

9 Commits

13 changed files with 2363 additions and 4 deletions


@ -61,6 +61,8 @@ vars:
"modules" data => '[
{m:"php",f:"libphp8.2"},
{m:"ssl",f:"mod_ssl"},
{m:"proxy",f:"mod_proxy"},
{m:"proxy_fcgi",f:"mod_proxy_fcgi"}
]';


@ -28,7 +28,7 @@ vars:
"dovecot-core",
"dovecot-mysql",
"dovecot-managesieved",
"dovecot-submissiond",
# "dovecot-submissiond",
"dovecot-lmtpd",
"dovecot-imapd",
"dovecot-pop3d"
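Review bot: Commenting out `"dovecot-submissiond"` on the second of the two differing lines only stops the policy from ensuring the package is present; on hosts where it was already installed by an earlier run, the package and its listener stay in place, so fresh and existing hosts will diverge. If the intent is to stop offering the submission service, add an explicit `policy => "absent"` promise for that package or disable the service, rather than relying on the list omission. The enclosing slist and the promise that consumes it start and end outside this hunk.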


@ -149,11 +149,11 @@ vars:
files:
!create_cron::
"/etc/cron.d/$(cfg[db_name])"
"/etc/cron.d/dump-mysql-db-$(cfg[db_name])"
delete=>tidy;
create_cron::
"/etc/cron.d/$(cfg[db_name])"
"/etc/cron.d/dump-mysql-db-$(cfg[db_name])"
perms => m("644"),
create => "true",
content => "
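Review bot: The regenerated cron file `/etc/cron.d/dump-mysql-db-$(cfg[db_name])` is created with `perms => m("644")`, so whatever follows `content => "` (cut off at the end of this hunk) is readable by every local account; if the dump command line carries the database password, that password is exposed to all users and also visible in the process list while the dump runs. Since cron.d entries are read by root, `perms => m("600")` loses nothing, and passing credentials via a root-only option file (`--defaults-extra-file`) instead of on the command line closes the process-list exposure too. The `files:` promise continues past the hunk, so the actual content could not be checked here.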

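--- a/postfix.cf
+++ b/postfix.cf
@@ -0,0 +1,217 @@
+#
+#
+#
+bundle agent postfix(cfg)
+{
+vars:
+freebsd::
+"pkgs" slist => {
+"postfix-sasl",
+};
+"db_dir" string => "/var/db";
+"service_name" string => "postfix";
+"cfg_dir" string => "/usr/local/etc/postfix";
+"master_cf" string => "/usr/local/etc/postfix/master.cf";
+"main_cf" string => "/usr/local/etc/postfix/main.cf";
+"mailer_conf" string => "/usr/local/etc/mail/mailer.conf";
+"mail_group" string => "maildrop";
+"daemon_dir" string => "/usr/local/libexec/postfix";
+"queue_dir" string => "/var/spool/postfix";
+"bin_dir" string => "/usr/local/bin";
+"sbin_dir" string => "/usr/local/sbin";
+"user" string => "postfix";
+"group" string => "wheel";
+"mail_owner" string => "postfix";
+debian::
+"pkgs" slist => {
+"postfix",
+"postfix-mysql"
+};
+"service_name" string => "postfix";
+"cfg_dir" string => "/etc/postfix";
+"master_cf" string => "/etc/postfix/master.cf";
+"main_cf" string => "/etc/postfix/main.cf";
+"mailer_conf" string => "/usr/local/etc/mail/mailer.conf";
+"mail_group" string => "postdrop";
+"daemon_dir" string => "/usr/lib/postfix/sbin";
+"bin_dir" string => "/usr/bin";
+"sbin_dir" string => "/usr/sbin";
+"queue_dir" string => "/var/spool/postfix";
+"db_dir" string => "/var/db";
+"user" string => "postfix";
+"group" string => "postfix";
+"mail_owner" string => "postfix";
+"postmap_cmd" string => "/usr/sbin/postmap";
+any::
+"data_dir" string => "$(db_dir)/postfix";
+users:
+debian::
+"$(postfix.user)"
+policy => "present",
+groups_secondary => { "mail","sasl" },
+classes => if_repaired(postfix_repaired);
+methods:
+"any" usebundle => wmde_install_packages(@(pkgs),"postfix");
+"any" usebundle => wmde_service("$(service_name)","postfix_kept","postfix_repaired"),
+depends_on => {
+"postfix_pkgs_installed",
+"postfix_master_cfg_ready",
+"postfix_main_cfg_ready"
+};
+files:
+"$(postfix.cfg_dir)/."
+create => "true",
+perms => m(755);
+"$(postfix.db_dir)/."
+create => "true",
+perms => mog("755","root","root"),
+handle => "postfix_db_dir_created";
+"$(postfix.data_dir)/."
+create => "true",
+depends_on => {"postfix_db_dir_created"},
+perms => mog("750","$(postfix.user)","$(postfix.group)");
+"$(postfix.main_cf)"
+classes => if_repaired(postfix_repaired),
+create => "true",
+perms => m("644"),
+template_method => "mustache",
+handle => "postfix_main_cfg_ready",
+depends_on => {"postfix_pkgs_installed"},
+edit_template => "$(sys.workdir)/inputs/$(def.wmde_libdir)/templates/postfix-main.cf.mustache";
+vars:
+"master_cf_content" string => string_mustache(
+readfile("$(sys.workdir)/inputs/$(def.wmde_libdir)/templates/postfix-master.cf.mustache")
+),
+handle => "master_cf_content_ready";
+files:
+"$(postfix.master_cf)"
+create => "true",
+depends_on => {"postfix_pkgs_installed","master_cf_content_ready"},
+handle => "postfix_master_cfg_ready",
+perms => m("644"),
+classes => if_repaired(postfix_repaired),
+# content => "$(master_cf_content)";
+content => regex_replace("$(master_cf_content)", "\\\\dollar", "$", "g");
+# "$(postfix.master_cf)"
+# create => "true",
+# template_method => "mustache",
+# depends_on => {"postfix_pkgs_installed"},
+# handle => "postfix_master_cfg_ready",
+# classes => if_repaired(postfix_repaired),
+# edit_template => "$(sys.workdir)/inputs/$(def.wmde_libdir)/templates/postfix-master.cf.mustache";
+reports:
+}
+bundle agent install_postfix
+{
+services:
+"$(postfix.service_name)"
+depends_on => {"postfix_installed"},
+service_policy => "start",
+handle => "postfix_running";
+"postfix_changed"::
+"$(postfix.service_name)"
+service_policy => "restart",
+depends_on => {"postfix_installed","postfix_running"};
+packages:
+freebsd::
+"$(postfix.pkgs)"
+policy => "present",
+package_module => pkg,
+classes => if_repaired(postfix_changed),
+handle=>"postfix_installed";
+debian::
+"$(postfix.pkgs)"
+policy => "present",
+package_module => apt_get,
+classes => if_repaired(postfix_changed),
+handle=>"postfix_installed";
+#perms => uperm("$(postfix.user)","$(postfix.group)","750");
+reports:
+"postfix_installed"::
+"Postfix was installed";
+}
+body perms m_rxdirs_on(mode)
+{
+inherit_from => m( $(mode) );
+rxdirs => "true";
+}
+bundle agent postfix_vimbadmin_sql(cfg)
+{
+vars:
+"file[virtual_alias_maps]" string =>"query = SELECT goto FROM alias WHERE address = '%s' AND active = '1'";
+"file[virtual_domains_maps]" string => "query = SELECT domain FROM domain WHERE domain = '%s' AND backupmx = '0' AND active = '1'";
+"file[virtual_mailbox_maps]" string => "query = SELECT maildir FROM mailbox WHERE username = '%s' AND active = '1'";
+# "file[relay_domains]" string => "query = SELECT domain FROM domain WHERE domain = '%s' AND backupmx = '0' AND active = '1'";
+# "file[relay_recipient_maps]" string => "query = SELECT maildir FROM mailbox WHERE username = '%s' AND active = '1'";
+"idx" slist => getindices("file");
+"sql_dir" string => "$(postfix.cfg_dir)/sql";
+"$(idx)" string => "$(sql_dir)/$(idx).sql";
+files:
+"$(sql_dir)/."
+create => "true",
+perms => m("755");
+"$(sql_dir)/$(idx).sql"
+create=>"true",
+perms=>m("644"),
+content=>"
+user = $(cfg[db_user])
+password = $(cfg[db_pass])
+hosts = $(cfg[db_host])
+dbname = $(cfg[db_name])
+$(file[$(idx)])
+";
+reports:
+}
+bundle agent postfix_copy_tsv(src_dir,dst_dir,file)
+{
+classes:
+"run_postmap" expression => fileexists("$(dst_dir)/$(file).db");
+files:
+"$(dst_dir)/$(file).tsv"
+copy_from => sync_cp("$(src_dir)/$(file).tsv","$(sys.policy_hub)"),
+classes => if_repaired(run_postmap); #"postfix_$(file)_changed");
+commands:
+run_postmap::
+"$(postfix.postmap_cmd)"
+args => "$(dst_dir)/$(file).tsv";
+reports:
+}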
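Review bot: In `postfix_vimbadmin_sql` the generated `$(sql_dir)/$(idx).sql` files are promised with `perms=>m("644")` while their `content` embeds `password = $(cfg[db_pass])`, so the database credentials are readable by every local account; `sympa_postfix_sql` in sympa.cf writes the same kind of file with the same mode. Postfix's own mysql_table guidance is a root-owned file, mode 0640, readable by the postfix group, i.e. `perms=>mog("640","root","$(postfix.group)")` — but note this bundle sets `group` to `wheel` on freebsd, which would not give the postfix user access, so that value needs checking first. Separately, `postmap_cmd` is defined only under `debian::`, so `postfix_copy_tsv` has no value for `$(postfix.postmap_cmd)` on freebsd, and its `run_postmap` class is `fileexists(...)` where `sympa_create_postfix_maps` uses `not(fileexists(...))`: as written, postmap runs on every agent run once the `.db` exists and never when it is missing unless the `.tsv` copy was repaired in the same run.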


@ -74,7 +74,6 @@ commands:
methods:
run_backups::
# "any" usebundle => mysql_backup_db(@(cfg),"$(cfg[backup_dir])/roundcube.sql");
"any" usebundle => create_mysql_backup_cron_job(@(cfg),"$(cfg[backup_dir])/roundcube.sql","users","true");
!run_backups::
"any" usebundle => create_mysql_backup_cron_job(@(cfg),"$(cfg[backup_dir])/roundcube.sql","users","false");

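--- a/sympa.cf
+++ b/sympa.cf
@@ -0,0 +1,498 @@
+#
+#
+#
+bundle agent sympa
+{
+classes:
+"sympa_b";
+vars:
+debian&sympa_b::
+"lib_dir" string => "/usr/lib/sympa";
+"var_lib_dir" string => "/var/lib/sympa";
+"share_dir" string => "/usr/share/sympa";
+"conf_dir" string => "/etc/sympa";
+"sympa_conf" string => "$(conf_dir)/sympa/sympa.conf";
+"service_name" string => "sympa";
+"wwservice_name" string => "wwsympa";
+"wwsympa_socket" string => "/var/run/sympa/wwsympa.socket";
+"sympa_pl_cmd" string => "/usr/bin/sympa";
+"pkgs" slist => {
+"sympa"
+};
+debian&sympa_s::
+"install_dir" string => "/usr/local/sympa";
+"queue_cmd" string => "$(install_dir)/bin/queue";
+"bouncequeue_cmd" string => "$(install_dir)/bin/bouncequeue";
+"static_content_dir" string => "$(install_dir)/static_content";
+"css_dir" string => "$(static_content_dir)/css";
+"pictures_dir" string => "$(static_content_dir)/pictures";
+any::
+"queue_cmd" string => "$(lib_dir)/bin/queue";
+"bouncequeue_cmd" string => "$(lib_dir)/bin/bouncequeue";
+"static_content_dir" string => "$(share_dir)/static_content";
+"pictures_dir" string => "$(static_content_dir)/pictures";
+"css_dir" string => "$(var_lib_dir)/css";
+"sendmail_aliases" string => "$(conf_dir)/sympa_transport";
+"postfix_master_cfg" string => readfile("$(sys.workdir)/inputs/$(def.wmde_libdir)/templates/sympa/postfix-master-cfg.mustache");
+"apache_cfg" string =>
+"
+<IfModule mod_proxy_fcgi.c>
+Alias /css-sympa $(sympa.css_dir)
+Alias /pictures-sympa $(sympa.pictures_dir)
+Alias /static-sympa $(sympa.static_content_dir)
+<Directory $(sympa.static_content_dir)>
+Require all granted
+</Directory>
+<Directory $(sympa.css_dir)>
+Require all granted
+</Directory>
+<Directory $(sympa.pictures_dir)>
+Require all granted
+</Directory>
+<LocationMatch \\\"^/(?!.*-sympa)\\\">
+SetHandler \\\"proxy:unix:$(sympa.wwsympa_socket)|fcgi://\\\"
+Require all granted
+</LocationMatch>
+</IfModule>
+";
+reports:
+# "MUSTACHE: $(postfix_master_cfg_m)";
+# "RF: $(sys.workdir)/inputs/$(wmde_lib)/templates/sympa-postfix-master-cfg.mustache";
+}
+bundle agent sympa_init_db(cfg)
+{
+classes:
+"run_backups" expression => isvariable("cfg[backup_dir]");
+run_backups::
+"sql_backup_exists" expression => fileexists("$(cfg[backup_dir])/sympa.sql");
+methods:
+"any" usebundle => mysql_table_exists(@(cfg[db_settings]),"user_table");
+run_backups::
+"any" usebundle => restore_mysql_db(@(cfg[db_settings]),"$(cfg[backup_dir])/sympa.sql"),
+depends_on => {"sympa_config_updated"},
+if => "sql_backup_exists&(!mysql_sympa_user_table_exists)",
+handle => "sympa_db_initialized";
+commands:
+"!mysql_sympa_user_table_exists"::
+"$(sympa.sympa_pl_cmd)"
+args => "--health_check",
+handle => "sympa_db_initialized",
+depends_on => {"sympa_config_updated"};
+}
+bundle agent sympa_create_postfix_maps
+{
+classes:
+"sympa_run_postmap" expression => not(fileexists("$(sympa.sendmail_aliases).db"));
+files:
+"$(sympa.sendmail_aliases)"
+create => "true",
+classes => if_repaired("sympa_run_postmap"),
+perms => mog("644","sympa","sympa"),
+handle => "sympa_sendmail_aliases_created";
+"$(sympa.conf_dir)/list_aliases.tt2"
+create => "true",
+copy_from => local_dcp("$(sys.workdir)/inputs/$(def.wmde_libdir)/templates/sympa/list_aliases.tt2.mustache"),
+perms => mog("644","sympa","sympa");
+commands:
+"sympa_run_postmap"::
+"$(postfix.postmap_cmd)"
+args => "$(sympa.sendmail_aliases)",
+classes => if_repaired("postfix_repaired"),
+depends_on => {"sympa_sendmail_aliases_created"};
+reports:
+"create maps";
+"sympa_sendmail_aliases_repaired"::
+"POSTMAP CALL";
+}
+bundle agent sympa_postfix_sql(cfg)
+{
+vars:
+"file[sympa_virtual_mailbox_maps]" string => "query = SELECT 'present' FROM list_table WHERE name_list='%u'
+or name_list = replace('%u', '-request', '')
+or name_list = replace('%u', '-editor', '')
+or name_list = replace('%u', '-subscribe', '')
+or name_list = replace('%u', '-unsubscribe', '')
+";
+"idx" slist => getindices("file");
+"sql_dir" string => "$(postfix.cfg_dir)/sql";
+"$(idx)" string => "$(sql_dir)/$(idx).sql";
+files:
+"$(sql_dir)/."
+create => "true",
+perms => m("755");
+"$(sql_dir)/$(idx).sql"
+create=>"true",
+perms=>m("644"),
+content=>"
+user = $(cfg[db_user])
+password = $(cfg[db_pass])
+hosts = $(cfg[db_host])
+dbname = $(cfg[db_name])
+$(file[$(idx)])
+";
+reports:
+}
+bundle agent sympa_update_config(cfg)
+{
+vars:
+"default_settings" data => '{
+"aliases_db_type":"hash",
+"aliases_program":"$(postfix.postmap_cmd)",
+"sendmail_aliases":"$(sympa.sendmail_aliases)",
+"db_type":"$(cfg[db_settings][db_type])",
+"db_name":"$(cfg[db_settings][db_name])",
+"db_host":"$(cfg[db_settings][db_host])",
+"db_passwd":"$(cfg[db_settings][db_pass])",
+"db_user":"$(cfg[db_settings][db_user])"
+}';
+"settings_data" data => mergedata(@(default_settings),@(cfg[settings]));
+"idx" slist => getindices(@(settings_data));
+"settings[$(idx)]" string => "$(settings_data[$(idx)])";
+files:
+"$(sympa.sympa_conf)"
+edit_line => set_config_values("$(this.bundle).settings"),
+handle => "sympa_config_updated",
+classes => if_repaired("sympa_repaired"),
+depends_on => { "sympa_pkgs_installed" };
+reports:
+}
+bundle agent install_sympa_domain(domain,data)
+{
+vars:
+"default_settings" data => '{
+}';
+"settings_data" data => mergedata(@(default_settings),@(data[settings]));
+"idx" slist => getindices(@(settings_data));
+"settings[$(idx)]" string => "$(settings_data[$(idx)])";
+"settings[domain]" string => "$(domain)";
+files:
+"$(sympa.conf_dir)/$(domain)/."
+create => "true",
+perms => m("755");
+"$(sympa.conf_dir)/$(domain)/robot.conf"
+perms => m("644"),
+copy_from => seed_cp("$(sys.workdir)/inputs/$(def.wmde_libdir)/templates/sympa/robot.conf"),
+handle => "sympa_robot_$(domain)_ready";
+"$(sympa.conf_dir)/$(domain)/robot.conf"
+create => "true",
+perms => m("644"), #"sympa","sympa"),
+edit_line => set_config_values("$(this.bundle).settings"),
+handle => "sympa_robots_created",
+classes => if_repaired("sympa_repaired"),
+depends_on => { "sympa_pkgs_installed","sympa_robot_$(domain)_ready" };
+reports:
+# "INSTALL DOMAIN $(domain)";
+# "WWSYMuRL:$(data[settings][wwsympa_url])";
+# "OUT: $(settings)";
+# "JO: $(jo)";
+}
+bundle agent install_sympa_domains(dl)
+{
+vars:
+"idx" slist => getindices(@(dl));
+methods:
+"any" usebundle => install_sympa_domain("$(idx)",@(dl[$(idx)]));
+reports:
+}
+bundle agent install_sympa(cfg)
+{
+vars:
+# "cfg_domains" data => @(cfg[domains]);
+"domains_idx" slist => getindices(@(cfg[domains]));
+# "cfg_domains" slist => {"a","b","c"};
+methods:
+"any" usebundle => wmde_install_packages(@(sympa.pkgs),"sympa");
+"any" usebundle => sympa_update_config(@(cfg));
+"any" usebundle => sympa_init_db(@(cfg));
+"any" usebundle => wmde_service("$(sympa.service_name)","sympa_kept","sympa_repaired"),
+depends_on => {
+"sympa_pkgs_installed",
+"sympa_config_updated"
+};
+"any" usebundle => wmde_service("$(sympa.wwservice_name)","sympa_kept","sympa_repaired"),
+depends_on => {
+"sympa_pkgs_installed",
+"sympa_config_updated",
+"sympa_robots_created"
+};
+# "any" usebundle => install_sympa_domain("@(cfg[domains][$(domains_idx)])");
+"any" usebundle => install_sympa_domains(@(cfg[domains2]));
+reports:
+# "IDX $(domains_idx)";
+# "DOMCONF: $(cfg[$(idx)])";
+}
+bundle agent install_sympa_src(cfg)
+{
+classes:
+"run_backups" expression => isvariable("cfg[backup_dir]");
+run_backups::
+"sql_backup_exists" expression => fileexists("$(cfg[backup_dir])/sympa.sql");
+methods:
+"any" usebundle => mysql_table_exists(@(cfg),"user_table");
+"run_backups&sql_backup_exists&(!mysql_sympa_user_table_exists)"::
+"any" usebundle => restore_mysql_db(@(cfg),"$(cfg[backup_dir])/sympa.sql");
+vars:
+debian::
+"pkgs" slist => {
+"clang",
+"gcc",
+"make",
+"mhonarc",
+"libdbd-mysql-perl",
+"spawn-fcgi",
+"libdbd-mysql-perl",
+"libdatetime-format-mail-perl",
+"libmime-encwords-perl",
+"libmime-lite-html-perl",
+"cpanminus"
+};
+"cfg_file" string => "/etc/sympa/sympa.conf";
+"log_file" string => "/var/log/sympa.log";
+"syslog_cfg" string => "/etc/rsyslog.d/sympa.conf";
+"syslog_service" string => "rsyslog";
+freebsd::
+"pkgs" slist => {};
+"cfg_file" string => "/usr/local/etc/sympa/sympa.conf";
+"log_file" string => "/var/log/sympa.log";
+"syslog_cfg" string => "/etc/syslog.d/sympa.conf";
+"syslog_service" string => "syslogd";
+any::
+"src_tgz" string => "sympa-$(cfg[version]).tar.gz";
+"extract_dir" string => "$(sys.workdir)/data/agent/sympa";
+"compile_dir" string => "$(extract_dir)/sympa-$(cfg[version])";
+"configure_options" string => "--prefix $(sympa.install_dir)";
+"sympa_pl_cmd" string => "$(sympa.install_dir)/bin/sympa.pl";
+classes:
+"compile_and_install" expression => not(fileexists("$(compile_dir)/installed.txt"));
+commands:
+'if grep -q sympa /etc/group ; then echo "+sympa_group_exists"; else echo "-sympa_group_exists" ; fi'
+module => "true",
+inform => "false",
+contain => wmde_cmd_useshell;
+debian&(!sympa_group_exists)::
+"/usr/sbin/groupadd"
+args => "sympa",
+handle => "sympa_group_created";
+debian&sympa_group_exists::
+"/usr/bin/true"
+inform => "false",
+handle => "sympa_group_created";
+methods:
+"any" usebundle => wmde_install_packages(@(pkgs),"sympabuild");
+files:
+"$(extract_dir)/."
+create => "true",
+handle => "sympa_extract_dir_created";
+users:
+"sympa"
+policy => "present",
+description => "Sympa System",
+home_dir => "$(sympa.install_dir)",
+group_primary => "sympa",
+depends_on => {"sympa_group_created"},
+shell => "/bin/bash";
+methods:
+"any" usebundle => download_and_untar (
+"sympa",
+"$(def.hub_public_dir)/$(src_tgz)",
+"$(sys.workdir)/data/public/$(src_tgz)",
+"$(extract_dir)",
+"$(compile_dir)/configure"
+),
+depends_on => {"sympabuild_pkgs_installed","sympa_extract_dir_created"},
+handle => "sympa_downloaded";
+commands:
+compile_and_install::
+"cd $(compile_dir) && ./configure $(configure_options) && make && make install && cpanm --installdeps --with-recommends -n . && touch installed.txt"
+contain => wmde_cmd_useshell,
+depends_on => {"sympa_downloaded"},
+handle => "sympa_installed";
+!compile_and_install::
+"/usr/bin/true"
+inform => "false",
+handle => "sympa_installed";
+vars:
+"settings[domain]" string => "$(cfg[domain])";
+"settings[listmaster]" string => "$(cfg[listmaster])";
+"settings[db_type]" string => "$(cfg[db_type])";
+"settings[db_host]" string => "$(cfg[db_host])";
+"settings[db_user]" string => "$(cfg[db_user])";
+"settings[db_passwd]" string => "$(cfg[db_pass])";
+"settings[wwsympa_url]" string => "$(cfg[wwsympa_url])";
+"settings[listmaster]" string => "$(cfg[listmaster])";
+"settings[sendmail_aliases]" string=> "$(cfg[sendmail_aliases])";
+"settings[aliases_program]" string=> "$(cfg[aliases_program])";
+files:
+"$(cfg_file)"
+edit_line => set_config_values("$(this.bundle).settings"),
+handle => "sympa_config_edited_old",
+classes => if_repaired("sympa_config_changed"),
+depends_on => { "sympa_installed" };
+commands:
+"sympa_config_changed|(!mysql_sympa_user_table_exists)"::
+"$(sympa.sympa_pl_cmd)"
+args => "--health_check",
+depends_on => {"sympa_config_edited_old"};
+# Sympa Logs
+files:
+"$(log_file)"
+create=>"true",
+perms=>m("644");
+"$(syslog_cfg)"
+create=>"true",
+content=>"local1.* -/var/log/sympa.log
+",
+handle => "sympa_syslog_cfg_ready",
+classes => if_repaired("sympa_syslog_cfg_repaired");
+services:
+sympa_syslog_cfg_repaired::
+"$(syslog_service)"
+depends_on => {"sympa_syslog_cfg_ready"},
+service_policy=>"restart";
+# Configure Backup stuff
+files:
+run_backups::
+"$(cfg[backup_dir])/."
+create => "true";
+methods:
+run_backups::
+"any" usebundle => create_mysql_backup_cron_job(@(cfg),"$(cfg[backup_dir])/sympa.sql","user_table","true");
+!run_backups::
+"any" usebundle => create_mysql_backup_cron_job(@(cfg),"$(cfg[backup_dir])/sympa.sql","user_table","false");
+reports:
+}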
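Review bot: The group probe in `install_sympa_src` (`if grep -q sympa /etc/group`) is unanchored, so any line containing that substring — another group's name or a member list — sets `sympa_group_exists` and silently skips `groupadd`; anchor it as `grep -q '^sympa:' /etc/group`. The build promise under `compile_and_install::` ends with `cpanm --installdeps --with-recommends -n .`, which as root fetches and installs whatever CPAN currently serves for the tarball's dependencies, with tests disabled (`-n`) and nothing pinning versions, so the module set on the mail host is neither reproducible nor reviewable; pinning it (a cpanfile.snapshot shipped with the source, or distro-packaged modules) would make that step auditable. In `install_sympa`, the call `install_sympa_domains(@(cfg[domains2]))` reads a different key from the `cfg[domains]` used to build `domains_idx` a few lines earlier, which looks like a debugging leftover — confirm which key callers actually populate.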


@ -0,0 +1,776 @@
#
# Managed by CFengine
#
#
##
## opendkim.conf -- configuration file for OpenDKIM filter
##
## Copyright (c) 2010-2015, The Trusted Domain Project. All rights reserved.
##
##
## For settings that refer to a "dataset", see the opendkim(8) man page.
##
## DEPRECATED CONFIGURATION OPTIONS
##
## The following configuration options are no longer valid. They should be
## removed from your existing configuration file to prevent potential issues.
## Failure to do so may result in opendkim being unable to start.
##
## Removed in 2.10.0:
## AddAllSignatureResults
## ADSPAction
## ADSPNoSuchDomain
## BogusPolicy
## DisableADSP
## LDAPSoftStart
## LocalADSP
## NoDiscardableMailTo
## On-PolicyError
## SendADSPReports
## UnprotectedPolicy
## CONFIGURATION OPTIONS
## AllowSHA1Only { yes | no }
## default "no"
##
## By default, the filter will refuse to start if support for SHA256 is
## not available since this violates the strong recommendations of
## RFC6376 Section 3.3, which says:
##
## "Verifiers MUST implement both rsa-sha1 and rsa-sha256. Signers MUST
## implement and SHOULD sign using rsa-sha256."
##
## This forces that violation to be explicitly selected by the administrator.
# AllowSHA1Only no
## AlwaysAddARHeader { yes | no }
## default "no"
##
## Add an "Authentication-Results:" header even to unsigned messages
## from domains with no "signs all" policy. The reported DKIM result
## will be "none" in such cases. Normally unsigned mail from non-strict
## domains does not cause the results header to be added.
# AlwaysAddARHeader no
## AuthservID string
## default (local host name)
##
## Defines the "authserv-id" token to be used when generating
## Authentication-Results headers after message verification.
# AuthservID example.com
## AuthservIDWithJobID
## default "no"
##
## Appends a "/" followed by the MTA's job ID to the "authserv-id" token
## when generating Authentication-Results headers after message verification.
# AuthservIDWithJobId no
## AutoRestart { yes | no }
## default "no"
##
## Indicate whether or not the filter should arrange to restart automatically
## if it crashes.
# AutoRestart No
## AutoRestartCount n
## default 0
##
## Sets the maximum automatic restart count. After this number of
## automatic restarts, the filter will give up and terminate. A value of 0
## implies no limit.
# AutoRestartCount 0
## AutoRestartRate n/t[u]
## default (none)
##
## Sets the maximum automatic restart rate. See the opendkim.conf(5)
## man page for the format of this parameter.
# AutoRestartRate n/tu
## Background { yes | no }
## default "yes"
##
## Indicate whether or not the filter should run in the background.
# Background Yes
## BaseDirectory path
## default (none)
##
## Causes the filter to change to the named directory before beginning
## operation. Thus, cores will be dumped here and configuration files
## are read relative to this location.
# BaseDirectory /var/run/opendkim
## BodyLengthDB dataset
## default (none)
##
## A data set that is checked against envelope recipients to see if a
## body length tag should be included in the generated signature.
## This has security implications; see opendkim.conf(5) for details.
# BodyLengthDB dataset
## Canonicalization hdrcanon[/bodycanon]
## default "simple/simple"
##
## Select canonicalizations to use when signing. If the "bodycanon" is
## omitted, "simple" is used. Valid values for each are "simple" and
## "relaxed".
# Canonicalization simple/simple
## ClockDrift n
## default 300
##
## Specify the tolerance range for expired signatures or signatures
## which appear to have timestamps in the future, allowing for clock
## drift.
# ClockDrift 300
## Diagnostics { yes | no }
## default "no"
##
## Specifies whether or not signatures with header diagnostic tags should
## be generated.
# Diagnostics No
## DNSTimeout n
## default 10
##
## Specify the time in seconds to wait for replies from the nameserver when
## requesting keys or signing policies.
# DNSTimeout 10
## Domain dataset
## default (none)
##
## Specify for which domain(s) signing should be done. No default; must
## be specified for signing.
Domain {{#cfg.domains}} {{.}} {{/cfg.domains}}
## DomainKeysCompat { yes | no }
## default "no"
##
## When enabled, backward compatibility with DomainKeys (RFC4870) key
## records is enabled. Otherwise, such key records are considered to be
## syntactically invalid.
# DomainKeysCompat no
## DontSignMailTo dataset
## default (none)
##
## Gives a list of recipient addresses or address patterns whose mail should
## not be signed.
# DontSignMailTo addr1,addr2,...
## EnableCoredumps { yes | no }
## default "no"
##
## On systems which have support for such, requests that the kernel dump
## core even though the process may change user ID during its execution.
# EnableCoredumps no
## ExemptDomains dataset
## default (none)
##
## A data set of domain names that are checked against the message sender's
## domain. If a match is found, the message is ignored by the filter.
# ExemptDomains domain1,domain2,...
## ExternalIgnoreList filename
##
## Names a file from which a list of externally-trusted hosts is read.
## These are hosts which are allowed to send mail through you for signing.
## Automatically contains 127.0.0.1. See man page for file format.
# ExternalIgnoreList filename
## FixCRLF { yes | no }
##
## Requests that the library convert "naked" CR and LF characters to
## CRLFs during canonicalization. The default is "no".
# FixCRLF no
## IgnoreMalformedMail { yes | no }
## default "no"
##
## Silently passes malformed messages without alteration. This includes
## messages that fail the RequiredHeaders check, if enabled. The default is
## to pass those messages but add an Authentication-Results field indicating
## that they were malformed.
# IgnoreMalformedMail no
## InternalHosts dataset
## default "127.0.0.1"
##
## Names a file from which a list of internal hosts is read. These are
## hosts from which mail should be signed rather than verified.
## Automatically contains 127.0.0.1.
#
InternalHosts {{mynetworks_head}} {{#mynetworks_tail}} ,{{.}}{{/mynetworks_tail}}
# InternalHosts dataset
## KeepTemporaryFiles { yes | no }
## default "no"
##
## If set, causes temporary files generated during message signing or
## verifying to be left behind for debugging use. Not for normal operation;
## can fill your disks quite fast on busy systems.
# KeepTemporaryFiles no
## KeyFile filename
## default (none)
##
## Specifies the path to the private key to use when signing. Ignored if
## SigningTable and KeyTable are used. No default; must be specified for
## signing if SigningTable/KeyTable are not in use.
#KeyFile /var/db/dkim/example.private
KeyFile {{cfg.keyfile}}
#/var/db/dkim/example.private
## KeyTable dataset
## default (none)
##
## Defines a table that will be queried to convert key names to
## sets of data of the form (signing domain, signing selector, private key).
## The private key can either contain a PEM-formatted private key,
## a base64-encoded DER format private key, or a path to a file containing
## one of those.
# KeyTable dataset
## LogWhy { yes | no }
## default "no"
##
## If logging is enabled (see Syslog below), issues very detailed logging
## about the logic behind the filter's decision to either sign a message
## or verify it. The logic behind the decision is non-trivial and can be
## confusing to administrators not familiar with its operation. A
## description of how the decision is made can be found in the OPERATIONS
## section of the opendkim(8) man page. This causes a large increase
## in the amount of log data generated for each message, so it should be
## limited to debugging use and not enabled for general operation.
# LogWhy no
## MacroList macro[=value][,...]
##
## Gives a set of MTA-provided macros which should be checked to see
## if the sender has been determined to be a local user and therefore
## whether or not signing should be done. See opendkim.conf(5) for
## more information.
# MacroList foo=bar,baz=blivit
## MaximumHeaders n
##
## Disallow messages whose header blocks are bigger than "n" bytes.
## Intended to detect and block a denial-of-service attack. The default
## is 65536. A value of 0 disables this test.
# MaximumHeaders n
## MaximumSignaturesToVerify n
## (default 3)
##
## Verify no more than "n" signatures on an arriving message.
## A value of 0 means "no limit".
# MaximumSignaturesToVerify n
## MaximumSignedBytes n
##
## Don't sign more than "n" bytes of the message. The default is to
## sign the entire message. Setting this implies "BodyLengths".
# MaximumSignedBytes n
## MilterDebug n
##
## Request a debug level of "n" from the milter library. The default is 0.
# MilterDebug 0
## Minimum n[% | +]
## default 0
##
## Sets a minimum signing volume; one of the following formats:
## n at least n bytes (or the whole message, whichever is less)
## must be signed
## n% at least n% of the message must be signed
## n+ if a length limit was presented in the signature, no more than
## n bytes may have been added
# Minimum n
## MinimumKeyBits n
## default 1024
##
## Causes the library not to accept signatures matching keys made of fewer
## than the specified number of bits, even if they would otherwise pass
## DKIM signing.
# MinimumKeyBits 1024
## Mode [sv]
## default sv
##
## Indicates which mode(s) of operation should be provided. "s" means
## "sign", "v" means "verify".
# Mode sv
## MTA dataset
## default (none)
##
## Specifies a list of MTAs whos mail should always be signed rather than
## verified. The "mtaname" is extracted from the DaemonPortOptions line
## in effect.
# MTA name
## MultipleSignatures { yes | no }
## default no
##
## Allows multiple signatures to be added. If set to "true" and a SigningTable
## is in use, all SigningTable entries that match the candidate message will
## cause a signature to be added. Otherwise, only the first matching
## SigningTable entry will be added, or only the key defined by Domain,
## Selector and KeyFile will be added.
# MultipleSignatures no
## MustBeSigned dataset
## default (none)
##
## Defines a list of headers which, if present on a message, must be
## signed for the signature to be considered acceptable.
# MustBeSigned header1,header2,...
## Nameservers addr1[,addr2[,...]]
## default (none)
##
## Provides a comma-separated list of IP addresses that are to be used when
## doing DNS queries to retrieve DKIM keys, VBR records, etc.
## These override any local defaults built in to the resolver in use, which
## may be defined in /etc/resolv.conf or hard-coded into the software.
# Nameservers addr1,addr2,...
## NoHeaderB { yes | no }
## default "no"
##
## Suppresses addition of "header.b" tags on Authentication-Results
## header fields.
# NoHeaderB no
## OmitHeaders dataset
## default (none)
##
## Specifies a list of headers that should always be omitted when signing.
## Header names should be separated by commas.
# OmitHeaders header1,header2,...
## On-...
##
## Specifies what to do when certain error conditions are encountered.
##
## See opendkim.conf(5) for more information.
# On-Default
# On-BadSignature
# On-DNSError
# On-InternalError
# On-NoSignature
# On-Security
# On-SignatureError
## OversignHeaders dataset
## default (none)
##
## Specifies a set of header fields that should be included in all signature
## header lists (the "h=" tag) once more than the number of times they were
## actually present in the signed message. See opendkim.conf(5) for more
## information.
# OverSignHeaders header1,header2,...
## PeerList dataset
## default (none)
##
## Contains a list of IP addresses, CIDR blocks, hostnames or domain names
## whose mail should be neither signed nor verified by this filter. See man
## page for file format.
# PeerList filename
## PidFile filename
## default (none)
##
## Name of the file where the filter should write its pid before beginning
## normal operations.
# PidFile filename
PidFile {{cfg.pid_file}}
## POPDBFile dataset
## default (none)
##
## Names a database which should be checked for "POP before SMTP" records
## as a form of authentication of users who may be sending mail through
## the MTA for signing. Requires special compilation of the filter.
## See opendkim.conf(5) for more information.
# POPDBFile filename
## Quarantine { yes | no }
## default "no"
##
## Indicates whether or not the filter should arrange to quarantine mail
## which fails verification. Intended for diagnostic use only.
# Quarantine No
## QueryCache { yes | no }
## default "no"
##
## Instructs the DKIM library to maintain its own local cache of keys and
## policies retrieved from DNS, rather than relying on the nameserver for
## caching service. Useful if the nameserver being used by the filter is
## not local. The filter must be compiled with the QUERY_CACHE flag to enable
## this feature, since it adds a library dependency.
# QueryCache No
## RedirectFailuresTo address
## default (none)
##
## Redirects signed messages to the specified address if none of the
## signatures present failed to verify.
# RedirectFailuresTo postmaster@example.com
## RemoveARAll { yes | no }
## default "no"
##
## Remove all Authentication-Results: headers on all arriving mail.
# RemoveARAll No
## RemoveARFrom dataset
## default (none)
##
## Remove all Authentication-Results: headers on all arriving mail that
## claim to have been added by hosts listed in this parameter. The list
## should be comma-separated. Entire domains may be specified by preceding
## the dopmain name by a single dot (".") character.
# RemoveARFrom host1,host2,.domain1,.domain2,...
## RemoveOldSignatures { yes | no }
## default "no"
##
## Remove old signatures on messages, if any, when generating a signature.
# RemoveOldSignatures No
## ReportAddress addr
## default (executing user)@(hostname)
##
## Specifies the sending address to be used on From: headers of outgoing
## failure reports. By default, the e-mail address of the user executing
## the filter is used.
# ReportAddress "DKIM Error Postmaster" <postmaster@example.com>
## ReportBccAddress addr
## default (none)
##
## Specifies additional recipient address(es) to receive outgoing failure
## reports.
# ReportBccAddress postmaster@example.com, john@example.com
## RequiredHeaders { yes | no }
## default no
##
## Rejects messages which don't conform to RFC5322 header count requirements.
# RequiredHeaders No
## RequireSafeKeys { yes | no }
## default yes
##
## Refuses to use key files that appear to have unsafe permissions.
# RequireSafeKeys Yes
## ResignAll { yes | no }
## default no
##
## Where ResignMailTo triggers a re-signing action, this flag indicates
## whether or not all mail should be signed (if set) versus only verified
## mail being signed (if not set).
# ResignAll No
## ResignMailTo dataset
## default (none)
##
## Checks each message recipient against the specified dataset for a
## matching record. The full address is checked in each case, then the
## hostname, then each domain preceded by ".". If there is a match, the
## value returned is presumed to be the name of a key in the KeyTable
## (if defined) to be used to re-sign the message in addition to
## verifying it. If there is a match without a KeyTable, the default key
## is applied.
# ResignMailTo dataset
## ResolverConfiguration string
##
## Passes arbitrary configuration data to the resolver. For the stock UNIX
## resolver, this is ignored; for Unbound, it names a resolv.conf(5)-style
## file that should be read for configuration information.
# ResolverConfiguration string
## ResolverTracing { yes | no }
##
## Requests enabling of resolver trace features, if available. The effect
## of setting this flag depends on how trace features, if any, are implemented
## in the resolver in use. Currently only effective when used with the
## OpenDKIM asynchronous resolver.
# ResolverTracing no
## Selector name
##
## The name of the selector to use when signing. No default; must be
## specified for signing.
Selector {{cfg.selector}}
#my-selector-name
## SenderHeaders dataset
## default (none)
##
## Overrides the default list of headers that will be used to determine
## the sending domain when deciding whether to sign the message and with
## with which key(s). See opendkim.conf(5) for details.
# SenderHeaders From
## SendReports { yes | no }
## default "no"
##
## Specifies whether or not the filter should generate report mail back
## to senders when verification fails and an address for such a purpose
## is provided. See opendkim.conf(5) for details.
# SendReports No
## SignatureAlgorithm signalg
## default "rsa-sha256"
##
## Signature algorithm to use when generating signatures. Must be either
## "rsa-sha1" or "rsa-sha256".
# SignatureAlgorithm rsa-sha256
## SignatureTTL seconds
## default "0"
##
## Specifies the lifetime in seconds of signatures generated by the
## filter. A value of 0 means no expiration time is included in the
## signature.
# SignatureTTL 0
## SignHeaders dataset
## default (none)
##
## Specifies the list of headers which should be included when generating
## signatures. The string should be a comma-separated list of header names.
## See the opendkim.conf(5) man page for more information.
# SignHeaders header1,header2,...
## SigningTable dataset
## default (none)
##
## Defines a dataset that will be queried for the message sender's address
## to determine which private key(s) (if any) should be used to sign the
## message. The sender is determined from the value of the sender
## header fields as described with SenderHeaders above. The key for this
## lookup should be an address or address pattern that matches senders;
## see the opendkim.conf(5) man page for more information. The value
## of the lookup should return the name of a key found in the KeyTable
## that should be used to sign the message. If MultipleSignatures
## is set, all possible lookup keys will be attempted which may result
## in multiple signatures being applied.
# SigningTable filename
## SingleAuthResult { yes | no}
