
As I can never find this online, and man -l /var/qmail/man/man8/qmail-dkim.8 is a pain, I’ve posted the DKIM settings below.

The complete set of letters with the corresponding return status is given below:

A – DKIM_SUCCESS – Function executed successfully
B – DKIM_FINISHED_BODY – process result: no more message body is needed
C – DKIM_PARTIAL_SUCCESS – verify result: at least one but not all signatures verified
D – DKIM_NEUTRAL – verify result: no signatures verified but message is not suspicious
E – DKIM_SUCCESS_BUT_EXTRA – signature result: signature verified but it did not include all of the body
F – DKIM_3PS_SIGNATURE – 3rd-party signature
G – DKIM_FAIL – Function failed to execute
H – DKIM_BAD_SYNTAX – signature error: DKIM-Signature could not parse or has bad tags/values
I – DKIM_SIGNATURE_BAD – signature error: RSA verify failed
J – DKIM_SIGNATURE_BAD_BUT_TESTING – signature error: RSA verify failed but testing
K – DKIM_SIGNATURE_EXPIRED – signature error: x= is old
L – DKIM_SELECTOR_INVALID – signature error: selector doesn’t parse or contains invalid values
M – DKIM_SELECTOR_GRANULARITY_MISMATCH – signature error: selector g= doesn’t match i=
N – DKIM_SELECTOR_KEY_REVOKED – signature error: selector p= empty
O – DKIM_SELECTOR_DOMAIN_NAME_TOO_LONG – signature error: selector domain name too long to request
P – DKIM_SELECTOR_DNS_TEMP_FAILURE – signature error: temporary DNS failure requesting selector
Q – DKIM_SELECTOR_DNS_PERM_FAILURE – signature error: permanent DNS failure requesting selector
R – DKIM_SELECTOR_PUBLIC_KEY_INVALID – signature error: selector p= value invalid or wrong format
S – DKIM_NO_SIGNATURES – no signatures
T – DKIM_NO_VALID_SIGNATURES – no valid signatures
U – DKIM_BODY_HASH_MISMATCH – signature verify error: message body does not hash to bh value
V – DKIM_SELECTOR_ALGORITHM_MISMATCH – signature error: selector h= doesn’t match signature a=
W – DKIM_STAT_INCOMPAT – signature error: incompatible v=
X – DKIM_UNSIGNED_FROM – signature error: not all message’s From headers in signature

For example, if you want to permanently reject messages whose signature has expired, include the letter ‘K’ in the DKIMVERIFY environment variable. A conservative set of letters is FGHIKLMNOQRTUVWjp (a lower-case letter, as j and p here, requests a temporary rejection instead of a permanent one). That set rejects permanently on 3PS_SIGNATURE, FAIL, BAD_SYNTAX, SIGNATURE_BAD, SIGNATURE_EXPIRED, SELECTOR_INVALID, GRANULARITY_MISMATCH, SELECTOR_KEY_REVOKED, DOMAIN_NAME_TOO_LONG, DNS_PERM_FAILURE, SELECTOR_PUBLIC_KEY_INVALID, NO_VALID_SIGNATURES, BODY_HASH_MISMATCH, SELECTOR_ALGORITHM_MISMATCH and STAT_INCOMPAT errors, and temporarily on SIGNATURE_BAD_BUT_TESTING and DNS_TEMP_FAILURE. Add S if you also want to reject messages that carry no DKIM signature at all. The control files signaturedomains and nosignaturedomains (see below) let you further fine-tune what happens when a mail arrives without a DKIM signature. Note that qmail-dkim always inserts the DKIM-Status header, so messages can instead be rejected later, at delivery time or in the mail reader; in that case set DKIMVERIFY to an empty string. To require that every From header of a message be covered by the signature (result X, DKIM_UNSIGNED_FROM), set the UNSIGNED_FROM environment variable to an empty string. To likewise check for an unsigned Subject header, set the UNSIGNED_SUBJECT environment variable. To honor the body length tag (l=), set the HONOR_BODYLENGTHTAG environment variable; be aware that content appended beyond the signed length is then accepted without being covered by the signature, so enable this deliberately.

qmail-dkim supports two signing-practice schemes that can additionally be checked when signature verification fails:

SSP – Sender Signing Practice

and

ADSP – Author Domain Signing Practice.

When a signature fails to verify for a message, you can use SSP/ADSP to determine whether the message is suspicious or not. To verify a message against SSP/ADSP, set the DKIMPRACTICE environment variable to the desired subset of the letters accepted by DKIMVERIFY. SSP/ADSP should be used only when signature verification fails, i.e. only when libdkim returns one of the error codes F, G, H, I, J, K, L, M, N, P, Q, R, S, T, U, V, W or X. If you want to test against SSP/ADSP only for DKIM_NO_SIGNATURES and DKIM_NO_VALID_SIGNATURES, set DKIMPRACTICE="ST". If you want automatic behaviour, set DKIMPRACTICE to an empty string; ADSP/SSP will then be used whenever the return code matches "FGHIJKLMNPQRSTUVWX". qmail-dkim uses ADSP as the default signing practice. You can override this by setting SIGN_PRACTICE to ssp, adsp or local (lower-case). If you set SIGN_PRACTICE to local, qmail-dkim checks the domain against the control file signaturedomains (see below); if the domain is listed there, qmail-dkim bypasses ADSP/SSP and returns DKIM_FAIL when the signature fails to verify. Setting SIGN_PRACTICE to anything else disables signing practice altogether.
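To make the letter semantics concrete, here is a small Python model of the decision rules described above. It is an added illustration, not qmail-dkim's or libdkim's own code: verify_action() maps a libdkim result letter to the action a DKIMVERIFY set requests, and practice_lookup() decides whether a failed verification is escalated to an SSP/ADSP check under DKIMPRACTICE and SIGN_PRACTICE. The letter table is transcribed from above; the function names, the Action enum, the warning for success codes in a reject set, and the handling of a domain that is not listed in signaturedomains under SIGN_PRACTICE=local are this example's own assumptions.

```python
"""Model of the qmail-dkim DKIMVERIFY / DKIMPRACTICE letter sets.

Added illustration of the policy in the man page excerpt; not qmail-dkim's
or libdkim's own code.  Function names and the Action enum are this
example's own.
"""
from enum import Enum

# Letter -> libdkim result name, transcribed from the table above.
DKIM_CODES = {
    "A": "DKIM_SUCCESS", "B": "DKIM_FINISHED_BODY",
    "C": "DKIM_PARTIAL_SUCCESS", "D": "DKIM_NEUTRAL",
    "E": "DKIM_SUCCESS_BUT_EXTRA", "F": "DKIM_3PS_SIGNATURE",
    "G": "DKIM_FAIL", "H": "DKIM_BAD_SYNTAX",
    "I": "DKIM_SIGNATURE_BAD", "J": "DKIM_SIGNATURE_BAD_BUT_TESTING",
    "K": "DKIM_SIGNATURE_EXPIRED", "L": "DKIM_SELECTOR_INVALID",
    "M": "DKIM_SELECTOR_GRANULARITY_MISMATCH",
    "N": "DKIM_SELECTOR_KEY_REVOKED",
    "O": "DKIM_SELECTOR_DOMAIN_NAME_TOO_LONG",
    "P": "DKIM_SELECTOR_DNS_TEMP_FAILURE",
    "Q": "DKIM_SELECTOR_DNS_PERM_FAILURE",
    "R": "DKIM_SELECTOR_PUBLIC_KEY_INVALID",
    "S": "DKIM_NO_SIGNATURES", "T": "DKIM_NO_VALID_SIGNATURES",
    "U": "DKIM_BODY_HASH_MISMATCH",
    "V": "DKIM_SELECTOR_ALGORITHM_MISMATCH",
    "W": "DKIM_STAT_INCOMPAT", "X": "DKIM_UNSIGNED_FROM",
}
SUCCESS_CODES = "ABCDE"               # results that are not errors
CONSERVATIVE = "FGHIKLMNOQRTUVWjp"    # the man page's suggested set
PRACTICE_AUTO = "FGHIJKLMNPQRSTUVWX"  # used when DKIMPRACTICE is ""


class Action(Enum):
    ACCEPT = "accept (DKIM-Status header still added)"
    REJECT_PERM = "reject permanently"   # upper-case letter in DKIMVERIFY
    REJECT_TEMP = "reject temporarily"   # lower-case letter in DKIMVERIFY


def check_letters(value, name):
    """Validate a letter set.  Unknown letters raise; success results
    (A-E) in a reject set are returned as warnings, since rejecting on
    them would bounce correctly signed mail (this example's own check)."""
    warnings = []
    for ch in value:
        if ch.upper() not in DKIM_CODES:
            raise ValueError(f"{name}: {ch!r} is not a qmail-dkim result letter")
        if ch.upper() in SUCCESS_CODES:
            warnings.append(f"{name}: {ch!r} ({DKIM_CODES[ch.upper()]}) is a success result")
    return warnings


def verify_action(dkimverify, code):
    """Action that a DKIMVERIFY set requests for one libdkim result letter.

    An upper-case letter rejects permanently, its lower-case form rejects
    temporarily (as j and p do in the conservative set), and an absent
    letter lets the message through with a DKIM-Status header for later
    filtering.  An empty DKIMVERIFY therefore accepts everything."""
    check_letters(dkimverify, "DKIMVERIFY")
    code = code.upper()
    if code not in DKIM_CODES:
        raise ValueError(f"unknown result letter {code!r}")
    if code in dkimverify:
        return Action.REJECT_PERM
    if code.lower() in dkimverify:
        return Action.REJECT_TEMP
    return Action.ACCEPT


def practice_lookup(code, dkimpractice, sign_practice="adsp",
                    domain="", signaturedomains=frozenset()):
    """Which signing-practice check, if any, follows a verification result.

    Returns None (no practice check), "adsp" or "ssp" (a practice lookup
    for the author domain), or "DKIM_FAIL" when SIGN_PRACTICE=local finds
    the domain in the signaturedomains control file.  dkimpractice=None
    models the variable being unset; "" selects the automatic set."""
    code = code.upper()
    if dkimpractice is None:
        return None
    triggers = dkimpractice or PRACTICE_AUTO
    check_letters(triggers, "DKIMPRACTICE")
    if code not in triggers.upper():
        return None
    if sign_practice in ("adsp", "ssp"):
        return sign_practice
    if sign_practice == "local":
        # The man page only describes the listed case; an unlisted domain
        # is treated as "no practice check" here (assumption).
        return "DKIM_FAIL" if domain in signaturedomains else None
    return None   # any other value disables signing practice


if __name__ == "__main__":
    for letter in "KjPS":
        print(letter, DKIM_CODES[letter.upper()],
              verify_action(CONSERVATIVE, letter).value)
```

Run it with no arguments to see how the conservative set treats K, j, P and S (S is accepted until you add it to the set). Pass a domain and a set of names read from your own signaturedomains file to practice_lookup() to see the SIGN_PRACTICE=local branch.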
