ZDKIMFILTER
"z" DKIM filter for Courier-MTA
Download
Packages and installation
Gentoo: Daniel Black and Hanno Böck added this to gentoo linux.
RPM: Zenon Panoussis contributed an RPM .spec, available here.
It is included in recent tarballs. See his message for details
Debian: Viktor Szépe created the setup, and
the debian subdirectory is included in the tarball
since version 1.6.
That way, tarball users can build a Debian package instead of a
local installation obtained by ./configure.
An experimental Debian binary package built on AMD (Ryzen) by
dpkg-buildpackage -us -uc
can be found here.
Basic installation: Even if you're not using Debian, the
postinst
script can be read as a guide for post-installation instructions.
Some useful Courier settings are as follows:
BOFHSPFHELO, BOFHSPFMAILFROM, and BOFHSPFFROM (suit your taste, but enable SPF evaluation),
ALLOW_EXCLUSIVE in esmtpd, and then trust_a_r in zdkimfilter.conf,
MIME=none in esmtpd to prevent rewriting incoming mail (this hasn't its prepared stanza),
opt MIME=none in bofh to prevent rewriting local sendmail (this hasn't its prepared stanza),
MIME=some in esmtpd-msa to allow rewriting submitted mail (this hasn't its prepared stanza),
NOADDRREWRITE=2 in esmtpd (not needed in newer Courier versions).
A couple of tweaks to handle DMARC quarantine and From: demunging are
documented in the man page.
Complete installation requires a database. The examples included in the distribution are based on MariaDB and explained in the DB page. This work can be customized at will, which is why they're called examples. An utility to browse the database is still missing; maybe next version will feature something to tweak per-domain options. Other "obvious" settings, such as managing bounces of sent-out reports, are not even mentioned. Finally, in order to complete DMARC installation, you need to parse aggregate reports received from your targets and possibly feed the database. You may want to consider transforming aggregate reports to more readable HTML using dmarc-xls.
Requirements
- courier is required to configure and run the filter. Side executables such as zdkimverify can run on the command line independently of the MTA.
- libgnutls or openssl,*
- libopendbx, used with MariaDB (not MySQL)†
- libnettle,
- libresolv,
- libidn2,
- libunistring,
- zlib,
- uuid,
- the pkg-config utility,
- libtool (a buggy requirement that will be removed from future versions; for v.1.5, libtool-bin is necessary to configure the package)
- In addition, the Public Suffix List is used for DMARC, if configured.
(*) Versions older than 3.0 require libopendkim
(†) With OpenDBX it is possible to deploy several DBMS by editing the queries in the coniguration files. The reference configuration, however, works with MariaDB. MySQL is not compatible as it misses the INET6 data type.
DMARC
The complete installation automates sending DMARC aggregate reports.
As is well known, forwarding modified messages may require to rewrite From:.
That is one of the means for
mitigating DMARC damage to third party mail. This filter attempts to
recognize transformations
typical of mailing lists, and adds auxiliary header fields
to ease such recognition. This feature seems to work if authors avoid
signing list specific fields, such as MIME-Version:, Content-Type: and
Content-Transfer-Encoding:.
For sending, there is a Python script to forward mail safely, shielding
from strict DMARC policies. Designed for .courier files, the script does
a Mailman style mitigation —possibly munge From: and save the original value in the Reply-To:.
dmarc_shield3.py is published by Lindsay Haisley.
For receiving, zdkimfilter tries to revert that munging and verify the
original author domain's signature. If it succeeds, it sets the header
so that a Maildrop instruction can restore the original value of From:
after any external forwarding
(see zdkimfilter(8) man page).
ARC
Since version 3.12, zdkimfilter verifies ARC set chains.
zarcseal is a new alias for the zdkimsign
wrapper, to be used on forwarding. It trusts existing Authentication-Results:
and transforms it into a signed ARC-Authentication-Results:
which may be evaluated by external receivers.
There is more to be done to unleash ARC's potential to dismiss
From: munging in mailing list. We need a mailing list willing to
experiment new settings in order to put ideas into practice.
MLM transformation experiment
Since version 3, zdkimfilter tries to recognize the original signature
of messages transformed by a mailing list. When the transformation is
successfully reverted, the munged From: can be replaced with the original
as described in the man page.
A description of how and when transformation reverting works is drafted
here.
License
As far as software copyright is concerned,
zdkimfilter is free software: you can redistribute it and/or modify
it under the terms of the GNU
General Public Licence
as published by the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
zdkimfilter is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public Licence
for more details.
As an additional permission under GNU GPLv3 section 7,
If you modify zdkimfilter, or any covered part of it, by linking or combining
it with OpenSSL, OpenDKIM, Sendmail, or any software developed by The Trusted
Domain Project or Sendmail Inc., containing parts covered by the applicable
licence, the licensor of zdkimfilter grants you additional permission to convey
the resulting work.
Copyright (C) 2012-2025 Alessandro Vesely