
OpenARC is generating invalid ARC headers

Open seriv opened this issue 6 years ago • 7 comments

This is related to issue #31 of OpenDMARC created by @jikamens. Header "Authentication-Results" created by perl Mail-Milter-Authentication produces headers like

Authentication-Results: mrouter00.cs.umd.edu;
    dkim=fail (message has been altered, 2048-bit rsa key sha256) header.d=whitleymott-net.20150623.gappssmtp.com [email protected] header.b=0vPzhS0n header.a=rsa-sha256 header.s=20150623;
    x-return-mx=pass header.domain=greatlakedata.com policy.is_org=yes (MX Record found);
    x-return-mx=pass smtp.domain=openvz.org policy.is_org=yes (MX Record found);
    x-trusted-ip=pass

There are a few methods defined in the code of openarc/openarc-ar.c, and when the name does not match any of these, OpenARC puts "(null)=pass", "(null)=fail" or other results, with "(null)" in place of the method name. I think it should be fixed by 1) adding some good methods as per commit https://github.com/seriv/OpenARC/commit/2d18d2e1bd657c4326bbd10490fabcba9e66bbc9 and/or 2) skipping the unknown method when creating the ARC-Authentication-Results header as in https://github.com/trusteddomainproject/OpenARC/pull/114

seriv avatar Oct 07 '18 01:10 seriv

opendmarc 1.4.0-beta2 is throwing similar errors when run with openarc 1.0.0-beta2.

Milter insert (1): header: ARC-Authentication-Results: i=1; example.com; dkim=pass (1024-bit key; unprotected) header.d=email.theonion.com [email protected] header.a=rsa-sha256 header.s=class header.b=wlhJmNVD

...

opendmarc: ignoring invalid ARC-Authentication-Results header "i=1; example.com; dkim=pass (1024-bit key; unprotected) header.d=email.theonion.com [email protected] header.a=rsa-sha256 header.s=class header.b=wlhJmNVD"

mdomsch avatar Sep 09 '19 17:09 mdomsch

Same failure with openarc 1.0.0-beta3.

mdomsch avatar Sep 09 '19 18:09 mdomsch

I suspect it's the semicolon within the parenthesis (1024-bit key; unprotected) that's throwing off opendmarc. I don't see where that's coming from at this time though...

mdomsch avatar Sep 09 '19 21:09 mdomsch

Removing (comments) from the header in opendmarc_arcares_parse() silences the warning which I think is bogus anyway.

syslog(LOG_WARNING, "tag_label = %s", tag_label) in the default case in opendmarc_arcares_parse():

    opendmarc[40053]: tag_label = unprotected) header.d

Running current openarc-develop and opendmarc-develop

jcapo avatar Nov 02 '20 15:11 jcapo

The (comments) portion, e.g. "(1024-bit key; secure)", is coming from opendkim: https://github.com/trusteddomainproject/OpenDKIM/blob/14d54524e0a97d3fe9b80441907d7e356c9ded04/opendkim/opendkim.c#L10766

And yes it's still causing a syslog warning message in opendmarc-1.4.2.

Changing the semicolon to a comma in opendkim prevents opendmarc from emitting the syslog warning message and opendmarc appears to work as expected.

mdomsch avatar Dec 27 '21 06:12 mdomsch

PR to opendkim: https://github.com/trusteddomainproject/OpenDKIM/pull/136

mdomsch avatar Dec 29 '21 02:12 mdomsch

PR to opendkim: trusteddomainproject/OpenDKIM#136

Only problem: as noted, the semicolon is valid... and there will be versions of opendkim etc producing semicolons in the comments for a long time to come. Wouldn't it be better to fix openDMARC?

I've tracked down the actual issue, and am adding issues to openDMARC and openARC, with references.

(Key insights: many of these headers have ABNF that includes references to CFWS (Folding Whitespace and Comments); most of the tokens in *-Authentication-Results headers are actually generalized dot-atom -- including authserv-id.)

MrPeteH avatar Apr 10 '23 17:04 MrPeteH
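As an added example (not code from OpenDMARC, OpenARC or OpenDKIM), the C function below splits an (ARC-)Authentication-Results value on ';' while treating parenthesised comments as opaque, which is the CFWS point made in the last comment: the ';' inside "(1024-bit key; unprotected)" must not end the dkim field. The sample header is constructed, modelled on the one quoted in this thread with the domains replaced.

```c
#include <ctype.h>
#include <string.h>

#define AR_MAX_FIELDS 16
#define AR_FIELD_LEN 256

/* Constructed sample, modelled on the ARC-Authentication-Results header
 * quoted in this thread (domains replaced, folded across two lines). */
static const char AR_SAMPLE[] =
    "i=1; example.com; dkim=pass (1024-bit key; unprotected)\r\n"
    "\theader.d=email.example.com header.a=rsa-sha256 header.s=class";

/* Split the header value on ';' while treating parenthesised comments
 * (RFC 5322 CFWS) as opaque. Comments are dropped, folding whitespace is
 * collapsed to single spaces and each field is trimmed. Returns the number
 * of fields written to out, or -1 on unbalanced parentheses or overflow. */
int ar_split_fields(const char *hdr, char out[][AR_FIELD_LEN], int max)
{
    char buf[AR_FIELD_LEN];
    size_t len = 0;
    int nfields = 0, depth = 0;

    for (const char *p = hdr;; p++) {
        char c = *p;
        if (c == '(') { depth++; continue; }
        if (c == ')') { if (depth == 0) return -1; depth--; continue; }
        if (depth > 0 && c != '\0') continue;          /* inside a comment */
        if (c == ';' || c == '\0') {
            size_t s = 0, e = len;                     /* trim both ends */
            while (s < e && isspace((unsigned char)buf[s])) s++;
            while (e > s && isspace((unsigned char)buf[e - 1])) e--;
            if (e > s) {
                if (nfields >= max) return -1;
                memcpy(out[nfields], buf + s, e - s);
                out[nfields][e - s] = '\0';
                nfields++;
            }
            len = 0;
            if (c == '\0') break;
            continue;
        }
        if (c == '\r' || c == '\n' || c == '\t') c = ' '; /* unfold */
        if (c == ' ' && len > 0 && buf[len - 1] == ' ') continue;
        if (len + 1 < AR_FIELD_LEN) buf[len++] = c;
    }
    return depth != 0 ? -1 : nfields;
}
```

A splitter that counts every ';' would report four fields for AR_SAMPLE; this one returns three, with the dkim result kept in one piece.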