qmail-dkim - libdkim implementation for s/qmail
qmail-dkim [ -h -v -V -s[ecckey] -b[1|2|3] -c[s|t|u] -d domain -i identity -l -q -t -x expire_time -y selector -Y selector2 -z[1|2|3|4|5] ] in_message RSA_private_key out_message Ed25519_private_key
qmail-dkim is the implementation of libdkim for s/qmail, providing API compatibility and supporting RSA and Ed25519 DKIM signatures in single or hybrid mode. In hybrid mode, two private keys and two selectors need to be provided. qmail-dkim supports the following distinct operations:

qmail-dkim -s in_message RSA_private_key out_message
    DKIM-signs in_message with the given RSA_private_key and writes the result to out_message.

qmail-dkim -s in_message RSA_private_key out_message Ed25519_private_key
    signs in_message with both the RSA_private_key and the Ed25519_private_key. Here, the RSA default selector is "default" and the Ed25519 default selector is "eddy"; both are subject to change.

qmail-dkim -v in_message
    verifies in_message.
DKIM needs a common understanding of the attributes subject to signing and verification. The following attributes can be set:

-c
    is the "canonicalization", thus how a validating client should deal with signature verification of the message headers and/or body. The choice is given via an appended character: r relaxed on header, s simple (strict) on message body, t relaxed/simple, or eventually u simple/relaxed.

-z
    selects the hash function used in the signature, followed by either 1 using sha1, 2 using sha256, or the default 3 providing both signature values in the mail header. 4 tells qmail-dkim to use the Ed25519 signature scheme. 5 allows qmail-dkim to attach both an RSA-SHA256 and an Ed25519 signature to the message, which is considered hybrid mode.
qmail-dkim will include one or several message headers detailing the DKIM signature with at least the following fields:

    a=<signature type>
    c=<used canonicalization>
    s=<selector>
    d=<identity>
    i=<identifier>
    h=<included header1:header2:...>
    bh=<hash of the canonicalized body, up to its upper limit length if given>
    b=<base64 encoded signature>
Additional settings can be achieved using the following options:

-d domain
    is the signer's domain name; together with the selector given by -y it is used for the DNS TXT lookup of the public key.

-y selector
    is the selector used, together with the domain, for the DNS TXT lookup of the public key, mainly supporting key roll-over. The first selector is used for RSA signatures.

-Y selector2
    Same as -y, but for Ed25519 signatures.

-I identifier
    gives an additional hint about the agent or identifier responsible for the signing, like "postmaster@domain"; defaults to domain.

-t expire_time
    given in seconds, tells how long the signature is valid. It defaults to 604800 seconds (seven days).
Further, some more optional fields can be displayed in the header:

-l
    include a body length tag.

-q
    include the query method tag.
qmail-dkim, as invoked by qmail-dkverify, extracts the received DKIM header fields and follows the signature verification procedure given here, fetching the signer's public key using a DNS TXT lookup. The respective header lines and/or the message body are then hashed and compared against the values taken from the signatures.

The result is indicated by return code 0 in case of success, 1 in case of mismatch, or -1 if other failures were encountered.
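As an added example (not code from s/qmail, libdkim or qmail-dkim), the following Python recomputes the bh= tag listed among the header fields above, applying the simple or relaxed body canonicalization chosen by c=, the hash named by a= and the l= body length limit; this is the step of the verification procedure that precedes the public-key check of b=. The DKIM-Signature value and body are constructed samples, and the domain, selector and b= value are placeholders.

```python
import base64
import hashlib
import re

def parse_dkim_tags(header_value):
    """Split a DKIM-Signature value into tag=value pairs; folding whitespace in values is dropped."""
    tags = {}
    for item in header_value.split(";"):
        if "=" in item:
            name, value = item.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def canonicalize_body(body, method):
    """'simple' removes trailing empty lines; 'relaxed' also collapses WSP runs and trims line ends."""
    lines = body.split(b"\r\n")
    if method == "relaxed":
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" \t") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:  # an empty body canonicalizes to a single CRLF under 'simple'
        return b"\r\n" if method == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body, method, algorithm="sha256", limit=None):
    """bh= value: base64 hash of the canonicalized body, truncated to l= octets if a length tag (-l) was set."""
    canon = canonicalize_body(body, method)
    if limit is not None:
        canon = canon[:limit]
    return base64.b64encode(hashlib.new(algorithm, canon).digest()).decode("ascii")

def verify_body_hash(header_value, body):
    """True when bh= matches the body under the signature's own a=, c= and l= tags."""
    tags = parse_dkim_tags(header_value)
    if any(t not in tags for t in ("v", "a", "b", "bh", "d", "h", "s")):
        return False  # required tags missing: the signature cannot be evaluated
    algorithm = tags["a"].split("-", 1)[1]  # rsa-sha256 / ed25519-sha256 -> sha256
    body_canon = (tags.get("c", "simple").split("/") + ["simple"])[1]  # c=relaxed means relaxed/simple
    limit = int(tags["l"]) if "l" in tags else None
    return body_hash(body, body_canon, algorithm, limit) == tags["bh"]

# Constructed sample: a body plus a header shaped like qmail-dkim's output
# (domain, selector and the b= value are placeholders, not real signing data).
SAMPLE_BODY = b"Hello   world \r\n\r\n\r\n"
SAMPLE_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=default;\r\n"
    "\ti=postmaster@example.com; h=from:to:subject:date;\r\n"
    "\tbh=" + body_hash(SAMPLE_BODY, "relaxed") + "; b=PLACEHOLDER_NOT_CHECKED"
)
```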
Given the call argument

-v
    qmail-dkim provides the DKIM results pass or fail, including verbose reasons, on the command line. This is the legacy mode.

Invoking qmail-dkim instead with argument

-V
    it communicates the results over a file interface to be picked up by qmail-dkverify.
See also: qmail-queue(8), qmail-remote(8), qmail-dksign(8), qmail-dkverify(8), qmail-send(8), qmail-log(8).