Maintenance Procedures qmail-dk(8)
NAME
qmail-dk - sign/verify and queue a mail message for delivery

SYNOPSIS
qmail-dk

DESCRIPTION
qmail-dk has the same interface as qmail-queue except that
it inserts an appropriate DomainKeys header before it queues
the message. There are two separate ways to invoke qmail-dk.
One way is to patch qmail with the
http://qmail.org/qmailqueue patch and set QMAILQUEUE to
point to qmail-dk in the environment when you send or
receive email. The other way is to rename qmail-queue
to qmail-queue.orig, and set DKQUEUE=bin/qmail-queue.orig.

qmail-dk supports DomainKey signing and verification. It
uses the libdomainkey and OpenSSL libraries. To sign a
message, set the DKSIGN environment variable to the pathname of
the private key that will be used to sign the message. If
there is a % character in the environment variable, it is
removed and replaced by the domain name in the From: header.
If, after substituting the %, that file does not exist, the
message will not be signed. If there is no % and the file
does not exist, the message will be rejected with error 32.
The selector will be taken from the basename of the file.
The private key should be created by dknewkey, which comes
with libdomainkey.

To verify a message, set the DKVERIFY environment variable
to a desired set of letters. Precisely, if you want a
libdomainkey return status to generate an error, include that
letter, where A is the first return status (DK_STAT_OK), B
is the second (DK_STAT_BADSIG), etc. The letter should be
uppercase if you want a permanent error to be returned (exit
code 13), and lowercase if you want a temporary error to be
returned (exit code 82).

For example, if you want to permanently reject messages that
have a signature that has been revoked, include the letter
'K' in the DKVERIFY environment variable. A conservative
set of letters is DEGIJKfh. Reject permanently BADSIG,
NOKEY, BADKEY, SYNTAX, ARGS, REVOKED, and INTERNAL errors,
and temporarily CANTVRFY and NORESOURCE. Add in B if you
want to reject messages that have a signature that doesn't
verify (presumably because the message is a forgery or has
been damaged in transit). Note that qmail-dk always inserts
the DomainKey-Status header, so that messages can be
rejected at delivery time, or in the mail reader.

Typically, you would sign messages generated on-host by
setting DKSIGN in the environment before running an email
program. DKSIGN will be carried through qmail's sendmail
emulation through qmail-inject to qmail-dk. You would also
set it for qmail-smtpd at the same time RELAYCLIENT is set,
most often in the tcpserver cdb file. If a host is
authorized to relay, you probably want to sign messages sent by
that host. DKVERIFY should be set for all other hosts.

If neither DKSIGN nor DKVERIFY is set, then DKSIGN will be
set to /etc/domainkeys/%/default. If such a private key
exists, it will be used to sign the domain.
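
The DKSIGN lookup rules described above (the % substitution, the selector, error 32, and the default path), as an added shell sketch for checking a configuration; it is not code from qmail-dk. The function names effective_dksign and dksign_plan are hypothetical, and an empty value is assumed to behave like an unset variable.

```shell
#!/bin/sh
# Added example, not qmail-dk source: models the DKSIGN rules on this page.
# Assumption: an empty value is treated the same as an unset variable.

# effective_dksign DKSIGN DKVERIFY -> the DKSIGN value that applies
effective_dksign() {
    if [ -z "$1" ] && [ -z "$2" ]; then
        echo '/etc/domainkeys/%/default'    # neither variable set: default
    else
        printf '%s\n' "$1"
    fi
}

# dksign_plan DKSIGN FROM_DOMAIN
# Prints "sign FILE SELECTOR", "unsigned FILE" or "reject32 FILE".
dksign_plan() {
    pattern=$1
    domain=$2
    case $pattern in
        '')  echo 'unsigned -'; return 0 ;;
        *%*) templated=yes
             # Replace the first % with the domain from the From: header.
             keyfile=${pattern%%\%*}${domain}${pattern#*%} ;;
        *)   templated=no
             keyfile=$pattern ;;
    esac
    if [ -f "$keyfile" ]; then
        echo "sign $keyfile ${keyfile##*/}"   # selector = basename of key file
    elif [ "$templated" = yes ]; then
        echo "unsigned $keyfile"              # % used, no key: not signed
    else
        echo "reject32 $keyfile"              # no %, no key: exit code 32
    fi
}

# Demo on a constructed key tree: example.com has a key, example.net has none.
demo=$(mktemp -d)
mkdir -p "$demo/example.com"
: > "$demo/example.com/default"
dksign_plan "$demo/%/default" example.com   # key present: signed
dksign_plan "$demo/%/default" example.net   # templated path, no key: unsigned
dksign_plan "$demo/missing" example.com     # fixed path, no key: rejected
rm -rf "$demo"
```

The "unsigned" result is the case to look for when auditing: with a % in DKSIGN, a missing or misnamed key for one domain lets that domain's mail go out unsigned with no error.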

qmail-dk will ordinarily spawn qmail-queue, but if DKQUEUE
is set in the environment, the program that it points to
will be executed instead. If DKQUEUE is not set, and
qmail-dk has been invoked as qmail-queue then
qmail-queue.orig is spawned instead.

EXIT CODES
qmail-dk returns the same exit codes as qmail-queue with
these additions:
32 The private key file does not exist.
57 Trouble waiting for qmail-queue to exit.
58 Unable to vfork.
59 Unable to create a pipe to qmail-queue.

SEE ALSO
addresses(5), envelopes(5), qmail-header(5),
qmail-inject(8), qmail-qmqpc(8), qmail-queue(8), qmail-send(8),
qmail-smtpd(8)
SunOS 5.11 Last change: 2