Problems with ARC verification

Jered Floyd

Jan 20, 2018, 4:19:29 PM
to rspamd

Greetings!

I'm in the process of migrating from SpamAssassin to Rspamd (for multiple reasons), and I'm finding that ARC verification is failing, from sources that I would expect would be correctly implemented (e.g. Google lists and forwards).

1) Have others observed ARC verification to be working in Rspamd 1.6.5?
2) How can I help debug this problem?

Enabling debug logging for the arc module I see messages like:
2018-01-20 15:29:45 #18084(rspamd_proxy) <b7354a>; arc; arc.lua:192: got 2 arc sections
2018-01-20 15:29:45 #18084(rspamd_proxy) <b7354a>; arc; arc.lua:274: processed arc signature convivian.com: true(nil), 0 processed
2018-01-20 15:29:45 #18084(rspamd_proxy) <b7354a>; arc; arc.lua:274: processed arc signature google.com: true(nil), 0 processed
2018-01-20 15:29:45 #18084(rspamd_proxy) <b7354a>; dkim; rspamd_dkim_canonize_header: header Delivered-To is intended to be unique by email standards, but we have 2 headers of this type, artificially break DKIM check
2018-01-20 15:29:45 #18084(rspamd_proxy) <b7354a>; arc; arc.lua:230: checked arc signature convivian.com: false(reject), 1 processed
2018-01-20 15:29:45 #18084(rspamd_proxy) <b7354a>; dkim; rspamd_dkim_canonize_header: header delivered-to is intended to be unique by email standards, but we have 2 headers of this type, artificially break DKIM check
2018-01-20 15:29:45 #18084(rspamd_proxy) <b7354a>; arc; arc.lua:230: checked arc signature google.com: false(reject), 2 processed
2018-01-20 15:29:45 #18084(rspamd_proxy) <b7354a>; arc; dkim_sign_tools.lua:40: ignoring unauthenticated mail
There are two Delivered-To headers due to intermediate deliveries, and I can't find an RFC that this is not allowed/appropriate.  Is this message simply a warning, or is this causing the ARC verification failures?

Regards,
--Jered

Felix Schwarz

Jan 20, 2018, 4:24:09 PM
to Jered Floyd, rspamd
On 20.01.2018 at 22:19, Jered Floyd wrote:
> I'm in the process of migrating from SpamAssassin to Rspamd (for multiple
> reasons), and I'm finding that ARC verification is failing, from sources that
> I would expect would be correctly implemented (e.g. Google lists and forwards).

I assumed the same but apparently Google Groups does not do it correctly:
https://github.com/vstakhov/rspamd/issues/1942

Felix

Jered Floyd

Jan 20, 2018, 5:06:44 PM
to Felix Schwarz, rspamd

Felix,

Thanks for the quick response.

Darn. This greatly limits the use of the technology! I've set the value of ARC_REJECT to 0.0 for now.

FWIW, Google seems to validate my ARC Signatures/Seals. (I'm signing with OpenARC in the outgoing path.)

Google's wrong-ness is not limited to Groups. I also get ARC_REJECT on mail that forwards through a GMail account. I assume my earlier signature is also failing to validate based on munging by Google? (My test case is mail to a list on my server, which I sign on the way out, sent to a GMail address, which forwards to my personal account adding a second ARC signature.)

--Jered

Vsevolod Stakhov

Jan 20, 2018, 5:07:28 PM
to Jered Floyd, rspamd
This message is not a warning, it means that DKIM verification will fail
in all circumstances. However, 'Delivered-To' header is indeed not
intended to be unique. I have fixed this issue in the master branch,
thank you for the report.
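
A log triage sketch for the distinction drawn in the reply above, added here as an example and not code from Rspamd or from any poster: it groups debug lines by task id and separates ARC rejections that coincide with the "intended to be unique" canonicalization break from those that coincide with "rsa verify failed". The sample lines are constructed in the debug-log format quoted in this thread, and the cause labels are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample lines in the debug-log format quoted in this thread.
SAMPLE_LOG = """\
2018-01-20 15:29:45 #100(rspamd_proxy) <aaa111>; arc; arc.lua:192: got 2 arc sections
2018-01-20 15:29:45 #100(rspamd_proxy) <aaa111>; dkim; rspamd_dkim_canonize_header: header Delivered-To is intended to be unique by email standards, but we have 2 headers of this type, artificially break DKIM check
2018-01-20 15:29:45 #100(rspamd_proxy) <aaa111>; arc; arc.lua:230: checked arc signature example.org: false(reject), 1 processed
2018-01-20 15:29:45 #100(rspamd_proxy) <aaa111>; arc; arc.lua:230: checked arc signature example.net: false(reject), 2 processed
2018-01-20 17:50:17 #100(rspamd_proxy) <bbb222>; arc; arc.lua:230: checked arc signature example.org: true(nil), 1 processed
2018-01-20 17:50:17 #100(rspamd_proxy) <bbb222>; dkim; rspamd_dkim_check: rsa verify failed
2018-01-20 17:50:17 #100(rspamd_proxy) <bbb222>; arc; arc.lua:230: checked arc signature example.net: false(reject), 2 processed
"""

LINE = re.compile(r"^\S+ \S+ #\d+\(\w+\) <(?P<task>[0-9a-f]+)>; (?P<mod>\w+); (?P<msg>.*)$")
CHECKED = re.compile(r"checked arc signature (?P<dom>\S+): (?P<ok>true|false)\((?P<why>\w+)\)")
BROKEN = re.compile(r"header (?P<hdr>\S+) is intended to be unique .* artificially break DKIM check")


def triage(log_text):
    """Return {task_id: {"failed": [...], "cause": str, "headers": [...]}}."""
    tasks = defaultdict(lambda: {"arc": [], "broken": set(), "rsa_failed": False})
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # continuation lines (folded headers, blanks) carry no task id
        t, msg = tasks[m["task"]], m["msg"]
        if (c := CHECKED.search(msg)):
            t["arc"].append((c["dom"], c["ok"] == "true", c["why"]))
        elif (b := BROKEN.search(msg)):
            t["broken"].add(b["hdr"].lower())  # logged in both original and lowercased form
        elif "rsa verify failed" in msg:
            t["rsa_failed"] = True
    report = {}
    for task, t in tasks.items():
        failed = [dom for dom, ok, _ in t["arc"] if not ok]
        if not failed:
            cause = "none"
        elif t["broken"]:
            cause = "duplicate-header"  # verifier deliberately broke the check
        elif t["rsa_failed"]:
            cause = "rsa-mismatch"      # signature did not verify over the canonicalized data
        else:
            cause = "unknown"
        report[task] = {"failed": failed, "cause": cause, "headers": sorted(t["broken"])}
    return report
```

Feeding it the output of a worker running with debug logging for the arc and dkim modules shows which rejections come from the duplicate-header break and which are plain signature mismatches.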

Jered Floyd

Jan 20, 2018, 6:21:41 PM
to Vsevolod Stakhov, rspamd

Thank you for the quick reply!

I am continuing to investigate, and separate from the "Delivered-To" issue it looks like there may be an interoperability issue with OpenARC. An easy test is to send a message to for...@openarc.org. The returned mail fails the ARC check with Rspamd (although strangely my outgoing signature with OpenARC 0.1.0 validates). Example logs from a transaction are below, although I imagine anyone should be able to verify the interop issue by mailing the forwarder.

Let me know if I can assist in any way. This is with Rspamd 1.6.5 + #f40275e (so OpenARC can parse the AR header).

Regards,
--Jered


2018-01-20 17:50:16 #456(rspamd_proxy) <4927da>; proxy; proxy_accept_socket: accepted milter connection from ::1 port 0
2018-01-20 17:50:17 #456(rspamd_proxy) <4927da>; milter; rspamd_milter_process_command: got connection from 84.201.3.146:45327
2018-01-20 17:50:17 #456(rspamd_proxy) <4927da>; proxy; rspamd_message_parse: loaded message; id: <1824595439.11685.151648...@convivian.com>; queue-id: <3C36067E26>; size: 4410; checksum: <3fdf8cc98f3f70af8e5fcdcbab5f422b>
2018-01-20 17:50:17 #456(rspamd_proxy) <4927da>; proxy; lua_metric_symbol_callback: call to (SETTINGS_CHECK) failed (2): /usr/share/rspamd/lua/url_redirector.lua:260: attempt to index local 'url' (a nil value); trace: [1]:{/usr/share/rspamd/lua/url_redirector.lua:260 - <unknown> [Lua]};
2018-01-20 17:50:17 #456(rspamd_proxy) <4927da>; proxy; fuzzy_generate_commands: <1824595439.11685.151648...@convivian.com>, part is shorter than 1000 bytes: 2 (1 * 2.00 bytes), skip fuzzy check
2018-01-20 17:50:17 #456(rspamd_proxy) <4927da>; dkim; rspamd_dkim_simple_body_step: update signature with body buffer (42 size, 269 remain, 0 added)
2018-01-20 17:50:17 #456(rspamd_proxy) <4927da>; dkim; rspamd_dkim_simple_body_step: update signature with body buffer (41 size, 228 remain, 0 added)
2018-01-20 17:50:17 #456(rspamd_proxy) <4927da>; dkim; rspamd_dkim_simple_body_step: update signature with body buffer (33 size, 195 remain, 0 added)
2018-01-20 17:50:17 #456(rspamd_proxy) <4927da>; dkim; rspamd_dkim_simple_body_step: update signature with body buffer (2 size, 193 remain, 0 added)
2018-01-20 17:50:17 #456(rspamd_proxy) <4927da>; dkim; rspamd_dkim_simple_body_step: update signature with body buffer (2 size, 191 remain, 0 added)
2018-01-20 17:50:17 #456(rspamd_proxy) <4927da>; dkim; rspamd_dkim_simple_body_step: update signature with body buffer (42 size, 149 remain, 0 added)
2018-01-20 17:50:17 #456(rspamd_proxy) <4927da>; dkim; rspamd_dkim_simple_body_step: update signature with body buffer (40 size, 109 remain, 0 added)
2018-01-20 17:50:17 #456(rspamd_proxy) <4927da>; dkim; rspamd_dkim_simple_body_step: update signature with body buffer (33 size, 76 remain, 0 added)
2018-01-20 17:50:17 #456(rspamd_proxy) <4927da>; dkim; rspamd_dkim_simple_body_step: update signature with body buffer (2 size, 74 remain, 0 added)
2018-01-20 17:50:17 #456(rspamd_proxy) <4927da>; dkim; rspamd_dkim_simple_body_step: update signature with body buffer (28 size, 46 remain, 0 added)
2018-01-20 17:50:17 #456(rspamd_proxy) <4927da>; dkim; rspamd_dkim_simple_body_step: update signature with body buffer (44 size, 2 remain, 0 added)
2018-01-20 17:50:17 #456(rspamd_proxy) <4927da>; dkim; rspamd_dkim_canonize_header: update signature with header: Date: Sat, 20 Jan 2018 17:50:01 -0500 (EST)

2018-01-20 17:50:17 #456(rspamd_proxy) <4927da>; dkim; rspamd_dkim_canonize_header: update signature with header: From: Jered Floyd <je...@convivian.com>

2018-01-20 17:50:17 #456(rspamd_proxy) <4927da>; dkim; rspamd_dkim_canonize_header: update signature with header: To: forward <for...@openarc.org>

2018-01-20 17:50:17 #456(rspamd_proxy) <4927da>; dkim; rspamd_dkim_canonize_header: update signature with header: Subject: test2

2018-01-20 17:50:17 #456(rspamd_proxy) <4927da>; dkim; rspamd_dkim_signature_update: initial update hash with signature part: DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=convivian.com;
s=default; t=1516488601;
bh=CCG0nPEIiP8wk26wZUjR6ryh9QjpQyhteBheoroZUaE=;
h=Date:From:To:Subject:From;
b=
2018-01-20 17:50:17 #456(rspamd_proxy) <4927da>; arc; arc.lua:192: got 2 arc sections
2018-01-20 17:50:17 #456(rspamd_proxy) <4927da>; arc; arc.lua:274: processed arc signature convivian.com: true(nil), 0 processed
2018-01-20 17:50:17 #456(rspamd_proxy) <4927da>; dkim; rspamd_dkim_canonize_header_relaxed: update signature with header: dkim-signature:v=1; a=rsa-sha256; c=simple/simple; d=convivian.com; s=default; t=1516488601; bh=CCG0nPEIiP8wk26wZUjR6ryh9QjpQyhteBheoroZUaE=; h=Date:From:To:Subject:From; b=VB+XnMa+WGpe0I9cdse6BFeCJQjhG2HT1Ufx8ATtGkH+SQryfrZB1IBJgg0/IfWQC IdpROITYXliEtWaphpzPa4VYoOcFpqTz/uffE6HMjbzmeCMI5ant4ZkZdmgOt0nalG MIxbUkaxAy0XYYW3BZtHNQXTmacgrYLs7nhgXC/s=

2018-01-20 17:50:17 #456(rspamd_proxy) <4927da>; dkim; rspamd_dkim_canonize_header_relaxed: update signature with header: date:Sat, 20 Jan 2018 17:50:01 -0500 (EST)

2018-01-20 17:50:17 #456(rspamd_proxy) <4927da>; dkim; rspamd_dkim_canonize_header_relaxed: update signature with header: from:Jered Floyd <je...@convivian.com>

2018-01-20 17:50:17 #456(rspamd_proxy) <4927da>; dkim; rspamd_dkim_canonize_header_relaxed: update signature with header: to:forward <for...@openarc.org>

2018-01-20 17:50:17 #456(rspamd_proxy) <4927da>; dkim; rspamd_dkim_canonize_header_relaxed: update signature with header: message-id:<1824595439.11685.151648...@convivian.com>

2018-01-20 17:50:17 #456(rspamd_proxy) <4927da>; dkim; rspamd_dkim_canonize_header_relaxed: update signature with header: subject:test2

2018-01-20 17:50:17 #456(rspamd_proxy) <4927da>; dkim; rspamd_dkim_canonize_header_relaxed: update signature with header: mime-version:1.0

2018-01-20 17:50:17 #456(rspamd_proxy) <4927da>; dkim; rspamd_dkim_canonize_header_relaxed: update signature with header: content-type:multipart/alternative; boundary="=_4e628d5a-fdc6-447b-b5d1-2509a7def7a6"

2018-01-20 17:50:17 #456(rspamd_proxy) <4927da>; dkim; rspamd_dkim_canonize_header_relaxed: update signature with header: x-originating-ip:[172.16.0.5]

2018-01-20 17:50:17 #456(rspamd_proxy) <4927da>; dkim; rspamd_dkim_canonize_header_relaxed: update signature with header: x-mailer:Zimbra 8.7.11_GA_1854 (ZimbraWebClient - FF57 (Mac)/8.7.11_GA_1854)

2018-01-20 17:50:17 #456(rspamd_proxy) <4927da>; dkim; rspamd_dkim_canonize_header_relaxed: update signature with header: thread-index:maIdPy1N/iPzcE0UrAL6ihq1FmRITQ==

2018-01-20 17:50:17 #456(rspamd_proxy) <4927da>; dkim; rspamd_dkim_canonize_header_relaxed: update signature with header: thread-topic:test2

2018-01-20 17:50:17 #456(rspamd_proxy) <4927da>; dkim; rspamd_dkim_signature_update: initial update hash with signature part: arc-message-signature:i=1; a=rsa-sha256; d=convivian.com; s=default; t=1516488601; c=relaxed/simple; bh=CCG0nPEIiP8wk26wZUjR6ryh9QjpQyhteBheoroZUaE=; h=DKIM-Signature:Date:From:To:Message-ID:Subject:MIME-Version: Content-Type:X-Originating-IP:X-Mailer:Thread-Index:Thread-Topic: From; b=
2018-01-20 17:50:17 #456(rspamd_proxy) <4927da>; arc; arc.lua:230: checked arc signature convivian.com: true(nil), 1 processed
2018-01-20 17:50:17 #456(rspamd_proxy) <4927da>; arc; arc.lua:274: processed arc signature openarc.org: true(nil), 1 processed
2018-01-20 17:50:17 #456(rspamd_proxy) <4927da>; dkim; rspamd_dkim_canonize_header_relaxed: update signature with header: dkim-signature:v=1; a=rsa-sha256; c=simple/simple; d=convivian.com; s=default; t=1516488601; bh=CCG0nPEIiP8wk26wZUjR6ryh9QjpQyhteBheoroZUaE=; h=Date:From:To:Subject:From; b=VB+XnMa+WGpe0I9cdse6BFeCJQjhG2HT1Ufx8ATtGkH+SQryfrZB1IBJgg0/IfWQC IdpROITYXliEtWaphpzPa4VYoOcFpqTz/uffE6HMjbzmeCMI5ant4ZkZdmgOt0nalG MIxbUkaxAy0XYYW3BZtHNQXTmacgrYLs7nhgXC/s=

2018-01-20 17:50:17 #456(rspamd_proxy) <4927da>; dkim; rspamd_dkim_canonize_header_relaxed: update signature with header: date:Sat, 20 Jan 2018 17:50:01 -0500 (EST)

2018-01-20 17:50:17 #456(rspamd_proxy) <4927da>; dkim; rspamd_dkim_canonize_header_relaxed: update signature with header: from:Jered Floyd <je...@convivian.com>

2018-01-20 17:50:17 #456(rspamd_proxy) <4927da>; dkim; rspamd_dkim_canonize_header_relaxed: update signature with header: to:forward <for...@openarc.org>

2018-01-20 17:50:17 #456(rspamd_proxy) <4927da>; dkim; rspamd_dkim_canonize_header_relaxed: update signature with header: message-id:<1824595439.11685.151648...@convivian.com>

2018-01-20 17:50:17 #456(rspamd_proxy) <4927da>; dkim; rspamd_dkim_canonize_header_relaxed: update signature with header: subject:test2

2018-01-20 17:50:17 #456(rspamd_proxy) <4927da>; dkim; rspamd_dkim_canonize_header_relaxed: update signature with header: mime-version:1.0

2018-01-20 17:50:17 #456(rspamd_proxy) <4927da>; dkim; rspamd_dkim_canonize_header_relaxed: update signature with header: content-type:multipart/alternative; boundary="=_4e628d5a-fdc6-447b-b5d1-2509a7def7a6"

2018-01-20 17:50:17 #456(rspamd_proxy) <4927da>; dkim; rspamd_dkim_canonize_header_relaxed: update signature with header: x-originating-ip:[172.16.0.5]

2018-01-20 17:50:17 #456(rspamd_proxy) <4927da>; dkim; rspamd_dkim_canonize_header_relaxed: update signature with header: x-mailer:Zimbra 8.7.11_GA_1854 (ZimbraWebClient - FF57 (Mac)/8.7.11_GA_1854)

2018-01-20 17:50:17 #456(rspamd_proxy) <4927da>; dkim; rspamd_dkim_canonize_header_relaxed: update signature with header: thread-index:maIdPy1N/iPzcE0UrAL6ihq1FmRITQ==

2018-01-20 17:50:17 #456(rspamd_proxy) <4927da>; dkim; rspamd_dkim_canonize_header_relaxed: update signature with header: thread-topic:test2

2018-01-20 17:50:17 #456(rspamd_proxy) <4927da>; dkim; rspamd_dkim_signature_update: initial update hash with signature part: arc-message-signature:i=2; a=rsa-sha256; d=openarc.org; s=seal_2017071502; t=1516488616; c=relaxed/simple; bh=CCG0nPEIiP8wk26wZUjR6ryh9QjpQyhteBheoroZUaE=; h=DKIM-Signature:Date:From:To:Message-ID:Subject:MIME-Version: Content-Type:X-Originating-IP:X-Mailer:Thread-Index:Thread-Topic; b=
2018-01-20 17:50:17 #456(rspamd_proxy) <4927da>; dkim; rspamd_dkim_check: rsa verify failed
2018-01-20 17:50:17 #456(rspamd_proxy) <4927da>; arc; arc.lua:230: checked arc signature openarc.org: false(reject), 2 processed
2018-01-20 17:50:17 #456(rspamd_proxy) <4927da>; arc; dkim_sign_tools.lua:40: ignoring unauthenticated mail
2018-01-20 17:50:17 #456(rspamd_proxy) <4927da>; proxy; bayes_classify: skip classification as ham class has not enough learns: 0, 200 required
2018-01-20 17:50:17 #456(rspamd_proxy) <4927da>; lua; greylist.lua:250: Score too low - skip greylisting
2018-01-20 17:50:17 #456(rspamd_proxy) <4927da>; proxy; rspamd_task_write_log: id: <1824595439.11685.151648...@convivian.com>, qid: <3C36067E26>, ip: 84.201.3.146, from: <for...@openarc.org>, (default: F (no action): [0.00/15.00] [ARC_REJECT(0.00){signature check failed: fail, {[1] = sig:openarc.org:reject};},ASN(0.00){asn:31400, ipnet:84.201.3.0/24, country:DE;},DMARC_POLICY_ALLOW(0.00){convivian.com;none;},FORGED_RECIPIENTS_FORWARDING(0.00){},FORGED_SENDER_FORWARDING(0.00){},FROM_HAS_DN(0.00){},FROM_NEQ_ENVFROM(0.00){je...@convivian.com;for...@openarc.org;},HAS_XOIP(0.00){},IP_SCORE(0.00){country: DE(0.92);},MID_RHS_MATCH_FROM(0.00){},MIME_GOOD(0.00){multipart/alternative;text/plain;},PREVIOUSLY_DELIVERED(0.00){for...@openarc.org;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_THREE(0.00){4;},RCVD_NO_TLS_LAST(0.00){},R_DKIM_ALLOW(0.00){convivian.com;},R_SPF_ALLOW(0.00){+a;},TO_DN_ALL(0.00){}]), len: 4410, time: 203.995ms real, 11.174ms virtual, dns req: 23, digest: <3fdf8cc98f3f70af8e5fcdcbab5f422b>, rcpts: <je...@convivian.com>, mime_rcpt: <for...@openarc.org>
2018-01-20 17:50:17 #456(rspamd_proxy) <4927da>; proxy; rspamd_protocol_http_reply: regexp statistics: 0 pcre regexps scanned, 3 regexps matched, 163 regexps total, 78 regexps cached, 0B bytes scanned using pcre, 1.83k bytes scanned total
2018-01-20 17:50:17 #456(rspamd_proxy) <4f5269>; proxy; proxy_milter_finish_handler: finished milter connection