies whether or not signatures with header diagnostic tags should
|
||||
## be generated.
|
||||
|
||||
# Diagnostics No
|
||||
|
||||
## DNSTimeout n
|
||||
## default 10
|
||||
##
|
||||
## Specify the time in seconds to wait for replies from the nameserver when
|
||||
## requesting keys or signing policies.
|
||||
|
||||
# DNSTimeout 10
|
||||
|
||||
## Domain dataset
|
||||
## default (none)
|
||||
##
|
||||
## Specify for which domain(s) signing should be done. No default; must
|
||||
## be specified for signing.
|
||||
|
||||
Domain REPLACEME.TLD
|
||||
|
||||
## DomainKeysCompat { yes | no }
|
||||
## default "no"
|
||||
##
|
||||
## When enabled, backward compatibility with DomainKeys (RFC4870) key
|
||||
## records is enabled. Otherwise, such key records are considered to be
|
||||
## syntactically invalid.
|
||||
|
||||
# DomainKeysCompat no
|
||||
|
||||
## DontSignMailTo dataset
|
||||
## default (none)
|
||||
##
|
||||
## Gives a list of recipient addresses or address patterns whose mail should
|
||||
## not be signed.
|
||||
|
||||
# DontSignMailTo addr1,addr2,...
|
||||
|
||||
## EnableCoredumps { yes | no }
|
||||
## default "no"
|
||||
##
|
||||
## On systems which have support for such, requests that the kernel dump
|
||||
## core even though the process may change user ID during its execution.
|
||||
|
||||
# EnableCoredumps no
|
||||
|
||||
## ExemptDomains dataset
|
||||
## default (none)
|
||||
##
|
||||
## A data set of domain names that are checked against the message sender's
|
||||
## domain. If a match is found, the message is ignored by the filter.
|
||||
|
||||
# ExemptDomains domain1,domain2,...
|
||||
|
||||
## ExternalIgnoreList filename
|
||||
##
|
||||
## Names a file from which a list of externally-trusted hosts is read.
|
||||
## These are hosts which are allowed to send mail through you for signing.
|
||||
## Automatically contains 127.0.0.1. See man page for file format.
|
||||
|
||||
# ExternalIgnoreList filename
|
||||
|
||||
## FixCRLF { yes | no }
|
||||
##
|
||||
## Requests that the library convert "naked" CR and LF characters to
|
||||
## CRLFs during canonicalization. The default is "no".
|
||||
|
||||
# FixCRLF no
|
||||
|
||||
## IgnoreMalformedMail { yes | no }
|
||||
## default "no"
|
||||
##
|
||||
## Silently passes malformed messages without alteration. This includes
|
||||
## messages that fail the RequiredHeaders check, if enabled. The default is
|
||||
## to pass those messages but add an Authentication-Results field indicating
|
||||
## that they were malformed.
|
||||
|
||||
# IgnoreMalformedMail no
|
||||
|
||||
## InternalHosts dataset
|
||||
## default "127.0.0.1"
|
||||
##
|
||||
## Names a file from which a list of internal hosts is read. These are
|
||||
## hosts from which mail should be signed rather than verified.
|
||||
## Automatically contains 127.0.0.1.
|
||||
|
||||
# InternalHosts dataset
|
||||
|
||||
## KeepTemporaryFiles { yes | no }
|
||||
## default "no"
|
||||
##
|
||||
## If set, causes temporary files generated during message signing or
|
||||
## verifying to be left behind for debugging use. Not for normal operation;
|
||||
## can fill your disks quite fast on busy systems.
|
||||
|
||||
# KeepTemporaryFiles no
|
||||
|
||||
## KeyFile filename
|
||||
## default (none)
|
||||
##
|
||||
## Specifies the path to the private key to use when signing. Ignored if
|
||||
## SigningTable and KeyTable are used. No default; must be specified for
|
||||
## signing if SigningTable/KeyTable are not in use.
|
||||
|
||||
KeyFile /etc/opendkim/REPLACEME.private
|
||||
|
||||
## KeyTable dataset
|
||||
## default (none)
|
||||
##
|
||||
## Defines a table that will be queried to convert key names to
|
||||
## sets of data of the form (signing domain, signing selector, private key).
|
||||
## The private key can either contain a PEM-formatted private key,
|
||||
## a base64-encoded DER format private key, or a path to a file containing
|
||||
## one of those.
|
||||
|
||||
# KeyTable dataset
|
||||
|
||||
## LogWhy { yes | no }
|
||||
## default "no"
|
||||
##
|
||||
## If logging is enabled (see Syslog below), issues very detailed logging
|
||||
## about the logic behind the filter's decision to either sign a message
|
||||
## or verify it. The logic behind the decision is non-trivial and can be
|
||||
## confusing to administrators not familiar with its operation. A
|
||||
## description of how the decision is made can be found in the OPERATIONS
|
||||
## section of the opendkim(8) man page. This causes a large increase
|
||||
## in the amount of log data generated for each message, so it should be
|
||||
## limited to debugging use and not enabled for general operation.
|
||||
|
||||
# LogWhy no
|
||||
|
||||
## MacroList macro[=value][,...]
|
||||
##
|
||||
## Gives a set of MTA-provided macros which should be checked to see
|
||||
## if the sender has been determined to be a local user and therefore
|
||||
## whether or not signing should be done. See opendkim.conf(5) for
|
||||
## more information.
|
||||
|
||||
# MacroList foo=bar,baz=blivit
|
||||
|
||||
## MaximumHeaders n
|
||||
##
|
||||
## Disallow messages whose header blocks are bigger than "n" bytes.
|
||||
## Intended to detect and block a denial-of-service attack. The default
|
||||
## is 65536. A value of 0 disables this test.
|
||||
|
||||
# MaximumHeaders n
|
||||
|
||||
## MaximumSignaturesToVerify n
|
||||
## (default 3)
|
||||
##
|
||||
## Verify no more than "n" signatures on an arriving message.
|
||||
## A value of 0 means "no limit".
|
||||
|
||||
# MaximumSignaturesToVerify n
|
||||
|
||||
## MaximumSignedBytes n
|
||||
##
|
||||
## Don't sign more than "n" bytes of the message. The default is to
|
||||
## sign the entire message. Setting this implies "BodyLengths".
|
||||
|
||||
# MaximumSignedBytes n
|
||||
|
||||
## MilterDebug n
|
||||
##
|
||||
## Request a debug level of "n" from the milter library. The default is 0.
|
||||
|
||||
# MilterDebug 0
|
||||
|
||||
## Minimum n[% | +]
|
||||
## default 0
|
||||
##
|
||||
## Sets a minimum signing volume; one of the following formats:
|
||||
## n at least n bytes (or the whole message, whichever is less)
|
||||
## must be signed
|
||||
## n% at least n% of the message must be signed
|
||||
## n+ if a length limit was presented in the signature, no more than
|
||||
## n bytes may have been added
|
||||
|
||||
# Minimum n
|
||||
|
||||
## MinimumKeyBits n
|
||||
## default 1024
|
||||
##
|
||||
## Causes the library not to accept signatures matching keys made of fewer
|
||||
## than the specified number of bits, even if they would otherwise pass
|
||||
## DKIM signing.
|
||||
|
||||
# MinimumKeyBits 1024
|
||||
|
||||
## Mode [sv]
|
||||
## default sv
|
||||
##
|
||||
## Indicates which mode(s) of operation should be provided. "s" means
|
||||
## "sign", "v" means "verify".
|
||||
|
||||
# Mode sv
|
||||
|
||||
## MTA dataset
|
||||
## default (none)
|
||||
##
|
||||
## Specifies a list of MTAs whos mail should always be signed rather than
|
||||
## verified. The "mtaname" is extracted from the DaemonPortOptions line
|
||||
## in effect.
|
||||
|
||||
# MTA name
|
||||
|
||||
## MultipleSignatures { yes | no }
|
||||
## default no
|
||||
##
|
||||
## Allows multiple signatures to be added. If set to "true" and a SigningTable
|
||||
## is in use, all SigningTable entries that match the candidate message will
|
||||
## cause a signature to be added. Otherwise, only the first matching
|
||||
## SigningTable entry will be added, or only the key defined by Domain,
|
||||
## Selector and KeyFile will be added.
|
||||
|
||||
# MultipleSignatures no
|
||||
|
||||
## MustBeSigned dataset
|
||||
## default (none)
|
||||
##
|
||||
## Defines a list of headers which, if present on a message, must be
|
||||
## signed for the signature to be considered acceptable.
|
||||
|
||||
# MustBeSigned header1,header2,...
|
||||
|
||||
## Nameservers addr1[,addr2[,...]]
|
||||
## default (none)
|
||||
##
|
||||
## Provides a comma-separated list of IP addresses that are to be used when
|
||||
## doing DNS queries to retrieve DKIM keys, VBR records, etc.
|
||||
## These override any local defaults built in to the resolver in use, which
|
||||
## may be defined in /etc/resolv.conf or hard-coded into the software.
|
||||
|
||||
# Nameservers addr1,addr2,...
|
||||
|
||||
## NoHeaderB { yes | no }
|
||||
## default "no"
|
||||
##
|
||||
## Suppresses addition of "header.b" tags on Authentication-Results
|
||||
## header fields.
|
||||
|
||||
# NoHeaderB no
|
||||
|
||||
## OmitHeaders dataset
|
||||
## default (none)
|
||||
##
|
||||
## Specifies a list of headers that should always be omitted when signing.
|
||||
## Header names should be separated by commas.
|
||||
|
||||
# OmitHeaders header1,header2,...
|
||||
|
||||
## On-...
|
||||
##
|
||||
## Specifies what to do when certain error conditions are encountered.
|
||||
##
|
||||
## See opendkim.conf(5) for more information.
|
||||
|
||||
# On-Default
|
||||
# On-BadSignature
|
||||
# On-DNSError
|
||||
# On-InternalError
|
||||
# On-NoSignature
|
||||
# On-Security
|
||||
# On-SignatureError
|
||||
|
||||
## OversignHeaders dataset
|
||||
## default (none)
|
||||
##
|
||||
## Specifies a set of header fields that should be included in all signature
|
||||
## header lists (the "h=" tag) once more than the number of times they were
|
||||
## actually present in the signed message. See opendkim.conf(5) for more
|
||||
## information.
|
||||
|
||||
# OverSignHeaders header1,header2,...
|
||||
|
||||
## PeerList dataset
|
||||
## default (none)
|
||||
##
|
||||
## Contains a list of IP addresses, CIDR blocks, hostnames or domain names
|
||||
## whose mail should be neither signed nor verified by this filter. See man
|
||||
## page for file format.
|
||||
|
||||
# PeerList filename
|
||||
|
||||
## PidFile filename
|
||||
## default (none)
|
||||
##
|
||||
## Name of the file where the filter should write its pid before beginning
|
||||
## normal operations.
|
||||
|
||||
# PidFile filename
|
||||
|
||||
## POPDBFile dataset
|
||||
## default (none)
|
||||
##
|
||||
## Names a database which should be checked for "POP before SMTP" records
|
||||
## as a form of authentication of users who may be sending mail through
|
||||
## the MTA for signing. Requires special compilation of the filter.
|
||||
## See opendkim.conf(5) for more information.
|
||||
|
||||
# POPDBFile filename
|
||||
|
||||
## Quarantine { yes | no }
|
||||
## default "no"
|
||||
##
|
||||
## Indicates whether or not the filter should arrange to quarantine mail
|
||||
## which fails verification. Intended for diagnostic use only.
|
||||
|
||||
# Quarantine No
|
||||
|
||||
## QueryCache { yes | no }
|
||||
## default "no"
|
||||
##
|
||||
## Instructs the DKIM library to maintain its own local cache of keys and
|
||||
## policies retrieved from DNS, rather than relying on the nameserver for
|
||||
## caching service. Useful if the nameserver being used by the filter is
|
||||
## not local. The filter must be compiled with the QUERY_CACHE flag to enable
|
||||
## this feature, since it adds a library dependency.
|
||||
|
||||
# QueryCache No
|
||||
|
||||
## RedirectFailuresTo address
|
||||
## default (none)
|
||||
##
|
||||
## Redirects signed messages to the specified address if none of the
|
||||
## signatures present failed to verify.
|
||||
|
||||
# RedirectFailuresTo postmaster@example.com
|
||||
|
||||
## RemoveARAll { yes | no }
|
||||
## default "no"
|
||||
##
|
||||
## Remove all Authentication-Results: headers on all arriving mail.
|
||||
|
||||
# RemoveARAll No
|
||||
|
||||
## RemoveARFrom dataset
|
||||
## default (none)
|
||||
##
|
||||
## Remove all Authentication-Results: headers on all arriving mail that
|
||||
## claim to have been added by hosts listed in this parameter. The list
|
||||
## should be comma-separated. Entire domains may be specified by preceding
|
||||
## the dopmain name by a single dot (".") character.
|
||||
|
||||
# RemoveARFrom host1,host2,.domain1,.domain2,...
|
||||
|
||||
## RemoveOldSignatures { yes | no }
|
||||
## default "no"
|
||||
##
|
||||
## Remove old signatures on messages, if any, when generating a signature.
|
||||
|
||||
# RemoveOldSignatures No
|
||||
|
||||
## ReportAddress addr
|
||||
## default (executing user)@(hostname)
|
||||
##
|
||||
## Specifies the sending address to be used on From: headers of outgoing
|
||||
## failure reports. By default, the e-mail address of the user executing
|
||||
## the filter is used.
|
||||
|
||||
# ReportAddress "DKIM Error Postmaster" <postmaster@example.com>
|
||||
|
||||
## ReportBccAddress addr
|
||||
## default (none)
|
||||
##
|
||||
## Specifies additional recipient address(es) to receive outgoing failure
|
||||
## reports.
|
||||
|
||||
# ReportBccAddress postmaster@example.com, john@example.com
|
||||
|
||||
## RequiredHeaders { yes | no }
|
||||
## default no
|
||||
##
|
||||
## Rejects messages which don't conform to RFC5322 header count requirements.
|
||||
|
||||
# RequiredHeaders No
|
||||
|
||||
## RequireSafeKeys { yes | no }
|
||||
## default yes
|
||||
##
|
||||
## Refuses to use key files that appear to have unsafe permissions.
|
||||
|
||||
# RequireSafeKeys Yes
|
||||
|
||||
## ResignAll { yes | no }
|
||||
## default no
|
||||
##
|
||||
## Where ResignMailTo triggers a re-signing action, this flag indicates
|
||||
## whether or not all mail should be signed (if set) versus only verified
|
||||
## mail being signed (if not set).
|
||||
|
||||
# ResignAll No
|
||||
|
||||
## ResignMailTo dataset
|
||||
## default (none)
|
||||
##
|
||||
## Checks each message recipient against the specified dataset for a
|
||||
## matching record. The full address is checked in each case, then the
|
||||
## hostname, then each domain preceded by ".". If there is a match, the
|
||||
## value returned is presumed to be the name of a key in the KeyTable
|
||||
## (if defined) to be used to re-sign the message in addition to
|
||||
## verifying it. If there is a match without a KeyTable, the default key
|
||||
## is applied.
|
||||
|
||||
# ResignMailTo dataset
|
||||
|
||||
## ResolverConfiguration string
|
||||
##
|
||||
## Passes arbitrary configuration data to the resolver. For the stock UNIX
|
||||
## resolver, this is ignored; for Unbound, it names a resolv.conf(5)-style
|
||||
## file that should be read for configuration information.
|
||||
|
||||
# ResolverConfiguration string
|
||||
|
||||
## ResolverTracing { yes | no }
|
||||
##
|
||||
## Requests enabling of resolver trace features, if available. The effect
|
||||
## of setting this flag depends on how trace features, if any, are implemented
|
||||
## in the resolver in use. Currently only effective when used with the
|
||||
## OpenDKIM asynchronous resolver.
|
||||
|
||||
# ResolverTracing no
|
||||
|
||||
## Selector name
|
||||
##
|
||||
## The name of the selector to use when signing. No default; must be
|
||||
## specified for signing.
|
||||
|
||||
Selector REPLACEME
|
||||
|
||||
## SenderHeaders dataset
|
||||
## default (none)
|
||||
##
|
||||
## Overrides the default list of headers that will be used to determine
|
||||
## the sending domain when deciding whether to sign the message and with
|
||||
## with which key(s). See opendkim.conf(5) for details.
|
||||
|
||||
# SenderHeaders From
|
||||
|
||||
## SendReports { yes | no }
|
||||
## default "no"
|
||||
##
|
||||
## Specifies whether or not the filter should generate report mail back
|
||||
## to senders when verification fails and an address for such a purpose
|
||||
## is provided. See opendkim.conf(5) for details.
|
||||
|
||||
# SendReports No
|
||||
|
||||
## SignatureAlgorithm signalg
|
||||
## default "rsa-sha256"
|
||||
##
|
||||
## Signature algorithm to use when generating signatures. Must be either
|
||||
## "rsa-sha1" or "rsa-sha256".
|
||||
|
||||
# SignatureAlgorithm rsa-sha256
|
||||
|
||||
## SignatureTTL seconds
|
||||
## default "0"
|
||||
##
|
||||
## Specifies the lifetime in seconds of signatures generated by the
|
||||
## filter. A value of 0 means no expiration time is included in the
|
||||
## signature.
|
||||
|
||||
# SignatureTTL 0
|
||||
|
||||
## SignHeaders dataset
|
||||
## default (none)
|
||||
##
|
||||
## Specifies the list of headers which should be included when generating
|
||||
## signatures. The string should be a comma-separated list of header names.
|
||||
## See the opendkim.conf(5) man page for more information.
|
||||
|
||||
# SignHeaders header1,header2,...
|
||||
|
||||
## SigningTable dataset
|
||||
## default (none)
|
||||
##
|
||||
## Defines a dataset that will be queried for the message sender's address
|
||||
## to determine which private key(s) (if any) should be used to sign the
|
||||
## message. The sender is determined from the value of the sender
|
||||
## header fields as described with SenderHeaders above. The key for this
|
||||
## lookup should be an address or address pattern that matches senders;
|
||||
## see the opendkim.conf(5) man page for more information. The value
|
||||
## of the lookup should return the name of a key found in the KeyTable
|
||||
## that should be used to sign the message. If MultipleSignatures
|
||||
## is set, all possible lookup keys will be attempted which may result
|
||||
## in multiple signatures being applied.
|
||||
|
||||
# SigningTable filename
|
||||
|
||||
## SingleAuthResult { yes | no}
|
||||
## default "no"
|
||||
##
|
||||
## When DomainKeys verification is enabled, multiple Authentication-Results
|
||||
## will be added, one for DK and one for DKIM. With this enabled, only
|
||||
## a DKIM result will be reported unless DKIM failed but DK passed, in which
|
||||
## case only a DK result will be reported.
|
||||
|
||||
# SingleAuthResult no
|
||||
|
||||
## SMTPURI uri
|
||||
##
|
||||
## Specifies a URI (e.g., "smtp://localhost") to which mail should be sent
|
||||
## via SMTP when notifications are generated.
|
||||
|
||||
# Socket smtp://localhost
|
||||
|
||||
## Socket socketspec
|
||||
##
|
||||
## Names the socket where this filter should listen for milter connections
|
||||
## from the MTA. Required. Should be in one of these forms:
|
||||
##
|
||||
## inet:port@address to listen on a specific interface
|
||||
## inet:port to listen on all interfaces
|
||||
## local:/path/to/socket to listen on a UNIX domain socket
|
||||
|
||||
Socket inet:8891@localhost
|
||||
|
||||
## SoftwareHeader { yes | no }
|
||||
## default "no"
|
||||
##
|
||||
## Add a DKIM-Filter header field to messages passing through this filter
|
||||
## to identify messages it has processed.
|
||||
|
||||
# SoftwareHeader no
|
||||
|
||||
## StrictHeaders { yes | no }
|
||||
## default "no"
|
||||
##
|
||||
## Requests that the DKIM library refuse to process a message whose
|
||||
## header fields do not conform to the standards, in particular Section 3.6
|
||||
## of RFC5322.
|
||||
|
||||
# StrictHeaders no
|
||||
|
||||
## StrictTestMode { yes | no }
|
||||
## default "no"
|
||||
##
|
||||
## Selects strict CRLF mode during testing (see the "-t" command line
|
||||
## flag in the opendkim(8) man page). Messages for which all header
|
||||
## fields and body lines are not CRLF-terminated are considered malformed
|
||||
## and will produce an error.
|
||||
|
||||
# StrictTestMode no
|
||||
|
||||
## SubDomains { yes | no }
|
||||
## default "no"
|
||||
##
|
||||
## Sign for subdomains as well?
|
||||
|
||||
# SubDomains No
|
||||
|
||||
## Syslog { yes | no }
|
||||
## default "yes"
|
||||
##
|
||||
## Log informational and error activity to syslog?
|
||||
|
||||
Syslog Yes
|
||||
|
||||
## SyslogFacility facility
|
||||
## default "mail"
|
||||
##
|
||||
## Valid values are :
|
||||
## auth cron daemon kern lpr mail news security syslog user uucp
|
||||
## local0 local1 local2 local3 local4 local5 local6 local7
|
||||
##
|
||||
## syslog facility to be used
|
||||
|
||||
# SyslogFacility mail
|
||||
|
||||
## SyslogSuccess { yes | no }
|
||||
## default "no"
|
||||
##
|
||||
## Log success activity to syslog?
|
||||
|
||||
# SyslogSuccess No
|
||||
|
||||
## TemporaryDirectory path
|
||||
## default /tmp
|
||||
##
|
||||
## Specifies which directory will be used for creating temporary files
|
||||
## during message processing.
|
||||
|
||||
# TemporaryDirectory /tmp
|
||||
|
||||
## TestPublicKeys filename
|
||||
## default (none)
|
||||
##
|
||||
## Names a file from which public keys should be read. Intended for use
|
||||
## only during automated testing.
|
||||
|
||||
# TestPublicKeys /tmp/testkeys
|
||||
|
||||
## TrustAnchorFile filename
|
||||
## default (none)
|
||||
##
|
||||
## Specifies a file from which trust anchor data should be read when doing
|
||||
## DNS queries and applying the DNSSEC protocol. See the Unbound documentation
|
||||
## at http://unbound.net for the expected format of this file.
|
||||
|
||||
# TrustAnchorFile /var/named/trustanchor
|
||||
|
||||
## UMask mask
|
||||
## default (none)
|
||||
##
|
||||
## Change the process umask for file creation to the specified value.
|
||||
## The system has its own default which will be used (usually 022).
|
||||
## See the umask(2) man page for more information.
|
||||
|
||||
# UMask 022
|
||||
|
||||
# UnboundConfigFile /var/named/unbound.conf
|
||||
|
||||
## Userid userid
|
||||
## default (none)
|
||||
##
|
||||
## Change to user "userid" before starting normal operation? May include
|
||||
## a group ID as well, separated from the userid by a colon.
|
||||
|
||||
UserID opendkim
|
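Review bot: the only non-default settings here are `Canonicalization relaxed/simple`, `Domain`, `KeyFile`, `Selector`, `Socket inet:8891@localhost`, `Syslog Yes` and `UserID opendkim`, which is the minimum needed to sign, but three things are worth adding before relying on it for deliverability: `OversignHeaders From`, so a signed message cannot have a second From: header prepended without invalidating the signature (the commented example `# OverSignHeaders header1,header2,...` is right there); `InternalHosts` or `MacroList` if mail is ever submitted from anything other than 127.0.0.1, since with the default only loopback traffic is signed and everything else is merely verified; and, because the file uses `Domain`/`Selector`/`KeyFile` rather than a KeyTable/SigningTable, `SubDomains Yes` if the server hostname `SOMETHING.REPLACEME.TLD` from the README will also originate mail, as it is otherwise left unsigned. Consider `relaxed/relaxed` as well, since simple body canonicalization fails on any whitespace change by an intermediate MTA. Minor: the example under `## SMTPURI uri` is mislabelled `# Socket smtp://localhost` (an upstream typo carried over), which is confusing next to the real `Socket` setting below it.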