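##
## dkim-filter.conf -- configuration file for DKIM filter
##
## $Id$
##
## Conventions used in this file:
##   "##" lines document a directive; "#" lines are commented-out examples.
##   Directives are written as "Name value" (no "=" sign).
##   Keep comments on their own line: a "#" following a value on the same
##   line is not guaranteed to be stripped by the parser (check
##   dkim-filter.conf(5) before relying on it).
##

## ADSPDiscard { yes | no }
## default "no"
##
## Reject messages which are determined to be "suspicious" according to the
## sending domain's published signing procedure (ADSP) record if that record
## also recommends rejection of such messages.

# ADSPDiscard No

## ADSPNoSuchDomain { yes | no }
## default "no"
##
## Reject messages which are determined to be from nonexistent domains during
## the Author Domain Signing Practices (ADSP) check.

# ADSPNoSuchDomain No

## AllowSHA1Only { yes | no }
## default "no"
##
## By default, the filter will refuse to start if signing mode is enabled
## but rsa-sha1 will be used (either because it is the only algorithm
## available or because it was explicitly requested) since this violates
## the strong recommendations of RFC4871 section 3.3.

# AllowSHA1Only no

## AlwaysAddARHeader { yes | no }
## default "no"
##
## Add an "Authentication-Results:" header even to unsigned messages
## from domains with no "signs all" policy. The reported DKIM result
## will be "none" in such cases. Normally unsigned mail from non-strict
## domains does not cause the results header to be added.

# AlwaysAddARHeader no

## AlwaysSignHeaders header-list
## default (none)
##
## Specifies a list of headers whose names should appear in signatures
## whether or not they were signed, preventing their later addition.

# AlwaysSignHeaders header1,header2,...

## AuthservID string
## default (local host name)
##
## Defines the "authserv-id" token to be used when generating
## Authentication-Results headers after message verification.

# AuthservID example.com

## AuthservIDWithJobID
## default "no"
##
## Appends a "/" followed by the MTA's job ID to the "authserv-id" token
## when generating Authentication-Results headers after message verification.

# AuthservIDWithJobID no

## AutoRestart { yes | no }
## default "no"
##
## Indicate whether or not the filter should arrange to restart automatically
## if it crashes.

# AutoRestart No

## AutoRestartCount n
## default 0
##
## Sets the maximum automatic restart count. After this number of
## automatic restarts, the filter will give up and terminate. A value of 0
## implies no limit.

# AutoRestartCount 0

## AutoRestartRate n/t[u]
## default (none)
##
## Sets the maximum automatic restart rate. See the dkim-filter.conf(5)
## man page for the format of this parameter.

# AutoRestartRate n/tu

## Background { yes | no }
## default "yes"
##
## Indicate whether or not the filter should run in the background.

# Background Yes

## BaseDirectory path
## default (none)
##
## Causes the filter to change to the named directory before beginning
## operation. Thus, cores will be dumped here and configuration files
## are read relative to this location.

# BaseDirectory /var/run/dkim-filter

## BodyLengths { yes | no }
## default "no"
##
## Indicate whether or not signatures with body length tags should be
## generated.

# BodyLengths No

## Canonicalization hdrcanon[/bodycanon]
## default "simple/simple"
##
## Select canonicalizations to use when signing. If the "bodycanon" is
## omitted, "simple" is used. Valid values for each are "simple" and
## "relaxed".

# Canonicalization simple/simple

## ClockDrift n
## default 300
##
## Specify the tolerance range (in seconds) for expired signatures or
## signatures which appear to have timestamps in the future, allowing for
## clock drift.

# ClockDrift 300

## Diagnostics { yes | no }
## default "no"
##
## Specifies whether or not signatures with header diagnostic tags should
## be generated.

# Diagnostics No

## DNSTimeout n
## default 10
##
## Specify the time in seconds to wait for replies from the nameserver when
## requesting keys or signing policies.

# DNSTimeout 10

## Domain name[,...]
## default (none)
##
## Specify for which domain(s) signing should be done. No default; must
## be specified for signing.

Domain ant.gliwice.pl

## DontSignMailTo addrlist
## default (none)
##
## Gives a list of recipient addresses or address patterns whose mail should
## not be signed. Wildcard ("*") characters are allowed.

# DontSignMailTo addr1,addr2,...

## EnableCoredumps { yes | no }
## default "no"
##
## On systems which have support for such, requests that the kernel dump
## core even though the process may change user ID during its execution.

# EnableCoredumps no

## ExternalIgnoreList filename
##
## Names a file from which a list of externally-trusted hosts is read.
## These are hosts which are allowed to send mail through you for signing.
## Automatically contains 127.0.0.1. See man page for file format.

# ExternalIgnoreList filename

## FixCRLF { yes | no }
##
## Requests that the library convert "naked" CR and LF characters to
## CRLFs during canonicalization. The default is "no".

# FixCRLF no

## InternalHosts filename
##
## Names a file from which a list of internal hosts is read. These are
## hosts from which mail should be signed rather than verified.
## Automatically contains 127.0.0.1. See man page for file format.

# InternalHosts filename

## KeepTemporaryFiles { yes | no }
## default "no"
##
## If set, causes temporary files generated during message signing or
## verifying to be left behind for debugging use. Not for normal operation;
## can fill your disks quite fast on busy systems.

# KeepTemporaryFiles no

## KeyFile filename
##
## Specifies the path to the private key to use when signing. Ignored if
## KeyList is set. No default; must be specified for signing.
##
## This file is the signing secret: keep it owned by the account named in
## UserID below, with mode 0600, so that no other local account can read it.

KeyFile /etc/mail/dkim-milter/ant.gliwice.pl.key

## KeyList filename
##
## Specifies the path to the list of keys and signing domains to be applied
## by the signing filter. The entries in this file should be of the form:
##
## pattern:domain:keypath
##
## ...where "pattern" is a pattern of user@host to match, with "*" being
## allowed as a wildcard; "domain" is the signing domain; and "keypath"
## is the path to the private key to use to generate signatures for such
## users. The selector used will be the filename portion of "keypath".
## Blank lines are ignored, and the hash ("#") character is interpreted
## as the beginning of a comment. See dkim-filter.conf(5) for more
## information.

# KeyList /var/db/dkim/keylist

## LocalADSP filename
##
## Allows specification of local ADSP overrides for domains. This should be
## a path to a file containing entries, one per line, with comments and
## blank lines allowed. An entry is of the form "domain:policy" where
## "domain" is either a fully-qualified domain name (e.g. "foo.example.com")
## or a subdomain name preceded by a period (e.g. ".example.com"), and
## "policy" is either "unknown", "all", or "discardable", as per the current
## ADSP draft specification. This allows local overrides of policies to
## enforce for domains which either don't publish ADSP or publish weaker
## policies than the verifier would like to enforce.

# LocalADSP /etc/mail/local-adsp-rules

## LogWhy { yes | no }
## default "no"
##
## If logging is enabled (see Syslog below), issues very detailed logging
## about the logic behind the filter's decision to either sign a message
## or verify it. The logic behind the decision is non-trivial and can be
## confusing to administrators not familiar with its operation. A
## description of how the decision is made can be found in the OPERATIONS
## section of the dkim-filter(8) man page. This causes a large increase
## in the amount of log data generated for each message, so it should be
## limited to debugging use and not enabled for general operation.

# LogWhy no

## MacroList macro[=value][,...]
##
## Gives a set of MTA-provided macros which should be checked to see
## if the sender has been determined to be a local user and therefore
## whether or not signing should be done. See dkim-filter.conf(5) for
## more information.

# MacroList foo=bar,baz=blivit

## MaximumHeaders n
##
## Disallow messages whose header blocks are bigger than "n" bytes.
## Intended to detect and block a denial-of-service attack. The default
## is 65536. A value of 0 disables this test.

# MaximumHeaders n

## MaximumSignedBytes n
##
## Don't sign more than "n" bytes of the message. The default is to
## sign the entire message. Setting this implies "BodyLengths".

# MaximumSignedBytes n

## MilterDebug n
##
## Request a debug level of "n" from the milter library. The default is 0.

# MilterDebug 0

## Minimum n[% | +]
## default 0
##
## Sets a minimum signing volume; one of the following formats:
## n at least n bytes (or the whole message, whichever is less)
## must be signed
## n% at least n% of the message must be signed
## n+ if a length limit was presented in the signature, no more than
## n bytes may have been added

# Minimum n

## Mode [sv]
## default sv
##
## Indicates which mode(s) of operation should be provided. "s" means
## "sign", "v" means "verify".

# Mode sv
Mode s

## MTA mtaname[,...]
##
## Specifies a list of MTAs whose mail should always be signed rather than
## verified. The "mtaname" is extracted from the DaemonPortOptions line
## in effect.

# MTA name

## MustBeSigned
## default (none)
##
## Defines a list of headers which, if present on a message, must be
## signed for the signature to be considered acceptable.

# MustBeSigned header1,header2,...

## OmitHeaders headerlist
## default (none)
##
## Specifies a list of headers that should always be omitted when signing.
## Header names should be separated by commas.

# OmitHeaders header1,header2,...

## On-...
##
## Specifies what to do when certain error conditions are encountered.
##
## See dkim-filter.conf(5) for more information.

# On-Default
# On-BadSignature
# On-DNSError
# On-InternalError
# On-NoSignature
# On-Security

## PeerList filename
##
## Contains a list of IP addresses, CIDR blocks, hostnames or domain names
## whose mail should be neither signed nor verified by this filter. See man
## page for file format.

# PeerList filename

## PidFile filename
##
## Name of the file where the filter should write its pid before beginning
## normal operations.

# PidFile filename
PidFile /var/run/dkim-filter/dkim-filter.pid

## POPDBFile filename
##
## Names a database which should be checked for "POP before SMTP" records
## as a form of authentication of users who may be sending mail through
## the MTA for signing. Requires special compilation of the filter.
## See dkim-filter.conf(5) for more information.

# POPDBFile filename

## Quarantine { yes | no }
## default "no"
##
## Indicates whether or not the filter should arrange to quarantine mail
## which fails verification. Intended for diagnostic use only.

# Quarantine No

## QueryCache { yes | no }
## default "no"
##
## Instructs the DKIM library to maintain its own local cache of keys and
## policies retrieved from DNS, rather than relying on the nameserver for
## caching service. Useful if the nameserver being used by the filter is
## not local. The filter must be compiled with the QUERY_CACHE flag to enable
## this feature, since it adds a library dependency.

# QueryCache No

## RemoveARAll { yes | no }
## default "no"
##
## Remove all Authentication-Results: headers on all arriving mail.

# RemoveARAll No

## RemoveARFrom list
## default (none)
##
## Remove all Authentication-Results: headers on all arriving mail that
## claim to have been added by hosts listed in this parameter. The list
## should be comma-separated. Entire domains may be specified by preceding
## the domain name by a single dot (".") character.

# RemoveARFrom host1,host2,.domain1,.domain2,...

## RemoveOldSignatures { yes | no }
## default "no"
##
## Remove old signatures on messages, if any, when generating a signature.

# RemoveOldSignatures No

## ReportAddress addr
## default (executing user)
##
## Specifies the sending address to be used on From: headers of outgoing
## failure reports. By default, the e-mail address of the user executing
## the filter is used.

# ReportAddress postmaster@example.com

## RequiredHeaders { yes | no }
## default no
##
## Rejects messages which don't conform to RFC2822 header count requirements.

# RequiredHeaders No

## Selector name
##
## The name of the selector to use when signing. No default; must be
## specified for signing.
## The selector names the DNS record from which verifiers fetch the public
## key for your domain, e.g.:
##   mail._domainkey.your.domain.org. IN TXT "v=DKIM1; g=*; k=rsa; t=y; p=<base64 public key>"
## Note: "t=y" marks the domain as being in DKIM test mode, which tells
## verifiers to treat mail no differently from unsigned mail even when the
## signature fails; remove it once signing is confirmed to work.
Selector mail

## SendADSPReports { yes | no }
## default "no"
##
## Specifies whether or not the filter should generate report mail back
## to senders when the ADSP (Author Domain Signing Practices) check fails for
## a message. See dkim-filter.conf(5) for details.

# SendADSPReports No

## SendReports { yes | no }
## default "no"
##
## Specifies whether or not the filter should generate report mail back
## to senders when verification fails and an address for such a purpose
## is provided. See dkim-filter.conf(5) for details.

# SendReports No

## SignatureAlgorithm signalg
## default "rsa-sha256"
##
## Signature algorithm to use when generating signatures. Must be either
## "rsa-sha1" or "rsa-sha256".

# SignatureAlgorithm rsa-sha256

## SignatureTTL seconds
## default "0"
##
## Specifies the lifetime in seconds of signatures generated by the
## filter. A value of 0 means no expiration time is included in the
## signature.

# SignatureTTL 0

## SignHeaders header-list
## default (none)
##
## Specifies the list of headers which should be included when generating
## signatures. The string should be a comma-separated list of header names.
## See the dkim-filter.conf(5) man page for more information.

# SignHeaders header1,header2,...

## Socket socketspec
##
## Names the socket where this filter should listen for milter connections
## from the MTA. Required. Should be in one of these forms:
##
## inet:port@address to listen on a specific interface
## inet:port to listen on all interfaces
## local:/path/to/socket to listen on a UNIX domain socket

Socket local:/var/run/dkim-filter/dkim-filter.sock

## StrictTestMode { yes | no }
## default "no"
##
## Selects strict CRLF mode during testing (see the "-t" command line
## flag in the dkim-filter(8) man page). Messages for which all header
## fields and body lines are not CRLF-terminated are considered malformed
## and will produce an error.

# StrictTestMode no

## SubDomains { yes | no }
## default "no"
##
## Sign for subdomains as well?

# SubDomains No

## Syslog { yes | no }
## default "no"
##
## Log informational and error activity to syslog?

# Syslog No
Syslog yes

## SyslogFacility facility
## default "mail"
##
## Valid values are :
## auth cron daemon kern lpr mail news security syslog user uucp
## local0 local1 local2 local3 local4 local5 local6 local7
##
## syslog facility to be used

# SyslogFacility mail
SyslogFacility mail

## SyslogSuccess { yes | no }
## default "no"
##
## Log success activity to syslog?

SyslogSuccess No
## For tests mostly:
# SyslogSuccess Yes


## TemporaryDirectory path
## default /var/tmp
##
## Specifies which directory will be used for creating temporary files
## during message processing.

# TemporaryDirectory /var/tmp

## TestPublicKeys filename
## default (none)
##
## Names a file from which public keys should be read. Intended for use
## only during automated testing.

# TestPublicKeys /tmp/testkeys

## UMask mask
## default (none)
##
## Change the process umask for file creation to the specified value.
## The system has its own default which will be used (usually 022).
## See the umask(2) man page for more information.

# UMask 022
UMask 022

## Userid userid
## default (none)
##
## Change to user "userid" before starting normal operation? May include
## a group ID as well, separated from the userid by a colon.
##
## The filter changes to this user before normal operation, so the KeyFile
## above has to be readable by it (and ideally by nobody else). Prefer a
## dedicated, unprivileged account for the filter over sharing the MTA's
## account, so that the MTA cannot read the signing key and the filter
## cannot touch the MTA's files.

# UserID userid
## 62 is the Postfix user here; probably change to a dedicated dkim-filter user
UserID 62

## X-Header { yes | no }
## default "no"
##
## Add an X- header to messages passing through this filter to identify
## messages it has processed.

# X-Header No
X-Header Yes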