OpenARC
Google fails to verify ARC
Wanted to write on mailing lists, unfortunately they are non-existent? (as per: http://www.trusteddomain.org/mailman/listinfo/ )
Using the same key to sign as is used to sign DKIM headers, Google fails signature verification.
Build on FreeBSD 10.3:
openarc -V
openarc: OpenARC Filter v0.1.0
Compiled with OpenSSL 1.0.1s-freebsd 1 Mar 2016
SMFI_VERSION 0x1000001
libmilter version 1.0.1
libopenarc 0.1.0:
Using postfix, milters after Amavisd.
OpenARC config used:
cat /usr/local/etc/openarc/openarc.conf
AuthservID heteigenwijsje.nl
Domain heteigenwijsje.nl
KeyFile /var/lib/dkim/heteigenwijsje.nl.pem
Mode sv
PidFile /var/run/openarc.pid
Selector dkim
SignatureAlgorithm rsa-sha256
Socket inet:8899@localhost
SoftwareHeader yes
Syslog Yes
UserID vscan:vscan
E-mail headers (replace <PRIVATE> with zzzomeone in case of gmail and gijsje in heteigenwijsje case):
Delivered-To: <PRIVATE>@gmail.com
Received: by 10.28.28.136 with SMTP id c130csp768192wmc;
Wed, 11 Oct 2017 08:02:42 -0700 (PDT)
X-Google-Smtp-Source: AOwi7QBd5q+jBZiZUwQwL4vDRWwgAw3BQf1REX91IrEIEJZ7s0HrgXCjc+x9C6l/Iy1HbH+VDpRt
X-Received: by 10.80.139.164 with SMTP id m33mr4924985edm.289.1507734162668;
Wed, 11 Oct 2017 08:02:42 -0700 (PDT)
Return-Path: <<PRIVATE>@heteigenwijsje.nl>
Received: from smtp.heteigenwijsje.nl (smtp.heteigenwijsje.nl. [80.127.116.100])
by mx.google.com with ESMTPS id 1si517428edw.461.2017.10.11.08.02.42
for <<PRIVATE>@gmail.com>
(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Wed, 11 Oct 2017 08:02:42 -0700 (PDT)
Received-SPF: pass (google.com: domain of <PRIVATE>@heteigenwijsje.nl designates 80.127.116.100 as permitted sender) client-ip=80.127.116.100;
Authentication-Results: mx.google.com;
dkim=pass [email protected] header.s=dkim header.b=o/sOgCmP;
arc=fail (signature failed);
spf=pass (google.com: domain of <PRIVATE>@heteigenwijsje.nl designates 80.127.116.100 as permitted sender) smtp.mailfrom=<PRIVATE>@heteigenwijsje.nl;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=heteigenwijsje.nl
Received: from mailserv.heteigenwijsje.nl (localhost [127.0.0.1]) by smtp.heteigenwijsje.nl (Postfix) with ESMTP id 63DAA34794 for <<PRIVATE>@gmail.com>; Wed, 11 Oct 2017 17:02:40 +0200 (CEST)
ARC-Filter: OpenARC Filter v0.1.0 smtp.heteigenwijsje.nl 63DAA34794
Authentication-Results: heteigenwijsje.nl; arc=none header.d=heteigenwijsje.nl
ARC-Seal: i=1; a=rsa-sha256; d=heteigenwijsje.nl; s=dkim; t=1507734160; cv=none; b=dY5tKxOhqF/8KUsb3Bo7REygUiejdMtF+iC24oBjojTN2A6VHKyWw/o2jto9jhKnjimSmpYdNhdc2rGP7S+F1InghCkPGufk2iiZ/rrv/iKNgNc0LlJRQdudn0P+B/ZWat2HnGHn8CMqvIpbKpidcXYOmj51IPYwQSE5tmwCNmM=
ARC-Message-Signature: i=1; a=rsa-sha256; d=heteigenwijsje.nl; s=dkim; t=1507734160; c=relaxed/simple; bh=g3zLYH4xKxcPrHOD18z9YfpQcnk/GaJedfustWU5uGs=; h=DKIM-Signature:X-Virus-Scanned:Received:Received:To:From:Subject:
Message-ID:Date:User-Agent:MIME-Version:Content-Type:
Content-Transfer-Encoding:Content-Language; b=TRFkzksm2fVytyzdFNm4Up78OtNBDPf0sgNWo1pgkZECKwH+tsAXuj730I4ghUVEAv7WkTpV7BQBI3PoQqLwiX9ljUJOHDMcYFR+AQAxxE4+MHPVHV/xzyqWwzXxIH2TafWEYqVN9Wbcq3lk/Bmru+JG1SAhqefhh4w1U5OHeiM=
ARC-Authentication-Results: i=1; heteigenwijsje.nl; none
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=heteigenwijsje.nl; s=dkim; t=1507734160; bh=g3zLYH4xKxcPrHOD18z9YfpQcnk/GaJedfustWU5uGs=; h=To:From:Subject:Date; b=o/sOgCmPW6NaUTLVY7GV1AD6+hT4PNzeSWU6piwJJBEcD242lA0VAHBkvPwoa0kMK
N8DIWqhmiO9X7wWdespboQi8nzRFVZ6mYybDecWeR/SIg0cls7bZYzjYl8yAKOXxso
WnoKzyGThXM+tiexss4HEkHTSXtl4Yo9OuDRYsHY=
X-Virus-Scanned: amavisd-new at mailserv.heteigenwijsje.nl
Received: from smtp.heteigenwijsje.nl ([127.0.0.1]) by mailserv.heteigenwijsje.nl (mailserv.heteigenwijsje.nl [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id N7iioL2bFyX7 for <<PRIVATE>@gmail.com>; Wed, 11 Oct 2017 17:02:30 +0200 (CEST)
Received: from [IPv6:2001:984:a1fc:1:bc4f:29a2:28ba:ef40] (unknown [IPv6:2001:984:a1fc:1:bc4f:29a2:28ba:ef40]) by smtp.heteigenwijsje.nl (Postfix) with ESMTPSA id 742DB34789 for <<PRIVATE>@gmail.com>; Wed, 11 Oct 2017 17:02:30 +0200 (CEST)
To: <PRIVATE>@gmail.com
From: Gijs Peskens <<PRIVATE>@heteigenwijsje.nl>
Subject: test123
Message-ID: <[email protected]>
Date: Wed, 11 Oct 2017 17:02:30 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Content-Language: en-US
test
Using your sample message and running it through dkimpy shows that the signatures do not validate:
DEBUG:dkimpy:ams sig[1]: {'a': 'rsa-sha256', 'c': 'relaxed/simple', 'b': 'TRFkzksm2fVytyzdFNm4Up78OtNBDPf0sgNWo1pgkZECKwH+tsAXuj730I4ghUVEAv7WkTpV7BQBI3PoQqLwiX9ljUJOHDMcYFR+AQAxxE4+MHPVHV/xzyqWwzXxIH2TafWEYqVN9Wbcq3lk/Bmru+JG1SAhqefhh4w1U5OHeiM=', 'd': 'heteigenwijsje.nl', 'i': '1', 'h': 'DKIM-Signature:X-Virus-Scanned:Received:Received:To:From:Subject: Message-ID:Date:User-Agent:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-Language', 'bh': 'g3zLYH4xKxcPrHOD18z9YfpQcnk/GaJedfustWU5uGs=', 's': 'dkim', 't': '1507734160'}
DEBUG:dkimpy:body hashed: 'test\r\n'
DEBUG:dkimpy:bh: g3zLYH4xKxcPrHOD18z9YfpQcnk/GaJedfustWU5uGs=
DEBUG:dkimpy:signed for ARC-Message-Signature: 'dkim-signature:v=1; a=rsa-sha256; c=simple/simple; d=heteigenwijsje.nl; s=dkim; t=1507734160; bh=g3zLYH4xKxcPrHOD18z9YfpQcnk/GaJedfustWU5uGs=; h=To:From:Subject:Date; b=o/sOgCmPW6NaUTLVY7GV1AD6+hT4PNzeSWU6piwJJBEcD242lA0VAHBkvPwoa0kMK N8DIWqhmiO9X7wWdespboQi8nzRFVZ6mYybDecWeR/SIg0cls7bZYzjYl8yAKOXxso WnoKzyGThXM+tiexss4HEkHTSXtl4Yo9OuDRYsHY=\r\nx-virus-scanned:amavisd-new at mailserv.heteigenwijsje.nl\r\nreceived:from [IPv6:2001:984:a1fc:1:bc4f:29a2:28ba:ef40] (unknown [IPv6:2001:984:a1fc:1:bc4f:29a2:28ba:ef40]) by smtp.heteigenwijsje.nl (Postfix) with ESMTPSA id 742DB34789 for <<PRIVATE>@gmail.com>; Wed, 11 Oct 2017 17:02:30 +0200 (CEST)\r\nreceived:from smtp.heteigenwijsje.nl ([127.0.0.1]) by mailserv.heteigenwijsje.nl (mailserv.heteigenwijsje.nl [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id N7iioL2bFyX7 for < [email protected]>; Wed, 11 Oct 2017 17:02:30 +0200 (CEST)\r\nto:<PRIVATE>@gmail.com\r\nfrom:Gijs Peskens <<PRIVATE>@ heteigenwijsje.nl>\r\nsubject:test123\r\nmessage-id:< [email protected]>\r\ndate:Wed, 11 Oct 2017 17:02:30 +0200\r\nuser-agent:Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0\r\nmime-version:1.0\r\ncontent-type:text/plain; charset=utf-8\r\ncontent-transfer-encoding:7bit\r\ncontent-language:en-US\r\narc-message-signature:i=1; a=rsa-sha256; d=heteigenwijsje.nl; s=dkim; t=1507734160; c=relaxed/simple; bh=g3zLYH4xKxcPrHOD18z9YfpQcnk/GaJedfustWU5uGs=; h=DKIM-Signature:X-Virus-Scanned:Received:Received:To:From:Subject: Message-ID:Date:User-Agent:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-Language; b='
DEBUG:dkimpy:ARC-Message-Signature valid: False
DEBUG:dkimpy:ams valid: False
DEBUG:dkimpy:as sig[1]: {'a': 'rsa-sha256', 'b': 'dY5tKxOhqF/8KUsb3Bo7REygUiejdMtF+iC24oBjojTN2A6VHKyWw/o2jto9jhKnjimSmpYdNhdc2rGP7S+F1InghCkPGufk2iiZ/rrv/iKNgNc0LlJRQdudn0P+B/ZWat2HnGHn8CMqvIpbKpidcXYOmj51IPYwQSE5tmwCNmM=', 'd': 'heteigenwijsje.nl', 'i': '1', 's': 'dkim', 't': '1507734160', 'cv': 'none'}
DEBUG:dkimpy:signed for ARC-Seal: 'arc-authentication-results:i=1; heteigenwijsje.nl; none\r\narc-message-signature:i=1; a=rsa-sha256; d= heteigenwijsje.nl; s=dkim; t=1507734160; c=relaxed/simple; bh=g3zLYH4xKxcPrHOD18z9YfpQcnk/GaJedfustWU5uGs=; h=DKIM-Signature:X-Virus-Scanned:Received:Received:To:From:Subject: Message-ID:Date:User-Agent:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-Language; b=TRFkzksm2fVytyzdFNm4Up78OtNBDPf0sgNWo1pgkZECKwH+tsAXuj730I4ghUVEAv7WkTpV7BQBI3PoQqLwiX9ljUJOHDMcYFR+AQAxxE4+MHPVHV/xzyqWwzXxIH2TafWEYqVN9Wbcq3lk/Bmru+JG1SAhqefhh4w1U5OHeiM=\r\narc-seal:i=1; a=rsa-sha256; d=heteigenwijsje.nl; s=dkim; t=1507734160; cv=none; b='
DEBUG:dkimpy:ARC-Seal valid: False
DEBUG:dkimpy:as valid: False
arc verification: cv=fail Most recent ARC-Message-Signature did not validate [{'as-domain': 'heteigenwijsje.nl', 'ams-selector': 'dkim', 'as-valid': False, 'instance': 1, 'ams-valid': False, 'as-selector': 'dkim', 'ams-domain': 'heteigenwijsje.nl', 'aar-value': 'i=1; heteigenwijsje.nl; none\r\n', 'cv': 'none'}]
--Kurt
You're right and I've been quite the idiot... Included an outdated file into the config because I copied from an outdated config....
Can confirm that using the right file now leads to correct validation by google if this is of any value ;)
there /are/ mailing-lists: https://openarc.org
I wasn't aware, guess the README is outdated then ;)
Mailing lists discussing and supporting the ARC software found in this
package are maintained via a list server at trusteddomain.org. Visit
http://www.trusteddomain.org to subscribe or browse archives. The available
lists are:
<<PRIVATE>@gmail.com> hmm, imho a valid email, but possibly not your own :(
Use an example.org domain, not just a random gmail.com address.
I had to use this in my openarc.conf file: SignHeaders to,subject,message-id,date,from,mime-version,dkim-signature,arc-authentication-results
so that only those headers were included in the signature calculation. Then gmail validates the arc signature properly.
+Brandon
That's good info but not a bug in openARC 😀
--Kurt
Another user signing on origination; he also posted on arc-discuss. openarc shouldn't allow arc-auth-res to be signed in the AMS.
it would be good to know which header being signed breaks things on the Gmail side.
Running through dkimpy or anything isn't going to help if you redact data that's in the signature.
The openarc.conf manpage says it will add all SHOULD headers per the RFC. Without a SignHeaders config line, it does not. Either the manpage is wrong or the code is wrong.
If it is signing Received headers (as implied in the arc-discuss thread) then I would suggest that the bug is how it behaves in the absence of explicit header signing configuration.
I'm not aware of anyone or any spec that suggests such behavior to be advisable.
--Kurt
The code should follow the RFC, and I'll fix that, but that doesn't mean this should be failing. The same header field canonicalization code is applied regardless of which specific headers are being covered.
I'm going to see if I can work with our contact at Gmail to figure out which side has something wrong.
Just to be clear: The code that does selection of header fields to sign should follow the RFC, but currently doesn't. I'll fix that. But apart from that, it shouldn't matter what header fields are getting signed, because they all get handled the same way.
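The header-selection and canonicalization points made above (the SignHeaders workaround, the note that the AMS should not cover ARC-Authentication-Results, Kurt's remark about Received, and the observation that every covered field goes through the same canonicalization) can be made concrete. The following is an added example, not code from OpenARC, dkimpy or anyone in this thread: it rebuilds the relaxed-canonicalized header string an ARC-Message-Signature is computed over (RFC 6376 section 3.4.2 header canonicalization, which c=relaxed/simple selects) and audits the h= list. The message, the example.org domain and the b=/bh= values are constructed placeholders; treating an ARC set field or a Received field in the AMS h= list as a finding follows the comments in this thread, and the recommended-field list is RFC 6376 section 5.4.1.

```python
"""Added example (not OpenARC or dkimpy code): rebuild the header block an
ARC-Message-Signature (AMS) is computed over and audit which fields its h=
tag covers.  The sample message is constructed; example.org and the b=/bh=
values are placeholders, not real signatures."""
import re

# RFC 6376 section 5.4.1: header fields a signer SHOULD cover
RECOMMENDED = {
    "from", "sender", "reply-to", "subject", "date", "message-id", "to", "cc",
    "mime-version", "content-type", "content-transfer-encoding", "content-id",
    "content-description", "resent-date", "resent-from", "resent-sender",
    "resent-to", "resent-cc", "resent-message-id", "in-reply-to", "references",
    "list-id", "list-help", "list-unsubscribe", "list-subscribe", "list-post",
    "list-owner", "list-archive",
}
# ARC set fields; per the thread, the AMS must not cover these
ARC_SET = {"arc-seal", "arc-message-signature", "arc-authentication-results"}

# Constructed sample: one ARC set (i=1) over a folded Received and an
# over-spaced To, with the AMS covering Received and the AAR.
SAMPLE = (
    "ARC-Seal: i=1; a=rsa-sha256; d=example.org; s=sel; t=1507734160; cv=none;\r\n"
    " b=AAAA\r\n"
    "ARC-Message-Signature: i=1; a=rsa-sha256; d=example.org; s=sel;\r\n"
    " t=1507734160; c=relaxed/simple; bh=BBBB;\r\n"
    " h=Received:To:From:Subject:Date:ARC-Authentication-Results; b=CCCC\r\n"
    "ARC-Authentication-Results: i=1; example.org; none\r\n"
    "Received: from mua.example.org (unknown [192.0.2.10])\r\n"
    "\tby smtp.example.org (Postfix) with ESMTPSA id 742DB34789\r\n"
    "To:   alice@example.com\r\n"
    "From: Bob <bob@example.org>\r\n"
    "Subject: test123\r\n"
    "Date: Wed, 11 Oct 2017 17:02:30 +0200\r\n"
    "MIME-Version: 1.0\r\n"
    "\r\n"
    "test\r\n"
)


def parse_headers(raw):
    """Split a raw header block into (name, value) pairs, keeping folds in the value."""
    headers = []
    for line in raw.replace("\r\n", "\n").split("\n"):
        if not line:                       # blank line ends the header block
            break
        if line[0] in " \t" and headers:   # continuation of the previous field
            name, value = headers[-1]
            headers[-1] = (name, value + "\n" + line)
        else:
            name, _, value = line.partition(":")
            headers.append((name, value))
    return headers


def parse_tags(value):
    """Parse a DKIM/ARC tag=value list into a dict, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, _, v = part.partition("=")
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def relaxed_header(name, value):
    """RFC 6376 section 3.4.2 relaxed canonicalization of one header field."""
    value = value.replace("\n", "")          # unfold: drop the line break, keep its WSP
    value = re.sub(r"[ \t]+", " ", value)    # collapse runs of WSP to a single SP
    return name.lower().strip() + ":" + value.strip() + "\r\n"


def strip_b(value):
    """Copy of a signature field with the b= value emptied, as the verifier hashes it."""
    return ";".join(re.sub(r"^(\s*b=).*$", r"\1", p, flags=re.S) for p in value.split(";"))


def ams_h_list(headers, ams_index):
    """Lower-cased h= list of the AMS at headers[ams_index]."""
    return [h.lower() for h in parse_tags(headers[ams_index][1])["h"].split(":") if h]


def find_ams(headers, instance="1"):
    """Index of the ARC-Message-Signature for the given instance number."""
    for i, (n, v) in enumerate(headers):
        if n.lower() == "arc-message-signature" and parse_tags(v).get("i") == instance:
            return i
    raise ValueError("no AMS for instance " + instance)


def signed_header_block(headers, ams_index):
    """Rebuild the exact string the AMS at headers[ams_index] signs over the headers.
    Each h= entry takes the lowest not-yet-used instance of that name (bottom up);
    a name with no remaining instance contributes nothing.  Whatever the h= list
    names, every field is canonicalized by the same relaxed_header()."""
    used, out = set(), []
    for want in ams_h_list(headers, ams_index):
        for idx in range(len(headers) - 1, -1, -1):
            if idx not in used and headers[idx][0].lower() == want:
                used.add(idx)
                out.append(relaxed_header(*headers[idx]))
                break
    name, value = headers[ams_index]
    out.append(relaxed_header(name, strip_b(value)).rstrip("\r\n"))  # AMS itself, no CRLF
    return "".join(out)


def audit_ams(headers, ams_index):
    """Flag the coverage choices discussed in the thread."""
    h_list = ams_h_list(headers, ams_index)
    present = {n.lower() for n, _ in headers}
    return {
        "arc_fields_covered": sorted(h for h in set(h_list) if h in ARC_SET),
        "received_covered": "received" in h_list,
        "recommended_missing": sorted((RECOMMENDED & present) - set(h_list)),
    }


if __name__ == "__main__":
    hdrs = parse_headers(SAMPLE)
    idx = find_ams(hdrs)
    print(signed_header_block(hdrs, idx))
    print(audit_ams(hdrs, idx))
```

Run against the constructed sample, the audit reports the AAR inside the AMS h= list, Received being covered, and MIME-Version present but unsigned; the printed block is the string a verifier such as dkimpy would hash for the AMS, with the AMS's own b= value emptied and no trailing CRLF on that last line.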
@mdomsch: Can you still reproduce this problem with Beta1? I sent a sample message, key, and signed message to a contact inside GMail and he said his results matched ours.
Beta1 lacks the patch from PR#100 and it's not a clean cherry-pick. Can I use develop HEAD at 824f49bf558f1f34712217a6687fc9e82c0938a5 instead?
I'm still seeing this problem with Google failing ARC while [email protected] says all is fine.
Code used: develop branch 20190808, commit 56b22d8. Problem persists with or without SigningHeaders in the config file (as above); the headers which get signed are actually the same either way.
Google Header has: Authentication-Results: mx.google.com; ... arc=fail (test pass); ..
dkim, dmarc and spf all pass ok according to google. Just ARC has the fail.
User error: Google does this in test mode. Removing test mode and it works fine.