opendmarc.conf - Configuration file for opendmarc
opendmarc(8) implements the proposed DMARC
specification for message authentication, policy enforcement, and reporting.
This file is its configuration file.
Blank lines are ignored. Lines containing a hash ("#")
character are truncated at the hash character to allow for comments in the
file.
Other content should be the name of a parameter, followed by white
space, followed by the value of that parameter, each on a separate line.
For parameters that are Boolean in nature, only the first byte of
the value is processed. For positive values, the following are accepted:
"T", "t", "Y", "y", "1".
For negative values, the following are accepted: "F",
"f", "N", "n", "0".
Some, but not all, of these parameters are also available as
command line options to opendmarc(8). However, new parameters are
generally not added as command line options so the complete set of options
is available here, and thus use of the configuration file is encouraged. In
some future release, the set of available command line options is likely to
get trimmed.
See the opendmarc(8) man page for details about how and
when the configuration file contents are reloaded.
Unless otherwise stated, Boolean values default to
"false", integer values default to 0, and string and dataset
values default to being undefined.
- AuthservID
(string)
- Sets the "authserv-id" to use when generating the
Authentication-Results: header field after verifying a message. The
default is to use the name of the MTA processing the message. If the
string "HOSTNAME" is provided, the name of the host running the
filter (as returned by the gethostname(3) function) will be used.
- AuthservIDWithJobID
(Boolean)
- If "true", requests that the authserv-id portion of the added
Authentication-Results: header fields contain the job ID of the message
being evaluated.
- AutoRestart
(Boolean)
- Automatically re-start on failures. Use with caution; if the filter fails
instantly after it starts, this can cause a tight fork(2) loop.
- AutoRestartCount
(integer)
- Sets the maximum automatic restart count. After this number of automatic
restarts, the filter will give up and terminate. A value of 0 implies no
limit; this is the default.
- AutoRestartRate
(string)
- Sets the maximum automatic restart rate. If the filter begins restarting
faster than the rate defined here, it will give up and terminate. This is
a string of the form n/t[u] where n is an integer limiting
the count of restarts in the given interval and t[u] defines the
time interval through which the rate is calculated; t is an integer
and u defines the units thus represented ("s" or
"S" for seconds, the default; "m" or "M" for
minutes; "h" or "H" for hours; "d" or
"D" for days). For example, a value of "10/1h" limits
the restarts to 10 in one hour. There is no default, meaning restart rate
is not limited.
- Background
(Boolean)
- Causes opendmarc to fork and exits immediately, leaving the service
running in the background. The default is "true".
- BaseDirectory
(string)
- If set, instructs the filter to change to the specified directory using
chdir(2) before doing anything else. This means any files
referenced elsewhere in the configuration file can be specified relative
to this directory. It's also useful for arranging that any crash dumps
will be saved to a specific location.
- ChangeRootDirectory
(string)
- Requests that the operating system change the effective root directory of
the process to the one specified here prior to beginning execution.
chroot (2) requires superuser access. A warning will be generated
if UserID is not also set.
- CopyFailuresTo
(string)
- Adds the specified recipient to the message's envelope if it fails the
DMARC evaluation.
- DomainWhitelist
(string)
- A brief list of whitelisted domains for which ARC signature headers are
trusted as determined by evaluating entries in the "arc.chain"
field found in a locally generated Authentication-Results header.
This list will be concatenated with DomainWhitelistFile (if
provided).
- DomainWhitelistFile
(string)
- A comprehensive list of whitelisted domains for which ARC signature
headers are trusted as determined by evaluating entries in the
"arc.chain" field found in a locally generated
Authentication-Results header.
This list will be concatenated with DomainWhitelist (if
provided).
- DomainWhitelistSize
(integer)
- Sets the capacity of the whitelisted domains data structure. The value
specifies the maximum number of entries including domains listed in the
DomainWhitelist configuration parameter and the domains listed in the
DomainWhiteListFile. The final size will be increased by approximately 20%
to increase the efficiency of the hashing algorithm.
- DNSTimeout
(integer)
- Sets the DNS timeout in seconds. A value of 0 causes an infinite wait. The
default is 5. Ignored if not using an asynchronous resolver package.
- EnableCoredumps
(Boolean)
- On systems that have such support, make an explicit request to the kernel
to dump cores when the filter crashes for some reason. Some modern UNIX
systems suppress core dumps during crashes for security reasons if the
user ID has changed during the lifetime of the process. Currently only
supported on Linux.
- FailureReports
(Boolean)
- Enables generation of failure reports when the DMARC test fails and the
purported sender of the message has requested such reports. Reports are
formatted per RFC6591.
- FailureReportsBcc
(string)
- When failure reports are enabled and one is to be generated, always send
one to the address(es) specified here. If a failure report is requested by
the domain owner, the address(es) are added in a Bcc: field. If no request
is made, they address(es) are used in a To: field. There is no default.
- FailureReportsOnNone
(Boolean)
- Supplementary to the previous setting, enables generation of failure
reports for sending domains that publish a "none" policy.
- FailureReportsSentBy
(string)
- Sets the value of the From: field to be used when sending failure reports
(see above). The default is to use the userid of the user executing the
filter and the local host name to construct an email address.
- HistoryFile
(string)
- If set, specifies the location of a text file to which records are written
that can be used to generate DMARC aggregate reports. Records are batches
of rows containing information about a single received message, and
include all relevant information needed to generate a DMARC aggregate
report. It is expected that this will not be used in its raw form, but
rather periodically imported into a relational database from which the
aggregate reports can be extracted using opendmarc-importstats(8).
- HoldQuarantinedMessages
(Boolean)
- If set, the milter will signal to the mta that messages with p=quarantine,
which fail dmarc authentication, should be held in the MTA's
"Hold" or "Quarantine" queue. The name varies by MTA.
If false, messages will be accepted and passed along with the regular mail
flow, and the quarantine will be left up to downstream MTA/MDA/MUA
filters, if any, to handle by re-evaluating the headers, including the
Authentication-Results header added by this filter. The default is
"false".
- IgnoreAuthenticatedClients
(Boolean)
- If set, causes mail from authenticated clients (i.e., those that used SMTP
AUTH) to be ignored by the filter. The default is "false".
- IgnoreHosts
(string)
- Specifies the path to a file that contains a list of hostnames, IP
addresses, and/or CIDR expressions identifying hosts whose SMTP
connections are to be ignored by the filter. If not specified, defaults to
"127.0.0.1" only.
- IgnoreMailFrom
(string)
- Gives a list of domain names whose mail (based on the From: domain) is to
be ignored by the filter. The list should be comma-separated. Matching
against this list is case-insensitive. The default is an empty list,
meaning no mail is ignored.
- IgnoreMailTo
(string)
- Gives a list of mail addresses which aren't entered into the history file.
This is useful to prevent exchanging mutual message reports. The list
should be comma-separated. Matching against this list is case-insensitive.
The default is an empty list, meaning no mail is ignored.
- MilterDebug
(integer)
- Sets the debug level to be requested from the milter library. The default
is 0.
- PidFile
(string)
- Specifies the path to a file that should be created at process start
containing the process ID.
- PublicSuffixList
(string)
- Specifies the path to a file that contains top-level domains (TLDs) that
will be used to compute the Organizational Domain for a given domain name,
as described in the DMARC specification. If not provided, the filter will
not be able to determine the Organizational Domain and only the presented
domain will be evaluated. This file should be periodically updated. One
location to retrieve the file from is https://publicsuffix.org/list/
- RecordAllMessages
(Boolean)
- If set and HistoryFile is in use, all received messages are
recorded to the history file. If not set (the default), only messages for
which the From: domain published a DMARC record will be recorded in the
history file.
- RejectFailures
(Boolean)
- If set, messages will be rejected if they fail the DMARC evaluation, or
temp-failed if evaluation could not be completed. By default, no message
will be rejected or temp-failed regardless of the outcome of the DMARC
evaluation of the message. Instead, an Authentication-Results header field
will be added. The default is "false".
- RejectMultiValueFrom
(Boolean)
- If set, messages with multiple addresses in the From: field of the message
will be rejected unless all domain names in that field are the same. They
will otherwise be ignored by the filter (the default).
- RejectString
(string)
- This string describes the reason of reject at SMTP level. The message MUST
contain the word "%s" once, which will be replaced by the
RFC5322.From domain. The default is "rejected by DMARC policy for
%s"
- ReportCommand
(string)
- Indicates the shell command to which failure reports should be passed for
delivery when FailureReports is enabled. Defaults to
/usr/sbin/sendmail.
- If set, the filter will ensure the header of the message conforms to the
basic header field count restrictions laid out in RFC5322, Section 3.6.
Messages failing this test are rejected without further processing. A
From: field from which no domain name could be extracted will also be
rejected.
- Socket
(string)
- Specifies the socket that should be established by the filter to receive
connections from sendmail(8) in order to provide service.
socketspec is in one of two forms: local:path, which creates
a UNIX domain socket at the specified path, or
inet:port[@host] or inet6:port[@host] which creates a TCP
socket on the specified port for the appropriate protocol family.
If the host is not given as either a hostname or an IP address, the
socket will be listening on all interfaces. This option is mandatory
either in the configuration file or on the command line. If an IP address
is used, it must be enclosed in square brackets.
- Causes opendmarc to add a "DMARC-Filter" header field
indicating the presence of this filter in the path of the message from
injection to delivery. The product's name, version, and the job ID are
included in the header field's contents.
- SPFIgnoreResults
(Boolean)
- Causes the filter to ignore any SPF results in the header of the message.
This is useful if you want the filter to perform SPF checks itself, or
because you don't trust the arriving header. The default is
"false".
- SPFSelfValidate
(Boolean)
- Causes the filter to perform a fallback SPF check itself when it can find
no SPF results in the message header. If SPFIgnoreResults is also set, it
never looks for SPF results in headers and always performs the SPF check
itself when this is set. The default is "false".
- Syslog
(Boolean)
- Log via calls to syslog(3) any interesting activity.
- SyslogFacility
(string)
- Log via calls to syslog(3) using the named facility. The facility
names are the same as the ones allowed in syslog.conf(5). The
default is "mail".
- TrustedAuthservIDs
(string)
- Provides a list of authserv-ids that are to be used to identify
Authentication-Results header fields whose contents are to be assumed as
valid input for the DMARC assessment. To provide a list, separate values
by commas. If the string "HOSTNAME" is provided, the name of the
host running the filter (as returned by the gethostname(3)
function) will be used. Matching against this list is case-insensitive.
The default is to use the value of AuthservID.
- UMask
(integer)
- Requests a specific permissions mask to be used for file creation. This
only really applies to creation of the socket when Socket specifies
a UNIX domain socket, and to the PidFile (if any); temporary files
are created by the mkstemp(3) function that enforces a specific
file mode on creation regardless of the process umask. See umask(2)
for more information.
- UserID
(string)
- Attempts to become the specified userid before starting operations. The
value is of the form userid[:group]. The process will be assigned
all of the groups and primary group ID of the named userid unless
an alternate group is specified.
- /etc/opendmarc.conf
- Default location of this file.
This man page covers version 1.4.2 of opendmarc.
Copyright (c) 2012-2015, 2018, 2021, The Trusted Domain Project.
All rights reserved.
opendmarc(8), opendmarc-importstats(8), sendmail(8)
RFC4408 - Sender Policy Framework
RFC5451 - Message Header Field for Indicating Message
Authentication Status
RFC5965 - An Extensible Format for Email Feedback Reports
RFC6376 - DomainKeys Identified Mail
RFC6591 - Authentication Failure Reporting Using the Abuse
Reporting Format