FreeBSD Manual Pages
openarc.conf(5) File Formats Manual openarc.conf(5) NAME openarc.conf - Configuration file for openarc LOCATION /usr/local/etc/openarc.conf DESCRIPTION openarc(8) implements the ARC (Authenticated Received Chain) specifica- tion for verifying authentication and handling of messages as they are routed to their destinations. This file is its configuration file. Blank lines are ignored. Lines containing a hash ("#") character are truncated at the hash character to allow for comments in the file. Other content should be the name of a parameter, followed by white space, followed by the value of that parameter, each on a separate line. For parameters that are Boolean in nature, only the first byte of the value is processed. For positive values, the following are accepted: "T", "t", "Y", "y", "1". For negative values, the following are ac- cepted: "F", "f", "N", "n", "0". See the openarc(8) man page for details about how and when the configu- ration file contents are reloaded. Unless otherwise stated, Boolean values default to "false", integer values default to 0, and string and dataset values default to being un- defined. PARAMETERS AutoRestart (Boolean) Automatically re-start on failures. Use with caution; if the filter fails instantly after it starts, this can cause a tight fork(2) loop. AutoRestartCount (integer) Sets the maximum automatic restart count. After this number of automatic restarts, the filter will give up and terminate. A value of 0 implies no limit; this is the default. AutoRestartRate (string) Sets the maximum automatic restart rate. If the filter begins restarting faster than the rate defined here, it will give up and terminate. This is a string of the form n/t[u] where n is an integer limiting the count of restarts in the given interval and t[u] defines the time interval through which the rate is calculated; t is an integer and u defines the units thus repre- sented ("s" or "S" for seconds, the default; "m" or "M" for min- utes; "h" or "H" for hours; "d" or "D" for days). For example, a value of "10/1h" limits the restarts to 10 in one hour. There is no default, meaning restart rate is not limited. Background (Boolean) Causes openarc to fork and exits immediately, leaving the ser- vice running in the background. The default is "true". Canonicalization (string) Selects the canonicalization method(s) to be used when signing messages. When verifying, the message's ARC-Message-Signature: header field specifies the canonicalization method. The recog- nized values are relaxed and simple as defined by the DKIM spec- ification. The default is relaxed/simple. The value may in- clude two different canonicalizations separated by a slash ("/") character, in which case the first will be applied to the header and the second to the body. ChangeRootDirectory (string) Requests that the operating system change the effective root di- rectory of the process to the one specified here prior to begin- ning execution. chroot(2) requires superuser access. A warning will be generated if UserID is not also set. EnableCoredumps (boolean) On systems that have such support, make an explicit request to the kernel to dump cores when the filter crashes for some rea- son. Some modern UNIX systems suppress core dumps during crashes for security reasons if the user ID has changed during the lifetime of the process. Currently only supported on Linux. Include (string) Names a file to be opened and read as an additional configura- tion file. Nesting is allowed to a maximum of five levels. InternalHosts (dataset) Identifies a set of hosts that identifies clients whose connec- tions should be treated as "internal" by this filter. Messages received from such sources will not be verified and are instead trusted as-is; in particular, their Authentication-Results fields are trusted to be correct and authentic, meaning they will be assumed to contain the correct chain status when gener- ating an outgoing seal. See the description of "PeerList" for a description of the supported format. If no set is provided, "127.0.0.1" is added to the list by default. MilterDebug (integer) Sets the debug level to be requested from the milter library. The default is 0. Mode (string) Selects the operating mode(s) for this filter. If the string contains the character "s", the filter will sign and seal mes- sages passing through the filter. If the string contains the character "v", the filter will do signature and seal validation of arriving messages. The two can be combined. If neither is specified, the operating mode will be inferred on a per-connec- tion basis based on the entries in the InternalHosts list; con- nections from internal hosts will be assigned to signing mode, and all others will be assigned to verify mode. OversignHeaders (string) Specifies a comma-separated list of header field names that should be included in all signature header lists (the "h=" tag) once more than the number of times they were actually present in the signed message. The set is empty by default. The purpose of this, and especially of listing an absent header field, is to prevent the addition of important fields between the signer and the verifier. Since the verifier would include that header field when performing verification if it had been added by an intermediary, the signed message and the verified message were different and the verification would fail. Note that listing a field name here and not listing it in the SignHeaders list is likely to generate invalid signatures. PeerList (dataset) Identifies a set of "peers" that identifies clients whose con- nections should be accepted without processing by this filter. The set should contain on each line a hostname, domain name (e.g. ".example.com"), IP address, an IPv6 address (including an IPv4 mapped address), or a CIDR-style IP specification (e.g. "192.168.1.0/24"). An entry beginning with a bang ("!") charac- ter means "not", allowing exclusions of specific hosts that are otherwise members of larger sets. Host and domain names are matched first, then the IP or IPv6 address depending on the con- nection type. More precise entries are preferred over less pre- cise ones, i.e. "192.168.1.1" will match before "!192.168.1.0/24". The text form of IPv6 addresses will be forced to lowercase when queried (RFC5952), so the contents of this data set should also use lowercase. The IP address portion of an entry may optionally contain square brackets; both forms (with and without) will be checked. PidFile (string) Specifies the path to a file that should be created at process start containing the process ID. SealHeaderChecks (string) Identifies a file containing header checks that should be done to determine whether to seal a message. Each entry in this file must be of the form "name:regexp". When this feature is set, messages will only be processed by the filter if any instance of the named header field exists and has a value matching the pro- vided regular expression. If the value of an instance appears to be a JSON list, then the regular expression is applied to all strings in the list. SignatureAlgorithm (string) Selects the signing algorithm to use when generating signatures. Use 'openarc -V' to see the list of supported algorithms. The default is rsa-sha256. SignHeaders (string) Specifies the set of header fields that should be included when generating signatures. This is expected to be a comma-separated list of header field names, and matching is case-insensitive. If the list omits any header field that is mandated by the ARC specification, those fields are implicitly added. By default, those fields listed in the DKIM specification as "SHOULD" be signed (RFC6376, Section 5.4) will be signed by the filter. Socket (string) Specifies the socket that should be established by the filter to receive connections from sendmail(8) in order to provide ser- vice. socketspec is in one of two forms: local:path, which cre- ates a UNIX domain socket at the specified path, or inet:port[@host] or inet6:port[@host] which creates a TCP socket on the specified port and in the specified protocol family. If the host is not given as either a hostname or an IP address, the socket will be listening on all interfaces. A literal IP ad- dress must be enclosed in square brackets. This option is mandatory either in the configuration file or on the command line. Syslog (Boolean) Log via calls to syslog(3) any interesting activity. SyslogFacility (string) Log via calls to syslog(3) using the named facility. The facil- ity names are the same as the ones allowed in syslog.conf(5). The default is "mail". UserID (string) Attempts to become the specified userid before starting opera- tions. The value is of the form userid[:group]. The process will be assigned all of the groups and primary group ID of the named userid unless an alternate group is specified. NOTES Features that involve specification of IPv4 addresses or CIDR blocks will use the inet_addr(3) function to parse that information. Users should be familiar with the way that function handles the non-trivial cases (for example, "192.0.2/24" and "192.0.2.0/24" are not the same thing). FILES /usr/local/etc/openarc.conf Default location of this file. VERSION This man page covers version 1.0.0 of openarc. COPYRIGHT Copyright (c) 2007, 2008, Sendmail, Inc. and its suppliers. All rights reserved. Copyright (c) 2009-2017, The Trusted Domain Project. All rights re- served. SEE ALSO openarc(8), sendmail(8) RFC5451 - Message Header Field for Indicating Message Authentication Status RFC5617 - DKIM Author Domain Signing Practises RFC5965 - An Extensible Format for Email Feedback Reports RFC6008 - Authentication-Results Registration for Differentiating among Cryptographic Results RFC6376 - DomainKeys Identified Mail RFC6651 - Extensions to DomainKeys Identified Mail (DKIM) for Failure Reporting The Trusted Domain Project openarc.conf(5)
NAME | LOCATION | DESCRIPTION | PARAMETERS | NOTES | FILES | VERSION | COPYRIGHT | SEE ALSO
Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=openarc.conf&sektion=5&manpath=FreeBSD+Ports+14.3.quarterly>