The output of the script consists of two files in the /local/courier/etc/path/filters/keys directory. File names are based on the selector name, given as option.
To start using a key, link it to a domain name by using symbolic links.
zdkimfilter looks for a file having the same name as the domain, in a directory configured using the domain_keys configuration option. By default, this is /local/courier/etc/path/filters/keys. The file should be a soft link to the actual key created using this script.
The soft link and its target can be in different directories. The basename of the linked-to file contains the selector. If the basename starts with the same string as the domain name, then that initial part and an optional dot are discarded. In addition, an extension of ".private" or ".pem" is also discarded. For example, the following will all result in assigning selector sel as the key for example.com:
example.com -> ../anywhere/sel.private example.com -> ../anywhere/sel example.com -> ../anywhere/example.com.sel example.com -> ../anywhere/example.comsel example.com -> ../anywhere/example.com.sel.private example.com -> ../anywhere/example.comsel.private example.com -> ../anywhere/example.com.sel.pem example.com -> ../anywhere/example.comsel.pem example.com -> ../anywhere/sel.pem
The public key must be published on the DNS in order to make it possible for remote receivers to verify the signatures. Domain owners should change selector on a regular basis, or whenever they think the private key might have been compromised. The soft link that enables signing with a given private key should be set after publishing the corresponding public key. The file existence is going to be effective on the next message. It is not necessary to restart zdkimfilter for that to take effect.
The DKIM standard provides for other tags, for example <t=y> to signal test mode. See the IANA page for a complete list:
Additional tags, can be added manually at publication time, like the domain name itself. They don't affect the key.
Signers MUST use RSA keys of at least 1024 bits for all keys. Signers SHOULD use RSA keys of at least 2048 bits. Verifiers MUST be able to validate signatures with keys ranging from 1024 bits to 4096 bits, and they MAY be able to validate signatures with larger keys.
Copyright © 2012-2021 Alessandro Vesely