+##
+## dkim-filter.conf -- configuration file for DKIM filter
+##
+## $Id$
+##
+
+## ADSPDiscard { yes | no }
+## default "no"
+##
+## Reject messages which are determined to be "suspicious" according to the
+## sending domain's published signing procedure (ADSP) record if that record
+## also recommends rejection of such messages.
+
+# ADSPDiscard No
+
+## ADSPNoSuchDomain { yes | no }
+## default "no"
+##
+## Reject messages which are determined to be from nonexistent domains during
+## the Author Domain Signing Practises (ADSP) check.
+
+# ADSPNoSuchDomain No
+
+## AllowSHA1Only { yes | no }
+## default "no"
+##
+## By default, the filter will refuse to start if signing mode is enabled
+## but rsa-sha1 will be used (either because it is the only algorithm
+## available or because it was explicitly requested) since this violates
+## the strong recommendations of RFC4871 section 3.3.
+
+# AllowSHA1Only no
+
+## AlwaysAddARHeader { yes | no }
+## default "no"
+##
+## Add an "Authentication-Results:" header even to unsigned messages
+## from domains with no "signs all" policy. The reported DKIM result
+## will be "none" in such cases. Normally unsigned mail from non-strict
+## domains does not cause the results header to be added.
+
+# AlwaysAddARHeader no
+
+## AlwaysSignHeaders header-list
+## default (none)
+##
+## Specifies a list of headers whose names should appear in signatures
+## whether or not they were signed, preventing their later addition.
+
+# AlwaysSignHeaders header1,header2,...
+
+## AuthservID string
+## default (local host name)
+##
+## Defines the "authserv-id" token to be used when generating
+## Authentication-Results headers after message verification.
+
+# AuthservID example.com
+
+## AuthservIDWithJobID
+## default "no"
+##
+## Appends a "/" followed by the MTA's job ID to the "authserv-id" token
+## when generating Authentication-Results headers after message verification.
+
+# AuthservIDWithJobId no
+
+## AutoRestart { yes | no }
+## default "no"
+##
+## Indicate whether or not the filter should arrange to restart automatically
+## if it crashes.
+
+# AutoRestart No
+
+## AutoRestartCount n
+## default 0
+##
+## Sets the maximum automatic restart count. After this number of
+## automatic restarts, the filter will give up and terminate. A value of 0
+## implies no limit.
+
+# AutoRestartCount 0
+
+## AutoRestartRate n/t[u]
+## default (none)
+##
+## Sets the maximum automatic restart rate. See the dkim-filter.conf(5)
+## man page for the format of this parameter.
+
+# AutoRestartRate n/tu
+
+## Background { yes | no }
+## default "yes"
+##
+## Indicate whether or not the filter should run in the background.
+
+# Background Yes
+
+## BaseDirectory path
+## default (none)
+##
+## Causes the filter to change to the named directory before beginning
+## operation. Thus, cores will be dumped here and configuration files
+## are read relative to this location.
+
+# BaseDirectory /var/run/dkim-filter
+
+## BodyLengths { yes | no }
+## default "no"
+##
+## Indicate whether or not signatures with body length tags should be
+## generated.
+
+# BodyLengths No
+
+## Canonicalization hdrcanon[/bodycanon]
+## default "simple/simple"
+##
+## Select canonicalizations to use when signing. If the "bodycanon" is
+## omitted, "simple" is used. Valid values for each are "simple" and
+## "relaxed".
+
+# Canonicalization simple/simple
+
+## ClockDrift n
+## default 300
+##
+## Specify the tolerance range for expired signatures or signatures
+## which appear to have timestamps in the future, allowing for clock
+## drift.
+
+# ClockDrift 300
+
+## Diagnostics { yes | no }
+## default "no"
+##
+## Specifies whether or not signatures with header diagnostic tags should
+## be generated.
+
+# Diagnostics No
+
+## DNSTimeout n
+## default 10
+##
+## Specify the time in seconds to wait for replies from the nameserver when
+## requesting keys or signing policies.
+
+# DNSTimeout 10
+
+## Domain name[,...]
+## default (none)
+##
+## Specify for which domain(s) signing should be done. No default; must
+## be specified for signing.
+
+Domain ant.gliwice.pl
+
+## DontSignMailTo addrlist
+## default (none)
+##
+## Gives a list of recipient addresses or address patterns whose mail should
+## not be signed. Wildcard ("*") characters are allowed.
+
+# DontSignMailTo addr1,addr2,...
+
+## EnableCoredumps { yes | no }
+## default "no"
+##
+## On systems which have support for such, requests that the kernel dump
+## core even though the process may change user ID during its execution.
+
+# EnableCoredumps no
+
+## ExternalIgnoreList filename
+##
+## Names a file from which a list of externally-trusted hosts is read.
+## These are hosts which are allowed to send mail through you for signing.
+## Automatically contains 127.0.0.1. See man page for file format.
+
+# ExternalIgnoreList filename
+
+## FixCRLF { yes | no }
+##
+## Requests that the library convert "naked" CR and LF characters to
+## CRLFs during canonicalization. The default is "no".
+
+# FixCRLF no
+
+## InternalHosts filename
+##
+## Names a file from which a list of internal hosts is read. These are
+## hosts from which mail should be signed rather than verified.
+## Automatically contains 127.0.0.1. See man page for file format.
+
+# InternalHosts filename
+
+## KeepTemporaryFiles { yes | no }
+## default "no"
+##
+## If set, causes temporary files generated during message signing or
+## verifying to be left behind for debugging use. Not for normal operation;
+## can fill your disks quite fast on busy systems.
+
+# KeepTemporaryFiles no
+
+## KeyFile filename
+##
+## Specifies the path to the private key to use when signing. Ignored if
+## Keylist is set. No default; must be specified for signing.
+
+KeyFile /etc/mail/dkim-milter/ant.gliwice.pl.key
+
+## KeyList filename
+##
+## Specifies the path to the list of keys and signing domains to be applied
+## by the signing filter. The entries in this file should be of the form:
+##
+## pattern:domain:keypath
+##
+## ...where "pattern" is a pattern of user@host to match, with "*" being
+## allowed as a wildcard; "domain" is the signing domain; and "keypath"
+## is the path to the private key to use to generate signatures for such
+## users. The selector used will be the filename portion of "keypath".
+## Blank lines are ignored, and the hash ("#") character is interpreted
+## as the beginning of a comment. See dkim-filter.conf(5) for more
+## information.
+
+# KeyList /var/db/dkim/keylist
+
+## LocalADSP filename
+##
+## Allows specification of local ADSP overrides for domains. This should be
+## a path to a file containing entries, one per line, with comments and
+## blank lines allowed. An entry is of the form "domain:policy" where
+## "domain" is either a fully-qualified domain name (e.g. "foo.example.com")
+## or a subdomain name preceded by a period (e.g. ".example.com"), and
+## "policy" is either "unknown", "all", or "discardable", as per the current
+## ADSP draft specification. This allows local overrides of policies to
+## enforce for domains which either don't publish ADSP or publish weaker
+## policies than the verifier would like to enforce.
+
+# LocalADSP /etc/mail/local-adsp-rules
+
+## LogWhy { yes | no }
+## default "no"
+##
+## If logging is enabled (see Syslog below), issues very detailed logging
+## about the logic behind the filter's decision to either sign a message
+## or verify it. The logic behind the decision is non-trivial and can be
+## confusing to administrators not familiar with its operation. A
+## description of how the decision is made can be found in the OPERATIONS
+## section of the dkim-filter(8) man page. This causes a large increase
+## in the amount of log data generated for each message, so it should be
+## limited to debugging use and not enabled for general operation.
+
+# LogWhy no
+
+## MacroList macro[=value][,...]
+##
+## Gives a set of MTA-provided macros which should be checked to see
+## if the sender has been determined to be a local user and therefore
+## whether or not signing should be done. See dkim-filter.conf(5) for
+## more information.
+
+# MacroList foo=bar,baz=blivit
+
+## MaximumHeaders n
+##
+## Disallow messages whose header blocks are bigger than "n" bytes.
+## Intended to detect and block a denial-of-service attack. The default
+## is 65536. A value of 0 disables this test.
+
+# MaximumHeaders n
+
+## MaximumSignedBytes n
+##
+## Don't sign more than "n" bytes of the message. The default is to
+## sign the entire message. Setting this implies "BodyLengths".
+
+# MaximumSignedBytes n
+
+## MilterDebug n
+##
+## Request a debug level of "n" from the milter library. The default is 0.
+
+# MilterDebug 0
+
+## Minimum n[% | +]
+## default 0
+##
+## Sets a minimum signing volume; one of the following formats:
+## n at least n bytes (or the whole message, whichever is less)
+## must be signed
+## n% at least n% of the message must be signed
+## n+ if a length limit was presented in the signature, no more than
+## n bytes may have been added
+
+# Minimum n
+
+## Mode [sv]
+## default sv
+##
+## Indicates which mode(s) of operation should be provided. "s" means
+## "sign", "v" means "verify".
+
+# Mode sv
+Mode s
+
+## MTA mtaname[,...]
+##
+## Specifies a list of MTAs whos mail should always be signed rather than
+## verified. The "mtaname" is extracted from the DaemonPortOptions line
+## in effect.
+
+# MTA name
+
+## MustBeSigned
+## default (none)
+##
+## Defines a list of headers which, if present on a message, must be
+## signed for the signature to be considered acceptable.
+
+# MustBeSigned header1,header2,...
+
+## OmitHeaders headerlist
+## default (none)
+##
+## Specifies a list of headers that should always be omitted when signing.
+## Header names should be separated by commas.
+
+# OmitHeaders header1,header2,...
+
+## On-...
+##
+## Specifies what to do when certain error conditions are encountered.
+##
+## See dkim-filter.conf(5) for more information.
+
+# On-Default
+# On-BadSignature
+# On-DNSError
+# On-InternalError
+# On-NoSignature
+# On-Security
+
+## PeerList filename
+##
+## Contains a list of IP addresses, CIDR blocks, hostnames or domain names
+## whose mail should be neither signed nor verified by this filter. See man
+## page for file format.
+
+# PeerList filename
+
+## PidFile filename
+##
+## Name of the file where the filter should write its pid before beginning
+## normal operations.
+
+# PidFile filename
+PidFile /var/run/dkim-filter/dkim-filter.pid
+
+## POPDBFile filename
+##
+## Names a database which should be checked for "POP before SMTP" records
+## as a form of authentication of users who may be sending mail through
+## the MTA for signing. Requires special compilation of the filter.
+## See dkim-filter.conf(5) for more information.
+
+# POPDBFile filename
+
+## Quarantine { yes | no }
+## default "no"
+##
+## Indicates whether or not the filter should arrange to quarantine mail
+## which fails verification. Intended for diagnostic use only.
+
+# Quarantine No
+
+## QueryCache { yes | no }
+## default "no"
+##
+## Instructs the DKIM library to maintain its own local cache of keys and
+## policies retrieved from DNS, rather than relying on the nameserver for
+## caching service. Useful if the nameserver being used by the filter is
+## not local. The filter must be compiled with the QUERY_CACHE flag to enable
+## this feature, since it adds a library dependency.
+
+# QueryCache No
+
+## RemoveARAll { yes | no }
+## default "no"
+##
+## Remove all Authentication-Results: headers on all arriving mail.
+
+# RemoveARAll No
+
+## RemoveARFrom list
+## default (none)
+##
+## Remove all Authentication-Results: headers on all arriving mail that
+## claim to have been added by hosts listed in this parameter. The list
+## should be comma-separated. Entire domains may be specified by preceding
+## the dopmain name by a single dot (".") character.
+
+# RemoveARFrom host1,host2,.domain1,.domain2,...
+
+## RemoveOldSignatures { yes | no }
+## default "no"
+##
+## Remove old signatures on messages, if any, when generating a signature.
+
+# RemoveOldSignatures No
+
+## ReportAddress addr
+## default (executing user)
+##
+## Specifies the sending address to be used on From: headers of outgoing
+## failure reports. By default, the e-mail address of the user executing
+## the filter is used.
+
+# ReportAddress postmaster@example.com
+
+## RequiredHeaders { yes | no }
+## default no
+##
+## Rejects messages which don't conform to RFC2822 header count requirements.
+
+# RequiredHeaders No
+
+## Selector name
+##
+## The name of the selector to use when signing. No default; must be
+## specified for signing.
+## Selector is later used to select key from your domain record:
+## mail._domainkey.your.domain.org. IN TXT "v=DKIM1; g=*; k=rsa; t=y; p=
+Selector mail
+
+## SendADSPReports { yes | no }
+## default "no"
+##
+## Specifies whether or not the filter should generate report mail back
+## to senders when the ADSP (Author Domain Signing Practises) check fails for
+## a message. See dkim-filter.conf(5) for details.
+
+# SendADSPReports No
+
+## SendReports { yes | no }
+## default "no"
+##
+## Specifies whether or not the filter should generate report mail back
+## to senders when verification fails and an address for such a purpose
+## is provided. See dkim-filter.conf(5) for details.
+
+# SendReports No
+
+## SignatureAlgorithm signalg
+## default "rsa-sha256"
+##
+## Signature algorithm to use when generating signatures. Must be either
+## "rsa-sha1" or "rsa-sha256".
+
+# SignatureAlgorithm rsa-sha256
+
+## SignatureTTL seconds
+## default "0"
+##
+## Specifies the lifetime in seconds of signatures generated by the
+## filter. A value of 0 means no expiration time is included in the
+## signature.
+
+# SignatureTTL 0
+
+## SignHeaders header-list
+## default (none)
+##
+## Specifies the list of headers which should be included when generating
+## signatures. The string should be a comma-separated list of header names.
+## See the dkim-filter.conf(5) man page for more information.
+
+# SignHeaders header1,header2,...
+
+## Socket socketspec
+##
+## Names the socket where this filter should listen for milter connections
+## from the MTA. Required. Should be in one of these forms:
+##
+## inet:port@address to listen on a specific interface
+## inet:port to listen on all interfaces
+## local:/path/to/socket to listen on a UNIX domain socket
+
+Socket local:/var/run/dkim-filter/dkim-filter.sock
+
+## StrictTestMode { yes | no }
+## default "no"
+##
+## Selects strict CRLF mode during testing (see the "-t" command line
+## flag in the dkim-filter(8) man page). Messages for which all header
+## fields and body lines are not CRLF-terminated are considered malformed
+## and will produce an error.
+
+# StrictTestMode no
+
+## SubDomains { yes | no }
+## default "no"
+##
+## Sign for subdomains as well?
+
+# SubDomains No
+
+## Syslog { yes | no }
+## default "no"
+##
+## Log informational and error activity to syslog?
+
+# Syslog No
+Syslog yes
+
+## SyslogFacility facility
+## default "mail"
+##
+## Valid values are :
+## auth cron daemon kern lpr mail news security syslog user uucp
+## local0 local1 local2 local3 local4 local5 local6 local7
+##
+## syslog facility to be used
+
+# SyslogFacility mail
+SyslogFacility mail
+
+## SyslogSuccess { yes | no }
+## default "no"
+##
+## Log success activity to syslog?
+
+SyslogSuccess No
+# SyslogSuccess Yes # For tests mostly
+
+
+## TemporaryDirectory path
+## default /var/tmp
+##
+## Specifies which directory will be used for creating temporary files
+## during message processing.
+
+# TemporaryDirectory /var/tmp
+
+## TestPublicKeys filename
+## default (none)
+##
+## Names a file from which public keys should be read. Intended for use
+## only during automated testing.
+
+# TestPublicKeys /tmp/testkeys
+
+## UMask mask
+## default (none)
+##
+## Change the process umask for file creation to the specified value.
+## The system has its own default which will be used (usually 022).
+## See the umask(2) man page for more information.
+
+# UMask 022
+UMask 022
+
+## Userid userid
+## default (none)
+##
+## Change to user "userid" before starting normal operation? May include
+## a group ID as well, separated from the userid by a colon.
+
+# UserID userid
+UserID 62 # Postfix, probably change to dkim-filter user
+
+## X-Header { yes | no }
+## default "no"
+##
+## Add an X- header to messages passing through this filter to identify
+## messages it has processed.
+
+# X-Header No
+X-Header Yes
projects / packages / dkim-milter.git / commitdiff