{"id":1636,"date":"2019-11-19T14:42:50","date_gmt":"2019-11-19T06:42:50","guid":{"rendered":"https:\/\/www.computersolutions.cn\/blog\/?p=1636"},"modified":"2019-11-19T14:42:50","modified_gmt":"2019-11-19T06:42:50","slug":"qmail-dkim-settings","status":"publish","type":"post","link":"https:\/\/www.computersolutions.cn\/blog\/2019\/11\/qmail-dkim-settings\/","title":{"rendered":"qmail-dkim settings"},"content":{"rendered":"

As I can never find this online, and man -l \/var\/qmail\/man\/man8\/qmail-dkim.8 is a pain, I’ve posted the DKIM settings below.<\/p>\n

—<\/p>\n

The complete set of letters with the corresponding return status is given below<\/p>\n

A – DKIM_SUCCESS – Function executed successfully
\nB – DKIM_FINISHED_BODY – process result: no more message
\nbody is needed
\nC – DKIM_PARTIAL_SUCCESS – verify result: at least one
\nbut not all signatures verified
\nD – DKIM_NEUTRAL – verify result: no signatures
\nverified but message is
\nnot suspicious
\nE – DKIM_SUCCESS_BUT_EXTRA – signature result: signature
\nverified but it did not
\ninclude all of the body
\nF – DKIM_3PS_SIGNATURE – 3rd-party signature
\nG – DKIM_FAIL – Function failed to execute
\nH – DKIM_BAD_SYNTAX – signature error: DKIM-Signature
\ncould not parse or has bad
\ntags\/values
\nI – DKIM_SIGNATURE_BAD – signature error: RSA verify
\nfailed
\nJ – DKIM_SIGNATURE_BAD_BUT_TESTING – signature error: RSA verify
\nfailed but testing
\nK – DKIM_SIGNATURE_EXPIRED – signature error: x= is old
\nL – DKIM_SELECTOR_INVALID – signature error: selector doesn’t
\nparse or contains invalid values
\nM – DKIM_SELECTOR_GRANULARITY_MISMATCH – signature error: selector
\ng= doesn’t match i=
\nN – DKIM_SELECTOR_KEY_REVOKED – signature error: selector
\np= empty
\nO – DKIM_SELECTOR_DOMAIN_NAME_TOO_LONG – signature error: selector domain
\nname too long to request
\nP – DKIM_SELECTOR_DNS_TEMP_FAILURE – signature error: temporary dns
\nfailure requesting selector
\nQ – DKIM_SELECTOR_DNS_PERM_FAILURE – signature error: permanent dns
\nfailure requesting selector
\nR – DKIM_SELECTOR_PUBLIC_KEY_INVALID – signature error: selector
\np= value invalid or wrong format
\nS – DKIM_NO_SIGNATURES – no signatures
\nT – DKIM_NO_VALID_SIGNATURES – no valid signatures
\nU – DKIM_BODY_HASH_MISMATCH – sigature verify error: message
\nbody does not hash to bh value
\nV – DKIM_SELECTOR_ALGORITHM_MISMATCH – signature error: selector
\nh= doesn’t match signature a=
\nW – DKIM_STAT_INCOMPAT – signature error: incompatible v=
\nX – DKIM_UNSIGNED_FROM – signature error: not all message’s
\nFrom headers in signature<\/p>\n

For example, if you want to permanently reject messages that have a signature that is expired, include the letter ‘K’ in the DKIMVERIFY environment variable. A conservative set of letters is FGHIKLMNOQR\u2010
\nTUVWjp. Reject permanently 3PS, FAILURE, SYNTAX, SIGNATURE_BAD, SIGNATURE_EXPIRED, SELECTOR_INVALID, GRANULARITY_MISMATCH, SELECTOR_KEY_REVOKED, DOMAIN_NAME_TOO_LONG, SELECTOR_PUBLIC_KEY_INVALID,
\nNO_VALID_SIGNATURES and BODY_HASH_MISMATCH errors, and temporarily SIGNATURE_BAD_BUT_TESTING and DNS_TEMP_FAILURE . Add in S if you want to reject messages that do not have a DKIM signature. You can use
\nthe control files signaturedomains and nosignature domains (See Below) to further fine tune the action to be taken when a mail arrives with no DKIM signature. Note that qmail-dkim always inserts the
\nDKIM-Status header, so that messages can be rejected later at delivery time, or in the mail reader. In that case you may set DKIMVERIFY to an empty string. If you want to check all message’s From header
\nin signature set the UNSIGNED_FROM environment variable to an empty string. If you want to check messages without signed subject header, set UNSIGNED_SUBJECT environment variable. If you want to honor
\nbody lengh tag (l=), set HONOR_BODYLENGTHTAG environment variable.<\/p>\n

qmail-dkim supports signing practice which can be additonall checked when a signature verifcation fails –<\/p>\n

SSP – Sender Signing Practice<\/p>\n

and<\/p>\n

ADSP – Author Domain Signing Practice.<\/p>\n

When a signature fails to verify for a message, you can use SSP\/ADSP to determine if the message is suspicious or not. To verify a message against SSP\/ADSP, set the DKIMPRACTICE environment variable to
\nthe desired set of letters allowed for DKIMVERIFY environment variable. SSP\/ADSP should be used only when signature verification fails. SSP\/ADSP should be invoked only when libdkim returns the error
\ncodes (F,G,H,I,J,K,L,M,N,P,Q,R,S,T,U,V,W,X) for signature verification. In case you want to test against SSP\/ADSP only for DKIM_NO_SIGNATURE and DKIM_NO_VALID_SIGNATURE set the environment variable DKIM\u2010
\nPRACTICE=”ST”. If you want automatic behaviour, set DKIMPRACTICE to an empty string. In this case ADSP\/SSP will be used when return code matches “FGHIJKLMNPQRSTUVWX”. qmail-dkim uses ADSP as the default
\nsigning practice. You can override this by setting the SIGN_PRACTICE to ssp, adsp, local (lowercase). if you set SIGN_PRACTICE to local, qmail-dkim will check the domain against the control file signa\u2010
\nturedomains (See Below). If the domain is found listed in signaturedomains qmail-dkim will bypass ADSP\/SSP and return DKIM_FAIL if signature fails to verify. Setting SIGN_PRACTICE to anything else will
\ncause qmail-dkim to disable Signing Practice.<\/p>\n","protected":false},"excerpt":{"rendered":"

As I can never find this online, and man -l \/var\/qmail\/man\/man8\/qmail-dkim.8 is a pain, I’ve posted the DKIM settings below. — The complete set of letters with the corresponding return status is given below A – DKIM_SUCCESS – Function executed successfully B – DKIM_FINISHED_BODY – process result: no more message body is needed C – […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1636","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/posts\/1636","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/comments?post=1636"}],"version-history":[{"count":3,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/posts\/1636\/revisions"}],"predecessor-version":[{"id":1639,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/posts\/1636\/revisions\/1639"}],"wp:attachment":[{"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/media?parent=1636"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/categories?post=1636"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/tags?post=1636"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}