wm: doc

ref: aaeb28aa8e5cf5a9fb58b4525d724ad4661f5abd
dir: /dkim.ms/

View raw version
upas/dkim can help sign outgoing email.

The filter(1) man page states:

.P1
          upas/dkim [ -d domain ] [ -s selector ]

          Dkim Takes a mail message as standard input, and signs a
          selection of headers and the body of the message.  The -d
          flag specifies the domain, and the -s flag specifies the
          selector. If the selector is not specified, it defaults to
          dkim. The keyspec searched for the signing key is:

              proto=rsa service=dkim role=sign hash=sha256 domain=$domain
.P2

First, we create the dkim key, then load it into factotum:

.P1
; ramfs -p
; cd /tmp
; auth/rsagen -b 2048 -t 'service=dkim role=sign hash=sha256 domain=example.com owner=*' > dkim.key
; cat dkim.key > /mnt/factotum/ctl
.P2

Next we generate the public key in ASN.1 notation:

.P1
pubkey=`{
                auth/rsa2asn1 -f spki < dkim.key  | \
                auth/pemencode DKIMKEY | \
                grep -v 'DKIMKEY' | \
                ssam 'x/\n/d'
        }
.P2

Next, we add the DNS records to /lib/ndb/local:

.P1
domain=example.com
ipaddr=198.51.100.2
echo 'dom=dkim._domainkey.'$domain' soa=
        ip='$ipaddr'
        refresh=300 ttl=300
        ns=ns1.'$domain'
        txt="k=rsa; t=s; p='$pubkey" \
        >> /lib/ndb/local
.P2

Replace example.com with your actual domain, and replace 198.51.100.2 with your actual IP address.

Next, in line 4 of /mail/lib/qmail, replace upas/vf with a call to upas/dkim:

.P1
ssam '4s_upas/vf_upas/dkim -d example.com_' /mail/lib/qmail
.P2

Note that emails must be properly RFC formatted in order for dkim signing to be valid.

This guide was written thanks to ori@eigenstate.org's instructions (https://inbox.vuxu.org/9front/C4455EEBFA462747FC56BA7BB611E5F6@eigenstate.org)