[Rspamd-Users] ARC-signing does not happen

Vsevolod Stakhov vsevolod at rspamd.com
Sat Jul 11 10:27:08 UTC 2020

Hello David,

Please refrain from top posting here.

On 11/07/2020 11:20, David Krantz wrote:
> Hi,
> Sorry, that does not work either.
> I skimmed the lua source for the arc module very quickly and I have a
> hard time seeing how it could start an ARC chain at all. It can
> continue one, though.
> I cannot get the module to add any signatures or headers at all. I
> just get the ARC_NA symbol in the history. Therefore I read parts of
> the ARC-module source very quickly. As I read it, it only can verify
> existing ARC chains and cannot start new ones. I have no dev
> environment setup for this so I link to github's web version here
> instead:
> https://github.com/rspamd/rspamd/blob/1fa88bcd56301f2f41319b987ac89909c87b6d0b/src/plugins/lua/arc.lua
> What I think is the entry to the arc module starts like follows below.
> So if there are no ARC headers, the function exits and sets the symbol
> "ARC_NA" on the message. This is not the behaviour I would like.
> local function arc_callback(task)
>   local arc_sig_headers = task:get_header_full('ARC-Message-Signature')
>   local arc_seal_headers = task:get_header_full('ARC-Seal')
>   if not arc_sig_headers or not arc_seal_headers then
>     task:insert_result(arc_symbols['na'], 1.0)
>     return
>   end
> As a list server normally is the first recipient in a chain, there
> normally will be no ARC-headers but as the list forwards the mail ARC
> headers with i=1 should be added based on the results for DKIM and SPF
> on the incoming mails. Of course you can add headers on the incoming
> with i=1 and on the outgoing with i=2, that is maybe even better. You
> would have to ignore the failed signature check when performing the
> checks on the outgoing side as you know that the mail will have been
> changed. Then you know what domains to accept broken signatures from
> as that is what you signed with (and there is a list of domains to
> consider as automatically valid in the config, IIRC, so that might
> work). On the incoming you'd use the recipient domain in the header or
> envelope and on the outgoing you'd use a different source for the
> domain depending on how the mail list is set up - the header "To:" or
> "From:" should be the ones to use in my setup, the point being that it
> could be different from when signing the incoming mail.
> I could write a change request for this of course. I can make a change
> also but as I have too little time it would probably be a solution
> that worked for my case only. As I do not want to set up a complete
> rspamd dev environment I guess that the easy way out would be a local
> LUA-ruleset based on the current ARC module.
ARC check and ARC sign are different symbols (functions) and they are
completely separated (indeed ARC_NA symbol is completely legit here,
even if ARC_SIGN has also taken place). The first signature should have
cv=none and the following signatures should have cv equal to seals check
results. Hence, I have no idea what change do you suggest.

More information about the Users mailing list