Section: User Contributed Perl Documentation (1), updated 2009-07-12
NAME
dkimproxy.out - SMTP proxy for adding DKIM signatures to email
SYNOPSIS
dkimproxy.out [options] --keyfile=FILENAME --selector=SELECTOR \
--domain=DOMAIN LISTENADDR:PORT RELAYADDR:PORT
smtp options:
--conf_file=FILENAME
--listen=LISTENADDR:PORT
--relay=RELAYADDR:PORT
--reject-error
signing options:
--signature=dkim|domainkeys
--keyfile=FILENAME
--selector=SELECTOR
--method=simple|nowsp|relaxed|nofws
--domain=DOMAIN
--identity=IDENTITY
daemon options:
--daemonize
--user=USER
--group=GROUP
--pidfile=PIDFILE
dkimproxy.out --help
to see a full description of the various options
DESCRIPTION
dkimproxy.out listens on the IP address and TCP port specified by its
first argument (the ``listen'' port), and sends the traffic it receives
onto the second argument (the ``relay'' port), with messages getting
modified to have a DKIM or DomainKeys signature.
OPTIONS
--daemonize
If specified, the server will run in the background.
--domain=DOMAIN
Use this argument to specify the domain(s) you can sign for. You may
specify multiple domains by separating them with commas. If a single
domain is specified, DKIMproxy signs every message it sees with that
domain, if it can. If multiple domains are specified, DKIMproxy tries to
match the message's sender to one of the listed domains and generates
only a signature for the domain that matches the sender.
--group=GROUP
If specified, the daemonized process will setgid() to the specified
GROUP.
--identity=IDENTITY
If specified, any DKIM signature created will have an i= argument
containing the value specified.
--keyfile=FILENAME
This is a required argument. Use it to specify the file containing
the private key used to sign outgoing messages. Keep that file readable
only by the user the proxy runs as (see "--user"): anyone who can read
it can produce valid signatures for your domain(s). For messages to
verify, you will need to publish the corresponding public key in
DNS, using the selector name specified by "--selector", under
the domain(s) specified in "--domain".
--method=simple|nowsp|relaxed|nofws
This option specifies the canonicalization algorithm to use for signing
messages. For DKIM signatures, the options are "simple", "nowsp", or
"relaxed"; the default is "relaxed". For DomainKeys signatures, the
options are "simple" and "nofws"; the default is "nofws".
--pidfile=PIDFILE
Creates a PID file (a file containing the PID of the process) for
the daemonized process. This makes it possible to check the status
of the process, and to cleanly shut it down.
--reject-error
This option specifies what to do if an error occurs while signing
a message. If it is specified, the message is rejected with an SMTP
error code, and the upstream MTA will either queue the message and try
again later or bounce it back to the sender, depending on the exact
error code used. If it is not specified, the message is passed on to
the relay port without a signature being added, so a misconfiguration
silently produces unsigned mail.
The most common cause of a signing error is improperly configured
signature options.
--selector=SELECTOR
This is a required argument. Use it to specify the name of the key
selector.
--sender_map=FILENAME
If specified, the named file provides signature parameters depending
on what sender is found in the message. See the section below titled
``SENDER MAP FILE''.
--signature=dkim|domainkeys
This specifies what type of signature to add. Use "dkim" to sign with
IETF-standardized DKIM signatures. Use "domainkeys" to sign with
the older, but more common, Yahoo! DomainKeys signatures.
The default is "dkim".
This parameter can be specified more than once to add more than one
signature to the message. In addition, per-signature parameters can be
specified by enclosing the comma-separated options in parentheses after
the signature type, e.g.
--signature=dkim(c=relaxed,key=private.key)
The syntax for specifying per-signature options is described in more
detail in the section below titled ``SENDER MAP FILE''.
--user=USER
If specified, the daemonized process will setuid() to USER after
completing any necessary privileged operations, but before accepting
connections.
the proxy will listen on port 10027 and send the signed messages to
some other SMTP service on port 10028.
CONFIGURATION FILE
Parameters can be stored in a separate file instead of specifying
them all on the command-line. Use the "conf_file" option to specify
the path to the configuration file, e.g.
dkimproxy.out --conf_file=/etc/dkimproxy_out.conf
The format of the configuration file is one option per line:
name of the option, space, then the value of the option. E.g.
# this is an example config file
domain example.org,example.com
keyfile private.key
selector postfix
signature dkim
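The following is an added example, written in Python rather than the project's Perl, and is not dkimproxy's own configuration loader: it parses a file in the "name value" format described above, checks that the options the page marks as required are present, derives the DNS record names where the public key must be published (<selector>._domainkey.<domain>, the standard DKIM/DomainKeys location), and refuses a key file that group or world can read. The sample configuration is constructed from the page's example; the throwaway key file written by demo() is a placeholder, not a real key.

```python
"""Parse and sanity-check a dkimproxy.out configuration file.

Added example (Python), not dkimproxy's own code. The file format is the
one the man page describes; the required-option check, the key-file
permission check and the DNS record names are additions for this example.
"""
import os
import stat
import tempfile

# Constructed sample config, modelled on the page's example file.
SAMPLE_CONF = """\
# this is an example config file
domain example.org,example.com
keyfile private.key
selector postfix
signature dkim
"""

REQUIRED = ("keyfile", "selector")   # the page marks these as required


def parse_conf(text):
    """Return {option: value}. 'signature' may repeat (one signature per
    line) and is collected as a list; other repeated options override."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)   # name, space, value
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'name value', got {line!r}")
        name, value = parts
        if name == "signature":
            conf.setdefault("signature", []).append(value)
        else:
            conf[name] = value
    return conf


def check_conf(conf, base_dir="."):
    """Return a list of problems; an empty list means the config looks sane."""
    problems = []
    for opt in REQUIRED:
        if opt not in conf:
            problems.append(f"missing required option: {opt}")
    if "keyfile" in conf:
        path = os.path.join(base_dir, conf["keyfile"])
        try:
            mode = os.stat(path).st_mode
        except OSError as e:
            problems.append(f"keyfile {path}: {e.strerror}")
        else:
            # Anyone who can read the private key can sign as your domains,
            # so nothing but the proxy's own user should have access.
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                problems.append(f"keyfile {path}: accessible to group/others "
                                f"(mode {stat.S_IMODE(mode):04o}); chmod 600 it")
    return problems


def dns_record_names(conf):
    """TXT record names that must carry the public key for each domain."""
    selector = conf["selector"]
    return [f"{selector}._domainkey.{d.strip()}"
            for d in conf.get("domain", "").split(",") if d.strip()]


def demo():
    """Run the checks against the constructed config with a throwaway key,
    first with loose and then with tight permissions."""
    conf = parse_conf(SAMPLE_CONF)
    with tempfile.TemporaryDirectory() as d:
        key = os.path.join(d, conf["keyfile"])
        with open(key, "w") as f:
            f.write("placeholder, not a real private key\n")   # constructed
        os.chmod(key, 0o644)
        loose = check_conf(conf, d)
        os.chmod(key, 0o600)
        tight = check_conf(conf, d)
    return conf, loose, tight


if __name__ == "__main__":
    conf, loose, tight = demo()
    print("publish public key at:", ", ".join(dns_record_names(conf)))
    print("with mode 0644:", loose)
    print("with mode 0600:", tight)
```

Run it before starting the daemon: a missing "selector" or a world-readable key file is reported before any mail is relayed unsigned.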
SENDER MAP FILE
If you want to use different signature properties depending on the
sender of the message being signed, use a ``sender map file''. This
is a lookup file containing sender email addresses (or domains) on the
left and signature properties on the right. E.g.
# sign my mail with a EXAMPLE.COM dkim signature
jason@long.name dkim(d=example.com)
# sign WIDGET.EXAMPLE mail with a default domainkeys signature
widget.example domainkeys
# sign EXAMPLE.ORG mail with both a domainkeys and dkim signature
example.org dkim(c=relaxed,a=rsa-sha256), domainkeys(c=nofws)
The right-hand value of a sender map entry is a comma-separated list of
signature types. Each signature type may be followed by a comma-separated
list of parameters enclosed in parentheses. The following signature
parameters are recognized:
key
the private key file to use
a
the algorithm to use
c
the canonicalization method to use
d
the domain to use, default is to use the domain matched
i
the identity to use, default is to not include an i= parameter
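The following is an added example, written in Python rather than the project's Perl, and is not dkimproxy's own lookup code: it parses the sender map syntax above (and the same "type(k=v,...)" form used by "--signature"), then resolves the signatures a given sender would receive, filling in the defaults the page states (d = the domain matched, c = the per-type default from "--method", no i= unless given). Three points are assumptions made for this example, not documented behaviour: the lookup order (exact address first, then the address's domain), that "the domain matched" for an address entry is the address's own domain, and that "key" falls back to the "--keyfile" value. The sender map is constructed from the page's own entries.

```python
"""Resolve which signatures dkimproxy.out would add for a sender,
from a sender map file.

Added example (Python), not dkimproxy's own code. Assumed here: lookup
order exact-address-then-domain, "domain matched" for an address entry
means the address's domain, and "key" defaults to the --keyfile value.
"""
import re

# Constructed sender map, using the page's own entries.
SENDER_MAP = """\
# sign my mail with a EXAMPLE.COM dkim signature
jason@long.name dkim(d=example.com)
# sign WIDGET.EXAMPLE mail with a default domainkeys signature
widget.example domainkeys
# sign EXAMPLE.ORG mail with both a domainkeys and dkim signature
example.org dkim(c=relaxed,a=rsa-sha256), domainkeys(c=nofws)
"""

# One signature entry: type, optional (k=v,...) list, then a comma or end.
SIG_RE = re.compile(r"\s*(dkim|domainkeys)\s*(?:\(([^()]*)\))?\s*(?:,|$)")
KNOWN_PARAMS = {"key", "a", "c", "d", "i"}
VALID_C = {"dkim": {"simple", "nowsp", "relaxed"},
           "domainkeys": {"simple", "nofws"}}
DEFAULT_C = {"dkim": "relaxed", "domainkeys": "nofws"}   # from --method


def parse_signature_spec(spec):
    """'dkim(c=relaxed,a=rsa-sha256), domainkeys(c=nofws)' ->
    [('dkim', {...}), ('domainkeys', {...})]. Raises ValueError on
    unknown parameters or a canonicalization invalid for the type."""
    spec = spec.strip()
    sigs, pos = [], 0
    while pos < len(spec):
        m = SIG_RE.match(spec, pos)
        if not m:
            raise ValueError(f"bad signature spec near {spec[pos:]!r}")
        sigtype, body = m.group(1), m.group(2) or ""
        params = {}
        for item in (s.strip() for s in body.split(",")):
            if not item:
                continue
            if "=" not in item:
                raise ValueError(f"expected k=v in {sigtype}(...): {item!r}")
            k, v = (x.strip() for x in item.split("=", 1))
            if k not in KNOWN_PARAMS:
                raise ValueError(f"unknown parameter {k!r} for {sigtype}")
            params[k] = v
        if "c" in params and params["c"] not in VALID_C[sigtype]:
            raise ValueError(f"c={params['c']} is not valid for {sigtype}")
        sigs.append((sigtype, params))
        pos = m.end()
    if not sigs:
        raise ValueError("empty signature spec")
    return sigs


def parse_sender_map(text):
    """Return {lowercased address or domain: [(type, params), ...]}."""
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'sender signature-list'")
        try:
            table[parts[0].lower()] = parse_signature_spec(parts[1])
        except ValueError as e:
            raise ValueError(f"line {lineno}: {e}") from None
    return table


def signatures_for(table, sender, default_keyfile="private.key"):
    """Signatures to add for one sender, with defaults filled in:
    d = domain matched, c = per-type default, key = --keyfile (assumed),
    i omitted unless given. Returns [] if nothing matches, in which case
    the message would be relayed unsigned."""
    sender = sender.strip().lower()
    domain = sender.rsplit("@", 1)[-1]
    entry = table.get(sender)          # assumed: exact address wins
    if entry is None:
        entry = table.get(domain, [])
    result = []
    for sigtype, params in entry:
        eff = dict(params)
        eff.setdefault("d", domain)
        eff.setdefault("c", DEFAULT_C[sigtype])
        eff.setdefault("key", default_keyfile)
        result.append((sigtype, eff))
    return result


if __name__ == "__main__":
    table = parse_sender_map(SENDER_MAP)
    for who in ("jason@long.name", "bob@widget.example",
                "alice@example.org", "x@unknown.test"):
        print(who, "->", signatures_for(table, who))
```

A sender that matches no entry yields an empty list; combined with the default behaviour described under "--reject-error", such mail leaves the proxy unsigned, so check the map against your real sender domains before deploying it.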