Quick Navigator

Search Site

Unix VPS
A - Starter
B - Basic
C - Preferred
D - Commercial
MPS - Dedicated
Previous VPSs
* Sign Up! *

Contact Us
Online Help
Domain Status
Man Pages

Virtual Servers

Topology Map

Server Agreement
Year 2038

USA Flag



Man Pages

Manual Reference Pages  -  QMAIL-DK (8)


qmail-dk - sign/verify and queue a mail message for delivery






qmail-dk has the same interface as qmail-queue except that it inserts an appropriate DomainKeys header before it queues the message. There are two separate ways to invoke qmail-dk. For one way, you can patch qmail with the patch and set QMAILQUEUE to point to qmail-dk in the environment when you send or receive email. For another way, you can rename qmail-queue to qmail-queue.orig, and set DKQUEUE=bin/qmail-queue.orig.

qmail-dk has been patched with qmail-dk-0.54-auth.patch, which sets up a bit of automatic behavior. If RELAYCLIENT is found in the environment, qmail-dk imports the DKSIGN environment variable and tries to sign the mail. If RELAYCLIENT is not found in the environment, DKVERIFY is imported, and we attempt to verify the mail.

qmail-dk supports DomainKey signing and verification. It uses the libdomainkey and OpenSSL libraries. To sign a message, set the DKSIGN environment variable to the pathname to the private key that will be used to sign the message. If there is a % character in the environment variable, it is removed and replaced by the domain name in the From: header. If, after substituting the %, that file does not exist, the message will not be signed. If there is no % and the file does not exist, the message will be rejected with error 32. The selector will be taken from the basename of the file. The private key should be created by dknewkey, which comes with libdomainkey.

To verify a message, set the DKVERIFY environment variable to a desired set of letters. Precisely, if you want a libdomainkey return status to generate an error, include that letter, where A is the first return status (DK_STAT_OK), B is the second (DK_STAT_BADSIG), etc. The letter should be uppercase if you want a permanent error to be returned (exit code 13), and lowercase if you want a temporary error to be returned (exit code 82).

For example, if you want to permanently reject messages that have a signature that has been revoked, include the letter ’K’ in the DKVERIFY environment variable. A conservative set of letters is DEGIJKfh. Reject permanently BADSIG, NOKEY, BADKEY, SYNTAX, ARGS, REVOKED, and INTERNAL errors, and temporarily CANTVRFY and NORESOURCE. Add in B if you want to reject messages that have a signature that doesn’t verify (presumably because the message is a forgery or has been damaged in transit. Note that qmail-dk always inserts the DomainKey-Status header, so that messages can be rejected at delivery time, or in the mail reader.

Typically, you would sign messages generated on-host by setting DKSIGN in the environment before running an email program. DKSIGN will be carried through qmail’s sendmail emulation through qmail-inject to qmail-dk. You would also set it for qmail-smtpd at the same time RELAYCLIENT is set, most often in the tcpserver cdb file. If a host is authorized to relay, you probably want to sign messages sent by that host. DKVERIFY should be set for all other hosts.

If neither DKSIGN nor DKVERIFY are set, then DKSIGN will be set to /etc/domainkeys/%/default. If such a private key exists, it will be used to sign the domain.

qmail-dk will ordinarily spawn qmail-queue, but if DKQUEUE is set in the environment, the program that it points to will be executed instead. If DKQUEUE is not set, and qmail-dk has been invoked as qmail-queue then qmail-queue.orig is spawned instead.


qmail-dk returns the same exit codes as qmail-queue with these additions:
32 The private key file does not exist.
57 Trouble waiting for qmail-queue to exit.
58 Unable to vfork.
59 Unable to create a pipe to qmail-queue.


addresses(5), envelopes(5), qmail-header(5), qmail-inject(8), qmail-qmqpc(8), qmail-queue(8), qmail-send(8), qmail-smtpd(8)
Search for    or go to Top of page |  Section 8 |  Main Index

QMAIL-DK (8) -->

Powered by GSP Visit the GSP FreeBSD Man Page Interface.
Output converted with manServer 1.07.