Closed lilmike closed 5 years ago
To be clear, the problem I seem to be having is that cv=none and gmail is reporting spf=softfail for hotmail.com. I think it's validating the arc since it has an arc seal at the top of the message from gmail, but I can't figure out where the spf=softfail is coming from. Example message is below:
From ai5hf@hotmail.com Wed Jul 17 10:15:56 2019
Delivered-To: ai5hf.lilmike@gmail.com
Received: by 2002:a2e:7f09:0:0:0:0:0 with SMTP id a9csp1202006ljd; Wed, 17 Jul 2019 10:15:56 -0700 (PDT)
X-Google-Smtp-Source: APXvYqzb4lYYZZrNzIUUgeYGU/EHYcvcd+DSRh6kWSHEp0PmV3SRNGStHPI01G3/TM4q/Dl4v5+Q
X-Received: by 2002:a17:90a:71ca:: with SMTP id m10mr46085736pjs.27.1563383756161; Wed, 17 Jul 2019 10:15:56 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1563383756; cv=pass; d=google.com; s=arc-20160816; b=p0+LPpMAjV9BeKquOZrXB6n5hSeCYOgv+jF/WyY4v2C2OvQQvwvdOWjLJVz2446pij r8DIEandUrnZrG5PCv0GZNLc5ouBVcnTfVfnDsKnfSb1TNOzSh1ioEor+qhqKxORLZ5P ExUs7rSc4kbYi543Ny779XBZbRs6Mfcg4tRYG+CTe82U7AAEIamxgXSa+Hr0HJOZUUQb FsPJcj/dzj2zLA2y5golSKpSJ14YEoRa+3hsZImWWRBpXJjTRbus+5Eg/uRVfEv7O9UW ZrhEBW5h4Y+t6m60AVzh+7+prYH4krtpjRyuyw9s3lEMf6kurSq9BTPkuveSwed8UKsa Tceg==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=mime-version:content-language:accept-language:message-id:date :thread-index:thread-topic:subject:to:from:dkim-signature :dmarc-filter:arc-filter; bh=80VYRslsZ1e1rlq34lmeYyaGa/H0IscT5OaWqqNglfI=; b=vuoSL0gja1MY+aGlhaHy/RRDLFP/ut5G3ct3SvXwNKkEgFr3Zd1E6IUbGziyoRODAo Zgcgl/7KZw6OZ0RGiwiCthZNQfKMLj/FD458JLW9IiflW6MyNc9z90FHBSNAEtq7UR6U JBwyKyx9/Y97MxsRshGlSg6pzNhnmQCQHAyMPNtzYj82DojjQGrYQiKNhF5xv3Vg6EdD KgJq4KDVtioyyBBARHwGI4PyszQ4VgEsM5jaCSfAKCmklhZq8DQksk6h2H2dOFuyJJlm v/dgMQHuqFHmcKwnnVHKd2x+ZDfrbGiGjbBipaX8f3T/K7YJelCHoaxlgvSk7KudtN9J gQmg==
ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@hotmail.com header.s=selector1 header.b=p9BzXCZy; arc=pass (i=1 dmarc=pass fromdomain=hotmail.comspf=pass); spf=softfail (google.com: domain of transitioning ai5hf@hotmail.com does not designate 2605:2700:0:3:a800:ff:fe9a:608c as permitted sender) smtp.mailfrom=ai5hf@hotmail.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=hotmail.com
Return-Path: ai5hf@hotmail.com
Received: from mtmail.mwtd.net (mtmail.mwtd.net. [2605:2700:0:3:a800:ff:fe9a:608c]) by mx.google.com with ESMTPS id c8si22925592pje.30.2019.07.17.10.15.55 for ai5hf.lilmike@gmail.com (version=TLS1_3 cipher=AEAD-AES256-GCM-SHA384 bits=256/256); Wed, 17 Jul 2019 10:15:56 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning ai5hf@hotmail.com does not designate 2605:2700:0:3:a800:ff:fe9a:608c as permitted sender) client-ip=2605:2700:0:3:a800:ff:fe9a:608c;
Authentication-Results: mx.google.com; dkim=pass header.i=@hotmail.com header.s=selector1 header.b=p9BzXCZy; arc=pass (i=1 dmarc=pass fromdomain=hotmail.comspf=pass); spf=softfail (google.com: domain of transitioning ai5hf@hotmail.com does not designate 2605:2700:0:3:a800:ff:fe9a:608c as permitted sender) smtp.mailfrom=ai5hf@hotmail.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=hotmail.com
Received: by mtmail.mwtd.net (Postfix, from userid 182) id A3C3A123CDE; Wed, 17 Jul 2019 17:15:54 +0000 (UTC)
Authentication-Results: mtmail.mwtd.net; dkim=pass (2048-bit key) header.d=hotmail.com header.i=@hotmail.com header.b=p9BzXCZy
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on mtmail.mwtd.net
X-Spam-Level:
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE,SPF_HELO_PASS,SPF_PASS,TVD_SPACE_RATIO autolearn=ham autolearn_force=no version=3.4.2
X-Spam-Virus: No
Received: from NAM04-BN3-obe.outbound.protection.outlook.com (mail-oln040092009032.outbound.protection.outlook.com [40.92.9.32]) by mtmail.mwtd.net (Postfix) with ESMTPS id 520DA121948 for blah@forwardme.email; Wed, 17 Jul 2019 17:15:49 +0000 (UTC)
ARC-Filter: OpenARC Filter v0.1.0 mtmail.mwtd.net 520DA121948
Authentication-Results: mtmail; arc=none
ARC-Seal: i=1; a=rsa-sha256; d=mtmail.mwtd.net; s=mtmail; t=1563383753; cv=none; b=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
ARC-Message-Signature: i=1; a=rsa-sha256; d=mtmail.mwtd.net; s=mtmail; t=1563383753; c=relaxed/simple; bh=80VYRslsZ1e1rlq34lmeYyaGa/H0IscT5OaWqqNglfI=; h=DMARC-Filter:DKIM-Signature:Received:Received:Received:From:To: Subject:Thread-Topic:Thread-Index:Date:Message-ID:Accept-Language: Content-Language:X-MS-Has-Attach:X-MS-TNEF-Correlator: x-clientproxiedby:x-incomingtopheadermarker: x-ms-exchange-messagesentrepresentingtype:x-tmn: x-microsoft-original-message-id:x-ms-publictraffictype: x-incomingheadercount:x-eopattributedmessage:x-microsoft-antispam: x-ms-traffictypediagnostic:x-microsoft-antispam-message-info: Content-Type:MIME-Version:X-OriginatorOrg: X-MS-Exchange-CrossTenant-Network-Message-Id: X-MS-Exchange-CrossTenant-originalarrivaltime: X-MS-Exchange-CrossTenant-fromentityheader: X-MS-Exchange-CrossTenant-id: X-MS-Exchange-Transport-CrossTenantHeadersStamped; b=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
ARC-Authentication-Results: i=1; mtmail; dmarc=pass (p=none dis=none) header.from=hotmail.comspf=pass smtp.mailfrom=ai5hf@hotmail.com; arc=none
DMARC-Filter: OpenDMARC Filter v1.3.2 mtmail.mwtd.net 520DA121948
Authentication-Results: mtmail; dmarc=pass (p=none dis=none) header.from=hotmail.com
Authentication-Results: mtmail; spf=pass smtp.mailfrom=ai5hf@hotmail.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hotmail.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=80VYRslsZ1e1rlq34lmeYyaGa/H0IscT5OaWqqNglfI=; b=p9BzXCZyu7NLdjms47cQnOjLC1AmIeUBZS2vLypwHPXTogB+xgYZcSW6FQ0DSO/wkITUfjvnpvPHEB5BofVfejcPBzgV06LsXd9RP5q7xAdwmvgqCqcR1GPiTdXJ8FS8m3opzGjw+07ZYl3KorQEkj4ks5/nxuSCZI4JuJxMsHolXdPYGhLn4wl9CHrqWtsHIKf699GCrbGS3A46JzUpawQmFxRdG2bN4iIqlZ9yX7dzPRPDdDtYUOgtkSd+zz3ee4qpL0tqUN9BJW3gAzOrVubcIMj3O+kNlAvFk5SauQHJVfGHnSyIYUg9LqoAiWB/L3EPvZTNaZi1lI8Bw/ohjA==
Received: from CO1NAM04FT010.eop-NAM04.prod.protection.outlook.com (10.152.90.57) by CO1NAM04HT242.eop-NAM04.prod.protection.outlook.com (10.152.91.153) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.2032.15; Wed, 17 Jul 2019 17:15:48 +0000
Received: from DM5PR2001MB0905.namprd20.prod.outlook.com (10.152.90.60) by CO1NAM04FT010.mail.protection.outlook.com (10.152.90.150) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.2052.18 via Frontend Transport; Wed, 17 Jul 2019 17:15:48 +0000
Received: from DM5PR2001MB0905.namprd20.prod.outlook.com ([fe80::54ac:4258:7994:9b21]) by DM5PR2001MB0905.namprd20.prod.outlook.com ([fe80::54ac:4258:7994:9b21%9]) with mapi id 15.20.2073.015; Wed, 17 Jul 2019 17:15:48 +0000
From: Michael Taboada ai5hf@hotmail.com
To: "blah@forwardme.email" blah@forwardme.email
Subject: test
Thread-Topic: test
Thread-Index: AQHVPMNGFUtRfk2fZUqTHzBDOlIlcg==
Date: Wed, 17 Jul 2019 17:15:48 +0000
Message-ID: DM5PR2001MB0905BFA69E8DE214BF54F485FCC90@DM5PR2001MB0905.namprd20.prod.outlook.com
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-clientproxiedby: CO2PR04CA0165.namprd04.prod.outlook.com (2603:10b6:104:4::19) To DM5PR2001MB0905.namprd20.prod.outlook.com (2603:10b6:3:e5::19)
x-incomingtopheadermarker: OriginalChecksum:C45FC7FDFD0902BDAB8AE2F6ED14E672B514501D470EC73CF1D3F5CCC53B3DDE;UpperCasedChecksum:47CC99E37B4D8918ECE72120E677725F1205ED978453D9CBC86022F052D36094;SizeAsReceived:7155;Count:46
x-ms-exchange-messagesentrepresentingtype: 1
x-tmn: [a7V0wL5qV8AcJPnpiXc8+b6OxeuqGG9RXzJyQ2jcf6IRozQ2KkpzbJxwKek36Sus]
x-microsoft-original-message-id: 20190717171544.GA3733@hotmail.com
x-ms-publictraffictype: Email
x-incomingheadercount: 46
x-eopattributedmessage: 0
x-microsoft-antispam: BCL:0;PCL:0;RULEID:(2390118)(5050001)(7020095)(20181119110)(201702061078)(5061506573)(5061507331)(1603103135)(2017031320274)(2017031323274)(2017031324274)(2017031322404)(1601125500)(1603101475)(1701031045);SRVR:CO1NAM04HT242;
x-ms-traffictypediagnostic: CO1NAM04HT242:
x-microsoft-antispam-message-info: QR4cqaHYzIrkC7WxiYAZ7s++jiyWEiGfLTS0swljLwCP+v+M3zPAVZQnL8gOu6bbreNIJD69cQhSKP5CPLNhFoRreHmtcpw4fNG19YyzLeMynBNtSnfJi2I+nPES/IlRT9VT4AN6o0+kkW3ZjAY2ZsF5d9+zMtTS+R3jE6hfxdujicIsHxhe2hZBkBr6V5w+
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="vkogqOf2sHV7VnPd"
MIME-Version: 1.0
X-OriginatorOrg: hotmail.com
X-MS-Exchange-CrossTenant-Network-Message-Id: ea579b40-1713-4f71-fbfe-08d70ada68cd
X-MS-Exchange-CrossTenant-originalarrivaltime: 17 Jul 2019 17:15:48.0137 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Internet
X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CO1NAM04HT242
Status: RO
Content-Length: 1061
Lines: 29

--vkogqOf2sHV7VnPd
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Disposition: inline

test! -Michael.
--vkogqOf2sHV7VnPd--
-Michael.
> To be clear, the problem I seem to be having is that cv=none
This is because signing is using the validation state from the first time you processed it:
Authentication-Results: mtmail; arc=none
This is based on the assumption that section 5 of RFC 7001 is reliably followed. Since you received this message from Google (which is a separate ADMD) you must remove old Authentication-Results headers with an authserv-id of mtmail before processing the message.
I'm not sure this is the most correct behaviour, but it is how it currently works.
> and gmail is reporting spf=softfail for hotmail.com. I think it's validating the arc since it has an arc seal at the top of the message from gmail, but I can't figure out where the spf=softfail is coming from.
This, on the other hand, is completely correct and has nothing to do with OpenARC. spf=softfail is the SPF result from Google (your server is not listed in hotmail.com's SPF record.) ARC does not affect SPF evaluation.
ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@hotmail.com header.s=selector1 header.b=p9BzXCZy; arc=pass (i=1 dmarc=pass fromdomain=hotmail.com spf=pass); spf=softfail (google.com: domain of transitioning ai5hf@hotmail.com does not designate 2605:2700:0:3:a800:ff:fe9a:608c as permitted sender) smtp.mailfrom=ai5hf@hotmail.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=hotmail.com
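The border step referred to above (RFC 7001 section 5: drop inbound Authentication-Results fields that carry your own authserv-id before any filter trusts them), as an added example that is not part of this thread or of OpenARC. The function names, the CRLF-delimited input and the sample message are assumptions made for the illustration.

```python
import re

# Constructed sample (CRLF line endings), modelled on headers quoted in this thread.
SAMPLE = (
    "Authentication-Results: mx.google.com; spf=softfail smtp.mailfrom=ai5hf@hotmail.com\r\n"
    "Authentication-Results: mtmail; arc=none\r\n"
    "ARC-Authentication-Results: i=1; mtmail; spf=pass smtp.mailfrom=ai5hf@hotmail.com; arc=none\r\n"
    "Authentication-Results: (border) MTMAIL 1;\r\n\tdkim=pass header.d=hotmail.com\r\n"
    "From: ai5hf@hotmail.com\r\n"
    "Subject: test\r\n"
    "\r\n"
    "test!\r\n"
)

_COMMENT = re.compile(r"\([^()]*\)")


def authserv_id(value):
    """Return the lower-cased authserv-id of an Authentication-Results field body."""
    v = re.sub(r"\r\n[ \t]+", " ", value)      # unfold continuation lines
    while _COMMENT.search(v):                  # strip comments, innermost first
        v = _COMMENT.sub(" ", v)
    head = v.split(";", 1)[0].split()          # "authserv-id [version]"
    return head[0].strip('"').lower() if head else ""


def strip_own_authres(raw, own_ids):
    """Drop Authentication-Results fields that claim one of own_ids.

    Header order is preserved. ARC-Authentication-Results fields are left
    alone: they are covered by the ARC signatures and are not what a
    filter reads as a prior local result.
    """
    own = {i.lower() for i in own_ids}
    head, sep, body = raw.partition("\r\n\r\n")
    kept, removed = [], []
    for field in re.split(r"\r\n(?![ \t])", head):   # one item per (folded) field
        name, _, value = field.partition(":")
        if name.strip().lower() == "authentication-results" and authserv_id(value) in own:
            removed.append(field)
        else:
            kept.append(field)
    return "\r\n".join(kept) + sep + body, removed


if __name__ == "__main__":
    cleaned, removed = strip_own_authres(SAMPLE, {"mtmail"})
    print(f"removed {len(removed)} field(s)")
    print(cleaned)
```

The message in this thread carries both `mtmail` and `mtmail.mwtd.net` as authserv-ids from the same host, so a real deployment would pass every identifier its filters stamp.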
cv=none is the proper status at i=1 (the only other acceptable value would be 'fail')
The explanation of Google's SPF check is correct. The presence of the Authentication-Results header doesn't matter.
--Kurt
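The cv values discussed above, checked against the structural rules a validator applies under RFC 8617 section 5.2 (instances run 1..N without gaps or repeats, i=1 carries cv=none, every later instance carries cv=pass), as an added example that is not OpenARC code. It checks structure only and verifies no signatures; the function names and the sample headers with placeholder b= values are assumptions.

```python
import re

# Constructed header block: the two ARC-Seal fields from the message in this
# thread, with the b= signature values replaced by placeholders.
HEADERS = (
    "ARC-Seal: i=2; a=rsa-sha256; t=1563383756; cv=pass; d=google.com;\r\n"
    " s=arc-20160816; b=PLACEHOLDER\r\n"
    "ARC-Seal: i=1; a=rsa-sha256; d=mtmail.mwtd.net; s=mtmail;\r\n"
    " t=1563383753; cv=none; b=PLACEHOLDER\r\n"
    "From: ai5hf@hotmail.com\r\n"
)


def arc_seals(headers):
    """Map instance number to cv for each ARC-Seal; None on a bad or repeated i=."""
    seals = {}
    for field in re.split(r"\r\n(?![ \t])", headers.strip()):
        name, _, value = field.partition(":")
        if name.strip().lower() != "arc-seal":
            continue
        tags = {}
        for tag in value.split(";"):
            key, _, val = tag.partition("=")   # first "=" only: b= may end in "=="
            if key.strip():
                tags[key.strip().lower()] = val.strip()
        inst = tags.get("i", "")
        if not inst.isdigit() or int(inst) in seals:
            return None
        seals[int(inst)] = tags.get("cv", "").lower()
    return seals


def chain_structure(headers):
    """Return 'none' (no chain), 'fail', or 'structure-ok' (signatures still unchecked)."""
    seals = arc_seals(headers)
    if seals is None:
        return "fail"
    if not seals:
        return "none"
    if sorted(seals) != list(range(1, max(seals) + 1)):
        return "fail"                          # gap in the instance sequence
    for inst, cv in seals.items():
        if cv != ("none" if inst == 1 else "pass"):
            return "fail"
    return "structure-ok"


if __name__ == "__main__":
    print(arc_seals(HEADERS), chain_structure(HEADERS))
```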
Ah, ok, so I was misreading the information about ARC. Thanks for the help guys. -Michael.
Hi,
When I test my openarc with postfix setup for forwarding mail by sending an email -- hotmail.com -> my mail server -> gmail.com, I get the following in the logs:
chain state forced to 0 due to prior result found
The header seems to have the validity set to none, and I'm not sure why. As far as I can tell the config is set up correctly and the dns records exist. All uncommented options in openarc.conf are below:
Domain mtmail.mwtd.net
KeyFile /etc/openarc/mtmail.private
Mode sv
PidFile /var/run/openarc/openarc.pid
Selector mtmail
Socket inet:8892@localhost
SoftwareHeader yes
Syslog Yes
Thanks for any help, -Michael.