home old db
documentation:zdkimfilter zdkimsign redact zaggregate zfilter_db zdkimfilter.conf zdkimgenkey




zdkimsign - a wrapper around zdkimfilter  


zdkimsign [option [option-arg]] message-file ...
zdkimverify [option [option-arg]] message-file ...


zdkimsign is a wrapper around the zdkimfilter executable. It provides for offline signing of messages, and a few other utilities. It searches for the zdkimfilter executable in the build-time configured path, and either in the directory used for calling it, if any, or in the PATH. That way it can work when the package is built but not yet installed.

Normally, zdkimsign uses the --no-db option of zdkimfilter, so as to avoid having the messages signed this way logged to the database. However, the --db-filter option allows logging. Using it may require to choose a temporary directory carefully: To have zdkimfilter sign the files, zdkimsign writes a minimal ctlfile in the temporary directory. The inode number for database keys is that of the ctlfile. To ensure uniqueness, if used as a key, it is necessary that the ctlfile gets created in the same disk partition where Courier writes received mail files.

zdkimsign creates the ctlfile in the directory specified by the -t option, if any; otherwise, in the one specified by the tmp configuration option, if present; otherwise in /tmp.  


-f config-filename
Specify a different configuration file. That way it is possible to configure for signing different header fields, or using different keys. zdkimsign only reads the tmp and default_domain configuration options, but forwards this command line option to the invoked zdkimfilter.
-o filename
Save intermediate verification debug files. When retrying DKIM authentication by undoing a MLM transformation, the retried message or part of it is saved to the filename, if given.

This option uses by zdkimfilter's --save-files option.

If the executable is compiled with debugging support, this option dumps the canonicalization results to files named "dkim.*.*".

All files are created in the /tmp directory, possibly overridden by the corresponding configuration parameter.

-t tmp-directory
The directory used for temporary files.
Log to syslog (LOG_MAIL facility) rather than stderr.
Use standard I/O, that is read a mail file on stdin and rewrite it to stdout. This option implies --syslog, but the filter response is echoed on stderr in case of error.

I/O behavior is obtained by passing the --no-fork option to zdkimfilter. That way, the message-file arguments get silently ignored.

This option implies --filter, and enables database logging. To do that, the ctlfile includes the full list of recipients and a Courier's style id with the inode number of the ctlfile itself.

See the description above for the relationship between key uniqueness and the temporary directory.

--domain domain
Use this as the signing domain. If the domain argument contains a "@", then the whole string is set as the authenticated user and, if not overridden by the next option, to the envelope sender. Otherwise, if no "@", the ctlfile will have postmaster@domain. This may or may not result in a signature by such domain, according to the other configuration options.
--sender sender
This sets the envelope sender in the ctlfile. The value is only relevant for --db-filter, since the ctlfile is used for signing only. If this option is not specified, domain is used as envelope sender as well, if it contains a "@".
Have zdkimfilter check and print the configuration file.
Print usage and exit.
Have zdkimfilter print the version. zdkimsign just prints which executable it is about to run.
Act as if invoked as zdkimverify. The latter is a symbolic link to zdkimsign. The behavior is similar, invoking zdkimfilter, but the temporary ctlfile is written so as to trigger verification.

Unless --filter is also specified, zdkimverify passes the --no-write option to zdkimfilter, so as to not modify the target mail file. Authentication-Results are output on stdout, log lines to stderr.



The build-time configured path of the zdkimfilter executable.
Default configuration file.


If this variable is set, the zdkimfilter child uses it for storing the client's "ip" variable to the database.


Alessandro Vesely <vesely@tana.it>  


Explains how to set up private keys for signing, and choice of domain.
Explains configuration options, including key_choice_header and default_domain.

Copyright © 2012-2021 Alessandro Vesely