OpenDKIM v2.7.0 released

From: Murray S. Kucherawy <>
Date: Wed, 24 Oct 2012 13:48:33 -0700 (PDT)

The Trusted Domain Project announces availability of OpenDKIM v2.7.0, now
available for download from SourceForge.

This is a major release, with some new features and some bug fixes. None
of the fixes or features are critical, so upgrading is not mandatory unless
one of these changes resolves a current issue.

Among the major changes in this release:

o SECURITY: The library will now decline to generate a signature, or pass even
  a valid signature, if the signing key is comprised of too few bits, thus
  being insecure. The default is 1024. This can be controlled through the
  API, and the setting can also be adjusted in the filter via the new
  "MinimumKeyBits" setting.

o Support for libar (the provided asynchronous resolver library) has been
  discontinued. Instead, use either libunbound or a thread-safe version
  of the BIND resolver.

o Per RFC6648, "X-" header fields are now discouraged. Accordingly,
  we no longer generate (or expect) any. This also means the "X-Header"
  configuration file item has been renamed to "SoftwareHeader". Configuration
  files referring to the old name will need to be updated.

o All copyrights have been updated to reflect that The Trusted Domain Project
  is the copyright holder. The OpenDKIM Project is now an initiative of that

o A third experimental domain reputation system has been added. Look in the
  new reprrd/ directory for more information.

The full RELEASE_NOTES for this version:

2.7.0 2012/10/24
        Feature request #SF2964375: Reject configuration files that have
                a SigningTable referencing a missing or malformed KeyTable
        Feature request #SF3544764: Support for libar has been discontinued.
                For asynchronous and/or thread-safe resolver service,
                use libunbound or a suitable version of BIND.
        Feature request #SF3545658: Replace "ResolvConf" with "Nameservers"
                and add support for NS list overrides for versions of bind
                that have res_setservers(). Also rename "UnboundConfigFile"
                to "ResolverConfiguration", and make "TrustAnchorFile"
                generally available.
        Feature request #SF3547124: Skip reputation checks on passing
                signatures whose keys had a "t=y" value.
        Feature request #SF3555842: Add "ReputationTest" setting. Requested
                by Andreas Schulze.
        Feature request #SF3556439: Update opendkim-atpszone per RFC6541.
        Feature request #SF3559744: Add library option DKIM_OPTS_MINKEYBITS
                allowing one to specify a minimum number of key bits for
                acceptable keys and signatures. This is exposed through new
                configuration file option "MinimumKeyBits". The default
                is 1024.
        Fix bug #SF3536414: Activate _FFR_OVERSIGN, and remove
        Fix bug #SF3536655: Rename "X-Header" to "SoftwareHeader", and rename
                all header fields added that start "X-" to remove that prefix,
                per RFC6648. The old name will be accepted through the end
                of the 2.7.x line.
        Fix bug #SF3538896: Remove antiquated CVS Id: tags, which cleans up
                some (harmless) build warnings. Suggested by Andreas Schulze.
        Fix bug #SF3548741: Add "ReputationTimeout" for use inside
                _FFR_REPUTATION, rather than using the built-in default
                or a hard-coded one.
        Fix bug #SF3549307: Remove _FFR_REPUTATION_CACHE, as it is redundant
                to caching code that's part of _FFR_REPUTATION already.
        Fix bug #SF3555844: Get repute client code in sync with repute.php
                (and the current REPUTE WG drafts). Problem noted by
                Andreas Schulze.
        Fix bounds checking in the dstring printf functions.
        Fix loop structure in the C side of odkim.get_rcpt(). Problem
                noted by Todd Lyons.
        Change all temporary directory defaults from /var/tmp to /tmp.
        Activate _FFR_LUA_GLOBALS.
        Request the milter permissions required to get _FFR_REDIRECT working.
                Patch from Andreas Schulze.
        Add _FFR_REPRRD, which is a second approach to DKIM-based reputation
                using round robin databases and Holt-Winters forecasting
                using rrdtool (see Still
        Patch #SF3555843: With sufficient verbosity, report the default
                configuration file path. Patch from Andreas Schulze.
        BUILD: Fix bug #SF3531658: Move the strlcat() and strlcpy()
                implementations to their own library so that programs don't
                drag in crypto and other dependencies they don't need.
                Also clean up several other unnecessary dependencies imposed
                by imprecise use of autoconf. Problem noted by Andreas
        BUILD: Patch #SF3555845: Add support for older versions of libcurl.
                Based on a patch by Andreas Schulze.
        BUILD: Install non-user things in sbin instead of bin. Suggested
                by Andreas Schulze.
        LIBOPENDKIM: Feature request #SF3565006: Add dkim_add_querymethod()
                and dkim_sig_seterror(), define DKIM_CBSTAT_DEFAULT, and
                remove an assertion in dkim_get_key_dns(), which together
                allow for applications to develop non-standard key retrieval
                mechanisms. Suggestion and patches from Ken Murchison.
        LIBOPENDKIM: Fix bug #SF3559080: Log correct domains and selectors
                with SSL errors.
        LIBOPENDKIM: Add DNS functions dkim_dns_config(), dkim_dns_init(),
                dkim_dns_nslist(), dkim_dns_set_init(), dkim_dns_set_close(),
                dkim_dns_set_nslist(), dkim_dns_set_config(),
                dkim_dns_set_trustanchor(), dkim_dns_trustanchor().
        LIBOPENDKIM: Patch #SF3562496: Add DKIM_OPTS_REQUIREDHDRS to allow
                alteration of the mandatory header field set. Patch from
                Ken Murchison.
        LIBOPENDKIM: If "q=" is present and method "dns" is specified, it
                must be followed by "/txt", per RFC6376.
        LIBOPENDKIM: For dkim_add_xtag(), copy the provided values so the
                caller doesn't have to keep them around.
        LIBOPENDKIM: Allow dual signing of a single body with dkim_resign().
                Suggested by Ken Murchison.
        STATS: Fix bug #SF3555847: Add "--nocircles" to opendkim-gengraphs
                to allow operation with versions of gnuplot that don't know
                what "with circles" means. Problem noted by Andreas
        STATS: Patch #SF3555841: Temporary table SQL correction. Patch from
                Andreas Schulze.
        TOOLS: Feature request #SF3553918: Add "-u" flag to opendkim-atpszone
                and opendkim-genzone enabling them to produce output suitable
                for use as input to nsupdate(8). Based on a suggestion by
                Dave Crocker.
        TOOLS: Feature request #SF3558818: Teach opendkim-testkey about the new
                "ResolverConfiguration" setting. Based on a problem report
                from Patrick Ben Koetter.
        TOOLS: Fix bug #SF3565013: Replace opendkim-genkey with a perl script
                that knows how to do splitting of character-strings in DNS
                TXT records. Problem reported by Todd Lyons.
        TOOLS: Fix bug #SF3568846: Add "-t" to opendkim-testmsg to allow
                override of the directory where temporary files go. Also,
                clean up temporary files after creating them.
        TOOLS: Add opendkim-rephistory.

Please use the mailing lists at to report problems.
Bug reports and feature requests can be made through the project trackers,
which can be found via

The Trusted Domain Project
Received on Wed Oct 24 2012 - 20:48:49 PST
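
Added example, not part of the original announcement or of OpenDKIM's code: a stand-alone audit of published DKIM key records against the 1024-bit default that the SECURITY item and "MinimumKeyBits" describe, so undersized keys can be found before upgrading. The function names are hypothetical, the sample records are constructed around a synthetic modulus (not real keys), and the parser assumes "p=" carries a DER SubjectPublicKeyInfo or a bare RSAPublicKey.

```python
import base64

MIN_KEY_BITS = 1024  # default named in the announcement
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")  # rsaEncryption, NULL

def _tlv(buf, pos):
    """Parse one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def rsa_modulus_bits(der):
    """Modulus size of a SubjectPublicKeyInfo or bare RSAPublicKey blob."""
    _, start, _ = _tlv(der, 0)                  # outer SEQUENCE
    tag, v, end = _tlv(der, start)
    if tag == 0x30:                             # SPKI: AlgorithmIdentifier first
        _, v, end = _tlv(der, end)              # BIT STRING wrapping RSAPublicKey
        der = der[v + 1:end]                    # drop the unused-bits octet
        tag, v, end = _tlv(der, _tlv(der, 0)[1])
    if tag != 0x02:
        raise ValueError("modulus INTEGER not found")
    return int.from_bytes(der[v:end], "big").bit_length()

def check_key_record(txt, min_bits=MIN_KEY_BITS):
    """Return (bits, verdict) for the value of one DKIM key TXT record."""
    tags = {k.strip(): v.strip() for k, v in
            (t.split("=", 1) for t in txt.split(";") if "=" in t)}
    if tags.get("k", "rsa") != "rsa":
        return None, "skipped: not RSA"
    if not tags.get("p"):
        return None, "revoked: empty p="
    bits = rsa_modulus_bits(base64.b64decode("".join(tags["p"].split())))
    return bits, "ok" if bits >= min_bits else "below minimum"

def _der(tag, body):  # DER encoder, used only to build the constructed samples
    n, size = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def constructed_record(bits):
    """Constructed sample: valid SPKI framing around a synthetic modulus."""
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    rsa_key = _der(0x30, _der(0x02, modulus) + _der(0x02, b"\x01\x00\x01"))
    spki = _der(0x30, RSA_ALG_ID + _der(0x03, b"\x00" + rsa_key))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
```

Feed `check_key_record` the TXT value of each `selector._domainkey` record you publish; anything reported as "below minimum" would stop signing and verifying under the new default.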