1opendkim.conf(5) File Formats Manual opendkim.conf(5)
2
3
4
6 opendkim.conf - Configuration file for opendkim
7
8
10 /etc/opendkim.conf
11
12
14 opendkim(8) implements the DKIM specification for signing and verifying
15 e-mail messages on a per-domain basis. This file is its configuration
16 file.
17
18 Blank lines are ignored. Lines containing a hash ("#") character are
19 truncated at the hash character to allow for comments in the file.
20
21 Other content should be the name of a parameter, followed by white
22 space, followed by the value of that parameter, each on a separate
23 line.
24
25 For parameters that are Boolean in nature, only the first byte of the
26 value is processed. For positive values, the following are accepted:
27 "T", "t", "Y", "y", "1". For negative values, the following are
28 accepted: "F", "f", "N", "n", "0".
29
30 Many, but not all, of these parameters are also available as command
31 line options to opendkim(8). However, new parameters are generally not
32 added as command line options so the complete set of options is avail‐
33 able here, and thus use of the configuration file is encouraged. In
34 some future release, the set of available command line options is
35 likely to get trimmed.
36
37 See the opendkim(8) man page for details about how and when the config‐
38 uration file contents are reloaded.
39
40 Some of these parameters are listed as having a type of "dataset". See
41 the opendkim(8) man page for a description of such parameters.
42
43 Unless otherwise stated, Boolean values default to "false", integer
44 values default to 0, and string and dataset values default to being
45 undefined.
46
47
49 AllowSHA1Only (Boolean)
50 Permit verify mode when only SHA1 support is available. RFC6376
51 requires that verifiers implement both SHA1 and SHA256 support.
52 Setting this feature changes the absence of SHA256 support from
53 an error to a warning.
54
55
56 AlwaysAddARHeader (Boolean)
57 Add an "Authentication-Results:" header field even to unsigned
58 messages from domains with no "signs all" policy. The reported
59 DKIM result will be "none" in such cases. Normally unsigned
60 mail from non-strict domains does not cause the results header
61 field to be added.
62
63
64 AuthservID (string)
65 Sets the "authserv-id" to use when generating the Authentica‐
66 tion-Results: header field after verifying a message. The
67 default is to use the name of the MTA processing the message.
68 If the string "HOSTNAME" is provided, the name of the host run‐
69 ning the filter (as returned by the gethostname(3) function)
70 will be used.
71
72
73 AuthservIDWithJobID (Boolean)
74 If "true", requests that the authserv-id portion of the added
75 Authentication-Results: header fields contain the job ID of the
76 message being evaluated.
77
78
79 AutoRestart (Boolean)
80 Automatically re-start on failures. Use with caution; if the
81 filter fails instantly after it starts, this can cause a tight
82 fork(2) loop.
83
84
85 AutoRestartCount (integer)
86 Sets the maximum automatic restart count. After this number of
87 automatic restarts, the filter will give up and terminate. A
88 value of 0 implies no limit; this is the default.
89
90
91 AutoRestartRate (string)
92 Sets the maximum automatic restart rate. If the filter begins
93 restarting faster than the rate defined here, it will give up
94 and terminate. This is a string of the form n/t[u] where n is
95 an integer limiting the count of restarts in the given interval
96 and t[u] defines the time interval through which the rate is
97 calculated; t is an integer and u defines the units thus repre‐
98 sented ("s" or "S" for seconds, the default; "m" or "M" for min‐
99 utes; "h" or "H" for hours; "d" or "D" for days). For example,
100 a value of "10/1h" limits the restarts to 10 in one hour. There
101 is no default, meaning restart rate is not limited.
102
103
104 Background (Boolean)
105 Causes opendkim to fork and exits immediately, leaving the ser‐
106 vice running in the background. The default is "true".
107
108
109 BaseDirectory (string)
110 If set, instructs the filter to change to the specified direc‐
111 tory using chdir(2) before doing anything else. This means any
112 files referenced elsewhere in the configuration file can be
113 specified relative to this directory. It's also useful for
114 arranging that any crash dumps will be saved to a specific loca‐
115 tion.
116
117
118 BodyLengthDB (dataset)
119 Requests that opendkim include a "l=" body length tag when the
120 set contains any of the envelope recipient addresses. The
121 addresses presented are tested against the database in various
122 forms as described under the SigningTable setting (below). This
123 feature of the protocol exists to improve the likelihood that a
124 signature will survive transit through a mailing list server, as
125 they commonly append footers to messages. Note, however, that
126 this creates a potential security issue since someone could add
127 arbitrary text to the signed message and the signature would
128 still validate. See the DKIM specification for details.
129
130
131 BogusKey (string)
132 Instructs the filter to treat a passing signature associated
133 with a bogus (forged) key in a special way. Possible values are
134 neutral (return a "neutral" result), none (take no special
135 action) and fail (return a "fail" result; this is the default).
136 (Not enabled for this installation.)
137
138
139 CaptureUnknownErrors (Boolean)
140 When set, and on systems where MTA quarantine is available, the
141 filter will request quarantine of a message that results in an
142 internal error or resource exhaustion.
143
144
145 Canonicalization (string)
146 Selects the canonicalization method(s) to be used when signing
147 messages. When verifying, the message's DKIM-Signature: header
148 field specifies the canonicalization method. The recognized
149 values are relaxed and simple as defined by the DKIM specifica‐
150 tion. The default is simple. The value may include two differ‐
151 ent canonicalizations separated by a slash ("/") character, in
152 which case the first will be applied to the header and the sec‐
153 ond to the body.
154
155
156 ChangeRootDirectory (string)
157 Requests that the operating system change the effective root
158 directory of the process to the one specified here prior to
159 beginning execution. chroot(2) requires superuser access. A
160 warning will be generated if UserID is not also set.
161
162
163 ClockDrift (integer)
164 Sets the tolerance in seconds to be applied when determining
165 whether a signature was either expired or generated in the
166 future. The default is 300.
167
168
169 Diagnostics (Boolean)
170 Requests the inclusion of "z=" tags in signatures, which encode
171 the original header field set for use by verifiers when diagnos‐
172 ing verification failures. Not recommended for normal opera‐
173 tion.
174
175
176 DiagnosticDirectory (string)
177 Directory into which to write diagnostic reports when message
178 verification fails on a message bearing a "z=" tag. If not set
179 (the default), these files are not generated.
180
181
182 DisableCryptoInit (Boolean)
183 If set, skips initialization of the SSL library initialization
184 steps, which are normally required in multi-threaded environ‐
185 ments. This assumes some other library opendkim is using will
186 do the required initialization and shutdown.
187
188
189 DNSConnect (Boolean)
190 Requests that the asynchronous resolver start using TCP immedi‐
191 ately rather than using UDP until TCP is actually needed. Does
192 not work with all resolvers.
193
194
195 DNSTimeout (integer)
196 Sets the DNS timeout in seconds. A value of 0 causes an infi‐
197 nite wait. The default is 5. Ignored if not using an asynchro‐
198 nous resolver package. See also the NOTES section below.
199
200
201 Domain (dataset)
202 A set of domains whose mail should be signed by this filter.
203 Mail from other domains will be verified rather than being
204 signed.
205
206 This parameter is not required if a SigningTable is in use; in
207 that case, the list of signed domains is implied by the lines in
208 that file.
209
210 This parameter is ignored if a KeyTable is defined.
211
212
213 DomainKeysCompat (boolean)
214 If set, backward compatibility with DomainKeys (RFC4870) key
215 records is enabled. When not set, such keys are considered to
216 be syntactically invalid.
217
218
219 DontSignMailTo (dataset)
220 A set of e-mail address, mail to which should never be signed by
221 the filter. Note that this is an "any" feature; if any one of
222 the recipients of the message matches a member of this list, the
223 message will not be signed.
224
225
226 EnableCoredumps (boolean)
227 On systems that have such support, make an explicit request to
228 the kernel to dump cores when the filter crashes for some rea‐
229 son. Some modern UNIX systems suppress core dumps during
230 crashes for security reasons if the user ID has changed during
231 the lifetime of the process. Currently only supported on Linux.
232
233
234 ExemptDomains (dataset)
235 Specifies a set of domains, mail from which should be ignored
236 entirely by the filter. This is similar to the PeerList setting
237 except that it bases its decision on the sender of the message
238 as identified from the header fields or other message data, not
239 the identity of the SMTP client sending the message.
240
241
242 ExternalIgnoreList (dataset)
243 Identifies a set of "external" hosts that may send mail through
244 the server as one of the signing domains without credentials as
245 such. This has the effect of suppressing the "external host
246 (hostname) tried to send mail as (domain)" log messages.
247 Entries in the data set should be of the same form as those of
248 the PeerList option below. The set is empty by default.
249
250
251 FinalPolicyScript (string)
252 Gives the name of a Lua script that should be run after the
253 entire message has been received. This can be used to enact
254 local policy decisions such as message rejection, quarantine,
255 rerouting, etc. based on signatures found on the message, the
256 results of attempts to verify them, and other properties of the
257 message or signatures. See opendkim-lua(3) for details.
258
259
260 FixCRLF (Boolean)
261 Requests that the DKIM library convert bare CRs and LFs to CRLFs
262 during body canonicalization, anticipating that an MTA somewhere
263 before delivery will do that conversion anyway. The default is
264 to leave them as-is.
265
266
267 IdentityHeader (string)
268 This specifies the header field where an identity is stored.
269 (Experimental feature not enabled for this installation.)
270
271
272 IdentityHeaderRemove (Boolean)
273 Remove the IdentityHeader after signing. (Experimental feature
274 not enabled for this installation.)
275
276
277 IgnoreMalformedMail (boolean)
278 Silently passes malformed messages without alteration. This
279 includes messages that fail the RequiredHeaders check, if
280 enabled. The default is to pass those messages but add an
281 Authentication-Results field indicating that they were mal‐
282 formed.
283
284
285 Include (string)
286 Names a file to be opened and read as an additional configura‐
287 tion file. Nesting is allowed to a maximum of five levels.
288
289
290 InternalHosts (dataset)
291 Identifies a set internal hosts whose mail should be signed
292 rather than verified. Entries in this data set follow the same
293 form as those of the PeerList option below. If not specified,
294 the default of "127.0.0.1" is applied. Naturally, providing a
295 value here overrides the default, so if mail from 127.0.0.1
296 should be signed, the list provided here should include that
297 address explicitly.
298
299
300 KeepAuthResults (boolean)
301 Suppresses removal of Authentication-Results header fields con‐
302 taining DKIM results apparently added by this filter (usually
303 the result of a misconfiguration or a forgery).
304
305
306 KeepTemporaryFiles (boolean)
307 Instructs the filter to create temporary files containing the
308 header and body canonicalizations of messages that are signed or
309 verified. The location of these files can be set using the Tem‐
310 poraryDirectory parameter. Intended only for debugging verifi‐
311 cation problems.
312
313
314 KeyFile (string)
315 Gives the location of a PEM-formatted private key to be used for
316 signing all messages. Ignored if a KeyTable is defined.
317
318
319 KeyTable (dataset)
320 Gives the location of a file mapping key names to signing keys.
321 If present, overrides any KeyFile setting in the configuration
322 file. The data set named here maps each key name to three val‐
323 ues: (a) the name of the domain to use in the signature's "d="
324 value; (b) the name of the selector to use in the signature's
325 "s=" value; and (c) either a private key or a path to a file
326 containing a private key. If the first value consists solely of
327 a percent sign ("%") character, it will be replaced by the
328 apparent domain of the sender when generating a signature. If
329 the third value starts with a slash ("/") character, or "./" or
330 "../", then it is presumed to refer to a file from which the
331 private key should be read, otherwise it is itself a PEM-encoded
332 private key or a base64-encoded DER private key; a "%" in the
333 third value in this case will be replaced by the apparent domain
334 name of the sender. The SigningTable (see below) is used to
335 select records from this table to be used to add signatures
336 based on the message sender.
337
338
339 LDAPAuthMechanism (string)
340 Names the authentication mechanism to use when connecting to an
341 LDAP server. The default is the empty string, meaning "simple"
342 authentication should be done.
343
344
345 LDAPAuthName (string)
346 Specifies the authenticating name to use when using SASL to
347 authenticate to an LDAP server. Requires SASL support be
348 installed on the local system. There is no default.
349
350
351 LDAPAuthRealm (string)
352 Specifies the authentication realm to use when using SASL to
353 authenticate to an LDAP server. Requires SASL support be
354 installed on the local system. There is no default.
355
356
357 LDAPAuthUser (string)
358 Specifies the authenticating user to use when using SASL to
359 authenticate to an LDAP server. Requires SASL support be
360 installed on the local system. There is no default.
361
362
363 LDAPBindPassword (string)
364 Specifies the password to use when conducting an LDAP "bind"
365 operation. There is no default.
366
367
368 LDAPBindUser (string)
369 Specifies the user ID to use when conducting an LDAP "bind"
370 operation. There is no default.
371
372
373 LDAPDisableCache (Boolean)
374 Suppresses creation of a local cache in front of LDAP queries.
375
376
377 LDAPKeepaliveIdle (integer)
378 Sets the number of seconds a connection to an LDAP server needs
379 to remain idle before TCP starts sending keepalive probes. If
380 not specified, the LDAP library default is used.
381
382
383 LDAPKeepaliveInterval (integer)
384 Sets the interval in seconds between TCP keepalive probes. If
385 not specified, the LDAP library default is used.
386
387
388 LDAPKeepaliveProbes (integer)
389 Sets the maximum number of keepalive probes TCP should send
390 before abandoning the connection. If not specified, the LDAP
391 library default is used.
392
393
394 LDAPTimeout (integer)
395 Sets the time in seconds after which an LDAP operation should be
396 abandoned. The default is 5.
397
398
399 LDAPUseTLS (Boolean)
400 Indicates whether or not a TLS connection should be established
401 when contacting an LDAP server. The default is "False".
402
403
404 LogResults (boolean)
405 If logging is enabled (see Syslog below), requests that the
406 results of evaluation of all signatures that were at least
407 partly intact (i.e., the "d=", "s=", and "b=" tags could be
408 extracted).
409
410
411 LogWhy (boolean)
412 If logging is enabled (see Syslog below), issues very detailed
413 logging about the logic behind the filter's decision to either
414 sign a message or verify it. The logic behind the decision is
415 non-trivial and can be confusing to administrators not familiar
416 with its operation. A description of how the decision is made
417 can be found in the OPERATIONS section of the opendkim(8) man
418 page. This causes a large increase in the amount of log data
419 generated for each message, so it should be limited to debugging
420 use and not enabled for general operation.
421
422
423 MacroList (dataset)
424 Defines a set of MTA-provided macros that should be checked to
425 see if the sender has been determined to be a local user and
426 therefore whether or not the message should be signed. If a
427 value is specified matching a macro name in the data set, the
428 value of the macro must match a value specified (matching is
429 case-sensitive), otherwise the macro must be defined but may
430 contain any value. The set is empty by default, meaning macros
431 are not considered when making the sign-verify decision. The
432 general format of the value is value1[|value2[|...]]; if one or
433 more value is defined then the macro must be set to one of the
434 listed values, otherwise the macro must be set but can contain
435 any value.
436
437 In order for the macro and its value to be available to the fil‐
438 ter for checking, the MTA must send it during the protocol
439 exchange. This is either accomplished via manual configuration
440 of the MTA to send the desired macros or, for MTA/filter combi‐
441 nations that support the feature, the filter can request those
442 macros that are of interest. The latter is a feature negotiated
443 at the time the filter receives a connection from the MTA and
444 its availability depends upon the version of milter used to com‐
445 pile the filter and the version of the MTA making the connec‐
446 tion.
447
448 This data set must be of type "file" or "csl".
449
450 MaximumHeaders (integer)
451 Defines the maximum number of bytes the header block of a mes‐
452 sage may consume before the filter will reject the message.
453 This mitigates a denial-of-service attack in which a client con‐
454 nects to the MTA and begins feeding an unbounded number of
455 header fields of arbitrary size; since the filter keeps a cache
456 of these, the attacker could cause the filter to allocate an
457 unspecified amount of memory. The default is 65536; a value of
458 0 removes the limit.
459
460
461 MaximumSignaturesToVerify (integer)
462 Defines the maximum number of signatures on a message for which
463 verification should be conducted. The default is three. Signa‐
464 tures are selected from the top of the message downward. If
465 TrustSignaturesFrom is set, signatures from domains in that data
466 set are always verified, which may consume part or all of, or
467 even exceed, this limit.
468
469
470 MaximumSignedBytes (integer)
471 Specifies the maximum number of bytes of message body to be
472 signed. Messages shorter than this limit will be signed in
473 their entirety. Setting this value implies use of BodyLengthDB
474 for all addresses.
475
476
477 MilterDebug (integer)
478 Sets the debug level to be requested from the milter library.
479 Currently, the highest meaningful value is 6.
480
481
482 Minimum (string)
483 Instructs the verification code to fail messages for which a
484 partial signature was received. There are three possible for‐
485 mats: min indicating at least min bytes of the message must be
486 signed (or if the message is smaller than min then all of it
487 must be signed); min% requiring that at least min percent of the
488 received message must be signed; and min+ meaning there may be
489 no more than min bytes of unsigned data appended to the message
490 for it to be considered valid.
491
492
493 MinimumKeyBits (integer)
494 Establishes a minimum key size for acceptable signatures. Sig‐
495 natures with smaller key sizes, even if they otherwise pass DKIM
496 validation, will me marked as invalid. The default is 1024. A
497 value of 0 accepts all keys.
498
499
500 Mode (string)
501 Selects operating modes. The string is a concatenation of char‐
502 acters that indicate which mode(s) of operation are desired.
503 Valid modes are s (signer) and v (verifier). The default is sv
504 except in test mode (see the opendkim(8) man page) in which case
505 the default is v. When signing mode is enabled, one of the fol‐
506 lowing combinations must also be set: (a) Domain, KeyFile,
507 Selector, no KeyTable, no SigningTable; (b) KeyTable, Sign‐
508 ingTable, no Domain, no KeyFile, no Selector; (c) KeyTable,
509 SetupPolicyScript, no Domain, no KeyFile, no Selector.
510
511
512 MTA (dataset)
513 A set of MTA names (a la the sendmail(8) DaemonPortOptions Name
514 parameter) whose mail should be signed by this filter. There is
515 no default, meaning MTA name is not considered when making the
516 sign-verify decision.
517
518
519 MTACommand (string)
520 Specifies the path to an executable to be used for sending mail
521 such as that generated by SendReports. The default is
522 /usr/sbin/sendmail. The executable should accept typical send‐
523 mail(8) command line options "-t" (take addresses from message
524 body) and "-f" (set envelope sender), accept the new message on
525 its standard input, and return a non-zero exit status on any
526 error.
527
528
529 MultipleSignatures (Boolean)
530 Allow addition of multiple signatures when a signing table is in
531 use. See SigningTable for more information.
532
533
534 MustBeSigned (dataset)
535 Specifies a set of header fields that, if present, must be cov‐
536 ered by the DKIM signature when verifying a message. If a
537 header field in this set is present in the message and is not
538 signed, the filter will treat even an otherwise valid signature
539 as invalid. The default is an empty list.
540
541
542 Nameservers (string)
543 Provides a comma-separated list of IP addresses that are to be
544 used when doing DNS queries to retrieve DKIM keys, VBR records,
545 etc. These override any local defaults built in to the resolver
546 in use, which may be defined in /etc/resolv.conf or hard-coded
547 into the software.
548
549
550 NoHeaderB (Boolean)
551 If set, this feature suppresses the use of "header.b" tags in
552 added Authentication-Results header fields. The default is
553 "false", which means those tags will be applied.
554
555
556 OmitHeaders (dataset)
557 Specifies a set of header fields that should be omitted when
558 generating signatures. If an entry in the list names any header
559 field that is mandated by the DKIM specification, the entry is
560 ignored. A set of header fields is listed in the DKIM specifi‐
561 cation (RFC6376, Section 5.4) as "SHOULD NOT" be signed; the
562 default list for this parameter contains those fields (Return-
563 Path, Received, Comments, Keywords, Bcc, Resent-Bcc and DKIM-
564 Signature). To omit no headers, simply use the string "." (or
565 any string that will match no header field names). Specifying a
566 list with this parameter replaces the default entirely, unless
567 one entry is "*" in which case the list is interpreted as a
568 delta to the default; for example, "*,+foobar" will use the
569 entire default list plus the name "foobar", while "*,-Bcc" would
570 use the entire default list except for the "Bcc" entry.
571
572
573 On-BadSignature (string)
574 Selects the action to be taken when a signature fails to vali‐
575 date. Possible values (with abbreviated forms in parentheses):
576 accept (a) accept the message; discard (d) discard the message;
577 quarantine (q) quarantine the message; reject (r) reject the
578 message; tempfail (t) temp-fail the message. The default is
579 accept. Note that the "t" (testing) flag in a DKIM key bypasses
580 this behaviour; a bad signature that references a testing flag
581 will still be delivered, though the added Authentication-Results
582 field will indicate both the failed result and the test mode so
583 that consumers of the message can take appropriate action.
584
585
586 On-Default (string)
587 Selects the action to be taken when any verification or internal
588 error of any kind is encountered. This is processed before the
589 other "On-" values so it can be used as a blanket setting fol‐
590 lowed by specific overrides.
591
592
593 On-DNSError (string)
594 Selects the action to be taken when a transient DNS error is
595 encountered. Possible values are the same as those for On-
596 BadSignature. The default is tempfail.
597
598
599 On-InternalError (string)
600 Selects the action to be taken when an internal error of some
601 kind is encountered. Possible values are the same as those for
602 On-BadSignature. The default is tempfail.
603
604
605 On-KeyNotFound (string)
606 Selects the action to be taken when the key referenced by a sig‐
607 nature is not present in the DNS. Possible values are the same
608 as those for On-BadSignature. The default is accept.
609
610
611 On-NoSignature (string)
612 Selects the action to be taken when a message arrives unsigned.
613 Possible values are the same as those for On-BadSignature. The
614 default is accept.
615
616
617 On-Security (string)
618 Selects the action to be taken when a message arrives containing
619 properties that may be a security concern. Possible values are
620 the same as those for On-BadSignature. The default is tempfail.
621
622
623 On-SignatureError (string)
624 Selects the action to be taken when a message cannot be signed
625 because of issues with the message or the key provided for sign‐
626 ing. Possible values are the same as those for On-BadSignature.
627 The default is reject.
628
629
630 OversignHeaders (dataset)
631 Specifies a set of header fields that should be included in all
632 signature header lists (the "h=" tag) once more than the number
633 of times they were actually present in the signed message. The
634 set is empty by default. The purpose of this, and especially of
635 listing an absent header field, is to prevent the addition of
636 important fields between the signer and the verifier. Since the
637 verifier would include that header field when performing verifi‐
638 cation if it had been added by an intermediary, the signed mes‐
639 sage and the verified message were different and the verifica‐
640 tion would fail. Note that listing a field name here and not
641 listing it in the SignHeaders list is likely to generate invalid
642 signatures.
643
644
645 PeerList (dataset)
646 Identifies a set of "peers" that identifies clients whose con‐
647 nections should be accepted without processing by this filter.
648 The set should contain on each line a hostname, domain name
649 (e.g. ".example.com"), IP address, an IPv6 address (including an
650 IPv4 mapped address), or a CIDR-style IP specification (e.g.
651 "192.168.1.0/24"). An entry beginning with a bang ("!") charac‐
652 ter means "not", allowing exclusions of specific hosts that are
653 otherwise members of larger sets. Host and domain names are
654 matched first, then the IP or IPv6 address depending on the con‐
655 nection type. More precise entries are preferred over less pre‐
656 cise ones, i.e. "192.168.1.1" will match before
657 "!192.168.1.0/24". The text form of IPv6 addresses will be
658 forced to lowercase when queried (RFC5952), so the contents of
659 this data set should also use lowercase. The IP address portion
660 of an entry may optionally contain square brackets; both forms
661 (with and without) will be checked.
662
663
664 PidFile (string)
665 Specifies the path to a file that should be created at process
666 start containing the process ID.
667
668
669 POPDBFile (dataset)
670 Requests that the filter consult a set for IP addresses that
671 should be allowed for signing. This feature was designed for
672 POP-before-SMTP datastores. (Not enabled for this installa‐
673 tion.)
674
675
676 Quarantine (Boolean)
677 Requests that messages which fail verification be quarantined by
678 the MTA. (Requires a sufficiently recent version of the milter
679 library.)
680
681
682 QueryCache (Boolean)
683 Instructs the DKIM library to maintain its own local cache of
684 keys and policies retrieved from DNS, rather than relying on the
685 nameserver for caching service. Useful if the nameserver being
686 used by the filter is not local.
687
688
689
690 RedirectFailuresTo (address)
691 Messages bearing signatures that failed to verify are redirected
692 to the specified address. The original envelope recipient set
693 is recorded in the header before redirection occurs. By
694 default, no redirection is done.
695
696
697 RemoveARAll (Boolean)
698 Removes all Authentication-Results: header fields that also sat‐
699 isfy the requirements of RemoveARFrom below. By default, only
700 those containing a DKIM result are removed.
701
702
703 RemoveARFrom (dataset)
704 Defines a set of hostnames whose Authentication-Results: header
705 fields should be removed before the message is passed for deliv‐
706 ery. By default only those header fields matching the local
707 host's canonical name will be removed. Matching is only done on
708 full hostnames (e.g. "host.example.com") or on domain names
709 (e.g. ".example.com").
710
711
712 RemoveOldSignatures (Boolean)
713 Removes all existing signatures when operating in signing mode.
714
715
716 ReplaceHeaders (data set)
717 Defines a set of header fields that should be affected by the
718 text replacement rules defined by the ReplaceRules setting. By
719 default, all header fields are included. (Experimental feature
720 not enabled for this installation.)
721
722
723 ReplaceRules (string)
724 Specifies a file containing a list of text replacement rules
725 that are applied to the message header fields to replace certain
726 content expected to be changed as the message passes through
727 local MTAs. This can be used to accommodate expected changes
728 such as those made to From: fields by MTA "masquerade" features.
729 Each entry in the file consists of a POSIX regular expression,
730 followed by a tab (ASCII 9), followed by the text that should be
731 used to replace the text matching the expression. The '#' char‐
732 acter denotes the beginning of a comment and text from that
733 point on in a single line is ignored. Blank lines are also
734 skipped. (Experimental feature not enabled for this installa‐
735 tion.)
736
737
738 ReportAddress (string)
739 Specifies the string to use in the From: header field for outgo‐
740 ing reports (see SendReports below). If not specified, the exe‐
741 cuting user and local hostname will be used to construct the
742 address.
743
744
745 ReportBccAddress (string)
746 Specifies address(es) to include in a Bcc: header field on out‐
747 going reports (see SendReports below). If multiple addresses are
748 required, they should be comma separated.
749
750
751 RequestReports (boolean)
752 When signing, includes a request for signature evaluation fail‐
753 ures in the signature. (See RFC6651 for details.)
754
755
756 RequiredHeaders (boolean)
757 Checks all messages for compliance with RFC5322 header field
758 count requirements. Non-compliant messages are rejected.
759
760
761 RequireSafeKeys (boolean)
762 When reading a key file, a message will be logged if the key
763 file has the read or write bit set other than for the owner or
764 for a group that the executing process is in. With this feature
765 set to "true", the filter will further consider this an error
766 and refuse to make use of the file's contents. The default is
767 "true".
768
769
770 ResignAll (boolean)
771 Where ResignMailTo triggers a re-signing action, this flag indi‐
772 cates whether or not all mail should be signed (if set) versus
773 only verified mail being signed (if not set). (Experimental
774 feature not enabled for this installation.)
775
776
777 ResignMailTo (dataset)
778 Checks each message recipient against the specified dataset for
779 a matching record. The full address is checked in each case,
780 then the hostname, then each domain preceded by ".". If there
781 is a match, the value returned is presumed to be the name of a
782 key in the KeyTable (if defined) to be used to re-sign the mes‐
783 sage in addition to verifying it. If there is a match without a
784 KeyTable, the default key is applied. (Experimental feature not
785 enabled for this installation.)
786
787
788 ResolverConfiguration (string)
789 Provides the given string as configuration information to the
790 underlying resolver. For the standard UNIX resolver, this is
791 unused; for Unbound, the string contains a filename that is con‐
792 sidered to be a configuration file. There is no default.
793
794
795 ResolverTracing (Boolean)
796 Requests resolver tracing features be enabled, if available.
797 The effect of this depends on how debugging features of the
798 resolver might be implemented. Currently only effective with
799 the OpenDKIM asynchronous resolver library.
800
801
802 ScreenPolicyScript (string)
803 Gives the name of a Lua script that should be run after all of
804 the header fields have been processed for a message; in particu‐
805 lar, this is useful after all DKIM signatures have been detected
806 and initial evaluation has been done. The script has access to
807 all of the header fields and connection information and can
808 direct that certain signatures be ignored based on that informa‐
809 tion. See opendkim-lua(3) for details.
810
811
812 SelectCanonicalizationHeader (string)
813 Defines a header field name which, if present, adjusts which
814 canonicalization will be used to generate an outgoing signature.
815 Overrides the Canonicalization setting if the header field is
816 present. The default is "X-Canonicalization".
817
818
819 Selector (string)
820 Defines the name of the selector to be used when signing mes‐
821 sages. See the DKIM specification for details. Used only when
822 signing with a single key; see the SigningTable parameter below
823 for more information.
824
825 This parameter is ignored if a KeyTable is defined.
826
827
828 SenderHeaders (dataset)
829 Specifies an ordered list of header fields that should be
830 searched to determine the sender of a message. The first header
831 field found is the one whose value is used. This is mainly used
832 when signing for deciding which signing request(s) to make. By
833 default, the "From" header field is the only one checked. See
834 the OmitHeaders setting for a description of possible values.
835
836
837 SenderMacro (string)
838 Use the milter macro string to determine the sender of the mes‐
839 sage. (Experimental feature not enabled for this installation.)
840
841
842 SendReports (Boolean)
843 If true, when a signature verification fails and the signature
844 included a reporting request ("r=y") and the signing domain
845 advertises a reporting address (i.e. ra=user) in a reporting
846 record in the DNS, the filter will send a structured report to
847 that address containing details needed to reproduce the problem.
848 See RFC6651 for a complete description of this mechanism.
849
850
851 SetupPolicyScript (string)
852 Gives the name of a Lua script that should be run once all
853 header fields for a message have arrived. The script has access
854 to all of the header fields and connection information and can
855 request DKIM verification or signing based on that information.
856 See opendkim-lua(3) for details.
857
858
859 SignatureAlgorithm (string)
860 Selects the signing algorithm to use when generating signatures.
861 Use 'opendkim -V' to see the list of supported algorithms. The
862 default is rsa-sha256 if it is available, otherwise it will be
863 rsa-sha1.
864
865
866 SignatureTTL (integer)
867 Sets the time-to-live, in seconds, of signatures generated by
868 the filter. If not set, no expiration time is added to signa‐
869 tures.
870
871
872 SignHeaders (dataset)
873 Specifies the set of header fields that should be included when
874 generating signatures. If the list omits any header field that
875 is mandated by the DKIM specification, those fields are implic‐
876 itly added. By default, those fields listed in the DKIM speci‐
877 fication as "SHOULD" be signed (RFC6376, Section 5.4) will be
878 signed by the filter. See the OmitHeaders configuration option
879 for more information about the format and interpretation of this
880 field.
881
882
883 SigningTable (dataset)
884 Defines a table used to select one or more signatures to apply
885 to a message based on the address found in the From: header
886 field. Keys in this table vary depending on the type of table
887 used; values in this data set should include one field that con‐
888 tains a name found in the KeyTable (see above) that identifies
889 which key should be used in generating the signature, and an
890 optional second field naming the signer of the message that will
891 be included in the "i=" tag in the generated signature. Note
892 that the "i=" value will not be included in the signature if it
893 conflicts with the signing domain (the "d=" value).
894
895 If the first field contains only a "%" character, it will be
896 replaced by the domain found in the From: header field. Simi‐
897 larly, within the optional second field, any "%" character will
898 be replaced by the domain found in the From: header field.
899
900 If this table specifies a regular expression file ("refile"),
901 then the keys are wildcard patterns that are matched against the
902 address found in the From: header field. Entries are checked in
903 the order in which they appear in the file.
904
905 For all other database types, the full user@host is checked
906 first, then simply host, then user@.domain (with all superdo‐
907 mains checked in sequence, so "foo.example.com" would first
908 check "user@foo.example.com", then "user@.example.com", then
909 "user@.com"), then .domain, then user@*, and finally *.
910
911 In any case, only the first match is applied, unless MultipleS‐
912 ignatures is enabled in which case all matches are applied.
913
914
915 SMTPURI (string)
916 Specifies a URI (e.g., "smtp://localhost") to which mail should
917 be sent via SMTP when notifications are generated. (Not enabled
918 for this installation.)
919
920
921 Socket (string)
922 Specifies the socket that should be established by the filter to
923 receive connections from sendmail(8) in order to provide ser‐
924 vice. socketspec is in one of two forms: local:path, which cre‐
925 ates a UNIX domain socket at the specified path, or
926 inet:port[@host] or inet6:port[@host] which creates a TCP socket
927 on the specified port and in the specified protocol family. If
928 the host is not given as either a hostname or an IP address, the
929 socket will be listening on all interfaces. A literal IP
930 address must be enclosed in square brackets. This option is
931 mandatory either in the configuration file or on the command
932 line.
933
934
935 SoftStart (Boolean)
936 If set, the inability to connect and authenticate to an LDAP or
937 SQL server will not prevent the filter from starting, and recon‐
938 nections will be attempted for each query. The default is
939 "False".
940
941
942 SoftwareHeader (Boolean)
943 Causes opendkim to add an "DKIM-Filter" header field indicating
944 the presence of this filter in the path of the message from
945 injection to delivery. The product's name, version, and the job
946 ID are included in the header field's contents. Note that the
947 header field is not added if the Mode setting causes the message
948 to be ignored (e.g., if only signing mode is enabled and the
949 configuration causes the message not to be signed, or only ver‐
950 ify mode is enabled and configuration would otherwise have
951 caused the message to be signed, then it will not have this
952 header field added).
953
954
955 Statistics (filename)
956 This specifies a file in which to store DKIM transaction statis‐
957 tics. See opendkim-stats(8) for a mechanism to parse the file's
958 contents, and opendkim-importstats() for a mechanism to trans‐
959 late the file's contents into SQL database insertions. (Experi‐
960 mental feature not enabled for this installation.)
961
962
963 StatisticsName (string)
964 Defines the name to be used as the reporting host in statistics
965 logs. By default, the local host's name returned by gethost‐
966 name(3) is used. (Experimental feature not enabled for this
967 installation.)
968
969
970 StatisticsPolicyScript (string)
971 The statistics script is run after all of the DKIM verification
972 and signing work has been completed but before any final message
973 handling is done. The main purpose of this script is to give
974 the user an opportunity to examine the message or its signatures
975 and make arbitrary additional statistical observations that
976 should be recorded by the statistics module.
977
978
979 StatisticsPrefix (string)
980 When AnonymousStatistics is enabled, this string may be speci‐
981 fied and will be prepended to all data before hashing for more
982 complete anonymization. This means two records from different
983 sources referencing the same source will still produce different
984 hashes, meaning such correlation is now only possible within the
985 data from a single repoter.
986
987
988 StrictHeaders (Boolean)
989 If set, instructs the DKIM library to refuse processing of a
990 message if the header field count does not conform to RFC5322
991 Section 3.6.
992
993
994 StrictTestMode (Boolean)
995 Selects strict CRLF mode during testing (see the -t command line
996 flag in the opendkim(8) man page); messages for which all header
997 fields and body lines are not CRLF-terminated are considered
998 malformed and will produce an error.
999
1000
1001 SubDomains (Boolean)
1002 Sign subdomains of those listed by the Domain parameter as well
1003 as the actual domains.
1004
1005
1006 Syslog (Boolean)
1007 Log via calls to syslog(3) any interesting activity.
1008
1009
1010 SyslogFacility (string)
1011 Log via calls to syslog(3) using the named facility. The facil‐
1012 ity names are the same as the ones allowed in syslog.conf(5).
1013 The default is "mail".
1014
1015
1016 SyslogName (string)
1017 Log via calls to syslog(3) using that name. That way one could
1018 distinguish multiple instances. The default is the name of the
1019 executable, normally "opendkim".
1020
1021
1022 SyslogSuccess (Boolean)
1023 Log via calls to syslog(3) additional entries indicating suc‐
1024 cessful signing or verification of messages.
1025
1026
1027 TemporaryDirectory (string)
1028 Specifies the directory in which temporary canonicalization
1029 files should be written. The default is to use the libopendkim
1030 default location, currently /tmp.
1031
1032
1033 TestDNSData (data set)
1034 Provides a data set whose keys will be treated as DNS record
1035 names and values as TXT record contents. Intended for use dur‐
1036 ing automated testing.
1037
1038
1039 TestPublicKeys (string)
1040 Names a file from which public keys should be read. Intended
1041 for use only during automated testing.
1042
1043
1044 TrustAnchorFile (string)
1045 Specifies a file from which trust anchor data should be read
1046 when doing DNS queries and applying the DNSSEC protocol. This
1047 is currently ignored unless the underlying library is compiled
1048 to use Unbound; see the documentation at at http://unbound.net
1049 for the expected format of this file.
1050
1051
1052 TrustSignaturesFrom (dataset)
1053 This value consists of a set of domains that are considered
1054 trustworthy in terms of third-party signatures. That is, if a
1055 message arrives with a signature from a domain that doesn't
1056 match the domain in the From: header, this setting determines
1057 whether or not that signature will be trusted. If this value is
1058 undefined, all signatures are trusted.
1059
1060
1061 UMask (integer)
1062 Requests a specific permissions mask to be used for file cre‐
1063 ation. This only really applies to creation of the socket when
1064 Socket specifies a UNIX domain socket, and to the PidFile (if
1065 any); temporary files are created by the mkstemp(3) function
1066 that enforces a specific file mode on creation regardless of the
1067 process umask. See umask(2) for more information.
1068
1069
1070 UnprotectedKey (string)
1071 Instructs the filter to treat a passing signature associated
1072 with a key found in an insecure (i.e. not protected by DNSSEC)
1073 DNS record in a special way. Possible values are neutral
1074 (return a "neutral" result), none (take no special action; this
1075 is the default) and fail (return a "fail" result). (Not enabled
1076 for this installation.)
1077
1078
1079 UserID (string)
1080 Attempts to become the specified userid before starting opera‐
1081 tions. The value is of the form userid[:group]. The process
1082 will be assigned all of the groups and primary group ID of the
1083 named userid unless an alternate group is specified.
1084
1085
1086 VBR-Certifiers (string)
1087 The default certifiers if not specified in X-VBR-Certifiers
1088 header field. (Experimental feature not enabled for this
1089 installation.)
1090
1091
1092 VBR-PurgeFields (string)
1093 If set, arranges to remove X-VBR-Certifiers and X-VBR-Type
1094 fields on messages prior to sending them. (Experimental feature
1095 not enabled for this installation.)
1096
1097
1098 VBR-TrustedCertifiers (string)
1099 A colon or comma sparated list of trusted certifiers to accept
1100 when verifying VBR-Info header field. (Experimental feature not
1101 enabled for this installation.)
1102
1103
1104 VBR-TrustedCertifiersOnly (Boolean)
1105 By default, the certifiers that are in both the trusted certi‐
1106 fiers list (above) and those in the message's VBR-Info header
1107 field will be checked for vouching. With this option set, the
1108 trusted certifiers will be checked and the ones claimed by the
1109 message will be ignored. (Experimental feature not enabled for
1110 this installation.)
1111
1112
1113 VBR-Type (string)
1114 This default VBR type if not specified in the X-VBR-Type header
1115 field. (Experimental feature not enabled for this installa‐
1116 tion.)
1117
1118
1119 WeakSyntaxChecks (Boolean)
1120 Requests that the library continue processing messages even if
1121 syntax errors are discovered early in message analysis. This
1122 means, for example, that a signed message with a mangled From:
1123 field will still proceed to verification even if the author's
1124 domain could not be determined.
1125
1126
1128 When using DNS timeouts (see the DNSTimeout option above), be sure not
1129 to use a timeout that is larger than the timeout being used for inter‐
1130 action between sendmail and the filter. Otherwise, the MTA could abort
1131 a message while waiting for a reply from the filter, which in turn is
1132 still waiting for a DNS reply.
1133
1134 Features that involve specification of IPv4 addresses or CIDR blocks
1135 will use the inet_addr(3) function to parse that information. Users
1136 should be familiar with the way that function handles the non-trivial
1137 cases (for example, "192.0.2/24" and "192.0.2.0/24" are not the same
1138 thing).
1139
1141 /etc/opendkim.conf
1142 Default location of this file.
1143
1145 This man page covers version 2.11.0 of opendkim.
1146
1147
1149 Copyright (c) 2007, 2008, Sendmail, Inc. and its suppliers. All rights
1150 reserved.
1151
1152 Copyright (c) 2009-2015, The Trusted Domain Project. All rights
1153 reserved.
1154
1156 opendkim(8), opendkim-lua(3), sendmail(8)
1157
1158 RFC5451 - Message Header Field for Indicating Message Authentication
1159 Status
1160
1161 RFC5617 - DKIM Author Domain Signing Practises
1162
1163 RFC5965 - An Extensible Format for Email Feedback Reports
1164
1165 RFC6008 - Authentication-Results Registration for Differentiating among
1166 Cryptographic Results
1167
1168 RFC6376 - DomainKeys Identified Mail
1169
1170 RFC6651 - Extensions to DomainKeys Identified Mail (DKIM) for Failure
1171 Reporting
1172
1173
1174
1175 The Trusted Domain Project opendkim.conf(5)