SYNOPSIS
qmail-dkim [ -h -v -V -s[ecckey] -b[1|2|3] -c[s|t|u] -d domain -i
identity -l -q -t -x expire_time -y selector -Y selector2 -z[1|2|3|4|5]
] in_message RSA_private_key out_message Ed25519_private_key
DESCRIPTION
qmail-dkim is the implementation of libdkim for s/qmail providing API
compatibility and supporting RSA and Ed25519 DKIM signatures in single
or hybrid mode. In hybrid mode, two private keys and two selectors
need to be provided. qmail-dkim supports distinct operations:
qmail-dkim -s in_message RSA_private_key out_message
DKIM-signs in_message with the given RSA_private_key and returns
out_message.
qmail-dkim -s in_message RSA_private_key out_message Ed25519_private_key
signs in_message with both an RSA_private_key and an
Ed25519_private_key. Here, the RSA default selector is default
and the Ed25519 default selector is eddy; both are subject to change.
qmail-dkim -v in_message
verifies the in_message.
DKIM FORMATS
DKIM needs a common understanding of the attributes subject to signing
and verification. The following attributes can be set:
-c is the 'canonicalization', that is, how a validation client should
deal with signature verification of the message headers and/or
body. The choice is given via an appended character: r
relax on header, s simple (strict) on message body, t
relax/simple, or u simple/relaxed.
-z selects the hash function to be used in the signature: 1 uses sha1,
2 uses sha256, and 3 (the default) provides both signature values in
the mail header. 4 tells qmail-dkim to use the Ed25519 signature
scheme. 5 allows qmail-dkim to attach both an RSA-SHA256 and an
Ed25519 signature to the message, which is considered the hybrid mode.
DKIM SIGNING
qmail-dkim will include (several) message headers detailing the DKIM
signature with at least the following fields:
a=<signature type>
c=<used canonicalization>
s=<selector>
d=<identity>
-y selector
is used for the DNS TXT lookup of the public key, mainly to
support key roll-over. The first selector is used for RSA
signatures.
-Y selector2
Same as -y but now for Ed25519 signatures.
-I identifier
gives an additional hint about the agent or identifier
responsible for the signing, like 'postmaster@domain'; defaults to
domain.
-t expire_time
given in seconds, tells how long the signature is valid. It
defaults to 604800 seconds (seven days).
Further, some optional fields can be included in the header:
-l include a body length tag.
-q include the query method tag.
DKIM VERIFICATION
qmail-dkim, as invoked by qmail-dkverify, extracts the received DKIM
header fields and follows the signature verification procedure as
given here, fetching the signer's public key using a DNS TXT
lookup. The respective header lines and/or the message body are then
hashed and compared against the values taken from the signatures.
The result is indicated by return code 0 in case of
success, 1 in case of mismatch, or -1 if other failures were
encountered.
Given the call argument
-v qmail-dkim will provide the DKIM results pass or fail, including
verbose reasons, on the command line. This is the legacy mode.
When invoked instead with the argument
-V it communicates the results over a file interface to be picked up by
qmail-dkverify.
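The body-hash step of the verification described above, as an added Python example (not part of qmail-dkim or libdkim): it parses the DKIM-Signature tags, derives the DNS TXT name from s= and d=, and recomputes bh= following RFC 6376. The message, the example.org domain and the b= placeholders are constructed, and the selectors are the defaults named above; the public key lookup and the check of the b= signature itself are not performed.

```python
import base64
import hashlib
import re

def parse_tags(value):
    """Split a DKIM-Signature header value into tag=value pairs (whitespace dropped)."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}

def canon_body(body, mode):
    """RFC 6376 body canonicalization, 'simple' or 'relaxed'."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":  # collapse runs of WSP, drop WSP at end of line
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # empty lines at the end of the body are ignored
        lines.pop()
    if not lines:  # empty body: CRLF for simple, nothing for relaxed
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"

def check_body_hash(sig_value, body, now):
    """Recompute bh= for one signature and report what a verifier would look up."""
    t = parse_tags(sig_value)
    body_mode = (t.get("c", "simple/simple").split("/") + ["simple"])[1]  # c= is header/body
    data = canon_body(body, body_mode)
    if "l" in t:  # body length tag (-l): only the first l bytes are signed
        data = data[: int(t["l"])]
    digest = hashlib.new(t["a"].split("-")[1], data).digest()
    return {
        "algorithm": t["a"],
        "dns_name": f"{t['s']}._domainkey.{t['d']}",  # TXT record holding the public key
        "body_hash_ok": base64.b64encode(digest).decode() == t["bh"],
        "length_limited": "l" in t,
        "expired": "x" in t and int(t["x"]) < now,
    }

# Constructed sample: hybrid-signed message with an empty body. The b= values are
# placeholders; the bh= values are the empty-body hashes listed in RFC 6376.
BODY = b"\r\n\r\n"
SIGS = [
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=default; x=2000000000;"
    " bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=; b=PLACEHOLDER",
    "v=1; a=ed25519-sha256; c=relaxed/simple; d=example.org; s=eddy; x=2000000000;"
    " bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=; b=PLACEHOLDER",
]

if __name__ == "__main__":
    for sig in SIGS:
        print(check_body_hash(sig, BODY, now=1700000000))
```

A signature that carries l= covers only the first l bytes of the body, so a result with length_limited set says nothing about content after that point.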
SEE ALSO
qmail-queue(8), qmail-remote(8), qmail-dksign(8), qmail-dkverify(8),
qmail-send(8), qmail-log(8).