trusteddomainproject / OpenARC

Open source ARC implementation
BSD 2-Clause "Simplified" License

messages from o365: arc=fail #137

Open andreasschulze opened 3 years ago

andreasschulze commented 3 years ago

running HEAD of branch develop:

openarc: OpenARC Filter v1.0.0
        Compiled with OpenSSL 1.1.1i  8 Dec 2020
        SMFI_VERSION 0x1000001
        libmilter version 1.0.1
        libopenarc 1.0.0:

The milter is run with "Mode v" on an MX. Every message from o365 is marked with 'arc=fail'. Maybe an issue.

Any ideas?

relevant header:

Received: from EUR05-DB8-obe.outbound.protection.outlook.com (mail-db8eur05on2081.outbound.protection.outlook.com [40.107.20.81])
 (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "mail.protection.outlook.com", Issuer "GlobalSign Organization Validation CA - SHA256 - G3" (verified OK))
 by mta.receiver.example (Postfix) with ESMTPS id 4DGqjf5XCDz1Gb4
 for <XXXX@receiver.example>; Thu, 14 Jan 2021 17:37:41 +0100 (CET)
Authentication-Results: mta.receiver.example; dmarc=none (p=none dis=none) header.from=stst.de
Authentication-Results: mta.receiver.example; spf=pass smtp.mailfrom=XXXX@stst.de
Authentication-Results: mta.receiver.example; arc=fail smtp.remote-ip=40.107.20.81
Authentication-Results: mta.receiver.example;
 dkim=pass (1024-bit key; unprotected) header.d=swste.onmicrosoft.com header.i=@swste.onmicrosoft.com header.a=rsa-sha256 header.s=selector2-swste-onmicrosoft-com header.b=RtaNHNfD
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=DlNJoRG+zriTs4AG930U8Fzgo9ny4wzi9jEn/MhHUgr9LxfA2xtIkQJHu5HT/KE05325Cu8pqAaSXXJq7VAMxuAlCsVtIdIQHUwmnQkatuaOrs5co25fCU3tVY5OhbknKZ/YuykC73mQJArU5vZ5sotAIaHuQzHK8JAyD94OyLLtqkS/v5hBgzNoyLTGkkDcqMyTtWowhqgLO6IZ9WUjvEbqHG5s39DHSbKr01oh7OjJZTWaHlan5IdlW1E4BrWFXc2l0phxBh5hlmjI26tjhlgv9LlJpgbykJBye8tZmZIprgimJnz7Yn6ZqC0kjXr5/rvJHhzgks0apBAQRzc74Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=NWXmsPYtWK4+7WJuscr8l/Em3YKe7GnMl82R1b0lgx4=;
 b=Mo/4V2aVEnAA8DPO3xhNtwuQ3iOvQTEcNjeEo1VO0/A5W5zjp+bKQQjDQUWX/g6XJNcS8kDXURISmG1dWxM7A/o+FjisZqN9mNSO7msB8Zyz3czZws3CBo3aWJpoiP+mJFZsuU66x9YvsMa37TtUAAUDdVuEaVvkda9j5KL9Ib0odfTt5xokOSYc1hy55hJHRUTuV9zH3yLe5DidrJaC/Zy+wIDstI0RTPuzwDExbyzuAYHUPblldk5i1J8kTmKyynefcRKPixplFdtgPVqOQRstsRQfHR0pYVZ3j8P2kk35gC5E0wWhxU0EiKh2bqnNtks9sRixmAtjbeJFdt47EA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
 smtp.mailfrom=stst.de; dmarc=pass action=none header.from=stst.de; dkim=pass
 header.d=stst.de; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=swste.onmicrosoft.com;
 s=selector2-swste-onmicrosoft-com;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=NWXmsPYtWK4+7WJuscr8l/Em3YKe7GnMl82R1b0lgx4=;
 b=RtaNHNfDVCe3Vbviiw28oeuW/NNd1GWADEL4d8nmHtSasoM3saL//z4tG7oFtzOs1uVI71jUhRoAmBP/u5KzVLv+j1N5P6K1jLbmCG5kLzWpDIFeeq1/a6sd+pnsnQ3VEpW34BPfXf1X9++kW16EzPZXhbZ29ugOOTScKOyobWk=
flowerysong commented 3 years ago

This is a known bug. It is fixed by https://github.com/trusteddomainproject/OpenARC/pull/121

andreasschulze commented 3 years ago

Thanks, I can confirm that #121 solves this problem. Messages from o365 are now marked with arc=pass.

andreasschulze commented 3 years ago

But messages sealed by OpenARC itself at another host still generate arc=fail.

andreasschulze commented 3 years ago

Or I'm creating the seal the wrong way...

abeverley commented 9 months ago

> But messages sealed by OpenARC itself at another host still generate arc=fail.

I've found that OpenARC does not verify correctly when the public key has a hash algorithm specified (h=). I found this when trying to verify my own messages. Could that be the problem you are experiencing?

The problem, as far as I can tell, is that msg->arc_hashtype is never set, which means that in arc_key_hashok() it never matches (or only matches the default value 0, which is SHA1).
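The key-record check described in the comment above, written out as an added Python example (this is not OpenARC's code). A DKIM/ARC key record may carry an h= tag listing the hash algorithms the key may be used with (RFC 6376 section 3.6.1); the verifier must take the hash algorithm from the signature's a= tag and compare it against that list. The example shows both the failure mode (hash type never taken from the signature, so it stays at its zero default) and the corrected check. The numeric hash-type values, the function names, and the sample signature and key records are this example's own assumptions, constructed here rather than taken from OpenARC or from the headers in the report.

```python
import re

# Hash types numbered the way a C implementation might keep them.  Index 0 is
# SHA-1, which is why a never-initialised hash type silently "matches" SHA-1.
# (Assumption for this example; the numbers are not OpenARC's.)
HASH_SHA1 = 0
HASH_SHA256 = 1
HASH_NAMES = {"sha1": HASH_SHA1, "sha256": HASH_SHA256}

# Constructed samples (not from the report): an ARC-Message-Signature using
# rsa-sha256, plus key records with and without an h= restriction.
SAMPLE_SIGNATURE = (
    "i=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=arcselector;\r\n"
    " h=From:Date:Subject:Message-ID; bh=c29tZSBib2R5IGhhc2ggdmFsdWUgaGVyZQ==;\r\n"
    " b=dGhpcyBpcyBub3QgYSByZWFsIHNpZ25hdHVyZQ=="
)
SAMPLE_KEY_SHA256_ONLY = "v=DKIM1; k=rsa; h=sha256; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"
SAMPLE_KEY_NO_H = "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"


def parse_tag_list(text):
    """Parse a DKIM/ARC tag=value list (RFC 6376 section 3.2) into a dict.

    Folding whitespace inside values is removed; a value may itself contain
    '=' (base64 padding), so split on the first '=' only.
    """
    tags = {}
    for item in text.split(";"):
        if "=" not in item:
            continue
        name, value = item.split("=", 1)
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def signature_hashtype(sig_tags):
    """Return the hash type named by the signature's a= tag, e.g. rsa-sha256."""
    algorithm = sig_tags.get("a", "").lower()
    if "-" not in algorithm:
        raise ValueError("a= tag must be <keytype>-<hashtype>: %r" % algorithm)
    hash_name = algorithm.split("-", 1)[1]
    if hash_name not in HASH_NAMES:
        raise ValueError("unsupported hash algorithm %r" % hash_name)
    return HASH_NAMES[hash_name]


def key_hashok(key_tags, hashtype):
    """Does the key record permit this hash?  An absent h= tag permits any hash."""
    permitted = key_tags.get("h")
    if permitted is None:
        return True
    names = [n for n in permitted.lower().split(":") if n]
    return any(HASH_NAMES.get(n) == hashtype for n in names)


def verify_hash_buggy(signature, key_record):
    """The failure mode from the comment: the hash type is never taken from the
    signature, so it keeps its zero default, which is SHA-1."""
    key_tags = parse_tag_list(key_record)
    hashtype = HASH_SHA1  # never set from the signature's a= tag
    return key_hashok(key_tags, hashtype)


def verify_hash_fixed(signature, key_record):
    """The same check with the hash type taken from the signature's a= tag."""
    sig_tags = parse_tag_list(signature)
    key_tags = parse_tag_list(key_record)
    return key_hashok(key_tags, signature_hashtype(sig_tags))


if __name__ == "__main__":
    for label, key in (("h=sha256", SAMPLE_KEY_SHA256_ONLY), ("no h=", SAMPLE_KEY_NO_H)):
        print("%-8s buggy=%s fixed=%s" % (
            label,
            verify_hash_buggy(SAMPLE_SIGNATURE, key),
            verify_hash_fixed(SAMPLE_SIGNATURE, key),
        ))
```

With the h=sha256 key record the uninitialised path rejects an rsa-sha256 signature while the corrected path accepts it; a key record without h= passes either way, which is why the bug only shows up for signers that publish a restricted key.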