trusteddomainproject / OpenARC

Open source ARC implementation
BSD 2-Clause "Simplified" License

Google fails to verify ARC #66

Open gizahNL opened 6 years ago

gizahNL commented 6 years ago

Wanted to write on mailing lists, unfortunately they are non-existent? (as per: http://www.trusteddomain.org/mailman/listinfo/ )

Using the same key to sign as is used to sign the DKIM headers, Google fails signature verification.

Built on FreeBSD 10.3:

openarc -V
openarc: OpenARC Filter v0.1.0
    Compiled with OpenSSL 1.0.1s-freebsd  1 Mar 2016
    SMFI_VERSION 0x1000001
    libmilter version 1.0.1
    libopenarc 0.1.0:

Using postfix, milters after Amavisd.

OpenARC config used:

cat /usr/local/etc/openarc/openarc.conf
AuthservID          heteigenwijsje.nl
Domain              heteigenwijsje.nl
KeyFile             /var/lib/dkim/heteigenwijsje.nl.pem
Mode                sv
PidFile             /var/run/openarc.pid
Selector            dkim
SignatureAlgorithm  rsa-sha256
Socket              inet:8899@localhost
SoftwareHeader      yes
Syslog              Yes
UserID              vscan:vscan

E-mail headers (replace with zzzomeone in case of gmail and gijsje in heteigenwijsje case):

Delivered-To: <PRIVATE>@gmail.com
Received: by 10.28.28.136 with SMTP id c130csp768192wmc;
        Wed, 11 Oct 2017 08:02:42 -0700 (PDT)
X-Google-Smtp-Source: AOwi7QBd5q+jBZiZUwQwL4vDRWwgAw3BQf1REX91IrEIEJZ7s0HrgXCjc+x9C6l/Iy1HbH+VDpRt
X-Received: by 10.80.139.164 with SMTP id m33mr4924985edm.289.1507734162668;
        Wed, 11 Oct 2017 08:02:42 -0700 (PDT)
Return-Path: <<PRIVATE>@heteigenwijsje.nl>
Received: from smtp.heteigenwijsje.nl (smtp.heteigenwijsje.nl. [80.127.116.100])
        by mx.google.com with ESMTPS id 1si517428edw.461.2017.10.11.08.02.42
        for <<PRIVATE>@gmail.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 11 Oct 2017 08:02:42 -0700 (PDT)
Received-SPF: pass (google.com: domain of <PRIVATE>@heteigenwijsje.nl designates 80.127.116.100 as permitted sender) client-ip=80.127.116.100;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@heteigenwijsje.nl header.s=dkim header.b=o/sOgCmP;
       arc=fail (signature failed);
       spf=pass (google.com: domain of <PRIVATE>@heteigenwijsje.nl designates 80.127.116.100 as permitted sender) smtp.mailfrom=<PRIVATE>@heteigenwijsje.nl;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=heteigenwijsje.nl
Received: from mailserv.heteigenwijsje.nl (localhost [127.0.0.1]) by smtp.heteigenwijsje.nl (Postfix) with ESMTP id 63DAA34794 for <<PRIVATE>@gmail.com>; Wed, 11 Oct 2017 17:02:40 +0200 (CEST)
ARC-Filter: OpenARC Filter v0.1.0 smtp.heteigenwijsje.nl 63DAA34794
Authentication-Results: heteigenwijsje.nl; arc=none header.d=heteigenwijsje.nl
ARC-Seal: i=1; a=rsa-sha256; d=heteigenwijsje.nl; s=dkim; t=1507734160; cv=none; b=dY5tKxOhqF/8KUsb3Bo7REygUiejdMtF+iC24oBjojTN2A6VHKyWw/o2jto9jhKnjimSmpYdNhdc2rGP7S+F1InghCkPGufk2iiZ/rrv/iKNgNc0LlJRQdudn0P+B/ZWat2HnGHn8CMqvIpbKpidcXYOmj51IPYwQSE5tmwCNmM=
ARC-Message-Signature: i=1; a=rsa-sha256; d=heteigenwijsje.nl; s=dkim; t=1507734160; c=relaxed/simple; bh=g3zLYH4xKxcPrHOD18z9YfpQcnk/GaJedfustWU5uGs=; h=DKIM-Signature:X-Virus-Scanned:Received:Received:To:From:Subject:
     Message-ID:Date:User-Agent:MIME-Version:Content-Type:
     Content-Transfer-Encoding:Content-Language; b=TRFkzksm2fVytyzdFNm4Up78OtNBDPf0sgNWo1pgkZECKwH+tsAXuj730I4ghUVEAv7WkTpV7BQBI3PoQqLwiX9ljUJOHDMcYFR+AQAxxE4+MHPVHV/xzyqWwzXxIH2TafWEYqVN9Wbcq3lk/Bmru+JG1SAhqefhh4w1U5OHeiM=
ARC-Authentication-Results: i=1; heteigenwijsje.nl; none
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=heteigenwijsje.nl; s=dkim; t=1507734160; bh=g3zLYH4xKxcPrHOD18z9YfpQcnk/GaJedfustWU5uGs=; h=To:From:Subject:Date; b=o/sOgCmPW6NaUTLVY7GV1AD6+hT4PNzeSWU6piwJJBEcD242lA0VAHBkvPwoa0kMK
     N8DIWqhmiO9X7wWdespboQi8nzRFVZ6mYybDecWeR/SIg0cls7bZYzjYl8yAKOXxso
     WnoKzyGThXM+tiexss4HEkHTSXtl4Yo9OuDRYsHY=
X-Virus-Scanned: amavisd-new at mailserv.heteigenwijsje.nl
Received: from smtp.heteigenwijsje.nl ([127.0.0.1]) by mailserv.heteigenwijsje.nl (mailserv.heteigenwijsje.nl [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id N7iioL2bFyX7 for <<PRIVATE>@gmail.com>; Wed, 11 Oct 2017 17:02:30 +0200 (CEST)
Received: from [IPv6:2001:984:a1fc:1:bc4f:29a2:28ba:ef40] (unknown [IPv6:2001:984:a1fc:1:bc4f:29a2:28ba:ef40]) by smtp.heteigenwijsje.nl (Postfix) with ESMTPSA id 742DB34789 for <<PRIVATE>@gmail.com>; Wed, 11 Oct 2017 17:02:30 +0200 (CEST)
To: <PRIVATE>@gmail.com
From: Gijs Peskens <<PRIVATE>@heteigenwijsje.nl>
Subject: test123
Message-ID: <fbe3955d-5fe5-e2bd-f9e6-bfdd2e28b2f1@heteigenwijsje.nl>
Date: Wed, 11 Oct 2017 17:02:30 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Content-Language: en-US

test

kurta commented 6 years ago

Using your sample message and running it through dkimpy shows that the signatures do not validate:

DEBUG:dkimpy:ams sig[1]: {'a': 'rsa-sha256', 'c': 'relaxed/simple', 'b': 'TRFkzksm2fVytyzdFNm4Up78OtNBDPf0sgNWo1pgkZECKwH+tsAXuj730I4ghUVEAv7WkTpV7BQBI3PoQqLwiX9ljUJOHDMcYFR+AQAxxE4+MHPVHV/xzyqWwzXxIH2TafWEYqVN9Wbcq3lk/Bmru+JG1SAhqefhh4w1U5OHeiM=', 'd': 'heteigenwijsje.nl', 'i': '1', 'h': 'DKIM-Signature:X-Virus-Scanned:Received:Received:To:From:Subject: Message-ID:Date:User-Agent:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-Language', 'bh': 'g3zLYH4xKxcPrHOD18z9YfpQcnk/GaJedfustWU5uGs=', 's': 'dkim', 't': '1507734160'}
DEBUG:dkimpy:body hashed: 'test\r\n'
DEBUG:dkimpy:bh: g3zLYH4xKxcPrHOD18z9YfpQcnk/GaJedfustWU5uGs=
DEBUG:dkimpy:signed for ARC-Message-Signature: 'dkim-signature:v=1; a=rsa-sha256; c=simple/simple; d=heteigenwijsje.nl; s=dkim; t=1507734160; bh=g3zLYH4xKxcPrHOD18z9YfpQcnk/GaJedfustWU5uGs=; h=To:From:Subject:Date; b=o/sOgCmPW6NaUTLVY7GV1AD6+hT4PNzeSWU6piwJJBEcD242lA0VAHBkvPwoa0kMK N8DIWqhmiO9X7wWdespboQi8nzRFVZ6mYybDecWeR/SIg0cls7bZYzjYl8yAKOXxso WnoKzyGThXM+tiexss4HEkHTSXtl4Yo9OuDRYsHY=\r\nx-virus-scanned:amavisd-new at mailserv.heteigenwijsje.nl\r\nreceived:from [IPv6:2001:984:a1fc:1:bc4f:29a2:28ba:ef40] (unknown [IPv6:2001:984:a1fc:1:bc4f:29a2:28ba:ef40]) by smtp.heteigenwijsje.nl (Postfix) with ESMTPSA id 742DB34789 for <PRIVATE>@gmail.com; Wed, 11 Oct 2017 17:02:30 +0200 (CEST)\r\nreceived:from smtp.heteigenwijsje.nl ([127.0.0.1]) by mailserv.heteigenwijsje.nl (mailserv.heteigenwijsje.nl [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id N7iioL2bFyX7 for < zzzomeone@gmail.com>; Wed, 11 Oct 2017 17:02:30 +0200 (CEST)\r\nto:@gmail.com\r\nfrom:Gijs Peskens <@ heteigenwijsje.nl>\r\nsubject:test123\r\nmessage-id:< fbe3955d-5fe5-e2bd-f9e6-bfdd2e28b2f1@heteigenwijsje.nl>\r\ndate:Wed, 11 Oct 2017 17:02:30 +0200\r\nuser-agent:Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0\r\nmime-version:1.0\r\ncontent-type:text/plain; charset=utf-8\r\ncontent-transfer-encoding:7bit\r\ncontent-language:en-US\r\narc-message-signature:i=1; a=rsa-sha256; d=heteigenwijsje.nl; s=dkim; t=1507734160; c=relaxed/simple; bh=g3zLYH4xKxcPrHOD18z9YfpQcnk/GaJedfustWU5uGs=; h=DKIM-Signature:X-Virus-Scanned:Received:Received:To:From:Subject: Message-ID:Date:User-Agent:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-Language; b='
DEBUG:dkimpy:ARC-Message-Signature valid: False
DEBUG:dkimpy:ams valid: False
DEBUG:dkimpy:as sig[1]: {'a': 'rsa-sha256', 'b': 'dY5tKxOhqF/8KUsb3Bo7REygUiejdMtF+iC24oBjojTN2A6VHKyWw/o2jto9jhKnjimSmpYdNhdc2rGP7S+F1InghCkPGufk2iiZ/rrv/iKNgNc0LlJRQdudn0P+B/ZWat2HnGHn8CMqvIpbKpidcXYOmj51IPYwQSE5tmwCNmM=', 'd': 'heteigenwijsje.nl', 'i': '1', 's': 'dkim', 't': '1507734160', 'cv': 'none'}
DEBUG:dkimpy:signed for ARC-Seal: 'arc-authentication-results:i=1; heteigenwijsje.nl; none\r\narc-message-signature:i=1; a=rsa-sha256; d= heteigenwijsje.nl; s=dkim; t=1507734160; c=relaxed/simple; bh=g3zLYH4xKxcPrHOD18z9YfpQcnk/GaJedfustWU5uGs=; h=DKIM-Signature:X-Virus-Scanned:Received:Received:To:From:Subject: Message-ID:Date:User-Agent:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-Language; b=TRFkzksm2fVytyzdFNm4Up78OtNBDPf0sgNWo1pgkZECKwH+tsAXuj730I4ghUVEAv7WkTpV7BQBI3PoQqLwiX9ljUJOHDMcYFR+AQAxxE4+MHPVHV/xzyqWwzXxIH2TafWEYqVN9Wbcq3lk/Bmru+JG1SAhqefhh4w1U5OHeiM=\r\narc-seal:i=1; a=rsa-sha256; d=heteigenwijsje.nl; s=dkim; t=1507734160; cv=none; b='
DEBUG:dkimpy:ARC-Seal valid: False
DEBUG:dkimpy:as valid: False
arc verification: cv=fail Most recent ARC-Message-Signature did not validate [{'as-domain': 'heteigenwijsje.nl', 'ams-selector': 'dkim', 'as-valid': False, 'instance': 1, 'ams-valid': False, 'as-selector': 'dkim', 'ams-domain': 'heteigenwijsje.nl', 'aar-value': 'i=1; heteigenwijsje.nl; none\r\n', 'cv': 'none'}]

--Kurt

gizahNL commented 6 years ago

You're right and I've been quite the idiot... Included an outdated file into the config because I copied from an outdated config....

Can confirm that using the right file now leads to correct validation by google if this is of any value ;)

andreasschulze commented 6 years ago

there /are/ mailing-lists: https://openarc.org

gizahNL commented 6 years ago

I wasn't aware, guess the README is outdated then ;)

Mailing lists discussing and supporting the ARC software found in this
package are maintained via a list server at trusteddomain.org.  Visit
http://www.trusteddomain.org to subscribe or browse archives.  The available
lists are:

xpunkt commented 6 years ago

<PRIVATE>@gmail.com hmm, imho a valid email, but possibly not your own :(

Use an example.org domain, not just a random gmail.com one.

mdomsch commented 6 years ago

I had to use this in my openarc.conf file: SignHeaders to,subject,message-id,date,from,mime-version,dkim-signature,arc-authentication-results

so that only those headers were included in the signature calculation. Then gmail validates the arc signature properly.

kurta commented 6 years ago

+Brandon

That's good info but not a bug in openARC 😀

--Kurt

blong42 commented 6 years ago

Another user signing on origination; he also posted on arc-discuss. openarc shouldn't allow arc-auth-res to be signed in the AMS.

It would be good to know which header being signed breaks things on the Gmail side.

Running through dkimpy or anything isn't going to help if you redact data that's in the signature.

mdomsch commented 6 years ago

The openarc.conf manpage says it will add all SHOULD headers per the RFC. Without a SignHeaders config line, it does not. Either the manpage is wrong or the code is wrong.

kurta commented 6 years ago

If it is signing Received headers (as implied in the arc-discuss thread) then I would suggest that the bug is how it behaves in the absence of explicit header signing configuration.

I'm not aware of anyone or any spec that suggests such behavior to be advisable.

--Kurt

mskucherawy commented 5 years ago

The code should follow the RFC, and I'll fix that, but that doesn't mean this should be failing. The same header field canonicalization code is applied regardless of which specific headers are being covered.

I'm going to see if I can work with our contact at Gmail to figure out which side has something wrong.

mskucherawy commented 5 years ago

Just to be clear: The code that does selection of header fields to sign should follow the RFC, but currently doesn't. I'll fix that. But apart from that, it shouldn't matter what header fields are getting signed, because they all get handled the same way.
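The two points made above, that the set of fields named in the h= list decides which bytes the signature covers (the SignHeaders discussion, and why a redacted copy of a message can never verify), and that every covered field goes through the same canonicalization regardless of which ones are chosen, can be seen directly with a small RFC 6376/8617 header-selection and canonicalization routine. The block below is an added example written for this page; it is not OpenARC's or dkimpy's code. The header block, the AMS value and the addresses in it are constructed, and the signature in b= is a placeholder. The only value taken from the issue is the bh= of the sample message, which dkimpy reported as the hash of the body 'test\r\n'.

```python
import base64
import hashlib
import re

# Constructed sample header block in message order (top to bottom): a folded
# Received line, a field we will not sign, a second Received line added by a
# later hop, and a Subject with sloppy whitespace.
SAMPLE_HEADERS = [
    ("Received", " from [192.0.2.10] (unknown [192.0.2.10])\r\n\tby smtp.example.org (Postfix) id AAA"),
    ("X-Virus-Scanned", " amavisd-new at mailserv.example.org"),
    ("Received", " from smtp.example.org ([127.0.0.1]) by mailserv.example.org id BBB"),
    ("To", " someone@example.org"),
    ("From", " Sender <sender@example.org>"),
    ("Subject", "   test123  "),
    ("Date", " Wed, 11 Oct 2017 17:02:30 +0200"),
]

# Constructed ARC-Message-Signature value; b= holds a placeholder, not a signature.
SAMPLE_AMS = ("i=1; a=rsa-sha256; d=example.org; s=dkim; c=relaxed/simple; "
              "bh=g3zLYH4xKxcPrHOD18z9YfpQcnk/GaJedfustWU5uGs=; "
              "h=Received:Received:To:From:Subject:Date; b=PLACEHOLDER==")


def relaxed_header(name, value):
    """RFC 6376 section 3.4.2 relaxed canonicalization of one field: lowercase
    the name, unfold, collapse runs of WSP to one SP, strip WSP around the
    colon and at the end of the value, terminate with CRLF."""
    value = value.replace("\r\n", "")          # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value)      # compress whitespace runs
    value = value.strip(" \t")
    return f"{name.lower()}:{value}\r\n"


def select_headers(headers, h_list):
    """Pick the fields named in h= the way RFC 6376 section 5.4.2 does: for
    each name take the lowest not-yet-used occurrence, so "Received:Received"
    covers the two bottom-most Received lines, and a name with no remaining
    occurrence contributes nothing."""
    remaining = list(headers)
    selected = []
    for wanted in h_list:
        for idx in range(len(remaining) - 1, -1, -1):
            if remaining[idx][0].lower() == wanted.lower():
                selected.append(remaining.pop(idx))
                break
    return selected


def signed_header_block(headers, h_list):
    """The canonicalized header text that the signature is computed over."""
    return "".join(relaxed_header(n, v) for n, v in select_headers(headers, h_list))


def header_hash(headers, ams_value):
    """SHA-256 over the selected fields followed by the AMS field itself with
    its b= value emptied and no trailing CRLF (what the signer signs and the
    verifier recomputes)."""
    h_list = re.search(r"\bh=([^;]*)", ams_value).group(1).split(":")
    stripped = re.sub(r"\bb=[^;]*", "b=", ams_value)
    data = signed_header_block(headers, h_list)
    data += relaxed_header("ARC-Message-Signature", stripped).rstrip("\r\n")
    return hashlib.sha256(data.encode()).hexdigest()


def simple_body_hash(body):
    """RFC 6376 section 3.4.3 simple body canonicalization (drop trailing
    empty lines, guarantee one final CRLF), then the base64 SHA-256 a bh= tag
    carries."""
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return base64.b64encode(hashlib.sha256(body).digest()).decode()


def redact(headers, secret, replacement="<PRIVATE>"):
    """Simulate pasting a message into a bug report with addresses redacted."""
    return [(n, v.replace(secret, replacement)) for n, v in headers]


if __name__ == "__main__":
    print(signed_header_block(SAMPLE_HEADERS, ["Received", "Received", "Subject"]))
    print("bh for b'test\\r\\n':", simple_body_hash(b"test\r\n"))
    redacted = redact(SAMPLE_HEADERS, "sender@example.org")
    print("hash survives redaction:",
          header_hash(SAMPLE_HEADERS, SAMPLE_AMS) == header_hash(redacted, SAMPLE_AMS))
```

Running it shows the selection walking upward from the bottom of the header block, the folded Received line collapsing to one line, and the Subject whitespace disappearing. Replacing an address in a signed field changes the header hash, which is the reason dkimpy cannot say anything useful about a redacted sample, while editing X-Virus-Scanned, which this h= list does not name, leaves the hash unchanged.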

mskucherawy commented 5 years ago

@mdomsch: Can you still reproduce this problem with Beta1? I sent a sample message, key, and signed message to a contact inside GMail and he said his results matched ours.

mdomsch commented 5 years ago

Beta1 lacks the patch from PR#100 and it's not a clean cherry-pick. Can I use develop HEAD at 824f49bf558f1f34712217a6687fc9e82c0938a5 instead?

gene-git commented 5 years ago

I'm still seeing this problem with Google failing ARC while echo@openarc.org says all is fine.

Code used: develop branch 20190808, commit 56b22d8.

Problem persists with or without SigningHeaders in the config file (as above); the headers which get signed are actually the same either way.

gene-git commented 5 years ago

Google Header has: Authentication-Results: mx.google.com; ... arc=fail (test pass); ..

dkim, dmarc and spf all pass ok according to google. Just ARC has the fail.

gene-git commented 5 years ago

User error: Google does this in test mode. Removing test mode, it works fine.