@@ -0,0 +1,806 @@
+{% if ansible_prolog -%}
+{% from 'templates/ansible/prolog.j2' import prolog with context %}
+{{ prolog() }}
+{% endif -%}
+##
+## opendkim.conf -- configuration file for OpenDKIM filter
+##
+## Copyright (c) 2010-2014, The Trusted Domain Project. All rights reserved.
+##
+
+##
+## For settings that refer to a "dataset", see the opendkim(8) man page.
+##
+
+## AddAllSignatureResults { yes | no }
+## default "no"
+##
+## If enabled, results for all signatures will be reported by an added
+## Authentication-Results header field. Otherwise, only one signature will
+## be reported, and which one depends on the TrustSignaturesFrom
+## setting or, in its absence, which one(s) passed first or, if none passed,
+## which one was found first during message processing.
+
+# AddAllSignatureResults no
+
+## ADSPAction { continue | discard | reject }
+## default "continue"
+##
+## Defines the action to be taken when a message is passed through the
+## ADSP algorithm and found to be discardable. By default, no action is
+## taken, though the failure will be noted by the addition of an
+## Authentication-Results report.
+
+# ADSPAction continue
+
+## ADSPNoSuchDomain { yes | no }
+## default "no"
+##
+## Reject messages which are determined to be from nonexistent domains during
+## the Author Domain Signing Practises (ADSP) check.
+
+# ADSPNoSuchDomain No
+
+## AllowSHA1Only { yes | no }
+## default "no"
+##
+## By default, the filter will refuse to start if support for SHA256 is
+## not available since this violates the strong recommendations of
+## RFC6376 Section 3.3, which says:
+##
+## "Verifiers MUST implement both rsa-sha1 and rsa-sha256. Signers MUST
+## implement and SHOULD sign using rsa-sha256."
+##
+## This forces that violation to be explicitly selected by the administrator.
+
+# AllowSHA1Only no
+
+## AlwaysAddARHeader { yes | no }
+## default "no"
+##
+## Add an "Authentication-Results:" header even to unsigned messages
+## from domains with no "signs all" policy. The reported DKIM result
+## will be "none" in such cases. Normally unsigned mail from non-strict
+## domains does not cause the results header to be added.
+
+AlwaysAddARHeader yes
+
+## AuthservID string
+## default (local host name)
+##
+## Defines the "authserv-id" token to be used when generating
+## Authentication-Results headers after message verification.
+
+# AuthservID example.com
+
+## AuthservIDWithJobID
+## default "no"
+##
+## Appends a "/" followed by the MTA's job ID to the "authserv-id" token
+## when generating Authentication-Results headers after message verification.
+
+# AuthservIDWithJobId no
+
+## AutoRestart { yes | no }
+## default "no"
+##
+## Indicate whether or not the filter should arrange to restart automatically
+## if it crashes.
+
+# AutoRestart No
+
+## AutoRestartCount n
+## default 0
+##
+## Sets the maximum automatic restart count. After this number of
+## automatic restarts, the filter will give up and terminate. A value of 0
+## implies no limit.
+
+# AutoRestartCount 0
+
+## AutoRestartRate n/t[u]
+## default (none)
+##
+## Sets the maximum automatic restart rate. See the opendkim.conf(5)
+## man page for the format of this parameter.
+
+# AutoRestartRate n/tu
+
+## Background { yes | no }
+## default "yes"
+##
+## Indicate whether or not the filter should run in the background.
+
+# Background Yes
+
+## BaseDirectory path
+## default (none)
+##
+## Causes the filter to change to the named directory before beginning
+## operation. Thus, cores will be dumped here and configuration files
+## are read relative to this location.
+
+# BaseDirectory /var/run/opendkim
+
+## BodyLengthDB dataset
+## default (none)
+##
+## A data set that is checked against envelope recipients to see if a
+## body length tag should be included in the generated signature.
+## This has security implications; see opendkim.conf(5) for details.
+
+# BodyLengthDB dataset
+
+## Canonicalization hdrcanon[/bodycanon]
+## default "simple/simple"
+##
+## Select canonicalizations to use when signing. If the "bodycanon" is
+## omitted, "simple" is used. Valid values for each are "simple" and
+## "relaxed".
+
+# Canonicalization simple/simple
+
+## ClockDrift n
+## default 300
+##
+## Specify the tolerance range for expired signatures or signatures
+## which appear to have timestamps in the future, allowing for clock
+## drift.
+
+# ClockDrift 300
+
+## Diagnostics { yes | no }
+## default "no"
+##
+## Specifies whether or not signatures with header diagnostic tags should
+## be generated.
+
+# Diagnostics No
+
+## DisableADSP { yes | no }
+## default "no"
+##
+## Suppresses Author Domain Signing Practices (ADSP) checks, which conduct
+## additional DNS queries.
+
+# DisableADSP No
+
+## DNSTimeout n
+## default 10
+##
+## Specify the time in seconds to wait for replies from the nameserver when
+## requesting keys or signing policies.
+
+# DNSTimeout 10
+
+## Domain dataset
+## default (none)
+##
+## Specify for which domain(s) signing should be done. No default; must
+## be specified for signing.
+
+# Domain example.com
+
+## DomainKeysCompat { yes | no }
+## default "no"
+##
+## When enabled, backward compatibility with DomainKeys (RFC4870) key
+## records is enabled. Otherwise, such key records are considered to be
+## syntactically invalid.
+
+# DomainKeysCompat no
+
+## DontSignMailTo dataset
+## default (none)
+##
+## Gives a list of recipient addresses or address patterns whose mail should
+## not be signed.
+
+# DontSignMailTo addr1,addr2,...
+
+## EnableCoredumps { yes | no }
+## default "no"
+##
+## On systems which have support for such, requests that the kernel dump
+## core even though the process may change user ID during its execution.
+
+# EnableCoredumps no
+
+## ExemptDomains dataset
+## default (none)
+##
+## A data set of domain names that are checked against the message sender's
+## domain. If a match is found, the message is ignored by the filter.
+
+# ExemptDomains domain1,domain2,...
+
+## ExternalIgnoreList filename
+##
+## Names a file from which a list of externally-trusted hosts is read.
+## These are hosts which are allowed to send mail through you for signing.
+## Automatically contains 127.0.0.1. See man page for file format.
+
+# ExternalIgnoreList filename
+
+## FixCRLF { yes | no }
+##
+## Requests that the library convert "naked" CR and LF characters to
+## CRLFs during canonicalization. The default is "no".
+
+# FixCRLF no
+
+## InternalHosts dataset
+## default "127.0.0.1"
+##
+## Names a file from which a list of internal hosts is read. These are
+## hosts from which mail should be signed rather than verified.
+## Automatically contains 127.0.0.1.
+
+# InternalHosts dataset
+
+## KeepTemporaryFiles { yes | no }
+## default "no"
+##
+## If set, causes temporary files generated during message signing or
+## verifying to be left behind for debugging use. Not for normal operation;
+## can fill your disks quite fast on busy systems.
+
+# KeepTemporaryFiles no
+
+## KeyFile filename
+## default (none)
+##
+## Specifies the path to the private key to use when signing. Ignored if
+## SigningTable and KeyTable are used. No default; must be specified for
+## signing if SigningTable/KeyTable are not in use.
+
+#KeyFile /var/db/dkim/example.private
+
+## KeyTable dataset
+## default (none)
+##
+## Defines a table that will be queried to convert key names to
+## sets of data of the form (signing domain, signing selector, private key).
+## The private key can either contain a PEM-formatted private key,
+## a base64-encoded DER format private key, or a path to a file containing
+## one of those.
+
+KeyTable file:/etc/opendkim/KeyTable
+
+## LocalADSP dataset
+## default (none)
+##
+## Allows specification of local ADSP overrides for domains. This should be
+## a path to a file containing entries, one per line, with comments and
+## blank lines allowed. An entry is of the form "domain:policy" where
+## "domain" is either a fully-qualified domain name (e.g. "foo.example.com")
+## or a subdomain name preceded by a period (e.g. ".example.com"), and
+## "policy" is either "unknown", "all", or "discardable", as per the current
+## ADSP draft specification. This allows local overrides of policies to
+## enforce for domains which either don't publish ADSP or publish weaker
+## policies than the verifier would like to enforce.
+
+# LocalADSP /etc/mail/local-adsp-rules
+
+## LogWhy { yes | no }
+## default "no"
+##
+## If logging is enabled (see Syslog below), issues very detailed logging
+## about the logic behind the filter's decision to either sign a message
+## or verify it. The logic behind the decision is non-trivial and can be
+## confusing to administrators not familiar with its operation. A
+## description of how the decision is made can be found in the OPERATIONS
+## section of the opendkim(8) man page. This causes a large increase
+## in the amount of log data generated for each message, so it should be
+## limited to debugging use and not enabled for general operation.
+
+# LogWhy no
+
+## MacroList macro[=value][,...]
+##
+## Gives a set of MTA-provided macros which should be checked to see
+## if the sender has been determined to be a local user and therefore
+## whether or not signing should be done. See opendkim.conf(5) for
+## more information.
+
+# MacroList foo=bar,baz=blivit
+
+## MaximumHeaders n
+##
+## Disallow messages whose header blocks are bigger than "n" bytes.
+## Intended to detect and block a denial-of-service attack. The default
+## is 65536. A value of 0 disables this test.
+
+# MaximumHeaders n
+
+## MaximumSignaturesToVerify n
+## (default 3)
+##
+## Verify no more than "n" signatures on an arriving message.
+## A value of 0 means "no limit".
+
+# MaximumSignaturesToVerify n
+
+## MaximumSignedBytes n
+##
+## Don't sign more than "n" bytes of the message. The default is to
+## sign the entire message. Setting this implies "BodyLengths".
+
+# MaximumSignedBytes n
+
+## MilterDebug n
+##
+## Request a debug level of "n" from the milter library. The default is 0.
+
+# MilterDebug 0
+
+## Minimum n[% | +]
+## default 0
+##
+## Sets a minimum signing volume; one of the following formats:
+## n at least n bytes (or the whole message, whichever is less)
+## must be signed
+## n% at least n% of the message must be signed
+## n+ if a length limit was presented in the signature, no more than
+## n bytes may have been added
+
+# Minimum n
+
+## MinimumKeyBits n
+## default 1024
+##
+## Causes the library not to accept signatures matching keys made of fewer
+## than the specified number of bits, even if they would otherwise pass
+## DKIM signing.
+
+# MinimumKeyBits 1024
+
+## Mode [sv]
+## default sv
+##
+## Indicates which mode(s) of operation should be provided. "s" means
+## "sign", "v" means "verify".
+
+# Mode sv
+
+## MTA dataset
+## default (none)
+##
+## Specifies a list of MTAs whos mail should always be signed rather than
+## verified. The "mtaname" is extracted from the DaemonPortOptions line
+## in effect.
+
+# MTA name
+
+## MultipleSignatures { yes | no }
+## default no
+##
+## Allows multiple signatures to be added. If set to "true" and a SigningTable
+## is in use, all SigningTable entries that match the candidate message will
+## cause a signature to be added. Otherwise, only the first matching
+## SigningTable entry will be added, or only the key defined by Domain,
+## Selector and KeyFile will be added.
+
+# MultipleSignatures no
+
+## MustBeSigned dataset
+## default (none)
+##
+## Defines a list of headers which, if present on a message, must be
+## signed for the signature to be considered acceptable.
+
+# MustBeSigned header1,header2,...
+
+## Nameservers addr1[,addr2[,...]]
+## default (none)
+##
+## Provides a comma-separated list of IP addresses that are to be used when
+## doing DNS queries to retrieve DKIM keys, ADSP policies, VBR records, etc.
+## These override any local defaults built in to the resolver in use, which
+## may be defined in /etc/resolv.conf or hard-coded into the software.
+
+# Nameservers addr1,addr2,...
+
+## NoHeaderB { yes | no }
+## default "no"
+##
+## Suppresses addition of "header.b" tags on Authentication-Results
+## header fields.
+
+# NoHeaderB no
+
+## OmitHeaders dataset
+## default (none)
+##
+## Specifies a list of headers that should always be omitted when signing.
+## Header names should be separated by commas.
+
+# OmitHeaders header1,header2,...
+
+## On-...
+##
+## Specifies what to do when certain error conditions are encountered.
+##
+## See opendkim.conf(5) for more information.
+
+# On-Default
+# On-BadSignature
+# On-DNSError
+# On-InternalError
+# On-NoSignature
+# On-Security
+# On-SignatureError
+
+## OversignHeaders dataset
+## default (none)
+##
+## Specifies a set of header fields that should be included in all signature
+## header lists (the "h=" tag) once more than the number of times they were
+## actually present in the signed message. See opendkim.conf(5) for more
+## information.
+
+# OverSignHeaders header1,header2,...
+
+## PeerList dataset
+## default (none)
+##
+## Contains a list of IP addresses, CIDR blocks, hostnames or domain names
+## whose mail should be neither signed nor verified by this filter. See man
+## page for file format.
+
+# PeerList filename
+
+## PidFile filename
+## default (none)
+##
+## Name of the file where the filter should write its pid before beginning
+## normal operations.
+
+# PidFile filename
+
+## POPDBFile dataset
+## default (none)
+##
+## Names a database which should be checked for "POP before SMTP" records
+## as a form of authentication of users who may be sending mail through
+## the MTA for signing. Requires special compilation of the filter.
+## See opendkim.conf(5) for more information.
+
+# POPDBFile filename
+
+## Quarantine { yes | no }
+## default "no"
+##
+## Indicates whether or not the filter should arrange to quarantine mail
+## which fails verification. Intended for diagnostic use only.
+
+# Quarantine No
+
+## QueryCache { yes | no }
+## default "no"
+##
+## Instructs the DKIM library to maintain its own local cache of keys and
+## policies retrieved from DNS, rather than relying on the nameserver for
+## caching service. Useful if the nameserver being used by the filter is
+## not local. The filter must be compiled with the QUERY_CACHE flag to enable
+## this feature, since it adds a library dependency.
+
+# QueryCache No
+
+## RedirectFailuresTo address
+## default (none)
+##
+## Redirects signed messages to the specified address if none of the
+## signatures present failed to verify.
+
+# RedirectFailuresTo postmaster@example.com
+
+## RemoveARAll { yes | no }
+## default "no"
+##
+## Remove all Authentication-Results: headers on all arriving mail.
+
+# RemoveARAll No
+
+## RemoveARFrom dataset
+## default (none)
+##
+## Remove all Authentication-Results: headers on all arriving mail that
+## claim to have been added by hosts listed in this parameter. The list
+## should be comma-separated. Entire domains may be specified by preceding
+## the dopmain name by a single dot (".") character.
+
+# RemoveARFrom host1,host2,.domain1,.domain2,...
+
+## RemoveOldSignatures { yes | no }
+## default "no"
+##
+## Remove old signatures on messages, if any, when generating a signature.
+
+# RemoveOldSignatures No
+
+## ReportAddress addr
+## default (executing user)@(hostname)
+##
+## Specifies the sending address to be used on From: headers of outgoing
+## failure reports. By default, the e-mail address of the user executing
+## the filter is used.
+
+# ReportAddress "DKIM Error Postmaster" <postmaster@example.com>
+
+## ReportBccAddress addr
+## default (none)
+##
+## Specifies additional recipient address(es) to receive outgoing failure
+## reports.
+
+# ReportBccAddress postmaster@example.com, john@example.com
+
+## RequiredHeaders { yes | no }
+## default no
+##
+## Rejects messages which don't conform to RFC5322 header count requirements.
+
+# RequiredHeaders No
+
+## RequireSafeKeys { yes | no }
+## default yes
+##
+## Refuses to use key files that appear to have unsafe permissions.
+
+# RequireSafeKeys Yes
+
+## ResignAll { yes | no }
+## default no
+##
+## Where ResignMailTo triggers a re-signing action, this flag indicates
+## whether or not all mail should be signed (if set) versus only verified
+## mail being signed (if not set).
+
+# ResignAll No
+
+## ResignMailTo dataset
+## default (none)
+##
+## Checks each message recipient against the specified dataset for a
+## matching record. The full address is checked in each case, then the
+## hostname, then each domain preceded by ".". If there is a match, the
+## value returned is presumed to be the name of a key in the KeyTable
+## (if defined) to be used to re-sign the message in addition to
+## verifying it. If there is a match without a KeyTable, the default key
+## is applied.
+
+# ResignMailTo dataset
+
+## ResolverConfiguration string
+##
+## Passes arbitrary configuration data to the resolver. For the stock UNIX
+## resolver, this is ignored; for Unbound, it names a resolv.conf(5)-style
+## file that should be read for configuration information.
+
+# ResolverConfiguration string
+
+## ResolverTracing { yes | no }
+##
+## Requests enabling of resolver trace features, if available. The effect
+## of setting this flag depends on how trace features, if any, are implemented
+## in the resolver in use. Currently only effective when used with the
+## OpenDKIM asynchronous resolver.
+
+# ResolverTracing no
+
+## Selector name
+##
+## The name of the selector to use when signing. No default; must be
+## specified for signing.
+
+Selector default
+
+## SendADSPReports { yes | no }
+## default "no"
+##
+## Specifies whether or not the filter should generate report mail back
+## to senders when the ADSP (Author Domain Signing Practises) check fails for
+## a message. See opendkim.conf(5) for details.
+
+# SendADSPReports No
+
+## SenderHeaders dataset
+## default (none)
+##
+## Overrides the default list of headers that will be used to determine
+## the sending domain for use when evaluating ADSP. See opendkim.conf(5)
+## for details.
+
+# SenderHeaders From
+
+## SendReports { yes | no }
+## default "no"
+##
+## Specifies whether or not the filter should generate report mail back
+## to senders when verification fails and an address for such a purpose
+## is provided. See opendkim.conf(5) for details.
+
+# SendReports No
+
+## SignatureAlgorithm signalg
+## default "rsa-sha256"
+##
+## Signature algorithm to use when generating signatures. Must be either
+## "rsa-sha1" or "rsa-sha256".
+
+# SignatureAlgorithm rsa-sha256
+
+## SignatureTTL seconds
+## default "0"
+##
+## Specifies the lifetime in seconds of signatures generated by the
+## filter. A value of 0 means no expiration time is included in the
+## signature.
+
+# SignatureTTL 0
+
+## SignHeaders dataset
+## default (none)
+##
+## Specifies the list of headers which should be included when generating
+## signatures. The string should be a comma-separated list of header names.
+## See the opendkim.conf(5) man page for more information.
+
+# SignHeaders header1,header2,...
+
+## SigningTable dataset
+## default (none)
+##
+## Defines a dataset that will be queried for the message sender's address
+## to determine which private key(s) (if any) should be used to sign the
+## message. The sender is determined from the value of the sender
+## header fields as described with SenderHeaders above. The key for this
+## lookup should be an address or address pattern that matches senders;
+## see the opendkim.conf(5) man page for more information. The value
+## of the lookup should return the name of a key found in the KeyTable
+## that should be used to sign the message. If MultipleSignatures
+## is set, all possible lookup keys will be attempted which may result
+## in multiple signatures being applied.
+
+SigningTable refile:/etc/opendkim/SigningTable
+
+## SingleAuthResult { yes | no}
+## default "no"
+##
+## When DomainKeys verification is enabled, multiple Authentication-Results
+## will be added, one for DK and one for DKIM. With this enabled, only
+## a DKIM result will be reported unless DKIM failed but DK passed, in which
+## case only a DK result will be reported.
+
+# SingleAuthResult no
+
+## SMTPURI uri
+##
+## Specifies a URI (e.g., "smtp://localhost") to which mail should be sent
+## via SMTP when notifications are generated.
+
+# Socket smtp://localhost
+
+## Socket socketspec
+##
+## Names the socket where this filter should listen for milter connections
+## from the MTA. Required. Should be in one of these forms:
+##
+## inet:port@address to listen on a specific interface
+## inet:port to listen on all interfaces
+## local:/path/to/socket to listen on a UNIX domain socket
+
+Socket inet:8891@localhost
+
+## SoftwareHeader { yes | no }
+## default "no"
+##
+## Add a DKIM-Filter header field to messages passing through this filter
+## to identify messages it has processed.
+
+SoftwareHeader yes
+
+## StrictHeaders { yes | no }
+## default "no"
+##
+## Requests that the DKIM library refuse to process a message whose
+## header fields do not conform to the standards, in particular Section 3.6
+## of RFC5322.
+
+# StrictHeaders no
+
+## StrictTestMode { yes | no }
+## default "no"
+##
+## Selects strict CRLF mode during testing (see the "-t" command line
+## flag in the opendkim(8) man page). Messages for which all header
+## fields and body lines are not CRLF-terminated are considered malformed
+## and will produce an error.
+
+# StrictTestMode no
+
+## SubDomains { yes | no }
+## default "no"
+##
+## Sign for subdomains as well?
+
+# SubDomains No
+
+## Syslog { yes | no }
+## default "yes"
+##
+## Log informational and error activity to syslog?
+
+Syslog Yes
+
+## SyslogFacility facility
+## default "mail"
+##
+## Valid values are :
+## auth cron daemon kern lpr mail news security syslog user uucp
+## local0 local1 local2 local3 local4 local5 local6 local7
+##
+## syslog facility to be used
+
+SyslogFacility mail
+
+## SyslogSuccess { yes | no }
+## default "no"
+##
+## Log success activity to syslog?
+
+# SyslogSuccess No
+
+## TemporaryDirectory path
+## default /tmp
+##
+## Specifies which directory will be used for creating temporary files
+## during message processing.
+
+# TemporaryDirectory /tmp
+
+## TestPublicKeys filename
+## default (none)
+##
+## Names a file from which public keys should be read. Intended for use
+## only during automated testing.
+
+# TestPublicKeys /tmp/testkeys
+
+## TrustAnchorFile filename
+## default (none)
+##
+## Specifies a file from which trust anchor data should be read when doing
+## DNS queries and applying the DNSSEC protocol. See the Unbound documentation
+## at http://unbound.net for the expected format of this file.
+
+# TrustAnchorFile /var/named/trustanchor
+
+## UMask mask
+## default (none)
+##
+## Change the process umask for file creation to the specified value.
+## The system has its own default which will be used (usually 022).
+## See the umask(2) man page for more information.
+
+# UMask 022
+
+## UnboundConfigFile filename
+## default (none)
+##
+## Specifies a configuration file to be passed to the Unbound library that
+## performs DNS queries applying the DNSSEC protocol. See the Unbound
+## documentation at http://unbound.net for the expected content of this file.
+## The results of using this and the TrustAnchorFile setting at the same
+## time are undefined.
+
+# UnboundConfigFile /var/named/unbound.conf
+
+## Userid userid
+## default (none)
+##
+## Change to user "userid" before starting normal operation? May include
+## a group ID as well, separated from the userid by a colon.
+
+# UserID userid
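Review bot: The commented example under the SMTPURI block reads `# Socket smtp://localhost` but should be `# SMTPURI smtp://localhost`; as written, uncommenting it would redefine the milter `Socket` (set further down to `inet:8891@localhost`) as an SMTP URI rather than setting SMTPURI. Two caveats on the active (uncommented) settings: `AlwaysAddARHeader yes` makes this verifier stamp an Authentication-Results header on every message, yet `RemoveARAll` and `RemoveARFrom` are left at their defaults, so an Authentication-Results header already present on arriving mail that claims this host's authserv-id is not stripped and would reach downstream consumers alongside the genuine one; setting `RemoveARFrom` (and an explicit `AuthservID`) closes that gap. `SoftwareHeader yes` adds a `DKIM-Filter` header identifying the filter software on every processed message, which most deployments leave at the default `no`. Since `KeyTable` and `SigningTable` are active, the uncommented `Selector default` appears to have no effect on signing (the KeyFile comment notes that the single-key settings are ignored when the tables are in use). Minor: the commented examples `AuthservIDWithJobId` and `OverSignHeaders` differ in case from the documented keywords `AuthservIDWithJobID` and `OversignHeaders`, and the comment typos "whos" (MTA block), "dopmain" (RemoveARFrom block) and "Practises" (ADSPNoSuchDomain and SendADSPReports blocks) could be corrected while the file is being introduced.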