Provided by: dkimpy-milter_1.2.3-1_all 
NAME
dkimpy - DKIM signing and verifying filter for MTAs
SYNOPSIS
dkimpy-milter [configfile]
DESCRIPTION
dkimpy-milter implements the DKIM standard for signing and verifying e-mail messages on a per-domain
basis.
dkimpy-milter uses the milter interface, originally distributed as part of version 8.11 of sendmail(8),
to provide DKIM signing and/or verifying service for mail transiting a milter-aware MTA.
DATA SETS
Many of the configuration file parameters will refer to a "dataset" as their values. This refers to a
string that either contains the list of desirable values, or to a file that contains them, or a database
containing the data.
Some data sets require that the value contain more than one entry. How this is done depends on which
data set type is used. Not all these datasets are currently used by dkimpy-milter. See dkimpy-
milter.conf(5) for details about specific options and which dataset types they use.
In particular:
a) If the string begins with "file:", then the remainder of the string is presumed to refer to a flat
file that contains elements of the data set, one per line. If a line contains whitespace-
separated values, then the line is presumed to define a key and its corresponding value. Blank
lines are ignored, and the hash ("#") character denotes the start of a comment. If a value
contains multiple entries, the entries should be separated by colons.
b) If the string begins with "refile:", then the remainder of the string is presumed to specify a
file that contains a set of patterns, one per line, and their associated values. The pattern is
taken as the start of the line to the first whitespace, and the portion after that whitespace is
taken as the value to be used when that pattern is matched. Patterns are simple wildcard
patterns, matching all text except that the asterisk ("*") character is considered a wildcard. If
a value contains multiple entries, the entries should be separated by colons.
i) If the string contains none of these prefixes but starts with a slash ("/") character, or "./" or
"../", it is presumed to be a flat file as described above. Note: In OpenDKIM "./" and "../" only
apply to KeyTable, but for dkimpy-milter it is generally applicable and KeyTable specification is
not a special case.
j) If the string begins with "csl:", the string is treated as a comma-separated list as described in
m) below.
l) If the string begins with "mdb:", it refers to a directory that contains a memory database, as
provided by libmdb from OpenLDAP. [Not implemented yet]
m) In any other case, the string is presumed to be a comma-separated list. Elements in the list are
either simple data elements that are part of the set or, in the case of an entry of the form
"x=y", are stored as key-value pairs as described above.
OPTIONS
See dkimpy-milter.conf (5) for information about available options. Unlike OpenDKIM, with the
exception of -P for the pidfile and specifying the configuration file to use, dkimpy-milter does
not support command line option switches.
When signing a message, a DKIM-Signature: header will be prepended to the message. The signature
is computed using the private key provided. You must be running a version of sendmail(8) recent
enough to be able to do header prepend operations (8.13.0 or later).
When verifying a message, an Authentication-Results: header will be prepended to indicate the
presence of a signature and whether or not it could be validated against the body of the message
using the public key advertised by the sender's nameserver. The value of this header can be used
by mail user agents to sort or discard messages that were not signed or could not be verified.
FILE PERMISSIONS
When the filter is started as the superuser and the UserID setting is used, the filter gives up its root
privileges by changing to the specified user after the following steps are taken: (1) the configuration
file (if any) is loaded; (2) if the KeyFile or KeyFileEd25519 settings are used, the keys are loaded into
memory; (3) all data sets in the configuration file are opened, and those that are based on flat files
are also read into memory; and (4) if ChangeRootDirectory is set, the process root is changed to that
directory. This means on configuration reload, the filter will not be accessing these files or the
configuration file as the superuser (and possibly from a different root), and any key files referenced by
the KeyTable will also be accessed by the new user.
Thus, keys referenced by the KeyTable must always be accessible for read by the unprivileged user. Also,
run-time reloads are not possible if any of the other files will not be readable by the unprivileged
user.
ENVIRONMENT
The following environment variable(s) can be used to adjust the behaviour of this filter:
DKIM_TMPDIR
The directory to use when creating temporary files. The default is /tmp.
NOTES
When using DNS timeouts be sure not to use a timeout that is larger than the timeout being used for
interaction between sendmail and the filter. Otherwise, the MTA could abort a message while waiting for
a reply from the filter, which in turn is still waiting for a DNS reply.
Features that involve specification of IPv4 addresses or CIDR blocks will use the inet_addr(3) function
to parse that information. Users should be familiar with the way that function handles the non-trivial
cases (for example, "192.0.2/24" and "192.0.2.0/24" are not the same thing).
EXIT STATUS
Filter exit status codes are selected according to sysexits(3).
HISTORY
DKIM is an amalgam of Yahoo!'s DomainKeys proposal, and Cisco's Internet Identified Mail (IIM) proposal.
VERSION
This man page covers version 1.1.0 of dkimpy-milter.
COPYRIGHT
Copyright (c) 2005-2008, Sendmail, Inc. and its suppliers. All rights reserved.
Copyright (c) 2009-2013, 2015, The Trusted Domain Project. All rights reserved.
Copyright (c) 2018, 2019 Scott Kitterman <scott@kitterman.com>
SEE ALSO
dkimpy-milter.conf(5), sendmail(8)
Sendmail Operations Guide
RFC5321 - Simple Mail Transfer Protocol
RFC5322 - Internet Messages
RFC6376 - DomainKeys Identified Mail
RFC7601 - Message Header Field for Indicating Message Authentication Status
RFC8301 - Cryptographic Algorithm and Key Usage Update to DomainKeys Identified Mail (DKIM)
RFC8463 - A New Cryptographic Signature Method for DomainKeys Identified Mail (DKIM)
dkimpyy-milter(8)