Database changes:
================
The table msg_ref has an additional flag "dnswl" in colum auth.  The diff is:

--- odbx_example-1.1.sql	2012-12-01 10:58:36.000000000 +0100
+++ odbx_example.sql	2013-03-21 12:31:36.000000000 +0100
@@ -30,7 +30,7 @@
   message_in INT UNSIGNED NOT NULL COMMENT 'Foreign key to message_in',
   domain INT UNSIGNED NOT NULL COMMENT 'Foreign key to domain',
   reputation INT NOT NULL,
-  auth SET ('author', 'spf_helo', 'spf', 'dkim', 'vbr', 'rep', 'rep_s') NOT NULL,
+  auth SET ('author', 'spf_helo', 'spf', 'dkim', 'vbr', 'rep', 'rep_s', 'dnswl') NOT NULL,
   vbr ENUM ('spamhaus', 'who_else') NOT NULL,
   INDEX by_dom_msg(domain, message_in)
 )
@@ -115,7 +115,7 @@
 CREATE PROCEDURE recv_from_domain (
 	IN m_mi INT UNSIGNED,
 	IN m_domain VARCHAR(63),
-	IN m_auth SET ('author', 'spf_helo', 'spf', 'dkim', 'vbr', 'rep', 'rep_s'),
+	IN m_auth SET ('author', 'spf_helo', 'spf', 'dkim', 'vbr', 'rep', 'rep_s', 'dnswl'),
 	IN m_vbr VARCHAR(63),
 	IN m_rep INT)
 	MODIFIES SQL DATA

The first hunk can be done in mysql by:

   ALTER TABLE msg_ref MODIFY COLUMN auth SET \
    ('author', 'spf_helo', 'spf', 'dkim', 'vbr', 'rep', 'rep_s', 'dnswl') \
     NOT NULL;

The second hunk, unless you use mysql-admin, requires SHOW CREATE PROCEDURE,
DROP PROCEDURE, and then CREATE PROCEDURE anew.


Config file changes:
===================
New options: trust_a_r and trusted_dnswl.  They have to be set according to the
ALLOW_EXCLUSIVE and BLACKLISTS settings in Courier esmtpd.  With that setup, it
is possible to whitelist SPF and ADSP.  In addition, the TXT record contains a
domain name that can be used for abuse reporting.  To use dnswl.org, I suggest
the following setup:

Courier esmtpd: (don't override BLOCK, get TXT records too --trailing comma)
BLACKLISTS="-allow=list.dnswl.org,DNSWL, -block=...
ALLOW_EXCLUSIVE=1

Courier bofh: (add allowok where relevant)
opt BOFHSPFMAILFROM=allowok,pass,none,neutral,softfail,unknown,error

zdkimfilter.conf: (trusted_dnswl has a default, just add trust_a_r)
trust_a_r

See the zdkimfilter.conf and couriertcpd man pages for details.


Another new option: add_auth_pass.  Internal mail is signed but not verified,
but with this new option one can still have an Authentication-Results, for
example to color unauthenticated messages:

   if (!/^Authentication-Results:.*=pass\b/:h)
   {
      KEYWORDS='nopass';
   }


Bug fixes:
=========
Database logging used to add entries in msg_ref with an empty auth column, for
example due to an unverified signature.  Now they are skipped.

dkimsign missed a --sender option, to allow specifying an envelope sender, for
database logging purposes.  Added.

