Man Linux: Main Page and Category List

NAME

       opendkim.conf - Configuration file for opendkim

LOCATION

       /etc/mail/opendkim.conf

DESCRIPTION

       opendkim(8) implements the DKIM specification for signing and verifying
       e-mail messages on a per-domain basis.  This file is its  configuration
       file.

       Blank  lines  are ignored.  Lines containing a hash ("#") character are
       truncated at the hash character to allow for comments in the file.

       Other content should be the name of  a  parameter,  followed  by  white
       space,  followed  by  the  value  of that parameter, each on a separate
       line.

       For parameters that are Boolean in nature, only the first byte  of  the
       value  is  processed.  For positive values, the following are accepted:
       "T", "t", "Y", "y",  "1".   For  negative  values,  the  following  are
       accepted: "F", "f", "N", "n", "0".

       Many,  but  not  all, of these parameters are also available as command
       line options to opendkim(8).  However, new parameters are generally not
       added  as  command  line  options  so  the  complete  set of options is
       available here, and thus use of the configuration file  is  encouraged.
       In  some  future  release, the set of available command line options is
       likely to get trimmed.

       See the opendkim(8) man  page  for  details  about  how  and  when  the
       configuration file contents are reloaded.

       Some of these parameters are listed as having a type of "dataset".  See
       the opendkim(8) man page for a description of such parameters.

PARAMETERS

       ADSPDiscard (Boolean)
              If "true", requests rejection of messages that are determined to
              be suspicious according to the author domain's published signing
              practises (ADSP) record if that record also  recommends  discard
              of such messages.

       ADSPNoSuchDomain (Boolean)
              If "true", requests rejection of messages that are determined to
              be from nonexistent  domains  according  to  the  author  domain
              signing practises (ADSP) test.

       AllowSHA1Only (Boolean)
              Permit verify mode when only SHA1 support is available.  RFC4871
              requires that verifiers implement both SHA1 and SHA256  support.
              Setting  this feature changes the absence of SHA256 support from
              an error to a warning.

       AlwaysAddARHeader (Boolean)
              Add an "Authentication-Results:" header field even  to  unsigned
              messages  from domains with no "signs all" policy.  The reported
              DKIM result will be "none" in  such  cases.   Normally  unsigned
              mail  from  non-strict domains does not cause the results header
              to be added.

       AlwaysSignHeaders (dataset)
              Specifies a set of header fields that should be included in  all
              signature  header  lists  (the  "h="  tag) even if they were not
              present at the time the signature was  generated.   The  set  is
              empty by default.  The purpose of listing an absent header is to
              prevent its addition between the signer and the verifier,  since
              the  verifier  would  include  that header if it were added when
              performing verification, which would mean the signed message and
              the  verified  message were different and the verification would
              fail.

       AuthservID (string)
              Sets   the   "authserv-id"   to   use   when   generating    the
              Authentication-Results:  header  after verifying a message.  The
              default is to use the local machine's hostname.

       AuthservIDWithJobID (Boolean)
              If "true", requests that the authserv-id portion  of  the  added
              Authentication-Results:  headers  contain  the  job  ID  of  the
              message being evaluated.

       AutoRestart (Boolean)
              Automatically re-start on failures.  Use with  caution;  if  the
              filter  fails  instantly after it starts, this can cause a tight
              fork(2) loop.

       AutoRestartCount (integer)
              Sets the maximum automatic restart count.  After this number  of
              automatic  restarts,  the  filter will give up and terminate.  A
              value of 0 implies no limit; this is the default.

       AutoRestartRate (string)
              Sets the maximum automatic restart rate.  If the  filter  begins
              restarting  faster  than  the rate defined here, it will give up
              and terminate.  This is a string of the form n/t[u] where  n  is
              an  integer limiting the count of restarts in the given interval
              and t[u] defines the time interval through  which  the  rate  is
              calculated;  t  is  an  integer  and  u  defines  the units thus
              represented ("s" or "S" for seconds, the default; "m" or "M" for
              minutes;  "h"  or  "H"  for  hours;  "d"  or "D" for days).  For
              example, a value of "10/1h" limits the restarts  to  10  in  one
              hour.  There is no default, meaning restart rate is not limited.

       Background (Boolean)
              Normally opendkim  forks  and  exits  immediately,  leaving  the
              service  running  in  the background.  This flag suppresses that
              behaviour so that it runs in the foreground.

       BaseDirectory (string)
              If  set,  instructs  the  filter  to  change  to  the  specified
              directory using chdir(2) before doing anything else.  This means
              any files referenced elsewhere in the configuration file can  be
              specified  relative  to  this  directory.   It's also useful for
              arranging that any crash dumps  will  be  saved  to  a  specific
              location.

       BodyLengths (Boolean)
              Requests  that  opendkim  include  the "l=" body length tag when
              generating signatures.  This indicates to the verifier that only
              a  certain  amount  of the original message was signed, allowing
              tolerance of things like mailing list managers that append list-
              specific  text  to  the  end of mailings it processes.  However,
              this also enables an abuse attack.  See the  DKIM  specification
              for more information.

       BodyLengthDBFile (dataset)
              Requests  that  opendkim include a "l=" body length tag when the
              set contains the recipient addresses.  (feature is experimental)

       BogusKey (string)
              Instructs  the  filter  to  treat a passing signature associated
              with a bogus (forged) key in a special way.  Possible values are
              neutral  (return  a  "neutral"  result),  none  (take no special
              action) and fail (return a "fail" result; this is the  default).

       BogusPolicy (string)
              Instructs  the  filter to treat an ADSP policy found in an bogus
              (forged) DNS record in a special way.  Possible values are apply
              (apply  the  policy)  and ignore (ignore the policy; this is the
              default).

       Canonicalization (string)
              Selects the canonicalization method(s) to be used  when  signing
              messages.   When verifying, the message's DKIM-Signature: header
              specifies the canonicalization method.   The  recognized  values
              are  relaxed  and  simple  as defined by the DKIM specification.
              The default is simple.  The  value  may  include  two  different
              canonicalizations separated by a slash ("/") character, in which
              case the first will be applied to the headers and the second  to
              the body.

       ClockDrift (integer)
              Sets  the  tolerance  in  seconds to be applied when determining
              whether a signature was  either  expired  or  generated  in  the
              future.  The default is 300.

       Diagnostics (Boolean)
              Requests  the inclusion of "z=" tags in signatures, which encode
              the original header set for use  by  verifiers  when  diagnosing
              verification failures.  Not recommended for normal operation.

       DiagnosticDirectory (string)
              Store   diagnostic   files   in  this  directory.   (feature  is
              experimental)

       DNSTimeout (integer)
              Sets the DNS timeout  in  seconds.   A  value  of  0  causes  an
              infinite  wait.   The  default  is  5.  Ignored if not using the
              asynchronous resolver  package.   See  also  the  NOTES  section
              below.

       Domain (dataset)
              A  set  of  domains  whose mail should be signed by this filter.
              Mail from other domains  will  be  verified  rather  than  being
              signed.

              This  parameter  is not required if a SigningTable is in use; in
              that case, the list of signed domains is implied by the lines in
              that file.

       DontSignMailTo (dataset)
              A set of e-mail address, mail to which should never be signed by
              the filter.  Note that this is an "any" feature; if any  one  of
              the recipients of the message matches a member of this list, the
              message will not be signed.

       EnableCoredumps (boolean)
              On systems that have such support, make an explicit  request  to
              the  kernel  to  dump  cores  when  the  filter crashes for some
              reason.  Some modern UNIX systems  suppress  core  dumps  during
              crashes  for  security reasons if the user ID has changed during
              the lifetime of the process.  Currently only supported on Linux.

       ExemptDomains (dataset)
              Specifies  a  set  of domains, mail from which should be ignored
              entirely by the filter.  This is similar to the PeerList setting
              except  that  it bases its decision on the sender of the message
              as identified from the header fields or other message data,  not
              the identity of the SMTP client sending the message.

       ExternalIgnoreList (dataset)
              Identifies  a set of "external" hosts that may send mail through
              the server as one of the signing domains without credentials  as
              such.   Basically suppresses the "external host (hostname) tried
              to send mail as (domain)" log messages.  Entries in the data set
              should  be  of  the  same  form  as those of the PeerList option
              below.  The set is empty by default.

       FinalPolicyScript (string)
              Gives the name of a Lua script that  should  be  run  after  the
              entire  message  has  been  received.  This can be used to enact
              local policy decisions such as  message  rejection,  quarantine,
              rerouting,  etc.  based  on signatures found on the message, the
              results of attempts to verify them, and other properties of  the
              message or signatures.  See opendkim-lua(3) for details.

       FixCRLF (Boolean)
              Requests that the DKIM library convert bare CRs and LFs to CRLFs
              during body canonicalization, anticipating that an MTA somewhere
              before  delivery will do that conversion anyway.  The default is
              to leave them as-is.

       IdentityHeader (string)
              This  specifies  the  header  where  an  identity   is   stored.
              (Experimental feature not enabled for this installation.)

       IdentityHeaderRemove (Boolean)
              Remove  the IdentityHeader after signing.  (Experimental feature
              not enabled for this installation.)

       Include (string)
              Names  a  file  to  be  opened  and  read   as   an   additional
              configuration  file.   Nesting  is  allowed to a maximum of five
              levels.

       InsecureKey (string)
              Instructs the filter to treat  a  passing  signature  associated
              with  an  insecure  key  in  a special way.  Possible values are
              neutral (return a  "neutral"  result),  none  (take  no  special
              action;  this is the default) and fail (return a "fail" result).

       InsecurePolicy (string)
              Instructs the filter  to  treat  an  ADSP  policy  found  in  an
              insecure DNS record in a special way.  Possible values are apply
              (apply the policy; this is the default) and ignore  (ignore  the
              policy).

       InternalHosts (dataset)
              Identifies  a  set  internal  hosts  whose mail should be signed
              rather than verified.  Entries in this data set follow the  same
              form  as  those of the PeerList option below.  If not specified,
              the default of "127.0.0.1" is applied.  Naturally,  providing  a
              value  here  overrides  the  default,  so if mail from 127.0.0.1
              should be signed, the list provided  here  should  include  that
              address explicitly.

       KeepTemporaryFiles (boolean)
              Instructs  the  filter  to create temporary files containing the
              header and body canonicalizations of messages that are signed or
              verified.   The  location  of  these  files can be set using the
              TemporaryDirectory  parameter.   Intended  only  for   debugging
              verification problems.

       KeyFile (string)
              Gives the location of a PEM-formatted private key to be used for
              signing all messages.  Ignored if a KeyTable is defined.

       KeyTable (dataset)
              Gives the location of a file mapping key names to signing  keys.
              If  present,  overrides any KeyFile setting in the configuration
              file.  The data set named here  maps  each  key  name  to  three
              values:  (a)  the  name  of the domain to use in the signature's
              "d=" value;  (b)  the  name  of  the  selector  to  use  in  the
              signature's  "s="  value; and (c) either a private key or a path
              to a file containing a private key.  If the third  value  starts
              with  a  slash  ("/")  character,  or  "./" or "../", then it is
              presumed to refer to a file from which the private key should be
              read,  otherwise  it  is  itself  a PEM-encoded private key or a
              base64-encoded DER private key.  The SigningTable (see below) is
              used  to  select  records  from  this  table  to  be used to add
              signatures based on the message sender.

       LDAPAuthMechanism (string)
              Names the authentication mechanism to use when connecting to  an
              LDAP  server.  The default is the empty string, meaning "simple"
              authentication should be done.

       LDAPAuthName (string)
              Specifies the authenticating name to  use  when  using  SASL  to
              authenticate  to  an  LDAP  server.   Requires  SASL  support be
              installed on the local system.  There is no default.

       LDAPAuthRealm (string)
              Specifies the authentication realm to use  when  using  SASL  to
              authenticate  to  an  LDAP  server.   Requires  SASL  support be
              installed on the local system.  There is no default.

       LDAPAuthUser (string)
              Specifies the authenticating user to  use  when  using  SASL  to
              authenticate  to  an  LDAP  server.   Requires  SASL  support be
              installed on the local system.  There is no default.

       LDAPBindPassword (string)
              Specifies the password to use when  conducting  an  LDAP  "bind"
              operation.  There is no default.

       LDAPBindUser (string)
              Specifies  the  user  ID  to  use when conducting an LDAP "bind"
              operation.  There is no default.

       LDAPUseTLS (Boolean)
              Indicates whether or not a TLS connection should be  established
              when contacting an LDAP server.  The default is "False".

       LocalADSP (dataset)
              Allows  specification of local ADSP overrides for domains.  This
              is expected to be a data set with keys and matching values;  the
              keys  are  each  either  a  fully-qualified  domain  name  (e.g.
              "foo.example.com") or a subdomain  name  preceded  by  a  period
              (e.g.  ".example.com"),  and the values are either unknown, all,
              or discardable, as per the ADSP specification  (RFC5617).   This
              allows  local  overrides of policies to enforce for domains that
              either don't publish ADSP or publish weaker  policies  than  the
              verifier would like to enforce.

       LogWhy (boolean)
              If  logging  is enabled (see Syslog below), issues very detailed
              logging about the logic behind the filter's decision  to  either
              sign  a  message or verify it.  The logic behind the decision is
              non-trivial and can be confusing to administrators not  familiar
              with  its  operation.  A description of how the decision is made
              can be found in the OPERATIONS section of  the  opendkim(8)  man
              page.   This  causes  a large increase in the amount of log data
              generated for each message, so it should be limited to debugging
              use and not enabled for general operation.

       MacroList (dataset)
              Defines  a  set of MTA-provided macros that should be checked to
              see if the sender has been determined to be  a  local  user  and
              therefore  whether  or  not  the message should be signed.  If a
              value is specified matching a macro name in the  data  set,  the
              value  of  the  macro  must match a value specified (matching is
              case-sensitive), otherwise the macro must  be  defined  but  may
              contain  any value.  The set is empty by default, meaning macros
              are not considered when making the  sign-verify  decision.   The
              general  format of the value is value1[|value2[|...]]; if one or
              more value is defined then the macro must be set to one  of  the
              listed  values,  otherwise the macro must be set but can contain
              any value.

              In order for the macro and its value  to  be  available  to  the
              filter  for  checking,  the MTA must send it during the protocol
              exchange.  This is either accomplished via manual  configuration
              of  the  MTA  to  send  the  desired  macros  or, for MTA/filter
              combinations that support the feature, the  filter  can  request
              those  macros  that  are  of  interest.  The latter is a feature
              negotiated at the time the filter receives a connection from the
              MTA and its availability depends upon the version of milter used
              to compile the filter and the version  of  the  MTA  making  the
              connection.

       MaximumHeaders (integer)
              Defines  the  maximum  number  of  bytes  the  header block of a
              message may consume before the filter will reject  the  message.
              This  mitigates  a  denial-of-service  attack  in which a client
              connects to the MTA and begins feeding an  unbounded  number  of
              header  fields of arbitrary size; since the filter keeps a cache
              of these, the attacker could cause the  filter  to  allocate  an
              unspecified  amount of memory.  The default is 65536; a value of
              0 removes the limit.

       MaximumSignedBytes (integer)
              Specifies the maximum number of bytes  of  message  body  to  be
              signed.   Messages  shorter  than  this  limit will be signed in
              their entirety.  Setting this value  forces  BodyLengths  to  be
              "True".

       MilterDebug (integer)
              Sets  the  debug  level to be requested from the milter library.
              The default is 0.

       Minimum (string)
              Instructs the verification code to fail  messages  for  which  a
              partial  signature  was  received.   There  are  three  possible
              formats: min indicating at least min bytes of the  message  must
              be  signed (or if the message is smaller than min then all of it
              must be signed); min% requiring that at least min percent of the
              received  message  must be signed; and min+ meaning there may be
              no more than min bytes of unsigned data appended to the  message
              for it to be considered valid.

       Mode (string)
              Selects  operating  modes.   The  string  is  a concatenation of
              characters that indicate which mode(s) of operation are desired.
              Valid  modes are s (signer) and v (verifier).  The default is sv
              except in test mode (see the opendkim(8) man page) in which case
              the  default  is  v.   When  signing mode is enabled, one of the
              following combinations must also be set:  (a)  Domain,  KeyFile,
              Selector,   no   KeyTable,   no   SigningTable;   (b)  KeyTable,
              SigningTable, no Domain, no KeyFile, no Selector; (c)  KeyTable,
              SetupPolicyScript, no Domain, no KeyFile, no Selector.

       MTA (dataset)
              A  set of MTA names (a la the sendmail(8) DaemonPortOptions Name
              parameter) whose mail should be signed by this filter.  There is
              no  default,  meaning MTA name is not considered when making the
              sign-verify decision.

       MultipleSignatures (Boolean)
              Allow addition of multiple signatures when key lists are in use.
              See SigningTable for more information.

       MustBeSigned (dataset)
              Specifies  a set of headers that, if present, must be covered by
              the DKIM signature when verifying a message.   If  a  header  in
              this set is present in the message and is not signed, the filter
              will treat even an otherwise valid signature  as  invalid.   The
              default is an empty list.

       OmitHeaders (dataset)
              Specifies  a  set  of  header fields that should be omitted when
              generating signatures.  If an entry in the list names any header
              that  is  mandated  by  the  DKIM  specification,  the  entry is
              ignored.  A set of headers is listed in the  DKIM  specification
              as  "SHOULD  NOT" be signed; the default list for this parameter
              contains  those  headers   (Return-Path,   Received,   Comments,
              Keywords,  Bcc,  Resent-Bcc  and  DKIM-Signature).   To  omit no
              headers, simply use the string "-"  (or  any  string  that  will
              match  no  headers).   Note  that  specifying  a  list with this
              parameter replaces the default entirely.

       On-BadSignature (string)
              Selects the action  to  be  taken  when  a  signature  fails  to
              validate.    Possible   values   (with   abbreviated   forms  in
              parentheses): accept (a) accept the message; discard (d) discard
              the  message;  tempfail  (t)  temp-fail  the message; reject (r)
              reject the message.  The default is accept.

       On-Default (string)
              Selects the action to be taken when any verification or internal
              error  of any kind is encountered.  This is processed before the
              other "On-" values so it  can  be  used  as  a  blanket  setting
              followed by specific overrides.

       On-DNSError (string)
              Selects  the  action  to  be taken when a transient DNS error is
              encountered.  Possible values are the  same  as  those  for  On-
              BadSignature.  The default is tempfail.

       On-InternalError (string)
              Selects  the  action  to be taken when an internal error of some
              kind is encountered.  Possible values are the same as those  for
              On-BadSignature.  The default is tempfail.

       On-KeyNotFound (string)
              Selects  the  action  to  be  taken when the key referenced by a
              signature is not present in the DNS.  Possible  values  are  the
              same as those for On-BadSignature.  The default is accept.

       On-NoSignature (string)
              Selects  the action to be taken when a message arrives unsigned.
              Possible values are the same as those for On-BadSignature.   The
              default is accept.

       On-PolicyError (string)
              Selects the action to be taken when a an attempt to retrieve and
              evaluate  the  author  domain's   signing   policy   (ADSP)   is
              unsuccessful.   Possible  values  are  the same as those for On-
              BadSignature.  The default is accept.

       On-Security (string)
              Selects the action to be taken when a message arrives containing
              properties  that may be a security concern.  Possible values are
              the same as those for On-BadSignature.  The default is tempfail.

       PeerList (dataset)
              Identifies  a  set  of  "peers"  that  identifies  clients whose
              connections  should  be  accepted  without  processing  by  this
              filter.   The set should contain on each line a hostname, domain
              name  (e.g.  ".example.com"),  IP  address,  an   IPv6   address
              (including   an   IPv4  mapped  address),  or  a  CIDR-style  IP
              specification (e.g. "192.168.1.0/24").  An entry beginning  with
              a  bang  ("!")  character  means  "not",  allowing exclusions of
              specific hosts that are otherwise members of larger sets.   More
              precise  entries  are  preferred  over  less  precise ones, i.e.
              "192.168.1.1" will match  before  "!192.168.1.0/24".   The  text
              form  of IPv6 addresses will be forced to lowercase when queried
              (which is a proposed standard), so the contents of this data set
              should also use lowercase.

       PidFile (string)
              Specifies  the  path to a file that should be created at process
              start containing the process ID.

       POPDBFile (dataset)
              Requests that the filter consult a set  for  IP  addresses  that
              should  be  allowed  for  signing. This feature was designed for
              POP-before-SMTP   datastores.     (Not    enabled    for    this
              installation.)

       Quarantine (Boolean)
              Requests  that messages that fail verification be quarantined by
              the MTA.  (Requires a sufficiently recent version of the  milter
              library.)

       QueryCache (Boolean)
              Instructs  the  DKIM  library to maintain its own local cache of
              keys and policies retrieved from DNS, rather than relying on the
              nameserver  for caching service.  Useful if the nameserver being
              used by  the  filter  is  not  local.   (Not  enabled  for  this
              installation.)

       ReplaceRules (string)
              Specifies  a file containing a list of POSIX regular expressions
              that  are  applied  the  the  message  headers.    (feature   is
              experimental)

       ReportIntervalDB (dataset)
              Specifies  a  set  of  domains  that correspond to how often, in
              seconds, to report DKIM signature failues. See  SendReports  for
              more details.  (feature is experimental)

       RemoveARAll (Boolean)
              Removes  all  Authentication-Results:  header  fields  that also
              satisfy the requirements of  RemoveARFrom  below.   By  default,
              only those containing a DKIM result are removed.

       RemoveARFrom (dataset)
              Defines  a set of hostnames whose Authentication-Results: header
              fields should be  removed  before  the  message  is  passed  for
              delivery.   By  default  only  those  headers matching the local
              host's canonical name will be removed.  Matching is only done on
              full  hostnames  (e.g.  "host.example.com")  or  on domain names
              (e.g. ".example.com").

       RemoveOldSignatures (Boolean)
              Removes all existing signatures when operating in signing  mode.

       ReportAddress (string)
              Specifies  the  string  to  use  in  the  From: header field for
              outgoing reports (see SendReports  and  SendADSPReports  below).
              If  not specified, the executing user and local hostname will be
              used to construct the address.

       ReputationFail (integer)
              If the reputation returned by the DNS reputation service exceeds
              this  value then the Authenticated Header result "x-dkim-rep" is
              set to  "fail".   Defaults  to  0.   (Experimental  feature  not
              enabled for this installation.)

       ReputationPass (integer)
              If the reputation returned by the DNS reputation service is less
              than this value then the Authenticated  Header  result  "x-dkim-
              rep"  is  set  to  "pass".   Defaults  to  0.  Values in between
              ReputationFail and ReputationPass result in  "x-dkim-rep"  being
              set  to  "neutral".   (Experimental feature not enabled for this
              installation.)

       ReputationReject (integer)
              If the reputation returned by the DNS reputation service exceeds
              this  value then the message is rejected. The default value here
              is  1001.   (Experimental   feature   not   enabled   for   this
              installation.)

       ReputationRoot (string)
              This  is  the  root directory of the DNS reputation service. Its
              interface  is  defined  at  http://www.dkim-reputation.org.  The
              default  value  here is "al.dkim-reputation.org".  (Experimental
              feature not enabled for this installation.)

       RequiredHeaders (boolean)
              Checks all messages for compliance  with  RFC5322  header  field
              count requirements.  Non-compliant messages are rejected.

       ResignAll (boolean)
              Where  ResignMailTo  triggers  a  re-signing  action,  this flag
              indicates whether or not all mail  should  be  signed  (if  set)
              versus  only  verified  mail  being  signed  (if  not set).  The
              default is "false".  (Experimental feature not enabled for  this
              installation.)

       ResignMailTo (dataset)
              Checks  each message recipient against the specified dataset for
              a matching record.  The full address is checked  in  each  case,
              then  the  hostname, then each domain preceded by ".".  If there
              is a match, the value returned is presumed to be the name  of  a
              key  in  the  KeyTable  (if  defined)  to be used to re-sign the
              message in addition to  verifying  it.   If  there  is  a  match
              without  a  KeyTable, the default key is applied.  (Experimental
              feature not enabled for this installation.)

       ScreenPolicyScript (string)
              Gives the name of a Lua script that should be run after  all  of
              the  header  fields  have  been  processed  for  a  message;  in
              particular, this is useful after all DKIM signatures  have  been
              detected  and  initial evaluation has been done.  The script has
              access to all of the headers and connection information and  can
              that  certain  signatures  be ignored based on that information.
              See opendkim-lua(3) for details.

       Selector (string)
              Defines the name  of  the  selector  to  be  used  when  signing
              messages.   See  the  DKIM specification for details.  Used only
              when signing with a single key; see the  SigningTable  parameter
              below for more information.

       SelectorHeader (string)
              Names  a  header  field  whose contents name the key to use when
              signing.  The  referenced  key  must  appear  in  the  KeyTable.
              (feature is experimental)

       SelectorHeaderRemove (Boolean)
              Remove   the   SelectorHeader   before   signing.   (feature  is
              experimental)

       SendADSPReports (Boolean)
              If true, when a policy evaluation fails  and  the  signing  site
              advertises  a  reporting  address  (i.e.   r=user  in its policy
              record) and a request for reports of such failures,  the  filter
              will send a structured report to that address containing details
              of the incident.

       SenderHeaders (dataset)
              Specifies an ordered  list  of  header  fields  that  should  be
              searched  to  determine the sender of a message.  This is mainly
              used when verifying a message to determine  the  origin  domain,
              particularly  for  doing domain policy queries.  By default, the
              DKIM library's internal list is used, which consists  solely  of
              the "From" header field.

       SenderMacro (string)
              Use  the  milter  macro  string  to  determine the sender of the
              message.    (Experimental   feature   not   enabled   for   this
              installation.)

       SendReports (Boolean)
              If  true,  when  a  signature verification fails and the signing
              site advertises a reporting address (i.e.  r=user in its  policy
              record)  and  a request for reports of such failures, the filter
              will send a structured report to that address containing details
              needed to reproduce the problem.

       SetupPolicyScript (string)
              Gives  the  name  of  a  Lua  script that should be run once all
              header fields for a message have arrived.  The script has access
              to all of the headers and connection information and can request
              DKIM verification or signing based  on  that  information.   See
              opendkim-lua(3) for details.

       SignatureAlgorithm (string)
              Selects the signing algorithm to use when generating signatures.
              Use 'dkim-filter -V' to see the list  of  supported  algorithms.
              The  default is rsa-sha256 if it is available, otherwise it will
              be rsa-sha1.

       SignatureTTL (integer)
              Sets the time-to-live, in seconds, of  signatures  generated  by
              the  filter.   If  not  set,  no  expiration  time  is  added to
              signatures.

       SignHeaders (dataset)
              Specifies the set  of  headers  that  should  be  included  when
              generating  signatures.   If  the  list omits any header that is
              mandated by the DKIM specification, those headers are implicitly
              added.    By   default,   those   headers  listed  in  the  DKIM
              specification as "SHOULD"  be  signed  will  be  signed  by  the
              filter.   Specifying  a  list  here replaces that list entirely.
              See the OmitHeaders configuration option for more information.

       SigningTable (dataset)
              Defines a table used to select one or more signatures  to  apply
              to  a  message  based  on  the address found in the From: header
              field.  Keys in this table vary depending on the type  of  table
              used;  values  in  this data set should refer to a name found in
              the KeyTable (see above) that identifies  which  key  should  be
              used in generating the signature.

              If  this  table  specifies a regular expression file ("refile"),
              then the keys are wildcard patterns that are matched against the
              address found in the From: header field.  Entries are checked in
              the order in which they appear in the file.

              For all other database types,  the  full  user@host  is  checked
              first,   then   simply   host,   then   user@.domain  (with  all
              superdomains checked in  sequence,  so  "foo.example.com"  would
              first  check  "user@foo.example.com",  then "user@.example.com",
              then "user@.com"), then .domain, then user@*, and finally *.

              In  any  case,  only  the  first  match   is   applied,   unless
              MultipleSignatures  is  enabled  in  which  case all matches are
              applied.

       Socket (string)
              Specifies the socket that should be established by the filter to
              receive   connections  from  sendmail(8)  in  order  to  provide
              service.  socketspec is in one of two forms:  local:path,  which
              creates   a  UNIX  domain  socket  at  the  specified  path,  or
              inet:port[@host], which creates a TCP socket  on  the  specified
              port.   If  the  host is not given as either a hostname or an IP
              address, the socket will be listening on all  interfaces.   This
              option  is  mandatory either in the configuration file or on the
              command line.

       Statistics (dataset)
              This specifies a data set  in  which  to  store  DKIM  operation
              totals  per domain.  The data set must be initialized before the
              filter can use it.   See  opendkim-stats(8)  for  details  about
              initialization,  what  data  are  recorded  and  how to read the
              current totals.  Currently the only allowed data  set  type  for
              this feature is "db".  (feature is experimental)

       StrictTestMode (Boolean)
              Selects strict CRLF mode during testing (see the -t command line
              flag in the opendkim(8) man page); messages for which all header
              fields  and  body  lines  are not CRLF-terminated are considered
              malformed and will produce an error.

       SubDomains (Boolean)
              Sign subdomains of those listed by the Domain parameter as  well
              as the actual domains.

       Syslog (Boolean)
              Log via calls to syslog(3) any interesting activity.

       SyslogFacility (string)
              Log  via  calls  to  syslog(3)  using  the  named facility.  The
              facility  names  are  the  same   as   the   ones   allowed   in
              syslog.conf(5).  The default is "mail".

       SyslogSuccess (Boolean)
              Log   via  calls  to  syslog(3)  additional  entries  indicating
              successful signing or verification of messages.

       TemporaryDirectory (string)
              Specifies the  directory  in  which  temporary  canonicalization
              files  should  be  written.   The  default is to use the libdkim
              default location, currently /var/tmp.

       TestPublicKeys (string)
              Names a file from which public keys should  be  read.   Intended
              for use only during automated testing.

       TrustAnchorFile (string)
              Specifies  a  file  from  which trust anchor data should be read
              when doing DNS queries and applying the  DNSSEC  protocol.   See
              the Unbound documentation at http://unbound.net for the expected
              format of this file.

       TrustSignaturesFrom (dataset)
              This value consists of a set  of  domains  that  are  considered
              trustworthy  in  terms of third-party signatures.  That is, if a
              message arrives with a signature  from  a  domain  that  doesn't
              match  the  domain  in the From: header, this setting determines
              whether or not that signature will be trusted.  If this value is
              undefined, all signatures are trusted.

       UMask (integer)
              Requests  a  specific  permissions  mask  to  be  used  for file
              creation.  This only really applies to creation  of  the  socket
              when  Socket  specifies a UNIX domain socket, and to the PidFile
              (if any); temporary files are created by the mkstemp(3) function
              that enforces a specific file mode on creation regardless of the
              process umask.  See umask(2) for more information.

       UserID (string)
              Attempts  to  become  the  specified  userid   before   starting
              operations.   The  value  is  of  the  form userid[:group].  The
              process will be assigned all of the groups and primary group  ID
              of the named userid unless an alternate group is specified.

       VBR-Certifiers (string)
              The  default  certifiers  if  not  specified in X-VBR-Certifiers
              header  field.   (Experimental  feature  not  enabled  for  this
              installation.)

       VBR-TrustedCertifiers (string)
              A  colon  or comma sparated list of trusted certifiers to accept
              when verifying VBR-Info headers.  Under revision and may not  be
              stable.     (Experimental   feature   not   enabled   for   this
              installation.)

       VBR-Type (string)
              This default VBR type if not specified in the X-VBR-Type  header
              field.     (Experimental    feature   not   enabled   for   this
              installation.)

       X-Header (Boolean)
              Causes opendkim to add a header indicating the presence of  this
              filter  in  the  path of the message from injection to delivery.
              The product's name, version, and the job ID are included in  the
              header's contents.

NOTES

       When  using DNS timeouts (see the DNSTimeout option above), be sure not
       to use a timeout that  is  larger  than  the  timeout  being  used  for
       interaction  between sendmail and the filter.  Otherwise, the MTA could
       abort a message while waiting for a reply from  the  filter,  which  in
       turn is still waiting for a DNS reply.

       Features  that  involve  specification of IPv4 addresses or CIDR blocks
       will use the inet_addr(3) function to parse  that  information.   Users
       should  be  familiar with the way that function handles the non-trivial
       cases (for example, "192.0.2/24" and "192.0.2.0/24" are  not  the  same
       thing).

VERSION

       This man page covers version 2.1.3 of opendkim.

COPYRIGHT

       Copyright (c) 2007, 2008, Sendmail, Inc. and its suppliers.  All rights
       reserved.

       Copyright (c) 2009, 2010, The OpenDKIM Project.  All rights reserved.

SEE ALSO

       opendkim(8), opendkim-lua(3), sendmail(8)

       RFC4871 - DomainKeys Identified Mail

       RFC5451 - Message Header Field for  Indicating  Message  Authentication
       Status

       RFC5617 - DKIM Author Domain Signing Practises

                             The OpenDKIM Project             opendkim.conf(5)