opendkim.conf.j2 24 KB

  1. {% if ansible_controlled is defined and ansible_controlled != "" %}
  2. #
  3. # {{ ansible_controlled }}
  4. #
  5. {% endif %}
  6. ##
  7. ## opendkim.conf -- configuration file for OpenDKIM filter
  8. ##
  9. ## Copyright (c) 2010-2014, The Trusted Domain Project. All rights reserved.
  10. ##
  11. ##
  12. ## For settings that refer to a "dataset", see the opendkim(8) man page.
  13. ##
  14. ## AddAllSignatureResults { yes | no }
  15. ## default "no"
  16. ##
  17. ## If enabled, results for all signatures will be reported by an added
  18. ## Authentication-Results header field. Otherwise, only one signature will
  19. ## be reported, and which one depends on the TrustSignaturesFrom
  20. ## setting or, in its absence, which one(s) passed first or, if none passed,
  21. ## which one was found first during message processing.
  22. # AddAllSignatureResults no
  23. ## ADSPAction { continue | discard | reject }
  24. ## default "continue"
  25. ##
  26. ## Defines the action to be taken when a message is passed through the
  27. ## ADSP algorithm and found to be discardable. By default, no action is
  28. ## taken, though the failure will be noted by the addition of an
  29. ## Authentication-Results report.
  30. # ADSPAction continue
  31. ## ADSPNoSuchDomain { yes | no }
  32. ## default "no"
  33. ##
  34. ## Reject messages which are determined to be from nonexistent domains during
  35. ## the Author Domain Signing Practices (ADSP) check.
  36. # ADSPNoSuchDomain No
  37. ## AllowSHA1Only { yes | no }
  38. ## default "no"
  39. ##
  40. ## By default, the filter will refuse to start if support for SHA256 is
  41. ## not available since this violates the strong recommendations of
  42. ## RFC6376 Section 3.3, which says:
  43. ##
  44. ## "Verifiers MUST implement both rsa-sha1 and rsa-sha256. Signers MUST
  45. ## implement and SHOULD sign using rsa-sha256."
  46. ##
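  47. ## This forces that violation to be explicitly selected by the administrator.
      ## RFC 8301 has since updated RFC 6376: rsa-sha1 MUST NOT be used for signing
      ## or verifying, so this should stay at "no".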
  48. # AllowSHA1Only no
  49. ## AlwaysAddARHeader { yes | no }
  50. ## default "no"
  51. ##
  52. ## Add an "Authentication-Results:" header even to unsigned messages
  53. ## from domains with no "signs all" policy. The reported DKIM result
  54. ## will be "none" in such cases. Normally unsigned mail from non-strict
  55. ## domains does not cause the results header to be added.
  56. AlwaysAddARHeader yes
  57. ## AuthservID string
  58. ## default (local host name)
  59. ##
  60. ## Defines the "authserv-id" token to be used when generating
  61. ## Authentication-Results headers after message verification.
  62. # AuthservID example.com
  63. ## AuthservIDWithJobID
  64. ## default "no"
  65. ##
  66. ## Appends a "/" followed by the MTA's job ID to the "authserv-id" token
  67. ## when generating Authentication-Results headers after message verification.
  68. # AuthservIDWithJobId no
  69. ## AutoRestart { yes | no }
  70. ## default "no"
  71. ##
  72. ## Indicate whether or not the filter should arrange to restart automatically
  73. ## if it crashes.
  74. # AutoRestart No
  75. ## AutoRestartCount n
  76. ## default 0
  77. ##
  78. ## Sets the maximum automatic restart count. After this number of
  79. ## automatic restarts, the filter will give up and terminate. A value of 0
  80. ## implies no limit.
  81. # AutoRestartCount 0
  82. ## AutoRestartRate n/t[u]
  83. ## default (none)
  84. ##
  85. ## Sets the maximum automatic restart rate. See the opendkim.conf(5)
  86. ## man page for the format of this parameter.
  87. # AutoRestartRate n/tu
  88. ## Background { yes | no }
  89. ## default "yes"
  90. ##
  91. ## Indicate whether or not the filter should run in the background.
  92. # Background Yes
  93. ## BaseDirectory path
  94. ## default (none)
  95. ##
  96. ## Causes the filter to change to the named directory before beginning
  97. ## operation. Thus, cores will be dumped here and configuration files
  98. ## are read relative to this location.
  99. # BaseDirectory /var/run/opendkim
  100. ## BodyLengthDB dataset
  101. ## default (none)
  102. ##
  103. ## A data set that is checked against envelope recipients to see if a
  104. ## body length tag should be included in the generated signature.
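  105. ## This has security implications: a body length ("l=") tag leaves anything
       ## appended after the signed portion of the body outside the signature, so
       ## a verifier can still report a pass for a message that was extended in
       ## transit. See opendkim.conf(5) for details.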
  106. # BodyLengthDB dataset
  107. ## Canonicalization hdrcanon[/bodycanon]
  108. ## default "simple/simple"
  109. ##
  110. ## Select canonicalizations to use when signing. If the "bodycanon" is
  111. ## omitted, "simple" is used. Valid values for each are "simple" and
  112. ## "relaxed".
  113. # Canonicalization simple/simple
  114. ## ClockDrift n
  115. ## default 300
  116. ##
  117. ## Specify the tolerance range for expired signatures or signatures
  118. ## which appear to have timestamps in the future, allowing for clock
  119. ## drift.
  120. # ClockDrift 300
  121. ## Diagnostics { yes | no }
  122. ## default "no"
  123. ##
  124. ## Specifies whether or not signatures with header diagnostic tags should
  125. ## be generated.
  126. # Diagnostics No
  127. ## DisableADSP { yes | no }
  128. ## default "no"
  129. ##
  130. ## Suppresses Author Domain Signing Practices (ADSP) checks, which conduct
  131. ## additional DNS queries.
  132. # DisableADSP No
  133. ## DNSTimeout n
  134. ## default 10
  135. ##
  136. ## Specify the time in seconds to wait for replies from the nameserver when
  137. ## requesting keys or signing policies.
  138. # DNSTimeout 10
  139. ## Domain dataset
  140. ## default (none)
  141. ##
  142. ## Specify for which domain(s) signing should be done. No default; must
  143. ## be specified for signing.
  144. # Domain example.com
  145. ## DomainKeysCompat { yes | no }
  146. ## default "no"
  147. ##
  148. ## When enabled, backward compatibility with DomainKeys (RFC4870) key
  149. ## records is enabled. Otherwise, such key records are considered to be
  150. ## syntactically invalid.
  151. # DomainKeysCompat no
  152. ## DontSignMailTo dataset
  153. ## default (none)
  154. ##
  155. ## Gives a list of recipient addresses or address patterns whose mail should
  156. ## not be signed.
  157. # DontSignMailTo addr1,addr2,...
  158. ## EnableCoredumps { yes | no }
  159. ## default "no"
  160. ##
  161. ## On systems which have support for such, requests that the kernel dump
  162. ## core even though the process may change user ID during its execution.
  163. # EnableCoredumps no
  164. ## ExemptDomains dataset
  165. ## default (none)
  166. ##
  167. ## A data set of domain names that are checked against the message sender's
  168. ## domain. If a match is found, the message is ignored by the filter.
  169. # ExemptDomains domain1,domain2,...
  170. ## ExternalIgnoreList filename
  171. ##
  172. ## Names a file from which a list of externally-trusted hosts is read.
  173. ## These are hosts which are allowed to send mail through you for signing.
  174. ## Automatically contains 127.0.0.1. See man page for file format.
  175. # ExternalIgnoreList filename
  176. ## FixCRLF { yes | no }
  177. ##
  178. ## Requests that the library convert "naked" CR and LF characters to
  179. ## CRLFs during canonicalization. The default is "no".
  180. # FixCRLF no
  181. ## InternalHosts dataset
  182. ## default "127.0.0.1"
  183. ##
  184. ## Names a file from which a list of internal hosts is read. These are
  185. ## hosts from which mail should be signed rather than verified.
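  186. ## Automatically contains 127.0.0.1.
       ## Mail arriving from any host in this list is signed with your keys, so
       ## keep the list limited to hosts you control.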
  187. InternalHosts file:/etc/opendkim/InternalHosts
  188. ## KeepTemporaryFiles { yes | no }
  189. ## default "no"
  190. ##
  191. ## If set, causes temporary files generated during message signing or
  192. ## verifying to be left behind for debugging use. Not for normal operation;
  193. ## can fill your disks quite fast on busy systems.
  194. # KeepTemporaryFiles no
  195. ## KeyFile filename
  196. ## default (none)
  197. ##
  198. ## Specifies the path to the private key to use when signing. Ignored if
  199. ## SigningTable and KeyTable are used. No default; must be specified for
  200. ## signing if SigningTable/KeyTable are not in use.
  201. #KeyFile /var/db/dkim/example.private
  202. ## KeyTable dataset
  203. ## default (none)
  204. ##
  205. ## Defines a table that will be queried to convert key names to
  206. ## sets of data of the form (signing domain, signing selector, private key).
  207. ## The private key can either contain a PEM-formatted private key,
  208. ## a base64-encoded DER format private key, or a path to a file containing
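  209. ## one of those.
       ## If key material is stored inline in the table, the table file itself
       ## needs the same restrictive ownership and permissions as a private key
       ## file.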
  210. KeyTable file:/etc/opendkim/KeyTable
  211. ## LocalADSP dataset
  212. ## default (none)
  213. ##
  214. ## Allows specification of local ADSP overrides for domains. This should be
  215. ## a path to a file containing entries, one per line, with comments and
  216. ## blank lines allowed. An entry is of the form "domain:policy" where
  217. ## "domain" is either a fully-qualified domain name (e.g. "foo.example.com")
  218. ## or a subdomain name preceded by a period (e.g. ".example.com"), and
  219. ## "policy" is either "unknown", "all", or "discardable", as per the current
  220. ## ADSP draft specification. This allows local overrides of policies to
  221. ## enforce for domains which either don't publish ADSP or publish weaker
  222. ## policies than the verifier would like to enforce.
  223. # LocalADSP /etc/mail/local-adsp-rules
  224. ## LogWhy { yes | no }
  225. ## default "no"
  226. ##
  227. ## If logging is enabled (see Syslog below), issues very detailed logging
  228. ## about the logic behind the filter's decision to either sign a message
  229. ## or verify it. The logic behind the decision is non-trivial and can be
  230. ## confusing to administrators not familiar with its operation. A
  231. ## description of how the decision is made can be found in the OPERATIONS
  232. ## section of the opendkim(8) man page. This causes a large increase
  233. ## in the amount of log data generated for each message, so it should be
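  234. ## limited to debugging use and not enabled for general operation.
       ## This template currently sets it to "yes" on the next line; set it back
       ## to "no" once debugging is finished.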
  235. LogWhy yes
  236. ## MacroList macro[=value][,...]
  237. ##
  238. ## Gives a set of MTA-provided macros which should be checked to see
  239. ## if the sender has been determined to be a local user and therefore
  240. ## whether or not signing should be done. See opendkim.conf(5) for
  241. ## more information.
  242. # MacroList foo=bar,baz=blivit
  243. ## MaximumHeaders n
  244. ##
  245. ## Disallow messages whose header blocks are bigger than "n" bytes.
  246. ## Intended to detect and block a denial-of-service attack. The default
  247. ## is 65536. A value of 0 disables this test.
  248. # MaximumHeaders n
  249. ## MaximumSignaturesToVerify n
  250. ## (default 3)
  251. ##
  252. ## Verify no more than "n" signatures on an arriving message.
  253. ## A value of 0 means "no limit".
  254. # MaximumSignaturesToVerify n
  255. ## MaximumSignedBytes n
  256. ##
  257. ## Don't sign more than "n" bytes of the message. The default is to
  258. ## sign the entire message. Setting this implies "BodyLengths".
  259. # MaximumSignedBytes n
  260. ## MilterDebug n
  261. ##
  262. ## Request a debug level of "n" from the milter library. The default is 0.
  263. # MilterDebug 0
  264. ## Minimum n[% | +]
  265. ## default 0
  266. ##
  267. ## Sets a minimum signing volume; one of the following formats:
  268. ## n at least n bytes (or the whole message, whichever is less)
  269. ## must be signed
  270. ## n% at least n% of the message must be signed
  271. ## n+ if a length limit was presented in the signature, no more than
  272. ## n bytes may have been added
  273. # Minimum n
  274. ## MinimumKeyBits n
  275. ## default 1024
  276. ##
  277. ## Causes the library not to accept signatures matching keys made of fewer
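  278. ## than the specified number of bits, even if they would otherwise pass
  279. ## DKIM verification. RFC 8301 says verifiers must not treat signatures
       ## made with RSA keys shorter than 1024 bits as valid, so do not lower
       ## this below the default.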
  280. # MinimumKeyBits 1024
  281. ## Mode [sv]
  282. ## default sv
  283. ##
  284. ## Indicates which mode(s) of operation should be provided. "s" means
  285. ## "sign", "v" means "verify".
  286. # Mode sv
  287. ## MTA dataset
  288. ## default (none)
  289. ##
  290. ## Specifies a list of MTAs whose mail should always be signed rather than
  291. ## verified. The "mtaname" is extracted from the DaemonPortOptions line
  292. ## in effect.
  293. # MTA name
  294. ## MultipleSignatures { yes | no }
  295. ## default no
  296. ##
  297. ## Allows multiple signatures to be added. If set to "true" and a SigningTable
  298. ## is in use, all SigningTable entries that match the candidate message will
  299. ## cause a signature to be added. Otherwise, only the first matching
  300. ## SigningTable entry will be added, or only the key defined by Domain,
  301. ## Selector and KeyFile will be added.
  302. # MultipleSignatures no
  303. ## MustBeSigned dataset
  304. ## default (none)
  305. ##
  306. ## Defines a list of headers which, if present on a message, must be
  307. ## signed for the signature to be considered acceptable.
  308. # MustBeSigned header1,header2,...
  309. ## Nameservers addr1[,addr2[,...]]
  310. ## default (none)
  311. ##
  312. ## Provides a comma-separated list of IP addresses that are to be used when
  313. ## doing DNS queries to retrieve DKIM keys, ADSP policies, VBR records, etc.
  314. ## These override any local defaults built in to the resolver in use, which
  315. ## may be defined in /etc/resolv.conf or hard-coded into the software.
  316. # Nameservers addr1,addr2,...
  317. ## NoHeaderB { yes | no }
  318. ## default "no"
  319. ##
  320. ## Suppresses addition of "header.b" tags on Authentication-Results
  321. ## header fields.
  322. # NoHeaderB no
  323. ## OmitHeaders dataset
  324. ## default (none)
  325. ##
  326. ## Specifies a list of headers that should always be omitted when signing.
  327. ## Header names should be separated by commas.
  328. # OmitHeaders header1,header2,...
  329. ## On-...
  330. ##
  331. ## Specifies what to do when certain error conditions are encountered.
  332. ##
  333. ## See opendkim.conf(5) for more information.
  334. # On-Default
  335. # On-BadSignature
  336. # On-DNSError
  337. # On-InternalError
  338. # On-NoSignature
  339. # On-Security
  340. # On-SignatureError
  341. ## OversignHeaders dataset
  342. ## default (none)
  343. ##
  344. ## Specifies a set of header fields that should be included in all signature
  345. ## header lists (the "h=" tag) once more than the number of times they were
  346. ## actually present in the signed message. See opendkim.conf(5) for more
  347. ## information.
  348. # OverSignHeaders header1,header2,...
  349. ## PeerList dataset
  350. ## default (none)
  351. ##
  352. ## Contains a list of IP addresses, CIDR blocks, hostnames or domain names
  353. ## whose mail should be neither signed nor verified by this filter. See man
  354. ## page for file format.
  355. # PeerList filename
  356. ## PidFile filename
  357. ## default (none)
  358. ##
  359. ## Name of the file where the filter should write its pid before beginning
  360. ## normal operations.
  361. # PidFile filename
  362. ## POPDBFile dataset
  363. ## default (none)
  364. ##
  365. ## Names a database which should be checked for "POP before SMTP" records
  366. ## as a form of authentication of users who may be sending mail through
  367. ## the MTA for signing. Requires special compilation of the filter.
  368. ## See opendkim.conf(5) for more information.
  369. # POPDBFile filename
  370. ## Quarantine { yes | no }
  371. ## default "no"
  372. ##
  373. ## Indicates whether or not the filter should arrange to quarantine mail
  374. ## which fails verification. Intended for diagnostic use only.
  375. # Quarantine No
  376. ## QueryCache { yes | no }
  377. ## default "no"
  378. ##
  379. ## Instructs the DKIM library to maintain its own local cache of keys and
  380. ## policies retrieved from DNS, rather than relying on the nameserver for
  381. ## caching service. Useful if the nameserver being used by the filter is
  382. ## not local. The filter must be compiled with the QUERY_CACHE flag to enable
  383. ## this feature, since it adds a library dependency.
  384. # QueryCache No
  385. ## RedirectFailuresTo address
  386. ## default (none)
  387. ##
  388. ## Redirects signed messages to the specified address if none of the
  389. ## signatures present failed to verify.
  390. # RedirectFailuresTo postmaster@example.com
  391. ## RemoveARAll { yes | no }
  392. ## default "no"
  393. ##
  394. ## Remove all Authentication-Results: headers on all arriving mail.
  395. # RemoveARAll No
  396. ## RemoveARFrom dataset
  397. ## default (none)
  398. ##
  399. ## Remove all Authentication-Results: headers on all arriving mail that
  400. ## claim to have been added by hosts listed in this parameter. The list
  401. ## should be comma-separated. Entire domains may be specified by preceding
  402. ## the domain name by a single dot (".") character.
  403. # RemoveARFrom host1,host2,.domain1,.domain2,...
  404. ## RemoveOldSignatures { yes | no }
  405. ## default "no"
  406. ##
  407. ## Remove old signatures on messages, if any, when generating a signature.
  408. # RemoveOldSignatures No
  409. ## ReportAddress addr
  410. ## default (executing user)@(hostname)
  411. ##
  412. ## Specifies the sending address to be used on From: headers of outgoing
  413. ## failure reports. By default, the e-mail address of the user executing
  414. ## the filter is used.
  415. # ReportAddress "DKIM Error Postmaster" <postmaster@example.com>
  416. ## ReportBccAddress addr
  417. ## default (none)
  418. ##
  419. ## Specifies additional recipient address(es) to receive outgoing failure
  420. ## reports.
  421. # ReportBccAddress postmaster@example.com, john@example.com
  422. ## RequiredHeaders { yes | no }
  423. ## default no
  424. ##
  425. ## Rejects messages which don't conform to RFC5322 header count requirements.
  426. # RequiredHeaders No
  427. ## RequireSafeKeys { yes | no }
  428. ## default yes
  429. ##
  430. ## Refuses to use key files that appear to have unsafe permissions.
  431. # RequireSafeKeys Yes
  432. ## ResignAll { yes | no }
  433. ## default no
  434. ##
  435. ## Where ResignMailTo triggers a re-signing action, this flag indicates
  436. ## whether or not all mail should be signed (if set) versus only verified
  437. ## mail being signed (if not set).
  438. # ResignAll No
  439. ## ResignMailTo dataset
  440. ## default (none)
  441. ##
  442. ## Checks each message recipient against the specified dataset for a
  443. ## matching record. The full address is checked in each case, then the
  444. ## hostname, then each domain preceded by ".". If there is a match, the
  445. ## value returned is presumed to be the name of a key in the KeyTable
  446. ## (if defined) to be used to re-sign the message in addition to
  447. ## verifying it. If there is a match without a KeyTable, the default key
  448. ## is applied.
  449. # ResignMailTo dataset
  450. ## ResolverConfiguration string
  451. ##
  452. ## Passes arbitrary configuration data to the resolver. For the stock UNIX
  453. ## resolver, this is ignored; for Unbound, it names a resolv.conf(5)-style
  454. ## file that should be read for configuration information.
  455. # ResolverConfiguration string
  456. ## ResolverTracing { yes | no }
  457. ##
  458. ## Requests enabling of resolver trace features, if available. The effect
  459. ## of setting this flag depends on how trace features, if any, are implemented
  460. ## in the resolver in use. Currently only effective when used with the
  461. ## OpenDKIM asynchronous resolver.
  462. # ResolverTracing no
  463. ## Selector name
  464. ##
  465. ## The name of the selector to use when signing. No default; must be
  466. ## specified for signing.
  467. Selector default
  468. ## SendADSPReports { yes | no }
  469. ## default "no"
  470. ##
  471. ## Specifies whether or not the filter should generate report mail back
  472. ## to senders when the ADSP (Author Domain Signing Practices) check fails for
  473. ## a message. See opendkim.conf(5) for details.
  474. # SendADSPReports No
  475. ## SenderHeaders dataset
  476. ## default (none)
  477. ##
  478. ## Overrides the default list of headers that will be used to determine
  479. ## the sending domain for use when evaluating ADSP. See opendkim.conf(5)
  480. ## for details.
  481. SenderHeaders From
  482. ## SendReports { yes | no }
  483. ## default "no"
  484. ##
  485. ## Specifies whether or not the filter should generate report mail back
  486. ## to senders when verification fails and an address for such a purpose
  487. ## is provided. See opendkim.conf(5) for details.
  488. # SendReports No
  489. ## SignatureAlgorithm signalg
  490. ## default "rsa-sha256"
  491. ##
  492. ## Signature algorithm to use when generating signatures. Must be either
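  493. ## "rsa-sha1" or "rsa-sha256". RFC 8301 says rsa-sha1 MUST NOT be used for
       ## signing or verifying, so keep the default "rsa-sha256".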
  494. # SignatureAlgorithm rsa-sha256
  495. ## SignatureTTL seconds
  496. ## default "0"
  497. ##
  498. ## Specifies the lifetime in seconds of signatures generated by the
  499. ## filter. A value of 0 means no expiration time is included in the
  500. ## signature.
  501. # SignatureTTL 0
  502. ## SignHeaders dataset
  503. ## default (none)
  504. ##
  505. ## Specifies the list of headers which should be included when generating
  506. ## signatures. The string should be a comma-separated list of header names.
  507. ## See the opendkim.conf(5) man page for more information.
  508. # SignHeaders header1,header2,...
  509. ## SigningTable dataset
  510. ## default (none)
  511. ##
  512. ## Defines a dataset that will be queried for the message sender's address
  513. ## to determine which private key(s) (if any) should be used to sign the
  514. ## message. The sender is determined from the value of the sender
  515. ## header fields as described with SenderHeaders above. The key for this
  516. ## lookup should be an address or address pattern that matches senders;
  517. ## see the opendkim.conf(5) man page for more information. The value
  518. ## of the lookup should return the name of a key found in the KeyTable
  519. ## that should be used to sign the message. If MultipleSignatures
  520. ## is set, all possible lookup keys will be attempted which may result
  521. ## in multiple signatures being applied.
  522. SigningTable refile:/etc/opendkim/SigningTable
  523. ## SingleAuthResult { yes | no}
  524. ## default "no"
  525. ##
  526. ## When DomainKeys verification is enabled, multiple Authentication-Results
  527. ## will be added, one for DK and one for DKIM. With this enabled, only
  528. ## a DKIM result will be reported unless DKIM failed but DK passed, in which
  529. ## case only a DK result will be reported.
  530. # SingleAuthResult no
  531. ## SMTPURI uri
  532. ##
  533. ## Specifies a URI (e.g., "smtp://localhost") to which mail should be sent
  534. ## via SMTP when notifications are generated.
  535. # SMTPURI smtp://localhost
  536. ## Socket socketspec
  537. ##
  538. ## Names the socket where this filter should listen for milter connections
  539. ## from the MTA. Required. Should be in one of these forms:
  540. ##
  541. ## inet:port@address to listen on a specific interface
  542. ## inet:port to listen on all interfaces
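  543. ## local:/path/to/socket to listen on a UNIX domain socket
       ##
       ## The milter connection is neither authenticated nor encrypted, so prefer
       ## a loopback address or a UNIX domain socket with restrictive permissions
       ## over listening on all interfaces.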
  544. Socket inet:8891@localhost
  545. ## SoftwareHeader { yes | no }
  546. ## default "no"
  547. ##
  548. ## Add a DKIM-Filter header field to messages passing through this filter
  549. ## to identify messages it has processed. The header value names the
       ## filter software and its version, and is visible to every recipient.
  550. SoftwareHeader yes
  551. ## StrictHeaders { yes | no }
  552. ## default "no"
  553. ##
  554. ## Requests that the DKIM library refuse to process a message whose
  555. ## header fields do not conform to the standards, in particular Section 3.6
  556. ## of RFC5322.
  557. # StrictHeaders no
  558. ## StrictTestMode { yes | no }
  559. ## default "no"
  560. ##
  561. ## Selects strict CRLF mode during testing (see the "-t" command line
  562. ## flag in the opendkim(8) man page). Messages for which all header
  563. ## fields and body lines are not CRLF-terminated are considered malformed
  564. ## and will produce an error.
  565. # StrictTestMode no
  566. ## SubDomains { yes | no }
  567. ## default "no"
  568. ##
  569. ## Sign for subdomains as well?
  570. # SubDomains No
  571. ## Syslog { yes | no }
  572. ## default "yes"
  573. ##
  574. ## Log informational and error activity to syslog?
  575. Syslog Yes
  576. ## SyslogFacility facility
  577. ## default "mail"
  578. ##
  579. ## Valid values are :
  580. ## auth cron daemon kern lpr mail news security syslog user uucp
  581. ## local0 local1 local2 local3 local4 local5 local6 local7
  582. ##
  583. ## syslog facility to be used
  584. SyslogFacility mail
  585. ## SyslogSuccess { yes | no }
  586. ## default "no"
  587. ##
  588. ## Log success activity to syslog?
  589. # SyslogSuccess No
  590. ## TemporaryDirectory path
  591. ## default /tmp
  592. ##
  593. ## Specifies which directory will be used for creating temporary files
  594. ## during message processing.
  595. # TemporaryDirectory /tmp
  596. ## TestPublicKeys filename
  597. ## default (none)
  598. ##
  599. ## Names a file from which public keys should be read. Intended for use
  600. ## only during automated testing.
  601. # TestPublicKeys /tmp/testkeys
  602. ## TrustAnchorFile filename
  603. ## default (none)
  604. ##
  605. ## Specifies a file from which trust anchor data should be read when doing
  606. ## DNS queries and applying the DNSSEC protocol. See the Unbound documentation
  607. ## at http://unbound.net for the expected format of this file.
  608. # TrustAnchorFile /var/named/trustanchor
  609. ## UMask mask
  610. ## default (none)
  611. ##
  612. ## Change the process umask for file creation to the specified value.
  613. ## The system has its own default which will be used (usually 022).
  614. ## See the umask(2) man page for more information.
  615. # UMask 022
  616. ## UnboundConfigFile filename
  617. ## default (none)
  618. ##
  619. ## Specifies a configuration file to be passed to the Unbound library that
  620. ## performs DNS queries applying the DNSSEC protocol. See the Unbound
  621. ## documentation at http://unbound.net for the expected content of this file.
  622. ## The results of using this and the TrustAnchorFile setting at the same
  623. ## time are undefined.
  624. # UnboundConfigFile /var/named/unbound.conf
  625. ## Userid userid
  626. ## default (none)
  627. ##
  628. ## Change to user "userid" before starting normal operation? May include
  629. ## a group ID as well, separated from the userid by a colon.
  630. # UserID userid