[packages/dkim-milter.git] / dkim-filter.conf

##
## dkim-filter.conf -- configuration file for DKIM filter
##
## $Id$
##

##  ADSPDiscard { yes | no }
##  	default "no"
##
##  Reject messages which are determined to be "suspicious" according to the
##  sending domain's published signing procedure (ADSP) record if that record
##  also recommends rejection of such messages.

# ADSPDiscard		No

##  ADSPNoSuchDomain { yes | no }
##  	default "no"
##
##  Reject messages which are determined to be from nonexistent domains during
##  the Author Domain Signing Practises (ADSP) check.

# ADSPNoSuchDomain	No

##  AllowSHA1Only { yes | no }
##  	default "no"
##
##  By default, the filter will refuse to start if signing mode is enabled
##  but rsa-sha1 will be used (either because it is the only algorithm
##  available or because it was explicitly requested) since this violates
##  the strong recommendations of RFC4871 section 3.3.

# AllowSHA1Only		no

##  AlwaysAddARHeader { yes | no }
##  	default "no"
##
##  Add an "Authentication-Results:" header even to unsigned messages
##  from domains with no "signs all" policy.  The reported DKIM result
##  will be "none" in such cases.  Normally unsigned mail from non-strict
##  domains does not cause the results header to be added.

# AlwaysAddARHeader	no

##  AlwaysSignHeaders header-list
##  	default (none)
##
##  Specifies a list of headers whose names should appear in signatures
##  whether or not they were signed, preventing their later addition.

# AlwaysSignHeaders	header1,header2,...

##  AuthservID string
##  	default (local host name)
##
##  Defines the "authserv-id" token to be used when generating 
##  Authentication-Results headers after message verification.

# AuthservID		example.com

##  AuthservIDWithJobID
##  	default "no"
##
##  Appends a "/" followed by the MTA's job ID to the "authserv-id" token
##  when generating Authentication-Results headers after message verification.

# AuthservIDWithJobId	no

##  AutoRestart { yes | no }
##  	default "no"
##
##  Indicate whether or not the filter should arrange to restart automatically
##  if it crashes.

# AutoRestart		No

##  AutoRestartCount n
##  	default 0
##
##  Sets the maximum automatic restart count.  After this number of
##  automatic restarts, the filter will give up and terminate.  A value of 0
##  implies no limit.

# AutoRestartCount	0

##  AutoRestartRate n/t[u]
##  	default (none)
## 
##  Sets the maximum automatic restart rate.  See the dkim-filter.conf(5)
##  man page for the format of this parameter.

# AutoRestartRate	n/tu

##  Background { yes | no }
##  	default "yes"
##
##  Indicate whether or not the filter should run in the background.

# Background		Yes

##  BaseDirectory path
##  	default (none)
##
##  Causes the filter to change to the named directory before beginning
##  operation.  Thus, cores will be dumped here and configuration files
##  are read relative to this location.

# BaseDirectory		/var/run/dkim-filter

##  BodyLengths { yes | no }
##  	default "no"
##
##  Indicate whether or not signatures with body length tags should be
##  generated.

# BodyLengths		No

##  Canonicalization hdrcanon[/bodycanon]
##  	default "simple/simple"
##
##  Select canonicalizations to use when signing.  If the "bodycanon" is
##  omitted, "simple" is used.  Valid values for each are "simple" and
##  "relaxed".

# Canonicalization	simple/simple

##  ClockDrift n
##  	default 300
##
##  Specify the tolerance range for expired signatures or signatures
##  which appear to have timestamps in the future, allowing for clock
##  drift.

# ClockDrift		300 

##  Diagnostics { yes | no }
##  	default "no"
##
##  Specifies whether or not signatures with header diagnostic tags should
##  be generated.

# Diagnostics		No

##  DNSTimeout n
##  	default 10
##
##  Specify the time in seconds to wait for replies from the nameserver when
##  requesting keys or signing policies.

# DNSTimeout		10

##  Domain name[,...]
##  	default (none)
##
##  Specify for which domain(s) signing should be done.  No default; must
##  be specified for signing.

Domain			ant.gliwice.pl

##  DontSignMailTo	addrlist
##  	default (none)
##
##  Gives a list of recipient addresses or address patterns whose mail should
##  not be signed.  Wildcard ("*") characters are allowed.

# DontSignMailTo	addr1,addr2,...

##  EnableCoredumps { yes | no }
##  	default "no"
##
##  On systems which have support for such, requests that the kernel dump
##  core even though the process may change user ID during its execution.

# EnableCoredumps	no

##  ExternalIgnoreList filename
##
##  Names a file from which a list of externally-trusted hosts is read.
##  These are hosts which are allowed to send mail through you for signing.
##  Automatically contains 127.0.0.1.  See man page for file format.

# ExternalIgnoreList	filename

##  FixCRLF { yes | no }
##
##  Requests that the library convert "naked" CR and LF characters to
##  CRLFs during canonicalization.  The default is "no".

# FixCRLF 		no

##  InternalHosts filename
##
##  Names a file from which a list of internal hosts is read.  These are
##  hosts from which mail should be signed rather than verified.
##  Automatically contains 127.0.0.1.  See man page for file format.

# InternalHosts		filename

##  KeepTemporaryFiles { yes | no }
##  	default "no"
##
##  If set, causes temporary files generated during message signing or
##  verifying to be left behind for debugging use.  Not for normal operation;
##  can fill your disks quite fast on busy systems.

# KeepTemporaryFiles	no

##  KeyFile filename
##
##  Specifies the path to the private key to use when signing.  Ignored if
##  Keylist is set.  No default; must be specified for signing.

KeyFile			/etc/mail/dkim-milter/ant.gliwice.pl.key

##  KeyList filename
##
##  Specifies the path to the list of keys and signing domains to be applied
##  by the signing filter.  The entries in this file should be of the form:
##
##  	pattern:domain:keypath
##
##  ...where "pattern" is a pattern of user@host to match, with "*" being
##  allowed as a wildcard; "domain" is the signing domain; and "keypath"
##  is the path to the private key to use to generate signatures for such
##  users.  The selector used will be the filename portion of "keypath".
##  Blank lines are ignored, and the hash ("#") character is interpreted
##  as the beginning of a comment.  See dkim-filter.conf(5) for more
##  information.

# KeyList		/var/db/dkim/keylist

##  LocalADSP filename
##
##  Allows specification of local ADSP overrides for domains.  This should be
##  a path to a file containing entries, one per line, with comments and
##  blank lines allowed.  An entry is of the form "domain:policy" where
##  "domain" is either a fully-qualified domain name (e.g. "foo.example.com")
##  or a subdomain name preceded by a period (e.g. ".example.com"), and
##  "policy" is either "unknown", "all", or "discardable", as per the current
##  ADSP draft specification.  This allows local overrides of policies to
##  enforce for domains which either don't publish ADSP or publish weaker
##  policies than the verifier would like to enforce.

# LocalADSP		/etc/mail/local-adsp-rules

##  LogWhy { yes | no }
##  	default "no"
##
##  If logging is enabled (see Syslog below), issues very detailed logging
##  about the logic behind the filter's decision to either sign a message
##  or verify it.  The logic behind the decision is non-trivial and can be
##  confusing to administrators not familiar with its operation.  A
##  description of how the decision is made can be found in the OPERATIONS
##  section of the dkim-filter(8) man page.  This causes a large increase
##  in the amount of log data generated for each message, so it should be
##  limited to debugging use and not enabled for general operation.

# LogWhy		no

##  MacroList macro[=value][,...]
##
##  Gives a set of MTA-provided macros which should be checked to see
##  if the sender has been determined to be a local user and therefore
##  whether or not signing should be done.  See dkim-filter.conf(5) for
##  more information.

# MacroList		foo=bar,baz=blivit

##  MaximumHeaders n
##
##  Disallow messages whose header blocks are bigger than "n" bytes.
##  Intended to detect and block a denial-of-service attack.  The default
##  is 65536.  A value of 0 disables this test.

# MaximumHeaders	n

##  MaximumSignedBytes n
##
##  Don't sign more than "n" bytes of the message.  The default is to 
##  sign the entire message.  Setting this implies "BodyLengths".

# MaximumSignedBytes	n

##  MilterDebug n
##
##  Request a debug level of "n" from the milter library.  The default is 0.

# MilterDebug		0

##  Minimum n[% | +]
##  	default 0
##
##  Sets a minimum signing volume; one of the following formats:
##	n	at least n bytes (or the whole message, whichever is less)
##		must be signed
##  	n%	at least n% of the message must be signed
##	n+	if a length limit was presented in the signature, no more than
##  		n bytes may have been added

# Minimum		n

##  Mode [sv]
##  	default sv
##
##  Indicates which mode(s) of operation should be provided.  "s" means
##  "sign", "v" means "verify".

# Mode			sv
Mode 			s

##  MTA mtaname[,...]
##  
##  Specifies a list of MTAs whos mail should always be signed rather than
##  verified.  The "mtaname" is extracted from the DaemonPortOptions line
##  in effect.

# MTA			name

##  MustBeSigned
##  	default (none)
##
##  Defines a list of headers which, if present on a message, must be
##  signed for the signature to be considered acceptable.

# MustBeSigned		header1,header2,...

##  OmitHeaders headerlist
##  	default (none)
##
##  Specifies a list of headers that should always be omitted when signing.
##  Header names should be separated by commas.

# OmitHeaders		header1,header2,...

##  On-...
##
##  Specifies what to do when certain error conditions are encountered.
##
##  See dkim-filter.conf(5) for more information.

# On-Default
# On-BadSignature
# On-DNSError
# On-InternalError
# On-NoSignature
# On-Security

##  PeerList filename
##
##  Contains a list of IP addresses, CIDR blocks, hostnames or domain names
##  whose mail should be neither signed nor verified by this filter.  See man
##  page for file format.

# PeerList		filename

##  PidFile filename
## 
##  Name of the file where the filter should write its pid before beginning
##  normal operations.

# PidFile		filename
PidFile /var/run/dkim-filter/dkim-filter.pid

##  POPDBFile filename
##
##  Names a database which should be checked for "POP before SMTP" records
##  as a form of authentication of users who may be sending mail through
##  the MTA for signing.  Requires special compilation of the filter.
##  See dkim-filter.conf(5) for more information.

# POPDBFile		filename

##  Quarantine { yes | no }
##  	default "no"
##
##  Indicates whether or not the filter should arrange to quarantine mail
##  which fails verification.  Intended for diagnostic use only.

# Quarantine		No

##  QueryCache { yes | no }
##  	default "no"
##
##  Instructs the DKIM library to maintain its own local cache of keys and
##  policies retrieved from DNS, rather than relying on the nameserver for
##  caching service.  Useful if the nameserver being used by the filter is
##  not local.  The filter must be compiled with the QUERY_CACHE flag to enable
##  this feature, since it adds a library dependency.

# QueryCache		No

##  RemoveARAll { yes | no }
##  	default "no"
##
##  Remove all Authentication-Results: headers on all arriving mail.

# RemoveARAll		No

##  RemoveARFrom list
##  	default (none)
##
##  Remove all Authentication-Results: headers on all arriving mail that
##  claim to have been added by hosts listed in this parameter.  The list
##  should be comma-separated.  Entire domains may be specified by preceding
##  the dopmain name by a single dot (".") character.

# RemoveARFrom		host1,host2,.domain1,.domain2,...

##  RemoveOldSignatures { yes | no }
##  	default "no"
##
##  Remove old signatures on messages, if any, when generating a signature.

# RemoveOldSignatures	No

##  ReportAddress addr
##  	default (executing user)
##
##  Specifies the sending address to be used on From: headers of outgoing
##  failure reports.  By default, the e-mail address of the user executing
##  the filter is used.

# ReportAddress		postmaster@example.com

##  RequiredHeaders { yes | no }
##  	default no
##
##  Rejects messages which don't conform to RFC2822 header count requirements.

# RequiredHeaders	No

##  Selector name
##
##  The name of the selector to use when signing.  No default; must be
##  specified for signing.
##  Selector is later used to select key from your domain record:
##  mail._domainkey.your.domain.org.         IN TXT "v=DKIM1; g=*; k=rsa; t=y; p=
Selector		mail

##  SendADSPReports { yes | no }
##  	default "no"
##
##  Specifies whether or not the filter should generate report mail back
##  to senders when the ADSP (Author Domain Signing Practises) check fails for
##  a message.  See dkim-filter.conf(5) for details.

# SendADSPReports	No

##  SendReports { yes | no }
##  	default "no"
##
##  Specifies whether or not the filter should generate report mail back
##  to senders when verification fails and an address for such a purpose
##  is provided.  See dkim-filter.conf(5) for details.

# SendReports		No

##  SignatureAlgorithm signalg
##  	default "rsa-sha256"
##
##  Signature algorithm to use when generating signatures.  Must be either
##  "rsa-sha1" or "rsa-sha256".

# SignatureAlgorithm	rsa-sha256

##  SignatureTTL seconds
##  	default "0"
##
##  Specifies the lifetime in seconds of signatures generated by the
##  filter.  A value of 0 means no expiration time is included in the
##  signature.

# SignatureTTL		0

##  SignHeaders header-list
##  	default (none)
##
##  Specifies the list of headers which should be included when generating
##  signatures.  The string should be a comma-separated list of header names.
##  See the dkim-filter.conf(5) man page for more information.

# SignHeaders		header1,header2,...

##  Socket socketspec
##
##  Names the socket where this filter should listen for milter connections
##  from the MTA.  Required.  Should be in one of these forms:
##
##  inet:port@address		to listen on a specific interface
##  inet:port			to listen on all interfaces
##  local:/path/to/socket	to listen on a UNIX domain socket

Socket			local:/var/run/dkim-filter/dkim-filter.sock

##  StrictTestMode { yes | no }
##  	default "no"
##
##  Selects strict CRLF mode during testing (see the "-t" command line
##  flag in the dkim-filter(8) man page).  Messages for which all header
##  fields and body lines are not CRLF-terminated are considered malformed
##  and will produce an error.

# StrictTestMode	no

##  SubDomains { yes | no }
##  	default "no"
##
##  Sign for subdomains as well?

# SubDomains		No

##  Syslog { yes | no }
##  	default "no"
##
##  Log informational and error activity to syslog?

# Syslog		No
Syslog 			yes

##  SyslogFacility      facility
##  	default "mail"
##
##  Valid values are :
##      auth cron daemon kern lpr mail news security syslog user uucp 
##      local0 local1 local2 local3 local4 local5 local6 local7
##
##  syslog facility to be used

# SyslogFacility	mail
SyslogFacility	mail

##  SyslogSuccess { yes | no }
##  	default "no"
##
##  Log success activity to syslog?

SyslogSuccess		No
# SyslogSuccess		Yes        # For tests mostly


##  TemporaryDirectory path
##  	default /var/tmp
##
##  Specifies which directory will be used for creating temporary files
##  during message processing.

# TemporaryDirectory	/var/tmp

##  TestPublicKeys filename
##  	default (none)
##
##  Names a file from which public keys should be read.  Intended for use
##  only during automated testing.

# TestPublicKeys	/tmp/testkeys

##  UMask mask
##  	default (none)
##
##  Change the process umask for file creation to the specified value.
##  The system has its own default which will be used (usually 022).
##  See the umask(2) man page for more information.

# UMask			022
UMask			022

##  Userid userid
##  	default (none)
##
##  Change to user "userid" before starting normal operation?  May include
##  a group ID as well, separated from the userid by a colon.

# UserID		userid
UserID			62   # Postfix, probably change to dkim-filter user                 

##  X-Header { yes | no }
##  	default "no"
##
##  Add an X- header to messages passing through this filter to identify
##  messages it has processed.

# X-Header		No
X-Header		Yes
Commit	Line	Data
0f040c42 MK	1	##
	2	## dkim-filter.conf -- configuration file for DKIM filter
	3	##
	4	## $Id$
	5	##
	6
	7	## ADSPDiscard { yes \| no }
	8	## default "no"
	9	##
	10	## Reject messages which are determined to be "suspicious" according to the
	11	## sending domain's published signing procedure (ADSP) record if that record
	12	## also recommends rejection of such messages.
	13
	14	# ADSPDiscard No
	15
	16	## ADSPNoSuchDomain { yes \| no }
	17	## default "no"
	18	##
	19	## Reject messages which are determined to be from nonexistent domains during
	20	## the Author Domain Signing Practises (ADSP) check.
	21
	22	# ADSPNoSuchDomain No
	23
	24	## AllowSHA1Only { yes \| no }
	25	## default "no"
	26	##
	27	## By default, the filter will refuse to start if signing mode is enabled
	28	## but rsa-sha1 will be used (either because it is the only algorithm
	29	## available or because it was explicitly requested) since this violates
	30	## the strong recommendations of RFC4871 section 3.3.
	31
	32	# AllowSHA1Only no
	33
	34	## AlwaysAddARHeader { yes \| no }
	35	## default "no"
	36	##
	37	## Add an "Authentication-Results:" header even to unsigned messages
	38	## from domains with no "signs all" policy. The reported DKIM result
	39	## will be "none" in such cases. Normally unsigned mail from non-strict
	40	## domains does not cause the results header to be added.
	41
	42	# AlwaysAddARHeader no
	43
	44	## AlwaysSignHeaders header-list
	45	## default (none)
	46	##
	47	## Specifies a list of headers whose names should appear in signatures
	48	## whether or not they were signed, preventing their later addition.
	49
	50	# AlwaysSignHeaders header1,header2,...
	51
	52	## AuthservID string
	53	## default (local host name)
	54	##
	55	## Defines the "authserv-id" token to be used when generating
	56	## Authentication-Results headers after message verification.
	57
	58	# AuthservID example.com
	59
	60	## AuthservIDWithJobID
	61	## default "no"
	62	##
	63	## Appends a "/" followed by the MTA's job ID to the "authserv-id" token
	64	## when generating Authentication-Results headers after message verification.
65
66	# AuthservIDWithJobId no
67
68	## AutoRestart { yes \| no }
69	## default "no"
70	##
71	## Indicate whether or not the filter should arrange to restart automatically
72	## if it crashes.
73
74	# AutoRestart No
75
76	## AutoRestartCount n
77	## default 0
78	##
79	## Sets the maximum automatic restart count. After this number of
80	## automatic restarts, the filter will give up and terminate. A value of 0
81	## implies no limit.
82
83	# AutoRestartCount 0
84
85	## AutoRestartRate n/t[u]
86	## default (none)
87	##
88	## Sets the maximum automatic restart rate. See the dkim-filter.conf(5)
89	## man page for the format of this parameter.
90
91	# AutoRestartRate n/tu
92
93	## Background { yes \| no }
94	## default "yes"
95	##
96	## Indicate whether or not the filter should run in the background.
97
98	# Background Yes
99
100	## BaseDirectory path
101	## default (none)
102	##
103	## Causes the filter to change to the named directory before beginning
104	## operation. Thus, cores will be dumped here and configuration files
105	## are read relative to this location.
106
107	# BaseDirectory /var/run/dkim-filter
108
109	## BodyLengths { yes \| no }
110	## default "no"
111	##
112	## Indicate whether or not signatures with body length tags should be
113	## generated.
114
115	# BodyLengths No
116
117	## Canonicalization hdrcanon[/bodycanon]
118	## default "simple/simple"
119	##
120	## Select canonicalizations to use when signing. If the "bodycanon" is
121	## omitted, "simple" is used. Valid values for each are "simple" and
122	## "relaxed".
123
124	# Canonicalization simple/simple
125
126	## ClockDrift n
127	## default 300
128	##
129	## Specify the tolerance range for expired signatures or signatures
130	## which appear to have timestamps in the future, allowing for clock
131	## drift.
132
133	# ClockDrift 300
134
135	## Diagnostics { yes \| no }
136	## default "no"
137	##
138	## Specifies whether or not signatures with header diagnostic tags should
139	## be generated.
140
141	# Diagnostics No
142
143	## DNSTimeout n
144	## default 10
145	##
146	## Specify the time in seconds to wait for replies from the nameserver when
147	## requesting keys or signing policies.
148
149	# DNSTimeout 10
150
151	## Domain name[,...]
152	## default (none)
153	##
154	## Specify for which domain(s) signing should be done. No default; must
155	## be specified for signing.
156
157	Domain ant.gliwice.pl
158
159	## DontSignMailTo addrlist
160	## default (none)
161	##
162	## Gives a list of recipient addresses or address patterns whose mail should
163	## not be signed. Wildcard ("*") characters are allowed.
164
165	# DontSignMailTo addr1,addr2,...
166
167	## EnableCoredumps { yes \| no }
168	## default "no"
169	##
170	## On systems which have support for such, requests that the kernel dump
171	## core even though the process may change user ID during its execution.
172
173	# EnableCoredumps no
174
175	## ExternalIgnoreList filename
176	##
177	## Names a file from which a list of externally-trusted hosts is read.
178	## These are hosts which are allowed to send mail through you for signing.
179	## Automatically contains 127.0.0.1. See man page for file format.
180
181	# ExternalIgnoreList filename
182
183	## FixCRLF { yes \| no }
184	##
185	## Requests that the library convert "naked" CR and LF characters to
186	## CRLFs during canonicalization. The default is "no".
187
188	# FixCRLF no
189
190	## InternalHosts filename
191	##
192	## Names a file from which a list of internal hosts is read. These are
193	## hosts from which mail should be signed rather than verified.
194	## Automatically contains 127.0.0.1. See man page for file format.
195
196	# InternalHosts filename
197
198	## KeepTemporaryFiles { yes \| no }
199	## default "no"
200	##
201	## If set, causes temporary files generated during message signing or
202	## verifying to be left behind for debugging use. Not for normal operation;
203	## can fill your disks quite fast on busy systems.
204
205	# KeepTemporaryFiles no
206
207	## KeyFile filename
208	##
209	## Specifies the path to the private key to use when signing. Ignored if
210	## Keylist is set. No default; must be specified for signing.
211
212	KeyFile /etc/mail/dkim-milter/ant.gliwice.pl.key
213
214	## KeyList filename
215	##
216	## Specifies the path to the list of keys and signing domains to be applied
217	## by the signing filter. The entries in this file should be of the form:
218	##
219	## pattern:domain:keypath
220	##
221	## ...where "pattern" is a pattern of user@host to match, with "*" being
222	## allowed as a wildcard; "domain" is the signing domain; and "keypath"
223	## is the path to the private key to use to generate signatures for such
224	## users. The selector used will be the filename portion of "keypath".
225	## Blank lines are ignored, and the hash ("#") character is interpreted
226	## as the beginning of a comment. See dkim-filter.conf(5) for more
227	## information.
228
229	# KeyList /var/db/dkim/keylist
230
231	## LocalADSP filename
232	##
233	## Allows specification of local ADSP overrides for domains. This should be
234	## a path to a file containing entries, one per line, with comments and
235	## blank lines allowed. An entry is of the form "domain:policy" where
236	## "domain" is either a fully-qualified domain name (e.g. "foo.example.com")
237	## or a subdomain name preceded by a period (e.g. ".example.com"), and
238	## "policy" is either "unknown", "all", or "discardable", as per the current
239	## ADSP draft specification. This allows local overrides of policies to
240	## enforce for domains which either don't publish ADSP or publish weaker
241	## policies than the verifier would like to enforce.
242
243	# LocalADSP /etc/mail/local-adsp-rules
244
245	## LogWhy { yes \| no }
246	## default "no"
247	##
248	## If logging is enabled (see Syslog below), issues very detailed logging
249	## about the logic behind the filter's decision to either sign a message
250	## or verify it. The logic behind the decision is non-trivial and can be
251	## confusing to administrators not familiar with its operation. A
252	## description of how the decision is made can be found in the OPERATIONS
253	## section of the dkim-filter(8) man page. This causes a large increase
254	## in the amount of log data generated for each message, so it should be
255	## limited to debugging use and not enabled for general operation.
256
257	# LogWhy no
258
259	## MacroList macro[=value][,...]
260	##
261	## Gives a set of MTA-provided macros which should be checked to see
262	## if the sender has been determined to be a local user and therefore
263	## whether or not signing should be done. See dkim-filter.conf(5) for
264	## more information.
265
266	# MacroList foo=bar,baz=blivit
267
268	## MaximumHeaders n
269	##
270	## Disallow messages whose header blocks are bigger than "n" bytes.
271	## Intended to detect and block a denial-of-service attack. The default
272	## is 65536. A value of 0 disables this test.
273
274	# MaximumHeaders n
275
276	## MaximumSignedBytes n
277	##
278	## Don't sign more than "n" bytes of the message. The default is to
279	## sign the entire message. Setting this implies "BodyLengths".
280
281	# MaximumSignedBytes n
282
283	## MilterDebug n
284	##
285	## Request a debug level of "n" from the milter library. The default is 0.
286
287	# MilterDebug 0
288
289	## Minimum n[% \| +]
290	## default 0
291	##
292	## Sets a minimum signing volume; one of the following formats:
293	## n at least n bytes (or the whole message, whichever is less)
294	## must be signed
295	## n% at least n% of the message must be signed
296	## n+ if a length limit was presented in the signature, no more than
297	## n bytes may have been added
298
299	# Minimum n
300
301	## Mode [sv]
302	## default sv
303	##
304	## Indicates which mode(s) of operation should be provided. "s" means
305	## "sign", "v" means "verify".
306
307	# Mode sv
308	Mode s
309
310	## MTA mtaname[,...]
311	##
312	## Specifies a list of MTAs whos mail should always be signed rather than
313	## verified. The "mtaname" is extracted from the DaemonPortOptions line
314	## in effect.
315
316	# MTA name
317
318	## MustBeSigned
319	## default (none)
320	##
321	## Defines a list of headers which, if present on a message, must be
322	## signed for the signature to be considered acceptable.
323
324	# MustBeSigned header1,header2,...
325
326	## OmitHeaders headerlist
327	## default (none)
328	##
329	## Specifies a list of headers that should always be omitted when signing.
330	## Header names should be separated by commas.
331
332	# OmitHeaders header1,header2,...
333
334	## On-...
335	##
336	## Specifies what to do when certain error conditions are encountered.
337	##
338	## See dkim-filter.conf(5) for more information.
339
340	# On-Default
341	# On-BadSignature
342	# On-DNSError
343	# On-InternalError
344	# On-NoSignature
345	# On-Security
346
347	## PeerList filename
348	##
349	## Contains a list of IP addresses, CIDR blocks, hostnames or domain names
350	## whose mail should be neither signed nor verified by this filter. See man
351	## page for file format.
352
353	# PeerList filename
354
355	## PidFile filename
356	##
357	## Name of the file where the filter should write its pid before beginning
358	## normal operations.
359
360	# PidFile filename
361	PidFile /var/run/dkim-filter/dkim-filter.pid
362
363	## POPDBFile filename
364	##
365	## Names a database which should be checked for "POP before SMTP" records
366	## as a form of authentication of users who may be sending mail through
367	## the MTA for signing. Requires special compilation of the filter.
368	## See dkim-filter.conf(5) for more information.
369
370	# POPDBFile filename
371
372	## Quarantine { yes \| no }
373	## default "no"
374	##
375	## Indicates whether or not the filter should arrange to quarantine mail
376	## which fails verification. Intended for diagnostic use only.
377
378	# Quarantine No
379
380	## QueryCache { yes \| no }
381	## default "no"
382	##
383	## Instructs the DKIM library to maintain its own local cache of keys and
384	## policies retrieved from DNS, rather than relying on the nameserver for
385	## caching service. Useful if the nameserver being used by the filter is
386	## not local. The filter must be compiled with the QUERY_CACHE flag to enable
387	## this feature, since it adds a library dependency.
388
389	# QueryCache No
390
391	## RemoveARAll { yes \| no }
392	## default "no"
393	##
394	## Remove all Authentication-Results: headers on all arriving mail.
395
396	# RemoveARAll No
397
398	## RemoveARFrom list
399	## default (none)
400	##
401	## Remove all Authentication-Results: headers on all arriving mail that
402	## claim to have been added by hosts listed in this parameter. The list
403	## should be comma-separated. Entire domains may be specified by preceding
404	## the dopmain name by a single dot (".") character.
405
406	# RemoveARFrom host1,host2,.domain1,.domain2,...
407
408	## RemoveOldSignatures { yes \| no }
409	## default "no"
410	##
411	## Remove old signatures on messages, if any, when generating a signature.
412
413	# RemoveOldSignatures No
414
415	## ReportAddress addr
416	## default (executing user)
417	##
418	## Specifies the sending address to be used on From: headers of outgoing
419	## failure reports. By default, the e-mail address of the user executing
420	## the filter is used.
421
422	# ReportAddress postmaster@example.com
423
424	## RequiredHeaders { yes \| no }
425	## default no
426	##
427	## Rejects messages which don't conform to RFC2822 header count requirements.
428
429	# RequiredHeaders No
430
431	## Selector name
432	##
433	## The name of the selector to use when signing. No default; must be
434	## specified for signing.
435	## Selector is later used to select key from your domain record:
436	## mail._domainkey.your.domain.org. IN TXT "v=DKIM1; g=*; k=rsa; t=y; p=
437	Selector mail
438
439	## SendADSPReports { yes \| no }
440	## default "no"
441	##
442	## Specifies whether or not the filter should generate report mail back
443	## to senders when the ADSP (Author Domain Signing Practises) check fails for
444	## a message. See dkim-filter.conf(5) for details.
445
446	# SendADSPReports No
447
448	## SendReports { yes \| no }
449	## default "no"
450	##
451	## Specifies whether or not the filter should generate report mail back
452	## to senders when verification fails and an address for such a purpose
453	## is provided. See dkim-filter.conf(5) for details.
454
455	# SendReports No
456
457	## SignatureAlgorithm signalg
458	## default "rsa-sha256"
459	##
460	## Signature algorithm to use when generating signatures. Must be either
461	## "rsa-sha1" or "rsa-sha256".
462
463	# SignatureAlgorithm rsa-sha256
464
465	## SignatureTTL seconds
466	## default "0"
467	##
468	## Specifies the lifetime in seconds of signatures generated by the
469	## filter. A value of 0 means no expiration time is included in the
470	## signature.
471
472	# SignatureTTL 0
473
474	## SignHeaders header-list
475	## default (none)
476	##
477	## Specifies the list of headers which should be included when generating
478	## signatures. The string should be a comma-separated list of header names.
479	## See the dkim-filter.conf(5) man page for more information.
480
481	# SignHeaders header1,header2,...
482
483	## Socket socketspec
484	##
485	## Names the socket where this filter should listen for milter connections
486	## from the MTA. Required. Should be in one of these forms:
487	##
488	## inet:port@address to listen on a specific interface
489	## inet:port to listen on all interfaces
490	## local:/path/to/socket to listen on a UNIX domain socket
491
492	Socket local:/var/run/dkim-filter/dkim-filter.sock
493
494	## StrictTestMode { yes \| no }
495	## default "no"
496	##
497	## Selects strict CRLF mode during testing (see the "-t" command line
498	## flag in the dkim-filter(8) man page). Messages for which all header
499	## fields and body lines are not CRLF-terminated are considered malformed
500	## and will produce an error.
501
502	# StrictTestMode no
503
504	## SubDomains { yes \| no }
505	## default "no"
506	##
507	## Sign for subdomains as well?
508
509	# SubDomains No
510
511	## Syslog { yes \| no }
512	## default "no"
513	##
514	## Log informational and error activity to syslog?
515
516	# Syslog No
517	Syslog yes
518
519	## SyslogFacility facility
520	## default "mail"
521	##
522	## Valid values are :
523	## auth cron daemon kern lpr mail news security syslog user uucp
524	## local0 local1 local2 local3 local4 local5 local6 local7
525	##
526	## syslog facility to be used
527
528	# SyslogFacility mail
529	SyslogFacility mail
530
531	## SyslogSuccess { yes \| no }
532	## default "no"
533	##
534	## Log success activity to syslog?
535
536	SyslogSuccess No
537	# SyslogSuccess Yes # For tests mostly
538
539
540	## TemporaryDirectory path
541	## default /var/tmp
542	##
543	## Specifies which directory will be used for creating temporary files
544	## during message processing.
545
546	# TemporaryDirectory /var/tmp
547
548	## TestPublicKeys filename
549	## default (none)
550	##
551	## Names a file from which public keys should be read. Intended for use
552	## only during automated testing.
553
554	# TestPublicKeys /tmp/testkeys
555
556	## UMask mask
557	## default (none)
558	##
559	## Change the process umask for file creation to the specified value.
560	## The system has its own default which will be used (usually 022).
561	## See the umask(2) man page for more information.
562
563	# UMask 022
564	UMask 022
565
566	## Userid userid
567	## default (none)
568	##
569	## Change to user "userid" before starting normal operation? May include
570	## a group ID as well, separated from the userid by a colon.
571
572	# UserID userid
573	UserID 62 # Postfix, probably change to dkim-filter user
574
575	## X-Header { yes \| no }
576	## default "no"
577	##
578	## Add an X- header to messages passing through this filter to identify
579	## messages it has processed.
580
581	# X-Header No
582	X-Header Yes