From: Kyle Wheeler <kyle-qmail <at> memoryhole.net>
Subject: DomainKey Shell Scripts
Newsgroups: gmane.mail.qmail.general
Date: 2007-04-05 04:36:08 GMT
Hello,

I whipped up some shell scripts to do DomainKey verification and 
signing, using the dktest program that comes with libdomainkeys. The 
verifier is a qmail-queue wrapper, and the signer is a qmail-remote 
wrapper. They aren't *optimal*, because they use temporary files, 
rather than operating on just pipes. If you use `seek0`, you can avoid 
that, but I figured being general was better than adding more 
dependencies.

I've tested these scripts briefly, and they seem to work well. YMMV.

They do *not* block email based on DomainKey signature status; just 
tag. For blocking and/or using policy information, you'll have to 
modify them (for the sake of the rest of us, please post such 
modifications).

The first one is dkverifier.sh:

     #!/bin/sh
     # qmail-queue wrapper: verify the DomainKey signature and tag the
     # message; the real qmail-queue is always called, nothing is blocked
     [ "$DKQUEUE" ] || DKQUEUE=/var/qmail/bin/qmail-queue
     # only verify when DKVERIFY is set in the environment
     if printenv | grep -q '^DKVERIFY=' ; then
         tmp=`mktemp -t dk.verify.XXXXXXXXXXXXXXX`
         cat - >"$tmp"
         # drop the first line of dktest's report and prepend the rest to
         # the message as header lines, then hand it all to qmail-queue
         ( /usr/local/bin/dktest -v <"$tmp" 2>/dev/null | \
             /bin/awk 'NR>1'; /bin/cat "$tmp" ) | \
             $DKQUEUE
         retval=$?
         rm "$tmp"
         exit $retval
     else
         exec $DKQUEUE
     fi

The second one is a qmail-remote wrapper; it assumes that you've moved 
qmail-remote to qmail-remote.orig, and that this script is stored in 
/var/qmail/bin/qmail-remote. To set the environment variables to 
control this, add them to your qmail-send run script. The script is a 
little simplistic; it assumes all domains will be signed with the same 
key:

     #!/bin/sh
     # qmail-remote wrapper: sign with one key, then call the real
     # qmail-remote with the original arguments
     [ "$DOMAIN" ] || DOMAIN=`head -n 1 /var/qmail/control/me`
     [ "$DKREMOTE" ] || DKREMOTE=/var/qmail/bin/qmail-remote.orig
     [ "$DKSIGN" ] || DKSIGN="/etc/domainkeys/$DOMAIN/default"
     tmp=`mktemp -t dk.sign.XXXXXXXXXXXXXXX`
     cat - >"$tmp"
     # dktest -h prints the DomainKey-Signature header; the sed rewrites
     # its d= tag to $DOMAIN before the header is prepended to the message
     ( /usr/local/bin/dktest -s "$DKSIGN" -c nofws -h <"$tmp" \
         2>/dev/null | \
         /bin/sed 's/; d=.*;/; d='"$DOMAIN"';/'; \
         /bin/cat "$tmp" ) | \
         "$DKREMOTE" "$@"
     retval=$?
     rm "$tmp"
     exit $retval

We can add a little more intelligence to the key choice, at the 
expense of making it a little less readable (and bash-dependent).
Like so:

     #!/bin/bash
     # a "%" in DKSIGN is replaced by the sender's domain, taken from
     # qmail-remote's second argument (the envelope sender)
     [ "$DKSIGN" ] || DKSIGN="/etc/domainkeys/%/default"
     [ "$DKREMOTE" ] || DKREMOTE=/var/qmail/bin/qmail-remote.orig
     DOMAIN=${2##*@}
     if [[ $DKSIGN == *%* ]] ; then
         DKSIGN="${DKSIGN%%%*}${DOMAIN}${DKSIGN#*%}"
     fi
     # sign only if a key file exists for that domain; otherwise the
     # message goes out unsigned
     if [ -f "$DKSIGN" ] ; then
         tmp=`mktemp -t dk.sign.XXXXXXXXXXXXXXX`
         cat - >"$tmp"
         ( /usr/local/bin/dktest -s "$DKSIGN" -c nofws -h <"$tmp" \
             2>/dev/null | \
             /bin/sed 's/; d=.*;/; d='"$DOMAIN"';/'; \
             /bin/cat "$tmp" ) | \
             "$DKREMOTE" "$@"
         retval=$?
         rm "$tmp"
         exit $retval
     else
         exec "$DKREMOTE" "$@"
     fi
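An added example, not part of Kyle's post: the key selection of the bash wrapper above as POSIX sh functions that can be exercised outside qmail, with the cases the wrapper leaves implicit made explicit: a bounce (empty envelope sender) or a sender without an @ goes out unsigned, a DKSIGN template with no % means one fixed key for every domain, and the d= rewrite touches only the d= tag. Function names, the sample signature line and the paths are assumptions.

```shell
#!/bin/sh
# Added example, not from Kyle's post: the bash wrapper's key selection
# redone as POSIX sh functions so it can be tested outside qmail.
# Function names are hypothetical; /etc/domainkeys/%/default is a template.

# dk_sender_domain ADDRESS
# Prints the domain of an envelope sender. Returns 1 (prints nothing) for
# a bounce (qmail passes an empty sender) or a sender without an "@".
dk_sender_domain() {
    case "$1" in
        *@*) printf '%s\n' "${1##*@}" ;;
        *)   return 1 ;;
    esac
}

# dk_key_path TEMPLATE DOMAIN
# Replaces the first "%" in TEMPLATE with DOMAIN; a template with no "%"
# names one fixed key file used for every domain.
dk_key_path() {
    case "$1" in
        *%*) printf '%s\n' "${1%%%*}$2${1#*%}" ;;
        *)   printf '%s\n' "$1" ;;
    esac
}

# dk_choose_key TEMPLATE SENDER
# Prints the key file to sign with, or returns 1 when the message should
# be handed to qmail-remote unsigned.
dk_choose_key() {
    _dom=$(dk_sender_domain "$2") || return 1
    dk_key_path "$1" "$_dom"
}

# dk_rewrite_d DOMAIN
# Filter: in a DomainKey-Signature line, rewrite only the d= tag, so the
# neighbouring tags (a=, s=, c=, q=, h=) on that line are left untouched.
dk_rewrite_d() {
    sed "s/; *d=[^;]*;/; d=$1;/"
}

# constructed signature line standing in for dktest's output
SAMPLE_SIG='DomainKey-Signature: a=rsa-sha1; s=default; d=host.local; c=nofws; q=dns; h=From:To;'

# stand-alone demonstration
dk_choose_key /etc/domainkeys/%/default user@example.com
printf '%s\n' "$SAMPLE_SIG" | dk_rewrite_d example.com
```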

I hope that helps someone. :)

~Kyle
-- 
Those who do not understand Unix are condemned to reinvent it, poorly.
                                                       -- Henry Spencer