## BASIC OPENDKIM CONFIGURATION FILE
## See opendkim.conf(5) or /usr/share/doc/opendkim/opendkim.conf.sample for more

## BEFORE running OpenDKIM you must:

## - make your MTA (Postfix, Sendmail, etc.) aware of OpenDKIM
## - generate keys for your domain (if signing)
## - edit your DNS records to publish your public keys (if signing)

## See /usr/share/doc/opendkim/INSTALL for detailed instructions.

## DEPRECATED CONFIGURATION OPTIONS
##
## The following configuration options are no longer valid. They should be
## removed from your existing configuration file to prevent potential issues.
## Failure to do so may result in opendkim being unable to start.
##
## Removed in 2.10.0:
##   AddAllSignatureResults
##   ADSPAction
##   ADSPNoSuchDomain
##   BogusPolicy
##   DisableADSP
##   LDAPSoftStart
##   LocalADSP
##   NoDiscardableMailTo
##   On-PolicyError
##   SendADSPReports
##   UnprotectedPolicy

## CONFIGURATION OPTIONS

## Specifies the path to the process ID file.
PidFile /run/opendkim/opendkim.pid

## Selects operating modes. Valid modes are s (sign) and v (verify). Default is v.
## Must be changed to s (sign only) or sv (sign and verify) in order to sign outgoing
## messages.
Mode v

## Log activity to the system log.
Syslog yes

## Log additional entries indicating successful signing or verification of messages.
SyslogSuccess yes

## If logging is enabled, include detailed logging about why or why not a message was
## signed or verified. This causes an increase in the amount of log data generated
## for each message, so set this to No (or comment it out) if it gets too noisy.
LogWhy yes

## Attempt to become the specified user before starting operations.
UserID opendkim:opendkim

## Create a socket through which your MTA can communicate.
Socket inet:8891@localhost

## Required to use local socket with MTAs that access the socket as a non-
## privileged user (e.g. Postfix)
Umask 002

## This specifies a text file in which to store DKIM transaction statistics.
## OpenDKIM must be manually compiled with --enable-stats to enable this feature.
# Statistics /var/spool/opendkim/stats.dat

## Specifies whether or not the filter should generate report mail back
## to senders when verification fails and an address for such a purpose
## is provided. See opendkim.conf(5) for details.
SendReports yes

## Specifies the sending address to be used on From: headers of outgoing
## failure reports. By default, the e-mail address of the user executing
## the filter is used (executing_user@hostname).
# ReportAddress "Example.com Postmaster" <postmaster@example.com>

## Add a DKIM-Filter header field to messages passing through this filter
## to identify messages it has processed.
SoftwareHeader yes

## SIGNING OPTIONS

## Selects the canonicalization method(s) to be used when signing messages.
Canonicalization relaxed/relaxed

## Domain(s) whose mail should be signed by this filter. Mail from other domains will
## be verified rather than being signed. Uncomment and use your domain name.
## This parameter is not required if a SigningTable is in use.
# Domain example.com

## Defines the name of the selector to be used when signing messages.
Selector default

## Specifies the minimum number of key bits for acceptable keys and signatures.
MinimumKeyBits 1024

## Gives the location of a private key to be used for signing ALL messages. This
## directive is ignored if KeyTable is enabled.
KeyFile /etc/opendkim/keys/default.private

## Gives the location of a file mapping key names to signing keys. In simple terms,
## this tells OpenDKIM where to find your keys. If present, overrides any KeyFile
## directive in the configuration file. Requires SigningTable be enabled.
# KeyTable /etc/opendkim/KeyTable

## Defines a table used to select one or more signatures to apply to a message based
## on the address found in the From: header field. In simple terms, this tells
## OpenDKIM how to use your keys. Requires KeyTable be enabled.
# SigningTable refile:/etc/opendkim/SigningTable

## Identifies a set of "external" hosts that may send mail through the server as one
## of the signing domains without credentials as such.
# ExternalIgnoreList refile:/etc/opendkim/TrustedHosts

## Identifies a set of "internal" hosts whose mail should be signed rather than verified.
# InternalHosts refile:/etc/opendkim/TrustedHosts

## Contains a list of IP addresses, CIDR blocks, hostnames or domain names
## whose mail should be neither signed nor verified by this filter. See man
## page for file format.
# PeerList X.X.X.X

## Always oversign From (sign using the actual From and a null From) to prevent
## malicious addition of header fields (From and/or others) between the signer
## and the verifier. From is oversigned by default in the Fedora package
## because it is often the identity key used by reputation systems and thus
## somewhat security sensitive.
OversignHeaders From

## Instructs the DKIM library to maintain its own local cache of keys and
## policies retrieved from DNS, rather than relying on the nameserver for
## caching service. Useful if the nameserver being used by the filter is
## not local.
# QueryCache yes

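## Added example, not part of this configuration file or of OpenDKIM: a simplified
## Python model of RFC 6376 header selection showing what OversignHeaders From changes
## in the signature's h= list. The helper names and sample headers are constructed for
## illustration, and only the header hash input is modelled, not the RSA signature.

```python
import hashlib

# Constructed sample message headers, top to bottom as they appear on the wire.
SIGNED = [("From", "Alice <alice@example.com>"),
          ("To", "bob@example.net"),
          ("Subject", "Invoice 42")]
# Same message after an extra From was prepended between signer and verifier.
RECEIVED = [("From", "Mallory <mallory@example.org>")] + SIGNED


def signed_header_input(headers, h_tag):
    """Return the header bytes hashed for the given h= list (simplified model).

    RFC 6376 section 5.4.2: each name in h= consumes the bottom-most instance
    not yet used; a name with no instance left contributes the null string.
    """
    remaining = list(headers)
    out = []
    for name in h_tag.lower().split(":"):
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == name.strip():
                field, value = remaining.pop(i)
                # Relaxed header canonicalization, reduced to its essentials:
                # lowercase the name, collapse runs of whitespace in the value.
                out.append(f"{field.lower()}:{' '.join(value.split())}\r\n")
                break
    return "".join(out).encode()


def signature_survives(h_tag, signed, received):
    """True if the header hash is unchanged, i.e. verification would still pass."""
    def digest(headers):
        return hashlib.sha256(signed_header_input(headers, h_tag)).hexdigest()
    return digest(signed) == digest(received)


if __name__ == "__main__":
    # From listed once: the verifier hashes only the bottom-most From, so the
    # prepended From is not covered by the signature.
    print("h=from:to:subject      ->",
          signature_survives("from:to:subject", SIGNED, RECEIVED))
    # OversignHeaders From lists From once more than it occurs; the extra slot
    # was signed as null, so any added From changes the hash.
    print("h=from:from:to:subject ->",
          signature_survives("from:from:to:subject", SIGNED, RECEIVED))
```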