Jayson Smith writes:

 > I've recently been playing with the OpenARC milter for Sendmail.

IIRC, OpenARC is the sample implementation by the ARC developers.  It
should be robust.  Mailman uses a different implementation based on
Python.  (You should use an MTA-based implementation if it works
correctly for all the usual reasons: performance, more correct
behavior especially for SPF.)

 > I have it running, and it seems to be working properly, except for
 > one thing. When a message is sent to one of my Mailman 2 lists,
 > OpenARC adds an ARC set to the incoming message before it ever hits
 > Mailman.

It's been a while since I read the RFC, but AIUI, adding the full set
is incorrect behavior.  An ARC processor should add only
ARC-Authentication-Results on the way in to the AD (administrative
domain), then add any DKIM stuff, the ARC-Signature, and the ARC-Seal
on the way out of the AD.

The fact that it adds the full set suggests that it thinks that
Mailman is outside of the AD.  

 > Then the message hits Mailman,

Is Mailman running on the same host as Sendmail?  Is it the same host
running the same instance of Sendmail on the way in and on the way
out?

 > and on the way out, OpenARC adds another ARC set to the message,
 > this one indicating the ARC validation failed. Now, if I understand
 > the RFC correctly, any ARC-aware MTA that sees this failure is
 > going to treat the entire ARC chain as though it never existed
 > since the most recent ARC set indicated validation failure.

That is not quite correct.  An ARC-capable MTA will treat the ARC
chain as though it begins at Mailman's outgoing MTA.  If Mailman's MTA
has a good reputation, that may help with some filters.  It will not
help with DMARC, though.

 > If this is the case, then the whole exercise is pointless.

 > Now some questions. OpenARC has a configuration option to treat certain 
 > hosts as trusted, and the Man page indicates that if no hosts are listed 
 > there, localhost is automatically added. If this is true, I don't know 
 > why OpenARC is processing messages on the way out of Mailman, since that 
 > should be a localhost to localhost connection.

It's processing on the way out because what ARC establishes is a chain
of custody:

1.  I checked it on the way in (ARC-Authentication-Results = A-A-R).
2.  I watched it all the way to the outgoing MTA, and only processes I
    trust touched it.  They may have changed it (invalidating the
    author's DKIM signature) but I assure you my processes didn't
    change anything you care about (specifically From if you're doing
    DMARC).  If you trust me, you can trust the authenticity of From.
3.  Here's my ARC-Signature (= A-Sig) on the final state (which I
    swear is authentic to the author's intent) just before I put it
    back on the wire, and here's an ARC-Seal to bind up both the A-A-R
    and A-Sig so you can trust them.

If you don't do A-Sig and A-Seal on the way out, the chain of custody
is broken if changes are made to the message (such as mailing lists
typically do) because the incoming signatures (author's DKIM and all
intermediate A-Sigs, as well as your incoming A-Sig!!) are all broken.

 > Is OpenARC the best Milter to use with Sendmail for this purpose? 
 > Is there something else I'm doing wrong or overlooking?

I don't see why not.  I'm pretty sure that's what most of the IETF
Working Group used, although Google and Yahoo! probably used their own
code.

I would guess there's some issue with OpenARC configuration, or with
your network configuration (this might include DNS! does Mailman live
on a different domain aliased to that host?), that makes OpenARC think
Mailman leaves the AD.

If this doesn't provide the necessary hints, let me know.  I don't
have time to study up on OpenARC today, but if needed I'll try to get
to it in the next couple of days.

Steve

------------------------------------------------------
Mailman-Users mailing list -- mailman-users@python.org
To unsubscribe send an email to mailman-users-le...@python.org
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/
    https://mail.python.org/archives/list/mailman-users@python.org/
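As an added illustration (not code from this thread, from Mailman or from OpenARC), here is a structural check of an ARC chain that follows the validator rules in RFC 8617 section 5.2: instance numbers run from 1 with no gaps, each set carries exactly one ARC-Seal, ARC-Message-Signature and ARC-Authentication-Results, the oldest seal says cv=none and every later seal says cv=pass. The sample headers are constructed to mirror the situation described above (one set added on the way in, a second set with cv=fail added on the way out); the domain, selector and signature values are placeholders, and no cryptographic verification is performed.

```python
import re
from email import message_from_string

ARC_HEADERS = ("ARC-Seal", "ARC-Message-Signature", "ARC-Authentication-Results")

def _tags(value):
    # Parse "tag=value; tag=value" into a dict, dropping folding whitespace.
    out = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip()] = re.sub(r"\s+", "", v)
    return out

def arc_chain_status(raw_message):
    """Return 'none', 'pass' or 'fail' from the ARC sets' structure alone;
    signatures are NOT verified (a real validator also checks AS/AMS in DNS)."""
    msg = message_from_string(raw_message)
    sets = {}
    for name in ARC_HEADERS:
        for value in msg.get_all(name, []):
            i = _tags(value).get("i", "")
            if not i.isdigit():
                return "fail"  # malformed or missing instance tag
            sets.setdefault(int(i), {}).setdefault(name, []).append(_tags(value))
    if not sets:
        return "none"  # no ARC sets at all
    for n in range(1, len(sets) + 1):
        s = sets.get(n)
        # Instances must run 1..N with exactly one AS, AMS and AAR each.
        if s is None or any(len(s.get(h, [])) != 1 for h in ARC_HEADERS):
            return "fail"
        # Oldest seal carries cv=none; every later seal must carry cv=pass.
        if s["ARC-Seal"][0].get("cv") != ("none" if n == 1 else "pass"):
            return "fail"
    return "pass"

# Constructed sample: set 1 added on the way in, set 2 added on the way out.
SAMPLE_FAIL = """\
ARC-Seal: i=2; a=rsa-sha256; cv=fail; d=lists.example.org; s=arc; b=c2V0Mg==
ARC-Message-Signature: i=2; a=rsa-sha256; d=lists.example.org; s=arc;
 bh=YmgyCg==; b=YjIK
ARC-Authentication-Results: i=2; lists.example.org; arc=fail
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=lists.example.org; s=arc; b=c2V0MQ==
ARC-Message-Signature: i=1; a=rsa-sha256; d=lists.example.org; s=arc;
 bh=YmgxCg==; b=YjEK
ARC-Authentication-Results: i=1; lists.example.org; dkim=pass
From: author@example.com
"""
# The same chain as it should look when the outgoing sealer validates set 1.
SAMPLE_PASS = SAMPLE_FAIL.replace("cv=fail", "cv=pass").replace("arc=fail", "arc=pass")
```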