diff --git a/templates/etc/opendkim.conf.j2 b/templates/etc/opendkim.conf.j2 index 10697ab..b1a5529 100644 --- a/templates/etc/opendkim.conf.j2 +++ b/templates/etc/opendkim.conf.j2 @@ -1,5 +1,5 @@ ## BASIC OPENDKIM CONFIGURATION FILE -## See opendkim.conf(5) or %{_pkgdocdir}/opendkim.conf.sample for more +## See opendkim.conf(5) or /usr/share/doc/opendkim/opendkim.conf.sample for more ## BEFORE running OpenDKIM you must: 
@@ -7,82 +7,133 @@ ## - generate keys for your domain (if signing) ## - edit your DNS records to publish your public keys (if signing) -## See %{_pkgdocdir}/INSTALL for detailed instructions. +## See /usr/share/doc/opendkim/INSTALL for detailed instructions. + +## DEPRECATED CONFIGURATION OPTIONS +## +## The following configuration options are no longer valid. They should be +## removed from your existing configuration file to prevent potential issues. +## Failure to do so may result in opendkim being unable to start. +## +## Removed in 2.10.0: +## AddAllSignatureResults +## ADSPAction +## ADSPNoSuchDomain +## BogusPolicy +## DisableADSP +## LDAPSoftStart +## LocalADSP +## NoDiscardableMailTo +## On-PolicyError +## SendADSPReports +## UnprotectedPolicy ## CONFIGURATION OPTIONS AutoRestart Yes AutoRestartRate 10/1h -# Specifies the path to the process ID file. +## Specifies the path to the process ID file. PidFile /var/run/opendkim/opendkim.pid -# Selects operating modes. Valid modes are s (sign) and v (verify). Default is v. -# Must be changed to s (sign only) or sv (sign and verify) in order to sign outgoing -# messages. +## Selects operating modes. Valid modes are s (sign) and v (verify). Default is v. +## Must be changed to s (sign only) or sv (sign and verify) in order to sign outgoing +## messages. Mode sv -# Log activity to the system log. +## Log activity to the system log. Syslog yes -# Log additional entries indicating successful signing or verification of messages. +## Log additional entries indicating successful signing or verification of messages. SyslogSuccess yes -# If logging is enabled, include detailed logging about why or why not a message was -# signed or verified. This causes an increase in the amount of log data generated -# for each message, so set this to No (or comment it out) if it gets too noisy. +## If logging is enabled, include detailed logging about why or why not a message was +## signed or verified. 
This causes an increase in the amount of log data generated +## for each message, so set this to No (or comment it out) if it gets too noisy. LogWhy yes -# Attempt to become the specified user before starting operations. +## Attempt to become the specified user before starting operations. UserID opendkim:opendkim -# Create a socket through which your MTA can communicate. +## Create a socket through which your MTA can communicate. Socket inet:8891@localhost -# Required to use local socket with MTAs that access the socket as a non- -# privileged user (e.g. Postfix) +## Required to use local socket with MTAs that access the socket as a non- +## privileged user (e.g. Postfix) Umask 022 -# This specifies a text file in which to store DKIM transaction statistics. -# OpenDKIM must be manually compiled with --enable-stats to enable this feature. -#Statistics /var/spool/opendkim/stats.dat +## This specifies a text file in which to store DKIM transaction statistics. +## OpenDKIM must be manually compiled with --enable-stats to enable this feature. +# Statistics /var/spool/opendkim/stats.dat + +## Specifies whether or not the filter should generate report mail back +## to senders when verification fails and an address for such a purpose +## is provided. See opendkim.conf(5) for details. +SendReports yes + +## Specifies the sending address to be used on 
From: headers of outgoing +## failure reports. By default, the e-mail address of the user executing +## the filter is used (executing_user@hostname). +# ReportAddress "Example.com Postmaster" + +## Add a DKIM-Filter header field to messages passing through this filter +## to identify messages it has processed. +SoftwareHeader yes ## SIGNING OPTIONS -# Selects the canonicalization method(s) to be used when signing messages. -Canonicalization relaxed/simple +## Selects the canonicalization method(s) to be used when signing messages. +Canonicalization relaxed/relaxed -# Domain(s) whose mail should be signed by this filter. Mail from other domains will -# be verified rather than being signed. Uncomment and use your domain name. -# This parameter is not required if a SigningTable is in use. -#Domain example.com +## Domain(s) whose mail should be signed by this filter. Mail from other domains will +## be verified rather than being signed. Uncomment and use your domain name. +## This parameter is not required if a SigningTable is in use. +# Domain example.com -# Defines the name of the selector to be used when signing messages. +## Defines the name of the selector to be used when signing messages. Selector default -# Specifies the minimum number of key bits for acceptable keys and signatures. -MinimumKeyBits 1024 +## Specifies the minimum number of key bits for acceptable keys and signatures. +MinimumKeyBits 1024 -# Gives the location of a private key to be used for signing ALL messages. This -# directive is ignored if KeyTable is enabled. +## Gives the location of a private key to be used for signing ALL messages. This +## directive is ignored if KeyTable is enabled. #KeyFile /etc/opendkim/keys/default.private -# Gives the location of a file mapping key names to signing keys. In simple terms, -# this tells OpenDKIM where to find your keys. If present, overrides any KeyFile -# directive in the configuration file. Requires SigningTable be enabled. 
+## Gives the location of a file mapping key names to signing keys. In simple terms, +## this tells OpenDKIM where to find your keys. If present, overrides any KeyFile +## directive in the configuration file. Requires SigningTable be enabled. KeyTable refile:/etc/opendkim/KeyTable -# Defines a table used to select one or more signatures to apply to a message based -# on the address found in the From: header field. In simple terms, this tells -# OpenDKIM how to use your keys. Requires KeyTable be enabled. +## Defines a table used to select one or more signatures to apply to a message based +## on the address found in the 
From: header field. In simple terms, this tells +## OpenDKIM how to use your keys. Requires KeyTable be enabled. SigningTable refile:/etc/opendkim/SigningTable -# Identifies a set of "external" hosts that may send mail through the server as one -# of the signing domains without credentials as such. +## Identifies a set of "external" hosts that may send mail through the server as one +## of the signing domains without credentials as such. ExternalIgnoreList refile:/etc/opendkim/TrustedHosts -# Identifies a set "internal" hosts whose mail should be signed rather than verified. +## Identifies a set "internal" hosts whose mail should be signed rather than verified. InternalHosts refile:/etc/opendkim/TrustedHosts +## Contains a list of IP addresses, CIDR blocks, hostnames or domain names +## whose mail should be neither signed nor verified by this filter. See man +## page for file format. +# PeerList X.X.X.X + +## Always oversign From (sign using actual From and a null From to prevent +## malicious signatures header fields (From and/or others) between the signer +## and the verifier. From is oversigned by default in the Fedora package +## because it is often the identity key used by reputation systems and thus +## somewhat security sensitive. +OversignHeaders From + +## Instructs the DKIM library to maintain its own local cache of keys and +## policies retrieved from DNS, rather than relying on the nameserver for +## caching service. Useful if the nameserver being used by the filter is +## not local. +# QueryCache yes + SignatureAlgorithm rsa-sha256 diff --git a/templates/etc/opendmarc.conf.j2 b/templates/etc/opendmarc.conf.j2 index 42dbdf1..f01ad17 100644 --- a/templates/etc/opendmarc.conf.j2 +++ b/templates/etc/opendmarc.conf.j2 
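Review bot: `SendReports yes` is newly enabled in this hunk, but the `ReportAddress` example just below it, `# ReportAddress "Example.com Postmaster"`, carries only a display name and no address, so anyone uncommenting it gets a malformed From: on the failure reports, and while it stays commented the reports go out from the filter's own user at the host name (as the comment itself says), which is often not deliverable. I would complete the example to `# ReportAddress "Example.com Postmaster" <postmaster@example.com>` and, if reports are really wanted, set it for real instead of leaving it commented. It is also worth a comment above `SendReports` that this makes the verifier originate mail to third parties whenever a signature fails and the signer's key record requests reports, which can be abused as a reflection/backscatter vector and discloses the failing message's headers to the report address; the upstream default is no, so `SendReports no` is the conservative choice unless that behaviour is wanted. Minor: `SoftwareHeader yes` stamps a DKIM-Filter header (which, as far as I know, includes the filter version) on every processed message, a small information leak that may or may not be intended.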
@@ -2,7 +2,20 @@ ## opendmarc.conf -- configuration file for OpenDMARC filter ## ## Copyright (c) 2012-2015, The Trusted Domain Project. All rights reserved. -## + +## DEPRECATED CONFIGURATION OPTIONS +## +## The following configuration options are no longer valid. They should be +## removed from your existing configuration file to prevent potential issues. +## Failure to do so may result in opendmarc being unable to start. +## +## Renamed in 1.3.0: +## ForensicReports became FailureReports +## ForensicReportsBcc became FailureReportsBcc +## ForensicReportsOnNone became FailureReportsOnNone +## ForensicReportsSentBy became FailureReportsSentBy + +## CONFIGURATION OPTIONS ## AuthservID (string) ## defaults to MTA name diff --git a/templates/etc/postfix/master.cf.j2 b/templates/etc/postfix/master.cf.j2 index cadbb70..d660b3f 100644 --- a/templates/etc/postfix/master.cf.j2 +++ b/templates/etc/postfix/master.cf.j2 @@ -44,7 +44,7 @@ submission inet n - n - - smtpd # -o smtpd_client_restrictions=$mua_client_restrictions # -o smtpd_helo_restrictions=$mua_helo_restrictions # -o smtpd_sender_restrictions=$mua_sender_restrictions -# -o smtpd_recipient_restrictions= +# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject # -o smtpd_relay_restrictions=permit_sasl_authenticated,reject # -o milter_macro_daemon_name=ORIGINATING {% endif %} @@ -56,7 +56,7 @@ submission inet n - n - - smtpd # -o smtpd_client_restrictions=$mua_client_restrictions # -o smtpd_helo_restrictions=$mua_helo_restrictions # -o smtpd_sender_restrictions=$mua_sender_restrictions -# -o smtpd_recipient_restrictions= +# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject # -o smtpd_relay_restrictions=permit_sasl_authenticated,reject # -o milter_macro_daemon_name=ORIGINATING #628 inet n - n - - qmqpd
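Review bot: The new `smtpd_recipient_restrictions=permit_sasl_authenticated,reject` value in both submission stanzas sits on a line that is still commented out (`#  -o smtpd_recipient_restrictions=...`), so the change has no runtime effect and the submission service, which the hunk header context shows as an active `submission inet ... smtpd` line, keeps inheriting whatever main.cf sets. If the intent is to limit port 587 to authenticated clients, the `-o` overrides have to be uncommented, and in current Postfix it is `smtpd_relay_restrictions` that actually gates relaying, so the neighbouring `-o smtpd_relay_restrictions=permit_sasl_authenticated,reject` line (also still commented) matters at least as much as the one edited here. As written the file reads like a locked-down submission port without providing one; either activate those two `-o` lines or add a comment above the stanza such as `# NOTE: per-service restrictions intentionally left to main.cf` so the next reader does not assume they are in force. The same applies verbatim to the second submission stanza changed by this commit.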