Update templates

templates/etc/opendkim.conf.j2

@@ -1,5 +1,5 @@
 ## BASIC OPENDKIM CONFIGURATION FILE
-## See opendkim.conf(5) or %{_pkgdocdir}/opendkim.conf.sample for more
+## See opendkim.conf(5) or /usr/share/doc/opendkim/opendkim.conf.sample for more
 
 ## BEFORE running OpenDKIM you must:
 
@@ -7,82 +7,133 @@
 ## - generate keys for your domain (if signing)
 ## - edit your DNS records to publish your public keys (if signing)
 
-## See %{_pkgdocdir}/INSTALL for detailed instructions.
+## See /usr/share/doc/opendkim/INSTALL for detailed instructions.
+
+## DEPRECATED CONFIGURATION OPTIONS
+## 
+## The following configuration options are no longer valid.  They should be
+## removed from your existing configuration file to prevent potential issues.
+## Failure to do so may result in opendkim being unable to start.
+## 
+## Removed in 2.10.0:
+##   AddAllSignatureResults
+##   ADSPAction
+##   ADSPNoSuchDomain
+##   BogusPolicy
+##   DisableADSP
+##   LDAPSoftStart
+##   LocalADSP
+##   NoDiscardableMailTo
+##   On-PolicyError
+##   SendADSPReports
+##   UnprotectedPolicy
 
 ## CONFIGURATION OPTIONS
 
 AutoRestart             Yes
 AutoRestartRate         10/1h
 
-# Specifies the path to the process ID file.
+##  Specifies the path to the process ID file.
 PidFile	/var/run/opendkim/opendkim.pid
 
-# Selects operating modes. Valid modes are s (sign) and v (verify). Default is v.
-# Must be changed to s (sign only) or sv (sign and verify) in order to sign outgoing
-# messages.
+##  Selects operating modes. Valid modes are s (sign) and v (verify). Default is v.
+##  Must be changed to s (sign only) or sv (sign and verify) in order to sign outgoing
+##  messages.
 Mode	sv
 
-# Log activity to the system log.
+##  Log activity to the system log.
 Syslog	yes
 
-# Log additional entries indicating successful signing or verification of messages.
+##  Log additional entries indicating successful signing or verification of messages.
 SyslogSuccess	yes
 
-# If logging is enabled, include detailed logging about why or why not a message was
-# signed or verified. This causes an increase in the amount of log data generated
-# for each message, so set this to No (or comment it out) if it gets too noisy.
+##  If logging is enabled, include detailed logging about why or why not a message was
+##  signed or verified. This causes an increase in the amount of log data generated
+##  for each message, so set this to No (or comment it out) if it gets too noisy.
 LogWhy	yes
 
-# Attempt to become the specified user before starting operations.
+##  Attempt to become the specified user before starting operations.
 UserID	opendkim:opendkim
 
-# Create a socket through which your MTA can communicate.
+##  Create a socket through which your MTA can communicate.
 Socket	inet:8891@localhost
 
-# Required to use local socket with MTAs that access the socket as a non-
-# privileged user (e.g. Postfix)
+##  Required to use local socket with MTAs that access the socket as a non-
+##  privileged user (e.g. Postfix)
 Umask	022
 
-# This specifies a text file in which to store DKIM transaction statistics.
-# OpenDKIM must be manually compiled with --enable-stats to enable this feature.
-#Statistics	/var/spool/opendkim/stats.dat
+##  This specifies a text file in which to store DKIM transaction statistics.
+##  OpenDKIM must be manually compiled with --enable-stats to enable this feature.
+# Statistics	/var/spool/opendkim/stats.dat
+
+##  Specifies whether or not the filter should generate report mail back
+##  to senders when verification fails and an address for such a purpose
+##  is provided. See opendkim.conf(5) for details.
+SendReports	yes
+
+##  Specifies the sending address to be used on From: headers of outgoing
+##  failure reports.  By default, the e-mail address of the user executing
+##  the filter is used (executing_user@hostname).
+# ReportAddress	"Example.com Postmaster" <postmaster@example.com>
+
+##  Add a DKIM-Filter header field to messages passing through this filter
+##  to identify messages it has processed.
+SoftwareHeader	yes
 
 ## SIGNING OPTIONS
 
-# Selects the canonicalization method(s) to be used when signing messages.
-Canonicalization	relaxed/simple
+##  Selects the canonicalization method(s) to be used when signing messages.
+Canonicalization	relaxed/relaxed
 
-# Domain(s) whose mail should be signed by this filter. Mail from other domains will
-# be verified rather than being signed. Uncomment and use your domain name.
-# This parameter is not required if a SigningTable is in use.
-#Domain	example.com
+##  Domain(s) whose mail should be signed by this filter. Mail from other domains will
+##  be verified rather than being signed. Uncomment and use your domain name.
+##  This parameter is not required if a SigningTable is in use.
+# Domain	example.com
 
-# Defines the name of the selector to be used when signing messages.
+##  Defines the name of the selector to be used when signing messages.
 Selector	default
 
-# Specifies the minimum number of key bits for acceptable keys and signatures.
-MinimumKeyBits 1024
+##  Specifies the minimum number of key bits for acceptable keys and signatures.
+MinimumKeyBits	1024
 
-# Gives the location of a private key to be used for signing ALL messages. This
-# directive is ignored if KeyTable is enabled.
+##  Gives the location of a private key to be used for signing ALL messages. This
+##  directive is ignored if KeyTable is enabled.
 #KeyFile	/etc/opendkim/keys/default.private
 
-# Gives the location of a file mapping key names to signing keys. In simple terms,
-# this tells OpenDKIM where to find your keys. If present, overrides any KeyFile
-# directive in the configuration file. Requires SigningTable be enabled.
+##  Gives the location of a file mapping key names to signing keys. In simple terms,
+##  this tells OpenDKIM where to find your keys. If present, overrides any KeyFile
+##  directive in the configuration file. Requires SigningTable be enabled.
 KeyTable	refile:/etc/opendkim/KeyTable
 
-# Defines a table used to select one or more signatures to apply to a message based
-# on the address found in the From: header field. In simple terms, this tells
-# OpenDKIM how to use your keys. Requires KeyTable be enabled.
+##  Defines a table used to select one or more signatures to apply to a message based
+##  on the address found in the From: header field. In simple terms, this tells
+##  OpenDKIM how to use your keys. Requires KeyTable be enabled.
 SigningTable	refile:/etc/opendkim/SigningTable
 
-# Identifies a set of "external" hosts that may send mail through the server as one
-# of the signing domains without credentials as such.
+##  Identifies a set of "external" hosts that may send mail through the server as one
+##  of the signing domains without credentials as such.
 ExternalIgnoreList	refile:/etc/opendkim/TrustedHosts
 
-# Identifies a set "internal" hosts whose mail should be signed rather than verified.
+##  Identifies a set "internal" hosts whose mail should be signed rather than verified.
 InternalHosts	refile:/etc/opendkim/TrustedHosts
 
+##  Contains a list of IP addresses, CIDR blocks, hostnames or domain names
+##  whose mail should be neither signed nor verified by this filter.  See man
+##  page for file format.
+# PeerList	X.X.X.X
+
+##  Always oversign From (sign using actual From and a null From to prevent
+##  malicious signatures header fields (From and/or others) between the signer
+##  and the verifier.  From is oversigned by default in the Fedora package
+##  because it is often the identity key used by reputation systems and thus
+##  somewhat security sensitive.
+OversignHeaders	From
+
+##  Instructs the DKIM library to maintain its own local cache of keys and
+##  policies retrieved from DNS, rather than relying on the nameserver for
+##  caching service. Useful if the nameserver being used by the filter is
+##  not local.
+# QueryCache	yes
+
 SignatureAlgorithm      rsa-sha256
 

templates/etc/opendmarc.conf.j2

@@ -2,7 +2,20 @@
 ## opendmarc.conf -- configuration file for OpenDMARC filter
 ##
 ## Copyright (c) 2012-2015, The Trusted Domain Project.  All rights reserved.
+
+## DEPRECATED CONFIGURATION OPTIONS
 ## 
+## The following configuration options are no longer valid.  They should be
+## removed from your existing configuration file to prevent potential issues.
+## Failure to do so may result in opendmarc being unable to start.
+## 
+## Renamed in 1.3.0:
+##   ForensicReports became FailureReports
+##   ForensicReportsBcc became FailureReportsBcc
+##   ForensicReportsOnNone became FailureReportsOnNone
+##   ForensicReportsSentBy became FailureReportsSentBy
+
+## CONFIGURATION OPTIONS
 
 ##  AuthservID (string)
 ##  	defaults to MTA name

templates/etc/postfix/master.cf.j2

@@ -44,7 +44,7 @@ submission inet n       -       n       -       -       smtpd
 #  -o smtpd_client_restrictions=$mua_client_restrictions
 #  -o smtpd_helo_restrictions=$mua_helo_restrictions
 #  -o smtpd_sender_restrictions=$mua_sender_restrictions
-#  -o smtpd_recipient_restrictions=
+#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
 #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
 #  -o milter_macro_daemon_name=ORIGINATING
 {% endif %}
@@ -56,7 +56,7 @@ submission inet n       -       n       -       -       smtpd
 #  -o smtpd_client_restrictions=$mua_client_restrictions
 #  -o smtpd_helo_restrictions=$mua_helo_restrictions
 #  -o smtpd_sender_restrictions=$mua_sender_restrictions
-#  -o smtpd_recipient_restrictions=
+#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
 #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
 #  -o milter_macro_daemon_name=ORIGINATING
 #628       inet  n       -       n       -       -       qmqpd