Does anyone have a working DKIM/ARC configuration?
I've configured a Mailman 3 server with Postfix and added OpenDKIM to the latter to provide the DKIM headers, and configured Mailman to provide the ARC headers.
However, in sending test messages to a mailbox hosted by Microsoft, I'm seeing a header like this:
ARC-Authentication-Results: i=2; mx.microsoft.com 1; spf=pass (sender ip is 1.2.3.4) smtp.rcpttodomain=destination.org smtp.mailfrom=mmserver.org; dmarc=bestguesspass action=none header.from=mmserver.org; dkim=test (signature was verified) header.d=mmserver.org; dkim=fail (signature did not verify) header.d=sender.org; arc=fail (47)
(I've changed the domains and IP address)
Manually sending an email from the server to the same external email address does give me an email with a valid DKIM header:
Authentication-Results: spf=pass (sender IP is 1.2.3.4) smtp.mailfrom=mmserver.org; destination.org; dkim=test (signature was verified) header.d=mmserver.org;destination.org; dmarc=bestguesspass action=none header.from=mmserver.org;compauth=pass reason=109
So I'm unclear as to where the problem may lie ...
Hence the question: does anyone have Mailman 3 + Postfix working successfully with DKIM and ARC?
Thanks.
Philip
Philip Colmer writes:
> However, in sending test messages to a mailbox hosted by Microsoft, I'm seeing a header like this:
We need *all* the relevant fields (all the DKIM signatures, all the ARC-* fields from both your server and Microsoft, and the From field, and if possible all the trace fields like Received) to figure out what's going on. The ARC-A-R header from Microsoft is complex, but here's what I guess is going on:
> ARC-Authentication-Results: i=2; mx.microsoft.com 1; spf=pass (sender ip is 1.2.3.4) smtp.rcpttodomain=destination.org
SPF is OK. rcpttodomain is not relevant.
> smtp.mailfrom=mmserver.org; dmarc=bestguesspass action=none header.from=mmserver.org;
I assume IP 1.2.3.4 reverse DNS to mmserver.org, so DMARC passes at this point (I'm assuming that the From: address is an @mmserver.org address, as the header.from parameter indicates). This is a spurious pass; it only works because you happened to send From: somebox@mmserver.org. Any other author domain will fail DMARC.
> dkim=test (signature was verified) header.d=mmserver.org;
This is mmserver.org's DKIM signature, presumably added after passing through Mailman, which passes.
> dkim=fail (signature did not verify) header.d=sender.org;
This is sender.org's DKIM signature, and it is expected to fail unless Mailman is configured in pure pass-through mode where it does not touch the body or any of the signed header fields. sender.org's DKIM signature may as well not be there for a conforming MTA (I assume Microsoft's does in this, I don't see any advantage to them in breaking DKIM).
> arc=fail (47)
I have no idea what went wrong, since you don't provide mmserver's ARC-* fields. This is saying that Microsoft couldn't validate something in the ARC-* fields provided by mmserver.org, or perhaps that Mailman failed to validate something at mmserver.org.
> Manually sending an email from the server to the same external email address does give me an email with a valid DKIM header:
The ARC-A-R field above appears to show the expected failure of the "pre-Mailman" DKIM signature and the expected success of the "post-Mailman" DKIM signature. DKIM does not appear to be a problem.
> Hence the question: does anyone have Mailman 3 + Postfix working successfully with DKIM and ARC?
DKIM is all over the place, working fine. Mailman ARC was tested, and passed, during the ARC development process at the IETF. I don't know offhand if anybody is using that combination now. If you own the MTA, we recommend doing ARC there if supported by the MTA (I think Postfix does). I'm glad to see Microsoft supporting it!
Steve
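How the ARC-Authentication-Results value walked through above breaks down per method, as an added example (not code from the thread): a small parser that pairs each result with its header.d domain and the receiver's comment. The header value is the redacted one from the first message; the function names are made up for this illustration.

```python
import re

COMMENT = re.compile(r"\(([^()]*)\)")   # RFC 8601 comments; nested ones are not handled

def split_top_level(value):
    """Split on ';' outside parentheses, since a comment may itself contain ';'."""
    parts, buf, depth = [], [], 0
    for ch in value:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth = max(depth - 1, 0)
        if ch == ";" and depth == 0:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]

def parse_authres(value):
    """Parse an Authentication-Results or ARC-Authentication-Results value."""
    parts = split_top_level(value)
    if not parts:
        raise ValueError("empty header value")
    instance = None
    m = re.fullmatch(r"i\s*=\s*(\d+)", parts[0])
    if m:                                  # only ARC-Authentication-Results has i=
        instance = int(m.group(1))
        parts = parts[1:]
    authserv_id = COMMENT.sub(" ", parts[0]).split()[0]
    results = []
    for part in parts[1:]:
        tokens = COMMENT.sub(" ", part).split()
        method, _, result = tokens[0].partition("=")
        results.append({
            "method": method,
            "result": result,
            "comment": " ".join(COMMENT.findall(part)),
            "props": dict(t.split("=", 1) for t in tokens[1:] if "=" in t),
        })
    return {"instance": instance, "authserv_id": authserv_id, "results": results}

def results_for(parsed, method):
    """(result, signing domain, comment) for every occurrence of one method."""
    return [(r["result"], r["props"].get("header.d"), r["comment"])
            for r in parsed["results"] if r["method"] == method]

# Header value as posted (already redacted by the poster) in the first message.
ARC_AR = ("i=2; mx.microsoft.com 1; spf=pass (sender ip is 1.2.3.4) "
          "smtp.rcpttodomain=destination.org smtp.mailfrom=mmserver.org; "
          "dmarc=bestguesspass action=none header.from=mmserver.org; "
          "dkim=test (signature was verified) header.d=mmserver.org; "
          "dkim=fail (signature did not verify) header.d=sender.org; arc=fail (47)")

if __name__ == "__main__":
    parsed = parse_authres(ARC_AR)
    print("instance", parsed["instance"], "reported by", parsed["authserv_id"])
    for method in ("spf", "dmarc", "dkim", "arc"):
        print(method, results_for(parsed, method))
```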
On Fri, 10 Sept 2021 at 14:52, Stephen J. Turnbull <stephenjturnbull@gmail.com> wrote:
> Philip Colmer writes:
>> However, in sending test messages to a mailbox hosted by Microsoft, I'm seeing a header like this:
> We need *all* the relevant fields (all the DKIM signatures, all the ARC-* fields from both your server and Microsoft, and the From field, and if possible all the trace fields like Received) to figure out what's going on.
I hadn't wanted to send too much information (initially, at least) if there was something obviously wrong and I appreciate your explanation of what I have shared.
>> dkim=fail (signature did not verify) header.d=sender.org;
> This is sender.org's DKIM signature, and it is expected to fail unless Mailman is configured in pure pass-through mode where it does not touch the body or any of the signed header fields. sender.org's DKIM signature may as well not be there for a conforming MTA (I assume Microsoft's does in this, I don't see any advantage to them in breaking DKIM).
I hadn't realised that "dkim=fail" applied to the original email that had been sent to Mailman 3, so that is a relief.
> DKIM is all over the place, working fine. Mailman ARC was tested, and passed, during the ARC development process at the IETF. I don't know offhand if anybody is using that combination now. If you own the MTA, we recommend doing ARC there if supported by the MTA (I think Postfix does). I'm glad to see Microsoft supporting it!
I will certainly have a go at adding OpenARC to our Postfix MTA.
Presumably I then (re)configure the [ARC] section in Mailman 3 to not be enabled?
Thanks again for the quick and detailed examination.
Regards
Philip
Philip Colmer writes:
> I hadn't wanted to send too much information (initially, at least) if there was something obviously wrong and I appreciate your explanation of what I have shared.
If you're worried about leaking sensitive configuration data or about the effort required to redact it, you'll have to make that judgment. But the full header from one email is not a burden.
> I hadn't realised that "dkim=fail" applied to the original email that had been sent to Mailman 3, so that is a relief.
Yeah, this is not easy to parse, and whether to remove "failed" DKIM signatures or not is somewhat controversial. The people who developed DKIM and its dependent protocols mostly say "keep it", and the standard is designed to make that harmless.
> I will certainly have a go at adding OpenARC to our Postfix MTA.
> Presumably I then (re)configure the [ARC] section in Mailman 3 to not be enabled?
That's right.
Steve
Here are the full headers from a new email. I've redacted the various domains and IP addresses but hopefully it all makes sense.
Received: from AM6EUR05HT027.eop-eur05.prod.protection.outlook.com (2603:10a6:10:2b0::12) by DB7P191MB0378.EURP191.PROD.OUTLOOK.COM with HTTPS via DU2PR04CA0157.EURPRD04.PROD.OUTLOOK.COM; Tue, 14 Sep 2021 07:13:02 +0000 ARC-Seal: i=2; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=fail; b=eb5egkxeCkJnvUpwA/HTQ6aYeCJfbfL3yRdCaAhD9aVMwhljOA6V9RhgWVkVHYRpf77BZvw4IztiAU8Y/sUAUAt7s3f77M4qZ37RzOIWktDkKknW8xFxsOQaJIOaxdWjE7L53F51JMmPlOIQ/RgvkIZyiN77GTCCoxhkayzZaL5O8Gc3Rop9kY90sBNRCi/B1DU1keJ45U+KBfnulEWGE3r2DJ9BrfI8WiQCYFIvR1Ryr0wY8uqQiWlitgbfprEl7mkDzR4x/tNUvowVDqltiedfrM3ML7+AHUW4PI2Ih78Uvv6T0+fZHVrRKCOyczU0S9RilRLxMlh+lEtr+Q9GGg== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=jmWFlJwqirfiVtLi98SrRrGA3zfBLMBC8UI7ReTsiOc=; b=n07Rdb5JFtRW5a+UmP0zCEJLks5YOE8ZLI6tzNU37BgF8rsqXy2K+Mj5N5742DMymdKnUnYF99nUp79v9BxwQX7EUt7mCXOlzjo//yR8QzV5mhqBroHoisznRxs70HzISZFDCwzMKgL1/BM6jIMVKWry9aTIt2Ii8ofS/Unw7coGBPccNtALvjJ585UUt2cVfIWPjVgt/ZPJ3d/RRsiao5Ot/Myhzyo3rHpl4nZHoxFDeWWK5kZ1Gy+hUxIqZWz9UswzX8K+i9OshilBicia/q/0RHpUCg1vNQsEIQYMRsNTDmvh+moPz2SVDhgLgJ7UOVjSMaO87T2DTacvEykjBg== ARC-Authentication-Results: i=2; mx.microsoft.com 1; spf=pass (sender ip is 1.2.3.4) smtp.rcpttodomain=destination.org smtp.mailfrom=mmserver.org; dmarc=bestguesspass action=none header.from=mmserver.org; dkim=test (signature was verified) header.d=mmserver.org; dkim=fail (signature did not verify) header.d=sender.org; arc=fail (47) Received: from AM6EUR05FT022.eop-eur05.prod.protection.outlook.com (2a01:111:e400:fc11::4b) by AM6EUR05HT027.eop-eur05.prod.protection.outlook.com (2a01:111:e400:fc11::306) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4500.18; Tue, 14 Sep 2021 07:13:02 +0000 Authentication-Results: spf=pass (sender IP is 1.2.3.4) smtp.mailfrom=mmserver.org; destination.org; dkim=fail (signature did not verify) 
header.d=sender.org;destination.org; dmarc=bestguesspass action=none header.from=mmserver.org;compauth=pass reason=109 Received-SPF: Pass (protection.outlook.com: domain of mmserver.org designates 1.2.3.4 as permitted sender) receiver=protection.outlook.com; client-ip=1.2.3.4; helo=mmserver.org; Received: from mmserver.org (1.2.3.4) by AM6EUR05FT022.mail.protection.outlook.com (10.233.240.168) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4500.18 via Frontend Transport; Tue, 14 Sep 2021 07:13:01 +0000 X-IncomingTopHeaderMarker: OriginalChecksum:C027C4C73C859E8BC4DD2D6EB0A2AFC55128E8E6AB569058BEFA2927BD59B759;UpperCasedChecksum:69084D51601C2F94765803933A8A1E513A3CE3B72501EEBE615F8404D9524BF9;SizeAsReceived:5583;Count:36 Received: from ip-172-31-73-169.ec2.internal (localhost [127.0.0.1]) by mmserver.org (Postfix) with ESMTP id 1EB91BDF09 for <philip@destination.org>; Tue, 14 Sep 2021 07:13:01 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=mmserver.org; s=mailman; t=1631603581; bh=jmWFlJwqirfiVtLi98SrRrGA3zfBLMBC8UI7ReTsiOc=; h=Date:To:Subject:List-Id:List-Archive:List-Help:List-Owner: List-Post:List-Subscribe:List-Unsubscribe:From:Reply-To:From; b=c1hpMtUIu4xFaJHhKlp9wvMuMchhYHt8jZhx7iR79DwnuFFRd/YbDd7AvspoQ4tkb ob4ZZRRsX8P0Aw3w2iOOEGVOu7cuJgeOCs3tyjFDb1yfo3GAsbvKeaRQPblbo6Oaob bUuo+5OY825Jdk2FoVAKrxqrkrC4q2OsFoVGFIAc= ARC-Seal: i=1; cv=none; a=rsa-sha256; d=mmserver.org; s=mailman; t=1631603580; b=MriwQYAoGLx6qYcQ3jvD1X6WZP2bfE7/esgXKfCV7gSfQcLpbd3iwiJVFBD+4TX3jfTcG tGL6iZ69TrW2A4QS9zn7j0WbZh0YuDea6OGe0SLqJz3vVsVQJXmiduZET4LVkZKWVOMsghR 2Bti7RMvNwok2WQzsKkOf+cXmUFDOcg= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=mmserver.org; s=mailman; t=1631603580; h=from : sender : reply-to : subject : date : message-id : to : cc : mime-version : content-type : content-transfer-encoding : content-id : content-description : resent-date : resent-from : resent-sender : resent-to : resent-cc : 
resent-message-id : in-reply-to : references : list-id : list-help : list-unsubscribe : list-subscribe : list-post : list-owner : list-archive; bh=3DIn1IpjU5aYg7foYX2PvB0NxFt3Yvxu7ufHWw90s3M=; b=fNNEcs1c31725Mfmd4md62MVMIRbGHfnDf3SHY+W5Yz+Cb5RTYJhCpoSA6VpFUSgeGEYT DsjJDpwSbXucdbc2ar1s2TcZpshXBtGb7XSxdJy3ZWpGJ+nZdX+OvBTz8OvtggE6W/W/+KH 41/BqNmfc1MKlWsJH+q0cdwChifyo2I= ARC-Authentication-Results: i=1; mmserver.org; dkim=pass header.d=sender.org header.i=@sender.org header.a=rsa-sha256 header.s=google header.b=xCTkYbMD; dkim-atps=neutral; arc=none; dmarc=pass (Used From Domain Record) header.from=sender.org policy.dmarc=none Authentication-Results-Original: mmserver.org; dkim=pass header.d=sender.org header.i=@sender.org header.a=rsa-sha256 header.s=google header.b=xCTkYbMD; dkim-atps=neutral; arc=none; dmarc=pass (Used From Domain Record) header.from=sender.org policy.dmarc=none Received: from mail-pl1-f173.google.com (mail-pl1-f173.google.com [209.85.214.173]) by mmserver.org (Postfix) with ESMTPS id 99732BDF09 for <test@mmserver.org>; Tue, 14 Sep 2021 07:12:58 +0000 (UTC) Received: by mail-pl1-f173.google.com with SMTP id n4so7551535plh.9 for <test@mmserver.org>; Tue, 14 Sep 2021 00:12:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sender.org; s=google; h=mime-version:from:date:message-id:subject:to; bh=3DIn1IpjU5aYg7foYX2PvB0NxFt3Yvxu7ufHWw90s3M=; b=xCTkYbMDUx+tagAdAlyZE+awc/wc1iCI/PWp0jeuJFDM23WMTGo24PJjUFfCV4DH5G fKko+n5wov5IKcBpjLvcmg2OGuOQPGAl1ATWtCbl+SgZD4LBWftNLVz3XxJq2IDxb3me WF+IHsh3nunXExR17sEQx12pbXPhGmmy3G8We7jrZOLVfX0oRZ8Y6QiY1ACetrQ/FlyZ /T4axvHlXsiceP6rr6HwvHdj8XN2NbjkXZF265tfc/l2EdVXyTJlnhxxuxXFGTcBIPN1 OZadmYo5Q8VCsg78leQDp8eBAATL9JwUmFUDhL2U8KCWKXCCQJ4qVKReEqJB4PK5l5hZ 4nmg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=3DIn1IpjU5aYg7foYX2PvB0NxFt3Yvxu7ufHWw90s3M=; 
b=4mwQclptSSJQVxNaNlxhXDyNREM5qDVMMr8a2AvZFBoVQ6k8z1B8bMkEZB5I32NRnR BNTQUy7XQ2rVx171IgoTC24RPcQvWAd0Eg9+1On7vaMG5bIsY90ED1oavJA5NQ2KVXXn vVLr7JcKg0fsuk/xoy9bzRCZ5D5nYGYE6dCPb20iTTInM2QaXQgpoCElv0PQ7N3lvLeL KXqrhDc9bMVqbYNmu7rIkdAI+N6iY0IB+mMF16GTSM6RlMOuthl1jEQP4QK/7ShupDIM DFWC4U1vdK0+LA5Ep0ajUzgRLAK0k6GqBa+MlOsTxaYCHfruFzVGMYLu+BGhvlK+auc0 J/SA== X-Gm-Message-State: AOAM530xf2FH9mmbMhx3lhbVy3KOURBUXCxFSudsrgoQ/IHguihpAlkq fdjxxPp3FZqmjlPEPCHf6YHBtWkKPAk7jmICOiu0mHBYPA28SvgG X-Google-Smtp-Source: ABdhPJx9DHXrQn1DY+0svX/d2C3cT/h78ckSVX6QV//8wP5/4oBzLKHy5TqrppqktHiH0uZ4L+MDNmPNm1KPNNzet1s= X-Received: by 2002:a17:90a:f192:: with SMTP id bv18mr472417pjb.134.1631603577579; Tue, 14 Sep 2021 00:12:57 -0700 (PDT) Date: Tue, 14 Sep 2021 08:12:48 +0100 Message-ID: <CAKTSSTiPRjknheqN7QbvEZAzscCyRePz4JvQB1fDa39xuShMSA@mail.gmail.com> To: test@mmserver.org Message-ID-Hash: ORMUWLHDNPOVZ24JYJ3PMESIUSRL7XCC X-Message-ID-Hash: ORMUWLHDNPOVZ24JYJ3PMESIUSRL7XCC X-MailFrom: philip.colmer@sender.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.4 Precedence: list Subject: [Test] How does your garden grow? 
List-Id: <test.mmserver.org> List-Help: <mailto:test-request@mmserver.org?subject=help> List-Owner: <mailto:test-owner@mmserver.org> List-Post: <mailto:test@mmserver.org> List-Subscribe: <mailto:test-join@mmserver.org> List-Unsubscribe: <mailto:test-leave@mmserver.org> From: Philip Colmer via Test <test@mmserver.org> Reply-To: Philip Colmer <philip.colmer@sender.org> Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-IncomingHeaderCount: 36 Return-Path: test-bounces+philip=destination.org@mmserver.org X-MS-Exchange-Organization-ExpirationStartTime: 14 Sep 2021 07:13:01.9563 (UTC) X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000 X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit X-MS-Exchange-Organization-Network-Message-Id: 8da823d6-328d-433c-6822-08d9774f16e0 X-EOPAttributedMessage: 0 X-EOPTenantAttributedMessage: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa:0 X-MS-Exchange-Organization-MessageDirectionality: Incoming X-MS-PublicTrafficType: Email X-MS-Exchange-Organization-AuthSource: AM6EUR05FT022.eop-eur05.prod.protection.outlook.com X-MS-Exchange-Organization-AuthAs: Anonymous X-MS-UserLastLogonTime: 9/14/2021 7:12:57 AM X-MS-Office365-Filtering-Correlation-Id: 8da823d6-328d-433c-6822-08d9774f16e0 X-MS-TrafficTypeDiagnostic: AM6EUR05HT027: X-MS-Exchange-EOPDirect: true X-Sender-IP: 1.2.3.4 X-SID-PRA: TEST@mmserver.org X-SID-Result: PASS X-MS-Exchange-Organization-PCL: 2 X-MS-Exchange-AtpMessageProperties: SA|SL X-MS-Exchange-Organization-SCL: 0 X-Microsoft-Antispam: BCL:0; X-OriginatorOrg: outlook.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 14 Sep 2021 07:13:01.8683 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: 8da823d6-328d-433c-6822-08d9774f16e0 X-MS-Exchange-CrossTenant-Id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa X-MS-Exchange-CrossTenant-AuthSource: AM6EUR05FT022.eop-eur05.prod.protection.outlook.com 
X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: Internet X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: 00000000-0000-0000-0000-000000000000 X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM6EUR05HT027 X-MS-Exchange-Transport-EndToEndLatency: 00:00:00.9874238 X-MS-Exchange-Processed-By-BccFoldering: 15.20.4500.018 X-Microsoft-Antispam-Mailbox-Delivery: abwl:0;wl:0;pcwl:0;kl:0;iwl:0;ijl:0;dwl:0;dkl:0;rwl:0;ucf:0;jmr:0;ex:0;auth:1;dest:I;ENG:(5062000283)(90000117)(91040095)(91044021)(91045095)(9050020)(9060116)(9100336)(5061607266)(5061608174)(4900116)(2008001114)(2008000189)(4920091)(6250099)(4950132)(4990091); MIME-Version: 1.0
I've started looking at OpenARC but the documentation is scarce and it isn't clear if the project is being maintained. My preference would be to stick with Mailman for ARC support if possible. I'm also trying to get Google's servers to accept the emails so that I can compare the headers, just in case it is a Microsoft issue ... but at the moment, Microsoft is accepting the emails and Google isn't :(
On 9/10/21 6:52 AM, Stephen J. Turnbull wrote:
> [SNIPPED] dkim=fail (signature did not verify) header.d=sender.org;
> This is sender.org's DKIM signature, and it is expected to fail unless Mailman is configured in pure pass-through mode where it does not touch the body or any of the signed header fields. sender.org's DKIM signature may as well not be there for a conforming MTA (I assume Microsoft's does in this, I don't see any advantage to them in breaking DKIM).
I'm troubleshooting a similar issue. Can you confirm/share how we set "pure pass-through mode" with Mailman3 to ensure it doesn't touch the body or signed header fields?
thanks!
matt
Matt Wilbur EFS via Mailman-users writes:
> I'm troubleshooting a similar issue. Can you confirm/share how we set "pure pass-through mode"
Set the body header, the body footer, the subject tag, and the subject serial number to empty or off. Note that "empty" means *empty*, if there are any non-graphic characters (SPC, TAB, etc) that can cause changes to signed portions of the message.
Set body-part filtering, HTML removal, and HTML-to-plain-text translation to off. (These will not be relevant if your test messages are all pure plain text.) Set failed DKIM signature removal to off (IIRC ARC signs these). There shouldn't be any failures in pass-through mode, but let's be sure.
> with Mailman3 to ensure it doesn't touch the body or signed header fields?
I think that's enough to guarantee the body and the normally signed header fields are not touched, but of course your MTA might be configured to sign other DKIM header fields (AFAIK that's very unusual though).
Steve
An update on what I've changed and what works and what still doesn't work ...
I've switched off the ARC/DKIM processing within Mailman 3. I've installed OpenARC as a second milter for Postfix, so all DKIM/ARC processing is now being done by Postfix.
If I send a test email manually from the Mailman 3 server to a test email address, it seems to be valid:
Delivered-To: philip.colmer@codelinaro.org Received-SPF: pass (zohomail.com: domain of mm3.lavasoftware.org designates 3.230.84.86 as permitted sender) client-ip=3.230.84.86; envelope-from=philip.colmer@mm3.lavasoftware.org; helo=mm3.lavasoftware.org; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of mm3.lavasoftware.org designates 3.230.84.86 as permitted sender) smtp.mailfrom=philip.colmer@mm3.lavasoftware.org; arc=pass (i=1 dmarc=pass fromdomain=mm3.lavasoftware.org) ARC-Seal: i=2; a=rsa-sha256; t=1631777446; cv=pass; d=zohomail.com; s=zohoarc; b=Sf9f7Vc4utokJHB/AhzIBiYUQABBaJmLA5x/oY3fq5yPXxuAW+a5qed5oCPJEHzwopQXN8u/4hzxFa3+8sXJC5tIYMiuG4dr9EyW+oxSMz6vveiiybchxVGMqw/i9gPT5CWT4Q6eHMdiu/3AsBXdwTBqHZy61y6OACk4BbpI8FA= ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1631777446; h=Date:From:Message-ID:Subject:To; bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=; b=BDNvyCqYEUnD61N5OAtR3W/67HOciIm0eLZdMB4aiigaRO8rlalyM5u5Y41ADg5GJl5gyE9LgkQxpGhQfDlTAD7NvEjsh/LGElk+Esxcf7LFxhRDc9i4MqZvgXu30boDquKFQrSJVZPlpoCY3wOLkKa0F6PKz9hKGLvx8OxweOk= ARC-Authentication-Results: i=2; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of mm3.lavasoftware.org designates 3.230.84.86 as permitted sender) smtp.mailfrom=philip.colmer@mm3.lavasoftware.org; arc=pass (i=1 dmarc=pass fromdomain=mm3.lavasoftware.org) Return-Path: <philip.colmer@mm3.lavasoftware.org> Received: from mm3.lavasoftware.org (mm3.lavasoftware.org [3.230.84.86]) by mx.zohomail.com with SMTPS id 1631777446561547.6433787962904; Thu, 16 Sep 2021 00:30:46 -0700 (PDT) Received: by mm3.lavasoftware.org (Postfix, from userid 1000) id 11CC0BE198; Thu, 16 Sep 2021 07:30:45 +0000 (UTC) ARC-Seal: i=1; a=rsa-sha256; d=mm3.lavasoftware.org; s=mailman; t=1631777445; cv=none; b=ld42BgcROQcdXFNd9MorNvDrjS/EDoFKRFfCJBolfRF3Cg093kCAD8/3lIf5E7v8/9I/qePgswN9BgLbbqxr1WvIlJBZP7aBdULMZ5NlfGDuR7q3TA14hWaaS2AFsYp6rVDPSuyBl8Nl86zHfWvNDsg8ZVkDQSDvy+2BMKKRkFY= 
ARC-Message-Signature: i=1; a=rsa-sha256; d=mm3.lavasoftware.org; s=mailman; t=1631777445; c=relaxed/relaxed; bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=; h=DKIM-Signature:To:Subject:X-Mailer:Message-Id:Date:From; b=SpnEUbFx9bzXUUvWy3symoTeZlDzDPhfcoPVsvHN1zlh3alvvADoi2/UUTRF0l+bX6Iagtgn8eswO9x4Z5YnJtak3bYqd2p59xf9oMswiUvR0piY4sVx3WEE5rqQMibRJrzBmQqTan2xsmOxpCmWSgbv2o+yI+CYg++5pXEDjC4= ARC-Authentication-Results: i=1; mm3.lavasoftware.org DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mm3.lavasoftware.org; s=mailman; t=1631777445; bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=; h=To:Subject:Date:From:From; b=VizzJTtzye+R1HGgm7JcpB/a/KqImAjxyDLUvLucTLiquO0xjwD1HCR6N8UXDpV5t nwNULTm0DhjyBrbZMs7jP0hTyS92PXOsIela2IypJUV3KGCagi4+ax6THHlkMgHNv3 zNnTDhTjJPUyGHKwBu9g4vT0SRaVV4VFuQGuBSBw= To: <philip.colmer@codelinaro.org> Subject: Testing X-Mailer: mail (GNU Mailutils 3.7) Message-Id: <20210916073045.11CC0BE198@mm3.lavasoftware.org> Date: Thu, 16 Sep 2021 07:30:45 +0000 (UTC) From: Ubuntu <philip.colmer@mm3.lavasoftware.org> X-ZohoMail-DKIM: pass (identity @mm3.lavasoftware.org) X-ZohoMail-Owner: <20210916073045.11CC0BE198@mm3.lavasoftware.org>+zmo_0_philip.colmer@mm3.lavasoftware.org
However, if I manually send an email from the Mailman 3 server to a list on the same server with the external email address as a subscriber to the list, the headers are no longer valid:
Delivered-To: philip.colmer@codelinaro.org Received-SPF: pass (zohomail.com: domain of mm3.lavasoftware.org designates 3.230.84.86 as permitted sender) client-ip=3.230.84.86; envelope-from=test-bounces+philip.colmer=codelinaro.org@mm3.lavasoftware.org; helo=mm3.lavasoftware.org; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of mm3.lavasoftware.org designates 3.230.84.86 as permitted sender) smtp.mailfrom=test-bounces+philip.colmer=codelinaro.org@mm3.lavasoftware.org; arc=fail (Bad Signature) Return-Path: <test-bounces+philip.colmer=codelinaro.org@mm3.lavasoftware.org> Received: from mm3.lavasoftware.org (mm3.lavasoftware.org [3.230.84.86]) by mx.zohomail.com with SMTPS id 1631778422868332.996514603768; Thu, 16 Sep 2021 00:47:02 -0700 (PDT) Received: from ip-172-31-73-169.ec2.internal (localhost [127.0.0.1]) by mm3.lavasoftware.org (Postfix) with ESMTP id A710EBDF0B for <philip.colmer@codelinaro.org>; Thu, 16 Sep 2021 07:47:01 +0000 (UTC) Received: by mm3.lavasoftware.org (Postfix, from userid 1001) id B116FBE198; Thu, 16 Sep 2021 07:46:59 +0000 (UTC) ARC-Seal: i=2; a=rsa-sha256; d=mm3.lavasoftware.org; s=mailman; t=1631778421; cv=none; b=Yj1zJeE+QqxFKwCi6Bmr4kGpoEAF3blzJEnimK/whxz9TJUQEzfTMTHV4i+ENdF79Bm++wJTSBfASZGxtLYWLjuf1WwIgs/CPmJI5vFLFpVvPIlCPzoUcKpZ2rPpanbI1w1ZD5R9L5TYqLKk2X0LBX8h+2m2lX12QPqTnDM/omI= ARC-Message-Signature: i=2; a=rsa-sha256; d=mm3.lavasoftware.org; s=mailman; t=1631778421; c=relaxed/relaxed; bh=7okxo56bDMUeGIn5d8B+1XloabAmDiswrokeAElWGvo=; h=DKIM-Signature:ARC-Message-Signature:ARC-Authentication-Results: Received:To:X-Mailer:Message-Id:Date:Message-ID-Hash: X-Message-ID-Hash:X-MailFrom:X-Mailman-Rule-Misses: X-Mailman-Version:Precedence:Subject:List-Id:Archived-At: List-Archive:List-Help:List-Owner:List-Post:List-Subscribe: List-Unsubscribe:From:Reply-To:MIME-Version:Content-Type: Content-Transfer-Encoding; 
b=nhhYvCuj3zPh1mEVm6BOlhNeekhBeKb2l9SIMRqZqGp8VYG6xYt8754K8qjULqn2r92Vzux1lFXqnaT0ezdGI3CADLN9jgB6NVZzZYZBigh3yAtNWlr4aT6m0wSDVUxfJbAaYFXDVLuDmzTEJfEWqPAzNmHOl7rXVqBN5FvMeow= ARC-Authentication-Results: i=2; mm3.lavasoftware.org DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mm3.lavasoftware.org; s=mailman; t=1631778421; bh=7okxo56bDMUeGIn5d8B+1XloabAmDiswrokeAElWGvo=; h=To:Date:Subject:List-Id:List-Archive:List-Help:List-Owner: List-Post:List-Subscribe:List-Unsubscribe:From:Reply-To:From; b=mLPHnhHmIOkzYTVq3NqBQepuvzC/Df3lKTYZCaB1bmpQ6PeOOz5g98HzbVVlpX9uw afblicz/ISDs131pgU1qvHQBzWq6lKQmMSwrJzZ49CCBeksfxA9tIq4mNv4DUu09io bMk/0uAgDSXs63mAXy6qw/JvXVTDgYMv00yZ+U2U= ARC-Seal: i=1; a=rsa-sha256; d=mm3.lavasoftware.org; s=mailman; t=1631778419; cv=none; b=SiDr6n4UWUHhjTPhxl06MHsElI9ZUTD8B7qLcGf1Kdfbek6OIbPt+DapUSRkRD20bKQXeCdh5O5RdhIZPOZYvYAOclMlOtyfJb5hKNTqO5hXrnVqJ0fiRMgbjQHIM2LKP4qfYVLMXkYHR7U8hNPuw2PqapiXgK8oSddP8JNMKVE= ARC-Message-Signature: i=1; a=rsa-sha256; d=mm3.lavasoftware.org; s=mailman; t=1631778419; c=relaxed/relaxed; bh=tm5RPPTfV2Opc+Qi0lNHW09jqu2Otv/5tnp8ODwYPGM=; h=To:Subject:X-Mailer:Message-Id:Date:From; b=QnXpv4s3JciqcxnUUoumLz3GrXOh20fXnyCprPzXm5mILfC5hCLhe8sCX7CQxbsl/gRDpvQuS0DpxezG3rdvtc7yofsJ+K/oPOMHFAjjNccvmF3MUTEdPrJ8S0qNU6AWl2ApT96fi2ZtgFsJeX2dcmhExpbOWhw6p5Ap/o1gbSA= ARC-Authentication-Results: i=1; mm3.lavasoftware.org To: <test@mm3.lavasoftware.org> X-Mailer: mail (GNU Mailutils 3.7) Message-Id: <20210916074659.B116FBE198@mm3.lavasoftware.org> Date: Thu, 16 Sep 2021 07:46:59 +0000 (UTC) Message-ID-Hash: XBBXTI6IJ6NHUBSN5LLI7DNXWE6IOFZI X-Message-ID-Hash: XBBXTI6IJ6NHUBSN5LLI7DNXWE6IOFZI X-MailFrom: pjctest@papillonpictures.co.uk X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.4 Precedence: list Subject: [Test] 
Direct test List-Id: <test.mm3.lavasoftware.org> Archived-At: <> List-Archive: <> List-Help: <mailto:test-request@mm3.lavasoftware.org?subject=help> List-Owner: <mailto:test-owner@mm3.lavasoftware.org> List-Post: <mailto:test@mm3.lavasoftware.org> List-Subscribe: <mailto:test-join@mm3.lavasoftware.org> List-Unsubscribe: <mailto:test-leave@mm3.lavasoftware.org> From: pjctest--- via Test <test@mm3.lavasoftware.org> Reply-To: pjctest@papillonpictures.co.uk MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-ZohoMail-DKIM: pass (identity @mm3.lavasoftware.org)
Note that I've had to use different "From" addresses in my testing because I cannot add a "local" email address (e.g. pjctest@mm3.lavasoftware.org) as a user to Mailman 3.
The Postfix configuration for the milters is:
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8892, unix:/var/run/openarc/openarc.sock
non_smtpd_milters = inet:localhost:8892, unix:/var/run/openarc/openarc.sock
I am completely stumped about this.
Regards
Philip
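A structural check of the ARC sets in the three header dumps in this thread, following the chain-structure rules of RFC 8617 section 5.2 (one of each ARC field per instance, cv=none only at i=1, cv=pass above it), plus a comparison of the bh= body hashes of adjacent sets; this is an added example, not code from the thread. The samples are constructed: they keep the instance numbers, d= domains, cv= values and the equal-or-different pattern of bh= posted above, with placeholder bh= and b= values, and nothing is verified cryptographically.

```python
import re
from collections import defaultdict

ARC_FIELDS = ("arc-seal", "arc-message-signature", "arc-authentication-results")

def tags(value):
    """Parse the 'tag=value; tag=value' list used by DKIM and ARC fields."""
    out = {}
    for item in value.split(";"):
        name, sep, val = item.partition("=")
        if sep:
            out[name.strip().lower()] = re.sub(r"\s+", "", val)
    return out

def arc_sets(headers):
    """Group ARC fields by instance: {i: {field: [tags, ...]}}; key 0 = no valid i=."""
    sets = defaultdict(lambda: defaultdict(list))
    for name, value in headers:
        if name.lower() in ARC_FIELDS:
            t = tags(value)
            i = t.get("i", "")
            sets[int(i) if i.isdecimal() else 0][name.lower()].append(t)
    return sets

def structure_problems(headers):
    """Violations of the RFC 8617 section 5.2 structure rules; empty list = none."""
    sets = arc_sets(headers)
    problems = ["ARC field without a valid i= tag"] if 0 in sets else []
    top = max(sets, default=0)
    for i in range(1, top + 1):            # instances must run 1..N without gaps
        for field in ARC_FIELDS:
            count = len(sets[i][field])
            if count != 1:
                problems.append(f"i={i}: {count} {field} fields, expected 1")
        for seal in sets[i]["arc-seal"]:
            want = "none" if i == 1 else "pass"
            if seal.get("cv") != want:
                problems.append(f"i={i}: ARC-Seal cv={seal.get('cv')}, expected {want}")
    return problems

def body_canon(t):
    """Body half of c=header/body; an omitted half defaults to 'simple'."""
    parts = t.get("c", "simple/simple").split("/")
    return parts[1] if len(parts) > 1 else "simple"

def body_hash_drift(headers):
    """Adjacent instances whose AMS share a body canonicalization but not bh=."""
    sets = arc_sets(headers)
    ams = {i: s["arc-message-signature"][0]
           for i, s in sets.items() if s["arc-message-signature"]}
    return [(i, i + 1) for i in sorted(ams)
            if i + 1 in ams and body_canon(ams[i]) == body_canon(ams[i + 1])
            and ams[i].get("bh") != ams[i + 1].get("bh")]

def arc_set(i, domain, cv, bh):
    """Build one constructed ARC set (newest-first field order, placeholder b=)."""
    return [("ARC-Seal", f"i={i}; a=rsa-sha256; d={domain}; cv={cv}; b=..."),
            ("ARC-Message-Signature",
             f"i={i}; a=rsa-sha256; c=relaxed/relaxed; d={domain}; bh={bh}; b=..."),
            ("ARC-Authentication-Results", f"i={i}; {domain}")]

# Constructed samples mirroring the three posted messages (placeholder hashes).
DIRECT = arc_set(2, "zohomail.com", "pass", "HASH-A") + \
         arc_set(1, "mm3.lavasoftware.org", "none", "HASH-A")
LIST = arc_set(2, "mm3.lavasoftware.org", "none", "HASH-C") + \
       arc_set(1, "mm3.lavasoftware.org", "none", "HASH-B")
MSFT = arc_set(2, "microsoft.com", "fail", "HASH-E") + \
       arc_set(1, "mmserver.org", "none", "HASH-D")

if __name__ == "__main__":
    for label, msg in (("direct", DIRECT), ("list", LIST), ("microsoft", MSFT)):
        print(label, structure_problems(msg), body_hash_drift(msg))
```

A validator checks the ARC-Message-Signature with the highest instance against the body it received, so drift between the sender's newest set and the receiver's own set (assuming the receiver hashes the body as delivered) means that signature was computed over a different body. Drift between two older sets only shows that something rewrote the body between those two signings.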
participants (3)
- Matt Wilbur EFS
- Philip Colmer
- Stephen J. Turnbull