|
Unix VPS
Support
FAQ
Network
Miscellaneous
|
| qmail-dk(8) | FreeBSD System Manager's Manual | qmail-dk(8) |
NAME
qmail-dk - sign/verify and queue a mail message for deliverySYNOPSIS
qmail-dkDESCRIPTION
qmail-dk has the same interface as qmail-queue except that it inserts an appropriate DomainKeys header before it queues the message. There are two separate ways to invoke qmail-dk. For one way, you can patch qmail with the http://qmail.org/qmailqueue patch and set QMAILQUEUE to point to qmail-dk in the environment when you send or receive email. For another way, you can rename qmail-queue to qmail-queue.orig, and set DKQUEUE=bin/qmail-queue.orig.qmail-dk has been patched with qmail-dk-0.54-auth.patch, which sets up a bit of automatic behavior. If RELAYCLIENT is found in the environment, qmail-dk imports the DKSIGN environment variable and tries to sign the mail. If RELAYCLIENT is not found in the environment, DKVERIFY is imported, and we attempt to verify the mail.
qmail-dk supports DomainKey signing and verification. It uses the libdomainkey and OpenSSL libraries. To sign a message, set the DKSIGN environment variable to the pathname to the private key that will be used to sign the message. If there is a % character in the environment variable, it is removed and replaced by the domain name in the From: header. If, after substituting the %, that file does not exist, the message will not be signed. If there is no % and the file does not exist, the message will be rejected with error 32. The selector will be taken from the basename of the file. The private key should be created by dknewkey, which comes with libdomainkey.
To verify a message, set the DKVERIFY environment variable to a desired set of letters. Precisely, if you want a libdomainkey return status to generate an error, include that letter, where A is the first return status (DK_STAT_OK), B is the second (DK_STAT_BADSIG), etc. The letter should be uppercase if you want a permanent error to be returned (exit code 13), and lowercase if you want a temporary error to be returned (exit code 82).
For example, if you want to permanently reject messages that have a signature that has been revoked, include the letter 'K' in the DKVERIFY environment variable. A conservative set of letters is DEGIJKfh. Reject permanently BADSIG, NOKEY, BADKEY, SYNTAX, ARGS, REVOKED, and INTERNAL errors, and temporarily CANTVRFY and NORESOURCE. Add in B if you want to reject messages that have a signature that doesn't verify (presumably because the message is a forgery or has been damaged in transit. Note that qmail-dk always inserts the DomainKey-Status header, so that messages can be rejected at delivery time, or in the mail reader.
Typically, you would sign messages generated on-host by setting DKSIGN in the environment before running an email program. DKSIGN will be carried through qmail's sendmail emulation through qmail-inject to qmail-dk. You would also set it for qmail-smtpd at the same time RELAYCLIENT is set, most often in the tcpserver cdb file. If a host is authorized to relay, you probably want to sign messages sent by that host. DKVERIFY should be set for all other hosts.
If neither DKSIGN nor DKVERIFY are set, then DKSIGN will be set to /etc/domainkeys/%/default. If such a private key exists, it will be used to sign the domain.
qmail-dk will ordinarily spawn qmail-queue, but if DKQUEUE is set in the environment, the program that it points to will be executed instead. If DKQUEUE is not set, and qmail-dk has been invoked as qmail-queue then qmail-queue.orig is spawned instead.
EXIT CODES
qmail-dk returns the same exit codes as qmail-queue with these additions:- 32
- The private key file does not exist.
- 57
- Trouble waiting for qmail-queue to exit.
- 58
- Unable to vfork.
- 59
- Unable to create a pipe to qmail-queue.
SEE ALSO
addresses(5), envelopes(5), qmail-header(5), qmail-inject(8), qmail-qmqpc(8), qmail-queue(8), qmail-send(8), qmail-smtpd(8)
Visit the GSP FreeBSD Man Page Interface.
Output converted with ManDoc.