A completely different question: Is there anyone that has a working non-naive setup for ARC signing of mail list mail in mailman? I've tried both the built-in version but it was not usable in the version I tried for the case where there are several domains with different selectors and keys and where the outgoing mail also is DKIM-signed. This might be that the documentation is lacking but a very shallow look in the source gave me the impression that the implementation is limited to one domain which is not enough for my use case as I have lists in several domains.
I use DKIM on outgoing mail with a setup where each domain has its own keys and selectors. As discussed here earlier, the DKIM signature should be added before the ARC signature. I have tried to use rspamd after a tip here for this but without luck so far, but this is somewhat off topic for mailman although related of course. rspamd seems very good for other purposes and solves my other problems with greylisting, DKIM-signing and spam filtering. That said, ARC seems difficult to get to work for forwarded mails there also...
cheers // David
David Krantz writes:
A completely different question: Is there anyone that has a working non-naive setup for ARC signing of mail list mail in mailman?
Not in Mailman. As ARC was designed, that's not our job. ARC is intended to be implemented at the perimeter of the administrative domain. As an example, in a one-host domain, that would be the MTA. Mailman, by the nature of its communication with the outside world, lacks much of the information you would like your ARC implementation to have access to. The intent of the ARC module in Mailman is (1) proof of concept and (2) for single-host domains that don't have access to install a proper ARC implementation at the MTA level.
I use DKIM on outgoing mail with a setup where each domain has its own keys and selectors. As discussed here earlier, the DKIM signature should be added before the ARC signature.
I believe we have modules capable of DKIM-signing in the distribution (they are dependencies that get downloaded in the build process and I believe they get copied into the installation), but unlike ARC where we participated in the design and beta of the protocol, DKIM was already well-established so I'm sure it's not exposed in the configuration. I doubt that it's properly integrated. You'd need to write a new handler for it on the model of the ARC handlers.
I think you might also need to modify the ARC code to handle the appropriate selector and private key for each domain.