trusteddomainproject / OpenARC

Open source ARC implementation
BSD 2-Clause "Simplified" License

ARC-Authentication-Results, openarc not working correctly, RHEL7 #164

Open wol4arishe opened 1 year ago

wol4arishe commented 1 year ago

Dear all,

Installed the openarc RPM on RHEL7. Sent a test mail from gmail.com. Unfortunately ARC-Authentication-Results shows the wrong result. No errors in the logs. If you have ideas, please help!

rpm -qa|grep openarc

openarc-1.0.0-0.1.Beta0.el7.x86_64
libopenarc-1.0.0-0.1.Beta0.el7.x86_64

Headers:

Authentication-Results: lsa-mx2.dmz.baltic.seb.net; dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: lsa-mx2.dmz.baltic.seb.net; spf=pass smtp.mailfrom=gmail.com
Authentication-Results: lsa-mx2.dmz.baltic.seb.net; arc=none smtp.client-ip=209.85.221.52
ARC-Seal: i=1; a=rsa-sha256; d=seb.ee; s=sebmail; t=1686037177; cv=none; b=I1htSuVMrX5iemDLKOg1ydh5nSDSVCQ7tjxFsjrDzt9HDfTKIkkPLFiahysFGkL9kvE7bmf+01PhSEGPUUcNLWMMlCMoawJbn1/GSh68+69KRw+vRHTq2LoHiCSllB9ezZ+8b1wnQxP/WH14j7VAOSrf1yk5CabccE04hf6j0f0=
ARC-Message-Signature: i=1; a=rsa-sha256; d=seb.ee; s=sebmail; t=1686037177; c=relaxed/simple; bh=9toZLEb80E64FHGFPxjhWaXZy/evVVoz/Y6G/YoH1Ds=; h=DKIM-Signature:MIME-Version:From:Date:Message-ID:Subject:To; b=idXx7z1WiHIRboZUsXPDxFwPCXK8/so98c7qFP6AOavnBJL4lCFau6s0It7k77pmP7eXSuvgNXD2Khxde0wgIK41zX92ukZgHzzn84Xe/Ofc6xpNeo5D3DGIRAemGHHOGeaaVZ63PauvaIkm6bHfi9/lGFgjMLTLSHJ+RV6BRGw=
ARC-Authentication-Results: i=1; hostname.domain.net; arc=none smtp.client-ip=209.85.221.52

Config:

cat /etc/openarc.conf

See openarc.conf(5) or /usr/share/doc/openarc-1.0.0/openarc.conf.sample for more

PidFile /var/run/openarc/openarc.pid
Syslog yes

Umask 002

UserID openarc:openarc
Socket inet:8894@localhost

After setting Mode to "sv", running

opendkim-genkey -D /etc/openarc -s key -d phx2.fedoraproject.org

and putting /etc/openarc

Mode sv
Canonicalization relaxed/simple

Canonicalization relaxed/relaxed

Domain xxx.ee

...Selector outmail

Selector sebmail

...KeyFile /etc/openarc/xxx.ee/default.private

KeyFile /etc/openarc/xxx.ee/sebmail.private
SignatureAlgorithm rsa-sha256

SignHeaders to,subject,message-id,date,from,mime-version,dkim-signature,arc-authentication-results
MilterDebug 6

Kind regards, Arturs Kornejevs

xpunkt commented 1 year ago

wol4arishe wrote on 2023-06-06 09:51:

SignHeaders to,subject,message-id,date,from,mime-version,dkim-signature,arc-authentication-results

remove dkim-signature and arc-authentication-results

don't sign headers that can be added later

and lastly don't dkim sign after arc-sign/arc-seal

order does matter

wol4arishe commented 1 year ago

@xpunkt Many thx for support!

Removed dkim-signature and arc-authentication-results as you recommended. Unfortunately the result is the same.

Authentication-Results: lsa-mx2.dmz.baltic.seb.net; dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: lsa-mx2.dmz.baltic.seb.net; spf=pass smtp.mailfrom=gmail.com
Authentication-Results: lsa-mx2.dmz.baltic.seb.net; arc=none smtp.client-ip=209.85.128.50
ARC-Seal: i=1; a=rsa-sha256; d=seb.ee; s=sebmail; t=1686054843; cv=none; b=PNKP38w++mBvv05iI5YVyuKNNHpUuyOEE4VTnWuxo/h8+mY8XJy1wGrBeEovSFOyXVatuCNvekiffXAec6Yv5Q4DPCEvTni6ho6UVApKXLG80gbYwtlZx09yR6s4DbBbcNw6I9d4VxBN4ya3Y/ElQk+HdMdSWjssOwAPIhYDwjM=
ARC-Message-Signature: i=1; a=rsa-sha256; d=seb.ee; s=sebmail; t=1686054843; c=relaxed/simple; bh=xl1eDZXXrgNYbI0T/nO7Dvx7tNOWFe7hyMlVtnZjgqo=; h=MIME-Version:From:Date:Message-ID:Subject:To; b=efvxtYpDHsdqnuMEZ5MPSx34J6r8G5sCr8jfiiV0jPUTM8Dwxz9GhQVdKMCs2VP76uM3GFCXBmjQPuGXpj1E7Kna6qSmsB0axPjdYbNIqH++seW8T7K+oJL6U65ovP5P4MI1yvYXJX7TYTGYo9b3dpRcF7SE4T0JqJeRjEGE/3U=
ARC-Authentication-Results: i=1; lsa-mx2.dmz.baltic.seb.net; arc=none smtp.client-ip=209.85.128.50

Maybe the problem is related to the DKIM, DMARC, OpenARC milter sequence in Postfix /etc/postfix/main.cf? Currently OpenARC is configured after DKIM and before DMARC:

8891 = opendkim, 8893 = opendmarc, 8894 = openarc

smtpd_milters = inet:localhost:8891, inet:127.0.0.1:8894, inet:127.0.0.1:8893

Kind regards, Arturs Kornejevs

futatuki commented 2 months ago

smtpd_milters = inet:localhost:8891, inet:127.0.0.1:8894, inet:127.0.0.1:8893

In the EOM (end of message) and EOH (end of header) milter protocol stages[1], Postfix calls milters in the order given in the smtpd_milters setting[2]. So the earlier milters cannot get the headers added by the later milters.

[1] libmilter/docs/overview.html in sendmail source (e.g. https://fossies.org/linux/sendmail/libmilter/docs/overview.html)
[2] Postfix before-queue Milter support https://www.postfix.org/MILTER_README.html

xpunkt commented 2 months ago

is lsa-mx2.dmz.baltic.seb.net trusted in all milters ?

are all local ips trusted in all milters ?

are all wan ips known by all milters ?

best order of your milters is correct, but trustness might fail in opendmarc, this is not a bug then, it's a config error so

for more help I need a sample email which I test in spamassassin with authres, I don't trust rspamd :=)

futatuki commented 2 months ago

The order should be opendkim -> opendmarc (because it depends on AR from opendkim) -> openarc (for AAR, depends on AR from opendkim and AR from opendmarc).

However the order described above is opendkim -> openarc -> opendmarc, thus openarc cannot get the results of opendmarc.
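
The ordering rule from the last comment, written as a check over an smtpd_milters value; this is an added example, not part of the thread or of OpenARC. The port-to-milter mapping and both milter lists use the values posted above; the function names are hypothetical.

```python
import re

# Port-to-milter mapping as posted in the thread.
PORT_TO_MILTER = {8891: "opendkim", 8893: "opendmarc", 8894: "openarc"}

# Dependencies per the last comment: each milter needs the
# Authentication-Results headers added by the milters listed for it.
NEEDS = {"opendmarc": ["opendkim"], "openarc": ["opendkim", "opendmarc"]}


def parse_milters(value):
    """Return milter names in call order from an smtpd_milters value."""
    names = []
    for item in re.split(r"[,\s]+", value.strip()):
        if not item:
            continue
        # Postfix inet endpoints are written inet:host:port.
        m = re.fullmatch(r"inet:.+:(\d+)", item)
        port = int(m.group(1)) if m else None
        # Endpoints with no known port (e.g. unix: sockets) keep their raw text.
        names.append(PORT_TO_MILTER.get(port, item))
    return names


def order_problems(value):
    """List every dependency that is called after the milter needing it."""
    order = parse_milters(value)
    pos = {name: i for i, name in enumerate(order)}
    problems = []
    for milter, deps in NEEDS.items():
        if milter not in pos:
            continue
        for dep in deps:
            if dep in pos and pos[dep] > pos[milter]:
                problems.append(f"{milter} runs before {dep}")
    return problems


# The setting posted in the thread, and the order recommended in the last comment.
POSTED = "inet:localhost:8891, inet:127.0.0.1:8894, inet:127.0.0.1:8893"
REORDERED = "inet:localhost:8891, inet:127.0.0.1:8893, inet:127.0.0.1:8894"

if __name__ == "__main__":
    for label, value in (("posted", POSTED), ("reordered", REORDERED)):
        print(label, parse_milters(value), order_problems(value) or "ok")
```
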