bionic (5) opendmarc.conf.5.gz

Provided by: opendmarc_1.3.2-3ubuntu0.2_amd64 bug

NAME

       opendmarc.conf - Configuration file for opendmarc

LOCATION

       /etc/opendmarc.conf

DESCRIPTION

       opendmarc(8)  implements the proposed DMARC specification for message authentication, policy enforcement,
       and reporting.  This file is its configuration file.

       Blank lines are ignored.  Lines containing a hash ("#") character are truncated at the hash character  to
       allow for comments in the file.

       Other  content  should be the name of a parameter, followed by white space, followed by the value of that
       parameter, each on a separate line.

       For parameters that are Boolean in nature, only the first byte of the value is processed.   For  positive
       values,  the  following  are  accepted:  "T", "t", "Y", "y", "1".  For negative values, the following are
       accepted: "F", "f", "N", "n", "0".

       Some, but not all, of these parameters are also  available  as  command  line  options  to  opendmarc(8).
       However, new parameters are generally not added as command line options so the complete set of options is
       available here, and thus use of the configuration file is encouraged.  In some future release, the set of
       available command line options is likely to get trimmed.

       See  the  opendmarc(8)  man  page  for  details  about  how  and when the configuration file contents are
       reloaded.

       Unless otherwise stated, Boolean values default to "false", integer values default to 0, and  string  and
       dataset values default to being undefined.

PARAMETERS

       AuthservID (string)
              Sets  the  "authserv-id"  to  use  when  generating the Authentication-Results: header field after
              verifying a message.  The default is to use the name of the MTA processing the  message.   If  the
              string  "HOSTNAME"  is  provided,  the  name  of  the  host running the filter (as returned by the
              gethostname(3) function) will be used.

       AuthservIDWithJobID (Boolean)
              If "true", requests that the authserv-id  portion  of  the  added  Authentication-Results:  header
              fields contain the job ID of the message being evaluated.

       AutoRestart (Boolean)
              Automatically  re-start  on  failures.   Use  with caution; if the filter fails instantly after it
              starts, this can cause a tight fork(2) loop.

       AutoRestartCount (integer)
              Sets the maximum automatic restart count.  After this number of  automatic  restarts,  the  filter
              will give up and terminate.  A value of 0 implies no limit; this is the default.

       AutoRestartRate (string)
              Sets  the  maximum  automatic  restart rate.  If the filter begins restarting faster than the rate
              defined here, it will give up and terminate.  This is a string of the form n/t[u] where  n  is  an
              integer  limiting  the  count of restarts in the given interval and t[u] defines the time interval
              through which the rate is calculated; t is an integer and u defines  the  units  thus  represented
              ("s" or "S" for seconds, the default; "m" or "M" for minutes; "h" or "H" for hours; "d" or "D" for
              days).  For example, a value of "10/1h" limits the restarts to  10  in  one  hour.   There  is  no
              default, meaning restart rate is not limited.

       Background (Boolean)
              Causes  opendmarc  to  fork  and exits immediately, leaving the service running in the background.
              The default is "true".

       BaseDirectory (string)
              If set, instructs the filter to change to the specified  directory  using  chdir(2)  before  doing
              anything  else.   This  means  any  files  referenced  elsewhere  in the configuration file can be
              specified relative to this directory.  It's also useful for arranging that any crash dumps will be
              saved to a specific location.

       ChangeRootDirectory (string)
              Requests  that  the operating system change the effective root directory of the process to the one
              specified here prior to beginning execution.  chroot (2) requires superuser access. A warning will
              be generated if UserID is not also set.

       CopyFailuresTo (string)
              Adds the specified recipient to the message's envelope if it fails the DMARC evaluation.

       DNSTimeout (integer)
              Sets  the  DNS  timeout  in  seconds.   A  value  of 0 causes an infinite wait.  The default is 5.
              Ignored if not using an asynchronous resolver package.

       EnableCoredumps (Boolean)
              On systems that have such support, make an explicit request to the kernel to dump cores  when  the
              filter  crashes  for some reason.  Some modern UNIX systems suppress core dumps during crashes for
              security reasons if the user ID has changed during the lifetime of the  process.   Currently  only
              supported on Linux.

       FailureReports (Boolean)
              Enables  generation  of  failure reports when the DMARC test fails and the purported sender of the
              message has requested such reports.  Reports are formatted per RFC6591.

       FailureReportsBcc (string)
              When failure reports are enabled and one is to be generated, always send one  to  the  address(es)
              specified  here.   If a failure report is requested by the domain owner, the address(es) are added
              in a Bcc: field.  If no request is made, they address(es) are used in a To: field.   There  is  no
              default.

       FailureReportsOnNone (Boolean)
              Supplementary  to  the previous setting, enables generation of failure reports for sending domains
              that publish a "none" policy.

       FailureReportsSentBy (string)
              Sets the value of the From: field to be used  when  sending  failure  reports  (see  above).   The
              default is to use the userid of the user executing the filter and the local host name to construct
              an email address.

       HistoryFile (string)
              If set, specifies the location of a text file to which records are written that  can  be  used  to
              generate  DMARC  aggregate  reports.   Records  are batches of rows containing information about a
              single received message, and include all relevant information needed to generate a DMARC aggregate
              report.   It  is  expected  that  this  will  not be used in its raw form, but rather periodically
              imported into a relational database from which the aggregate reports can be extracted.

       IgnoreAuthenticatedClients (Boolean)
              If set, causes mail from authenticated clients (i.e., those that used SMTP AUTH) to be ignored  by
              the filter.  The default is "false".

       IgnoreHosts (string)
              Specifies  the  path  to  a  file  that  contains  a  list of hostnames, IP addresses, and/or CIDR
              expressions identifying hosts whose SMTP connections are to be ignored  by  the  filter.   If  not
              specified, defaults to "127.0.0.1" only.

       IgnoreMailFrom (string)
              Gives  a  list  of  domain  names  whose  mail (based on the From: domain) is to be ignored by the
              filter.  The list should be comma-separated.  Matching against this list is case-insensitive.  The
              default is an empty list, meaning no mail is ignored.

       IgnoreMailTo (string)
              Gives  a  list  of  mail  addresses which aren't entered into the history file.  This is useful to
              prevent exchanging mutual message reports.  The list should be comma-separated.  Matching  against
              this list is case-insensitive.  The default is an empty list, meaning no mail is ignored.

       MilterDebug (integer)
              Sets the debug level to be requested from the milter library.  The default is 0.

       PidFile (string)
              Specifies the path to a file that should be created at process start containing the process ID.

       PublicSuffixList (string)
              Specifies  the  path to a file that contains top-level domains (TLDs) that will be used to compute
              the Organizational Domain for a given domain name, as described in the  DMARC  specification.   If
              not  provided,  the  filter  will  not be able to determine the Organizational Domain and only the
              presented domain will be evaluated.

       RecordAllMessages (Boolean)
              If set and HistoryFile is in use, all received messages are recorded to the history file.  If  not
              set  (the  default),  only  messages  for  which the From: domain published a DMARC record will be
              recorded in the history file.

       RejectFailures (Boolean)
              If set, messages will be rejected if they fail the DMARC evaluation, or temp-failed if  evaluation
              could  not be completed.  By default, no message will be rejected or temp-failed regardless of the
              outcome of the DMARC evaluation of the message.  Instead, an Authentication-Results  header  field
              will be added.  The default is "false".

       RejectString (string)
              This  string describes the reason of reject at SMTP level.  The message MUST contain the word "%s"
              once, which will be replaced by the RFC5322.From domain.  The default is "rejected by DMARC policy
              for %s"

       ReportCommand (string)
              Indicates  the  shell  command  to  which  failure  reports  should  be  passed  for delivery when
              FailureReports is enabled.  Defaults to /usr/sbin/sendmail.

       RequiredHeaders (Boolean)
              If set, the filter will ensure the header of the message conforms to the basic header field  count
              restrictions  laid  out  in RFC5322, Section 3.6.  Messages failing this test are rejected without
              further processing.  A From: field from which no domain name  could  be  extracted  will  also  be
              rejected.

       Socket (string)
              Specifies  the  socket  that  should  be  established  by  the  filter to receive connections from
              sendmail(8) in order to provide service.  socketspec is in one of  two  forms:  local:path,  which
              creates a UNIX domain socket at the specified path, or inet:port[@host] or inet6:port[@host] which
              creates a TCP socket on the specified port for the appropriate protocol family.  If  the  host  is
              not  given  as either a hostname or an IP address, the socket will be listening on all interfaces.
              This option is mandatory either in the configuration file or  on  the  command  line.   If  an  IP
              address is used, it must be enclosed in square brackets.

       SoftwareHeader (Boolean)
              Causes  opendmarc  to  add a "DMARC-Filter" header field indicating the presence of this filter in
              the path of the message from injection to delivery.  The product's name, version, and the  job  ID
              are included in the header field's contents.

       SPFIgnoreResults (Boolean)
              Causes  the  filter to ignore any SPF results in the header of the message.  This is useful if you
              want the filter to perfrom SPF checks itself, or because you don't trust the arriving header.  The
              default is "false".

       SPFSelfValidate (Boolean)
              Causes  the  filter  to perform a fallback SPF check itself when it can find no SPF results in the
              message header.  If SPFIgnoreResults is also set, it never looks for SPF results  in  headers  and
              always performs the SPF check itself when this is set.  The default is "false".

       Syslog (Boolean)
              Log via calls to syslog(3) any interesting activity.

       SyslogFacility (string)
              Log  via calls to syslog(3) using the named facility.  The facility names are the same as the ones
              allowed in syslog.conf(5).  The default is "mail".

       TrustedAuthservIDs (string)
              Provides a list of authserv-ids that are to be  used  to  identify  Authentication-Results  header
              fields  whose  contents  are  to be assumed as valid input for the DMARC assessment.  To provide a
              list, separate values by commas.  If the string "HOSTNAME" is  provided,  the  name  of  the  host
              running  the  filter  (as returned by the gethostname(3) function) will be used.  Matching against
              this list is case-insensitive.  The default is to use the value of AuthservID.

       UMask (integer)
              Requests a specific permissions mask to be used for file creation.  This only  really  applies  to
              creation  of  the  socket when Socket specifies a UNIX domain socket, and to the PidFile (if any);
              temporary files are created by the mkstemp(3) function that  enforces  a  specific  file  mode  on
              creation regardless of the process umask.  See umask(2) for more information.

       UserID (string)
              Attempts  to  become  the  specified  userid before starting operations.  The value is of the form
              userid[:group].  The process will be assigned all of the groups and primary group ID of the  named
              userid unless an alternate group is specified.

FILES

       /etc/opendmarc.conf
              Default location of this file.

VERSION

       This man page covers version 1.3.2 of opendmarc.

       Copyright (c) 2012-2015, The Trusted Domain Project.  All rights reserved.

SEE ALSO

       opendmarc(8), sendmail(8)

       RFC4408 - Sender Policy Framework

       RFC5451 - Message Header Field for Indicating Message Authentication Status

       RFC5965 - An Extensible Format for Email Feedback Reports

       RFC6376 - DomainKeys Identified Mail

       RFC6591 - Authentication Failure Reporting Using the Abuse Reporting Format

                                           The Trusted Domain Project                          opendmarc.conf(5)