On Thu, Oct 04, 2007 at 09:35:50PM +0200, Tony Earnshaw wrote:
>> While putting together a system that can both sign and verify,
>> originally I had it set to do both in the same daemon process. After
>> asking about it somewhere (in the #sendmail IRC channel IIRC), I decided
>> to split it into a verify process at the beginning of the milter chain
>> (only preceded by clamav milter) and a sign process at the end of the
>> milter chain. I ended up figuring out how to do it with not too much
>> difficulty, but it might be worth adding a section "Here is how some
>> have implemented split signing/verifying".
>You're obviously not running a Red Hat derivative OS with my rpm,
>because if you were, you would not have this problem.
Correct, this is on a Gentoo machine. However, I wasn't looking for any
procedure bound to an architecture. I was suggesting a Best Practices.
Just because _we_ don't need it, doesn't mean it wouldn't be nice for
first time sysadmins to encounter as they're wading through the dkim
process for the first time.
I do it both the same on my RedHat and Gentoo machines. Set a single
variable in /etc/sysconfig/dkim-milter or /etc/conf.d/dkim-milter. That
variable contains space separated dkim-milter config files. The init
script loops through the names and starts dkim-filter one at a time with
each config file. May be easier to just set up a dedicated sign and
dedicated verify variable, but if one wanted to split up configs even
further, say per domain, each one doing split sign/verify, then the loop
becomes a bit more attractive.
when you shoot yourself in the foot, just because you are so neurally
broken that the signal takes years to register in your brain, it does
not mean that your foot does not have a hole in it. --Randy Bush
Linux kernel 2.6.17-6mdv 8 users, load average: 0.04, 0.14, 0.15
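A sketch of the init-script loop described in the message above, added here as an example and not taken from the poster's actual scripts. The names `DKIM_CONFIGS`, `DKIM_BIN` and `DRY_RUN` are assumptions, as is an installed dkim-filter that accepts `-x configfile` and reads `Mode` and `Socket` from that file; the pre-flight check refuses to start if two instances (for example the verify and the sign process) would claim the same milter socket.

```shell
#!/bin/sh
# Added example: start one dkim-filter per config file named in a single variable.
# DKIM_CONFIGS, DKIM_BIN and DRY_RUN are hypothetical names chosen for this sketch.
DKIM_BIN="${DKIM_BIN:-/usr/sbin/dkim-filter}"

# conf_value FILE KEY: print the value of the first "KEY value" line (comments skipped).
conf_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# check_configs "f1 f2 ...": succeed only if every file is readable, declares a
# sign/verify Mode, and no two files share a Socket.
check_configs() {
    seen=""
    for conf in $1; do
        [ -r "$conf" ] || { echo "unreadable: $conf" >&2; return 1; }
        mode=$(conf_value "$conf" Mode)
        sock=$(conf_value "$conf" Socket)
        case "$mode" in
            s|v|sv|vs) ;;
            *) echo "$conf: missing or invalid Mode" >&2; return 1 ;;
        esac
        [ -n "$sock" ] || { echo "$conf: no Socket set" >&2; return 1; }
        case " $seen " in
            *" $sock "*) echo "$conf: Socket $sock already in use" >&2; return 1 ;;
        esac
        seen="$seen $sock"
    done
}

# start_all "f1 f2 ...": validate, then launch one instance per config file.
# With DRY_RUN=1 the commands are printed instead of executed.
start_all() {
    check_configs "$1" || return 1
    for conf in $1; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "$DKIM_BIN -x $conf"
        else
            "$DKIM_BIN" -x "$conf" || return 1
        fi
    done
}

# Called from the init script's start action once the sysconfig/conf.d file is sourced.
if [ -n "${DKIM_CONFIGS:-}" ]; then
    start_all "$DKIM_CONFIGS"
fi
```

The order of the milters in the chain is still set in the MTA configuration; this loop only guarantees that each listed config gets its own process and its own socket.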