This is a partial lynx dump of http://www.tana.it/sw/zdkimfilter/

   home [1]old [2]db
   documentation:[3]zdkimfilter [4]zdkimsign [5]redact [6]zaggregate
   [7]zfilter_db [8]zdkimfilter.conf [9]zdkimgenkey

                                  ZDKIMFILTER
                        "z" DKIM filter for Courier-MTA

Packages and installation

   Gentoo: Daniel Black and Hanno Böck added this to [10]gentoo linux.

   RPM: Zenon Panoussis contributed an RPM .spec, available [11]here. It
   is included in recent tarballs. See [12]his message for details.

   Debian: Viktor Szépe created the setup, and the debian subdirectory is
   included in the tarball since version 1.6. That way, tarball users can
   build a Debian package instead of a local installation obtained by
   ./configure. An experimental Debian binary package built on AMD (Ryzen)
   by [13]dpkg-buildpackage -us -uc can be found [14]here.

   Basic installation: Even if you're not using Debian, the [15]postinst
   script can be read as a guide for post-installation instructions. Some
   useful Courier settings are as follows:

     * BOFHSPFHELO, BOFHSPFMAILFROM, and BOFHSPFFROM (suit your taste, but
       enable SPF evaluation),
     * ALLOW_EXCLUSIVE in esmtpd, and then trust_a_r in zdkimfilter.conf,
     * MIME=none in esmtpd to prevent rewriting incoming mail (this has no
       prepared stanza),
     * opt MIME=none in bofh to prevent rewriting local sendmail (this has
       no prepared stanza),
     * MIME=some in esmtpd-msa to allow rewriting submitted mail (this has
       no prepared stanza),
     * NOADDRREWRITE=2 in esmtpd (not needed in newer Courier versions).

   A couple of tweaks to handle DMARC quarantine and From: demunging are
   documented in the [16]man page.

   Complete installation requires a database. The examples included in the
   distribution are based on MariaDB and explained in the [17]DB page.
   This work can be customized at will, which is why they're called
   examples. A utility to browse the database is still missing; maybe the
   next version will feature something to tweak per-domain options. Other
   "obvious" settings, such as managing bounces of sent-out reports, are
   not even mentioned. Finally, in order to complete DMARC installation,
   you need to parse aggregate reports received from your targets and
   possibly feed the database. You may want to consider transforming
   aggregate reports to more readable HTML using [18]dmarc-xsl.
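
   As an added example (not part of zdkimfilter or its distribution), this
   sketch parses a received aggregate report into rows that could be stored
   and lists the sources that failed DMARC. The sample report is constructed,
   and the row field names are assumptions, not the project's database schema.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample report; every value below is made up.
SAMPLE = """<feedback>
 <report_metadata><org_name>receiver.example</org_name></report_metadata>
 <policy_published><domain>example.org</domain><p>quarantine</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>12</count>
  <policy_evaluated><disposition>none</disposition>
   <dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>3</count>
  <policy_evaluated><disposition>quarantine</disposition>
   <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def parse_report(xml_text):
    """Return (reporter, domain, rows); rows are dicts (hypothetical field names)."""
    # Reports arrive from outside: refuse DTDs so no entity expansion is processed.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD not allowed in an aggregate report")
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.iter("record"):
        ev = rec.find("row/policy_evaluated")
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "disposition": ev.findtext("disposition"),
            # DMARC passes when at least one aligned mechanism passes.
            "dmarc_pass": "pass" in (ev.findtext("dkim"), ev.findtext("spf")),
        })
    return (root.findtext("report_metadata/org_name"),
            root.findtext("policy_published/domain"), rows)

def failing_sources(rows):
    """Total message count per source IP whose mail failed DMARC."""
    totals = Counter()
    for row in rows:
        if not row["dmarc_pass"]:
            totals[row["source_ip"]] += row["count"]
    return dict(totals)
```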

Requirements

     * courier is required to configure and run the filter. Side
       executables such as zdkimverify can run on the command line
       independently of the MTA.
     * libgnutls or openssl,*
     * libopendbx, used with MariaDB (not MySQL)†
     * libnettle,
     * libresolv,
     * libidn2,
     * libunistring,
     * zlib,
     * uuid,
     * the pkg-config utility,
     * libtool (a buggy requirement that will be removed from future
       versions; for v.1.5, libtool-bin is necessary to configure the
       package)
     * In addition, the Public Suffix List is used for DMARC, if
       configured.

   (*) Versions older than 3.0 require libopendkim.

   (†) With [19]OpenDBX it is possible to deploy several DBMS by editing
   the queries in the configuration files. The reference configuration,
   however, works with MariaDB. MySQL is not compatible as it lacks the
   INET6 data type.

DMARC

   The complete installation automates sending DMARC aggregate reports.

   As is well known, forwarding modified messages may require rewriting
   From:. That is one of the means for [20]mitigating DMARC damage to
   third party mail. This filter attempts to [21]recognize transformations
   typical of mailing lists, and adds auxiliary header fields to ease such
   recognition. This feature seems to work if authors avoid signing list
   specific fields, such as MIME-Version:, Content-Type: and
   Content-Transfer-Encoding:.

   For sending, there is a Python script to forward mail safely, shielding
   it from strict DMARC policies. Designed for .courier files, the script
   does a Mailman-style mitigation: it possibly munges From: and saves the
   original value in Reply-To:. [22]dmarc_shield3.py is published by
   Lindsay Haisley.
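
   The Mailman-style mitigation described above, as an added example (it is
   not dmarc_shield3.py and not code from this project). It assumes the
   author domain's DMARC TXT record has already been looked up and is passed
   in as a string; the function names and the "via list" display name are
   hypothetical.

```python
from email import message_from_string
from email.utils import formataddr, parseaddr

STRICT = {"quarantine", "reject"}

def dmarc_policy(txt):
    """Return the p= tag of a DMARC TXT record, or None if it is not one."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return None
    return tags.get("p", "").lower() or None

def shield(msg, list_addr, author_txt):
    """Munge From: in place if the author's policy is strict; True if munged."""
    if dmarc_policy(author_txt or "") not in STRICT:
        return False  # p=none or no record: forward with From: untouched
    original = msg["From"]
    name, addr = parseaddr(original)
    del msg["From"]
    msg["From"] = formataddr((f"{name or addr} via list", list_addr))
    # Keep the author reachable: the original value goes into Reply-To:.
    reply_to = msg["Reply-To"]
    del msg["Reply-To"]
    msg["Reply-To"] = f"{reply_to}, {original}" if reply_to else original
    return True

# Constructed sample message; addresses and domains are made up.
RAW = ("From: Alice <alice@strict.example>\n"
       "To: list@lists.example\nSubject: hi\n\nbody\n")

def demo():
    msg = message_from_string(RAW)
    shield(msg, "list@lists.example", "v=DMARC1; p=reject")
    return msg["From"], msg["Reply-To"]
```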

   For receiving, zdkimfilter tries to revert that munging and verify the
   original author domain's signature. If it succeeds, it sets the header
   so that a Maildrop instruction can restore the original value of From:
   after any external forwarding (see [23]zdkimfilter(8) man page).

ARC

   Since version 3.12, zdkimfilter verifies ARC set chains. [24]zarcseal
   is a new alias for the zdkimsign wrapper, to be used on forwarding. It
   trusts existing Authentication-Results: and transforms it into a signed
   ARC-Authentication-Results: which may be evaluated by external
   receivers.

   There is more to be done to unleash ARC's potential to dismiss From:
   munging in mailing lists. We need a mailing list willing to experiment
   with new settings in order to put ideas into practice.

MLM transformation experiment

   Since version 3, zdkimfilter tries to recognize the original signature
   of messages transformed by a mailing list. When the transformation is
   successfully reverted, the munged From: can be replaced with the
   original as described in the [25]man page.

   A description of how and when transformation reverting works is drafted
   [26]here.

License

   [27]GPLv3

   As far as software copyright is concerned, zdkimfilter is free
   software: you can redistribute it and/or modify it under the terms of
   the GNU [28]General Public Licence as published by the Free Software
   Foundation, either version 3 of the License, or (at your option) any
   later version.

   zdkimfilter is distributed in the hope that it will be useful, but
   WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the [29]GNU
   General Public Licence for more details.

   As an additional permission under GNU GPLv3 section 7,

     If you modify zdkimfilter, or any covered part of it, by linking or
     combining it with OpenSSL, OpenDKIM, Sendmail, or any software
     developed by The Trusted Domain Project or Sendmail Inc., containing
     parts covered by the applicable licence, the licensor of zdkimfilter
     grants you additional permission to convey the resulting work.

   Copyright (C) 2012-2025 Alessandro Vesely

References

   1. http://www.tana.it/sw/zdkimfilter/all.shtml
   2. http://www.tana.it/sw/zdkimfilter/database.html
   3. http://www.tana.it/sw/zdkimfilter/zdkimfilter.html
   4. http://www.tana.it/sw/zdkimfilter/zdkimsign.html
   5. http://www.tana.it/sw/zdkimfilter/redact.html
   6. http://www.tana.it/sw/zdkimfilter/zaggregate.html
   7. http://www.tana.it/sw/zdkimfilter/zfilter_db.html
   8. http://www.tana.it/sw/zdkimfilter/zdkimfilter.conf.html
   9. http://www.tana.it/sw/zdkimfilter/zdkimgenkey.html
  10. https://gitweb.gentoo.org/repo/gentoo.git/tree/mail-filter/zdkimfilter
  11. http://www.tana.it/svn/zdkimfilter/trunk/zdkimfilter.spec
  12. https://sourceforge.net/p/courier/mailman/message/37610745/
  13. https://www.debian.org/doc/manuals/maint-guide/build.en.html#completebuild
  14. http://www.tana.it/sw/zdkimfilter/zdkimfilter_3.21_amd64.deb
  15. https://www.tana.it/svn/zdkimfilter/trunk/debian/postinst
  16. http://www.tana.it/sw/zdkimfilter/zdkimfilter.html#dmarcand
  17. http://www.tana.it/sw/zdkimfilter/database.html
  18. http://www.tana.it/sw/dmarc-xsl/
  19. https://www.linuxnetworks.de/doc/index.php/OpenDBX
  20. https://wiki.asrg.sp.am/wiki/Mitigating_DMARC_damage_to_third_party_mail
  21. http://www.tana.it/sw/zdkimfilter/zdkimfilter.html#mlmtrans
  22. https://dev.fmp.com/contrib/dmarc_shield3.py
  23. http://www.tana.it/sw/zdkimfilter/zdkimfilter.html#mlmtrans
  24. http://www.tana.it/sw/zdkimfilter/zdkimsign.html
  25. http://www.tana.it/sw/zdkimfilter/zdkimfilter.html#mlmtrans
  26. https://datatracker.ietf.org/doc/html/draft-vesely-dmarc-mlm-transform
  27. http://www.gnu.org/licenses/gpl.html
  28. http://www.gnu.org/licenses/gpl.html
  29. http://www.gnu.org/licenses/gpl.html
