opendmarc.conf(5)	      File Formats Manual	     opendmarc.conf(5)

NAME
       opendmarc.conf -	Configuration file for opendmarc

LOCATION
       /usr/local/etc/opendmarc.conf

DESCRIPTION
       opendmarc(8)  implements	 the  proposed DMARC specification for message
       authentication, policy enforcement, and reporting.  This	 file  is  its
       configuration file.

       Blank  lines  are ignored.  Lines containing a hash ("#") character are
       truncated at the	hash character to allow	for comments in	the file.

       Other content should be the name	of  a  parameter,  followed  by	 white
       space,  followed	 by  the  value	 of that parameter, each on a separate
       line.

       For parameters that are Boolean in nature, only the first byte  of  the
       value  is  processed.  For positive values, the following are accepted:
       "T", "t", "Y", "y", "1".	 For negative values, the  following  are  ac-
       cepted: "F", "f", "N", "n", "0".

       Some,  but  not	all, of	these parameters are also available as command
       line options to opendmarc(8).  However, new  parameters	are  generally
       not  added  as  command	line options so	the complete set of options is
       available here, and thus	use of the configuration file  is  encouraged.
       In  some	 future	 release, the set of available command line options is
       likely to get trimmed.

       See the opendmarc(8) man	page for details about how and when  the  con-
       figuration file contents	are reloaded.

       Unless  otherwise  stated,  Boolean  values default to "false", integer
       values default to 0, and	string and dataset values default to being un-
       defined.

PARAMETERS
       AuthservID (string)
	      Sets the "authserv-id" to	use when  generating  the  Authentica-
	      tion-Results:  header  field after verifying a message.  The de-
	      fault is to use the name of the MTA processing the message.   If
	      the  string "HOSTNAME" is	provided, the name of the host running
	      the filter (as returned by the gethostname(3) function) will  be
	      used.

       AuthservIDWithJobID (Boolean)
	      If  "true",  requests  that the authserv-id portion of the added
	      Authentication-Results: header fields contain the	job ID of  the
	      message being evaluated.

       AutoRestart (Boolean)
	      Automatically  re-start  on  failures.  Use with caution;	if the
	      filter fails instantly after it starts, this can cause  a	 tight
	      fork(2) loop.

       AutoRestartCount	(integer)
	      Sets  the	maximum	automatic restart count.  After	this number of
	      automatic	restarts, the filter will give up  and	terminate.   A
	      value of 0 implies no limit; this	is the default.

       AutoRestartRate (string)
	      Sets  the	 maximum automatic restart rate.  If the filter	begins
	      restarting faster	than the rate defined here, it	will  give  up
	      and  terminate.	This is	a string of the	form n/t[u] where n is
	      an integer limiting the count of restarts	in the given  interval
	      and  t[u]	 defines  the  time interval through which the rate is
	      calculated; t is an integer and u	defines	the units thus	repre-
	      sented ("s" or "S" for seconds, the default; "m" or "M" for min-
	      utes;  "h" or "H"	for hours; "d" or "D" for days).  For example,
	      a	value of "10/1h" limits	the restarts to	10 in one hour.	 There
	      is no default, meaning restart rate is not limited.

       Background (Boolean)
	      Causes opendmarc to fork and exit immediately, leaving the
	      service running in the background.  The default is "true".

       BaseDirectory (string)
	      If set, instructs	the filter to change to	the  specified	direc-
	      tory  using chdir(2) before doing	anything else.	This means any
	      files referenced elsewhere in  the  configuration	 file  can  be
	      specified	 relative to this directory.  It's also	useful for ar-
	      ranging that any crash dumps will	be saved to a  specific	 loca-
	      tion.

       ChangeRootDirectory (string)
	      Requests that the operating system change the effective root
	      directory of the process to the one specified here prior to
	      beginning execution.  chroot(2) requires superuser access.  A
	      warning will be generated if UserID is not also set.

       CopyFailuresTo (string)
	      Adds  the	 specified  recipient  to the message's	envelope if it
	      fails the	DMARC evaluation.

       DomainWhitelist (string)
	      A	brief list of whitelisted  domains  for	 which	ARC  signature
	      headers  are  trusted as determined by evaluating	entries	in the
	      "arc.chain" field	found in a locally  generated  Authentication-
	      Results header.

	      This list	will be	concatenated with DomainWhitelistFile (if pro-
	      vided).

       DomainWhitelistFile (string)
	      A	comprehensive list of whitelisted domains for which ARC	signa-
	      ture  headers are	trusted	as determined by evaluating entries in
	      the "arc.chain" field found in a locally	generated  Authentica-
	      tion-Results header.

	      This  list  will	be  concatenated with DomainWhitelist (if pro-
	      vided).

       DomainWhitelistSize (integer)
	      Sets the capacity	of the whitelisted domains data	structure. The
	      value specifies the maximum number of entries including  domains
	      listed  in  the  DomainWhitelist configuration parameter and the
	      domains listed in the DomainWhitelistFile. The final size will
	      be  increased by approximately 20% to increase the efficiency of
	      the hashing algorithm.

       DNSTimeout (integer)
	      Sets the DNS timeout in seconds.	A value	of 0 causes  an	 infi-
	      nite wait.  The default is 5.  Ignored if	not using an asynchro-
	      nous resolver package.

       EnableCoredumps (Boolean)
	      On  systems  that	have such support, make	an explicit request to
	      the kernel to dump cores when the	filter crashes for  some  rea-
	      son.   Some  modern  UNIX	 systems  suppress  core  dumps	during
	      crashes for security reasons if the user ID has  changed	during
	      the lifetime of the process.  Currently only supported on	Linux.

       FailureReports (Boolean)
	      Enables  generation of failure reports when the DMARC test fails
	      and the purported	sender of the message has requested  such  re-
	      ports.  Reports are formatted per	RFC6591.

       FailureReportsBcc (string)
	      When failure reports are enabled and one is to be	generated, al-
	      ways  send  one to the address(es) specified here.  If a failure
	      report is	requested by the domain	 owner,	 the  address(es)  are
	      added in a Bcc: field.  If no request is made, the address(es)
	      are used in a To:	field.	There is no default.

       FailureReportsOnNone (Boolean)
	      Supplementary to the previous  setting,  enables	generation  of
	      failure  reports	for sending domains that publish a "none" pol-
	      icy.

       FailureReportsSentBy (string)
	      Sets the value of	the From: field	to be used when	sending	 fail-
	      ure  reports  (see  above).  The default is to use the userid of
	      the user executing the filter and	the local host	name  to  con-
	      struct an	email address.

       HistoryFile (string)
	      If  set,	specifies the location of a text file to which records
	      are written that can be used to  generate	 DMARC	aggregate  re-
	      ports.  Records are batches of rows containing information about
	      a	 single	received message, and include all relevant information
	      needed to	generate a DMARC aggregate  report.   It  is  expected
	      that  this will not be used in its raw form, but rather periodi-
	      cally imported into a relational database	from which the	aggre-
	      gate reports can be extracted using opendmarc-importstats(8).

       HoldQuarantinedMessages (Boolean)
	      If set, the milter will signal to the MTA that messages with
	      p=quarantine, which fail DMARC authentication, should be held in
	      the MTA's "Hold" or "Quarantine" queue.  The name varies by MTA.
	      If false, messages will be accepted and passed along with the
	      regular mail flow, and the quarantine will be left up to
	      downstream MTA/MDA/MUA filters, if any, to handle by re-evaluating
	      the headers, including the Authentication-Results header added
	      by this filter.  The default is "false".

       IgnoreAuthenticatedClients (Boolean)
	      If set, causes mail from authenticated clients (i.e., those that
	      used  SMTP  AUTH)	 to  be	ignored	by the filter.	The default is
	      "false".

       IgnoreHosts (string)
	      Specifies	the path to a file that	contains a list	of  hostnames,
	      IP  addresses,  and/or  CIDR expressions identifying hosts whose
	      SMTP connections are to be ignored by the	filter.	 If not	speci-
	      fied, defaults to	"127.0.0.1" only.

       IgnoreMailFrom (string)
	      Gives a list of domain names whose mail (based on	the From:  do-
	      main) is to be ignored by	the filter.  The list should be	comma-
	      separated.  Matching against this	list is	case-insensitive.  The
	      default is an empty list,	meaning	no mail	is ignored.

       MilterDebug (integer)
	      Sets  the	 debug	level to be requested from the milter library.
	      The default is 0.

       PidFile (string)
	      Specifies	the path to a file that	should be created  at  process
	      start containing the process ID.

       PublicSuffixList	(string)
	      Specifies	 the  path  to	a file that contains top-level domains
	      (TLDs) that will be used to compute  the	Organizational	Domain
	      for  a  given  domain name, as described in the DMARC specifica-
	      tion.  If	not provided, the filter will not be able to determine
	      the Organizational Domain	and only the presented domain will  be
	      evaluated.  This file should be periodically updated.  One loca-
	      tion to retrieve the file	from is	https://publicsuffix.org/list/

       RecordAllMessages (Boolean)
	      If  set  and  HistoryFile	 is  in	use, all received messages are
	      recorded to the history file.  If	not set	 (the  default),  only
	      messages	for  which  the	 From: domain published	a DMARC	record
	      will be recorded in the history file.

       RejectFailures (Boolean)
	      If set, messages will be rejected	if they	fail the DMARC evalua-
	      tion, or temp-failed if evaluation could not be  completed.   By
	      default,	no  message will be rejected or	temp-failed regardless
	      of the outcome of	the DMARC evaluation of	the message.  Instead,
	      an Authentication-Results	header field will be added.   The  de-
	      fault is "false".

       RejectMultiValueFrom (Boolean)
	      If  set,	messages with multiple addresses in the	From: field of
	      the message will be rejected unless all  domain  names  in  that
	      field  are the same.  They will otherwise	be ignored by the fil-
	      ter (the default).

       ReportCommand (string)
	      Indicates	the shell command to which failure reports  should  be
	      passed for delivery when FailureReports is enabled.  Defaults to
	      /usr/sbin/sendmail.

       RequiredHeaders (Boolean)
	      If  set,	the  filter will ensure	the header of the message con-
	      forms to the basic header	field count restrictions laid  out  in
	      RFC5322,	Section	 3.6.  Messages	failing	this test are rejected
	      without further processing.  A From: field from which no	domain
	      name could be extracted will also	be rejected.

       Socket (string)
	      Specifies	the socket that	should be established by the filter to
	      receive  connections  from  sendmail(8) in order to provide ser-
	      vice.  socketspec	is in one of two forms:	local:path, which cre-
	      ates  a  UNIX  domain  socket  at	  the	specified   path,   or
	      inet:port[@host] or inet6:port[@host] which creates a TCP	socket
	      on  the  specified port for the appropriate protocol family.  If
	      the host is not given as either a	hostname or an IP address, the
	      socket will be listening on  all	interfaces.   This  option  is
	      mandatory	 either	 in  the  configuration	file or	on the command
	      line.  If	an IP address is used, it must be enclosed  in	square
	      brackets.

       SoftwareHeader (Boolean)
	      Causes opendmarc to add a	"DMARC-Filter" header field indicating
	      the  presence of this filter in the path of the message from in-
	      jection to delivery.  The	product's name,	version, and  the  job
	      ID are included in the header field's contents.

       SPFIgnoreResults	(Boolean)
	      Causes the filter	to ignore any SPF results in the header	of the
	      message.	 This  is useful if you	want the filter	to perform SPF
	      checks itself, or	because	you don't trust	the  arriving  header.
	      The default is "false".

       SPFSelfValidate (Boolean)
	      Causes the filter	to perform a fallback SPF check	itself when it
	      can  find	no SPF results in the message header.  If SPFIgnoreRe-
	      sults is also set, it never looks	for SPF	results	in headers and
	      always performs the SPF check itself when	this is	set.  The  de-
	      fault is "false".

       Syslog (Boolean)
	      Log via calls to syslog(3) any interesting activity.

       SyslogFacility (string)
	      Log via calls to syslog(3) using the named facility.  The	facil-
	      ity  names  are  the same	as the ones allowed in syslog.conf(5).
	      The default is "mail".

       TrustedAuthservIDs (string)
	      Provides a list of authserv-ids that are to be used to  identify
	      Authentication-Results  header  fields  whose contents are to be
	      assumed as valid input for the DMARC assessment.	To  provide  a
	      list,  separate  values  by commas.  If the string "HOSTNAME" is
	      provided,	the name of the	host running the filter	 (as  returned
	      by  the gethostname(3) function) will be used.  Matching against
	      this list	is case-insensitive.  The default is to	use the	 value
	      of AuthservID.

       UMask (integer)
	      Requests	a  specific  permissions mask to be used for file cre-
	      ation.  This only	really applies to creation of the socket  when
	      Socket  specifies	 a  UNIX domain	socket,	and to the PidFile (if
	      any); temporary files are	created	 by  the  mkstemp(3)  function
	      that enforces a specific file mode on creation regardless	of the
	      process umask.  See umask(2) for more information.

       UserID (string)
	      Attempts	to  become the specified userid	before starting	opera-
	      tions.  The value	is of the form	userid[:group].	  The  process
	      will  be	assigned all of	the groups and primary group ID	of the
	      named userid unless an alternate group is	specified.
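
       The following Python script is an added example, not part of this
       manual page or of the opendmarc distribution.  It parses a
       configuration by the rules in DESCRIPTION and reports the settings
       this page itself cautions about.  The sample configuration and the
       function names are constructed here, and matching parameter names
       exactly as spelled on this page is an assumption.

```python
import re

# Constructed sample for illustration; not a real or recommended configuration.
SAMPLE = """\
Socket              inet:8893      # no @host part
AutoRestart         Yes
ChangeRootDirectory /var/empty
DNSTimeout          0
RejectFailures      true           # trailing comment is cut at '#'
"""

def parse_conf(text):
    """DESCRIPTION rules: cut at '#', skip blank lines, name + whitespace + value."""
    conf = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if parts:
            conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def as_bool(conf, name, default="F"):
    """Only the first byte of a Boolean value is examined; pass default="T"
    for parameters whose stated default is "true" (e.g. Background)."""
    first = conf.get(name, default)[:1]
    if first and first in "TtYy1":
        return True
    if first and first in "FfNn0":
        return False
    raise ValueError(f"{name}: not a Boolean value: {conf.get(name)!r}")

def audit(conf):
    """Return (parameter, finding) pairs for cautions stated on this page."""
    out = []
    if "ChangeRootDirectory" in conf and "UserID" not in conf:
        out.append(("ChangeRootDirectory", "set without UserID"))
    if (as_bool(conf, "AutoRestart") and "AutoRestartRate" not in conf
            and int(conf.get("AutoRestartCount", "0")) == 0):
        out.append(("AutoRestart", "no restart count or rate limit"))
    if re.fullmatch(r"inet6?:[^@]+", conf.get("Socket", "")):
        out.append(("Socket", "no @host: listens on all interfaces"))
    if int(conf.get("DNSTimeout", "5")) == 0:
        out.append(("DNSTimeout", "0 causes an infinite wait"))
    if "PublicSuffixList" not in conf:
        out.append(("PublicSuffixList", "unset: only the presented domain is evaluated"))
    return out

if __name__ == "__main__":
    for name, finding in audit(parse_conf(SAMPLE)):
        print(f"{name}: {finding}")
```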

FILES
       /usr/local/etc/opendmarc.conf
	      Default location of this file.

VERSION
       This man	page covers version 1.4.2 of opendmarc.

COPYRIGHT
       Copyright (c) 2012-2015,	2018, 2021, The	Trusted	Domain	Project.   All
       rights reserved.

SEE ALSO
       opendmarc(8), opendmarc-importstats(8), sendmail(8)

       RFC4408 - Sender	Policy Framework

       RFC5451	-  Message  Header Field for Indicating	Message	Authentication
       Status

       RFC5965 - An Extensible Format for Email	Feedback Reports

       RFC6376 - DomainKeys Identified Mail

       RFC6591 - Authentication	Failure	Reporting Using	 the  Abuse  Reporting
       Format

			  The Trusted Domain Project	     opendmarc.conf(5)
