relay/cmdeploy/src/cmdeploy/opendkim/opendkim.conf

# OpenDKIM configuration.

Syslog			yes
SyslogSuccess		yes
#LogWhy			no

# Common signing and verification parameters. In Debian, the "From" header is
# oversigned, because it is often the identity key used by reputation systems
# and thus somewhat security sensitive.
Canonicalization	relaxed/simple
OversignHeaders		From

On-BadSignature         reject
On-KeyNotFound          reject
On-NoSignature          reject

# Signing domain, selector, and key (required). For example, perform signing
# for domain "example.com" with selector "2020" (2020._domainkey.example.com),
# using the private key stored in /etc/dkimkeys/example.private. More granular
# setup options can be found in /usr/share/doc/opendkim/README.opendkim.
Domain			{{ config.domain_name }}
Selector		{{ config.opendkim_selector }}
KeyFile		  /etc/dkimkeys/{{ config.opendkim_selector }}.private
KeyTable          /etc/dkimkeys/KeyTable
SigningTable      refile:/etc/dkimkeys/SigningTable

# Sign Autocrypt header in addition to the default specified in RFC 6376.
SignHeaders *,+autocrypt

# Script to ignore signatures that do not correspond to the From: domain.
ScreenPolicyScript /etc/opendkim/screen.lua

# Script to reject mails without a valid DKIM signature.
FinalPolicyScript /etc/opendkim/final.lua

# In Debian, opendkim runs as user "opendkim". A umask of 007 is required when
# using a local socket with MTAs that access the socket as a non-privileged
# user (for example, Postfix). You may need to add user "postfix" to group
# "opendkim" in that case.
UserID			opendkim
UMask			007

Socket			local:/var/spool/postfix/opendkim/opendkim.sock

PidFile			/run/opendkim/opendkim.pid

# The trust anchor enables DNSSEC. In Debian, the trust anchor file is provided
# by the package dns-root-data.
TrustAnchorFile		/usr/share/dns/root.key