[rpms/postsrsd] epel10: update config file

[David Beveridge <dave@bevhost.com>]

A new commit has been pushed.

Repo   : rpms/postsrsd
Branch : epel10
Commit : 297a0c260614b3e2215b4f796d6fd6401cbb8a5b
Author : David Beveridge <dave@bevhost.com>
Date   : 2026-06-14T13:22:31+10:00
Stats  : +88/-30 in 2 file(s)
URL    : https://src.fedoraproject.org/rpms/postsrsd/c/297a0c260614b3e2215b4f796d6fd6401cbb8a5b?branch=epel10

Log:
update config file

---
diff --git a/postsrsd.conf b/postsrsd.conf
index a112c4c..9ed4562 100644
--- a/postsrsd.conf
+++ b/postsrsd.conf
@@ -11,7 +11,10 @@
 # Example:
 #     domains = { "example.com", "example.org", "example.net" }
 #
-#domains = {}
+# Default:
+#     none
+#
+domains = {}
 
 # Local domains (file storage)
 # Instead of listing your local domains directly, you can also write them to a
@@ -23,8 +26,21 @@
 # Example:
 #     domains-file = "/etc/postsrsd.domains"
 #
+# Default:
+#     none
+#
 domains-file = "/etc/postsrsd.domains"
 
+# Watch domains file for changes
+# You can tell PostSRSd to automatically reconfigure itself whenever the domain
+# file changes. Alternatively, sending SIGHUP to the PostSRSd process will also
+# trigger a reload.
+#
+# Default:
+#     domains-file-watch = off
+#
+#domains-file-watch = off
+
 # Dedicated SRS rewrite domain.
 # The local domain which is used to create the ephemeral SRS envelope
 # addresses. It is recommended that you use a dedicated mail domain for SRS if
@@ -34,6 +50,9 @@ domains-file = "/etc/postsrsd.domains"
 # Example:
 #     srs-domain = "srs.example.com"
 #
+# Default:
+#     none
+#
 #srs-domain =
 
 # Socketmap lookup table for Postfix integration.
@@ -47,6 +66,9 @@ domains-file = "/etc/postsrsd.domains"
 #     socketmap = unix:/var/spool/postfix/srs
 #     socketmap = inet:localhost:10003
 #
+# Default:
+#     socketmap = unix:/var/spool/postfix/srs
+#
 socketmap = unix:/var/spool/postfix/srs
 
 # Socketmap connection keep-alive timeout.
@@ -54,10 +76,26 @@ socketmap = unix:/var/spool/postfix/srs
 # open for a while longer, in case Postfix has additional queries. PostSRSd
 # will close the connection after the configured time (in seconds) has expired.
 #
-# Examples:
+# Default:
 #     keep-alive = 30
 #
-keep-alive = 30
+#keep-alive = 30
+
+# Secret keys for signing and verifying SRS addresses.
+# Rewritten addresses are tagged with a truncated HMAC-SHA1 signature, to
+# prevent tampering and forged envelope addresses. You can have more than
+# one signing secret; each line of the secrets file is considered one secret
+# key. If an incoming signature matches any key, it is accepted. Outgoing
+# signatures will always be generated with the first configured secret.
+#
+# For security reasons, you should also make sure that the file is owned and
+# only accessible by root (chmod 600). PostSRSd reads this file before it
+# chroots and drops root privileges.
+#
+# Default:
+#     secrets-file = "/etc/postsrsd.secret"
+#
+secrets-file = "/etc/postsrsd.secret"
 
 # Milter endpoint for MTA integration.
 # PostSRSd can act as a milter to rewrite envelope addresses if it has been
@@ -68,6 +106,9 @@ keep-alive = 30
 #     milter = unix:/var/spool/postfix/srs_milter
 #     milter = inet:localhost:9997
 #
+# Default:
+#     none
+#
 #milter =
 
 # Original envelope sender handling.
@@ -87,7 +128,10 @@ keep-alive = 30
 #     original-envelope = embedded
 #     original-envelope = database
 #
-original-envelope = embedded
+# Default:
+#     original-envelope = embedded
+#
+#original-envelope = embedded
 
 # Database for envelope sender storage.
 # If you decide to store envelope senders in a database, this database will be
@@ -101,30 +145,20 @@ original-envelope = embedded
 #     envelope-database = "sqlite:./senders.db"
 #     envelope-database = "redis:localhost:6379"
 #
-#envelope-database = "sqlite:./senders.db"
-
-# Secret keys for signing and verifying SRS addresses.
-# Rewritten addresses are tagged with a truncated HMAC-SHA1 signature, to
-# prevent tampering and forged envelope addresses. You can have more than
-# one signing secret; each line of the secrets file is considered one secret
-# key. If an incoming signature matches any key, it is accepted. Outgoing
-# signatures will always be generated with the first configured secret.
-#
-# For security reasons, you should also make sure that the file is owned and
-# only accessible by root (chmod 600). PostSRSd reads this file before it
-# chroots and drops root privileges.
-#
-# Example:
-#     secrets-file = "/etc/postsrsd.secret"
+# Default:
+#     none
 #
-secrets-file = "/etc/postsrsd.secret"
+#envelope-database = "sqlite:./senders.db"
 
 # SRS tag separator
 # This is the character following the initial SRS0 or SRS1 tag of a generated
 # sender address. Valid separators are "=", "+", and "-". Unless you have a
 # very good reason, you should leave this setting at its default.
 #
-separator = "="
+# Default:
+#     separator = "="
+#
+#separator = "="
 
 # SRS hash signature length
 # Any SRS address will be signed with a truncated hash to prevent tampering and
@@ -136,7 +170,10 @@ separator = "="
 # WARNING: You can break your mail server (or worse, turn it into a spam relay)
 # if you mess up this setting.
 #
-hash-length = 4
+# Default:
+#     hash-length = 4
+#
+#hash-length = 4
 
 # SRS minimum acceptable hash signature length
 # This is the mininum signature length that PostSRSd considers valid. It is a
@@ -148,42 +185,62 @@ hash-length = 4
 # WARNING: You can break your mail server (or worse, turn it into a spam relay)
 # if you mess up this setting.
 #
-hash-minimum = 4
+# Default:
+#     hash-minimum = 4
+#
+#hash-minimum = 4
 
 # Always rewrite sender addresses
 # You can force PostSRSd to rewrite any sender address, even if it has been
 # rewritten already. You probably do not want to do this, though.
 #
-always-rewrite = off
+# Default:
+#     always-rewrite = off
+#
+#always-rewrite = off
 
 # Execute PostSRSd as unprivileged user
 # Drop root privileges and run as this user before entering the main loop and
 # handling untrusted input. To prevent PostSRSd from changing users, set this to
 # the empty string.
 #
-# Example:
+# Default:
 #     unprivileged-user = "nobody"
 #
-unprivileged-user = "nobody"
+#unprivileged-user = "nobody"
 
 # Execute PostSRSd in chroot jail
 # PostSRSd will jail itself in the given directory, which adds an additional
 # layer of protection against the exploitation of security bugs in PostSRSd. To
 # prevent PostSRSd from chrooting, set this to the empty string.
 #
-# Example:
+# Default:
 #     chroot-dir = "/var/lib/postsrsd"
 #
-chroot-dir = "/var/lib/postsrsd"
+#chroot-dir = "/var/lib/postsrsd"
 
 # Syslog
 # PostSRSd writes log messages to stderr. If you enable this option, PostSRSd
 # will also send all messages to the syslog mail facility.
 #
-syslog = off
+# Default:
+#     syslog = off
+#
+#syslog = off
 
 # Debug
 # This option makes PostSRSd more verbose in its logging, which can be useful
 # to hunt down configuration problems.
 #
-debug = off
+# Default:
+#     debug = off
+#
+#debug = off
+
+# Seccomp sandboxing
+# This option enables additional sandboxing while handling untrusted input.
+#
+# Default:
+#     seccomp = on
+#
+#seccomp = on

diff --git a/postsrsd.spec b/postsrsd.spec
index 8ef2981..097f5d7 100644
--- a/postsrsd.spec
+++ b/postsrsd.spec
@@ -110,6 +110,7 @@ fi
 * Sun Jun 14 2026 David Beveridge <dave@bevhost.com> - 2.1.0-1
 - Update to 2.1 with new features e.g. Reload configuration on SIGHUP
 - inotify support to watch domains-file for changes and reconfigure automatically.
+- update config file
 
 * Sun Jun 07 2026 David Beveridge <dave@bevhost.com> - 2.0.11-1
 - First working 2.x release