Provided by: dkimproxy_1.4.1-3_all

NAME

       dkimproxy.out - SMTP proxy for adding DKIM signatures to email

DESCRIPTION

       dkimproxy.out listens on the IP address and TCP port specified by its first argument (the "listen" port)
       and forwards the traffic it receives to the second argument (the "relay" port), modifying each message
       to add a DKIM or DomainKeys signature.

SYNOPSIS

         dkimproxy.out [options] --keyfile=FILENAME --selector=SELECTOR --domain=DOMAIN LISTENADDR:PORT RELAYADDR:PORT
           smtp options:
             --conf_file=FILENAME
             --listen=LISTENADDR:PORT
             --relay=RELAYADDR:PORT
             --reject-error

           signing options:
             --signature=dkim|domainkeys
             --keyfile=FILENAME
             --selector=SELECTOR
             --method=simple|nowsp|relaxed|nofws
             --domain=DOMAIN

           daemon options:
             --daemonize
             --user=USER
             --group=GROUP
             --pidfile=PIDFILE
             --min_servers=NUM

         dkimproxy.out --help
           to see a full description of the various options

OPTIONS

       --daemonize

       If specified, the server will run in the background.

       --domain=DOMAIN

       Use this argument to specify what domain(s) you can  sign  for.  You  may  specify  multiple  domains  by
       separating  them  with  commas. If a single domain is specified, DKIMproxy will always use that domain to
       sign, if it can. If multiple domains are specified, DKIMproxy  will  try  to  match  the  domain  to  the
       message's sender, and only generate a signature that will match the sender's domain.

       --group=GROUP

       If specified, the daemonized process will setgid() to the specified GROUP.

       --keyfile=FILENAME

       This is a required argument. Use it to specify the filename containing the private key used in signing
       outgoing messages. For messages to verify, you will need to publish the corresponding public key in DNS,
       using the selector name specified by --selector, under the domain(s) specified in --domain.

       --method=simple|nowsp|relaxed|nofws

       This option specifies the canonicalization algorithm to use for signing messages. For DKIM signatures,
       the options are simple, nowsp, or relaxed; the default is relaxed. For DomainKeys signatures,
       the options are simple and nofws; the default is nofws.

       --pidfile=PIDFILE

       Creates  a  PID file (a file containing the PID of the process) for the daemonized process. This makes it
       possible to check the status of the process, and to cleanly shut it down.

       --reject-error

       This option specifies what to do if an error occurs while signing a message. If this option is
       specified, the message will be rejected with an SMTP error code. The sending MTA will then either try
       the message again later or bounce it back to the sender (depending on the exact error code used). If
       this option is not specified, the message will be allowed to pass through without having a signature
       added.

       --selector=SELECTOR

       This is a required argument. Use it to specify the name of the key selector.

       --sender_map=FILENAME

       If specified, the named file provides signature parameters depending on what sender is found in the
       message. See the section below titled "SENDER MAP FILE".

       --signature=dkim|domainkeys

       This specifies what type of signature to add. Use dkim to sign with IETF standardized DKIM signatures.
       Use domainkeys to sign with the older, but more common, Yahoo! DomainKeys signatures. The default is
       dkim.

       This parameter can be specified more than once to add more than one signature to the message. In
       addition, per-signature parameters can be specified by enclosing the comma-separated options in
       parentheses after the signature type, e.g.

         --signature=dkim(c=relaxed,key=private.key)

       The syntax for specifying per-signature options is described in more detail in the section below titled
       "SENDER MAP FILE".

       --user=USER

       If specified, the daemonized process will setuid() to USER  after  completing  any  necessary  privileged
       operations, but before accepting connections.

       --min_servers=NUM

       Number of processes that DKIMproxy shall spawn and keep ready for signing.

EXAMPLE

       For example, if dkimproxy.out is started with:

         dkimproxy.out --keyfile=private.key --selector=postfix --domain=example.org 127.0.0.1:10027 127.0.0.1:10028

       the proxy will listen on port 10027 and send the signed messages to  some  other  SMTP  service  on  port
       10028.

CONFIGURATION FILE

       Parameters can be stored in a separate file instead of specifying them all on the command line. Use the
       --conf_file option to specify the path to the configuration file, e.g.

         dkimproxy.out --conf_file=/etc/dkimproxy_out.conf

       The format of the configuration file is one option per line: name of the option, space, then the value of
       the option. E.g.

         # this is an example config file
         domain example.org,example.com
         keyfile private.key
         selector postfix
         signature dkim

       is equivalent to

         dkimproxy.out --domain=example.org,example.com --keyfile=private.key --selector=postfix --signature=dkim
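
       An added example (not part of dkimproxy or of this manual page): it reads a configuration file in the
       format above, lists the DNS names at which the public key must be published, and checks a set of TXT
       answers for missing or revoked keys. The <selector>._domainkey.<domain> name and the p= tag come from
       the DKIM specification (RFC 6376), not from this page; the TXT data is constructed.

```python
def parse_conf(text):
    """Parse 'name value' lines; blank lines and # comments are skipped."""
    conf = {}
    for line in text.splitlines():
        fields = line.strip().split(None, 1)
        if fields and not fields[0].startswith("#"):
            conf[fields[0]] = fields[1] if len(fields) > 1 else ""
    return conf


def record_names(conf):
    """DNS names at which the public key matching `keyfile` must be published."""
    for opt in ("keyfile", "selector", "domain"):
        if not conf.get(opt):
            raise ValueError(f"option {opt!r} is missing or empty")
    domains = [d.strip().lower() for d in conf["domain"].split(",") if d.strip()]
    # <selector>._domainkey.<domain> is the key location defined by RFC 6376.
    return [f"{conf['selector']}._domainkey.{d}" for d in domains]


def check_published(conf, txt_records):
    """Return {dns_name: problem}; txt_records maps DNS name -> TXT string."""
    problems = {}
    for name in record_names(conf):
        txt = txt_records.get(name)
        if txt is None:
            problems[name] = "no TXT record; signatures for this domain cannot verify"
            continue
        tags = {}
        for tag in txt.split(";"):
            key, _, value = tag.partition("=")
            tags[key.strip()] = value.strip()
        if not tags.get("p"):  # an empty p= means the key has been revoked
            problems[name] = "p= tag missing or empty (no key, or key revoked)"
    return problems


# Constructed inputs: the config is the man page's example, the TXT data is made up.
CONF = parse_conf("""\
# this is an example config file
domain example.org,example.com
keyfile private.key
selector postfix
signature dkim
""")
TXT = {"postfix._domainkey.example.org": "v=DKIM1; k=rsa; p=CONSTRUCTEDNOTAREALKEY"}
if __name__ == "__main__":
    for name, problem in check_published(CONF, TXT).items():
        print(f"{name}: {problem}")
```

       This only confirms that a key is published for every signing domain; it does not compare the published
       key with the private key in keyfile.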

SENDER MAP FILE

       If you want to use different signature properties depending on the sender of the  message  being  signed,
       use  a  "sender  map  file".  This  is  a  lookup  file containing sender email addresses on the left and
       signature properties on the right. E.g.

         # sign my mail with an EXAMPLE.COM dkim signature
         jason@long.name  dkim(d=example.com)

         # sign WIDGET.EXAMPLE mail with a default domainkeys signature
         widget.example   domainkeys

         # sign EXAMPLE.ORG mail with both a domainkeys and dkim signature
         example.org      dkim(c=relaxed,a=rsa-sha256), domainkeys(c=nofws)

       The right-hand value in a sender map file is a comma-separated list of signature types. Each signature
       type may have a comma-separated list of parameters enclosed in parentheses. The following signature
       parameters are recognized:

       key

       the private key file to use

       a

       the algorithm to use

       c

       the canonicalization method to use

       d

       the domain to use, default is to use the domain matched

       s

       the selector to use
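
       A parser for the sender map format described above, as an added example that is not dkimproxy's own
       code: it splits the right-hand side on the commas between signature types while leaving the commas
       inside parentheses alone, and rejects parameters or canonicalization methods this page does not list.
       Rejecting unlisted names and matching type names case-sensitively are assumptions of the example.

```python
import re

# From the man page: canonicalization per signature type, recognized parameters.
CANON = {"dkim": {"simple", "nowsp", "relaxed"}, "domainkeys": {"simple", "nofws"}}
PARAMS = {"key", "a", "c", "d", "s"}
# One signature spec: a type, an optional "(name=value,...)", then "," or end.
SPEC = re.compile(r"\s*([A-Za-z]+)\s*(?:\(([^()]*)\))?\s*(?:,|$)")


def parse_signatures(rhs):
    """Split a right-hand value into [(type, {param: value}), ...]."""
    sigs, pos = [], 0
    while pos < len(rhs):
        m = SPEC.match(rhs, pos)
        if not m:
            raise ValueError(f"cannot parse signature list at {rhs[pos:]!r}")
        sig_type, raw = m.group(1), m.group(2) or ""
        if sig_type not in CANON:
            raise ValueError(f"unknown signature type {sig_type!r}")
        params = {}
        for item in filter(None, (p.strip() for p in raw.split(","))):
            name, sep, value = (s.strip() for s in item.partition("="))
            if not sep or name not in PARAMS:
                raise ValueError(f"bad parameter {item!r} for {sig_type}")
            params[name] = value
        if "c" in params and params["c"] not in CANON[sig_type]:
            raise ValueError(f"c={params['c']} is not valid for {sig_type}")
        sigs.append((sig_type, params))
        pos = m.end()
    return sigs


def parse_sender_map(text):
    """Return {sender: signatures}; blank lines and # comments are skipped."""
    result = {}
    for line in text.splitlines():
        fields = line.strip().split(None, 1)
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) != 2:
            raise ValueError(f"{fields[0]}: sender without a signature list")
        result[fields[0]] = parse_signatures(fields[1])
    return result


# Constructed sample; the entries mirror the example in the man page.
SAMPLE = ("jason@long.name  dkim(d=example.com)\n"
          "widget.example   domainkeys\n"
          "example.org      dkim(c=relaxed,a=rsa-sha256), domainkeys(c=nofws)\n")
```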

SEE ALSO

       dkimproxy.in(8), dkim_responder(8), dkimsign(8),  dkimverify(8)

                                                                                                dkimproxy.out(8)