zdkimsign - a wrapper around zdkimfilter
zdkimsign [option [option-arg]] message-file ...
is a wrapper around the zdkimfilter executable. It provides for
offline signing of messages, and a few other utilities. It searches for the
zdkimfilter executable in the build-time configured path, and either in the
directory used for calling it, if any, or in the PATH.
That way it can work
when the package is built but not yet installed.
Normally, zdkimsign uses the --no-db option of zdkimfilter, so as to avoid
having the messages signed this way logged to the database. However, the
--db-filter option allows logging. Using it may require to choose a
temporary directory carefully: To have zdkimfilter sign the files, zdkimsign
writes a minimal ctlfile in the temporary directory. The inode number for
database keys is that of the ctlfile. To ensure uniqueness, if used as a key,
it is necessary that the ctlfile gets created in the same disk partition where
Courier writes received mail files.
zdkimsign creates the ctlfile in the directory specified by the -t option, if
any; otherwise, in the one specified by the tmp configuration option, if
present; otherwise in /tmp.
- -f config-filename
Specify a different configuration file. That way it is possible to configure
for signing different header fields, or using different keys. zdkimsign only
reads the tmp and default_domain configuration options, but forwards this
command line option to the invoked zdkimfilter.
- -t tmp-directory
The directory used for temporary files.
Log to syslog (LOG_MAIL facility) rather than stderr.
Use standard I/O, that is read a mail file on stdin and rewrite it to stdout.
This option implies --syslog, but the filter response is echoed on stderr in
case of error.
I/O behavior is obtained by passing the --no-fork option to zdkimfilter.
That way, the message-file arguments get silently ignored.
This option implies --filter, and enables database logging. To do that, the
ctlfile includes the full list of recipients and a Courier's style id with the
inode number of the ctlfile itself.
See the description above for the relationship between key uniqueness and the
- --domain domain
Use this as the signing domain. If the domain argument contains a "@",
then the whole string is set as the authenticated user and, if not overridden by
the next option, to the envelope sender. Otherwise, if no "@", the ctlfile
will have postmaster@domain. This may or may not result in a signature by
such domain, according to the other configuration options.
- --sender sender
This sets the envelope sender in the ctlfile. The value is only relevant for
--db-filter, since the ctlfile is used for signing only. If this option is
not specified, domain is used as envelope sender as well, if it contains a
Have zdkimfilter check and print the configuration file.
Print usage and exit.
Have zdkimfilter print the version. zdkimsign just prints which executable
it is about to run.
Act as if invoked as zdkimverify. The latter is a symbolic link to
zdkimsign. The behavior is similar, invoking zdkimfilter, but the
temporary ctlfile is written so as to trigger verification.
Unless --filter is also specified, zdkimverify passes the
--no-write option to zdkimfilter, so as to not modify the
target mail file. Authentication-Results are output on stdout,
log lines to stderr.
The build-time configured path of the zdkimfilter executable.
Default configuration file.
If this variable is set, the zdkimfilter child uses it for storing the client's
"ip" variable to the database.
Alessandro Vesely <firstname.lastname@example.org>
Explains how to set up private keys for signing, and choice of domain.
Explains configuration options, including key_choice_header and
Copyright © 2012-2021 Alessandro Vesely