View Categories

Open DMARC

10 min read

Copy of: https://manpages.ubuntu.com/manpages/jammy/en/man5/opendmarc.conf.5.html

jammy (5opendmarc.conf.5.gz

Provided by: opendmarc_1.4.2-1_amd64 bug

NAME #

       opendmarc.conf - Configuration file for opendmarc

LOCATION #

       /etc/opendmarc.conf

DESCRIPTION #

       opendmarc(8)  implements  the  proposed  DMARC  specification  for message authentication,
       policy enforcement, and reporting.  This file is its configuration file.

       Blank lines are ignored.  Lines containing a hash ("#") character  are  truncated  at  the
       hash character to allow for comments in the file.

       Other  content should be the name of a parameter, followed by white space, followed by the
       value of that parameter, each on a separate line.

       For parameters that are Boolean in nature, only the first byte of the value is  processed.
       For  positive  values,  the following are accepted: "T", "t", "Y", "y", "1".  For negative
       values, the following are accepted: "F", "f", "N", "n", "0".

       Some, but not all, of these parameters are also  available  as  command  line  options  to
       opendmarc(8).   However, new parameters are generally not added as command line options so
       the complete set of options is available here, and thus use of the configuration  file  is
       encouraged.   In  some future release, the set of available command line options is likely
       to get trimmed.

       See the opendmarc(8) man page for details  about  how  and  when  the  configuration  file
       contents are reloaded.

       Unless  otherwise  stated, Boolean values default to "false", integer values default to 0,
       and string and dataset values default to being undefined.

PARAMETERS #

       AuthservID (string)
              Sets the "authserv-id" to use when generating  the  Authentication-Results:  header
              field  after  verifying  a  message.   The  default  is  to use the name of the MTA
              processing the message.  If the string "HOSTNAME" is provided, the name of the host
              running the filter (as returned by the gethostname(3) function) will be used.

       AuthservIDWithJobID (Boolean)
              If  "true",  requests  that  the  authserv-id  portion of the added Authentication-
              Results: header fields contain the job ID of the message being evaluated.

       AutoRestart (Boolean)
              Automatically re-start  on  failures.   Use  with  caution;  if  the  filter  fails
              instantly after it starts, this can cause a tight fork(2) loop.

       AutoRestartCount (integer)
              Sets the maximum automatic restart count.  After this number of automatic restarts,
              the filter will give up and terminate.  A value of 0 implies no limit; this is  the
              default.

       AutoRestartRate (string)
              Sets  the  maximum  automatic restart rate.  If the filter begins restarting faster
              than the rate defined here, it will give up and terminate.  This is a string of the
              form  n/t[u]  where  n  is  an  integer limiting the count of restarts in the given
              interval and t[u] defines the time interval through which the rate is calculated; t
              is an integer and u defines the units thus represented ("s" or "S" for seconds, the
              default; "m" or "M" for minutes; "h" or "H" for hours; "d" or "D" for  days).   For
              example,  a  value  of  "10/1h" limits the restarts to 10 in one hour.  There is no
              default, meaning restart rate is not limited.

       Background (Boolean)
              Causes opendmarc to fork and exits immediately, leaving the service running in  the
              background.  The default is "true".

       BaseDirectory (string)
              If  set,  instructs  the filter to change to the specified directory using chdir(2)
              before doing anything else.  This means  any  files  referenced  elsewhere  in  the
              configuration  file  can be specified relative to this directory.  It's also useful
              for arranging that any crash dumps will be saved to a specific location.

       ChangeRootDirectory (string)
              Requests that the operating system change  the  effective  root  directory  of  the
              process  to  the  one  specified  here  prior  to  beginning execution.  chroot (2)
              requires superuser access. A warning will be generated if UserID is not also set.

       CopyFailuresTo (string)
              Adds the specified recipient to the  message's  envelope  if  it  fails  the  DMARC
              evaluation.

       DomainWhitelist (string)
              A  brief list of whitelisted domains for which ARC signature headers are trusted as
              determined by evaluating entries in  the  "arc.chain"  field  found  in  a  locally
              generated Authentication-Results header.

              This list will be concatenated with DomainWhitelistFile (if provided).

       DomainWhitelistFile (string)
              A  comprehensive  list  of  whitelisted domains for which ARC signature headers are
              trusted as determined by evaluating entries in the "arc.chain"  field  found  in  a
              locally generated Authentication-Results header.

              This list will be concatenated with DomainWhitelist (if provided).

       DomainWhitelistSize (integer)
              Sets  the  capacity  of the whitelisted domains data structure. The value specifies
              the maximum number of entries  including  domains  listed  in  the  DomainWhitelist
              configuration  parameter  and  the  domains  listed in the DomainWhiteListFile. The
              final size will be increased by approximately 20% to increase the efficiency of the
              hashing algorithm.

       DNSTimeout (integer)
              Sets  the  DNS  timeout  in  seconds.   A  value of 0 causes an infinite wait.  The
              default is 5.  Ignored if not using an asynchronous resolver package.

       EnableCoredumps (Boolean)
              On systems that have such support, make an explicit request to the kernel  to  dump
              cores  when  the filter crashes for some reason.  Some modern UNIX systems suppress
              core dumps during crashes for security reasons if the user ID  has  changed  during
              the lifetime of the process.  Currently only supported on Linux.

       FailureReports (Boolean)
              Enables  generation  of failure reports when the DMARC test fails and the purported
              sender of the message has  requested  such  reports.   Reports  are  formatted  per
              RFC6591.

       FailureReportsBcc (string)
              When failure reports are enabled and one is to be generated, always send one to the
              address(es) specified here.  If a failure report is requested by the domain  owner,
              the address(es) are added in a Bcc: field.  If no request is made, they address(es)
              are used in a To: field.  There is no default.

       FailureReportsOnNone (Boolean)
              Supplementary to the previous setting, enables generation of  failure  reports  for
              sending domains that publish a "none" policy.

       FailureReportsSentBy (string)
              Sets  the  value  of  the  From: field to be used when sending failure reports (see
              above).  The default is to use the userid of the user executing the filter and  the
              local host name to construct an email address.

       HistoryFile (string)
              If set, specifies the location of a text file to which records are written that can
              be used  to  generate  DMARC  aggregate  reports.   Records  are  batches  of  rows
              containing  information  about  a single received message, and include all relevant
              information needed to generate a DMARC aggregate report.  It is expected that  this
              will  not  be  used  in  its  raw  form,  but  rather  periodically imported into a
              relational database from  which  the  aggregate  reports  can  be  extracted  using
              opendmarc-importstats(8).

       HoldQuarantinedMessages (Boolean)
              If  set,  the  milter will signal to the mta that messages with p=quarantine, which
              fail dmarc authentication, should be held  in  the  MTA's  "Hold"  or  "Quarantine"
              queue.   The  name  varies  by MTA.  If false, messages will be accepted and passed
              along with the regular mail flow, and the quarantine will be left up to  downstream
              MTA/MDA/MUA  filters, if any, to handle by re-evaluating the headers, including the
              Authentication-Results header added by this filter.  The default is "false".

       IgnoreAuthenticatedClients (Boolean)
              If set, causes mail from authenticated clients (i.e., those that used SMTP AUTH) to
              be ignored by the filter.  The default is "false".

       IgnoreHosts (string)
              Specifies  the  path  to  a  file  that contains a list of hostnames, IP addresses,
              and/or CIDR expressions identifying hosts whose SMTP connections are to be  ignored
              by the filter.  If not specified, defaults to "127.0.0.1" only.

       IgnoreMailFrom (string)
              Gives  a  list  of  domain  names  whose  mail (based on the From: domain) is to be
              ignored by the filter.  The list should be comma-separated.  Matching against  this
              list  is  case-insensitive.   The  default  is  an  empty  list, meaning no mail is
              ignored.

       IgnoreMailTo (string)
              Gives a list of mail addresses which aren't entered into the history file.  This is
              useful  to  prevent  exchanging  mutual message reports.  The list should be comma-
              separated.  Matching against this list is  case-insensitive.   The  default  is  an
              empty list, meaning no mail is ignored.

       MilterDebug (integer)
              Sets the debug level to be requested from the milter library.  The default is 0.

       PidFile (string)
              Specifies the path to a file that should be created at process start containing the
              process ID.

       PublicSuffixList (string)
              Specifies the path to a file that contains top-level domains (TLDs)  that  will  be
              used  to compute the Organizational Domain for a given domain name, as described in
              the DMARC specification.  If not provided, the filter will not be able to determine
              the  Organizational  Domain  and only the presented domain will be evaluated.  This
              file should be periodically updated.  One location to retrieve  the  file  from  is
              https://publicsuffix.org/list/

       RecordAllMessages (Boolean)
              If set and HistoryFile is in use, all received messages are recorded to the history
              file.  If not set (the default), only messages for which the From: domain published
              a DMARC record will be recorded in the history file.

       RejectFailures (Boolean)
              If set, messages will be rejected if they fail the DMARC evaluation, or temp-failed
              if evaluation could not be completed.  By default, no message will be  rejected  or
              temp-failed  regardless  of  the  outcome  of  the DMARC evaluation of the message.
              Instead, an Authentication-Results header field will  be  added.   The  default  is
              "false".

       RejectMultiValueFrom (Boolean)
              If  set, messages with multiple addresses in the From: field of the message will be
              rejected unless all domain names in that field are the same.  They  will  otherwise
              be ignored by the filter (the default).

       RejectString (string)
              This string describes the reason of reject at SMTP level.  The message MUST contain
              the word "%s" once, which will be replaced by the RFC5322.From domain.  The default
              is "rejected by DMARC policy for %s"

       ReportCommand (string)
              Indicates  the shell command to which failure reports should be passed for delivery
              when FailureReports is enabled.  Defaults to /usr/sbin/sendmail.

       RequiredHeaders (Boolean)
              If set, the filter will ensure the header of the  message  conforms  to  the  basic
              header field count restrictions laid out in RFC5322, Section 3.6.  Messages failing
              this test are rejected without further processing.  A From:  field  from  which  no
              domain name could be extracted will also be rejected.

       Socket (string)
              Specifies  the  socket  that  should  be  established  by  the  filter  to  receive
              connections from sendmail(8) in order to provide service.  socketspec is in one  of
              two forms: local:path, which creates a UNIX domain socket at the specified path, or
              inet:port[@host] or inet6:port[@host] which creates a TCP socket on  the  specified
              port  for  the  appropriate  protocol family.  If the host is not given as either a
              hostname or an IP address, the socket will be listening on  all  interfaces.   This
              option is mandatory either in the configuration file or on the command line.  If an
              IP address is used, it must be enclosed in square brackets.

       SoftwareHeader (Boolean)
              Causes opendmarc to add a "DMARC-Filter" header field indicating  the  presence  of
              this  filter  in the path of the message from injection to delivery.  The product's
              name, version, and the job ID are included in the header field's contents.

       SPFIgnoreResults (Boolean)
              Causes the filter to ignore any SPF results in the header of the message.  This  is
              useful  if  you  want the filter to perform SPF checks itself, or because you don't
              trust the arriving header.  The default is "false".

       SPFSelfValidate (Boolean)
              Causes the filter to perform a fallback SPF check itself when it can  find  no  SPF
              results in the message header.  If SPFIgnoreResults is also set, it never looks for
              SPF results in headers and always performs the SPF check itself when this  is  set.
              The default is "false".

       Syslog (Boolean)
              Log via calls to syslog(3) any interesting activity.

       SyslogFacility (string)
              Log  via  calls  to syslog(3) using the named facility.  The facility names are the
              same as the ones allowed in syslog.conf(5).  The default is "mail".

       TrustedAuthservIDs (string)
              Provides a list of authserv-ids that are to be  used  to  identify  Authentication-
              Results header fields whose contents are to be assumed as valid input for the DMARC
              assessment.  To  provide  a  list,  separate  values  by  commas.   If  the  string
              "HOSTNAME" is provided, the name of the host running the filter (as returned by the
              gethostname(3) function) will  be  used.   Matching  against  this  list  is  case-
              insensitive.  The default is to use the value of AuthservID.

       UMask (integer)
              Requests  a  specific  permissions  mask  to  be used for file creation.  This only
              really applies to creation of the  socket  when  Socket  specifies  a  UNIX  domain
              socket,  and to the PidFile (if any); temporary files are created by the mkstemp(3)
              function that enforces a specific file mode on creation regardless of  the  process
              umask.  See umask(2) for more information.

       UserID (string)
              Attempts  to  become the specified userid before starting operations.  The value is
              of the form userid[:group].  The process will be assigned all  of  the  groups  and
              primary group ID of the named userid unless an alternate group is specified.

FILES #

       /etc/opendmarc.conf
              Default location of this file.

VERSION #

       This man page covers version 1.4.2 of opendmarc.
       Copyright (c) 2012-2015, 2018, 2021, The Trusted Domain Project.  All rights reserved.

SEE ALSO #

       opendmarc(8), opendmarc-importstats(8), sendmail(8)

       RFC4408 - Sender Policy Framework

       RFC5451 - Message Header Field for Indicating Message Authentication Status

       RFC5965 - An Extensible Format for Email Feedback Reports

       RFC6376 - DomainKeys Identified Mail

       RFC6591 - Authentication Failure Reporting Using the Abuse Reporting Format

                                    The Trusted Domain Project                  opendmarc.conf(5)