trusteddomainproject / OpenARC

Open source ARC implementation
BSD 2-Clause "Simplified" License

OpenARC is (according to Zoho) creating a bad signature on outbound email #149

Open pcolmer opened 2 years ago

pcolmer commented 2 years ago

I'm trying to get ARC set up on a Mailman 3 server. I'm using Postfix as the MTA and OpenDKIM for the DKIM piece. As ARC sealing needs to happen after signatures, I've installed OpenARC rather than using the functionality in Mailman 3 (since the latter would result in sealing before signatures).

I've been sending and receiving emails from a Zoho Mail mailbox, partly because that seems to give me clearer headers, but the upshot is that Zoho claims that the ARC signature from OpenARC is invalid.

Delivered-To: philip.colmer@example.org
Received-SPF: pass (zohomail.com: domain of mm3.mailmanserver.org designates 1.2.3.4 as permitted sender) client-ip=1.2.3.4; envelope-from=test-bounces+philip.colmer=example.org@mm3.mailmanserver.org; helo=mm3.mailmanserver.org;
Authentication-Results: mx.zohomail.com;
    dkim=pass;
    spf=pass (zohomail.com: domain of mm3.mailmanserver.org designates 1.2.3.4 as permitted sender)  smtp.mailfrom=test-bounces+philip.colmer=example.org@mm3.mailmanserver.org;
    arc=fail (Bad Signature)
Return-Path: <test-bounces+philip.colmer=example.org@mm3.mailmanserver.org>
Received: from mm3.mailmanserver.org (mm3.mailmanserver.org [1.2.3.4]) by mx.zohomail.com
    with SMTPS id 1631693948316297.012328440533; Wed, 15 Sep 2021 01:19:08 -0700 (PDT)
Received: from ip-172-31-73-169.ec2.internal (localhost [127.0.0.1])
    by mm3.mailmanserver.org (Postfix) with ESMTP id 19513BE188
    for <philip.colmer@example.org>; Wed, 15 Sep 2021 08:19:07 +0000 (UTC)
Received: from sender4-op-o14.zoho.com (sender4-op-o14.zoho.com [5.6.7.8])
    by mm3.mailmanserver.org (Postfix) with ESMTPS id E359EBE180
    for <test@mm3.mailmanserver.org>; Wed, 15 Sep 2021 08:19:04 +0000 (UTC)
Received: from mail.zoho.com by mx.zohomail.com
    with SMTP id 1631693941000415.5911521326384; Wed, 15 Sep 2021 01:19:01 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; d=mm3.mailmanserver.org; s=mailman; t=1631693947;
    cv=pass; b=urGdgo09sdWNe34wp73i5U574X4dOX9FbdRDsl9qSnhUhdAVUoZz8tOvBzjfpsNdH/yR3Uda8xSYvUcPnnVhIuvi0Z/KsGcJZUa4WVDH6gulWpm1JyBbhCT/XJffpZt2ACYwBdk7yOyfLvQBbE5wl7GXRzo4TEkJjJW3s8jOvis=
ARC-Message-Signature: i=2; a=rsa-sha256; d=mm3.mailmanserver.org; s=mailman;
    t=1631693947; c=relaxed/relaxed;
    bh=va3kZuA+d2t6FVs1mZCgVTyums7zkMon0A4ipX0CjRc=;
    h=DKIM-Signature:Received:ARC-Message-Signature:
     ARC-Authentication-Results:DKIM-Signature:Received:Date:To:
     Message-Id:MIME-Version:Importance:User-Agent:X-Mailer:
     Message-ID-Hash:X-Message-ID-Hash:X-MailFrom:X-Mailman-Rule-Misses:
     X-Mailman-Version:Precedence:Subject:List-Id:Archived-At:
     List-Archive:List-Help:List-Owner:List-Post:List-Subscribe:
     List-Unsubscribe:From:Reply-To:Content-Type; b=JXx7yrXwqMPfjyY+eHexLBg/NoH8ChHg/bDDh5nvSQvWZailGF+uf1Z0nHGGe16nZ4IWpgEd8y6jXav3AoL2sogTGyqsCfNzUDV6b0YA/ZKaluRKevfzz3458K3mbx2Pck4Enzo38Lxpd096OYsYrz9yBM/fuG/jZcfTvqsFyOY=
ARC-Authentication-Results: i=2; mm3.mailmanserver.org; arc=pass smtp.remote-ip=5.6.7.8; dkim=pass (1024-bit key; unprotected) header.d=example.org header.i=philip.colmer@example.org header.a=rsa-sha256 header.s=zoho header.b=f3ZQXz+4; dkim-atps=neutral
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
    d=mm3.mailmanserver.org; s=mailman; t=1631693947;
    bh=va3kZuA+d2t6FVs1mZCgVTyums7zkMon0A4ipX0CjRc=;
    h=Date:To:Subject:List-Id:List-Archive:List-Help:List-Owner:
     List-Post:List-Subscribe:List-Unsubscribe:From:Reply-To:From;
    b=aiW9f6bb5tv+I61oeBOQbf2Av4xwNwGffNZpf0jXgHaypvw5GS0VyLDZqyJf2EK0+
     PwE6yG3MnlaUv+nWEG+lmutLjr/OH2tR7Vf2V5EuK46nq/LqDtdAtPkc7DYrcj4oEE
     DecGuZa2Cb8HkjJJ2KQ/iQGtWpGKGDvx/lbGKhK8=
Authentication-Results: mm3.mailmanserver.org; arc=pass smtp.remote-ip=5.6.7.8
Authentication-Results: mm3.mailmanserver.org;
    dkim=pass (1024-bit key; unprotected) header.d=example.org header.i=philip.colmer@example.org header.a=rsa-sha256 header.s=zoho header.b=f3ZQXz+4;
    dkim-atps=neutral
ARC-Seal: i=1; a=rsa-sha256; t=1631693942; cv=none;
    d=zohomail.com; s=zohoarc;
    b=cSIi0RrTbaYtyudF892rd3lPdworO50hkn7coJDzqgn7fq1vZ4NOI/OQ/vSQPI9+vYEvwhBjsaLDtasQH5O16z6nfYtU6qemnzsrtfZyoUP1YGS/CG4QvalD5bmh6OXfHKjjYvx4yikTfrjLpdkf7EAJ9zlqHHJmhzeeFJPsGy0=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc;
    t=1631693942; h=Content-Type:Date:From:MIME-Version:Message-ID:Subject:To;
    bh=m+YhmNhPpu9AVkALDlWzfYQa+CAFtWYFgPazJNTNIgQ=;
    b=gQgdcRXAhAvWQcaZxBw0qtXOifJktkmXRFX7bw3YqpCjfNx2b4NvrRyzB//HM/RQnZzsbVnF6Ztp/JGln8UEJ8qguiDrKVqjKn80vYplNrsiM4LKp7RHUofD/Q2eNZAwzYPb/+RsmqrDliosZPyGVVacwgWmPr+6+fH2W5ti4s8=
ARC-Authentication-Results: i=1; mx.zohomail.com;
    dkim=pass  header.i=example.org;
    spf=pass  smtp.mailfrom=philip.colmer@example.org;
    dmarc=pass header.from=<philip.colmer@example.org>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1631693942;
    s=zoho; d=example.org; i=philip.colmer@example.org;
    h=Date:From:To:Message-Id:Subject:MIME-Version:Content-Type;
    bh=m+YhmNhPpu9AVkALDlWzfYQa+CAFtWYFgPazJNTNIgQ=;
    b=f3ZQXz+4pyuRnh69wXYyajlwG8z4Y5Yi2VxHpPsiQs9yjhdjm5yj2f0wJIfEjxYp
    muGW5LUl9rHemvHWCa4Uy/Km6w9eW1mInqvGrsLklLPEVD6pNze5TiZJ8XOpvpC0AsN
    3apBPPKiixGKwERJk1nTK9EyaEwrWSMwm7SluGj0=
Date: Wed, 15 Sep 2021 09:19:00 +0100
To: "test" <test@mm3.mailmanserver.org>
Message-Id: <17be889a8f0.c600de7c81990.1652874657010482339@example.org>
MIME-Version: 1.0
Importance: Medium
User-Agent: Zoho Mail
X-Mailer: Zoho Mail
Message-ID-Hash: PDMAYDKPKC2XYR5FXGPWHGP5DXMY7N4Y
X-Message-ID-Hash: PDMAYDKPKC2XYR5FXGPWHGP5DXMY7N4Y
X-MailFrom: philip.colmer@example.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.4
Precedence: list
Subject: [Test] And testing after upgrading OpenARC code
List-Id: <test.mm3.mailmanserver.org>
Archived-At: <>
List-Archive: <>
List-Help: <mailto:test-request@mm3.mailmanserver.org?subject=help>
List-Owner: <mailto:test-owner@mm3.mailmanserver.org>
List-Post: <mailto:test@mm3.mailmanserver.org>
List-Subscribe: <mailto:test-join@mm3.mailmanserver.org>
List-Unsubscribe: <mailto:test-leave@mm3.mailmanserver.org>
From: Philip Colmer via Test <test@mm3.mailmanserver.org>
Reply-To: Philip Colmer <philip.colmer@example.org>
Content-Type: multipart/mixed; boundary="===============3602031680822028497=="
X-ZohoMail-DKIM: pass (identity @mm3.mailmanserver.org)

I've changed domains and IP addresses.

In /etc/openarc.conf, I've defined:

AuthservID           mm3.mailmanserver.org
Canonicalization     relaxed/simple
Domain               mm3.mailmanserver.org
KeyFile              <path to file>
OversignHeaders      From
PidFile              <path to file>
Selector             mailman
Socket               <path to socket>
Syslog               yes

I mostly followed the instructions I found at https://weber.fi.eu.org/blog/Informatique/openarc_with_postfix_on_debian_10.html?lang=en so I'm not sure if items like OversignHeaders are correct or not.

Edited to add:

Reading the man page for openarc.conf, I read this part for "OversignHeaders": "Note that listing a field name here and not listing it in the SignHeaders list is likely to generate invalid signatures." Since I wasn't defining anything for "SignHeaders", I've commented out the definition for "OversignHeaders", restarted OpenARC and sent another test. Unfortunately, Zoho still reports a "Bad Signature".

Edited: I've switched to the develop branch of OpenARC and incorporated the changes from https://github.com/trusteddomainproject/OpenARC/pull/145, https://github.com/trusteddomainproject/OpenARC/pull/141 and https://github.com/trusteddomainproject/OpenARC/pull/121. I've updated the headers above to reflect a test performed after changing the OpenARC code. Unfortunately, Zoho still says the signature is bad.

Edited: I've tried explicitly setting SignHeaders (with the line "SignHeaders to,subject,message-id,date,from,mime-version,dkim-signature,arc-authentication-results") but that didn't help either.
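The headers quoted in the issue carry two ARC sets: i=1 sealed by zohomail.com and i=2 sealed by mm3.mailmanserver.org. A receiver's "arc=fail (Bad Signature)" verdict can come from the ARC-Message-Signature (wrong bh=, wrong signed header set, wrong canonicalization) or from the ARC-Seal itself, and before suspecting the RSA operation a verifier checks the chain structure and the body hash. The script below is an added example written for this page, not OpenARC code and not something the issue author ran: it parses the ARC sets out of the header block above (b= values shortened, since no signature is verified here), runs the structural checks, confirms that the i=2 AMS bh= equals the bh= of the DKIM-Signature OpenDKIM added for the same domain, and recomputes bh= under both RFC 6376 body canonicalizations on a constructed sample body so a captured body can be compared against the tags in a real message.

```python
# Added example for this thread (not OpenARC code): ARC chain structure and bh= checks.
import base64, hashlib, re

# ARC and DKIM fields copied from the message in the issue above; b= values are
# shortened because this script checks structure and hashes, not RSA signatures.
ISSUE_HEADERS = """\
ARC-Seal: i=2; a=rsa-sha256; d=mm3.mailmanserver.org; s=mailman; t=1631693947;
    cv=pass; b=urGdgo09sdWNe34wp73i5U574X4dOX9FbdRDsl9qSnhUhdAVUoZz8tOvBzjfpsNdH
ARC-Message-Signature: i=2; a=rsa-sha256; d=mm3.mailmanserver.org; s=mailman;
    t=1631693947; c=relaxed/relaxed;
    bh=va3kZuA+d2t6FVs1mZCgVTyums7zkMon0A4ipX0CjRc=;
    h=DKIM-Signature:Received:ARC-Message-Signature:
     ARC-Authentication-Results:DKIM-Signature:Received:Date:To:
     Message-Id:MIME-Version:Importance:User-Agent:X-Mailer:
     Message-ID-Hash:X-Message-ID-Hash:X-MailFrom:X-Mailman-Rule-Misses:
     X-Mailman-Version:Precedence:Subject:List-Id:Archived-At:
     List-Archive:List-Help:List-Owner:List-Post:List-Subscribe:
     List-Unsubscribe:From:Reply-To:Content-Type; b=JXx7yrXwqMPfjyY+eHexLBg
ARC-Authentication-Results: i=2; mm3.mailmanserver.org; arc=pass smtp.remote-ip=5.6.7.8
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
    d=mm3.mailmanserver.org; s=mailman; t=1631693947;
    bh=va3kZuA+d2t6FVs1mZCgVTyums7zkMon0A4ipX0CjRc=;
    h=Date:To:Subject:List-Id:List-Archive:List-Help:List-Owner:
     List-Post:List-Subscribe:List-Unsubscribe:From:Reply-To:From;
    b=aiW9f6bb5tv+I61oeBOQbf2Av4xwNwGffNZpf0jXgHaypvw5GS0VyLDZqyJf2EK0+
ARC-Seal: i=1; a=rsa-sha256; t=1631693942; cv=none; d=zohomail.com; s=zohoarc;
    b=cSIi0RrTbaYtyudF892rd3lPdworO50hkn7coJDzqgn7fq1vZ4NOI
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc;
    t=1631693942; h=Content-Type:Date:From:MIME-Version:Message-ID:Subject:To;
    bh=m+YhmNhPpu9AVkALDlWzfYQa+CAFtWYFgPazJNTNIgQ=; b=gQgdcRXAhAvWQcaZxBw0qtXOifJk
ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass header.i=example.org
"""

def unfold(raw):
    # Join RFC 5322 folded continuation lines; returns [[name, value], ...].
    fields = []
    for line in raw.splitlines():
        if line[:1].isspace():
            fields[-1][1] += " " + line.strip()
        elif line:
            name, _, value = line.partition(":")
            fields.append([name.strip(), value.strip()])
    return fields

def tags(value):
    # Parse a "k=v; k=v" tag list; whitespace inside a value is insignificant (RFC 6376 3.2).
    pairs = (item.partition("=") for item in value.split(";"))
    return {k.strip(): re.sub(r"\s+", "", v) for k, eq, v in pairs if eq}

def arc_sets(fields):
    # Group ARC-Seal / ARC-Message-Signature / ARC-Authentication-Results by instance i=.
    kind = {"arc-seal": "AS", "arc-message-signature": "AMS", "arc-authentication-results": "AAR"}
    sets = {}
    for name, value in fields:
        if name.lower() in kind:
            t = tags(value)
            sets.setdefault(int(t["i"]), {})[kind[name.lower()]] = t
    return sets

def check_chain(sets):
    # Structural checks a verifier makes before touching any signature; returns problems found.
    problems, inst = [], sorted(sets)
    if inst != list(range(1, len(inst) + 1)):
        problems.append(f"instances not contiguous from 1: {inst}")
    for i, s in sets.items():
        if missing := [k for k in ("AS", "AMS", "AAR") if k not in s]:
            problems.append(f"i={i} lacks {missing}")
            continue
        want = "none" if i == 1 else "pass"          # cv=none only on the first seal
        if s["AS"].get("cv") != want:
            problems.append(f"i={i} ARC-Seal cv={s['AS'].get('cv')}, expected {want}")
        if "arc-seal" in s["AMS"].get("h", "").lower().split(":"):
            problems.append(f"i={i} AMS signs ARC-Seal, which RFC 8617 excludes from h=")
    return problems

def ams_bh_matches_dkim(fields, sets, i):
    # True if the AMS bh= of instance i equals the bh= of a DKIM-Signature with the same d=.
    ams = sets[i]["AMS"]
    return any(tags(v).get("d") == ams.get("d") and tags(v).get("bh") == ams.get("bh")
               for n, v in fields if n.lower() == "dkim-signature")

def canonicalize_body(body, canon):
    # RFC 6376 "simple" or "relaxed" body canonicalization of a CRLF-delimited body.
    lines = body.split("\r\n")
    if canon == "relaxed":                 # collapse WSP runs, strip trailing WSP per line
        lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in lines]
    while lines and lines[-1] == "":       # drop trailing empty lines
        lines.pop()
    if not lines:                          # empty body: a lone CRLF for simple, nothing for relaxed
        return "\r\n" if canon == "simple" else ""
    return "\r\n".join(lines) + "\r\n"

def body_hash(body, canon):
    # The bh= value (base64 of SHA-256) for the body under the given canonicalization.
    digest = hashlib.sha256(canonicalize_body(body, canon).encode()).digest()
    return base64.b64encode(digest).decode()

if __name__ == "__main__":
    fields = unfold(ISSUE_HEADERS)
    sets = arc_sets(fields)
    print("ARC instances:", sorted(sets), "problems:", check_chain(sets) or "none")
    print("i=2 AMS bh= matches the Mailman DKIM bh=:", ams_bh_matches_dkim(fields, sets, 2))
    sample = "List mail with trailing blanks   \r\n\r\n\r\n"   # constructed body, not from the issue
    for canon in ("simple", "relaxed"):
        print(f"{canon:7} bh={body_hash(sample, canon)}")
```

On the issue's headers the chain is structurally clean and the i=2 AMS bh= is identical to the bh= in the DKIM-Signature that OpenDKIM added for mm3.mailmanserver.org, so both signers hashed the same body. Note that the AMS carries c=relaxed/relaxed while the openarc.conf quoted above sets Canonicalization relaxed/simple; with the delivered body in hand, body_hash under both canonicalizations shows which one a bh= tag was actually computed over, and the sample body demonstrates how trailing whitespace makes the two differ. The script does no DNS lookup and no RSA check, so a clean result narrows the fault to the signature computation or the signed header set rather than ruling it out.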

rdemendoza commented 2 years ago

+1

abeverley commented 7 months ago

I'm also finding the same with Outlook.com. I've tried all the patches I can find, and it's still showing an ARC fail.

abeverley commented 7 months ago

Just to add that I've also just tried with Zoho, and that appears to be showing valid ARC signatures. That's with my locally-patched version of OpenARC though, so it's possible I've applied something that fixes the original problem.

@pcolmer @rdemendoza - are you still having problems with Zoho?