## opendmarc.conf -- configuration file for OpenDMARC filter ## ## Copyright (c) 2012-2015, 2018, 2021, The Trusted Domain Project. ## All rights reserved. ## DEPRECATED CONFIGURATION OPTIONS ## ## The following configuration options are no longer valid. They should be ## removed from your existing configuration file to prevent potential issues. ## Failure to do so may result in opendmarc being unable to start. ## ## Renamed in 1.3.0: ## ForensicReports became FailureReports ## ForensicReportsBcc became FailureReportsBcc ## ForensicReportsOnNone became FailureReportsOnNone ## ForensicReportsSentBy became FailureReportsSentBy ## CONFIGURATION OPTIONS ## AuthservID (string) ## defaults to MTA name ## ## Sets the "authserv-id" to use when generating the Authentication-Results: ## header field after verifying a message. If the string "HOSTNAME" is ## provided, the name of the host running the filter (as returned by the ## gethostname(3) function) will be used. # # AuthservID name ## AuthservIDWithJobID { true | false } ## default "false" ## ## If "true", requests that the authserv-id portion of the added ## Authentication-Results header fields contain the job ID of the message ## being evaluated. # # AuthservIDWithJobID false ## AutoRestart { true | false } ## default "false" ## ## Automatically re-start on failures. Use with caution; if the filter fails ## instantly after it starts, this can cause a tight fork(2) loop. # # AutoRestart false ## AutoRestartCount n ## default 0 ## ## Sets the maximum automatic restart count. After this number of automatic ## restarts, the filter will give up and terminate. A value of 0 implies no ## limit. # # AutoRestartCount 0 ## AutoRestartRate n/t[u] ## default (no limit) ## ## Sets the maximum automatic restart rate. If the filter begins restarting ## faster than the rate defined here, it will give up and terminate. This ## is a string of the form n/t[u] where n is an integer limiting the count ## of restarts in the given interval and t[u] defines the time interval ## through which the rate is calculated; t is an integer and u defines the ## units thus represented ("s" or "S" for seconds, the default; "m" or "M" ## for minutes; "h" or "H" for hours; "d" or "D" for days). For example, a ## value of "10/1h" limits the restarts to 10 in one hour. There is no ## default, meaning restart rate is not limited. # # AutoRestartRate n/t[u] ## Background { true | false } ## default "true" ## ## Causes opendmarc to fork and exits immediately, leaving the service ## running in the background. # # Background true ## BaseDirectory (string) ## default (none) ## ## If set, instructs the filter to change to the specified directory using ## chdir(2) before doing anything else. This means any files referenced ## elsewhere in the configuration file can be specified relative to this ## directory. It's also useful for arranging that any crash dumps will be ## saved to a specific location. # BaseDirectory /var/opendmarc ## ChangeRootDirectory (string) ## default (none) ## ## Requests that the operating system change the effective root directory of ## the process to the one specified here prior to beginning execution. ## chroot(2) requires superuser access. A warning will be generated if ## UserID is not also set. # # ChangeRootDirectory /var/chroot/opendmarc ## CopyFailuresTo (string) ## default (none) ## ## Requests addition of the specified email address to the envelope of ## any message that fails the DMARC evaluation. # # CopyFailuresTo postmaster@localhost ## DomainWhitelist (string) ## default (none) ## ## A brief list of whitelisted domains for which ARC signature headers are ## trusted as determined by evaluating entries in the "arc.chain" field found ## in a locally generated Authentication-Results header. ## ## This list will be concatenated with DomainWhitelistFile (if provided). ## # # DomainWhitelist example.com ## DomainWhitelistFile path ## default (none) ## ## A comprehensive list of whitelisted domains for which ARC signature headers ## are trusted as determined by evaluating entries in the "arc.chain" field ## found in a locally generated Authentication-Results header. ## ## This list will be concatenated with DomainWhitelist (if provided). ## # # DomainWhitelistFile /usr/local/etc/opendmarc/whitelist.domains ## DomainWhitelistSize ## default 3000 ## ## The maximum number of entries in the DomainWhitelist including both entries ## in the DomainWhitelist configuration parameter (above) and entries in the ## DomainWhitelistFile. This number will be increased by approximately 20% to ## increase the efficiency of the hashing algorithm. ## # # DomainWhitelistSize 3000 ## DNSTimeout (integer) ## default 5 ## ## Sets the DNS timeout in seconds. A value of 0 causes an infinite wait. ## (NOT YET IMPLEMENTED) # # DNSTimeout 5 ## EnableCoredumps { true | false } ## default "false" ## ## On systems that have such support, make an explicit request to the kernel ## to dump cores when the filter crashes for some reason. Some modern UNIX ## systems suppress core dumps during crashes for security reasons if the ## user ID has changed during the lifetime of the process. Currently only ## supported on Linux. # # EnableCoreDumps false ## FailureReports { true | false } ## default "false" ## ## Enables generation of failure reports when the DMARC test fails and the ## purported sender of the message has requested such reports. Reports are ## formatted per RFC6591. # # FailureReports false ## FailureReportsBcc (string) ## default (none) ## ## When failure reports are enabled and one is to be generated, always ## send one to the address(es) specified here. If a failure report is ## requested by the domain owner, the address(es) are added in a Bcc: field. ## If no request is made, they address(es) are used in a To: field. There ## is no default. # # FailureReportsBcc postmaster@example.coom ## FailureReportsOnNone { true | false } ## default "false" ## ## Supplements the "FailureReports" setting by generating reports for ## domains that advertise "none" policies. By default, reports are only ## generated (when enabled) for sending domains advertising a "quarantine" ## or "reject" policy. # # FailureReportsOnNone false ## FailureReportsSentBy string ## default "USER@HOSTNAME" ## ## Specifies the email address to use in the From: field of failure ## reports generated by the filter. The default is to use the userid of ## the user running the filter and the local hostname to construct an ## email address. "postmaster" is used in place of the userid if a name ## could not be determined. # # FailureReportsSentBy USER@HOSTNAME ## HistoryFile path ## default (none) ## ## If set, specifies the location of a text file to which records are written ## that can be used to generate DMARC aggregate reports. Records are groups ## of rows containing information about a single received message, and ## include all relevant information needed to generate a DMARC aggregate ## report. It is expected that this will not be used in its raw form, but ## rather periodically imported into a relational database from which the ## aggregate reports can be extracted by a tool such as opendmarc-import(8). # HistoryFile /var/opendmarc/opendmarc.dat ## HoldQuarantinedMessages { true | false } ## default "false" ## ## If set, the milter will signal to the mta that messages with ## p=quarantine, which fail dmarc authentication, should be held in ## the MTA's "Hold" or "Quarantine" queue. The name varies by MTA. ## If false, messsages will be accepted and passed along with the ## regular mail flow, and the quarantine will be left up to downstream ## MTA/MDA/MUA filters, if any, to handle by re-evaluating the headers, ## including the Authentication-Results header added by OpenDMARC # # HoldQuarantinedMessages false ## IgnoreAuthenticatedClients { true | false } ## default "false" ## ## If set, causes mail from authenticated clients (i.e., those that used ## SMTP AUTH) to be ignored by the filter. # # IgnoreAuthenticatedClients false ## HoldQuarantinedMessages { true | false } ## default "false" ## ## If set, the milter will signal to the mta that messages with ## p=quarantine, which fail dmarc authentication, should be held in ## the MTA's "Hold" or "Quarantine" queue. The name varies by MTA. ## If false, messsages will be accepted and passed along with the ## regular mail flow, and the quarantine will be left up to downstream ## MTA/MDA/MUA filters, if any, to handle by re-evaluating the headers, ## including the Authentication-Results header added by OpenDMARC # # HoldQuarantinedMessages false ## IgnoreHosts path ## default (internal) ## ## Specifies the path to a file that contains a list of hostnames, IP ## addresses, and/or CIDR expressions identifying hosts whose SMTP ## connections are to be ignored by the filter. If not specified, defaults ## to "127.0.0.1" only. # # IgnoreHosts /usr/local/etc/opendmarc/ignore.hosts ## IgnoreMailFrom domain[,...] ## default (none) ## ## Gives a list of domain names whose mail (based on the From: domain) is to ## be ignored by the filter. The list should be comma-separated. Matching ## against this list is case-insensitive. The default is an empty list, ## meaning no mail is ignored. # # IgnoreMailFrom example.com ## MilterDebug (integer) ## default 0 ## ## Sets the debug level to be requested from the milter library. # # MilterDebug 0 ## PidFile path ## default (none) ## ## Specifies the path to a file that should be created at process start ## containing the process ID. # PidFile /var/opendmarc/opendmarc.pid ## PublicSuffixList path ## default (none) ## ## Specifies the path to a file that contains top-level domains (TLDs) that ## will be used to compute the Organizational Domain for a given domain name, ## as described in the DMARC specification. If not provided, the filter will ## not be able to determine the Organizational Domain and only the presented ## domain will be evaluated. This file should be periodically updated. ## One location to retrieve the file from is https://publicsuffix.org/list/ # # PublicSuffixList path ## RecordAllMessages { true | false } ## default "false" ## ## If set and "HistoryFile" is in use, all received messages are recorded ## to the history file. If not set (the default), only messages for which ## the From: domain published a DMARC record will be recorded in the ## history file. # # RecordAllMessages false ## RejectFailures { true | false } ## default "false" ## ## If set, messages will be rejected if they fail the DMARC evaluation, or ## temp-failed if evaluation could not be completed. By default, no message ## will be rejected or temp-failed regardless of the outcome of the DMARC ## evaluation of the message. Instead, an Authentication-Results header ## field will be added. # # RejectFailures false ## RejectMultiValueFrom { true | false } ## default "false" ## ## If set, messages with multiple addresses in the From: field of the message ## will be rejected unless all domains in the field are the same. They will ## otherwise be ignored by the filter (the default). # # RejectMultiValueFrom false ## ReportCommand string ## default "/usr/sbin/sendmail -t" ## ## Indicates the shell command to which failure reports should be passed for ## delivery when "FailureReports" is enabled. # ReportCommand /usr/sbin/sendmail -t ## RequiredHeaders { true | false } ## default "false" ## ## If set, the filter will ensure the header of the message conforms to the ## basic header field count restrictions laid out in RFC5322, Section 3.6. ## Messages failing this test are rejected without further processing. A ## From: field from which no domain name could be extracted will also be ## rejected. # # RequiredHeaders false ## Socket socketspec ## default (none) ## ## Specifies the socket that should be established by the filter to receive ## connections from sendmail(8) in order to provide service. socketspec is ## in one of two forms: local:path, which creates a UNIX domain socket at ## the specified path, or inet:port[@host] or inet6:port[@host] which creates ## a TCP socket on the specified port for the appropriate protocol family. ## If the host is not given as either a hostname or an IP address, the ## socket will be listening on all interfaces. This option is mandatory ## either in the configuration file or on the command line. If an IP ## address is used, it must be enclosed in square brackets. # Socket inet:8893@localhost ## SoftwareHeader { true | false } ## default "false" ## ## Causes the filter to add a "DMARC-Filter" header field indicating the ## presence of this filter in the path of the message from injection to ## delivery. The product's name, version, and the job ID are included in ## the header field's contents. # # SoftwareHeader false ## SPFIgnoreResults { true | false } ## default "false" ## ## Causes the filter to ignore any SPF results in the header of the ## message. This is useful if you want the filter to perform SPF checks ## itself, or because you don't trust the arriving header. # # SPFIgnoreResults false ## SPFSelfValidate { true | false } ## default false ## ## Enable internal spf checking with --with-spf ## To use libspf2 instead: --with-spf --with-spf2-include=path --with-spf2-lib=path ## ## Causes the filter to perform a fallback SPF check itself when ## it can find no SPF results in the message header. If SPFIgnoreResults ## is also set, it never looks for SPF results in headers and ## always performs the SPF check itself when this is set. # # SPFSelfValidate false ## Syslog { true | false } ## default "false" ## ## Log via calls to syslog(3) any interesting activity. # Syslog true ## SyslogFacility facility-name ## default "mail" ## ## Log via calls to syslog(3) using the named facility. The facility names ## are the same as the ones allowed in syslog.conf(5). # SyslogFacility mail ## TrustedAuthservIDs string ## default HOSTNAME ## ## Specifies one or more "authserv-id" values to trust as relaying true ## upstream DKIM and SPF results. The default is to use the name of ## the MTA processing the message. To specify a list, separate each entry ## with a comma. The key word "HOSTNAME" will be replaced by the name of ## the host running the filter as reported by the gethostname(3) function. # # TrustedAuthservIDs HOSTNAME ## UMask mask ## default (none) ## ## Requests a specific permissions mask to be used for file creation. This ## only really applies to creation of the socket when Socket specifies a ## UNIX domain socket, and to the HistoryFile and PidFile (if any); temporary ## files are normally created by the mkstemp(3) function that enforces a ## specific file mode on creation regardless of the process umask. See ## umask(2) for more information. # UMask 077 ## UserID user[:group] ## default (none) ## ## Attempts to become the specified userid before starting operations. ## The process will be assigned all of the groups and primary group ID of ## the named userid unless an alternate group is specified. # UserID opendmarc:opendmarc