[Rspamd-Users] ARC-signing does not happen

David Krantz gazorg at gmail.com
Sat Jul 11 10:20:02 UTC 2020


Hi,

Sorry, that does not work either.

I skimmed the Lua source for the arc module very quickly and I have a
hard time seeing how it could start an ARC chain at all. It can
continue one, though.

I cannot get the module to add any signatures or headers at all. I
just get the ARC_NA symbol in the history. Therefore I read parts of
the ARC-module source very quickly. As I read it, it only can verify
existing ARC chains and cannot start new ones. I have no dev
environment set up for this, so I link to GitHub's web version here
instead:

https://github.com/rspamd/rspamd/blob/1fa88bcd56301f2f41319b987ac89909c87b6d0b/src/plugins/lua/arc.lua

What I think is the entry to the arc module starts as follows.
So if there are no ARC headers, the function exits and sets the symbol
"ARC_NA" on the message. This is not the behaviour I would like.

local function arc_callback(task)
  local arc_sig_headers = task:get_header_full('ARC-Message-Signature')
  local arc_seal_headers = task:get_header_full('ARC-Seal')

  if not arc_sig_headers or not arc_seal_headers then
    task:insert_result(arc_symbols['na'], 1.0)
    return
  end

As a list server normally is the first recipient in a chain, there
normally will be no ARC headers, but as the list forwards the mail, ARC
headers with i=1 should be added based on the results for DKIM and SPF
on the incoming mails. Of course you can add headers on the incoming
with i=1 and on the outgoing with i=2, that is maybe even better. You
would have to ignore the failed signature check when performing the
checks on the outgoing side as you know that the mail will have been
changed. Then you know what domains to accept broken signatures from
as that is what you signed with (and there is a list of domains to
consider as automatically valid in the config, IIRC, so that might
work). On the incoming you'd use the recipient domain in the header or
envelope and on the outgoing you'd use a different source for the
domain depending on how the mail list is set up - the header "To:" or
"From:" should be the ones to use in my setup, the point being that it
could be different from when signing the incoming mail.

I could write a change request for this of course. I can make a change
also but as I have too little time it would probably be a solution
that worked for my case only. As I do not want to set up a complete
rspamd dev environment I guess that the easy way out would be a local
Lua ruleset based on the current ARC module.

Cheers
// David

On Thu, Jul 9, 2020 at 5:25 PM P.V.Anthony <anthony at mindmedia.com.sg> wrote:
>
> On 9/7/20 04:06, David Krantz wrote:
>
> > I cannot get rspamd to set ARC signatures to my outgoing mails. I have
> > a list server so both incoming and outgoing mails are passed through
> > the milter. Incoming mails should be ARC-verified (if applicable) and
> > outgoing should be signed. I know that the outgoing milter works as it
> > adds DKIM signatures which works fine. If there is any resource on how
> > to do this or if someone has a tip on how to proceed I'd be very
> > happy.
>
> Please note that I am not an expert.
>
> The following seems to work for me.
>
> P.V.Anthony
>
> /etc/rspamd/local.d/arc.conf
>
> # If false, messages with empty envelope from are not signed
> allow_envfrom_empty = false;
>
> # If true, envelope/header domain mismatch is ignored
> allow_hdrfrom_mismatch = false;
>
> # If true, multiple from headers are allowed (but only first is used)
> allow_hdrfrom_multiple = false;
>
> # If true, username does not need to contain matching domain
> allow_username_mismatch = false;
>
> # If false, messages from authenticated users are not selected for signing (needed)
> auth_only = true;
>
> # Default selector to use (needed)
> selector = "default";
>
> # If false, messages from local networks are not selected for signing
> sign_local = true;
>
> # Symbol to add when message is signed
> symbol_signed = "ARC_SIGNED";
>
> # Domain to use for ARC signing: can be "header" or "envelope" (needed)
> use_domain = "header";
>
> # Whether to normalise domains to eSLD
> use_esld = false;
>
>
> try_fallback = false;
> path_map = "/etc/rspamd/local.d/dkim_domains.map";
> selector_map = "/etc/rspamd/local.d/dkim_selectors.map";
>
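
The decision discussed in the message above (no ARC headers means the forwarder starts the chain at i=1, otherwise it continues the existing one), as an added example in stand-alone Lua that is not part of the original e-mail and not rspamd's code. The function names `instance_of` and `next_arc_set` and all header values are hypothetical; the cv= values and the limit of 50 instances follow RFC 8617, and cryptographic validation of existing sets is assumed to happen elsewhere.

```lua
-- Added example (not rspamd code): pick the ARC instance a forwarder adds next.
local ARC_HEADERS = { 'ARC-Authentication-Results', 'ARC-Message-Signature', 'ARC-Seal' }
local MAX_INSTANCE = 50 -- highest i= value RFC 8617 allows

-- Read the i= tag from a header value such as "i=1; a=rsa-sha256; ...".
local function instance_of(value)
  local i = (';' .. value .. ';'):match(';%s*i%s*=%s*(%d+)%s*;')
  return i and tonumber(i)
end

-- chain_ok: result of validating the existing sets (assumed done elsewhere).
-- Returns instance, cv for the new ARC-Seal; or nil, error text.
local function next_arc_set(headers, chain_ok)
  local seen, highest = {}, 0
  for _, name in ipairs(ARC_HEADERS) do
    seen[name] = {}
    for _, value in ipairs(headers[name] or {}) do
      local i = instance_of(value)
      if not i or i < 1 or i > MAX_INSTANCE then
        return nil, name .. ': missing or invalid i= tag'
      elseif seen[name][i] then
        return nil, name .. ': duplicate instance ' .. i
      end
      seen[name][i] = true
      highest = math.max(highest, i)
    end
  end
  if highest == 0 then return 1, 'none' end -- no ARC headers: start the chain
  for i = 1, highest do -- every instance needs all three headers
    for _, name in ipairs(ARC_HEADERS) do
      if not seen[name][i] then return nil, name .. ': instance ' .. i .. ' missing' end
    end
  end
  if highest == MAX_INSTANCE then return nil, 'chain already has 50 sets' end
  return highest + 1, chain_ok and 'pass' or 'fail'
end

-- Constructed inputs: mail reaching the list with no ARC headers, the same
-- mail after one hop added a complete set, and a seal without its AMS/AAR.
local fresh = {}
local one_hop = {
  ['ARC-Authentication-Results'] = { 'i=1; lists.example.org; dkim=pass; spf=pass' },
  ['ARC-Message-Signature'] = { 'i=1; a=rsa-sha256; d=example.org; s=sel; bh=PLACEHOLDER; b=PLACEHOLDER' },
  ['ARC-Seal'] = { 'i=1; a=rsa-sha256; cv=none; d=example.org; s=sel; b=PLACEHOLDER' },
}
local broken = { ['ARC-Seal'] = one_hop['ARC-Seal'] }
print(next_arc_set(fresh))
print(next_arc_set(one_hop, true))
print(next_arc_set(broken, true))
```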

