
ZDKIMSIGN(1)

 

NAME

zdkimsign - a wrapper around zdkimfilter  

SYNOPSIS

zdkimsign [option [option-arg]] message-file ...  

DESCRIPTION

zdkimsign is a wrapper around the zdkimfilter executable. It provides for offline signing of messages, and a few other utilities. It searches for the zdkimfilter executable in the build-time configured path, and either in the directory used for calling zdkimsign, if any, or in the PATH. That way it can work when the package is built but not yet installed.

Normally, zdkimsign uses the --no-db option of zdkimfilter, so that messages signed this way are not logged to the database. However, the --db-filter option enables logging. Using it may require choosing the temporary directory carefully. To have zdkimfilter sign the files, zdkimsign writes a minimal ctlfile in the temporary directory, and the inode number used for database keys is that of the ctlfile. Inode numbers are unique only within a single filesystem, so for that number to be unique when used as a key, the ctlfile must be created in the same disk partition where Courier writes received mail files.

zdkimsign creates the ctlfile in the directory specified by the -t option, if any; otherwise, in the one specified by the tmp configuration option, if present; otherwise in /tmp.  
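
A pre-flight check for the --db-filter case described above, as an added example that is not part of zdkimfilter: it resolves the ctlfile directory in the documented order and compares device numbers before signing. The function names, the "tmp = value" line syntax, the use of `stat -c`, and the caller-supplied Courier directory are assumptions.

```shell
#!/bin/sh
# Added example, not part of zdkimfilter. Assumes GNU or busybox `stat -c`
# and configuration lines of the form "tmp = /dir" or "tmp /dir".

# Print the directory zdkimsign would pick for its ctlfile:
# the -t argument, else the tmp configuration option, else /tmp.
resolve_tmpdir() {
    opt_t=$1 conf=$2 dir=
    if [ -n "$opt_t" ]; then
        printf '%s\n' "$opt_t"
        return 0
    fi
    if [ -n "$conf" ] && [ -r "$conf" ]; then
        dir=$(awk '{ sub(/^[ \t]+/, "") }
            /^tmp[ \t=]/ { sub(/^tmp[ \t]*=?[ \t]*/, ""); sub(/[ \t]+$/, "")
                           if ($0 != "") { print; exit } }' "$conf")
    fi
    printf '%s\n' "${dir:-/tmp}"
}

# Return 0 when both paths live on the same filesystem (same device number),
# 1 when they do not, 2 when either path cannot be examined.
same_filesystem() {
    dev_a=$(stat -c %d -- "$1" 2>/dev/null) || return 2
    dev_b=$(stat -c %d -- "$2" 2>/dev/null) || return 2
    [ "$dev_a" = "$dev_b" ]
}

# Sign the message on stdin with database logging, but only when the ctlfile
# inode cannot clash with Courier's. $1 is the directory where Courier writes
# received mail files (site-specific, supplied by the caller), $2 the
# configuration file, $3 an optional -t directory.
sign_with_db_logging() {
    courier_dir=$1 conf_file=$2 tmp_opt=$3
    ctl_dir=$(resolve_tmpdir "$tmp_opt" "$conf_file")
    if ! same_filesystem "$ctl_dir" "$courier_dir"; then
        echo "refusing --db-filter: $ctl_dir and $courier_dir differ in filesystem" >&2
        return 1
    fi
    zdkimsign -f "$conf_file" -t "$ctl_dir" --db-filter
}
```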

OPTIONS

-f config-filename
Specify a different configuration file. That way it is possible to configure for signing different header fields, or using different keys. zdkimsign only reads the tmp and default_domain configuration options, but forwards this command line option to the invoked zdkimfilter.
-t tmp-directory
The directory used for temporary files.
--syslog
Log to syslog (LOG_MAIL facility) rather than stderr.
--filter
Use standard I/O, that is, read a mail file on stdin and rewrite it to stdout. This option implies --syslog, but the filter response is echoed on stderr in case of error.

I/O behavior is obtained by passing the --no-fork option to zdkimfilter. That way, the message-file arguments get silently ignored.

--db-filter
This option implies --filter, and enables database logging. To do that, the ctlfile includes the full list of recipients and a Courier-style id with the inode number of the ctlfile itself.

See the description above for the relationship between key uniqueness and the temporary directory.

--domain domain
Use this as the signing domain. If the domain argument contains a "@", then the whole string is set as the authenticated user and, if not overridden by the next option, as the envelope sender. Otherwise, if there is no "@", the ctlfile will have postmaster@domain. This may or may not result in a signature by that domain, depending on the other configuration options.
--sender sender
This sets the envelope sender in the ctlfile. The value is only relevant for --db-filter, since the ctlfile is used for signing only. If this option is not specified, domain is used as envelope sender as well, if it contains a "@".
--config
Have zdkimfilter check and print the configuration file.
--help
Print usage and exit.
--version
Have zdkimfilter print the version. zdkimsign just prints which executable it is about to run.
--verify
Act as if invoked as zdkimverify. The latter is a symbolic link to zdkimsign. The behavior is similar, invoking zdkimfilter, but the temporary ctlfile is written so as to trigger verification.

Unless --filter is also specified, zdkimverify passes the --no-write option to zdkimfilter, so as to not modify the target mail file. Authentication-Results are output on stdout, log lines to stderr.

 

FILES

/local/libexec/usr/path/filters/zdkimfilter
The build-time configured path of the zdkimfilter executable.
/local/courier/etc/path/filters/zdkimfilter.conf
Default configuration file.
 

ENVIRONMENT VARIABLES

REMOTE_ADDR
If this variable is set, the zdkimfilter child uses it for storing the client's "ip" variable to the database.
 

AUTHOR

Alessandro Vesely <vesely@tana.it>  

SEE ALSO

zdkimfilter(8)
Explains how to set up private keys for signing, and choice of domain.
zdkimfilter.conf(5)
Explains configuration options, including key_choice_header and default_domain.

Copyright © 2012-2021 Alessandro Vesely