
en - Re: [en@sympa] [Private] Re: Sympa ARC seals fails to validate

Subject: The mailing list for listmasters using Sympa

  • From: Robin Roevens <address@concealed>
  • To: "address@concealed" <address@concealed>
  • Cc: "address@concealed" <address@concealed>
  • Subject: Re: [en@sympa] [Private] Re: Sympa ARC seals fails to validate
  • Date: Wed, 14 Feb 2024 13:53:19 +0000

Hi Ikeda

I've sent a test message with the mentioned mail address as subscriber to
the list.

Meanwhile I however discovered that Google marked arc=fail (tests
passed) due to the 't=y;' parameter in the DKIM selector DNS TXT entry.
This parameter was now removed and now Google ARC tests pass:
----
ARC-Authentication-Results: i=2; mx.google.com; dkim=pass
 header.i=@<signer domain (sympa)> header.s=lists header.b="AzMol/f6";
arc=pass
 (i=1 spf=pass spfdomain=<sender domain> dkim=pass dkdomain=<sender domain>
 dmarc=pass fromdomain=<sender domain>); spf=pass (google.com: domain of
 robin_test-owner@<signer domain (sympa) designates <signer host IP> as
 permitted sender) smtp.mailfrom=robin_test-owner@<signer domain (sympa)>;
 dmarc=fail (p=REJECT sp=REJECT dis=QUARANTINE) header.from=<sender domain>
----
So it seems the ARC seal that is added by Sympa is valid after all.

O365 however keeps bouncing the mails with
----
ARC-Authentication-Results: i=2; mx.microsoft.com 1; spf=pass (sender
ip is
<signer host IP>) smtp.rcpttodomain=<recipient domain>
smtp.mailfrom=<signer domain (sympa)>; dmarc=fail (p=reject sp=reject
pct=100)
action="oreject" header.from=<sender domain>; dkim=pass (signature was
verified)
header.d=<signer domain (sympa)>; arc=fail (47)
----
while the ARC results added by Sympa earlier in the header indicate
that everything passes.
----
ARC-Authentication-Results: i=1; <signer domain (sympa)>;
arc=none;
dkim=pass header.d=disroot.org header.s=mail
header.b=kpXgBzR1;
spf=pass (<signer domain (sympa)>: domain of
robin.roevens@<sender domain> designates <sender host IP> as permitted
sender) smtp.mailfrom=robin.roevens@<sender domain>;
dmarc=pass (policy=reject) header.from=<sender domain>
----
despite the fact that <signer domain (sympa)> is added as trusted
sealer in O365.

Regards
Robin



IKEDA Soji wrote on Wed 14-02-2024 at 22:17 [+0900]:
> Hi Robin,
>
> > On 2024/02/14 1:16, Robin Roevens <address@concealed> wrote:
> >
> > Hi all
> >
> > I'm trying to have ARC sealing work in Sympa but I don't seem to be
> > able to do so.
> >
> > I have set up dkim with these settings in sympa.conf:
> > ---
> > dkim_feature on
> > dkim_add_signature_to   robot,list
> > dkim_signature_apply_on any
> > dkim_parameters.private_key_path        /etc/sympa/dkim_private.pem
> > dkim_parameters.signer_domain   <censored>
> > dkim_parameters.selector lists
> > ---
> >
> > which seems to work correctly as I see a DKIM signature and I see
> > Authentication-Result headers added by the receiving mailservers
> > indicating dkim=pass (test mode)
> >
> > Then I also enabled ARC as initial topics started by certain
> > subscribers who have an email that had dmarc policy set to 'reject'
> > currently get bounced by O365:
> > ---
> > arc_feature on
> > arc_srvid <censored, identical to dkim_parameters.signer_domain>
> > ---
> > And I set up my MX (postfix) to add the Authorization-Results header
> > using rspamd.
> >
> > Now I see ARC- headers being added by Sympa but still the mails bounce
> > on O365 addresses, even after adding the host as trusted ARC sealer in
> > O365.
> >
> > I do note that on Gmail receivers I see "arc=fail (test pass)" in the
> > Authorization-Results header added by Google (but they still get
> > delivered.. for now.. ) and in the headers of the bounced messages that
> > was sent to O365 receivers I see "arc=fail (47)" added.
> >
> > And for as far as I understand it, this indicates that the ARC-seal
> > added by Sympa does not validate.
> > For O365 explicit trust of ARC sealers is required, but that only works
> > if arc=pass (0 oda=0 ...) is added which would indicate that the ARC-seal
> > validated, but is not trusted (oda=0) and that would change in
> > arc=pass (0 oda=1 ...) when trusted. (and then no longer bounce)
> >
> > But I have absolutely no idea why the ARC seals of Sympa won't
> > validate. For what I understand from the sympa docs, it should just
> > work when dkim is working and arc_feature is turned on.
> >
> > What can I do to further debug this ? and/or are there any more
> > settings in sympa that could influence this ?
> >
>
> Please add an address > as a subscriber of the list in question
> tentatively and send message via the list.  So we might check if your
> ARC seal is correct.
>
> Regards,
>
>
> > Thanks
> >
> > Robin
>
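
Added example (not part of the original messages or of Sympa): a small Python checker for the two things this thread inspects, the `t=` flag in the DKIM selector TXT record and the `arc=` verdict each hop records in `ARC-Authentication-Results`. The key records are constructed with a placeholder `p=` value, the header values are abridged from the message above, and the function names are hypothetical.

```python
import re

def dkim_key_findings(txt):
    """Flag DKIM key-record (RFC 6376 sec. 3.6.1) settings that hurt validation."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())
    findings = []
    # t= is a colon-separated flag list; "y" means "this domain is testing DKIM".
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y (testing mode)")
    if "p" not in tags:
        findings.append("no p= tag")
    elif tags["p"] == "":
        findings.append("empty p= (key revoked)")
    return findings

def arc_chain_results(header_values):
    """Map ARC instance number -> (arc result, comment) for each
    ARC-Authentication-Results header value (folded lines are unfolded)."""
    results = {}
    for raw in header_values:
        value = " ".join(raw.split())
        inst = re.match(r"i=(\d+)\s*;", value)
        arc = re.search(r"(?<![\w.-])arc=(\w+)(?:\s*\(([^)]*)\))?", value)
        if inst and arc:
            results[int(inst.group(1))] = (arc.group(1), arc.group(2))
    return results

# Constructed key records; the p= value is a placeholder, not a real key.
BEFORE = "v=DKIM1; k=rsa; t=y; p=PLACEHOLDERKEY"
AFTER = "v=DKIM1; k=rsa; p=PLACEHOLDERKEY"

# Header values abridged from the message above, redaction placeholders kept.
SYMPA = "i=1; <signer domain (sympa)>;\n arc=none;\n dkim=pass header.d=disroot.org header.s=mail"
O365 = "i=2; mx.microsoft.com 1; spf=pass; dkim=pass (signature was\n verified)\n header.d=<signer domain (sympa)>; arc=fail (47)"
GOOGLE = "i=2; mx.google.com; dkim=pass header.s=lists;\n arc=pass\n (i=1 spf=pass dkim=pass dmarc=pass)"

if __name__ == "__main__":
    print(dkim_key_findings(BEFORE), dkim_key_findings(AFTER))
    for name, hdr in (("sympa", SYMPA), ("o365", O365), ("google", GOOGLE)):
        print(name, arc_chain_results([hdr]))
```

Running it over the headers of one delivered copy per receiver shows at which instance the chain verdict changes, which separates a sealing problem from a receiver-side trust decision.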


