1dkim-filter(8)              System Manager's Manual             dkim-filter(8)
2
3
4

NAME

6       dkim-filter - DKIM filter for sendmail
7

SYNOPSIS

9       dkim-filter  -p socketspec [-a peerlist] [-A] [-b modes] [-c canon] [-C
10       config] [-d domains] [-D] [-f] [-F time] [-i ilist]  [-I  eilist]  [-h]
11       [-k keyfile] [-K] [-l] [-L min] [-m mtas] [-M macro[=value][,...]] [-n]
12       [-o hdrlist] [-P pidfile] [-q] [-r] [-R] [-s selector] [-S signalg] [-t
13       testfile]  [-T  secs] [-u userid[:group]] [-U popdb] [-v] [-V] [-W] [-x
14       configfile]
15

DESCRIPTION

17       dkim-filter implements the DKIM standard for signing and  verifying  e-
18       mail messages on a per-domain basis.
19
20       dkim-filter  uses  the milter interface, originally distributed as part
21       of version 8.11 of sendmail(8), to provide DKIM signing and/or  verify‐
22       ing service for mail transiting a milter-aware MTA.
23
24       Most,  if not all, of the command line options listed below can also be
25       set using a configuration file.  See the -x option for details.
26

OPTIONS

28       -a peerlist
29              Identifies a file of "peers" which identifies clients whose con‐
30              nections  should  be accepted without processing by this filter.
31              The peerlist should contain on each line a hostname, domain name
32              (e.g. ".example.com"), IP address, an IPv6 address (including an
33              IPv4 mapped address), or a  CIDR-style  IP  specification  (e.g.
34              "192.168.1.0/24").  An entry beginning with a bang ("!") charac‐
35              ter means "not", allowing exclusions of specific hosts that  are
36              otherwise  members of larger sets.  The order of entries in this
37              file is therefore significant.
38
39       -A     Automatically re-start on failures.  Use with  caution;  if  the
40              filter  fails  instantly after it starts, this can cause a tight
41              fork(2) loop.  This can be mitigated using some  values  in  the
42              configuration   file   to   limit   restarting.   See  dkim-fil‐
43              ter.conf(5).
44
45       -b modes
46              Selects operating modes.  modes is a concatenation of characters
47              that  indicate  which  mode(s)  of operation are desired.  Valid
48              modes are s (signer) and v (verifier).  The default is sv except
49              in test mode (see -t below) in which case the default is v.
50
51       -c canon
52              Selects  the  canonicalization method(s) to be used when signing
53              messages.  When verifying, the message's DKIM-Signature:  header
54              specifies  the  canonicalization  method.  The recognized values
55              are relaxed and simple as defined  by  the  DKIM  specification.
56              The  default  is  simple.   The  value may include two different
57              canonicalizations separated by a slash ("/") character, in which
58              case  the first will be applied to the headers and the second to
59              the body.
60
61       -C config
62              Configuration  control.   See  the  CONFIGURATION  section   for
63              details.
64
65       -d domain [,...]
66              A comma-separated list of domains whose mail should be signed by
67              this filter.  Mail from other domains will  be  verified  rather
68              than being signed.
69
70              The  value  of  this parameter may also be a filename from which
71              domain names will be read.  The "#" character in such a file  is
72              assumed  to  indicate  a comment.  An absolute path must be used
73              (i.e. the first character must be a "/").
74
75              In either case, the domain name(s) may contain the special char‐
76              acter "*" which is treated as a wildcard character matching zero
77              or more characters in a domain name.
78
79              Matching is case-insensitive.
80
81              This parameter is not required if -K is in use;  in  that  case,
82              the  list  of  signed domains is implied by the lines in the key
83              file.
84
85       -D     Sign subdomains of those listed by the -d option as well as  the
86              actual domains.
87
88       -f     Normally  dkim-filter  forks  and exits immediately, leaving the
89              service running in the background.  This  flag  suppresses  that
90              behaviour so that it runs in the foreground.
91
92       -F time
93              Specifies  a  fixed  time  to  use  when  generating signatures.
94              Ignored unless also used in conjunction  with  -t  (see  below).
95              The  time  must  be  expressed in the usual UNIX time_t (seconds
96              since epoch) format.
97
98       -h     Causes dkim-filter to add a header indicating  the  presence  of
99              this  filter in the path of the message from injection to deliv‐
100              ery.  The product's name, version, and the job ID  are  included
101              in the header's contents.
102
103       -i ilist
104              Identifies  a file of internal hosts whose mail should be signed
105              rather than verified.  Entries in this file follow the same form
106              as  those of the -a option above.  If not specified, the default
107              of "127.0.0.1" is applied.  Naturally, providing  a  value  here
108              overrides  the  default,  so  if  mail  from 127.0.0.1 should be
109              signed, the list  provided  here  should  include  that  address
110              explicitly.
111
112       -I eilist
113              Identifies  a  file  of  "external"  hosts  which  may send mail
114              through the server as one of the signing domains without creden‐
115              tials  as  such.  Basically suppresses the "external host (host‐
116              name) tried to send mail as (domain)" log messages.  Entries  in
117              the  eilist  file  should be of the same form as those of the -a
118              option above.  The list is empty by default.
119
120       -K     Requests multiple-key processing.  See also -k below.
121
122       -k keyfile
123              Without -K, gives the location of a PEM-formatted private key to
124              be  used  for signing all messages.  With -K, gives the location
125              of a file listing rules for signing with multiple keys.
126
127              In the latter mode, the keyfile should contain a set of lines of
128              the form sender-pattern:signing-domain:keypath where sender-pat‐
129              tern is a pattern to match against  message  senders  (with  the
130              special character "*" interpreted as "zero or more characters"),
131              signing-domain is the domain to announce as the  signing  domain
132              when  generating signatures, and keypath is the path to the PEM-
133              formatted private key to be  used  for  signing  messages  which
134              match  the  sender-pattern.   The selector used in the signature
135              will be the filename portion of keypath.
136
137              If the file referenced by keypath cannot be opened,  the  filter
138              will  try  again  by appending ".pem" and then ".private" before
139              giving up.
140
141       -l     Log via calls to syslog(3) any interesting activity.
142
143       -L min[%+]
144              Instructs the verification code to fail  messages  for  which  a
145              partial  signature  was received.  There are three possible for‐
146              mats: min indicating at least min bytes of the message  must  be
147              signed  (or  if  the  message is smaller than min then all of it
148              must be signed); min% requiring that at least min percent of the
149              received  message  must be signed; and min+ meaning there may be
150              no more than min bytes of unsigned data appended to the  message
151              for it to be considered valid.
152
153       -m mta[,...]
154              A  comma-separated  list of MTA names (a la the sendmail(8) Dae‐
155              monPortOptions Name parameter) whose mail should  be  signed  by
156              this filter.  If not set, the MTA name is not used when deciding
157              whether or not a message should be signed.
158
159       -M macro[=value][,...]
160              Defines a set of MTA-provided macros which should be checked  to
161              see  if  the  sender  has been determined to be a local user and
162              therefore whether or not the message should  be  signed.   If  a
163              value  is specified, the value of the macro must match the value
164              specified (matching is case-insensitive),  otherwise  the  macro
165              must  be  defined but may contain any value.  Multiple tests may
166              be specified, separated by commas.  The set is empty by default,
167              meaning  macros are not used when deciding whether or not a mes‐
168              sage should be signed.
169
170              The general format of the string is test1[,test2[,...]]  where a
171              "test"  is  of the form macro[=value1[|value2[|...]]]; if one or
172              more value is defined then the macro must be set to one  of  the
173              listed  values,  otherwise the macro must be set but can contain
174              any value.
175
176       -n     Parse the configuration file and command line arguments, report‐
177              ing  any  errors found, and then exit.  The exit value will be 0
178              if the filter would start up without complaint, or non-zero oth‐
179              erwise.
180
181       -o hdrlist
182              Specifies  a list of headers which should be omitted when gener‐
183              ating signatures.  hdrlist should be a comma-separated  list  of
184              header names.  If an entry in the list names any header which is
185              mandated by the DKIM specification, the entry is ignored.  A set
186              of  headers  is listed in the DKIM specification as "SHOULD NOT"
187              be signed; the default list for this  parameter  contains  those
188              headers (Return-Path, Received, Comments, Keywords, Bcc, Resent-
189              Bcc and DKIM-Signature).  To omit no  headers,  simply  use  the
190              string "-" (or any string which will match no headers).
191
192       -p socketspec
193              Specifies the socket that should be established by the filter to
194              receive connections from sendmail(8) in order  to  provide  ser‐
195              vice.   socketspec is in one of two forms: local:path which cre‐
196              ates  a  UNIX  domain  socket  at   the   specified   path,   or
197              inet:port[@host]  which  creates  a  TCP socket on the specified
198              port.  If the host is not given as either a hostname  or  an  IP
199              address,  the  socket  will  be listening on all interfaces.  If
200              neither socket type is specified, local is assumed, meaning  the
201              parameter is interpreted as a path at which the socket should be
202              created.  This parameter is mandatory.
203
204       -P pidfile
205              Writes the process ID of the filter, once started, to the  file‐
206              name given.
207
208       -q     Requests that messages which fail verification be quarantined by
209              the MTA.  (Requires a sufficiently recent version of the  milter
210              library.)
211
212       -r     Checks  all  messages  for  compliance with RFC2822 header count
213              requirements.  Non-compliant messages are rejected.
214
215       -R     When a signature verification fails and the signing site  adver‐
216              tises  a  reporting  address  (i.e.   r=user@host  in its policy
217              record), send a structured report  to  that  address  containing
218              details needed to reproduce the problem.
219
220       -s selector
221              Defines  the  name  of the selector to be used when signing mes‐
222              sages.  See the DKIM specification for details.
223
224       -S signalg
225              Selects the signing algorithm to use when generating signatures.
226              If  the  filter  was  compiled against version 0.9.8 or later of
227              OpenSSL then both rsa-sha1 and rsa-sha256 are available and  the
228              latter  is the default.  Otherwise, only the former is available
229              and it is (obviously) the default.
230
231       -t testfile
232              Evaluates (verifies) an RFC2822-formatted message found in test‐
233              file and exits.  The value of testfile may be "-" if the message
234              should be read from standard input.
235
236       -T secs
237              Sets the DNS timeout in seconds.  A value of 0 causes  an  infi‐
238              nite  wait.   The  default is 5.  Ignored if not using the asyn‐
239              chronous resolver package.  See also the NOTES section below.
240
241       -u userid[:group]
242              Attempts to be come the specified userid before starting  opera‐
243              tions.   The process will be assigned all of the groups and pri‐
244              mary group ID of the named userid unless an alternate  group  is
245              specified.
246
247       -U popdb
248              Requests  that  the filter consult a POP authentication database
249              for IP addresses that should be allowed for signing.  The filter
250              must be specially compiled to enable this feature, since it adds
251              a library dependency.
252
253       -v     Increase verbose output during test mode (see -t above).  May be
254              specified  more  than once to request increasing amounts of out‐
255              put.
256
257       -V     Print the version number and supported canonicalization and sig‐
258              nature algorithms, and then exit without doing anything else.
259
260       -W     If  logging is enabled (see -l above), issues very detailed log‐
261              ging about the logic behind the filter's decision to either sign
262              a  message  or verify it.  The "W" stands for "Why?!"  since the
263              logic behind the decision is non-trivial and can be confusing to
264              administrators  not  familiar with its operation.  A description
265              of how the decision is made can be found in the  OPERATION  sec‐
266              tion  of  this  document.   This  causes a large increase in the
267              amount of log data generated for each message, so it  should  be
268              limited to debugging use and not enabled for general operation.
269
270       -x configfile
271              Read  the named configuration file.  See the dkim-filter.conf(5)
272              man page for details.  Values  in  the  configuration  file  are
273              overridden  when  their  equivalents are provided on the command
274              line until a configuration reload occurs.  The OPERATION section
275              describes how reloads are triggered.
276

ACTION CONFIGURATION

278       The value of the -C switch is a comma-separated list of settings of the
279       form result=action which defines what the filter should  do  with  mes‐
280       sages  that produce certain results.  Each result and each action has a
281       full name and an abbreviated name.  Either  is  accepted.   Below,  the
282       abbreviated name appears in parentheses.
283
284       results
285              badsignature  (bad)  the  signature found in the message did not
286              verify successfully against the message; dnserror (dns) an error
287              was  encountered  attempting  to  retrieve a public key from the
288              nameserver; internal (int) an internal error occurred;  nosigna‐
289              ture  (no)  no  signature  was  present on the message; security
290              (sec) the  message  tripped  internal  security  concerns  (e.g.
291              unusually  large header blocks).  There is also a special result
292              called default (def) whose action is  copied  onto  all  of  the
293              other results.
294
295       action accept  (a) accept the message; discard (d) discard the message;
296              tempfail (t) temp-fail the message; reject (r) reject  the  mes‐
297              sage.
298
299       In  the interests of minimal initial impact, the defaults for badsigna‐
300       ture and nosignature are accept, and the  default  for  the  others  is
301       tempfail.
302
303       Results  and  actions  are  processed  in  order, so use of the default
304       action can be overridden by later specifications.  For  example,  using
305       "def=a,int=t"  sets  all result actions to "accept" except for internal
306       errors which will generate a temporary failure.
307

OPERATION

309       A message will be verified unless it conforms to the signing  criteria,
310       which  are:  (1) the domain on the From: address or Sender: address (if
311       present) must be listed by the -d command line  switch  or  the  Domain
312       configuration  file  setting,  and (2) (a) the client connecting to the
313       MTA must have authenticated, or (b) the client connecting  to  the  MTA
314       must be listed in the file referenced by the -i command line switch (or
315       be in the default list for that option), or (c) the client must be con‐
316       nected to a daemon port named by the -m command line switch, or (d) the
317       MTA must have set one or more macros matching the criteria set  by  the
318       -M command line switch.
319
320       When  signing  a message, a DKIM-Signature: header will be prepended to
321       the message.  The signature is computed using the private key provided.
322       You  must  be running a version of sendmail(8) recent enough to be able
323       to do header prepend operations (8.13.0 or later).
324
325       When verifying a message, an  Authentication-Results:  header  will  be
326       prepended to indicate the presence of a signature and whether or not it
327       could be validated against the body of the message using the public key
328       advertised by the sender's nameserver.  The value of this header can be
329       used by mail user agents to sort or  discard  messages  that  were  not
330       signed or could not be verified.
331
332       Upon  receiving SIGUSR1, if the filter was started with a configuration
333       file, it will be re-read and the new values used.  Note that  any  com‐
334       mand  line overrides provided at startup time will be lost when this is
335       done.  Also, the following configuration file values (and their  corre‐
336       sponding  command  line  items,  if  any) are not reloaded through this
337       process: AutoRestart  (-A),  AutoRestartCount,  AutoRestartRate,  Back‐
338       ground,   MilterDebug,   PidFile   (-P),  POPDBFile,  Quarantine  (-q),
339       QueryCache, Socket (-p), StrictTestMode, TestPublicKeys, UMask,  UserID
340       (-u).   The  filter does not automatically check the configuration file
341       for changes and reload.
342

ENVIRONMENT

344       The following environment variable(s) can be used to adjust the  behav‐
345       iour of this filter:
346
347       DKIM_TMPDIR
348              The directory to use when creating temporary files.  The default
349              is /var/tmp.
350

NOTES

352       When using DNS timeouts (see the -T option above), be sure not to use a
353       timeout  that  is  larger  than  the timeout being used for interaction
354       between sendmail and the filter.  Otherwise, the MTA could abort a mes‐
355       sage  while waiting for a reply from the filter, which in turn is still
356       waiting for a DNS reply.
357
358       The POP authentication database is expected to be a Sleepycat  DB  file
359       (formerly  known  as a Berkeley DB) in hash format with keys containing
360       the IP address in text form without a terminating NULL.  The values  of
361       these records are not checked; only the existence of such records is of
362       interest.  The filter will attempt to establish a shared  lock  on  the
363       database  before  reading  from  it, so any programs which write to the
364       database should keep their lock use to a minimum or  else  this  filter
365       will appear to hang while waiting for the lock operation to complete.
366
367       Features  that  involve  specification of IPv4 addresses or CIDR blocks
368       will use the inet_addr(3) function to parse  that  information.   Users
369       should  be  familiar with the way that function handles the non-trivial
370       cases (for example,  "1.2.3/24"  and  "1.2.3.0/24"  are  not  the  same
371       thing).
372

HISTORY

374       DKIM  is an amalgam of Yahoo!'s DomainKeys proposal, and Cisco's Inter‐
375       net Identified Mail (IIM) proposal.
376

VERSION

378       This man page covers version 2.8.0 of dkim-filter.
379
381       Copyright (c) 2005-2008, Sendmail, Inc. and its suppliers.  All  rights
382       reserved.
383

SEE ALSO

385       dkim-filter.conf(5), sendmail(8)
386
387       Sendmail Operations Guide
388
389       RFC2821 - Simple Mail Transfer Protocol
390
391       RFC2822 - Internet Messages
392
393       RFC4871 - DomainKeys Identified Mail
394
395       RFC5451  -  Message  Header Field for Indicating Message Authentication
396       Status
397
398
399
400                                Sendmail, Inc.                  dkim-filter(8)
Impressum