opendmarc.conf(5)opendmarc.conf(5)NAMEopendmarc.conf - Configuration file for opendmarc
LOCATION
/usr/local/etc/opendmarc.conf
DESCRIPTIONopendmarc(8) implements the proposed DMARC specification for message
authentication, policy enforcement, and reporting. This file is its
configuration file.
Blank lines are ignored. Lines containing a hash ("#") character are
truncated at the hash character to allow for comments in the file.
Other content should be the name of a parameter, followed by white
space, followed by the value of that parameter, each on a separate
line.
For parameters that are Boolean in nature, only the first byte of the
value is processed. For positive values, the following are accepted:
"T", "t", "Y", "y", "1". For negative values, the following are
accepted: "F", "f", "N", "n", "0".
Some, but not all, of these parameters are also available as command
line options to opendmarc(8). However, new parameters are generally
not added as command line options so the complete set of options is
available here, and thus use of the configuration file is encouraged.
In some future release, the set of available command line options is
likely to get trimmed.
See the opendmarc(8) man page for details about how and when the con‐
figuration file contents are reloaded.
Unless otherwise stated, Boolean values default to "false", integer
values default to 0, and string and dataset values default to being
undefined.
PARAMETERS
AuthservID (string)
Sets the "authserv-id" to use when generating the Authentica‐
tion-Results: header field after verifying a message. The
default is to use the name of the MTA processing the message.
If the string "HOSTNAME" is provided, the name of the host run‐
ning the filter (as returned by the gethostname(3) function)
will be used.
AuthservIDWithJobID (Boolean)
If "true", requests that the authserv-id portion of the added
Authentication-Results: header fields contain the job ID of the
message being evaluated.
AutoRestart (Boolean)
Automatically re-start on failures. Use with caution; if the
filter fails instantly after it starts, this can cause a tight
fork(2) loop.
AutoRestartCount (integer)
Sets the maximum automatic restart count. After this number of
automatic restarts, the filter will give up and terminate. A
value of 0 implies no limit; this is the default.
AutoRestartRate (string)
Sets the maximum automatic restart rate. If the filter begins
restarting faster than the rate defined here, it will give up
and terminate. This is a string of the form n/t[u] where n is
an integer limiting the count of restarts in the given interval
and t[u] defines the time interval through which the rate is
calculated; t is an integer and u defines the units thus repre‐
sented ("s" or "S" for seconds, the default; "m" or "M" for min‐
utes; "h" or "H" for hours; "d" or "D" for days). For example,
a value of "10/1h" limits the restarts to 10 in one hour. There
is no default, meaning restart rate is not limited.
Background (Boolean)
Causes opendmarc to fork and exits immediately, leaving the ser‐
vice running in the background. The default is "true".
BaseDirectory (string)
If set, instructs the filter to change to the specified direc‐
tory using chdir(2) before doing anything else. This means any
files referenced elsewhere in the configuration file can be
specified relative to this directory. It's also useful for
arranging that any crash dumps will be saved to a specific loca‐
tion.
ChangeRootDirectory (string)
Requests that the operating system change the effective root
directory of the process to the one specified here prior to
beginning execution. chroot (2) requires superuser access. A
warning will be generated if UserID is not also set.
CopyFailuresTo (string)
Adds the specified recipient to the message's envelope if it
fails the DMARC evaluation.
DNSTimeout (integer)
Sets the DNS timeout in seconds. A value of 0 causes an infi‐
nite wait. The default is 5. Ignored if not using an asynchro‐
nous resolver package.
EnableCoredumps (Boolean)
On systems that have such support, make an explicit request to
the kernel to dump cores when the filter crashes for some rea‐
son. Some modern UNIX systems suppress core dumps during
crashes for security reasons if the user ID has changed during
the lifetime of the process. Currently only supported on Linux.
FailureReports (Boolean)
Enables generation of failure reports when the DMARC test fails
and the purported sender of the message has requested such
reports. Reports are formatted per RFC6591.
FailureReportsBcc (string)
When failure reports are enabled and one is to be generated,
always send one to the address(es) specified here. If a failure
report is requested by the domain owner, the address(es) are
added in a Bcc: field. If no request is made, they address(es)
are used in a To: field. There is no default.
FailureReportsOnNone (Boolean)
Supplementary to the previous setting, enables generation of
failure reports for sending domains that publish a "none" pol‐
icy.
FailureReportsSentBy (string)
Sets the value of the From: field to be used when sending fail‐
ure reports (see above). The default is to use the userid of
the user executing the filter and the local host name to con‐
struct an email address.
HistoryFile (string)
If set, specifies the location of a text file to which records
are written that can be used to generate DMARC aggregate
reports. Records are batches of rows containing information
about a single received message, and include all relevant infor‐
mation needed to generate a DMARC aggregate report. It is
expected that this will not be used in its raw form, but rather
periodically imported into a relational database from which the
aggregate reports can be extracted.
IgnoreAuthenticatedClients (Boolean)
If set, causes mail from authenticated clients (i.e., those that
used SMTP AUTH) to be ignored by the filter. The default is
"false".
IgnoreHosts (string)
Specifies the path to a file that contains a list of hostnames,
IP addresses, and/or CIDR expressions identifying hosts whose
SMTP connections are to be ignored by the filter. If not speci‐
fied, defaults to "127.0.0.1" only.
IgnoreMailFrom (string)
Gives a list of domain names whose mail (based on the From:
domain) is to be ignored by the filter. The list should be
comma-separated. Matching against this list is case-insensi‐
tive. The default is an empty list, meaning no mail is ignored.
MilterDebug (integer)
Sets the debug level to be requested from the milter library.
The default is 0.
PidFile (string)
Specifies the path to a file that should be created at process
start containing the process ID.
PublicSuffixList (string)
Specifies the path to a file that contains top-level domains
(TLDs) that will be used to compute the Organizational Domain
for a given domain name, as described in the DMARC specifica‐
tion. If not provided, the filter will not be able to determine
the Organizational Domain and only the presented domain will be
evaluated.
RecordAllMessages (Boolean)
If set and HistoryFile is in use, all received messages are
recorded to the history file. If not set (the default), only
messages for which the From: domain published a DMARC record
will be recorded in the history file.
RejectFailures (Boolean)
If set, messages will be rejected if they fail the DMARC evalua‐
tion, or temp-failed if evaluation could not be completed. By
default, no message will be rejected or temp-failed regardless
of the outcome of the DMARC evaluation of the message. Instead,
an Authentication-Results header field will be added. The
default is "false".
ReportCommand (string)
Indicates the shell command to which failure reports should be
passed for delivery when FailureReports is enabled. Defaults to
/usr/sbin/sendmail.
RequiredHeaders (Boolean)
If set, the filter will ensure the header of the message con‐
forms to the basic header field count restrictions laid out in
RFC5322, Section 3.6. Messages failing this test are rejected
without further processing. A From: field from which no domain
name could be extracted will also be rejected.
Socket (string)
Specifies the socket that should be established by the filter to
receive connections from sendmail(8) in order to provide ser‐
vice. socketspec is in one of two forms: local:path, which cre‐
ates a UNIX domain socket at the specified path, or
inet:port[@host] or inet6:port[@host] which creates a TCP socket
on the specified port for the appropriate protocol family. If
the host is not given as either a hostname or an IP address, the
socket will be listening on all interfaces. This option is
mandatory either in the configuration file or on the command
line. If an IP address is used, it must be enclosed in square
brackets.
SoftwareHeader (Boolean)
Causes opendmarc to add a "DMARC-Filter" header field indicating
the presence of this filter in the path of the message from
injection to delivery. The product's name, version, and the job
ID are included in the header field's contents.
SPFIgnoreResults (Boolean)
Causes the filter to ignore any SPF results in the header of the
message. This is useful if you want the filter to perfrom SPF
checks itself, or because you don't trust the arriving header.
The default is "false".
SPFSelfValidate (Boolean)
Causes the filter to perform a fallback SPF check itself when it
can find no SPF results in the message header. If SPFIgnoreRe‐
sults is also set, it never looks for SPF results in headers and
always performs the SPF check itself when this is set. The
default is "false".
Syslog (Boolean)
Log via calls to syslog(3) any interesting activity.
SyslogFacility (string)
Log via calls to syslog(3) using the named facility. The facil‐
ity names are the same as the ones allowed in syslog.conf(5).
The default is "mail".
TrustedAuthservIDs (string)
Provides a list of authserv-ids that are to be used to identify
Authentication-Results header fields whose contents are to be
assumed as valid input for the DMARC assessment. To provide a
list, separate values by commas. If the string "HOSTNAME" is
provided, the name of the host running the filter (as returned
by the gethostname(3) function) will be used. Matching against
this list is case-insensitive. The default is to use the value
of AuthservID.
UMask (integer)
Requests a specific permissions mask to be used for file cre‐
ation. This only really applies to creation of the socket when
Socket specifies a UNIX domain socket, and to the PidFile (if
any); temporary files are created by the mkstemp(3) function
that enforces a specific file mode on creation regardless of the
process umask. See umask(2) for more information.
UserID (string)
Attempts to become the specified userid before starting opera‐
tions. The value is of the form userid[:group]. The process
will be assigned all of the groups and primary group ID of the
named userid unless an alternate group is specified.
FILES
/usr/local/etc/opendmarc.conf
Default location of this file.
VERSION
This man page covers version 1.3.1 of opendmarc.
COPYRIGHT
Copyright (c) 2012-2015, The Trusted Domain Project. All rights
reserved.
SEE ALSOopendmarc(8), sendmail(8)
RFC4408 - Sender Policy Framework
RFC5451 - Message Header Field for Indicating Message Authentication
Status
RFC5965 - An Extensible Format for Email Feedback Reports
RFC6376 - DomainKeys Identified Mail
RFC6591 - Authentication Failure Reporting Using the Abuse Reporting
Format
The Trusted Domain Project opendmarc.conf(5)
