opendmarc.conf(5)	      File Formats Manual	     opendmarc.conf(5)

       opendmarc.conf -	Configuration file for opendmarc


       opendmarc(8)  implements	 the  proposed DMARC specification for message
       authentication, policy enforcement, and reporting.  This	 file  is  its
       configuration file.

       Blank  lines  are ignored.  Lines containing a hash ("#") character are
       truncated at the	hash character to allow	for comments in	the file.

       Other content should be the name	of  a  parameter,  followed  by	 white
       space,  followed	 by  the  value	 of that parameter, each on a separate

       For parameters that are Boolean in nature, only the first byte  of  the
       value  is  processed.  For positive values, the following are accepted:
       "T", "t", "Y", "y", "1".	 For negative values, the  following  are  ac-
       cepted: "F", "f", "N", "n", "0".

       Some,  but  not	all, of	these parameters are also available as command
       line options to opendmarc(8).  However, new  parameters	are  generally
       not  added  as  command	line options so	the complete set of options is
       available here, and thus	use of the configuration file  is  encouraged.
       In  some	 future	 release, the set of available command line options is
       likely to get trimmed.

       See the opendmarc(8) man	page for details about how and when  the  con-
       figuration file contents	are reloaded.

       Unless  otherwise  stated,  Boolean  values default to "false", integer
       values default to 0, and	string and dataset values default to being un-

       AuthservID (string)
	      Sets  the	 "authserv-id"	to use when generating the Authentica-
	      tion-Results: header field after verifying a message.   The  de-
	      fault  is	to use the name	of the MTA processing the message.  If
	      the string "HOSTNAME" is provided, the name of the host  running
	      the  filter (as returned by the gethostname(3) function) will be

       AuthservIDWithJobID (Boolean)
	      If "true", requests that the authserv-id portion	of  the	 added
	      Authentication-Results:  header fields contain the job ID	of the
	      message being evaluated.

       AutoRestart (Boolean)
	      Automatically re-start on	failures.  Use with  caution;  if  the
	      filter  fails  instantly after it	starts,	this can cause a tight
	      fork(2) loop.

       AutoRestartCount	(integer)
	      Sets the maximum automatic restart count.	 After this number  of
	      automatic	 restarts,  the	 filter	will give up and terminate.  A
	      value of 0 implies no limit; this	is the default.

       AutoRestartRate (string)
	      Sets the maximum automatic restart rate.	If the	filter	begins
	      restarting  faster  than	the rate defined here, it will give up
	      and terminate.  This is a	string of the form n/t[u] where	 n  is
	      an  integer limiting the count of	restarts in the	given interval
	      and t[u] defines the time	interval through  which	 the  rate  is
	      calculated;  t is	an integer and u defines the units thus	repre-
	      sented ("s" or "S" for seconds, the default; "m" or "M" for min-
	      utes;  "h" or "H"	for hours; "d" or "D" for days).  For example,
	      a	value of "10/1h" limits	the restarts to	10 in one hour.	 There
	      is no default, meaning restart rate is not limited.

       Background (Boolean)
	      Causes opendmarc to fork and exit immediately, leaving the service
	      running in the background.  The default is "true".

       BaseDirectory (string)
	      If set, instructs	the filter to change to	the  specified	direc-
	      tory  using chdir(2) before doing	anything else.	This means any
	      files referenced elsewhere in  the  configuration	 file  can  be
	      specified	 relative to this directory.  It's also	useful for ar-
	      ranging that any crash dumps will	be saved to a  specific	 loca-

       ChangeRootDirectory (string)
	      Requests that the operating system change the effective root
	      directory of the process to the one specified here prior to
	      beginning execution.  chroot(2) requires superuser access.  A
	      warning will be generated if UserID is not also set.

       CopyFailuresTo (string)
	      Adds the specified recipient to the  message's  envelope	if  it
	      fails the	DMARC evaluation.

       DNSTimeout (integer)
	      Sets  the	 DNS timeout in	seconds.  A value of 0 causes an infi-
	      nite wait.  The default is 5.  Ignored if	not using an asynchro-
	      nous resolver package.

       EnableCoredumps (Boolean)
	      On  systems  that	have such support, make	an explicit request to
	      the kernel to dump cores when the	filter crashes for  some  rea-
	      son.   Some  modern  UNIX	 systems  suppress  core  dumps	during
	      crashes for security reasons if the user ID has  changed	during
	      the lifetime of the process.  Currently only supported on	Linux.

       FailureReports (Boolean)
	      Enables  generation of failure reports when the DMARC test fails
	      and the purported	sender of the message has requested  such  re-
	      ports.  Reports are formatted per	RFC6591.

       FailureReportsBcc (string)
	      When failure reports are enabled and one is to be	generated, al-
	      ways send	one to the address(es) specified here.	If  a  failure
	      report  is  requested  by	 the domain owner, the address(es) are
	      added in a Bcc: field.  If no request is made, the address(es)
	      are used in a To:	field.	There is no default.

       FailureReportsOnNone (Boolean)
	      Supplementary  to	 the  previous	setting, enables generation of
	      failure reports for sending domains that publish a  "none"  pol-

       FailureReportsSentBy (string)
	      Sets  the	value of the From: field to be used when sending fail-
	      ure reports (see above).	The default is to use  the  userid  of
	      the  user	 executing  the	filter and the local host name to con-
	      struct an	email address.

       HistoryFile (string)
	      If set, specifies	the location of	a text file to	which  records
	      are  written  that  can  be used to generate DMARC aggregate re-
	      ports.  Records are batches of rows containing information about
	      a	 single	received message, and include all relevant information
	      needed to	generate a DMARC aggregate  report.   It  is  expected
	      that  this will not be used in its raw form, but rather periodi-
	      cally imported into a relational database	from which the	aggre-
	      gate reports can be extracted.

       IgnoreAuthenticatedClients (Boolean)
	      If set, causes mail from authenticated clients (i.e., those that
	      used SMTP	AUTH) to be ignored by the  filter.   The  default  is

       IgnoreHosts (string)
	      Specifies	 the path to a file that contains a list of hostnames,
	      IP addresses, and/or CIDR	expressions  identifying  hosts	 whose
	      SMTP connections are to be ignored by the	filter.	 If not	speci-
	      fied, defaults to	"" only.

       IgnoreMailFrom (string)
	      Gives a list of domain names whose mail (based on	the From:  do-
	      main) is to be ignored by	the filter.  The list should be	comma-
	      separated.  Matching against this	list is	case-insensitive.  The
	      default is an empty list,	meaning	no mail	is ignored.

       MilterDebug (integer)
	      Sets  the	 debug	level to be requested from the milter library.
	      The default is 0.

       PidFile (string)
	      Specifies	the path to a file that	should be created  at  process
	      start containing the process ID.

       PublicSuffixList	(string)
	      Specifies	 the  path  to	a file that contains top-level domains
	      (TLDs) that will be used to compute  the	Organizational	Domain
	      for  a  given  domain name, as described in the DMARC specifica-
	      tion.  If	not provided, the filter will not be able to determine
	      the  Organizational Domain and only the presented	domain will be

       RecordAllMessages (Boolean)
	      If set and HistoryFile is	in  use,  all  received	 messages  are
	      recorded	to  the	 history file.	If not set (the	default), only
	      messages for which the From: domain  published  a	 DMARC	record
	      will be recorded in the history file.

       RejectFailures (Boolean)
	      If set, messages will be rejected	if they	fail the DMARC evalua-
	      tion, or temp-failed if evaluation could not be  completed.   By
	      default,	no  message will be rejected or	temp-failed regardless
	      of the outcome of	the DMARC evaluation of	the message.  Instead,
	      an  Authentication-Results  header field will be added.  The de-
	      fault is "false".

       ReportCommand (string)
	      Indicates	the shell command to which failure reports  should  be
	      passed for delivery when FailureReports is enabled.  Defaults to

       RequiredHeaders (Boolean)
	      If set, the filter will ensure the header	of  the	 message  con-
	      forms  to	 the basic header field	count restrictions laid	out in
	      RFC5322, Section 3.6.  Messages failing this test	 are  rejected
	      without  further processing.  A From: field from which no	domain
	      name could be extracted will also	be rejected.

       Socket (string)
	      Specifies	the socket that	should be established by the filter to
	      receive  connections  from  sendmail(8) in order to provide ser-
	      vice.  socketspec	is in one of two forms:	local:path, which cre-
	      ates   a	 UNIX	domain	 socket	 at  the  specified  path,  or
	      inet:port[@host] or inet6:port[@host] which creates a TCP	socket
	      on  the  specified port for the appropriate protocol family.  If
	      the host is not given as either a	hostname or an IP address, the
	      socket  will  be	listening  on  all interfaces.	This option is
	      mandatory	either in the configuration file  or  on  the  command
	      line.   If  an IP	address	is used, it must be enclosed in	square

       SoftwareHeader (Boolean)
	      Causes opendmarc to add a	"DMARC-Filter" header field indicating
	      the  presence of this filter in the path of the message from in-
	      jection to delivery.  The	product's name,	version, and  the  job
	      ID are included in the header field's contents.

       SPFIgnoreResults	(Boolean)
	      Causes the filter	to ignore any SPF results in the header	of the
	      message.  This is useful if you want the filter to perform SPF
	      checks  itself,  or because you don't trust the arriving header.
	      The default is "false".

       SPFSelfValidate (Boolean)
	      Causes the filter	to perform a fallback SPF check	itself when it
	      can  find	no SPF results in the message header.  If SPFIgnoreRe-
	      sults is also set, it never looks	for SPF	results	in headers and
	      always  performs the SPF check itself when this is set.  The de-
	      fault is "false".

       Syslog (Boolean)
	      Log via calls to syslog(3) any interesting activity.

       SyslogFacility (string)
	      Log via calls to syslog(3) using the named facility.  The	facil-
	      ity  names  are  the same	as the ones allowed in syslog.conf(5).
	      The default is "mail".

       TrustedAuthservIDs (string)
	      Provides a list of authserv-ids that are to be used to  identify
	      Authentication-Results  header  fields  whose contents are to be
	      assumed as valid input for the DMARC assessment.	To  provide  a
	      list,  separate  values  by commas.  If the string "HOSTNAME" is
	      provided,	the name of the	host running the filter	 (as  returned
	      by  the gethostname(3) function) will be used.  Matching against
	      this list	is case-insensitive.  The default is to	use the	 value
	      of AuthservID.

       UMask (integer)
	      Requests	a  specific  permissions mask to be used for file cre-
	      ation.  This only	really applies to creation of the socket  when
	      Socket  specifies	 a  UNIX domain	socket,	and to the PidFile (if
	      any); temporary files are	created	 by  the  mkstemp(3)  function
	      that enforces a specific file mode on creation regardless	of the
	      process umask.  See umask(2) for more information.

       UserID (string)
	      Attempts to become the specified userid before  starting	opera-
	      tions.   The  value  is of the form userid[:group].  The process
	      will be assigned all of the groups and primary group ID  of  the
	      named userid unless an alternate group is	specified.
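
An added example, not part of the manual page or the OpenDMARC distribution: a small Python checker that parses a configuration with the syntax rules above (truncation at "#", first-byte Boolean handling, the n/t[u] rate format) and flags settings whose documented behaviour deserves review. The sample contents, port number and path are constructed, and matching parameter names exactly as spelled on this page is an assumption.

```python
import re

TRUE, FALSE = set("TtYy1"), set("FfNn0")
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_conf(text):
    """Cut each line at '#', skip blanks, split name from value on white space."""
    conf = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if parts:  # names are kept exactly as written (assumption)
            conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def as_bool(conf, name, default=False):
    """Only the first byte of a Boolean value is processed."""
    first = conf.get(name, "")[:1]
    return True if first in TRUE else False if first in FALSE else default

def restart_rate(value):
    """AutoRestartRate 'n/t[u]' -> (max restarts, interval in seconds)."""
    m = re.fullmatch(r"(\d+)/(\d+)([smhd]?)", value, re.IGNORECASE)
    if not m:
        raise ValueError(f"malformed AutoRestartRate: {value!r}")
    return int(m[1]), int(m[2]) * UNITS[(m[3] or "s").lower()]

def audit(conf):
    """Return findings, each tied to a behaviour this page documents."""
    out = []
    if "ChangeRootDirectory" in conf and "UserID" not in conf:
        out.append("ChangeRootDirectory set without UserID (opendmarc warns)")
    limited = ("AutoRestartRate" in conf
               or int(conf.get("AutoRestartCount", "0")) > 0)
    if as_bool(conf, "AutoRestart") and not limited:
        out.append("AutoRestart unlimited: tight fork(2) loop possible")
    sock = conf.get("Socket", "")
    if sock.startswith(("inet:", "inet6:")) and "@" not in sock:
        out.append("Socket has no @host: listens on all interfaces")
    if not as_bool(conf, "RejectFailures"):
        out.append("RejectFailures off: failures are annotated, not rejected")
    return out

# Constructed sample configuration, not taken from a real deployment.
SAMPLE = """\
Socket              inet:8893      # no @host given
ChangeRootDirectory /var/empty
AutoRestart         yes
RejectFailures      Nope           # first byte 'N' means false
"""
```

Calling `audit(parse_conf(SAMPLE))` returns four findings; adding UserID, a rate or count limit, an @host on the socket and a true RejectFailures clears them.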

	      Default location of this file.

       This man	page covers version 1.3.2 of opendmarc.

       Copyright  (c)  2012-2015,  The Trusted Domain Project.	All rights re-

       opendmarc(8), sendmail(8)

       RFC4408 - Sender	Policy Framework

       RFC5451 - Message Header	Field for  Indicating  Message	Authentication

       RFC5965 - An Extensible Format for Email	Feedback Reports

       RFC6376 - DomainKeys Identified Mail

       RFC6591	-  Authentication  Failure Reporting Using the Abuse Reporting

			  The Trusted Domain Project	     opendmarc.conf(5)

