Microblog: A very long article Wikipedia article on the orientation of toilet paper [Jun 7th, 22:52] [R]

Sunday, April 11th, 2021

OpenARC with Postfix on Debian 10 (buster)

Categories: [ IT ]

Gmail started to complain recently that the messages forwarded by the trivial mailing-list hosted on my server did not pass the ARC validation. As Google already considers e-mail coming from my domain as spam (but strangely, not the emails forwarded by the mailing list on the same domain), I did not want to risk to see my e-mail treated as even less worthy to be delivered to the Valued Customers of Gmail (i.e., probably half the world) than it is now. And I wanted to look into ARC anyway. But the installation is not trivial, there are no official Debian packages, and no clear tutorial on the Web, so here's what I did. It may work for you or not.

This tutorial assumes you already have configured postfix with opendkim, and they are running on a single computer on a Debian 10. The configuration example expects postfix to run as chroot and uses the private key configured for opendkim.

All the following commands need to be run as root or through sudo.

Install the package

Add an apt source by creating the file /etc/apt/sources.list.d/openarc.list and write:
deb https://download.opensuse.org/repositories/home%3A/andreasschulze/Debian_10 /
Then run:
curl https://download.opensuse.org/repositories/home:/andreasschulze/Debian_10/Release.key | apt-key add -
apt update
apt install openarc
If you don't want to run curl as root, you can run that command instead:
curl https://download.opensuse.org/repositories/home:/andreasschulze/Debian_10/Release.key | sudo apt-key add -
This will install openarc 1.0.0 beta3-3, but the package's post-installation script has a bug, so the installation fails. To fix it, edit /var/lib/dpkg/info/openarc.postinst and comment-out line 62 which contains
  ln -s ../../var/lib/supervise/openarc-milter /etc/service/

Then run as root apt install openarc again.

Configure OpenArc

Create /etc/openarc/keys and copy the key from opendkim (e.g., /etc/opendkim/keys/example.private) into /etc/openarc/keys/. Then copy /etc/opendkim/TrustedHosts into /etc/openarc/.

Create /etc/openarc.conf (or create one such file based on /usr/share/doc/openarc/openarc.conf.sample.gz) and modify the following directives (without the quotes around the values, of course):

  • AuthservID: the name of the server (e.g., “server.example.com”)
  • Canonicalization: the value “relaxed/simple”
  • Domain: the domain namd (e.g., “weber.fi.eu.org”)
  • FinalReceiver: the value “no”
  • InternalHosts: the value “/etc/openarc/TrustedHosts” (if there is a such a file)
  • KeyFile: the path to the private key (e.g., “/etc/openarc/keys/example.private”)
  • OversignHeaders: the value “From”
  • PidFile: the value “/var/run/openarc/openarc.pid”
  • Selector: the value of the opendkim selector (see Selector in opendkim.conf)
  • Socket: the value “local:/var/spool/postfix/var/run/openarc/openarc.sock”
  • Syslog: the value “Yes”
Create /var/spool/postfix/var/run/openarc that will contain the socket:
mkdir /var/spool/postfix/var/run/openarc
chown openarc:openarc /var/spool/postfix/var/run/openarc
chmod 750 /var/spool/postfix/var/run/openarc
Add the postfix user to the openarc group so that postfix can access the socket (run as root):
usermod -a -G openarc postfix
Create a systemd service file /etc/systemd/system/openarc.service with the following content:
[Unit]
Description=OpenARC Authenticated Received Chain (ARC) Milter
Documentation=man:openarc(8) man:openarc.conf(5) https://openarc.org/
After=network.target nss-lookup.target·
 
[Service]
Type=forking
PIDFile=/var/run/openarc/openarc.pid
UMask=0002
ExecStart=/usr/sbin/openarc -c /etc/openarc.conf
Restart=on-failure
 
[Install]
WantedBy=multi-user.target

The UMask directive is especially important, so that /var/spool/postfix/var/run/openarc/openarc.sock is readable and writable by the members of the openarc group (i.e., postfix). OpenDKIM has a UMask directive, but OpenARC does not.

You can now start the service with
systemctl start openarc

Configure postfix

Edit /etc/postfix/main.cf and add the socket to the smtpd_milters and non_smtpd_milters lists (you may already have other milters configured, such as OpenDKIM):
smtpd_milters = unix:/var/run/opendkim/opendkim.sock,
                unix:/var/run/openarc/openarc.sock
 
non_smtpd_milters = unix:/var/run/opendkim/opendkim.sock,
                    unix:/var/run/openarc/openarc.sock
Finally, restart postfix:
systemctl restart postfix

You can now test your OpenARC setup with the tools provided by openarc.org.

[ Posted on April 11th, 2021 at 20:23 | no comment | ]