1openarc.conf(5) File Formats Manual openarc.conf(5)
2
6 openarc.conf - Configuration file for openarc
7
10 /etc/openarc.conf
11
14 openarc(8) implements the ARC (Authenticated Received Chain) specifica‐
15 tion for verifying authentication and handling of messages as they are
16 routed to their destinations. This file is its configuration file.
17 Blank lines are ignored. Lines containing a hash ("#") character are
19 truncated at the hash character to allow for comments in the file.
20 Other content should be the name of a parameter, followed by white
22 space, followed by the value of that parameter, each on a separate
23 line.
24 For parameters that are Boolean in nature, only the first byte of the
26 value is processed. For positive values, the following are accepted:
27 "T", "t", "Y", "y", "1". For negative values, the following are
28 accepted: "F", "f", "N", "n", "0".
29 See the openarc(8) man page for details about how and when the configu‐
31 ration file contents are reloaded.
32 Unless otherwise stated, Boolean values default to "false", integer
34 values default to 0, and string and dataset values default to being
35 undefined.
36
39 AutoRestart (Boolean)
40 Automatically re-start on failures. Use with caution; if the
41 filter fails instantly after it starts, this can cause a tight
42 fork(2) loop.
43 AutoRestartCount (integer)
46 Sets the maximum automatic restart count. After this number of
47 automatic restarts, the filter will give up and terminate. A
48 value of 0 implies no limit; this is the default.
49 AutoRestartRate (string)
52 Sets the maximum automatic restart rate. If the filter begins
53 restarting faster than the rate defined here, it will give up
54 and terminate. This is a string of the form n/t[u] where n is
55 an integer limiting the count of restarts in the given interval
56 and t[u] defines the time interval through which the rate is
57 calculated; t is an integer and u defines the units thus repre‐
58 sented ("s" or "S" for seconds, the default; "m" or "M" for min‐
59 utes; "h" or "H" for hours; "d" or "D" for days). For example,
60 a value of "10/1h" limits the restarts to 10 in one hour. There
61 is no default, meaning restart rate is not limited.
62 Background (Boolean)
65 Causes openarc to fork and exits immediately, leaving the ser‐
66 vice running in the background. The default is "true".
67 Canonicalization (string)
70 Selects the canonicalization method(s) to be used when signing
71 messages. When verifying, the message's ARC-Message-Signature:
72 header field specifies the canonicalization method. The recog‐
73 nized values are relaxed and simple as defined by the DKIM spec‐
74 ification. The default is relaxed/simple. The value may
75 include two different canonicalizations separated by a slash
76 ("/") character, in which case the first will be applied to the
77 header and the second to the body.
78 ChangeRootDirectory (string)
81 Requests that the operating system change the effective root
82 directory of the process to the one specified here prior to
83 beginning execution. chroot(2) requires superuser access. A
84 warning will be generated if UserID is not also set.
85 EnableCoredumps (boolean)
88 On systems that have such support, make an explicit request to
89 the kernel to dump cores when the filter crashes for some rea‐
90 son. Some modern UNIX systems suppress core dumps during
91 crashes for security reasons if the user ID has changed during
92 the lifetime of the process. Currently only supported on Linux.
93 Include (string)
96 Names a file to be opened and read as an additional configura‐
97 tion file. Nesting is allowed to a maximum of five levels.
98 InternalHosts (dataset)
101 Identifies a set of hosts that identifies clients whose connec‐
102 tions should be treated as "internal" by this filter. Messages
103 received from such sources will not be verified and are instead
104 trusted as-is; in particular, their Authentication-Results
105 fields are trusted to be correct and authentic, meaning they
106 will be assumed to contain the correct chain status when gener‐
107 ating an outgoing seal. See the description of "PeerList" for a
108 description of the supported format. If no set is provided,
109 "127.0.0.1" is added to the list by default.
110 MilterDebug (integer)
113 Sets the debug level to be requested from the milter library.
114 The default is 0.
115 Mode (string)
118 Selects the operating mode(s) for this filter. If the string
119 contains the character "s", the filter will sign and seal mes‐
120 sages passing through the filter. If the string contains the
121 character "v", the filter will do signature and seal validation
122 of arriving messages. The two can be combined. If neither is
123 specified, the operating mode will be inferred on a per-connec‐
124 tion basis based on the entries in the InternalHosts list; con‐
125 nections from internal hosts will be assigned to signing mode,
126 and all others will be assigned to verify mode.
127 OversignHeaders (string)
130 Specifies a comma-separated list of header field names that
131 should be included in all signature header lists (the "h=" tag)
132 once more than the number of times they were actually present in
133 the signed message. The set is empty by default. The purpose
134 of this, and especially of listing an absent header field, is to
135 prevent the addition of important fields between the signer and
136 the verifier. Since the verifier would include that header
137 field when performing verification if it had been added by an
138 intermediary, the signed message and the verified message were
139 different and the verification would fail. Note that listing a
140 field name here and not listing it in the SignHeaders list is
141 likely to generate invalid signatures.
142 PeerList (dataset)
145 Identifies a set of "peers" that identifies clients whose con‐
146 nections should be accepted without processing by this filter.
147 The set should contain on each line a hostname, domain name
148 (e.g. ".example.com"), IP address, an IPv6 address (including an
149 IPv4 mapped address), or a CIDR-style IP specification (e.g.
150 "192.168.1.0/24"). An entry beginning with a bang ("!") charac‐
151 ter means "not", allowing exclusions of specific hosts that are
152 otherwise members of larger sets. Host and domain names are
153 matched first, then the IP or IPv6 address depending on the con‐
154 nection type. More precise entries are preferred over less pre‐
155 cise ones, i.e. "192.168.1.1" will match before
156 "!192.168.1.0/24". The text form of IPv6 addresses will be
157 forced to lowercase when queried (RFC5952), so the contents of
158 this data set should also use lowercase. The IP address portion
159 of an entry may optionally contain square brackets; both forms
160 (with and without) will be checked.
161 PidFile (string)
164 Specifies the path to a file that should be created at process
165 start containing the process ID.
166 SealHeaderChecks (string)
169 Identifies a file containing header checks that should be done
170 to determine whether to seal a message. Each entry in this file
171 must be of the form "name:regexp". When this feature is set,
172 messages will only be processed by the filter if any instance of
173 the named header field exists and has a value matching the pro‐
174 vided regular expression. If the value of an instance appears
175 to be a JSON list, then the regular expression is applied to all
176 strings in the list.
177 SignatureAlgorithm (string)
180 Selects the signing algorithm to use when generating signatures.
181 Use 'openarc -V' to see the list of supported algorithms. The
182 default is rsa-sha256.
183 SignHeaders (string)
186 Specifies the set of header fields that should be included when
187 generating signatures. This is expected to be a comma-separated
188 list of header field names, and matching is case-insensitive.
189 If the list omits any header field that is mandated by the ARC
190 specification, those fields are implicitly added. By default,
191 those fields listed in the DKIM specification as "SHOULD" be
192 signed (RFC6376, Section 5.4) will be signed by the filter.
193 Socket (string)
196 Specifies the socket that should be established by the filter to
197 receive connections from sendmail(8) in order to provide ser‐
198 vice. socketspec is in one of two forms: local:path, which cre‐
199 ates a UNIX domain socket at the specified path, or
200 inet:port[@host] or inet6:port[@host] which creates a TCP socket
201 on the specified port and in the specified protocol family. If
202 the host is not given as either a hostname or an IP address, the
203 socket will be listening on all interfaces. A literal IP
204 address must be enclosed in square brackets. This option is
205 mandatory either in the configuration file or on the command
206 line.
207 Syslog (Boolean)
210 Log via calls to syslog(3) any interesting activity.
211 SyslogFacility (string)
214 Log via calls to syslog(3) using the named facility. The facil‐
215 ity names are the same as the ones allowed in syslog.conf(5).
216 The default is "mail".
217 UserID (string)
220 Attempts to become the specified userid before starting opera‐
221 tions. The value is of the form userid[:group]. The process
222 will be assigned all of the groups and primary group ID of the
223 named userid unless an alternate group is specified.
224
227 Features that involve specification of IPv4 addresses or CIDR blocks
228 will use the inet_addr(3) function to parse that information. Users
229 should be familiar with the way that function handles the non-trivial
230 cases (for example, "192.0.2/24" and "192.0.2.0/24" are not the same
231 thing).
232
234 /etc/openarc.conf
235 Default location of this file.
236
238 This man page covers version 1.0.0 of openarc.
239
242 Copyright (c) 2007, 2008, Sendmail, Inc. and its suppliers. All rights
243 reserved.
244 Copyright (c) 2009-2017, The Trusted Domain Project. All rights
246 reserved.
247
249 openarc(8), sendmail(8)
250 RFC5451 - Message Header Field for Indicating Message Authentication
252 Status
253 RFC5617 - DKIM Author Domain Signing Practises
255 RFC5965 - An Extensible Format for Email Feedback Reports
257 RFC6008 - Authentication-Results Registration for Differentiating among
259 Cryptographic Results
260 RFC6376 - DomainKeys Identified Mail
262 RFC6651 - Extensions to DomainKeys Identified Mail (DKIM) for Failure
264 Reporting
265 The Trusted Domain Project openarc.conf(5)