## dkim-filter.conf -- configuration file for DKIM filter

## ADSPDiscard { yes | no }
##
## Reject messages which are determined to be "suspicious" according to the
## sending domain's published signing practices (ADSP) record if that record
## also recommends rejection of such messages.

## ADSPNoSuchDomain { yes | no }
##
## Reject messages which are determined to be from nonexistent domains during
## the Author Domain Signing Practices (ADSP) check.

## AllowSHA1Only { yes | no }
##
## By default, the filter will refuse to start if signing mode is enabled
## but rsa-sha1 would be used (either because it is the only algorithm
## available or because it was explicitly requested), since this violates
## the strong recommendations of RFC4871 section 3.3. Only set this to "yes"
## if the library you build against has no SHA-256 support at all.

## AlwaysAddARHeader { yes | no }
##
## Add an "Authentication-Results:" header even to unsigned messages
## from domains with no "signs all" policy. The reported DKIM result
## will be "none" in such cases. Normally unsigned mail from non-strict
## domains does not cause the results header to be added.
# AlwaysAddARHeader no

## AlwaysSignHeaders header-list
##
## Specifies a list of headers whose names should appear in the signature's
## "h=" tag whether or not they were present when the message was signed,
## preventing their later addition (RFC4871 section 5.4).
# AlwaysSignHeaders header1,header2,...

## AuthservID string
## default (local host name)
##
## Defines the "authserv-id" token to be used when generating
## Authentication-Results headers after message verification.
# AuthservID example.com

## AuthservIDWithJobID { yes | no }
##
## Appends a "/" followed by the MTA's job ID to the "authserv-id" token
## when generating Authentication-Results headers after message verification.
# AuthservIDWithJobID no
## AutoRestart { yes | no }
##
## Indicate whether or not the filter should arrange to restart automatically
## if it terminates abnormally.

## AutoRestartCount n
##
## Sets the maximum automatic restart count. After this number of
## automatic restarts, the filter will give up and terminate. A value of 0
## removes this limit.

## AutoRestartRate n/t[u]
##
## Sets the maximum automatic restart rate: at most "n" restarts within "t"
## units of time, where the optional unit "u" is s (seconds), m (minutes),
## h (hours), d (days) or w (weeks). See the dkim-filter.conf(5) man page
## for details.
# AutoRestartRate n/tu

## Background { yes | no }
##
## Indicate whether or not the filter should run in the background.

## BaseDirectory path
##
## Causes the filter to change to the named directory before beginning
## operation. Thus, cores will be dumped here and configuration files
## are read relative to this location.
# BaseDirectory /var/run/dkim-filter

## BodyLengths { yes | no }
##
## Indicate whether or not signatures with body length ("l=") tags should be
## accepted during verification. A body length tag lets anyone append
## arbitrary content to a signed message without invalidating the signature
## (RFC4871 section 8.2), so leave this off unless you need it.
## Canonicalization hdrcanon[/bodycanon]
## default "simple/simple"
##
## Select canonicalizations to use when signing. If the "bodycanon" is
## omitted, "simple" is used. Valid values for each are "simple" and
## "relaxed" (RFC4871 section 3.4). "simple" tolerates almost no change in
## transit; "relaxed" survives header refolding, case changes in field names
## and whitespace changes, which is why it is the usual choice for headers.
# Canonicalization simple/simple
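## The two canonicalizations, as an added example written for this page (it is
## not dkim-filter or libdkim code): a pure-Python rendering of RFC 4871
## section 3.4 for one header field and for a body, with a constructed sample
## showing that a refolded, recased header still matches under "relaxed" but
## not under "simple". All function names are this example's own.

```python
# Added example, not part of dkim-filter: RFC 4871 section 3.4 header and body
# canonicalization, applied to constructed input.
import re

def canon_header_simple(name: str, value: str) -> str:
    """simple: the field is used exactly as it appeared, folding included."""
    return f"{name}:{value}\r\n"

def canon_header_relaxed(name: str, value: str) -> str:
    """relaxed: lowercase the name, unfold, collapse runs of WSP to one SP,
    drop WSP at the end of the value and around the colon."""
    value = re.sub(r"\r\n[ \t]+", " ", value)   # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value)        # collapse whitespace runs
    return f"{name.lower()}:{value.strip()}\r\n"

def canon_body_simple(body: str) -> str:
    """simple: only trailing empty lines are removed; an empty body
    canonicalizes to a single CRLF."""
    body = re.sub(r"(\r\n)+\Z", "", body)
    return body + "\r\n"

def canon_body_relaxed(body: str) -> str:
    """relaxed: additionally strip trailing WSP on every line and collapse
    WSP runs inside lines; an empty body stays empty (no CRLF is added)."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t") for ln in body.split("\r\n")]
    body = re.sub(r"(\r\n)+\Z", "", "\r\n".join(lines))
    return body + "\r\n" if body else ""

def survives_rewrite(canon, original: tuple, rewritten: tuple) -> bool:
    """True if two (name, value) pairs canonicalize identically, i.e. a
    signature computed over the first still verifies over the second."""
    return canon(*original) == canon(*rewritten)

# Constructed sample: a Subject field as signed, and the same field after a
# downstream MTA refolded it and changed the case of the field name.
SIGNED = ("Subject", " DKIM   test\r\n message")
REFOLDED = ("subject", " DKIM test message")

if __name__ == "__main__":
    print("simple :", survives_rewrite(canon_header_simple, SIGNED, REFOLDED))
    print("relaxed:", survives_rewrite(canon_header_relaxed, SIGNED, REFOLDED))
```

## The empty-body difference is deliberate: RFC 4871 has "simple" produce one
## CRLF for an empty body while "relaxed" produces nothing, and the two body
## hashes differ accordingly.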
## ClockSkew n
##
## Specify the tolerance range, in seconds, for expired signatures or
## signatures which appear to have timestamps in the future, allowing for
## clock drift between the signer and this verifier.

## Diagnostics { yes | no }
##
## Specifies whether or not signatures with header diagnostic ("z=") tags should
## be generated, i.e. whether the signer copies the signed header fields into
## the signature to help debug verification failures.

## DNSTimeout n
##
## Specify the time in seconds to wait for replies from the nameserver when
## requesting keys or signing policies.

## Domain dom-list
##
## Specify for which domain(s) signing should be done. No default; must
## be specified for signing.
Domain ant.gliwice.pl

## DontSignMailTo addrlist
##
## Gives a list of recipient addresses or address patterns whose mail should
## not be signed. Wildcard ("*") characters are allowed.
# DontSignMailTo addr1,addr2,...

## EnableCoredumps { yes | no }
##
## On systems which have support for such, requests that the kernel dump
## core even though the process may change user ID during its execution.
## A core image contains the loaded private signing key, so keep this off
## outside of debugging.

## ExternalIgnoreList filename
##
## Names a file from which a list of externally-trusted hosts is read.
## These are hosts which are allowed to send mail through you for signing,
## so any host listed here can obtain your domain's signature on whatever
## it relays. Automatically contains 127.0.0.1. See man page for file format.
# ExternalIgnoreList filename

## FixCRLF { yes | no }
##
## Requests that the library convert "naked" CR and LF characters to
## CRLFs during canonicalization. The default is "no".

## InternalHosts filename
##
## Names a file from which a list of internal hosts is read. These are
## hosts from which mail should be signed rather than verified.
## Automatically contains 127.0.0.1. See man page for file format.
# InternalHosts filename

## KeepTemporaryFiles { yes | no }
##
## If set, causes temporary files generated during message signing or
## verifying to be left behind for debugging use. Not for normal operation;
## can fill your disks quite fast on busy systems.
# KeepTemporaryFiles no

## KeyFile filename
##
## Specifies the path to the private key to use when signing. Ignored if
## KeyList is set. No default; must be specified for signing. The file
## should be readable only by the user the filter runs as (see UserID).
KeyFile /etc/mail/dkim-milter/ant.gliwice.pl.key

## KeyList filename
##
## Specifies the path to the list of keys and signing domains to be applied
## by the signing filter. The entries in this file should be of the form:
##
##     pattern:domain:keypath
##
## ...where "pattern" is a pattern of user@host to match, with "*" being
## allowed as a wildcard; "domain" is the signing domain; and "keypath"
## is the path to the private key to use to generate signatures for such
## users. The selector used will be the filename portion of "keypath".
## Blank lines are ignored, and the hash ("#") character is interpreted
## as the beginning of a comment. See dkim-filter.conf(5) for more
## information.
# KeyList /var/db/dkim/keylist
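## How a KeyList entry maps a sender to a key and selector, as an added
## example written for this page (not dkim-filter code). It follows the
## "pattern:domain:keypath" format above; "first matching entry wins" and
## case-insensitive matching are this example's assumptions, not documented
## behaviour, and the sample file is constructed.

```python
# Added example, not part of dkim-filter: parse a KeyList file and resolve
# the signing key for a sender address.
import fnmatch
import os
from typing import List, NamedTuple, Optional, Tuple

class KeyEntry(NamedTuple):
    pattern: str   # user@host glob; "*" matches any run of characters
    domain: str    # the d= domain the signature will carry
    keypath: str   # private key file; its basename is used as the selector

def parse_keylist(text: str) -> List[KeyEntry]:
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # "#" starts a comment
        if not line:
            continue                             # blank lines are ignored
        parts = line.split(":")
        if len(parts) != 3 or not all(parts):
            raise ValueError(f"keylist line {lineno}: expected pattern:domain:keypath")
        entries.append(KeyEntry(*parts))
    return entries

def select_key(entries: List[KeyEntry], sender: str) -> Optional[Tuple[str, str, str]]:
    """(domain, selector, keypath) for the first entry whose pattern matches
    the sender, or None when nothing matches (assumption: first match wins)."""
    sender = sender.lower()
    for e in entries:
        if fnmatch.fnmatchcase(sender, e.pattern.lower()):
            return (e.domain, os.path.basename(e.keypath), e.keypath)
    return None

# Constructed sample keylist: a per-address key first, then catch-alls.
# The most specific pattern has to come first because the first match wins.
SAMPLE_KEYLIST = """
# alerts get their own key so it can be rotated or revoked on its own
alerts@example.com:example.com:/var/db/dkim/alerts
*@example.com:example.com:/var/db/dkim/mail        # selector "mail"
*@*.example.com:example.com:/var/db/dkim/sub
"""

if __name__ == "__main__":
    for addr in ("alerts@example.com", "bob@example.com", "bob@news.example.com", "x@other.org"):
        print(addr, "->", select_key(parse_keylist(SAMPLE_KEYLIST), addr))
```

## One caveat with this shortcut: fnmatch also gives "?" and "[...]" special
## meaning, while the documented wildcard is only "*"; a pattern containing
## those characters would need escaping.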
## LocalADSP filename
##
## Allows specification of local ADSP overrides for domains. This should be
## a path to a file containing entries, one per line, with comments and
## blank lines allowed. An entry is of the form "domain:policy" where
## "domain" is either a fully-qualified domain name (e.g. "foo.example.com")
## or a subdomain name preceded by a period (e.g. ".example.com"), and
## "policy" is either "unknown", "all", or "discardable", as per the current
## ADSP draft specification. This allows local overrides of policies to
## enforce for domains which either don't publish ADSP or publish weaker
## policies than the verifier would like to enforce. An override takes
## precedence over what the domain publishes, so a "discardable" entry
## together with "ADSPDiscard yes" rejects every message claiming that
## author domain that lacks a valid author signature.
# LocalADSP /etc/mail/local-adsp-rules
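## Resolving an author domain against a LocalADSP file, as an added example
## written for this page (not dkim-filter code). The "domain:policy" format
## is the one described above; the precedence rule (an exact entry beats a
## ".parent" entry, nearest ancestor first, and ".example.com" does not cover
## "example.com" itself) is this example's assumption, as is the sample file.

```python
# Added example, not part of dkim-filter: LocalADSP lookup and the resulting
# verifier action.
from typing import Dict, Optional

POLICIES = {"unknown", "all", "discardable"}

def parse_local_adsp(text: str) -> Dict[str, str]:
    rules = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        domain, sep, policy = line.rpartition(":")
        domain, policy = domain.strip().lower().rstrip("."), policy.strip().lower()
        if not sep or not domain or policy not in POLICIES:
            raise ValueError(f"local ADSP line {lineno}: bad entry {raw!r}")
        rules[domain] = policy
    return rules

def local_adsp_policy(rules: Dict[str, str], author_domain: str) -> Optional[str]:
    """Exact entry first, then walk up the labels looking for ".parent"
    entries, nearest ancestor first. None means no override: ask DNS."""
    d = author_domain.lower().rstrip(".")
    if d in rules:
        return rules[d]
    labels = d.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in rules:
            return rules[parent]
    return None

def adsp_action(policy: Optional[str], has_valid_author_sig: bool,
                adsp_discard: bool) -> str:
    """Only "discardable" without a valid author signature, with ADSPDiscard
    enabled, leads to rejection; an "all" failure is reported, not rejected."""
    if has_valid_author_sig or policy in (None, "unknown"):
        return "accept"
    if policy == "discardable" and adsp_discard:
        return "reject"
    return "accept-and-flag"

# Constructed sample override file for this example.
SAMPLE_RULES = """
# every host under example.com is expected to sign; two of them are strict
.example.com:all
mail.example.com:discardable
payroll.example.com:discardable
partner.example.org:unknown   # partner forwards mail; never enforce
"""

if __name__ == "__main__":
    rules = parse_local_adsp(SAMPLE_RULES)
    for dom in ("mail.example.com", "news.example.com", "example.com", "other.net"):
        pol = local_adsp_policy(rules, dom)
        print(dom, pol, adsp_action(pol, False, True))
```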
## LogWhy { yes | no }
##
## If logging is enabled (see Syslog below), issues very detailed logging
## about the logic behind the filter's decision to either sign a message
## or verify it. The logic behind the decision is non-trivial and can be
## confusing to administrators not familiar with its operation. A
## description of how the decision is made can be found in the OPERATIONS
## section of the dkim-filter(8) man page. This causes a large increase
## in the amount of log data generated for each message, so it should be
## limited to debugging use and not enabled for general operation.

## MacroList macro[=value][,...]
##
## Gives a set of MTA-provided macros which should be checked to see
## if the sender has been determined to be a local user and therefore
## whether or not signing should be done. See dkim-filter.conf(5) for
## more information.
# MacroList foo=bar,baz=blivit

## MaximumHeaders n
##
## Disallow messages whose header blocks are bigger than "n" bytes.
## Intended to detect and block a denial-of-service attack. The default
## is 65536. A value of 0 disables this test.

## MaximumSignedBytes n
##
## Don't sign more than "n" bytes of the message. The default is to
## sign the entire message. Setting this implies "BodyLengths", and so
## exposes your own signatures to the append-after-signing problem noted
## there.
# MaximumSignedBytes n

## MilterDebug n
##
## Request a debug level of "n" from the milter library. The default is 0.

## Minimum n | n% | n+
##
## Sets a minimum signing volume that a verified signature must cover;
## one of the following formats:
##   n    at least n bytes (or the whole message, whichever is less)
##        must be signed
##   n%   at least n% of the message must be signed
##   n+   if a length limit was presented in the signature, no more than
##        n bytes may have been added
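## The acceptance checks that BodyLengths, ClockSkew and Minimum control, as
## an added example written for this page (not dkim-filter or libdkim code),
## run over a constructed DKIM-Signature value. It decides only whether the
## signature's "l=", "t=" and "x=" tags are acceptable under those settings;
## it does not verify the cryptographic signature, and the b= and bh= values
## are filler.

```python
# Added example, not part of dkim-filter: l=/t=/x= policy checks.
import re
from typing import Dict, Optional

def parse_tags(header_value: str) -> Dict[str, str]:
    """DKIM tag=value list (RFC 4871 section 3.2): ';'-separated; folding
    whitespace inside values is insignificant and removed here."""
    tags = {}
    for item in header_value.split(";"):
        if "=" in item:
            name, value = item.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def check_body_length(tags: Dict[str, str], body_len: int,
                      body_lengths: bool, minimum: Optional[str]) -> Optional[str]:
    """None if acceptable, otherwise the reason. body_len is the size in
    bytes of the canonicalized body the verifier actually received."""
    l = tags.get("l")
    if l is not None and not body_lengths:
        return "l= tag present but BodyLengths is off"
    if l is not None and not l.isdigit():
        return "l= tag is not a number"
    signed = min(int(l), body_len) if l is not None else body_len
    if minimum is None:
        return None
    if minimum.endswith("%"):
        pct = int(minimum[:-1])
        if signed * 100 < pct * body_len:
            return f"only {signed} of {body_len} body bytes signed, need {pct}%"
    elif minimum.endswith("+"):
        allowed = int(minimum[:-1])
        if l is not None and body_len - int(l) > allowed:
            return f"{body_len - int(l)} bytes appended after the signed part, limit {allowed}"
    else:
        need = min(int(minimum), body_len)
        if signed < need:
            return f"only {signed} body bytes signed, need {need}"
    return None

def check_timestamps(tags: Dict[str, str], now: int, clock_skew: int) -> Optional[str]:
    """t= may be at most ClockSkew seconds in the future; x= may be at most
    ClockSkew seconds in the past; x= must be later than t= (RFC 4871 3.5)."""
    t = int(tags["t"]) if "t" in tags else None
    x = int(tags["x"]) if "x" in tags else None
    if t is not None and t > now + clock_skew:
        return "signature timestamp is in the future"
    if x is not None:
        if t is not None and x <= t:
            return "expiration is not after timestamp"
        if x < now - clock_skew:
            return "signature expired"
    return None

# Constructed DKIM-Signature value; b= and bh= are filler, not real digests.
SAMPLE_SIG = (
    "v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=mail;\r\n"
    "\tt=1700000000; x=1700003600; l=1024;\r\n"
    "\th=from:to:subject:date; bh=ZmlsbGVy; b=ZmlsbGVy"
)

if __name__ == "__main__":
    tags = parse_tags(SAMPLE_SIG)
    print(check_body_length(tags, 4096, body_lengths=True, minimum="50%"))
    print(check_timestamps(tags, now=1700004000, clock_skew=300))
```

## With the sample above and a 4096-byte body, only the first 1024 bytes are
## covered: "Minimum 50%" rejects it, "Minimum 100+" rejects it because 3072
## bytes follow the signed part, and with BodyLengths off the l= tag alone is
## enough to refuse the signature.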
## Mode modes
##
## Indicates which mode(s) of operation should be provided. "s" means
## "sign", "v" means "verify"; "sv" does both, choosing per message based
## on where the mail came from (see InternalHosts, MTA and MacroList).

## MTA mtaname[,...]
##
## Specifies a list of MTAs whose mail should always be signed rather than
## verified. The "mtaname" is extracted from the DaemonPortOptions line
## (its "Name=" part) of the sendmail daemon that accepted the connection
## and passed to the filter as the {daemon_name} macro.

## MustBeSigned header-list
##
## Defines a list of headers which, if present on a message, must be
## signed for the signature to be considered acceptable.
# MustBeSigned header1,header2,...

## OmitHeaders headerlist
##
## Specifies a list of headers that should always be omitted when signing.
## Header names should be separated by commas.
# OmitHeaders header1,header2,...

## On-Default action
## On-BadSignature action
## On-DNSError action
## On-InternalError action
## On-NoSignature action
## On-Security action
##
## Specifies what to do when certain error conditions are encountered:
## a signature that fails verification, a DNS failure while fetching a key,
## an internal error, a missing signature, and so on. On-Default covers any
## condition not set individually. See dkim-filter.conf(5) for the possible
## actions and their defaults.

## PeerList filename
##
## Contains a list of IP addresses, CIDR blocks, hostnames or domain names
## whose mail should be neither signed nor verified by this filter. See man
## page for file format.
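## The per-connection sign/verify/skip decision that LogWhy reports, reduced
## to the host-list inputs above, as an added example written for this page
## (not dkim-filter code). It accepts list entries as an IP address, a CIDR
## block, a hostname, or ".domain" for every host under a domain; checking
## PeerList before InternalHosts and MTA, and treating ".domain" as matching
## subdomains only, are this example's assumptions. The lists are constructed.

```python
# Added example, not part of dkim-filter: host-list matching and the
# resulting mode for one connection.
import ipaddress
from typing import Iterable, List, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
HostList = Tuple[List[Net], List[str]]

def parse_host_list(text: str) -> HostList:
    """Entries that parse as an address or CIDR block become networks;
    anything else is kept as a lowercased name without its trailing dot."""
    nets: List[Net] = []
    names: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            names.append(line.lower().rstrip("."))
    return nets, names

def host_matches(lst: HostList, ip: str, hostname: str) -> bool:
    nets, names = lst
    addr = ipaddress.ip_address(ip)
    if any(addr in n for n in nets):
        return True
    h = hostname.lower().rstrip(".")
    for n in names:
        if n.startswith("."):
            if h.endswith(n):          # assumption: ".d" covers hosts under d
                return True
        elif h == n:
            return True
    return False

def decide_mode(mode: str, peers: HostList, internal: HostList,
                mta_names: Iterable[str], ip: str, hostname: str,
                daemon_name: str) -> str:
    """"skip", "sign" or "verify" for a connection, given the Mode setting,
    the PeerList and InternalHosts contents and the MTA name list."""
    if host_matches(peers, ip, hostname):
        return "skip"
    if "s" in mode and (host_matches(internal, ip, hostname)
                        or daemon_name in set(mta_names)):
        return "sign"
    return "verify" if "v" in mode else "skip"

# Constructed sample lists (127.0.0.1 is listed explicitly here; the docs say
# the real InternalHosts includes it automatically).
INTERNAL = parse_host_list("""
127.0.0.1
10.0.0.0/8
.corp.example.com       # every host under corp.example.com
2001:db8::/32
""")
PEERS = parse_host_list("""
192.0.2.0/24            # partner relay: not ours to sign, not theirs to verify
listserv.example.org
""")

if __name__ == "__main__":
    print(decide_mode("sv", PEERS, INTERNAL, ["MSA"], "10.1.2.3", "ws01.corp.example.com", "MTA"))
```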
## PidFile filename
##
## Name of the file where the filter should write its pid before beginning
## normal operations.
PidFile /var/run/dkim-filter/dkim-filter.pid

## POPDBFile filename
##
## Names a database which should be checked for "POP before SMTP" records
## as a form of authentication of users who may be sending mail through
## the MTA for signing. Requires special compilation of the filter.
## See dkim-filter.conf(5) for more information.

## Quarantine { yes | no }
##
## Indicates whether or not the filter should arrange to quarantine mail
## which fails verification. Intended for diagnostic use only.

## QueryCache { yes | no }
##
## Instructs the DKIM library to maintain its own local cache of keys and
## policies retrieved from DNS, rather than relying on the nameserver for
## caching service. Useful if the nameserver being used by the filter is
## not local. The filter must be compiled with the QUERY_CACHE flag to enable
## this feature, since it adds a library dependency.

## RemoveARAll { yes | no }
##
## Remove all Authentication-Results: headers on all arriving mail.

## RemoveARFrom hostlist
##
## Remove all Authentication-Results: headers on all arriving mail that
## claim to have been added by hosts listed in this parameter. The list
## should be comma-separated. Entire domains may be specified by preceding
## the domain name by a single dot (".") character. At minimum, list your
## own AuthservID here: otherwise a sender can forge an
## "Authentication-Results:" header carrying your authserv-id, and any
## downstream filter that trusts it will believe the message passed
## (RFC5451 section 7).
# RemoveARFrom host1,host2,.domain1,.domain2,...
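## The RemoveARFrom check applied to an inbound header block, as an added
## example written for this page (not dkim-filter code). Each
## Authentication-Results field starts with the authserv-id, optionally
## followed by "/jobid" as AuthservIDWithJobID produces; a field is dropped
## when that id is a listed host or ends with a listed ".domain". Dropping the
## field is the documented behaviour; the parsing details and the sample
## headers are this example's own.

```python
# Added example, not part of dkim-filter: strip Authentication-Results
# fields that claim to come from our own verifier.
import re
from typing import List, Tuple

Header = Tuple[str, str]

def authserv_id(value: str) -> str:
    """authserv-id is the first token of the field value, before any
    whitespace or ';', with a trailing '/jobid' removed."""
    token = re.split(r"[;\s]", value.strip(), maxsplit=1)[0]
    return token.split("/", 1)[0].lower()

def removable(authserv: str, remove_from: List[str]) -> bool:
    for h in remove_from:
        h = h.strip().lower()
        if h.startswith("."):
            if authserv.endswith(h):
                return True
        elif authserv == h:
            return True
    return False

def strip_ar_headers(headers: List[Header], remove_from: List[str],
                     remove_all: bool = False) -> List[Header]:
    """RemoveARAll drops every field; RemoveARFrom drops those whose
    authserv-id matches the list. Everything else passes through untouched."""
    kept = []
    for name, value in headers:
        if name.lower() == "authentication-results":
            if remove_all or removable(authserv_id(value), remove_from):
                continue
        kept.append((name, value))
    return kept

# Constructed inbound header block: two fields forged to look like ours
# (one with a job id) and one genuine field from a partner relay.
INBOUND: List[Header] = [
    ("Authentication-Results", " mail.example.com; dkim=pass header.d=example.com"),
    ("Authentication-Results", " mx1.example.com/ABC123; dkim=pass"),
    ("Authentication-Results", " relay.partner.example; spf=pass"),
    ("From", " someone@example.com"),
]

if __name__ == "__main__":
    for h in strip_ar_headers(INBOUND, ["mail.example.com", ".example.com"]):
        print(h)
```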
## RemoveOldSignatures { yes | no }
##
## Remove old signatures on messages, if any, when generating a signature.
# RemoveOldSignatures No

## ReportAddress addr
## default (executing user)
##
## Specifies the sending address to be used on From: headers of outgoing
## failure reports. By default, the e-mail address of the user executing
## the filter is used.
# ReportAddress postmaster@example.com

## RequiredHeaders { yes | no }
##
## Rejects messages which don't conform to RFC2822 header count requirements.

## Selector name
##
## The name of the selector to use when signing. No default; must be
## specified for signing.
## The selector names the public key record under your domain, at
## <selector>._domainkey.<domain>; for a selector of "mail":
##   mail._domainkey.your.domain.org. IN TXT "v=DKIM1; g=*; k=rsa; t=y; p=<base64 public key>"
## "t=y" puts the key in test mode (RFC4871 section 3.6.1): verifiers must not
## treat signed mail from the domain differently from unsigned mail, so remove
## it once your signatures are known to verify. "g=*" is the default
## granularity and may be omitted.
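## Building the TXT record a selector points at, and linting one as published,
## as an added example written for this page (not dkim-filter code). The PEM
## body below is constructed filler, not a real key; the record syntax and the
## "t=" flags follow RFC 4871 section 3.6.1, and the 255-octet string limit is
## RFC 1035's limit on a TXT character-string.

```python
# Added example, not part of dkim-filter: DKIM key record construction and
# checks. SAMPLE_PEM is filler standing in for "openssl rsa -pubout" output.
import re
from typing import Dict, List

def pem_to_p_tag(pem: str) -> str:
    """Strip the armor and line breaks; p= carries the base64 public key."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    return "".join(ln for ln in lines if not ln.startswith("-----"))

def build_key_record(pem: str, testing: bool = False) -> str:
    return f"v=DKIM1; k=rsa; {'t=y; ' if testing else ''}p={pem_to_p_tag(pem)}"

def txt_strings(record: str, chunk: int = 255) -> List[str]:
    """A TXT character-string holds at most 255 octets, so a long key is
    published as several quoted strings that the verifier concatenates."""
    return [record[i:i + chunk] for i in range(0, len(record), chunk)]

def parse_key_record(strings: List[str]) -> Dict[str, str]:
    tags = {}
    for item in "".join(strings).split(";"):
        if "=" in item:
            name, value = item.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def lint_key_record(strings: List[str]) -> List[str]:
    """Problems a verifier, or an operator checking a zone, would flag."""
    tags = parse_key_record(strings)
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= present but not DKIM1")
    if tags.get("k", "rsa") != "rsa":
        problems.append(f"unsupported key type {tags.get('k')}")
    p = tags.get("p")
    if p is None:
        problems.append("no p= tag")
    elif p == "":
        problems.append("p= is empty: key has been revoked")
    elif not re.fullmatch(r"[A-Za-z0-9+/]+=*", p):
        problems.append("p= is not valid base64")
    if "y" in tags.get("t", "").split(":"):
        problems.append("t=y: domain is in test mode, failures are not enforced")
    if any(len(s) > 255 for s in strings):
        problems.append("a TXT string exceeds 255 octets")
    return problems

# Constructed filler: six 64-character base64 lines, as PEM would wrap them.
SAMPLE_PEM = "-----BEGIN PUBLIC KEY-----\n" + ("A" * 64 + "\n") * 6 + "-----END PUBLIC KEY-----\n"

if __name__ == "__main__":
    rec = build_key_record(SAMPLE_PEM, testing=True)
    strings = txt_strings(rec)
    print("mail._domainkey.example.com. IN TXT " + " ".join(f'"{s}"' for s in strings))
    print(lint_key_record(strings))
```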
## SendADSPReports { yes | no }
##
## Specifies whether or not the filter should generate report mail back
## to senders when the ADSP (Author Domain Signing Practices) check fails for
## a message. See dkim-filter.conf(5) for details.

## SendReports { yes | no }
##
## Specifies whether or not the filter should generate report mail back
## to senders when verification fails and an address for such a purpose
## is provided. See dkim-filter.conf(5) for details.

## SignatureAlgorithm signalg
## default "rsa-sha256"
##
## Signature algorithm to use when generating signatures. Must be either
## "rsa-sha1" or "rsa-sha256". Use rsa-sha256; the filter only starts with
## rsa-sha1 if AllowSHA1Only is set (see above).
# SignatureAlgorithm rsa-sha256

## SignatureTTL seconds
##
## Specifies the lifetime in seconds of signatures generated by the
## filter. A value of 0 means no expiration time ("x=" tag) is included in
## the signature.

## SignHeaders header-list
##
## Specifies the list of headers which should be included when generating
## signatures. The string should be a comma-separated list of header names.
## See the dkim-filter.conf(5) man page for more information. "From:" must
## always be among them (RFC4871 section 5.4).
# SignHeaders header1,header2,...

## Socket socketspec
##
## Names the socket where this filter should listen for milter connections
## from the MTA. Required. Should be in one of these forms:
##
##   inet:port@address      to listen on a specific interface
##   inet:port              to listen on all interfaces
##   local:/path/to/socket  to listen on a UNIX domain socket
##
## The milter protocol carries no authentication, so anything able to reach
## an inet socket can have the filter sign a message. Prefer a local socket,
## or bind to loopback (inet:port@127.0.0.1) when the MTA is on the same host.
Socket local:/var/run/dkim-filter/dkim-filter.sock

## StrictTestMode { yes | no }
##
## Selects strict CRLF mode during testing (see the "-t" command line
## flag in the dkim-filter(8) man page). Messages for which all header
## fields and body lines are not CRLF-terminated are considered malformed
## and will produce an error.

## SubDomains { yes | no }
##
## Sign for subdomains as well?

## Syslog { yes | no }
##
## Log informational and error activity to syslog?

## SyslogFacility facility
##
## Valid values are:
##   auth cron daemon kern lpr mail news security syslog user uucp
##   local0 local1 local2 local3 local4 local5 local6 local7
##
## syslog facility to be used
# SyslogFacility mail

## SyslogSuccess { yes | no }
##
## Log success activity to syslog?
# SyslogSuccess Yes # For tests mostly

## TemporaryDirectory path
##
## Specifies which directory will be used for creating temporary files
## during message processing.
# TemporaryDirectory /var/tmp

## TestPublicKeys filename
##
## Names a file from which public keys should be read. Intended for use
## only during automated testing.
# TestPublicKeys /tmp/testkeys

## UMask mask
##
## Change the process umask for file creation to the specified value.
## The system has its own default which will be used (usually 022).
## See the umask(2) man page for more information.

## UserID userid[:group]
##
## Change to user "userid" before starting normal operation? May include
## a group ID as well, separated from the userid by a colon. Use a dedicated
## unprivileged user that can read the KeyFile; the private key should not
## be readable by the MTA's own user.
UserID 62 # Postfix, probably change to dkim-filter user

## X-Header { yes | no }
##
## Add an X- header to messages passing through this filter to identify
## messages it has processed.