opendmarc.conf(5)             File Formats Manual            opendmarc.conf(5)

NAME

       opendmarc.conf - Configuration file for opendmarc

LOCATION

       /etc/opendmarc.conf

DESCRIPTION

       opendmarc(8) implements the proposed DMARC specification for message
       authentication, policy enforcement, and reporting. This file is its
       configuration file.

       Blank lines are ignored. Lines containing a hash ("#") character are
       truncated at the hash character to allow for comments in the file.

       Other content should be the name of a parameter, followed by white
       space, followed by the value of that parameter, each on a separate
       line.

       For parameters that are Boolean in nature, only the first byte of the
       value is processed. For positive values, the following are accepted:
       "T", "t", "Y", "y", "1". For negative values, the following are
       accepted: "F", "f", "N", "n", "0".

       Some, but not all, of these parameters are also available as command
       line options to opendmarc(8). However, new parameters are generally
       not added as command line options so the complete set of options is
       available here, and thus use of the configuration file is encouraged.
       In some future release, the set of available command line options is
       likely to get trimmed.

       See the opendmarc(8) man page for details about how and when the
       configuration file contents are reloaded.

       Unless otherwise stated, Boolean values default to "false", integer
       values default to 0, and string and dataset values default to being
       undefined.
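
       The syntax rules above, as an added Python example (not part of the
       original man page and not opendmarc's own code). The function names,
       the sample file, letting a later duplicate override an earlier one,
       and raising on a missing value or an unlisted Boolean byte are
       assumptions of this example.

```python
# Added example: reads the opendmarc.conf syntax described in DESCRIPTION.
# Not opendmarc code; error handling and duplicate handling are assumptions.

TRUE_BYTES = set("TtYy1")
FALSE_BYTES = set("FfNn0")


def parse_conf(text):
    """Return {parameter: value} for the text of a configuration file."""
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Everything from the first "#" on is dropped. There is no quoting
        # or escaping, so a "#" inside a value cuts the value short too.
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue  # blank and comment-only lines are ignored
        parts = line.split(None, 1)  # name, white space, value
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: {parts[0]!r} has no value")
        settings[parts[0]] = parts[1]  # assumption: last occurrence wins
    return settings


def parse_bool(value):
    """Interpret a Boolean value: only its first byte is looked at."""
    first = value[:1]
    if first in TRUE_BYTES:
        return True
    if first in FALSE_BYTES:
        return False
    # "on" and "off" land here: "o" is in neither accepted list.
    raise ValueError(f"not an accepted Boolean value: {value!r}")


# Constructed sample file; the paths and port are placeholders.
SAMPLE = """\
# constructed sample, not a recommended configuration
Socket            inet:8893@localhost   # milter socket
RejectFailures    yes
SPFSelfValidate   True
Background        0

HistoryFile       /var/run/opendmarc/history#1.dat
"""

if __name__ == "__main__":
    for name, value in parse_conf(SAMPLE).items():
        print(name, "=", value)
```

       In the sample, the HistoryFile value is read as
       /var/run/opendmarc/history because the line is truncated at the hash
       character.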

PARAMETERS

       AuthservID (string)
              Sets the "authserv-id" to use when generating the
              Authentication-Results: header field after verifying a message.
              The default is to use the name of the MTA processing the
              message. If the string "HOSTNAME" is provided, the name of the
              host running the filter (as returned by the gethostname(3)
              function) will be used.

       AuthservIDWithJobID (Boolean)
              If "true", requests that the authserv-id portion of the added
              Authentication-Results: header fields contain the job ID of the
              message being evaluated.

       AutoRestart (Boolean)
              Automatically re-start on failures. Use with caution; if the
              filter fails instantly after it starts, this can cause a tight
              fork(2) loop.

       AutoRestartCount (integer)
              Sets the maximum automatic restart count. After this number of
              automatic restarts, the filter will give up and terminate. A
              value of 0 implies no limit; this is the default.

       AutoRestartRate (string)
              Sets the maximum automatic restart rate. If the filter begins
              restarting faster than the rate defined here, it will give up
              and terminate. This is a string of the form n/t[u] where n is
              an integer limiting the count of restarts in the given interval
              and t[u] defines the time interval through which the rate is
              calculated; t is an integer and u defines the units thus
              represented ("s" or "S" for seconds, the default; "m" or "M"
              for minutes; "h" or "H" for hours; "d" or "D" for days). For
              example, a value of "10/1h" limits the restarts to 10 in one
              hour. There is no default, meaning restart rate is not limited.

       Background (Boolean)
              Causes opendmarc to fork and exit immediately, leaving the
              service running in the background. The default is "true".

       BaseDirectory (string)
              If set, instructs the filter to change to the specified
              directory using chdir(2) before doing anything else. This means
              any files referenced elsewhere in the configuration file can be
              specified relative to this directory. It's also useful for
              arranging that any crash dumps will be saved to a specific
              location.

       ChangeRootDirectory (string)
              Requests that the operating system change the effective root
              directory of the process to the one specified here prior to
              beginning execution. chroot(2) requires superuser access. A
              warning will be generated if UserID is not also set.

       CopyFailuresTo (string)
              Adds the specified recipient to the message's envelope if it
              fails the DMARC evaluation.

       DNSTimeout (integer)
              Sets the DNS timeout in seconds. A value of 0 causes an
              infinite wait. The default is 5. Ignored if not using an
              asynchronous resolver package.

       EnableCoredumps (Boolean)
              On systems that have such support, make an explicit request to
              the kernel to dump cores when the filter crashes for some
              reason. Some modern UNIX systems suppress core dumps during
              crashes for security reasons if the user ID has changed during
              the lifetime of the process. Currently only supported on Linux.

       FailureReports (Boolean)
              Enables generation of failure reports when the DMARC test fails
              and the purported sender of the message has requested such
              reports. Reports are formatted per RFC6591.

       FailureReportsBcc (string)
              When failure reports are enabled and one is to be generated,
              always send one to the address(es) specified here. If a failure
              report is requested by the domain owner, the address(es) are
              added in a Bcc: field. If no request is made, the address(es)
              are used in a To: field. There is no default.

       FailureReportsOnNone (Boolean)
              Supplementary to the previous setting, enables generation of
              failure reports for sending domains that publish a "none"
              policy.

       FailureReportsSentBy (string)
              Sets the value of the From: field to be used when sending
              failure reports (see above). The default is to use the userid
              of the user executing the filter and the local host name to
              construct an email address.

       HistoryFile (string)
              If set, specifies the location of a text file to which records
              are written that can be used to generate DMARC aggregate
              reports. Records are batches of rows containing information
              about a single received message, and include all relevant
              information needed to generate a DMARC aggregate report. It is
              expected that this will not be used in its raw form, but rather
              periodically imported into a relational database from which the
              aggregate reports can be extracted.

       IgnoreAuthenticatedClients (Boolean)
              If set, causes mail from authenticated clients (i.e., those
              that used SMTP AUTH) to be ignored by the filter. The default
              is "false".

       IgnoreHosts (string)
              Specifies the path to a file that contains a list of hostnames,
              IP addresses, and/or CIDR expressions identifying hosts whose
              SMTP connections are to be ignored by the filter. If not
              specified, defaults to "127.0.0.1" only.

       IgnoreMailFrom (string)
              Gives a list of domain names whose mail (based on the From:
              domain) is to be ignored by the filter. The list should be
              comma-separated. Matching against this list is
              case-insensitive. The default is an empty list, meaning no mail
              is ignored.

       MilterDebug (integer)
              Sets the debug level to be requested from the milter library.
              The default is 0.

       PidFile (string)
              Specifies the path to a file that should be created at process
              start containing the process ID.

       PublicSuffixList (string)
              Specifies the path to a file that contains top-level domains
              (TLDs) that will be used to compute the Organizational Domain
              for a given domain name, as described in the DMARC
              specification. If not provided, the filter will not be able to
              determine the Organizational Domain and only the presented
              domain will be evaluated.

       RecordAllMessages (Boolean)
              If set and HistoryFile is in use, all received messages are
              recorded to the history file. If not set (the default), only
              messages for which the From: domain published a DMARC record
              will be recorded in the history file.

       RejectFailures (Boolean)
              If set, messages will be rejected if they fail the DMARC
              evaluation, or temp-failed if evaluation could not be
              completed. By default, no message will be rejected or
              temp-failed regardless of the outcome of the DMARC evaluation
              of the message. Instead, an Authentication-Results header field
              will be added. The default is "false".

       ReportCommand (string)
              Indicates the shell command to which failure reports should be
              passed for delivery when FailureReports is enabled. Defaults to
              /usr/sbin/sendmail.

       RequiredHeaders (Boolean)
              If set, the filter will ensure the header of the message
              conforms to the basic header field count restrictions laid out
              in RFC5322, Section 3.6. Messages failing this test are
              rejected without further processing. A From: field from which
              no domain name could be extracted will also be rejected.

       Socket (string)
              Specifies the socket that should be established by the filter to
              receive connections from sendmail(8) in order to provide
              service. socketspec is in one of two forms: local:path, which
              creates a UNIX domain socket at the specified path, or
              inet:port[@host] or inet6:port[@host] which creates a TCP socket
              on the specified port for the appropriate protocol family. If
              the host is not given as either a hostname or an IP address, the
              socket will be listening on all interfaces. This option is
              mandatory either in the configuration file or on the command
              line. If an IP address is used, it must be enclosed in square
              brackets.

       SoftwareHeader (Boolean)
              Causes opendmarc to add a "DMARC-Filter" header field indicating
              the presence of this filter in the path of the message from
              injection to delivery. The product's name, version, and the job
              ID are included in the header field's contents.

       SPFIgnoreResults (Boolean)
              Causes the filter to ignore any SPF results in the header of the
              message. This is useful if you want the filter to perform SPF
              checks itself, or because you don't trust the arriving header.
              The default is "false".

       SPFSelfValidate (Boolean)
              Causes the filter to perform a fallback SPF check itself when it
              can find no SPF results in the message header. If
              SPFIgnoreResults is also set, it never looks for SPF results in
              headers and always performs the SPF check itself when this is
              set. The default is "false".

       Syslog (Boolean)
              Log via calls to syslog(3) any interesting activity.

       SyslogFacility (string)
              Log via calls to syslog(3) using the named facility. The
              facility names are the same as the ones allowed in
              syslog.conf(5). The default is "mail".

       TrustedAuthservIDs (string)
              Provides a list of authserv-ids that are to be used to identify
              Authentication-Results header fields whose contents are to be
              assumed as valid input for the DMARC assessment. To provide a
              list, separate values by commas. If the string "HOSTNAME" is
              provided, the name of the host running the filter (as returned
              by the gethostname(3) function) will be used. Matching against
              this list is case-insensitive. The default is to use the value
              of AuthservID.

       UMask (integer)
              Requests a specific permissions mask to be used for file
              creation. This only really applies to creation of the socket
              when Socket specifies a UNIX domain socket, and to the PidFile
              (if any); temporary files are created by the mkstemp(3) function
              that enforces a specific file mode on creation regardless of the
              process umask. See umask(2) for more information.

       UserID (string)
              Attempts to become the specified userid before starting
              operations. The value is of the form userid[:group]. The process
              will be assigned all of the groups and primary group ID of the
              named userid unless an alternate group is specified.
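
       Added example (not part of the original man page and not opendmarc's
       own code): a Python check that turns the caveats stated under
       AutoRestart, AutoRestartRate, ChangeRootDirectory, DNSTimeout and
       Socket into findings for a set of already-read settings. The function
       names, the wording of the findings and the sample values are
       assumptions of this example.

```python
# Added example, not opendmarc code: flags settings that PARAMETERS warns about.
import re

UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def is_true(settings, name):
    # Booleans default to "false"; only the first byte of the value counts.
    return (settings.get(name) or "f")[0] in "TtYy1"

def restart_rate(spec):
    """Parse AutoRestartRate "n/t[u]" into (max_restarts, interval_seconds)."""
    m = re.fullmatch(r"(\d+)/(\d+)([sSmMhHdD]?)", spec)
    if not m:
        raise ValueError(f"malformed AutoRestartRate: {spec!r}")
    unit = m.group(3).lower() or "s"  # seconds when no unit is given
    return int(m.group(1)), int(m.group(2)) * UNIT_SECONDS[unit]

def socket_scope(spec):
    """Classify a Socket value as 'unix', 'bound' or 'all-interfaces'."""
    family, _, rest = spec.partition(":")
    if family == "local" and rest:
        return "unix"
    if family in ("inet", "inet6") and rest:
        return "bound" if "@" in rest else "all-interfaces"
    raise ValueError(f"malformed Socket: {spec!r}")

def audit(settings):
    """Return findings for a dict of parameter -> value strings."""
    findings = []
    if "ChangeRootDirectory" in settings and "UserID" not in settings:
        findings.append("ChangeRootDirectory is set but UserID is not")
    if is_true(settings, "AutoRestart"):
        limited = int(settings.get("AutoRestartCount", "0")) > 0
        if "AutoRestartRate" in settings:
            restart_rate(settings["AutoRestartRate"])  # raises if malformed
            limited = True
        if not limited:
            findings.append("AutoRestart has no count or rate limit")
    if "Socket" in settings and socket_scope(settings["Socket"]) == "all-interfaces":
        findings.append("Socket listens on all interfaces")
    if int(settings.get("DNSTimeout", "5")) == 0:
        findings.append("DNSTimeout 0 waits on DNS forever")
    return findings

# Constructed inputs; the port, directory and user name are placeholders.
WEAK = {"Socket": "inet:8893", "ChangeRootDirectory": "/var/empty",
        "AutoRestart": "yes", "DNSTimeout": "0"}
TIGHT = {"Socket": "inet:8893@localhost", "ChangeRootDirectory": "/var/empty",
         "UserID": "opendmarc", "AutoRestart": "yes", "AutoRestartRate": "10/1h"}
```

       audit(WEAK) returns four findings and audit(TIGHT) returns none; a
       missing Socket is not flagged because it may be given on the command
       line.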

FILES

       /etc/opendmarc.conf
              Default location of this file.

VERSION

       This man page covers version 1.3.2 of opendmarc.

COPYRIGHT

       Copyright (c) 2012-2015, The Trusted Domain Project. All rights
       reserved.

SEE ALSO

       opendmarc(8), sendmail(8)

       RFC4408 - Sender Policy Framework

       RFC5451 - Message Header Field for Indicating Message Authentication
       Status

       RFC5965 - An Extensible Format for Email Feedback Reports

       RFC6376 - DomainKeys Identified Mail

       RFC6591 - Authentication Failure Reporting Using the Abuse Reporting
       Format

                         The Trusted Domain Project         opendmarc.conf(5)