Default opendkim.conf options

From: Steve Jenkins <stevejenkins_at_gmail.com>
Date: Fri, 22 Jul 2011 18:02:01 -0700

I'm making good progress on the RedHat packaging for OpenDKIM, and
using the built-in .spec file from /contrib as a starting point. Now
I'm to the point where I need to make some final decisions about the
default configuration of OpenDKIM in a RedHat environment. Here's the
default opendkim.conf suggested by Murray's original .spec file:

## Basic OpenDKIM config file for verification only
## See opendkim.conf(5) or
%{_docdir}/%{name}-%{version}/opendkim.conf.sample for more
PidFile %{_localstatedir}/run/opendkim/opendkim.pid
Mode v
Syslog yes
#Umask 002
#UserID opendkim:mail
#Socket local:%{_localstatedir}/run/opendkim/opendkim.socket
Socket inet:8891@localhost

## After setting Mode to "sv", running
## opendkim-genkey -D %{_sysconfdir}/opendkim -s key -d `hostname --domain`
## and putting %{_sysconfdir}/opendkim
#Canonicalization relaxed/simple
#Domain example.com # change to domain
#Selector key
#KeyFile %{_sysconfdir}/opendkim/key.private

1) I'm really tempted to make the default Mode sv, but since someone
could potentially install this RPM on a production machine, there's
the possibility they'd be sending out signed mail before they have a
chance to update their DNS zone file with their public key, meaning
anyone who is verifying on the receiving end could refuse delivery. I'd
love some opinions here - is v the best default mode?

2) I'm wondering why the default group in UserID is "mail." Since
we're creating the opendkim user AND group, any good reason to not
have UserID be opendkim:opendkim? Also, can I just comment this line
in the default conf?

3) I almost want to remove the commented Socket line altogether, and
just leave the uncommented "inet:8891" line so that it's not
confusing. Anyone who knows enough to know that they want something
different can easily read the docs and make this change themselves.
Also, is 8891 the preferred port for a reason? I'm using 20209 on my
RedHat boxes (not sure I can remember why).

4) I'm OK leaving the Domain, Selector, and KeyFile lines commented,
but I'm wondering about including a commented KeyTable line, too. I
think quite a few people may want to sign for multiple domains.

5) Should there be a default trusted-hosts file created on install
with 127.0.0.1 in it? If so, I'll put that in the default conf file
(and reference it for ExternalIgnoreList and InternalHosts).

6) Should "X-Header Yes" be added by default? I think it would help
with troubleshooting, and OpenDKIM evangelizing. :)

7) I use AutoRestart in my personal conf file, but is that potentially
problematic for new users? Is it worth including in the default? Maybe
just included and commented out?

8) Should there be any ADSPAction or ADSPNoSuchDomain options in the default?

9) Should we set some liberal default "On-" options such as:

On-Default accept
On-BadSignature accept
On-DNSError tempfail
On-InternalError accept
On-NoSignature accept
On-Security tempfail

10) I'm going to compile with --enable-stats, so I'll put a
"Statistics" option in the conf file, but commented. The README will
explain how to enable it. Murray - do you want the README to just say
to email you? Or do you want to set up some semi-automated method on
your website?

Thanks for any input!

SteveJ
Received on Sat Jul 23 2011 - 01:02:15 PST
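A small pre-flight checker for the draft configuration discussed above, added here as an example and not part of the original message or of the OpenDKIM project: it parses opendkim.conf syntax and flags the situation question 1 worries about (Mode includes s but no signing key is configured, or the selector's public key is not yet published in DNS), a malformed Socket value, and misspelled On- actions. The sample config, the resolve_txt lookup hook and the set of accepted On- spellings are assumptions.

```python
import re
from typing import Callable, Dict, List, Optional

# Constructed sample (not from the post): the draft config with Mode switched to "sv"
# while the signing lines are still commented out, plus a typo in an On- option.
SAMPLE_CONF = """\
Mode sv
Socket inet:8891@localhost
#Domain example.com
#Selector key
#KeyFile /etc/opendkim/key.private
On-BadSignature accept
On-Security tempfial
"""
ON_ACTIONS = {"accept", "discard", "reject", "tempfail"}  # spellings used in the post
SOCKET_RE = re.compile(r"^(inet:\d+@\S+|local:/\S+)$")

def parse_conf(text: str) -> Dict[str, str]:
    """Parse opendkim.conf syntax: one 'Key value' per line, '#' starts a comment."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if parts:
            conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def check_conf(conf: Dict[str, str],
               resolve_txt: Optional[Callable[[str], Optional[str]]] = None) -> List[str]:
    """Return a list of problems. resolve_txt is a hypothetical hook: name -> TXT or None."""
    problems: List[str] = []
    mode = conf.get("Mode", "")
    if "s" in mode:  # signing requested: is there a key, and is it published?
        if not (all(conf.get(k) for k in ("Domain", "Selector", "KeyFile"))
                or all(conf.get(k) for k in ("KeyTable", "SigningTable"))):
            problems.append("Mode %r enables signing but no Domain/Selector/KeyFile "
                            "(or KeyTable/SigningTable) is set" % mode)
        elif resolve_txt is not None and conf.get("Selector"):
            name = "%s._domainkey.%s" % (conf["Selector"], conf["Domain"])
            txt = resolve_txt(name)
            if txt is None or "v=DKIM1" not in txt:
                problems.append("public key record %s is not published in DNS; "
                                "verifiers may reject signed mail" % name)
    if "Socket" in conf and not SOCKET_RE.match(conf["Socket"]):
        problems.append("Socket %r is not inet:port@host or local:/path" % conf["Socket"])
    for key, value in conf.items():
        if key.startswith("On-") and value not in ON_ACTIONS:
            problems.append("%s: unknown action %r" % (key, value))
    return problems
```

Wire resolve_txt to a real TXT lookup to turn the DNS check into a post-install sanity test before switching Mode from v to sv.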