##
## dkim-filter.conf -- configuration file for DKIM filter
##
## $Id: dkim-filter.conf.sample,v 1.13 2007/12/14 07:22:19 msk Exp $
##

## AlwaysSignHeaders header-list
##      default (none)
##
## Specifies a list of headers whose names should appear in signatures
## whether or not they were signed, preventing their later addition.

# AlwaysSignHeaders header1:header2:...

## AutoRestart { yes | no }
##      default "no"
##
## Indicate whether or not the filter should arrange to restart automatically
## if it crashes.

AutoRestart Yes

## BodyLengths { yes | no }
##      default "no"
##
## Indicate whether or not signatures with body length tags should be
## generated.

# BodyLengths No

## Canonicalization hdrcanon[/bodycanon]
##      default "simple/simple"
##
## Select canonicalizations to use when signing. If the "bodycanon" is
## omitted, "simple" is used. Valid values for each are "simple" and
## "relaxed".

# Canonicalization simple/simple

## ClockDrift n
##      default 300
##
## Specify the tolerance range for expired signatures or signatures
## which appear to have timestamps in the future, allowing for clock
## drift.

# ClockDrift 300

## Diagnostics { yes | no }
##      default "no"
##
## Specifies whether or not signatures with header diagnostic tags should
## be generated.

# Diagnostics No

## DNSTimeout n
##      default 10
##
## Specify the time in seconds to wait for replies from the nameserver when
## requesting keys or signing policies.

# DNSTimeout 10

## Domain name[,...]
##
## Specify for which domain(s) signing should be done. No default; must
## be specified for signing.

Domain integralblue.com

## ExternalIgnoreList filename
##
## Names a file from which a list of externally-trusted hosts is read.
## These are hosts which are allowed to send mail through you for signing.
## Automatically contains 127.0.0.1. See man page for file format.

# ExternalIgnoreList filename

## KeyFile filename
##
## Specifies the path to the private key to use when signing. Ignored if
## KeyList is set. No default; must be specified for signing.

KeyFile /etc/mail/dkim-filter/irrational.private

## KeyList filename
##
## Specifies the path to the list of keys and signing domains to be applied
## by the signing filter. The entries in this file should be of the form:
##
##      pattern:domain:keypath
##
## ...where "pattern" is a pattern of user@host to match, with "*" being
## allowed as a wildcard; "domain" is the signing domain; and "keypath"
## is the path to the private key to use to generate signatures for such
## users. The selector used will be the filename portion of "keypath".
## Blank lines are ignored, and the hash ("#") character is interpreted
## as the beginning of a comment. See dkim-filter.conf(5) for more
## information.

# KeyList /etc/mail/dkim-filter/keylist

## InternalHosts filename
##
## Names a file from which a list of internal hosts is read. These are
## hosts from which mail should be signed rather than verified.
## Automatically contains 127.0.0.1. See man page for file format.

# InternalHosts /etc/mail/dkim-filter/internalhosts

## MacroList macro[=value][,...]
##
## Gives a set of MTA-provided macros which should be checked to see
## if the sender has been determined to be a local user and therefore
## whether or not signing should be done. See dkim-filter.conf(5) for
## more information.

# Macrolist foo=bar,baz=blivit

## MaximumHeaders n
##
## Disallow messages whose header blocks are bigger than "n" bytes.
## Intended to detect and block a denial-of-service attack. The default
## is 65536. A value of 0 disables this test.

# MaximumHeaders n

## MaximumSignedBytes n
##
## Don't sign more than "n" bytes of the message. The default is to
## sign the entire message. Setting this implies "BodyLengths".

# MaximumSignedBytes n

## Minimum n[% | +]
##      default 0
##
## Sets a minimum signing volume; one of the following formats:
##      n       at least n bytes (or the whole message, whichever is less)
##              must be signed
##      n%      at least n% of the message must be signed
##      n+      if a length limit was presented in the signature, no more than
##              n bytes may have been added

# Minimum n

## Mode [sv]
##      default sv
##
## Indicates which mode(s) of operation should be provided. "s" means
## "sign", "v" means "verify".

# Mode sv

## MTA mtaname[,...]
##
## Specifies a list of MTAs whose mail should always be signed rather than
## verified. The "mtaname" is extracted from the DaemonPortOptions line
## in effect.

# MTA name

## OmitHeaders
##      default (none)
##
## Specifies a list of headers that should always be omitted when signing.
## Header names should be separated by commas.

# OmitHeaders header1,header2,...

## On-...
##
## Specifies what to do when certain error conditions are encountered.
##
## See dkim-filter.conf(5) for more information.

# On-Default
# On-BadSignature
# On-DNSError
# On-InternalError
# On-NoSignature
# On-Security
# On-SignatureMissing

## PeerList filename
##
## Contains a list of IP addresses, CIDR blocks, hostnames or domain names
## whose mail should be neither signed nor verified by this filter. See man
## page for file format.

# PeerList filename

## Quarantine { yes | no }
##      default "no"
##
## Indicates whether or not the filter should arrange to quarantine mail
## which fails verification. Intended for diagnostic use only.

# Quarantine No

## RemoveARAll { yes | no }
##      default "no"
##
## Remove all Authentication-Results: headers on all arriving mail.

# RemoveARAll No

## RemoveARFrom list
##      default (none)
##
## Remove all Authentication-Results: headers on all arriving mail that
## claim to have been added by hosts listed in this parameter. The list
## should be comma-separated. Entire domains may be specified by preceding
## the domain name by a single dot (".") character.

# RemoveARFrom host1,host2,.domain1,.domain2,...

## RemoveOldSignatures { yes | no }
##      default "no"
##
## Remove old signatures on messages, if any, when generating a signature.

# RemoveOldSignatures No

## Selector name
##
## The name of the selector to use when signing. No default; must be
## specified for signing.

Selector irrational

## SendReports { yes | no }
##      default "no"
##
## Specifies whether or not the filter should generate report mail back
## to senders when verification fails and an address for such a purpose
## is provided. See dkim-filter.conf(5) for details.

# SendReports No

## SignatureAlgorithm signalg
##      default "rsa-sha256"
##
## Signature algorithm to use when generating signatures. Must be either
## "rsa-sha1" or "rsa-sha256".

# SignatureAlgorithm rsa-sha256

## SignatureTTL seconds
##      default "0"
##
## Specifies the lifetime in seconds of signatures generated by the
## filter. A value of 0 means no expiration time is included in the
## signature.

# SignatureTTL 0

## Socket socketspec
##
## Names the socket where this filter should listen for milter connections
## from the MTA. Required. Should be in one of these forms:
##
##      inet:port@address       to listen on a specific interface
##      inet:port               to listen on all interfaces
##      local:/path/to/socket   to listen on a UNIX domain socket

Socket local:/var/run/dkim-filter/dkim-filter.sock

## SubDomains { yes | no }
##      default "no"
##
## Sign for subdomains as well?

# SubDomains No

## Syslog { yes | no }
##      default "no"
##
## Log informational and error activity to syslog?

# Syslog No

## SyslogSuccess { yes | no }
##      default "no"
##
## Log success activity to syslog?

# SyslogSuccess No

## UMask mask
##      default (none)
##
## Change the process umask for file creation to the specified value.
## The system has its own default which will be used (usually 022).
## See the umask(2) man page for more information.

UMask 002

## Userid userid
##      default (none)
##
## Change to user "userid" before starting normal operation? May include
## a group ID as well, separated from the userid by a colon.

UserID milter

## UseSSPDeny { yes | no }
##      default "no"
##
## Reject messages which are determined to be "suspicious" according to the
## sending domain's published signing procedure (SSP) record if that record
## also recommends rejection of such messages.

# UseSSPDeny No

## X-Header { yes | no }
##      default "no"
##
## Add an X- header to messages passing through this filter to identify
## messages it has processed.

X-Header Yes

## Statistics filename
##
## Names a file to which useful statistics will be saved.
## See the dkim-stats(8) man page.

Statistics /var/run/dkim-filter/dkim-filter.stats
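The KeyList section above describes a pattern:domain:keypath file format (blank lines ignored, "#" starts a comment, "*" a wildcard in the user@host pattern, selector taken from the filename portion of keypath) but gives no example of it in use. The following is an added example, not code from dkim-filter or from this configuration: a loader for that format plus a lookup that reports which domain, selector and key a given sender would be signed with. The key list contents, domains and key paths are constructed for the example; first-match-wins and case-insensitive address matching are assumptions, not something the page states.

```python
import os
import re
from typing import List, NamedTuple, Optional


class KeyListEntry(NamedTuple):
    pattern: str   # user@host pattern; "*" is the only wildcard
    domain: str    # signing domain placed in the signature's d= tag
    keypath: str   # private key path; its filename portion is the selector


def parse_keylist(text: str) -> List[KeyListEntry]:
    """Parse KeyList file contents (one pattern:domain:keypath per line).

    Blank lines are skipped and "#" starts a comment, as the sample config
    describes. A malformed line raises ValueError so a broken key list is
    caught at load time instead of silently leaving mail unsigned.
    """
    entries: List[KeyListEntry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) != 3 or not all(fields):
            raise ValueError(
                f"keylist line {lineno}: expected pattern:domain:keypath, got {raw!r}"
            )
        entries.append(KeyListEntry(*fields))
    return entries


def keylist_errors(text: str) -> Optional[str]:
    """Return the load error for a malformed key list, or None if it loads."""
    try:
        parse_keylist(text)
    except ValueError as exc:
        return str(exc)
    return None


def selector_for(entry: KeyListEntry) -> str:
    """Selector = filename portion of keypath, per the KeyList description."""
    return os.path.basename(entry.keypath)


def _pattern_regex(pattern: str) -> "re.Pattern[str]":
    # Only "*" is a wildcard; every other character matches literally.
    # Case-insensitive comparison is an assumption of this example.
    pieces = (re.escape(p) for p in pattern.split("*"))
    return re.compile("^" + ".*".join(pieces) + "$", re.IGNORECASE)


def lookup(entries: List[KeyListEntry], sender: str) -> Optional[KeyListEntry]:
    """Return the first entry whose pattern matches sender (user@host), or None.

    First match wins (assumption), so list specific patterns such as
    bounces@*.example.com before broad ones such as *@example.com.
    """
    for entry in entries:
        if _pattern_regex(entry.pattern).match(sender):
            return entry
    return None


# Constructed sample key list; domains and key paths are illustrative only.
SAMPLE_KEYLIST = """\
# constructed example keylist
bounces@*.example.com:example.com:/etc/mail/dkim-filter/keys/bounce2024
*@example.com:example.com:/etc/mail/dkim-filter/keys/mail2024   # everyone else

*@partner.example:partner.example:/etc/mail/dkim-filter/keys/partner
"""

if __name__ == "__main__":
    entries = parse_keylist(SAMPLE_KEYLIST)
    for sender in ("alice@example.com", "bounces@lists.example.com", "bob@other.org"):
        hit = lookup(entries, sender)
        if hit is None:
            print(f"{sender}: no key list entry, would not be signed by this list")
        else:
            print(f"{sender}: d={hit.domain} s={selector_for(hit)} key={hit.keypath}")
```

One caveat that follows from the page's own selector rule: because the selector is the filename portion of keypath, a key file used through KeyList must be named exactly as the selector published in DNS. The KeyFile/Selector pair above (irrational.private with selector irrational) would not carry over unchanged into a KeyList entry.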
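The Minimum setting above has three spellings (n, n% and n+) whose semantics interact with body length tags (BodyLengths / MaximumSignedBytes): a signature that covers only part of the body leaves the remainder unsigned, and Minimum is what bounds how much unsigned body a verifier tolerates. The following is an added example, not code from dkim-filter, that evaluates a Minimum value against a message given its body size and the signature's body length limit. The function and parameter names are this example's own; the length limit is modelled as an optional integer, None meaning the whole body was signed.

```python
import re
from typing import Optional

# n, n% or n+ as described for the Minimum setting
_MINIMUM_RE = re.compile(r"^(\d+)([%+]?)$")


def minimum_spec_is_valid(spec: str) -> bool:
    """True if spec is one of the documented forms n, n% or n+."""
    return _MINIMUM_RE.match(spec.strip()) is not None


def signed_body_bytes(body_len: int, length_tag: Optional[int]) -> int:
    """Bytes of the body actually covered by the signature.

    length_tag is the body length limit carried in the signature (emitted
    when BodyLengths is on); None means the whole body is signed.
    """
    if length_tag is None:
        return body_len
    return min(length_tag, body_len)


def minimum_satisfied(spec: str, body_len: int, length_tag: Optional[int]) -> bool:
    """Apply a Minimum n[%|+] setting to a message body of body_len bytes.

    n   -> at least n bytes (or the whole body, whichever is less) signed
    n%  -> at least n percent of the body signed
    n+  -> if a length limit was present, at most n bytes were appended
    """
    m = _MINIMUM_RE.match(spec.strip())
    if not m:
        raise ValueError(f"bad Minimum value {spec!r}; expected n, n% or n+")
    n, suffix = int(m.group(1)), m.group(2)
    signed = signed_body_bytes(body_len, length_tag)
    if suffix == "%":
        # integer arithmetic keeps the boundary case exact
        return signed * 100 >= n * body_len
    if suffix == "+":
        # with no length limit nothing can have been appended unsigned
        return length_tag is None or body_len - signed <= n
    return signed >= min(n, body_len)


if __name__ == "__main__":
    # Constructed messages: (description, body bytes, length tag or None)
    samples = [
        ("fully signed short note", 500, None),
        ("4800 of 5000 bytes signed", 5000, 4800),
        ("only 800 of 5000 bytes signed", 5000, 800),
    ]
    for spec in ("0", "1000", "50%", "100+"):
        for label, body_len, tag in samples:
            verdict = "ok" if minimum_satisfied(spec, body_len, tag) else "REJECT"
            print(f"Minimum {spec:<5} {label:<32} {verdict}")
```

The default of 0 never rejects anything, which is why a site that emits body length tags for its own mail should pick a deliberate Minimum for the mail it verifies; the "n+" form is the one that directly limits how much unsigned trailing content a message may carry past the signed length.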