chomp($mydomain = "sarah.uhu-banane.de");
-@local_domains_maps = 1;
+#@local_domains_maps = 1;
+@local_domains_maps = ( [
+ ".$mydomain",
+ ".brehm-berlin.de",
+ ".brehm-online.com",
+ ".brehm-online.eu",
+ ".frankepedia.eu",
+ ".hennig-berlin.org",
+ ".uhu-banane.com",
+ ".uhu-banane.de",
+ ".uhu-banane.eu",
+ ".uhu-banane.net",
+ ".uhu-banane.org",
+] );
@mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10
10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 );
$signed_header_fields{'to'} = 1;
# Add dkim_key here.
+dkim_key("brehm-berlin.de", "dkim", "/var/lib/dkim/uhu-banane.net.pem");
+dkim_key("brehm-online.com", "dkim", "/var/lib/dkim/uhu-banane.net.pem");
+dkim_key("brehm-online.eu", "dkim", "/var/lib/dkim/uhu-banane.net.pem");
+dkim_key("frankepedia.eu", "mail-2017-04-05", "/var/lib/dkim/frankepedia.eu.2017-04-05.pem");
+dkim_key("hennig-berlin.org", "dkim", "/var/lib/dkim/uhu-banane.net.pem");
+dkim_key("uhu-banane.com", "dkim", "/var/lib/dkim/uhu-banane.net.pem");
+dkim_key("uhu-banane.de", "dkim", "/var/lib/dkim/uhu-banane.net.pem");
+dkim_key("uhu-banane.eu", "dkim", "/var/lib/dkim/uhu-banane.net.pem");
dkim_key("uhu-banane.net", "dkim", "/var/lib/dkim/uhu-banane.net.pem");
+dkim_key("uhu-banane.org", "dkim", "/var/lib/dkim/uhu-banane.net.pem");
# Note that signing mail for subdomains with a key of a parent
# domain is treated by recipients as a third-party key, which
#"spam-reporter@uhu-banane.net" => { d => "uhu-banane.net", a => 'rsa-sha256', ttl => 7*24*3600 },
# explicit 'd' forces a third-party signature on foreign (hosted) domains
- "brehm-berlin.de" => { d => "uhu-banane.net", a => 'rsa-sha256', ttl => 10*24*3600 },
- "brehm-online.com" => { d => "uhu-banane.net", a => 'rsa-sha256', ttl => 10*24*3600 },
- "brehm-online.eu" => { d => "uhu-banane.net", a => 'rsa-sha256', ttl => 10*24*3600 },
- "frankepedia.eu" => { d => "uhu-banane.net", a => 'rsa-sha256', ttl => 10*24*3600 },
- "hennig-berlin.org" => { d => "uhu-banane.net", a => 'rsa-sha256', ttl => 10*24*3600 },
- "uhu-banane.com" => { d => "uhu-banane.net", a => 'rsa-sha256', ttl => 10*24*3600 },
- "uhu-banane.de" => { d => "uhu-banane.net", a => 'rsa-sha256', ttl => 10*24*3600 },
- "uhu-banane.eu" => { d => "uhu-banane.net", a => 'rsa-sha256', ttl => 10*24*3600 },
- "uhu-banane.net" => { d => "uhu-banane.net", a => 'rsa-sha256', ttl => 10*24*3600 },
- "uhu-banane.org" => { d => "uhu-banane.net", a => 'rsa-sha256', ttl => 10*24*3600 },
+ # "brehm-berlin.de" => { d => "uhu-banane.net", a => 'rsa-sha256', ttl => 10*24*3600 },
+ # "brehm-online.com" => { d => "uhu-banane.net", a => 'rsa-sha256', ttl => 10*24*3600 },
+ # "brehm-online.eu" => { d => "uhu-banane.net", a => 'rsa-sha256', ttl => 10*24*3600 },
+ # "frankepedia.eu" => { d => "uhu-banane.net", a => 'rsa-sha256', ttl => 10*24*3600 },
+ # "hennig-berlin.org" => { d => "uhu-banane.net", a => 'rsa-sha256', ttl => 10*24*3600 },
+ # "uhu-banane.com" => { d => "uhu-banane.net", a => 'rsa-sha256', ttl => 10*24*3600 },
+ # "uhu-banane.de" => { d => "uhu-banane.net", a => 'rsa-sha256', ttl => 10*24*3600 },
+ # "uhu-banane.eu" => { d => "uhu-banane.net", a => 'rsa-sha256', ttl => 10*24*3600 },
+ # "uhu-banane.net" => { d => "uhu-banane.net", a => 'rsa-sha256', ttl => 10*24*3600 },
+ # "uhu-banane.org" => { d => "uhu-banane.net", a => 'rsa-sha256', ttl => 10*24*3600 },
#"host1.uhu-banane.net" => { d => "host1.uhu-banane.net", a => 'rsa-sha256', ttl => 10*24*3600 },
#"host2.uhu-banane.net" => { d => "host2.uhu-banane.net", a => 'rsa-sha256', ttl => 10*24*3600 },
# ---- End domain: uhu-banane.net ----
# Enable DKIM signing/verification
$enable_dkim_verification = 1;
-#$enable_dkim_signing = 1; # we have dkim signing enabled in policy banks.
+$enable_dkim_signing = 1; # we have dkim signing enabled in policy banks.
# Amavisd log level. Verbosity: 0, 1, 2, 3, 4, 5, -d.
$log_level = 0;
--- /dev/null
+##
+## opendkim.conf -- configuration file for OpenDKIM filter
+##
+## Copyright (c) 2010-2014, The Trusted Domain Project. All rights reserved.
+##
+
+##
+## For settings that refer to a "dataset", see the opendkim(8) man page.
+##
+
+## AddAllSignatureResults { yes | no }
+## default "no"
+##
+## If enabled, results for all signatures will be reported by an added
+## Authentication-Results header field. Otherwise, only one signature will
+## be reported, and which one depends on the TrustSignaturesFrom
+## setting or, in its absence, which one(s) passed first or, if none passed,
+## which one was found first during message processing.
+
+# AddAllSignatureResults no
+
+## ADSPAction { continue | discard | reject }
+## default "continue"
+##
+## Defines the action to be taken when a message is passed through the
+## ADSP algorithm and found to be discardable. By default, no action is
+## taken, though the failure will be noted by the addition of an
+## Authentication-Results report.
+
+# ADSPAction continue
+
+## ADSPNoSuchDomain { yes | no }
+## default "no"
+##
+## Reject messages which are determined to be from nonexistent domains during
+## the Author Domain Signing Practises (ADSP) check.
+
+# ADSPNoSuchDomain No
+
+## AllowSHA1Only { yes | no }
+## default "no"
+##
+## By default, the filter will refuse to start if support for SHA256 is
+## not available since this violates the strong recommendations of
+## RFC6376 Section 3.3, which says:
+##
+## "Verifiers MUST implement both rsa-sha1 and rsa-sha256. Signers MUST
+## implement and SHOULD sign using rsa-sha256."
+##
+## This forces that violation to be explicitly selected by the administrator.
+
+# AllowSHA1Only no
+
+## AlwaysAddARHeader { yes | no }
+## default "no"
+##
+## Add an "Authentication-Results:" header even to unsigned messages
+## from domains with no "signs all" policy. The reported DKIM result
+## will be "none" in such cases. Normally unsigned mail from non-strict
+## domains does not cause the results header to be added.
+
+# AlwaysAddARHeader no
+
+## AuthservID string
+## default (local host name)
+##
+## Defines the "authserv-id" token to be used when generating
+## Authentication-Results headers after message verification.
+
+# AuthservID example.com
+
+## AuthservIDWithJobID
+## default "no"
+##
+## Appends a "/" followed by the MTA's job ID to the "authserv-id" token
+## when generating Authentication-Results headers after message verification.
+
+# AuthservIDWithJobId no
+
+## AutoRestart { yes | no }
+## default "no"
+##
+## Indicate whether or not the filter should arrange to restart automatically
+## if it crashes.
+
+# AutoRestart No
+
+## AutoRestartCount n
+## default 0
+##
+## Sets the maximum automatic restart count. After this number of
+## automatic restarts, the filter will give up and terminate. A value of 0
+## implies no limit.
+
+# AutoRestartCount 0
+
+## AutoRestartRate n/t[u]
+## default (none)
+##
+## Sets the maximum automatic restart rate. See the opendkim.conf(5)
+## man page for the format of this parameter.
+
+# AutoRestartRate n/tu
+
+## Background { yes | no }
+## default "yes"
+##
+## Indicate whether or not the filter should run in the background.
+
+# Background Yes
+
+## BaseDirectory path
+## default (none)
+##
+## Causes the filter to change to the named directory before beginning
+## operation. Thus, cores will be dumped here and configuration files
+## are read relative to this location.
+
+# BaseDirectory /var/run/opendkim
+
+## BodyLengthDB dataset
+## default (none)
+##
+## A data set that is checked against envelope recipients to see if a
+## body length tag should be included in the generated signature.
+## This has security implications; see opendkim.conf(5) for details.
+
+# BodyLengthDB dataset
+
+## Canonicalization hdrcanon[/bodycanon]
+## default "simple/simple"
+##
+## Select canonicalizations to use when signing. If the "bodycanon" is
+## omitted, "simple" is used. Valid values for each are "simple" and
+## "relaxed".
+
+# Canonicalization simple/simple
+
+## ClockDrift n
+## default 300
+##
+## Specify the tolerance range for expired signatures or signatures
+## which appear to have timestamps in the future, allowing for clock
+## drift.
+
+# ClockDrift 300
+
+## Diagnostics { yes | no }
+## default "no"
+##
+## Specifies whether or not signatures with header diagnostic tags should
+## be generated.
+
+# Diagnostics No
+
+## DisableADSP { yes | no }
+## default "no"
+##
+## Suppresses Author Domain Signing Practices (ADSP) checks, which conduct
+## additional DNS queries.
+
+# DisableADSP No
+
+## DNSTimeout n
+## default 10
+##
+## Specify the time in seconds to wait for replies from the nameserver when
+## requesting keys or signing policies.
+
+# DNSTimeout 10
+
+## Domain dataset
+## default (none)
+##
+## Specify for which domain(s) signing should be done. No default; must
+## be specified for signing.
+
+Domain example.com
+
+## DomainKeysCompat { yes | no }
+## default "no"
+##
+## When enabled, backward compatibility with DomainKeys (RFC4870) key
+## records is enabled. Otherwise, such key records are considered to be
+## syntactically invalid.
+
+# DomainKeysCompat no
+
+## DontSignMailTo dataset
+## default (none)
+##
+## Gives a list of recipient addresses or address patterns whose mail should
+## not be signed.
+
+# DontSignMailTo addr1,addr2,...
+
+## EnableCoredumps { yes | no }
+## default "no"
+##
+## On systems which have support for such, requests that the kernel dump
+## core even though the process may change user ID during its execution.
+
+# EnableCoredumps no
+
+## ExemptDomains dataset
+## default (none)
+##
+## A data set of domain names that are checked against the message sender's
+## domain. If a match is found, the message is ignored by the filter.
+
+# ExemptDomains domain1,domain2,...
+
+## ExternalIgnoreList filename
+##
+## Names a file from which a list of externally-trusted hosts is read.
+## These are hosts which are allowed to send mail through you for signing.
+## Automatically contains 127.0.0.1. See man page for file format.
+
+# ExternalIgnoreList filename
+
+## FixCRLF { yes | no }
+##
+## Requests that the library convert "naked" CR and LF characters to
+## CRLFs during canonicalization. The default is "no".
+
+# FixCRLF no
+
+## InternalHosts dataset
+## default "127.0.0.1"
+##
+## Names a file from which a list of internal hosts is read. These are
+## hosts from which mail should be signed rather than verified.
+## Automatically contains 127.0.0.1.
+
+# InternalHosts dataset
+
+## KeepTemporaryFiles { yes | no }
+## default "no"
+##
+## If set, causes temporary files generated during message signing or
+## verifying to be left behind for debugging use. Not for normal operation;
+## can fill your disks quite fast on busy systems.
+
+# KeepTemporaryFiles no
+
+## KeyFile filename
+## default (none)
+##
+## Specifies the path to the private key to use when signing. Ignored if
+## SigningTable and KeyTable are used. No default; must be specified for
+## signing if SigningTable/KeyTable are not in use.
+
+KeyFile /var/db/dkim/example.private
+
+## KeyTable dataset
+## default (none)
+##
+## Defines a table that will be queried to convert key names to
+## sets of data of the form (signing domain, signing selector, private key).
+## The private key can either contain a PEM-formatted private key,
+## a base64-encoded DER format private key, or a path to a file containing
+## one of those.
+
+# KeyTable dataset
+
+## LocalADSP dataset
+## default (none)
+##
+## Allows specification of local ADSP overrides for domains. This should be
+## a path to a file containing entries, one per line, with comments and
+## blank lines allowed. An entry is of the form "domain:policy" where
+## "domain" is either a fully-qualified domain name (e.g. "foo.example.com")
+## or a subdomain name preceded by a period (e.g. ".example.com"), and
+## "policy" is either "unknown", "all", or "discardable", as per the current
+## ADSP draft specification. This allows local overrides of policies to
+## enforce for domains which either don't publish ADSP or publish weaker
+## policies than the verifier would like to enforce.
+
+# LocalADSP /etc/mail/local-adsp-rules
+
+## LogWhy { yes | no }
+## default "no"
+##
+## If logging is enabled (see Syslog below), issues very detailed logging
+## about the logic behind the filter's decision to either sign a message
+## or verify it. The logic behind the decision is non-trivial and can be
+## confusing to administrators not familiar with its operation. A
+## description of how the decision is made can be found in the OPERATIONS
+## section of the opendkim(8) man page. This causes a large increase
+## in the amount of log data generated for each message, so it should be
+## limited to debugging use and not enabled for general operation.
+
+# LogWhy no
+
+## MacroList macro[=value][,...]
+##
+## Gives a set of MTA-provided macros which should be checked to see
+## if the sender has been determined to be a local user and therefore
+## whether or not signing should be done. See opendkim.conf(5) for
+## more information.
+
+# MacroList foo=bar,baz=blivit
+
+## MaximumHeaders n
+##
+## Disallow messages whose header blocks are bigger than "n" bytes.
+## Intended to detect and block a denial-of-service attack. The default
+## is 65536. A value of 0 disables this test.
+
+# MaximumHeaders n
+
+## MaximumSignaturesToVerify n
+## (default 3)
+##
+## Verify no more than "n" signatures on an arriving message.
+## A value of 0 means "no limit".
+
+# MaximumSignaturesToVerify n
+
+## MaximumSignedBytes n
+##
+## Don't sign more than "n" bytes of the message. The default is to
+## sign the entire message. Setting this implies "BodyLengths".
+
+# MaximumSignedBytes n
+
+## MilterDebug n
+##
+## Request a debug level of "n" from the milter library. The default is 0.
+
+# MilterDebug 0
+
+## Minimum n[% | +]
+## default 0
+##
+## Sets a minimum signing volume; one of the following formats:
+## n at least n bytes (or the whole message, whichever is less)
+## must be signed
+## n% at least n% of the message must be signed
+## n+ if a length limit was presented in the signature, no more than
+## n bytes may have been added
+
+# Minimum n
+
+## MinimumKeyBits n
+## default 1024
+##
+## Causes the library not to accept signatures matching keys made of fewer
+## than the specified number of bits, even if they would otherwise pass
+## DKIM signing.
+
+# MinimumKeyBits 1024
+
+## Mode [sv]
+## default sv
+##
+## Indicates which mode(s) of operation should be provided. "s" means
+## "sign", "v" means "verify".
+
+# Mode sv
+
+## MTA dataset
+## default (none)
+##
+## Specifies a list of MTAs whos mail should always be signed rather than
+## verified. The "mtaname" is extracted from the DaemonPortOptions line
+## in effect.
+
+# MTA name
+
+## MultipleSignatures { yes | no }
+## default no
+##
+## Allows multiple signatures to be added. If set to "true" and a SigningTable
+## is in use, all SigningTable entries that match the candidate message will
+## cause a signature to be added. Otherwise, only the first matching
+## SigningTable entry will be added, or only the key defined by Domain,
+## Selector and KeyFile will be added.
+
+# MultipleSignatures no
+
+## MustBeSigned dataset
+## default (none)
+##
+## Defines a list of headers which, if present on a message, must be
+## signed for the signature to be considered acceptable.
+
+# MustBeSigned header1,header2,...
+
+## Nameservers addr1[,addr2[,...]]
+## default (none)
+##
+## Provides a comma-separated list of IP addresses that are to be used when
+## doing DNS queries to retrieve DKIM keys, ADSP policies, VBR records, etc.
+## These override any local defaults built in to the resolver in use, which
+## may be defined in /etc/resolv.conf or hard-coded into the software.
+
+# Nameservers addr1,addr2,...
+
+## NoHeaderB { yes | no }
+## default "no"
+##
+## Suppresses addition of "header.b" tags on Authentication-Results
+## header fields.
+
+# NoHeaderB no
+
+## OmitHeaders dataset
+## default (none)
+##
+## Specifies a list of headers that should always be omitted when signing.
+## Header names should be separated by commas.
+
+# OmitHeaders header1,header2,...
+
+## On-...
+##
+## Specifies what to do when certain error conditions are encountered.
+##
+## See opendkim.conf(5) for more information.
+
+# On-Default
+# On-BadSignature
+# On-DNSError
+# On-InternalError
+# On-NoSignature
+# On-Security
+# On-SignatureError
+
+## OversignHeaders dataset
+## default (none)
+##
+## Specifies a set of header fields that should be included in all signature
+## header lists (the "h=" tag) once more than the number of times they were
+## actually present in the signed message. See opendkim.conf(5) for more
+## information.
+
+# OverSignHeaders header1,header2,...
+
+## PeerList dataset
+## default (none)
+##
+## Contains a list of IP addresses, CIDR blocks, hostnames or domain names
+## whose mail should be neither signed nor verified by this filter. See man
+## page for file format.
+
+# PeerList filename
+
+## PidFile filename
+## default (none)
+##
+## Name of the file where the filter should write its pid before beginning
+## normal operations.
+
+# PidFile filename
+
+## POPDBFile dataset
+## default (none)
+##
+## Names a database which should be checked for "POP before SMTP" records
+## as a form of authentication of users who may be sending mail through
+## the MTA for signing. Requires special compilation of the filter.
+## See opendkim.conf(5) for more information.
+
+# POPDBFile filename
+
+## Quarantine { yes | no }
+## default "no"
+##
+## Indicates whether or not the filter should arrange to quarantine mail
+## which fails verification. Intended for diagnostic use only.
+
+# Quarantine No
+
+## QueryCache { yes | no }
+## default "no"
+##
+## Instructs the DKIM library to maintain its own local cache of keys and
+## policies retrieved from DNS, rather than relying on the nameserver for
+## caching service. Useful if the nameserver being used by the filter is
+## not local. The filter must be compiled with the QUERY_CACHE flag to enable
+## this feature, since it adds a library dependency.
+
+# QueryCache No
+
+## RedirectFailuresTo address
+## default (none)
+##
+## Redirects signed messages to the specified address if none of the
+## signatures present failed to verify.
+
+# RedirectFailuresTo postmaster@example.com
+
+## RemoveARAll { yes | no }
+## default "no"
+##
+## Remove all Authentication-Results: headers on all arriving mail.
+
+# RemoveARAll No
+
+## RemoveARFrom dataset
+## default (none)
+##
+## Remove all Authentication-Results: headers on all arriving mail that
+## claim to have been added by hosts listed in this parameter. The list
+## should be comma-separated. Entire domains may be specified by preceding
+## the dopmain name by a single dot (".") character.
+
+# RemoveARFrom host1,host2,.domain1,.domain2,...
+
+## RemoveOldSignatures { yes | no }
+## default "no"
+##
+## Remove old signatures on messages, if any, when generating a signature.
+
+# RemoveOldSignatures No
+
+## ReportAddress addr
+## default (executing user)@(hostname)
+##
+## Specifies the sending address to be used on From: headers of outgoing
+## failure reports. By default, the e-mail address of the user executing
+## the filter is used.
+
+# ReportAddress "DKIM Error Postmaster" <postmaster@example.com>
+
+## ReportBccAddress addr
+## default (none)
+##
+## Specifies additional recipient address(es) to receive outgoing failure
+## reports.
+
+# ReportBccAddress postmaster@example.com, john@example.com
+
+## RequiredHeaders { yes | no }
+## default no
+##
+## Rejects messages which don't conform to RFC5322 header count requirements.
+
+# RequiredHeaders No
+
+## RequireSafeKeys { yes | no }
+## default yes
+##
+## Refuses to use key files that appear to have unsafe permissions.
+
+# RequireSafeKeys Yes
+
+## ResignAll { yes | no }
+## default no
+##
+## Where ResignMailTo triggers a re-signing action, this flag indicates
+## whether or not all mail should be signed (if set) versus only verified
+## mail being signed (if not set).
+
+# ResignAll No
+
+## ResignMailTo dataset
+## default (none)
+##
+## Checks each message recipient against the specified dataset for a
+## matching record. The full address is checked in each case, then the
+## hostname, then each domain preceded by ".". If there is a match, the
+## value returned is presumed to be the name of a key in the KeyTable
+## (if defined) to be used to re-sign the message in addition to
+## verifying it. If there is a match without a KeyTable, the default key
+## is applied.
+
+# ResignMailTo dataset
+
+## ResolverConfiguration string
+##
+## Passes arbitrary configuration data to the resolver. For the stock UNIX
+## resolver, this is ignored; for Unbound, it names a resolv.conf(5)-style
+## file that should be read for configuration information.
+
+# ResolverConfiguration string
+
+## ResolverTracing { yes | no }
+##
+## Requests enabling of resolver trace features, if available. The effect
+## of setting this flag depends on how trace features, if any, are implemented
+## in the resolver in use. Currently only effective when used with the
+## OpenDKIM asynchronous resolver.
+
+# ResolverTracing no
+
+## Selector name
+##
+## The name of the selector to use when signing. No default; must be
+## specified for signing.
+
+Selector my-selector-name
+
+## SendADSPReports { yes | no }
+## default "no"
+##
+## Specifies whether or not the filter should generate report mail back
+## to senders when the ADSP (Author Domain Signing Practises) check fails for
+## a message. See opendkim.conf(5) for details.
+
+# SendADSPReports No
+
+## SenderHeaders dataset
+## default (none)
+##
+## Overrides the default list of headers that will be used to determine
+## the sending domain for use when evaluating ADSP. See opendkim.conf(5)
+## for details.
+
+# SenderHeaders From
+
+## SendReports { yes | no }
+## default "no"
+##
+## Specifies whether or not the filter should generate report mail back
+## to senders when verification fails and an address for such a purpose
+## is provided. See opendkim.conf(5) for details.
+
+# SendReports No
+
+## SignatureAlgorithm signalg
+## default "rsa-sha256"
+##
+## Signature algorithm to use when generating signatures. Must be either
+## "rsa-sha1" or "rsa-sha256".
+
+# SignatureAlgorithm rsa-sha256
+
+## SignatureTTL seconds
+## default "0"
+##
+## Specifies the lifetime in seconds of signatures generated by the
+## filter. A value of 0 means no expiration time is included in the
+## signature.
+
+# SignatureTTL 0
+
+## SignHeaders dataset
+## default (none)
+##
+## Specifies the list of headers which should be included when generating
+## signatures. The string should be a comma-separated list of header names.
+## See the opendkim.conf(5) man page for more information.
+
+# SignHeaders header1,header2,...
+
+## SigningTable dataset
+## default (none)
+##
+## Defines a dataset that will be queried for the message sender's address
+## to determine which private key(s) (if any) should be used to sign the
+## message. The sender is determined from the value of the sender
+## header fields as described with SenderHeaders above. The key for this
+## lookup should be an address or address pattern that matches senders;
+## see the opendkim.conf(5) man page for more information. The value
+## of the lookup should return the name of a key found in the KeyTable
+## that should be used to sign the message. If MultipleSignatures
+## is set, all possible lookup keys will be attempted which may result
+## in multiple signatures being applied.
+
+# SigningTable filename
+
+## SingleAuthResult { yes | no}
+## default "no"
+##
+## When DomainKeys verification is enabled, multiple Authentication-Results
+## will be added, one for DK and one for DKIM. With this enabled, only
+## a DKIM result will be reported unless DKIM failed but DK passed, in which
+## case only a DK result will be reported.
+
+# SingleAuthResult no
+
+## SMTPURI uri
+##
+## Specifies a URI (e.g., "smtp://localhost") to which mail should be sent
+## via SMTP when notifications are generated.
+
+# Socket smtp://localhost
+
+## Socket socketspec
+##
+## Names the socket where this filter should listen for milter connections
+## from the MTA. Required. Should be in one of these forms:
+##
+## inet:port@address to listen on a specific interface
+## inet:port to listen on all interfaces
+## local:/path/to/socket to listen on a UNIX domain socket
+
+Socket inet:port@localhost
+
+## SoftwareHeader { yes | no }
+## default "no"
+##
+## Add a DKIM-Filter header field to messages passing through this filter
+## to identify messages it has processed.
+
+# SoftwareHeader no
+
+## StrictHeaders { yes | no }
+## default "no"
+##
+## Requests that the DKIM library refuse to process a message whose
+## header fields do not conform to the standards, in particular Section 3.6
+## of RFC5322.
+
+# StrictHeaders no
+
+## StrictTestMode { yes | no }
+## default "no"
+##
+## Selects strict CRLF mode during testing (see the "-t" command line
+## flag in the opendkim(8) man page). Messages for which all header
+## fields and body lines are not CRLF-terminated are considered malformed
+## and will produce an error.
+
+# StrictTestMode no
+
+## SubDomains { yes | no }
+## default "no"
+##
+## Sign for subdomains as well?
+
+# SubDomains No
+
+## Syslog { yes | no }
+## default "yes"
+##
+## Log informational and error activity to syslog?
+
+Syslog Yes
+
+## SyslogFacility facility
+## default "mail"
+##
+## Valid values are :
+## auth cron daemon kern lpr mail news security syslog user uucp
+## local0 local1 local2 local3 local4 local5 local6 local7
+##
+## syslog facility to be used
+
+# SyslogFacility mail
+
+## SyslogSuccess { yes | no }
+## default "no"
+##
+## Log success activity to syslog?
+
+# SyslogSuccess No
+
+## TemporaryDirectory path
+## default /tmp
+##
+## Specifies which directory will be used for creating temporary files
+## during message processing.
+
+# TemporaryDirectory /tmp
+
+## TestPublicKeys filename
+## default (none)
+##
+## Names a file from which public keys should be read. Intended for use
+## only during automated testing.
+
+# TestPublicKeys /tmp/testkeys
+
+## TrustAnchorFile filename
+## default (none)
+##
+## Specifies a file from which trust anchor data should be read when doing
+## DNS queries and applying the DNSSEC protocol. See the Unbound documentation
+## at http://unbound.net for the expected format of this file.
+
+# TrustAnchorFile /var/named/trustanchor
+
+## UMask mask
+## default (none)
+##
+## Change the process umask for file creation to the specified value.
+## The system has its own default which will be used (usually 022).
+## See the umask(2) man page for more information.
+
+# UMask 022
+
+## UnboundConfigFile filename
+## default (none)
+##
+## Specifies a configuration file to be passed to the Unbound library that
+## performs DNS queries applying the DNSSEC protocol. See the Unbound
+## documentation at http://unbound.net for the expected content of this file.
+## The results of using this and the TrustAnchorFile setting at the same
+## time are undefined.
+
+# UnboundConfigFile /var/named/unbound.conf
+
+## Userid userid
+## default (none)
+##
+## Change to user "userid" before starting normal operation? May include
+## a group ID as well, separated from the userid by a colon.
+
+# UserID userid
projects / config / sarah / etc.git / commitdiff