This is a collection of pure Go tools I've written to DKIM sign messages and verify them on my 9front mail server. They should be fairly easy to incorporate into any pipeline that can pass messages along stdin and read them from stdout.
The tool dkimverify
will verify that a message has a valid
signature.
It can either read a message from stdin, or have (optionally many) filenames passed as arguments. If all messages have valid signatures, it will exit with a success status, otherwise it will exit with an exit code of the number of messages that failed validation. For each one, it will print the reason for the failure to stderr.
The -hd
parameter takes a string argument and instead of printing to
stderr, will print an SMTP header of that name with a value of "Pass"
or "Fail" to stdout. Temporary failures or no DKIM signature present
in a message will print nothing. -hdprefix
or hdsuffix
can be
used to add a prefix or suffix to the header value.
The dkimverify tool can be used without any special configuration.
Signing is slightly more complicated by necessity. The tool
dkimkeygen
will create 2 files in the directory it's run in:
dns.txt
and private.pem
. The contents of the dns.txt need to be
added to your domain's DNS as a TXT record at
selector._domainkey.example.com
so that the DKIM signatures added by
dkimsign
can be validated. (the "selector" part can be anything you
want, but needs to match what's passed to dkimsign
) private.pem
is
the corresponding private key.
dkimsign
reads a message from stdin and writes a signed version of
that message to stdout according to the parameters passed. The
incoming message can have any line ending, but they'll be converted to
"\r\n" line endings on output (unless -n
is passed, in which case
they'll be printed as "\n"). If "-hd" is passed to dkimsign
, the
header will be printed to stdout but not the message body. The -key
parameter is the private key and should be the path to the
private.pem
generated by dkimkeygen. -s
is the selector and
should match the selector part of the domain name. -d
is the domain
name.
The following is an example /mail/lib/remotemail
that should add
valid DKIM Signatures on a Plan 9 server. Note that since it requires
the sender to have access to private.pem it should probably only be
used in a single-user environment.
#!/bin/rc
shift
sender=$1
shift
addr=$1
shift
# The first smtp with -f causes SMTP to add any headers it wants and
# fully qualify the addresses, printing to stdout instead of sending.
# dkimsign signs From, Date, Subject, and To headers (and the body)
# with relaxed encoding (the default). It prints the signed message
# to stdout with \n line endings ("-n") and undoes the dot-stuffing
# added by smtp -f ("-u") both for generating the signature and for
# printing it. It uses the selector 19700101._domainkey.example.com and
# signs using the private key at /sys/lib/dkim/private.pem (which
# should correspond to the selector)
# The second smtp (without -f) then sends the mail for real.
exec /bin/upas/smtp -f -h example.com .example.com $addr $sender $* | /bin/dkimsign -h From:Date:Subject:To -u -s 19700101 -n -d example.com -key /sys/lib/dkim/private.pem | /bin/upas/smtp -s -h example.com .example.com $addr $sender $*