Sorry for the top-post, my regular laptop is busted so I am using GMail.

Executive Summary: Either removing "sv" from the "mode" line in
openarc.conf or removing that line entirely should make OpenARC behave
correctly for you.

Gory details (sorry for verbosity):

I took a look at the OpenARC man pages and sample configuration file.  It
seems to me that Sendmail+OpenARC should work fine in your single-host
configuration, although I guess that you're in a VM, and that might affect
the network configuration as perceived by the MTA+milter.  I don't think it
*should* but I'm not familiar with Linode VPSes.

There are two optional configuration files that may be set in openarc.conf:
InternalHosts, which contains a list of those hosts where the milter trusts
an incoming message from those hosts to be authentic, and PeerHosts, which
lists those hosts where the milter is not invoked at all.  (I guess it's
invoked by the MTA but does nothing.)  My guess is that the "peer" in
PeerHosts does not mean peers of this host, but rather those hosts that
communicate with peers in other administrative (untrusted) domains.  You
should not have a PeerHosts file (or it should be empty), and your
InternalHosts file can probably not be specified, but perhaps it should be
specified and contain all aliases for the domain that might be in use (IP4
and IP6 addresses, domain names, maybe localhost).

The other possibility is that you have mode specified improperly, but I
think that no mode spec or empty mode spec should do what you want.  I am
guessing that you have "mode sv" set.  This may explain why you have full
sets of ARC headers incoming and outgoing, and they break.  According to
the man page, if neither s nor v is set, external connections will be
verified but not signed, and internal host connections (ie, from Mailman)
will be signed but not verified (ie, trusted to have the appropriate
Authentication-Results header).

If changing mode doesn't help, it may help if you can send the complete
headers from a message after it has passed through your Linode host so I
can see the complete set.

On Sun, Apr 10, 2022 at 9:06 PM Jayson Smith <jayb...@bluegrasspals.com>
wrote:

> Hi,
>
> To answer your main question, everything is on one Linode VPS, there's
> no networking or separate servers/hosts involved, everything's on one box.
>
> Jayson
>
> On 4/10/2022 4:41 AM, Stephen J. Turnbull wrote:
> > Jayson Smith writes:
> >
> >   > I've recently been playing with the OpenARC milter for Sendmail.
> >
> > IIRC, OpenARC is the sample implementation by the ARC developers.  It
> > should be robust.  Mailman uses a different implementation based on
> > Python.  (You should use an MTA-based implementation if it works
> > correctly for all the usual reasons: performance, more correct
> > behavior especially for SPF.)
> >
> >   > I have it running, and it seems to be working properly, except for
> >   > one thing. When a message is sent to one of my Mailman 2 lists,
> >   > OpenARC adds an ARC set to the incoming message before it ever hits
> >   > Mailman.
> >
> > It's been a while since I read the RFC, but AIUI, adding the full set
> > is incorrect behavior.  An ARC processor should add only
> > ARC-Authentication-Results on the way in to the AD (administrative
> > domain), then add any DKIM stuff, the ARC-Signature, and the ARC-Seal
> > on the way out of the AD.
> >
> > The fact that it adds the full set suggests that it thinks that
> > Mailman is outside of the AD.
> >
> >   > Then the message hits Mailman,
> >
> > Is Mailman running on the same host as Sendmail?  Is it the same host
> > running the same instance of Sendmail on the way in and on the way
> > out?
> >
> >   > and on the way out, OpenARC adds another ARC set to the message,
> >   > this one indicating the ARC validation failed. Now, if I understand
> >   > the RFC correctly, any ARC-aware MTA that sees this failure is
> >   > going to treat the entire ARC chain as though it never existed
> >   > since the most recent ARC set indicated validation failure.
> >
> > That is not quite correct.  An ARC-capable MTA will treat the ARC
> > chain as though it begins at Mailman's outgoing MTA.  If Mailman's MTA
> > has a good reputation, that may help with some filters.  It will not
> > help with DMARC, though.
> >
> >   > If this is the case, then the whole exercise is pointless.
> >
> >   > Now some questions. OpenARC has a configuration option to treat certain
> >   > hosts as trusted, and the Man page indicates that if no hosts are listed
> >   > there, localhost is automatically added. If this is true, I don't know
> >   > why OpenARC is processing messages on the way out of Mailman, since that
> >   > should be a localhost to localhost connection.
> >
> > It's processing on the way out because what ARC establishes is a chain
> > of custody:
> >
> > 1.  I checked it on the way in (ARC-Authentication-Results = A-A-R).
> > 2.  I watched it all the way to the outgoing MTA, and only processes I
> >      trust touched it.  They may have changed it (invalidating the
> >      author's DKIM signature) but I assure you my processes didn't
> >      change anything you care about (specifically From if you're doing
> >      DMARC).  If you trust me, you can trust the authenticity of From.
> > 3.  Here's my ARC-Signature (= A-Sig) on the final state (which I
> >      swear is authentic to the author's intent) just before I put it
> >      back on the wire, and here's an ARC-Seal to bind up both the A-A-R
> >      and A-Sig so you can trust them.
> >
> > If you don't do A-Sig and A-Seal on the way out, the chain of custody
> > is broken if changes are made to the message (such as mailing lists
> > typically do) because the incoming signatures (author's DKIM and all
> > intermediate A-Sigs, as well as your incoming A-Sig!!) are all broken.
> >
> >   > Is OpenARC the best Milter to use with Sendmail for this purpose?
> >   > Is there something else I'm doing wrong or overlooking?
> >
> > I don't see why not.  I'm pretty sure that's what most of the IETF
> > Working Group used, although Google and Yahoo! probably used their own
> > code.
> >
> > I would guess there's some issue with OpenARC configuration, or with
> > your network configuration (this might include DNS! does Mailman live
> > on a different domain aliased to that host?), that makes OpenARC think
> > Mailman leaves the AD.
> >
> > If this doesn't provide the necessary hints, let me know.  I don't
> > have time to study up on OpenARC today, but if needed I'll try to get
> > to it in the next couple of days.
> >
> > Steve
> >
>
>
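An added example, not code from this thread or from OpenARC: before changing the milter's mode, a defender can audit the ARC headers of a message that passed through the host, grouping them into instances and flagging the cv=fail seal the thread describes. The header values below are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample mirroring the thread: the host's milter adds a full set (i=1)
# on the way in, then a second set (i=2) on the way out whose seal records cv=fail.
# Domains, timestamps, bh= and b= values are placeholders, not real signatures.
SAMPLE_HEADERS = """\
ARC-Seal: i=2; a=rsa-sha256; t=1649628000; cv=fail; d=example.org; s=arc; b=SEAL2
ARC-Message-Signature: i=2; a=rsa-sha256; d=example.org; s=arc; h=From; bh=BH; b=SIG2
ARC-Authentication-Results: i=2; example.org; arc=fail
ARC-Seal: i=1; a=rsa-sha256; t=1649627990; cv=none; d=example.org; s=arc; b=SEAL1
ARC-Message-Signature: i=1; a=rsa-sha256; d=example.org; s=arc; h=From; bh=BH; b=SIG1
ARC-Authentication-Results: i=1; example.org; spf=pass smtp.mailfrom=example.com
From: Jayson <jayson@example.com>
"""

# The three headers that together form one ARC set.
ARC_SET = ("ARC-Authentication-Results", "ARC-Message-Signature", "ARC-Seal")

def parse_headers(raw):
    """Split a raw header block into (name, value) pairs, unfolding continuations."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] = (headers[-1][0], headers[-1][1] + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
    return headers

def tag(value, name):
    """Return the value of a tag=value pair such as cv=..., or None if absent."""
    m = re.search(r"(?:^|;)\s*%s=([^;\s]+)" % re.escape(name), value)
    return m.group(1) if m else None

def audit_arc_chain(raw):
    """Check every ARC set is complete and its seal's cv= follows the chain rule:
    i=1 carries cv=none, later sets cv=pass; cv=fail means the chain is discarded."""
    sets = defaultdict(dict)
    for name, value in parse_headers(raw):
        if name in ARC_SET and tag(value, "i"):
            sets[int(tag(value, "i"))][name] = value
    problems = []
    for i in sorted(sets):
        missing = [h for h in ARC_SET if h not in sets[i]]
        cv = tag(sets[i].get("ARC-Seal", ""), "cv")
        expected = "none" if i == 1 else "pass"
        if missing:
            problems.append("i=%d missing %s" % (i, ", ".join(missing)))
        elif cv != expected:
            problems.append("i=%d has cv=%s, expected cv=%s" % (i, cv, expected))
    return {"instances": sorted(sets), "problems": problems, "chain_valid": not problems}
```

On the sample this reports that instance 2 carries cv=fail where cv=pass was expected, which is exactly the symptom a downstream ARC verifier would reject.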
------------------------------------------------------
Mailman-Users mailing list -- mailman-users@python.org
To unsubscribe send an email to mailman-users-le...@python.org
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/
    https://mail.python.org/archives/list/mailman-users@python.org/