Jerry,

It is easy to verify messages, because verification instructions are essentially built into the message. Signing messages, however, is a little more complex. You can read the spec (http://www.ietf.org/rfc/rfc4870.txt), or check my descriptions below:

To verify a signed message:

After the DomainKeyVerifier mailet has processed a message, a "DomainKey-Status" header is added to the message. This header contains the results of the verification, and will be one of the following values:

  good
  bad
  revoked
  bad format
  internal error
  no key
  no signature
  non participant

Most of these only hint at the legitimacy of the email and are not a conclusive sign that the message may be valid or spam. However, you should be able to whitelist "good" ones, and immediately mark "bad" or "revoked" ones as spam. You can check the official spec if you want the official definition of the status header.

To sign a message:

The DK verification process is done using public/private key encryption. This means that the message signature is created using a private key (that only you know), and can be verified by a public key (which is made available to anyone in the world). Each domain that will be sending signed email must have a DNS entry that contains a public key. Since organizations may not want to be limited to a single key, a "selector" must also be determined. The "selector" can be any arbitrary alphanumeric string of your choosing. The "selector" is combined with the domain name to determine the DNS name under which the public key is published. You must set up the DNS record at "_domainkey.SELECTORNAME.yourdomainname.com".

After a DNS record is set up for each domain you wish to sign, you can configure the DomainKeySigner mailet. You mentioned that your server sends mail for over 50 different domains. As currently coded, you will need 50 different DomainKeySigner mailet instances in your configuration. However, if you're willing to change the source code yourself, you can save yourself some entries in the config.xml. If possible, I suggest that you use the same key to sign all the different domains. You still have to publish a DomainKey DNS record for each different domain, but the contents of the entries can be roughly the same. You will have to change the source code to use the domain specified by the "FROM" when signing the message, rather than by using the hard-coded configuration entry.

Here is a more explicit definition of the DomainKeySigner mailet parameters:

  privateKeyFile - Required. The name of a file that contains the private key that will be used to sign this message.
  domain - Required. The domain name from which the message is sent.
  selector - Required. The name of the selector to be associated with the signature.
  canonicalization - Required. Accepted values are currently "simple" or "nofws". You should use "nofws" if you're unsure.
  hashType - Required. Accepted values are currently "SHA1" or "SHA256".
  signableHeaders - Optional. A comma-separated list of header names that will be signed. See the spec for details.

I'm sorry a simple turn-key solution is not available, but in the interest of stopping SPAM on the internet, I'll be happy to help you get this up and running. Please ask any more questions as they arise.

Tom Brown

On Fri, Oct 3, 2008 at 10:35 AM, Jerry M <[EMAIL PROTECTED]> wrote:
> Tom,
>
> Thanks for the pointer to the source. Is there any documentation (i.e.
> cookbook) on how to install and use this other than the info in this current
> thread on the forum? I understand the basic concept. But your sample
> config.xml entry in the post a couple of days ago was very generic, and I
> still can't find the precise syntax for including the other mailet in
> config.xml.
>
> A few questions... you list some syntax of
>
> <signableHeaders>comma,separated,list,of,headers,that,should,be,signed</signableHeaders>
>
> I'm completely new to this. How do I KNOW what headers need to be signed?
> What is the default? Why would I have the choice of randomly selecting
> headers for signing?
>
> Also, you show:
> <domain>my.domain.here.com</domain>
>
> I host over 50 independent domains on my server. Do I need a mailet entry
> in config.xml for EVERY domain name that I want to use this for?
>
> What I would really like is an example of a working config file entry as
> well as the syntax.
>
> I appreciate the work you have done for implementing this. And I'm sure
> there are many people who understand domainKeys that would have no problem
> picking up your code and running with it, given their previous knowledge.
> But there are those of us out here who can barely spell 'domainKey', but
> need desperately to get this implemented. Any basic step by step examples
> would be greatly appreciated.
>
> Thanks.
>
> Jerry
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
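Since the thread asks for a concrete config.xml entry, here is an added example (not from the thread, from Tom's code, or from the James project) that wires the parameters listed above into a James 2.x spoolmanager: one DomainKeyVerifier on inbound mail and one DomainKeySigner per signed domain on outbound mail. The processor placement, the short mailet class names, the SenderIsRegex matcher, the key file paths, the selector value and the domain names are assumptions.

```xml
<!-- Added example, not from the thread or the James project. Assumes the
     James 2.x config.xml layout, that the DomainKey mailets are reachable
     by the short class names below, and two hosted domains example.com
     and example.net (constructed values). -->
<spoolmanager>
  <!-- Inbound mail: verify first. DomainKeyVerifier only adds the
       "DomainKey-Status" header (good, bad, revoked, bad format,
       internal error, no key, no signature, non participant); it makes
       no routing decision itself, so a later matcher or the spam filter
       must act on "bad" / "revoked" and may whitelist "good". -->
  <processor name="root">
    <mailet match="All" class="DomainKeyVerifier"/>
    <!-- ... existing root processor mailets ... -->
  </processor>

  <!-- Outbound mail: sign in the transport processor, before
       RemoteDelivery, so the signature covers the message exactly as it
       leaves this server. One DomainKeySigner per domain, selected by
       the envelope sender's domain (assumed matcher syntax). Every
       <domain> below still needs its own public-key DNS record. -->
  <processor name="transport">
    <mailet match="SenderIsRegex=.*@example\.com$" class="DomainKeySigner">
      <!-- Assumed path; the same key file is reused for every domain,
           as Tom suggests, so only the DNS records differ per domain. -->
      <privateKeyFile>/opt/james/keys/domainkey-private.pem</privateKeyFile>
      <domain>example.com</domain>
      <selector>mail2008</selector>
      <!-- "nofws" is the safe choice when unsure -->
      <canonicalization>nofws</canonicalization>
      <hashType>SHA1</hashType>
      <!-- Optional: headers the receiver must see unmodified; pick the
           ones that identify the sender and content of the message -->
      <signableHeaders>From,To,Subject,Date,Message-ID</signableHeaders>
    </mailet>

    <!-- Second hosted domain: same key and selector, own <domain> -->
    <mailet match="SenderIsRegex=.*@example\.net$" class="DomainKeySigner">
      <privateKeyFile>/opt/james/keys/domainkey-private.pem</privateKeyFile>
      <domain>example.net</domain>
      <selector>mail2008</selector>
      <canonicalization>nofws</canonicalization>
      <hashType>SHA1</hashType>
      <signableHeaders>From,To,Subject,Date,Message-ID</signableHeaders>
    </mailet>

    <!-- ... RemoteDelivery and the rest of the transport processor ... -->
  </processor>
</spoolmanager>
```

Mail whose sender domain matches none of the SenderIsRegex entries passes through unsigned, which is the behaviour to check when adding the remaining hosted domains.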