## CONFIGURATION OPTIONS

## Specifies the path to the process ID file.
PidFile /var/run/opendkim/opendkim.pid

## Selects operating modes. Valid modes are s (sign) and v (verify). Default is v.
## Must be changed to s (sign only) or sv (sign and verify) in order to sign outgoing
## messages.
Mode {{ postfix_dkim_mode }}

{% if "s" in postfix_dkim_mode %}
## SubDomains { yes | no }
## default "no"
##
## Sign for subdomains as well?
SubDomains {{ postfix_dkim_sign_subdomains }}
{% endif %}

## Log activity to the system log.
Syslog {{ postfix_dkim_syslog }}

## Log additional entries indicating successful signing or verification of messages.
SyslogSuccess {{ postfix_dkim_syslog_success }}

## If logging is enabled, include detailed logging about why or why not a message was
## signed or verified. This causes an increase in the amount of log data generated
## for each message, so set this to No (or comment it out) if it gets too noisy.
LogWhy {{ postfix_dkim_logwhy }}

## Attempt to become the specified user before starting operations.
UserID {{ postfix_dkim_user }}:{{ postfix_dkim_group }}

## Create a socket through which your MTA can communicate.
Socket {{ postfix_dkim_socket }}

## Required to use local socket with MTAs that access the socket as a non-
## privileged user (e.g. Postfix)
Umask 002

## This specifies a text file in which to store DKIM transaction statistics.
## OpenDKIM must be manually compiled with --enable-stats to enable this feature.
# Statistics /var/spool/opendkim/stats.dat

{% if "v" in postfix_dkim_mode %}
## Specifies whether or not the filter should generate report mail back
## to senders when verification fails and an address for such a purpose
## is provided. See opendkim.conf(5) for details.
SendReports {{ postfix_dkim_v_sendreports }}
{% endif %}

{% if postfix_dkim_reportaddress != '' %}
## Specifies the sending address to be used on From: headers of outgoing
## failure reports. By default, the e-mail address of the user executing
## the filter is used (executing_user@hostname).
# ReportAddress {{ postfix_dkim_reportaddress }}
{% endif %}

## Add a DKIM-Filter header field to messages passing through this filter
## to identify messages it has processed.
SoftwareHeader yes

{% if "s" in postfix_dkim_mode %}
## SIGNING OPTIONS

## Selects the canonicalization method(s) to be used when signing messages.
Canonicalization {{ postfix_dkim_canonicalization }}

## Specifies the minimum number of key bits for acceptable keys and signatures.
MinimumKeyBits {{ postfix_dkim_minkeybits }}

## Gives the location of a file mapping key names to signing keys. In simple terms,
## this tells OpenDKIM where to find your keys. If present, overrides any KeyFile
## directive in the configuration file. Requires SigningTable be enabled.
KeyTable /etc/opendkim/keytable

## Defines a table used to select one or more signatures to apply to a message based
## on the address found in the From: header field. In simple terms, this tells
## OpenDKIM how to use your keys. Requires KeyTable be enabled.
SigningTable refile:/etc/opendkim/signingtable

{% if postfix_dkim_trusted_hosts_enabled %}
## Identifies a set of "external" hosts that may send mail through the server as one
## of the signing domains without credentials as such.
# ExternalIgnoreList refile:/etc/opendkim/TrustedHosts

## Identifies a set of "internal" hosts whose mail should be signed rather than verified.
InternalHosts refile:/etc/opendkim/TrustedHosts
{% endif %}

## Always oversign From (sign using the actual From and a null From) to prevent
## malicious header fields (From and/or others) from being added between the
## signer and the verifier. From is oversigned by default in the Fedora package
## because it is often the identity key used by reputation systems and thus
## somewhat security sensitive.
OversignHeaders From
{% endif %}

## Instructs the DKIM library to maintain its own local cache of keys and
## policies retrieved from DNS, rather than relying on the nameserver for
## caching service. Useful if the nameserver being used by the filter is
## not local.
# QueryCache yes