Provided by: opendmarc_1.4.2-4.1build2_amd64

NAME

       opendmarc.conf - Configuration file for opendmarc

LOCATION

       /etc/opendmarc.conf

DESCRIPTION

       opendmarc(8)  implements the proposed DMARC specification for message authentication, policy enforcement,
       and reporting.  This file is its configuration file.

       Blank lines are ignored.  Lines containing a hash ("#") character are truncated at the hash character  to
       allow for comments in the file.

       Other  content  should be the name of a parameter, followed by white space, followed by the value of that
       parameter, each on a separate line.

       For parameters that are Boolean in nature, only the first byte of the value is processed.   For  positive
       values,  the  following  are  accepted:  "T", "t", "Y", "y", "1".  For negative values, the following are
       accepted: "F", "f", "N", "n", "0".

       Some, but not all, of these parameters are also  available  as  command  line  options  to  opendmarc(8).
       However, new parameters are generally not added as command line options so the complete set of options is
       available here, and thus use of the configuration file is encouraged.  In some future release, the set of
       available command line options is likely to get trimmed.

       See  the  opendmarc(8)  man  page  for  details  about  how  and when the configuration file contents are
       reloaded.

       Unless otherwise stated, Boolean values default to "false", integer values default to 0, and  string  and
       dataset values default to being undefined.

PARAMETERS

       AuthservID (string)
              Sets  the  "authserv-id"  to  use  when  generating the Authentication-Results: header field after
              verifying a message.  The default is to use the name of the MTA processing the  message.   If  the
              string  "HOSTNAME"  is  provided,  the  name  of  the  host running the filter (as returned by the
              gethostname(3) function) will be used.

       AuthservIDWithJobID (Boolean)
              If "true", requests that the authserv-id  portion  of  the  added  Authentication-Results:  header
              fields contain the job ID of the message being evaluated.

       AutoRestart (Boolean)
              Automatically  re-start  on  failures.   Use  with caution; if the filter fails instantly after it
              starts, this can cause a tight fork(2) loop.

       AutoRestartCount (integer)
              Sets the maximum automatic restart count.  After this number of  automatic  restarts,  the  filter
              will give up and terminate.  A value of 0 implies no limit; this is the default.

       AutoRestartRate (string)
              Sets  the  maximum  automatic  restart rate.  If the filter begins restarting faster than the rate
              defined here, it will give up and terminate.  This is a string of the form n/t[u] where  n  is  an
              integer  limiting  the  count of restarts in the given interval and t[u] defines the time interval
              through which the rate is calculated; t is an integer and u defines  the  units  thus  represented
              ("s" or "S" for seconds, the default; "m" or "M" for minutes; "h" or "H" for hours; "d" or "D" for
              days).   For  example,  a  value  of  "10/1h"  limits the restarts to 10 in one hour.  There is no
              default, meaning restart rate is not limited.

       Background (Boolean)
              Causes opendmarc to fork and exit immediately, leaving the service running in the background.
              The default is "true".

       BaseDirectory (string)
              If  set,  instructs  the  filter  to change to the specified directory using chdir(2) before doing
              anything else.  This means any files  referenced  elsewhere  in  the  configuration  file  can  be
              specified relative to this directory.  It's also useful for arranging that any crash dumps will be
              saved to a specific location.

       ChangeRootDirectory (string)
              Requests  that  the operating system change the effective root directory of the process to the one
              specified here prior to beginning execution.  chroot(2) requires superuser access.  A warning will
              be generated if UserID is not also set.

       CopyFailuresTo (string)
              Adds the specified recipient to the message's envelope if it fails the DMARC evaluation.

       DomainWhitelist (string)
              A brief list of whitelisted domains for which ARC signature headers are trusted as  determined  by
              evaluating  entries  in  the "arc.chain" field found in a locally generated Authentication-Results
              header.

              This list will be concatenated with DomainWhitelistFile (if provided).

       DomainWhitelistFile (string)
              A comprehensive list of whitelisted domains  for  which  ARC  signature  headers  are  trusted  as
              determined  by  evaluating  entries  in  the  "arc.chain"  field  found  in  a  locally  generated
              Authentication-Results header.

              This list will be concatenated with DomainWhitelist (if provided).

       DomainWhitelistSize (integer)
              Sets the capacity of the whitelisted domains data  structure.  The  value  specifies  the  maximum
              number  of entries including domains listed in the DomainWhitelist configuration parameter and the
              domains listed in the DomainWhitelistFile.  The final size will be increased by approximately 20%
              to increase the efficiency of the hashing algorithm.

       DNSTimeout (integer)
              Sets  the  DNS  timeout  in  seconds.   A  value  of 0 causes an infinite wait.  The default is 5.
              Ignored if not using an asynchronous resolver package.

       EnableCoredumps (Boolean)
              On systems that have such support, make an explicit request to the kernel to dump cores  when  the
              filter  crashes  for some reason.  Some modern UNIX systems suppress core dumps during crashes for
              security reasons if the user ID has changed during the lifetime of the  process.   Currently  only
              supported on Linux.

       FailureReports (Boolean)
              Enables  generation  of  failure reports when the DMARC test fails and the purported sender of the
              message has requested such reports.  Reports are formatted per RFC6591.

       FailureReportsBcc (string)
              When failure reports are enabled and one is to be generated, always send one  to  the  address(es)
              specified  here.   If a failure report is requested by the domain owner, the address(es) are added
              in a Bcc: field.  If no request is made, the address(es) are used in a To: field.  There is no
              default.

       FailureReportsOnNone (Boolean)
              Supplementary  to  the previous setting, enables generation of failure reports for sending domains
              that publish a "none" policy.

       FailureReportsSentBy (string)
              Sets the value of the From: field to be used  when  sending  failure  reports  (see  above).   The
              default is to use the userid of the user executing the filter and the local host name to construct
              an email address.

       HistoryFile (string)
              If  set,  specifies  the  location of a text file to which records are written that can be used to
              generate DMARC aggregate reports.  Records are batches of  rows  containing  information  about  a
              single received message, and include all relevant information needed to generate a DMARC aggregate
              report.   It  is  expected  that  this  will  not be used in its raw form, but rather periodically
              imported into a relational database from which  the  aggregate  reports  can  be  extracted  using
              opendmarc-importstats(8).

       HoldQuarantinedMessages (Boolean)
              If set, the milter will signal to the MTA that messages with p=quarantine, which fail DMARC
              authentication, should be held in the MTA's "Hold" or "Quarantine" queue.  The name varies by MTA.
              If false, messages will be accepted  and  passed  along  with  the  regular  mail  flow,  and  the
              quarantine  will  be left up to downstream MTA/MDA/MUA filters, if any, to handle by re-evaluating
              the headers, including the Authentication-Results header added by this  filter.   The  default  is
              "false".

       IgnoreAuthenticatedClients (Boolean)
              If  set, causes mail from authenticated clients (i.e., those that used SMTP AUTH) to be ignored by
              the filter.  The default is "false".

       IgnoreHosts (string)
              Specifies the path to a file that  contains  a  list  of  hostnames,  IP  addresses,  and/or  CIDR
              expressions  identifying  hosts  whose  SMTP  connections are to be ignored by the filter.  If not
              specified, defaults to "127.0.0.1" only.

       IgnoreMailFrom (string)
              Gives a list of domain names whose mail (based on the From:  domain)  is  to  be  ignored  by  the
              filter.  The list should be comma-separated.  Matching against this list is case-insensitive.  The
              default is an empty list, meaning no mail is ignored.

       IgnoreMailTo (string)
              Gives  a  list  of  mail  addresses which aren't entered into the history file.  This is useful to
              prevent exchanging mutual message reports.  The list should be comma-separated.  Matching  against
              this list is case-insensitive.  The default is an empty list, meaning no mail is ignored.

       MilterDebug (integer)
              Sets the debug level to be requested from the milter library.  The default is 0.

       PidFile (string)
              Specifies the path to a file that should be created at process start containing the process ID.

       PublicSuffixList (string)
              Specifies  the  path to a file that contains top-level domains (TLDs) that will be used to compute
              the Organizational Domain for a given domain name, as described in the  DMARC  specification.   If
              not  provided,  the  filter  will  not be able to determine the Organizational Domain and only the
              presented domain will be evaluated.  This file should be periodically updated.   One  location  to
              retrieve the file from is https://publicsuffix.org/list/

       RecordAllMessages (Boolean)
              If  set and HistoryFile is in use, all received messages are recorded to the history file.  If not
              set (the default), only messages for which the From: domain  published  a  DMARC  record  will  be
              recorded in the history file.

       RejectFailures (Boolean)
              If  set, messages will be rejected if they fail the DMARC evaluation, or temp-failed if evaluation
              could not be completed.  By default, no message will be rejected or temp-failed regardless of  the
              outcome  of  the DMARC evaluation of the message.  Instead, an Authentication-Results header field
              will be added.  The default is "false".

       RejectMultiValueFrom (Boolean)
              If set, messages with multiple addresses in the From: field of the message will be rejected unless
              all domain names in that field are the same.  They will otherwise be ignored by  the  filter  (the
              default).

       RejectString (string)
              This string describes the reason for the rejection at the SMTP level.  The message MUST contain
              the word "%s" once, which will be replaced by the RFC5322.From domain.  The default is "rejected
              by DMARC policy for %s".

       ReportCommand (string)
              Indicates the shell  command  to  which  failure  reports  should  be  passed  for  delivery  when
              FailureReports is enabled.  Defaults to /usr/sbin/sendmail.

       RequiredHeaders (Boolean)
              If  set, the filter will ensure the header of the message conforms to the basic header field count
              restrictions laid out in RFC5322, Section 3.6.  Messages failing this test  are  rejected  without
              further  processing.   A  From:  field  from  which no domain name could be extracted will also be
              rejected.

       Socket (string)
              Specifies the socket that should  be  established  by  the  filter  to  receive  connections  from
              sendmail(8) in order to provide service.  The value is in one of two forms: local:path, which
              creates a UNIX domain socket at the specified path, or inet:port[@host] or inet6:port[@host] which
              creates a TCP socket on the specified port for the appropriate protocol family.  If  the  host  is
              not  given  as either a hostname or an IP address, the socket will be listening on all interfaces.
              This option is mandatory either in the configuration file or  on  the  command  line.   If  an  IP
              address is used, it must be enclosed in square brackets.

       SoftwareHeader (Boolean)
              Causes  opendmarc  to  add a "DMARC-Filter" header field indicating the presence of this filter in
              the path of the message from injection to delivery.  The product's name, version, and the  job  ID
              are included in the header field's contents.

       SPFIgnoreResults (Boolean)
              Causes  the  filter to ignore any SPF results in the header of the message.  This is useful if you
              want the filter to perform SPF checks itself, or because you don't trust the arriving header.  The
              default is "false".

       SPFSelfValidate (Boolean)
              Causes the filter to perform a fallback SPF check itself when it can find no SPF  results  in  the
              message  header.   If  SPFIgnoreResults is also set, it never looks for SPF results in headers and
              always performs the SPF check itself when this is set.  The default is "false".

       Syslog (Boolean)
              Log via calls to syslog(3) any interesting activity.

       SyslogFacility (string)
              Log via calls to syslog(3) using the named facility.  The facility names are the same as the  ones
              allowed in syslog.conf(5).  The default is "mail".

       TrustedAuthservIDs (string)
              Provides  a  list  of  authserv-ids  that are to be used to identify Authentication-Results header
              fields whose contents are to be assumed as valid input for the DMARC  assessment.   To  provide  a
              list,  separate  values  by  commas.   If  the string "HOSTNAME" is provided, the name of the host
              running the filter (as returned by the gethostname(3) function) will be  used.   Matching  against
              this list is case-insensitive.  The default is to use the value of AuthservID.

       UMask (integer)
              Requests  a  specific  permissions mask to be used for file creation.  This only really applies to
              creation of the socket when Socket specifies a UNIX domain socket, and to the  PidFile  (if  any);
              temporary  files  are  created  by  the  mkstemp(3) function that enforces a specific file mode on
              creation regardless of the process umask.  See umask(2) for more information.

       UserID (string)
              Attempts to become the specified userid before starting operations.  The  value  is  of  the  form
              userid[:group].   The process will be assigned all of the groups and primary group ID of the named
              userid unless an alternate group is specified.
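
       The following is an added example, not part of opendmarc or of the original man page.  It parses a
       configuration file using the syntax rules from DESCRIPTION and reports the settings this page itself
       flags as needing care (ChangeRootDirectory without UserID, unlimited AutoRestart, a malformed
       AutoRestartRate, a TCP Socket with no host, a RejectString without exactly one "%s").  The function
       names, the sample values and the assumption that parameter names are spelled exactly as on this page
       are illustrative.

```python
import re

TRUE, FALSE = set("TtYy1"), set("FfNn0")

def parse_conf(text):
    """Return {parameter: value} using the syntax rules in DESCRIPTION."""
    params = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)  # cut at hash, split on white space
        if parts:                                    # skip blank and comment-only lines
            params[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return params

def as_bool(value, default=False):
    """Boolean parameters: only the first byte of the value is examined."""
    if not value:
        return default
    if value[0] in TRUE:
        return True
    if value[0] in FALSE:
        return False
    raise ValueError(f"not a Boolean value: {value!r}")

def audit(params):
    """List settings that this page itself flags as needing care."""
    found = []
    if "ChangeRootDirectory" in params and "UserID" not in params:
        found.append("ChangeRootDirectory without UserID")
    limited = int(params.get("AutoRestartCount") or "0") > 0 or "AutoRestartRate" in params
    if as_bool(params.get("AutoRestart")) and not limited:
        found.append("AutoRestart without AutoRestartCount or AutoRestartRate")
    rate = params.get("AutoRestartRate")
    if rate is not None and not re.fullmatch(r"\d+/\d+[sSmMhHdD]?", rate):
        found.append("AutoRestartRate is not of the form n/t[u]")
    if re.fullmatch(r"inet6?:\d+", params.get("Socket", "")):
        found.append("Socket has no @host, listens on all interfaces")
    if "RejectString" in params and params["RejectString"].count("%s") != 1:
        found.append("RejectString must contain %s exactly once")
    return found

# Constructed sample input, not a recommended configuration.
SAMPLE = """\
AutoRestart          Yes   # only the first byte, "Y", is examined
ChangeRootDirectory  /var/empty
Socket               inet:8893
RejectString         rejected by policy
"""

if __name__ == "__main__":
    for finding in audit(parse_conf(SAMPLE)):
        print("WARN:", finding)
```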

FILES

       /etc/opendmarc.conf
              Default location of this file.

VERSION

       This man page covers version 1.4.2 of opendmarc.

COPYRIGHT

       Copyright (c) 2012-2015, 2018, 2021, The Trusted Domain Project.  All rights reserved.

SEE ALSO

       opendmarc(8), opendmarc-importstats(8), sendmail(8)

       RFC4408 - Sender Policy Framework

       RFC5451 - Message Header Field for Indicating Message Authentication Status

       RFC5965 - An Extensible Format for Email Feedback Reports

       RFC6376 - DomainKeys Identified Mail

       RFC6591 - Authentication Failure Reporting Using the Abuse Reporting Format

                                           The Trusted Domain Project                          opendmarc.conf(5)