## opendmarc.conf -- configuration file for OpenDMARC filter
##
## Copyright (c) 2012-2015, 2018, 2021, The Trusted Domain Project.
##   All rights reserved.

## DEPRECATED CONFIGURATION OPTIONS
##
## The following configuration options are no longer valid.  They should be
## removed from your existing configuration file to prevent potential issues.
## Failure to do so may result in opendmarc being unable to start.
##
## Renamed in 1.3.0:
##   ForensicReports became FailureReports
##   ForensicReportsBcc became FailureReportsBcc
##   ForensicReportsOnNone became FailureReportsOnNone
##   ForensicReportsSentBy became FailureReportsSentBy

## CONFIGURATION OPTIONS

##  AuthservID (string)
##  	defaults to MTA name
##
##  Sets the "authserv-id" to use when generating the Authentication-Results:
##  header field after verifying a message.  If the string "HOSTNAME" is
##  provided, the name of the host running the filter (as returned by the
##  gethostname(3) function) will be used.
#
# AuthservID name

##  AuthservIDWithJobID { true | false }
##  	default "false"
##
##  If "true", requests that the authserv-id portion of the added
##  Authentication-Results header fields contain the job ID of the message
##  being evaluated.
#
# AuthservIDWithJobID false

##  AutoRestart { true | false }
##  	default "false"
##
##  Automatically re-start on failures. Use with caution; if the filter fails
##  instantly after it starts, this can cause a tight fork(2) loop.
#
# AutoRestart false

##  AutoRestartCount n
##  	default 0
##
##  Sets the maximum automatic restart count.  After this number of automatic
##  restarts, the filter will give up and terminate.  A value of 0 implies no
##  limit.
#
# AutoRestartCount 0

##  AutoRestartRate n/t[u]
##  	default (no limit)
##
##  Sets the maximum automatic restart rate.  If the filter begins restarting
##  faster than the rate defined here, it will give up and terminate.  This
##  is a string of the form n/t[u] where n is an integer limiting the count
##  of restarts in the given interval and t[u] defines the time interval
##  through which the rate is calculated; t is an integer and u defines the
##  units thus represented ("s" or "S" for seconds, the default; "m" or "M"
##  for minutes; "h" or "H" for hours; "d" or "D" for days). For example, a
##  value of "10/1h" limits the restarts to 10 in one hour. There is no
##  default, meaning restart rate is not limited.
#
# AutoRestartRate n/t[u]

##  Background { true | false }
##  	default "true"
##
##  Causes opendmarc to fork and exits immediately, leaving the service
##  running in the background.
#
# Background true

##  BaseDirectory (string)
##  	default (none)
##
##  If set, instructs the filter to change to the specified directory using
##  chdir(2) before doing anything else.  This means any files referenced
##  elsewhere in the configuration file can be specified relative to this
##  directory.  It's also useful for arranging that any crash dumps will be
##  saved to a specific location.
#
# BaseDirectory /var/run/opendmarc

##  ChangeRootDirectory (string)
##  	default (none)
##
##  Requests that the operating system change the effective root directory of
##  the process to the one specified here prior to beginning execution.
##  chroot(2) requires superuser access.  A warning will be generated if
##  UserID is not also set.
#
# ChangeRootDirectory /var/chroot/opendmarc

##  CopyFailuresTo (string)
##  	default (none)
##
##  Requests addition of the specified email address to the envelope of
##  any message that fails the DMARC evaluation.
#
# CopyFailuresTo postmaster@localhost

##  DomainWhitelist (string)
##  	default (none)
##
##  A brief list of whitelisted domains for which ARC signature headers are
##  trusted as determined by evaluating entries in the "arc.chain" field found
##  in a locally generated Authentication-Results header.
##
##  This list will be concatenated with DomainWhitelistFile (if provided).
##
# 
# DomainWhitelist example.com

##  DomainWhitelistFile path
##  	default (none)
##
##  A comprehensive list of whitelisted domains for which ARC signature headers
##  are trusted as determined by evaluating entries in the "arc.chain" field
##  found in a locally generated Authentication-Results header.
##
##  This list will be concatenated with DomainWhitelist (if provided).
##
# 
# DomainWhitelistFile /etc/opendmarc/whitelist.domains

##  DomainWhitelistSize
##  	default 3000
##
##  The maximum number of entries in the DomainWhitelist including both entries
##  in the DomainWhitelist configuration parameter (above) and entries in the
##  DomainWhitelistFile. This number will be increased by approximately 20% to
##  increase the efficiency of the hashing algorithm.
##
# 
# DomainWhitelistSize 3000

##  DNSTimeout (integer)
##  	default 5
##
##  Sets the DNS timeout in seconds.  A value of 0 causes an infinite wait.
##  (NOT YET IMPLEMENTED)
#
# DNSTimeout 5

##  EnableCoredumps { true | false }
##  	default "false"
##
##  On systems that have such support, make an explicit request to the kernel
##  to dump cores when the filter crashes for some reason.  Some modern UNIX
##  systems suppress core dumps during crashes for security reasons if the
##  user ID has changed during the lifetime of the process.  Currently only
##  supported on Linux.
#
# EnableCoreDumps false

##  FailureReports { true | false }
##  	default "false"
##
##  Enables generation of failure reports when the DMARC test fails and the
##  purported sender of the message has requested such reports.  Reports are
##  formatted per RFC6591.
#
# FailureReports false

##  FailureReportsBcc (string)
##  	default (none)
##
##  When failure reports are enabled and one is to be generated, always
##  send one to the address(es) specified here.  If a failure report is
##  requested by the domain owner, the address(es) are added in a Bcc: field.
##  If no request is made, they address(es) are used in a To: field.  There
##  is no default.
#
# FailureReportsBcc postmaster@example.coom

##  FailureReportsOnNone { true | false }
##  	default "false"
##
##  Supplements the "FailureReports" setting by generating reports for
##  domains that advertise "none" policies.  By default, reports are only
##  generated (when enabled) for sending domains advertising a "quarantine"
##  or "reject" policy.
#
# FailureReportsOnNone false

##  FailureReportsSentBy string
##  	default "USER@HOSTNAME"
##
##  Specifies the email address to use in the From: field of failure
##  reports generated by the filter.  The default is to use the userid of
##  the user running the filter and the local hostname to construct an
##  email address.  "postmaster" is used in place of the userid if a name
##  could not be determined.
#
# FailureReportsSentBy USER@HOSTNAME

##  HistoryFile path
##  	default (none)
##
##  If set, specifies the location of a text file to which records are written
##  that can be used to generate DMARC aggregate reports.  Records are groups
##  of rows containing information about a single received message, and
##  include all relevant information needed to generate a DMARC aggregate
##  report.  It is expected that this will not be used in its raw form, but
##  rather periodically imported into a relational database from which the
##  aggregate reports can be extracted by a tool such as opendmarc-import(8).
#
# HistoryFile /var/spool/opendmarc/opendmarc.dat

##  HoldQuarantinedMessages { true | false }
##  	default "false"
##
##  If set, the milter will signal to the mta that messages with
##  p=quarantine, which fail dmarc authentication, should be held in
##  the MTA's "Hold" or "Quarantine" queue.  The name varies by MTA.
##  If false, messsages will be accepted and passed along with the 
##  regular mail flow, and the quarantine will be left up to downstream
##  MTA/MDA/MUA filters, if any, to handle by re-evaluating the headers,
##  including the Authentication-Results header added by OpenDMARC
#
# HoldQuarantinedMessages false

##  IgnoreAuthenticatedClients { true | false }
##  	default "false"
##
##  If set, causes mail from authenticated clients (i.e., those that used
##  SMTP AUTH) to be ignored by the filter.
#
# IgnoreAuthenticatedClients false
#>GNUNUX
IgnoreAuthenticatedClients true
#<GNUNUX

## HoldQuarantinedMessages { true | false }
##  	default "false"
##
##  If set, the milter will signal to the mta that messages with
##  p=quarantine, which fail dmarc authentication, should be held in
##  the MTA's "Hold" or "Quarantine" queue.  The name varies by MTA.
##  If false, messsages will be accepted and passed along with the 
##  regular mail flow, and the quarantine will be left up to downstream
##  MTA/MDA/MUA filters, if any, to handle by re-evaluating the headers,
##  including the Authentication-Results header added by OpenDMARC
#
# HoldQuarantinedMessages false


##  IgnoreHosts path
##  	default (internal)
##
##  Specifies the path to a file that contains a list of hostnames, IP
##  addresses, and/or CIDR expressions identifying hosts whose SMTP
##  connections are to be ignored by the filter.  If not specified, defaults
##  to "127.0.0.1" only.
#
# IgnoreHosts /etc/opendmarc/ignore.hosts

##  IgnoreMailFrom domain[,...]
##  	default (none)
##
##  Gives a list of domain names whose mail (based on the From: domain) is to
##  be ignored by the filter.  The list should be comma-separated.  Matching
##  against this list is case-insensitive.  The default is an empty list,
##  meaning no mail is ignored.
#
# IgnoreMailFrom example.com

##  MilterDebug (integer)
##  	default 0
##
##  Sets the debug level to be requested from the milter library.
#
# MilterDebug 0

##  PidFile path
##  	default (none)
##
##  Specifies the path to a file that should be created at process start
##  containing the process ID.
#
# PidFile /var/run/opendmarc.pid

##  PublicSuffixList path
##  	default (none)
##
##  Specifies the path to a file that contains top-level domains (TLDs) that
##  will be used to compute the Organizational Domain for a given domain name,
##  as described in the DMARC specification.  If not provided, the filter will
##  not be able to determine the Organizational Domain and only the presented
##  domain will be evaluated.  This file should be periodically updated.
##  One location to retrieve the file from is https://publicsuffix.org/list/
#
# PublicSuffixList path

##  RecordAllMessages { true | false }
##  	default "false"
##
##  If set and "HistoryFile" is in use, all received messages are recorded
##  to the history file.  If not set (the default), only messages for which
##  the From: domain published a DMARC record will be recorded in the
##  history file.
#
# RecordAllMessages false

##  RejectFailures { true | false }
##  	default "false"
##
##  If set, messages will be rejected if they fail the DMARC evaluation, or
##  temp-failed if evaluation could not be completed.  By default, no message
##  will be rejected or temp-failed regardless of the outcome of the DMARC
##  evaluation of the message.  Instead, an Authentication-Results header
##  field will be added.
#
# RejectFailures false
#>GNUNUX
RejectFailures true
#<GNUNUX

##  RejectMultiValueFrom { true | false }
##  	default "false"
##
##  If set, messages with multiple addresses in the From: field of the message
##  will be rejected unless all domains in the field are the same.  They will
##  otherwise be ignored by the filter (the default).
# 
# RejectMultiValueFrom false

##  ReportCommand string
##  	default "/usr/sbin/sendmail -t"
##
##  Indicates the shell command to which failure reports should be passed for
##  delivery when "FailureReports" is enabled.
#
# ReportCommand /usr/sbin/sendmail -t

##  RequiredHeaders { true | false }
##  	default "false"
##
##  If set, the filter will ensure the header of the message conforms to the
##  basic header field count restrictions laid out in RFC5322, Section 3.6.
##  Messages failing this test are rejected without further processing.  A
##  From: field from which no domain name could be extracted will also be
##  rejected.
#
# RequiredHeaders false
#>GNUNUX
RequiredHeaders true
#<GNUNUX

##  Socket socketspec
##  	default (none)
##
##  Specifies the socket that should be established by the filter to receive
##  connections from sendmail(8) in order to provide service.  socketspec is
##  in one of two forms: local:path, which creates a UNIX domain socket at
##  the specified path, or inet:port[@host] or inet6:port[@host] which creates
##  a TCP socket on the specified port for the appropriate protocol family.
##  If the host is not given as either a hostname or an IP address, the
##  socket will be listening on all interfaces.  This option is mandatory
##  either in the configuration file or on the command line.  If an IP
##  address is used, it must be enclosed in square brackets.
#
Socket inet:8893@localhost

##  SoftwareHeader { true | false }
##  	default "false"
##
##  Causes the filter to add a "DMARC-Filter" header field indicating the
##  presence of this filter in the path of the message from injection to
##  delivery.  The product's name, version, and the job ID are included in
##  the header field's contents.
#
SoftwareHeader true

##  SPFIgnoreResults { true | false }
##	default "false"
##
##  Causes the filter to ignore any SPF results in the header of the
##  message.  This is useful if you want the filter to perform SPF checks
##  itself, or because you don't trust the arriving header.
#
SPFIgnoreResults true

##  SPFSelfValidate { true | false }
##	default false
##
##  Enable internal spf checking with --with-spf
##  To use libspf2 instead:  --with-spf --with-spf2-include=path --with-spf2-lib=path
##
##  Causes the filter to perform a fallback SPF check itself when
##  it can find no SPF results in the message header.  If SPFIgnoreResults
##  is also set, it never looks for SPF results in headers and
##  always performs the SPF check itself when this is set.
#
SPFSelfValidate true

##  Syslog { true | false }
##  	default "false"
##
##  Log via calls to syslog(3) any interesting activity.
#
Syslog true

##  SyslogFacility facility-name
##  	default "mail"
##
##  Log via calls to syslog(3) using the named facility.  The facility names
##  are the same as the ones allowed in syslog.conf(5).
#
# SyslogFacility mail

##  TrustedAuthservIDs string
##  	default HOSTNAME
##
##  Specifies one or more "authserv-id" values to trust as relaying true
##  upstream DKIM and SPF results.  The default is to use the name of
##  the MTA processing the message.  To specify a list, separate each entry
##  with a comma.  The key word "HOSTNAME" will be replaced by the name of
##  the host running the filter as reported by the gethostname(3) function.
#
# TrustedAuthservIDs HOSTNAME
#>GNUNUX
TrustedAuthservIDs %%postfix_mail_hostname
#>GNUNUX

##  UMask mask
##  	default (none)
##
##  Requests a specific permissions mask to be used for file creation.  This
##  only really applies to creation of the socket when Socket specifies a
##  UNIX domain socket, and to the HistoryFile and PidFile (if any); temporary
##  files are normally created by the mkstemp(3) function that enforces a
##  specific file mode on creation regardless of the process umask.  See
##  umask(2) for more information.
#
UMask 007

##  UserID user[:group]
##  	default (none)
##
##  Attempts to become the specified userid before starting operations.
##  The process will be assigned all of the groups and primary group ID of
##  the named userid unless an alternate group is specified.
#
UserID opendmarc:mail