Maintenance Procedures                                   qmail-dk(8)

NAME
     qmail-dk - sign/verify and queue a mail message for delivery

SYNOPSIS
     qmail-dk

DESCRIPTION
     qmail-dk has the same interface as qmail-queue except that it
     inserts an appropriate DomainKeys header before it queues the
     message. There are two separate ways to invoke qmail-dk. For
     one way, you can patch qmail with the
     http://qmail.org/qmailqueue patch and set QMAILQUEUE to point
     to qmail-dk in the environment when you send or receive email.
     For another way, you can rename qmail-queue to
     qmail-queue.orig, and set DKQUEUE=bin/qmail-queue.orig.

     qmail-dk supports DomainKey signing and verification. It uses
     the libdomainkey and OpenSSL libraries. To sign a message, set
     the DKSIGN environment variable to the pathname to the private
     key that will be used to sign the message. If there is a %
     character in the environment variable, it is removed and
     replaced by the domain name in the From: header. If, after
     substituting the %, that file does not exist, the message will
     not be signed. If there is no % and the file does not exist,
     the message will be rejected with error 32. The selector will
     be taken from the basename of the file. The private key should
     be created by dknewkey, which comes with libdomainkey.

     To verify a message, set the DKVERIFY environment variable to
     a desired set of letters. Precisely, if you want a
     libdomainkey return status to generate an error, include that
     letter, where A is the first return status (DK_STAT_OK), B is
     the second (DK_STAT_BADSIG), etc. The letter should be
     uppercase if you want a permanent error to be returned (exit
     code 13), and lowercase if you want a temporary error to be
     returned (exit code 82).
     For example, if you want to permanently reject messages that
     have a signature that has been revoked, include the letter 'K'
     in the DKVERIFY environment variable. A conservative set of
     letters is DEGIJKfh. Reject permanently BADSIG, NOKEY, BADKEY,
     SYNTAX, ARGS, REVOKED, and INTERNAL errors, and temporarily
     CANTVRFY and NORESOURCE. Add in B if you want to reject
     messages that have a signature that doesn't verify (presumably
     because the message is a forgery or has been damaged in
     transit). Note that qmail-dk always inserts the
     DomainKey-Status header, so that messages can be rejected at
     delivery time, or in the mail reader.

     Typically, you would sign messages generated on-host by
     setting DKSIGN in the environment before running an email
     program. DKSIGN will be carried through qmail's sendmail
     emulation through qmail-inject to qmail-dk. You would also set
     it for qmail-smtpd at the same time RELAYCLIENT is set, most
     often in the tcpserver cdb file. If a host is authorized to
     relay, you probably want to sign messages sent by that host.
     DKVERIFY should be set for all other hosts.

     If neither DKSIGN nor DKVERIFY is set, then DKSIGN will be set
     to /etc/domainkeys/%/default. If such a private key exists, it
     will be used to sign the domain.

     qmail-dk will ordinarily spawn qmail-queue, but if DKQUEUE is
     set in the environment, the program that it points to will be
     executed instead.
     If DKQUEUE is not set, and qmail-dk has been invoked as
     qmail-queue then qmail-queue.orig is spawned instead.

EXIT CODES
     qmail-dk returns the same exit codes as qmail-queue with these
     additions:

     32   The private key file does not exist.

     57   Trouble waiting for qmail-queue to exit.

     58   Unable to vfork.

     59   Unable to create a pipe to qmail-queue.

SEE ALSO
     addresses(5), envelopes(5), qmail-header(5), qmail-inject(8),
     qmail-qmqpc(8), qmail-queue(8), qmail-send(8), qmail-smtpd(8)

SunOS 5.11
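
The DKSIGN rules in DESCRIPTION (the % substitution, the unsigned versus error 32 outcome, and the selector taken from the basename) can be checked before going live with a small preflight function. This is an added example, not part of qmail-dk or the original page; the name dksign_plan, its output format and the domain example.com are this example's own, and it assumes only the first % is substituted.

```shell
#!/bin/sh
# Added example (not from qmail-dk): predict what qmail-dk will do with a
# given DKSIGN value, following the rules stated in DESCRIPTION.
#
# dksign_plan DKSIGN_VALUE FROM_DOMAIN prints one of:
#   sign <keyfile> selector=<name>   key exists, message would be signed
#   unsigned <keyfile>               % pattern, no key for this domain
#   reject-32 <keyfile>              fixed path, key file missing
dksign_plan() {
    pattern=$1
    domain=$2
    case $pattern in
        *%*)
            # Assumption: only the first % is replaced by the From: domain.
            prefix=${pattern%%\%*}   # text before the first %
            suffix=${pattern#*\%}    # text after the first %
            keyfile=$prefix$domain$suffix
            missing=unsigned         # missing key: message goes out unsigned
            ;;
        *)
            keyfile=$pattern
            missing=reject-32        # missing key: rejected with error 32
            ;;
    esac
    if [ -f "$keyfile" ]; then
        # The selector is the basename of the private key file.
        echo "sign $keyfile selector=$(basename "$keyfile")"
    else
        echo "$missing $keyfile"
    fi
}

# Sample call with a constructed domain. The fallback path is the default
# qmail-dk uses, which applies only when DKVERIFY is unset as well.
dksign_plan "${DKSIGN:-/etc/domainkeys/%/default}" example.com
```

Run it once per sending domain: a result of reject-32 means mail for that configuration will be refused, while unsigned means it will be queued without a DomainKeys signature.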