1openarc.conf(5) File Formats Manual openarc.conf(5)
2
3
4
6 openarc.conf - Configuration file for openarc
7
8
10 /etc/openarc.conf
11
12
14 openarc(8) implements the ARC (Authenticated Received Chain) specifica‐
15 tion for verifying authentication and handling of messages as they are
16 routed to their destinations. This file is its configuration file.
17
18 Blank lines are ignored. Lines containing a hash ("#") character are
19 truncated at the hash character to allow for comments in the file.
20
21 Other content should be the name of a parameter, followed by white
22 space, followed by the value of that parameter, each on a separate
23 line.
24
25 For parameters that are Boolean in nature, only the first byte of the
26 value is processed. For positive values, the following are accepted:
27 "T", "t", "Y", "y", "1". For negative values, the following are
28 accepted: "F", "f", "N", "n", "0".
29
30 See the openarc(8) man page for details about how and when the configu‐
31 ration file contents are reloaded.
32
33 Unless otherwise stated, Boolean values default to "false", integer
34 values default to 0, and string and dataset values default to being
35 undefined.
36
37
39 AutoRestart (Boolean)
40 Automatically re-start on failures. Use with caution; if the
41 filter fails instantly after it starts, this can cause a tight
42 fork(2) loop.
43
44
45 AutoRestartCount (integer)
46 Sets the maximum automatic restart count. After this number of
47 automatic restarts, the filter will give up and terminate. A
48 value of 0 implies no limit; this is the default.
49
50
51 AutoRestartRate (string)
52 Sets the maximum automatic restart rate. If the filter begins
53 restarting faster than the rate defined here, it will give up
54 and terminate. This is a string of the form n/t[u] where n is
55 an integer limiting the count of restarts in the given interval
56 and t[u] defines the time interval through which the rate is
57 calculated; t is an integer and u defines the units thus repre‐
58 sented ("s" or "S" for seconds, the default; "m" or "M" for min‐
59 utes; "h" or "H" for hours; "d" or "D" for days). For example,
60 a value of "10/1h" limits the restarts to 10 in one hour. There
61 is no default, meaning restart rate is not limited.
62
63
64 Background (Boolean)
65 Causes openarc to fork and exits immediately, leaving the ser‐
66 vice running in the background. The default is "true".
67
68
69 Canonicalization (string)
70 Selects the canonicalization method(s) to be used when signing
71 messages. When verifying, the message's ARC-Message-Signature:
72 header field specifies the canonicalization method. The recog‐
73 nized values are relaxed and simple as defined by the DKIM spec‐
74 ification. The default is relaxed/simple. The value may
75 include two different canonicalizations separated by a slash
76 ("/") character, in which case the first will be applied to the
77 header and the second to the body.
78
79
80 ChangeRootDirectory (string)
81 Requests that the operating system change the effective root
82 directory of the process to the one specified here prior to
83 beginning execution. chroot(2) requires superuser access. A
84 warning will be generated if UserID is not also set.
85
86
87 EnableCoredumps (boolean)
88 On systems that have such support, make an explicit request to
89 the kernel to dump cores when the filter crashes for some rea‐
90 son. Some modern UNIX systems suppress core dumps during
91 crashes for security reasons if the user ID has changed during
92 the lifetime of the process. Currently only supported on Linux.
93
94
95 Include (string)
96 Names a file to be opened and read as an additional configura‐
97 tion file. Nesting is allowed to a maximum of five levels.
98
99
100 InternalHosts (dataset)
101 Identifies a set of hosts that identifies clients whose connec‐
102 tions should be treated as "internal" by this filter. Messages
103 received from such sources will not be verified and are instead
104 trusted as-is; in particular, their Authentication-Results
105 fields are trusted to be correct and authentic, meaning they
106 will be assumed to contain the correct chain status when gener‐
107 ating an outgoing seal. See the description of "PeerList" for a
108 description of the supported format. If no set is provided,
109 "127.0.0.1" is added to the list by default.
110
111
112 MilterDebug (integer)
113 Sets the debug level to be requested from the milter library.
114 The default is 0.
115
116
117 Mode (string)
118 Selects the operating mode(s) for this filter. If the string
119 contains the character "s", the filter will sign and seal mes‐
120 sages passing through the filter. If the string contains the
121 character "v", the filter will do signature and seal validation
122 of arriving messages. The two can be combined. If neither is
123 specified, the operating mode will be inferred on a per-connec‐
124 tion basis based on the entries in the InternalHosts list; con‐
125 nections from internal hosts will be assigned to signing mode,
126 and all others will be assigned to verify mode.
127
128
129 OversignHeaders (string)
130 Specifies a comma-separated list of header field names that
131 should be included in all signature header lists (the "h=" tag)
132 once more than the number of times they were actually present in
133 the signed message. The set is empty by default. The purpose
134 of this, and especially of listing an absent header field, is to
135 prevent the addition of important fields between the signer and
136 the verifier. Since the verifier would include that header
137 field when performing verification if it had been added by an
138 intermediary, the signed message and the verified message were
139 different and the verification would fail. Note that listing a
140 field name here and not listing it in the SignHeaders list is
141 likely to generate invalid signatures.
142
143
144 PeerList (dataset)
145 Identifies a set of "peers" that identifies clients whose con‐
146 nections should be accepted without processing by this filter.
147 The set should contain on each line a hostname, domain name
148 (e.g. ".example.com"), IP address, an IPv6 address (including an
149 IPv4 mapped address), or a CIDR-style IP specification (e.g.
150 "192.168.1.0/24"). An entry beginning with a bang ("!") charac‐
151 ter means "not", allowing exclusions of specific hosts that are
152 otherwise members of larger sets. Host and domain names are
153 matched first, then the IP or IPv6 address depending on the con‐
154 nection type. More precise entries are preferred over less pre‐
155 cise ones, i.e. "192.168.1.1" will match before
156 "!192.168.1.0/24". The text form of IPv6 addresses will be
157 forced to lowercase when queried (RFC5952), so the contents of
158 this data set should also use lowercase. The IP address portion
159 of an entry may optionally contain square brackets; both forms
160 (with and without) will be checked.
161
162
163 PidFile (string)
164 Specifies the path to a file that should be created at process
165 start containing the process ID.
166
167
168 SignatureAlgorithm (string)
169 Selects the signing algorithm to use when generating signatures.
170 Use 'openarc -V' to see the list of supported algorithms. The
171 default is rsa-sha256.
172
173
174 SignHeaders (string)
175 Specifies the set of header fields that should be included when
176 generating signatures. This is expected to be a comma-separated
177 list of header field names, and matching is case-insensitive.
178 If the list omits any header field that is mandated by the ARC
179 specification, those fields are implicitly added. By default,
180 those fields listed in the DKIM specification as "SHOULD" be
181 signed (RFC6376, Section 5.4) will be signed by the filter.
182
183
184 Socket (string)
185 Specifies the socket that should be established by the filter to
186 receive connections from sendmail(8) in order to provide ser‐
187 vice. socketspec is in one of two forms: local:path, which cre‐
188 ates a UNIX domain socket at the specified path, or
189 inet:port[@host] or inet6:port[@host] which creates a TCP socket
190 on the specified port and in the specified protocol family. If
191 the host is not given as either a hostname or an IP address, the
192 socket will be listening on all interfaces. A literal IP
193 address must be enclosed in square brackets. This option is
194 mandatory either in the configuration file or on the command
195 line.
196
197
198 Syslog (Boolean)
199 Log via calls to syslog(3) any interesting activity.
200
201
202 SyslogFacility (string)
203 Log via calls to syslog(3) using the named facility. The facil‐
204 ity names are the same as the ones allowed in syslog.conf(5).
205 The default is "mail".
206
207
208 UserID (string)
209 Attempts to become the specified userid before starting opera‐
210 tions. The value is of the form userid[:group]. The process
211 will be assigned all of the groups and primary group ID of the
212 named userid unless an alternate group is specified.
213
214
216 Features that involve specification of IPv4 addresses or CIDR blocks
217 will use the inet_addr(3) function to parse that information. Users
218 should be familiar with the way that function handles the non-trivial
219 cases (for example, "192.0.2/24" and "192.0.2.0/24" are not the same
220 thing).
221
223 /etc/openarc.conf
224 Default location of this file.
225
227 This man page covers version 1.0.0 of openarc.
228
229
231 Copyright (c) 2007, 2008, Sendmail, Inc. and its suppliers. All rights
232 reserved.
233
234 Copyright (c) 2009-2017, The Trusted Domain Project. All rights
235 reserved.
236
238 openarc(8), sendmail(8)
239
240 RFC5451 - Message Header Field for Indicating Message Authentication
241 Status
242
243 RFC5617 - DKIM Author Domain Signing Practises
244
245 RFC5965 - An Extensible Format for Email Feedback Reports
246
247 RFC6008 - Authentication-Results Registration for Differentiating among
248 Cryptographic Results
249
250 RFC6376 - DomainKeys Identified Mail
251
252 RFC6651 - Extensions to DomainKeys Identified Mail (DKIM) for Failure
253 Reporting
254
255
256
257 The Trusted Domain Project openarc.conf(5)