As far as I understood ARC, posts to mailing lists, for example, should be signed with it so obligatory DMARC failures will not matter. rspamd currently does not do this since it only looks at the "From"-header. I am not sure what to do about this, worse, the documentation is somewhat unintentional (https://rspamd.com/doc/modules/arc.html).
This needs some extra work (understanding details of ARC, generic mail signing with rspamd, ...), setting status to ON_DEV.
Signing forwarded mails with ARC is implemented (but not documented): - https://github.com/vstakhov/rspamd/issues/1993 - https://github.com/vstakhov/rspamd/pull/2018 However, the situation is more complex since f*cking Mailman rewrites header, breaking DKIM/ARC signatures. Actually, we need to go as follows: (a) A mail is received by mail01.ipfire.org. (b) rspamd on mail01.ipfire.org performs ARC checks and adds ARC signature (c) mail is relayed through mailman and then delivered to recipients. But since mailman modifies the mail, we need to switch steps (b) and (c). However, in that case, we cannot use the destination addresses for ARC signatures anymore, since these are remote domains we do not have keys for. @Michael: Can you switch off the mail modification (subject tags, ...) for the test list?
(In reply to Peter Müller from comment #2) > However, the situation is more complex since f*cking Mailman rewrites > header, breaking DKIM/ARC signatures. It *is* supposed to do that. I clearly think that this is a horrible horrible failure in designing DMARC. > @Michael: Can you switch off the mail modification (subject tags, ...) for > the test list? Subject is switched off for Test, but we have lists that modify the Subject header and body. That is something we want.
(In reply to Michael Tremer from comment #3) > (In reply to Peter Müller from comment #2) > > However, the situation is more complex since f*cking Mailman rewrites > > header, breaking DKIM/ARC signatures. > > It *is* supposed to do that. I clearly think that this is a horrible > horrible failure in designing DMARC. Sorry, I think this is not a problem with DMARC after all. Mailman rewrites the header lines of an incoming mail (I never found anyone with a satisfying idea why the software is doing that), and all DKIM/ARC signatures are broken afterwards. We need to add the ARC signature _afterwards_, after all content manipulation has been applied. Further, it seems like we sign messages delivered via ESMTPSA. > > > @Michael: Can you switch off the mail modification (subject tags, ...) for > > the test list? > > Subject is switched off for Test, but we have lists that modify the Subject > header and body. That is something we want. I see. Thanks. For a test mail via mailman, my rspamd results look like: X-Spamd-Result: default: False [-3.16 / 11.00]; FORGED_SENDER_MAILLIST(0.00)[]; DKIM_TRACE(0.00)[link38.eu:-]; HAS_LIST_UNSUB(-0.01)[]; FORGED_RECIPIENTS_MAILLIST(0.00)[]; DMARC_POLICY_SOFTFAIL(0.10)[link38.eu : SPF not aligned (relaxed), No valid DKIM,none]; ASN(0.00)[asn:6939, ipnet:2001:470::/32, country:US]; IP_SCORE(-3.64)[ip: (-9.54), ipnet: 2001:470::/32(-4.77), asn: 6939(-3.82), country: US(-0.09)]; MX_GOOD(-0.01)[cached: mail01.ipfire.org]; HAS_ATTACHMENT(0.00)[]; TO_DN_NONE(0.00)[]; MIME_GOOD(-0.20)[multipart/mixed,multipart/signed,text/plain]; RCVD_IN_DNSWL_MED(-2.00)[1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.5.2.0.0.3.8.1.7.0.7.4.0.1.0.0.2.list.dnswl.org : 127.0.9.2]; FROM_HAS_DN(0.00)[]; ARC_REJECT(2.00)[signature check failed: fail, {[1] = sig:ipfire.org:reject}]; FROM_NEQ_ENVFROM(0.00)[peter.mueller@link38.eu,test-bounces@lists.ipfire.org]; R_DKIM_REJECT(1.00)[link38.eu]; R_SPF_ALLOW(-0.20)[+ip6:2001:470:7183:25::1]; ARC_SIGNED(0.00)[i=2]; RCPT_COUNT_ONE(0.00)[1]; MID_RHS_MATCH_FROM(0.00)[]; RCVD_COUNT_THREE(0.00)[3]; RCVD_TLS_LAST(0.00)[]; MAILLIST(-0.20)[mailman] X-Spam-Status: No, score=-3.16 X-Rspamd-Server: mx-nbg.link38.eu The ARC_REJECT symbol is the problem here... As long as I haven't figured out how to solve this, are you OK with disabling ARC? I consider a missing signature better than a broken one. Sorry for all the rush here. :-(
Yes, please disable it so far. How do we fix this?
ARC signing disabled for now. The solution is rather complex: First, we only need to ARC sign incoming mails (destination mail equals signing key, see links to github above). That way, we have a signature especially useful for mailing lists and similar stuff. Second, since Mailman messes with mails (rewrites Subject, body and breaks signatures), we need to inject the signature _after_ the mail is delivered back to Postfix. Certainly, this could be done via running a second instance of Postfix and maybe rspamd, but I hate this idea. Currently, I am looking for better ways to go here. Unfortunately, things are busy here, so please be patient.
This is still alive. Sorry for being so sloppy.
We need to update Mailman for this. There seems to be no other way, since the current version breaks all DKIM signatures, which applies to ARC as well.
There is no updated version available. I have no idea if RH has any interest in updating it. The only way would be to fork the RPM and manually add patches that we need.
rspamd included the feature, it will be released with 1.8.1 .
rspamd 1.8.1 released, updating...
Enabling ARC destiation to MIME was not possible (or I am too stupid), waiting for vstakhov's response...
This is fixed by now.
Yay. \o/