qmail-dk has the same interface as qmail-queue except that it inserts an appropriate DomainKeys header before it queues the message. There are two separate ways to invoke qmail-dk. For one way, you can patch qmail with the http://qmail.org/qmailqueue patch and set QMAILQUEUE to point to qmail-dk in the environment when you send or receive email. For another way, you can rename qmail-queue to qmail-queue.orig, install qmail-dk in its place under the name qmail-queue, and set DKQUEUE=bin/qmail-queue.orig.
qmail-dk has been patched with qmail-dk-0.54-auth.patch, which adds one piece of automatic behavior. If RELAYCLIENT is found in the environment, qmail-dk imports the DKSIGN environment variable and tries to sign the mail. If RELAYCLIENT is not found in the environment, qmail-dk imports DKVERIFY instead and tries to verify the mail. Whether a message is signed or verified is therefore decided solely by the presence of RELAYCLIENT, so RELAYCLIENT must be set only for hosts and sessions that are trusted to originate mail.
qmail-dk supports DomainKeys signing and verification. It uses the libdomainkey and OpenSSL libraries. To sign a message, set the DKSIGN environment variable to the pathname of the private key that will be used to sign the message. If there is a % character in the pathname, it is replaced by the domain name taken from the message's From: header, so the key that is selected depends on a header supplied by the sending client. If, after substituting the %, that file does not exist, the message is queued unsigned. If there is no % and the file does not exist, the message is rejected with error 32. The selector is taken from the basename of the file; for example, a key at /etc/domainkeys/example.com/default is used with the selector "default". The private key should be created by dknewkey, which comes with libdomainkey.
To verify a message, set the DKVERIFY environment variable to the set of letters for the libdomainkey return statuses that should generate an error. The letters follow the order of the DK_STAT enumeration: A is the first return status (DK_STAT_OK), B is the second (DK_STAT_BADSIG), and so on. Use the uppercase letter if that status should produce a permanent error (exit code 13) and the lowercase letter if it should produce a temporary error (exit code 82); a status whose letter appears in neither case is accepted. For example, to permanently reject messages whose signature has been revoked, include the letter K in the DKVERIFY environment variable. A conservative set of letters is DEGIJKfh: permanently reject NOKEY, BADKEY, SYNTAX, ARGS, INTERNAL and REVOKED errors, and temporarily reject CANTVRFY and NORESOURCE. Add B if you also want to reject messages that carry a signature that does not verify (presumably because the message is a forgery or has been damaged in transit); DEGIJKfh does not reject those, it only records the result. Note that qmail-dk always inserts the DomainKey-Status header, so that messages can also be rejected at delivery time or in the mail reader.
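The DKSIGN substitution rules and the DKVERIFY letter scheme described above are easy to get wrong in a rules file, so what follows is an added example, not code from qmail-dk or libdomainkey, that models both in POSIX sh. dksign_decide shows which key file and selector a DKSIGN template resolves to for a given From: domain and whether the outcome is a signature, an unsigned message or error 32; dkverify_exit shows the exit code a DKVERIFY string yields for a given libdomainkey status. The DK_STAT order is taken from libdomainkey's header; the function names and sample paths are this example's own.

```shell
#!/bin/sh
# Added example (not qmail-dk's or libdomainkey's code): a dry-run model of how
# qmail-dk interprets DKSIGN and DKVERIFY, for checking settings before deployment.

# libdomainkey's DK_STAT values in enum order. DKVERIFY letters index this list:
# A = OK, B = BADSIG, C = NOSIG, D = NOKEY, E = BADKEY, F = CANTVRFY, G = SYNTAX,
# H = NORESOURCE, I = ARGS, J = INTERNAL, K = REVOKED, L = GRANULARITY.
DK_STATUSES="OK BADSIG NOSIG NOKEY BADKEY CANTVRFY SYNTAX NORESOURCE ARGS INTERNAL REVOKED GRANULARITY"
DK_LETTERS="ABCDEFGHIJKL"

# dk_letter STATUS -> the uppercase DKVERIFY letter for STATUS; fails if STATUS is unknown.
dk_letter() {
    i=1
    for s in $DK_STATUSES; do
        if [ "$s" = "$1" ]; then
            printf '%s' "$DK_LETTERS" | cut -c"$i"
            return 0
        fi
        i=$((i + 1))
    done
    return 1
}

# dkverify_exit STATUS LETTERS -> the exit code qmail-dk returns when libdomainkey reports
# STATUS and DKVERIFY=LETTERS: 0 (accept), 13 (permanent error) or 82 (temporary error).
dkverify_exit() {
    upper=$(dk_letter "$1") || { echo "unknown status: $1" >&2; return 1; }
    lower=$(printf '%s' "$upper" | tr 'A-Z' 'a-z')
    case "$2" in
        *"$upper"*) echo 13 ;;   # uppercase letter present: permanent rejection
        *"$lower"*) echo 82 ;;   # lowercase letter present: temporary rejection
        *)          echo 0 ;;    # letter absent: accepted (status still ends up in DomainKey-Status)
    esac
}

# dksign_decide TEMPLATE FROM_DOMAIN -> what qmail-dk does with DKSIGN=TEMPLATE for a message
# whose From: domain is FROM_DOMAIN:
#   "sign SELECTOR KEYFILE"  the key exists; the selector is the file's basename
#   "unsigned KEYFILE"       TEMPLATE had a % and the substituted file is missing: queued unsigned
#   "reject 32"              no % and the file is missing: permanent error 32
dksign_decide() {
    case "$1" in
        *%*) keyfile=$(printf '%s\n' "$1" | sed "s/%/$2/"); templated=1 ;;
        *)   keyfile=$1; templated=0 ;;
    esac
    if [ -f "$keyfile" ]; then
        echo "sign $(basename "$keyfile") $keyfile"
    elif [ "$templated" = 1 ]; then
        echo "unsigned $keyfile"
    else
        echo "reject 32"
    fi
}
```

Source the file on the mail host and run, for instance, dksign_decide /etc/domainkeys/%/default example.com to see the key file qmail-dk would open for that domain, or dkverify_exit BADSIG DEGIJKfh to confirm that the conservative set lets a message with a failing signature through (exit 0) and that only adding B turns it into a permanent rejection.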
Typically, you would sign messages generated on-host by setting DKSIGN in the environment before running an email program; DKSIGN is carried through qmail's sendmail emulation to qmail-dk. You would also set it for qmail-smtpd at the same time RELAYCLIENT is set, most often in the tcpserver cdb file: if a host is authorized to relay, you probably want to sign the messages it sends. DKVERIFY should be set for all other hosts.
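As an added example, not part of qmail, ucspi-tcp or qmail-dk, the following POSIX sh script writes a tcpserver rules source that applies the policy just described and then lints it for the mistakes that silently defeat DomainKeys: a rule that grants RELAYCLIENT without DKSIGN (that host's mail leaves unsigned), a catch-all rule that grants RELAYCLIENT (nothing is verified), and a catch-all that lacks DKVERIFY or is missing altogether (inbound mail is never verified). The trusted networks, file names and the "default" selector are assumptions. The catch-all also carries DKSIGN on the assumption that the qmail-smtpd in use sets RELAYCLIENT after SMTP AUTH; with the -auth patch such a session then imports DKSIGN and is signed rather than verified.

```shell
#!/bin/sh
# Added example (not qmail's, ucspi-tcp's or qmail-dk's code): generate and lint a
# tcpserver rules source for qmail-smtpd that signs for relay clients and verifies
# for everyone else. Networks and paths are assumptions for illustration.

# write_rules DEST -> writes the rules source to DEST.
# Compile it afterwards (not done here) with:  tcprules DEST.cdb DEST.tmp < DEST
write_rules() {
    cat > "$1" <<'EOF'
# Assumed trusted networks: may relay; their mail is signed with the key for the
# From: domain under /etc/domainkeys, selector "default".
127.:allow,RELAYCLIENT="",DKSIGN="/etc/domainkeys/%/default"
192.168.0.:allow,RELAYCLIENT="",DKSIGN="/etc/domainkeys/%/default"
# Everyone else: verify with the conservative letter set. DKSIGN is present too so
# that a session in which qmail-smtpd sets RELAYCLIENT (assumed: after SMTP AUTH)
# is signed instead of verified.
:allow,DKVERIFY="DEGIJKfh",DKSIGN="/etc/domainkeys/%/default"
EOF
}

# lint_rules FILE -> 0 if the policy is consistent, otherwise prints each problem and
# returns 1. Checks: every RELAYCLIENT rule has DKSIGN; the catch-all rule (empty
# address) exists, has DKVERIFY, and does not grant RELAYCLIENT.
lint_rules() {
    status=0
    seen_default=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;          # blank lines and comments
        esac
        addr=${line%%:*}                  # text before the first ':' is the address prefix
        [ -z "$addr" ] && seen_default=1
        case "$line" in
            *RELAYCLIENT*)
                case "$line" in
                    *DKSIGN=*) ;;
                    *) echo "rule '$addr': RELAYCLIENT without DKSIGN, relayed mail goes out unsigned"
                       status=1 ;;
                esac
                if [ -z "$addr" ]; then
                    echo "catch-all rule grants RELAYCLIENT: open relay, and nothing is verified"
                    status=1
                fi
                ;;
        esac
        if [ -z "$addr" ]; then
            case "$line" in
                *DKVERIFY=*) ;;
                *) echo "catch-all rule has no DKVERIFY: inbound mail is not verified"
                   status=1 ;;
            esac
        fi
    done < "$1"
    if [ "$seen_default" = 0 ]; then
        echo "no catch-all rule: unlisted hosts get neither DKSIGN nor DKVERIFY"
        status=1
    fi
    return $status
}
```

Run lint_rules against the rules source every time it changes and before compiling it with tcprules; a rules file that passes still only controls the environment that qmail-smtpd hands down, so messages injected locally through the sendmail emulation are governed by the DKSIGN set in that process's environment instead.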
If neither DKSIGN nor DKVERIFY is set, DKSIGN defaults to /etc/domainkeys/%/default. If such a private key exists for the From: domain, it is used to sign the message. This default also applies to mail from hosts for which nothing at all is set, which is why DKVERIFY must be set for every host that is not authorized to relay: otherwise a message arriving from outside with a From: address in one of your signing domains is signed with your key rather than verified.
qmail-dk will ordinarily spawn qmail-queue, but if DKQUEUE is set in the environment, the program it points to is executed instead. If DKQUEUE is not set and qmail-dk has been invoked under the name qmail-queue, qmail-queue.orig is spawned instead.