OpenARC with Postfix on Debian 10 (buster)
Käännös: [ Google ]
Kategoriat: [ ATK ]
Gmail started to complain recently that the messages forwarded by the trivial mailing-list hosted on my server did not pass the ARC validation. As Google already considers e-mail coming from my domain as spam (but strangely, not the emails forwarded by the mailing list on the same domain), I did not want to risk to see my e-mail treated as even less worthy to be delivered to the Valued Customers of Gmail (i.e., probably half the world) than it is now. And I wanted to look into ARC anyway. But the installation is not trivial, there are no official Debian packages, and no clear tutorial on the Web, so here's what I did. It may work for you or not.
This tutorial assumes you already have configured postfix with opendkim, and they are running on a single computer on a Debian 10. The configuration example expects postfix to run as chroot and uses the private key configured for opendkim.
All the following commands need to be run as root or through sudo.
Install the package
Add an apt source by creating the file/etc/apt/sources.list.d/openarc.list
and write:
deb https://download.opensuse.org/repositories/home%3A/andreasschulze/Debian_10 /Then run:
curl https://download.opensuse.org/repositories/home:/andreasschulze/Debian_10/Release.key | apt-key add - apt update apt install openarcIf you don't want to run
curl
as root, you can run that command instead:
curl https://download.opensuse.org/repositories/home:/andreasschulze/Debian_10/Release.key | sudo apt-key add -This will install openarc 1.0.0 beta3-3, but the package's post-installation script has a bug, so the installation fails. To fix it, edit
/var/lib/dpkg/info/openarc.postinst
and comment-out line 62 which contains
ln -s ../../var/lib/supervise/openarc-milter /etc/service/
Then run as root apt install openarc
again.
Configure OpenArc
Create /etc/openarc/keys
and copy the key from opendkim (e.g.,
/etc/opendkim/keys/example.private
) into /etc/openarc/keys/
. Then copy
/etc/opendkim/TrustedHosts
into /etc/openarc/
.
Create /etc/openarc.conf
(or create one such file based on
/usr/share/doc/openarc/openarc.conf.sample.gz
) and modify the following
directives (without the quotes around the values, of course):
- AuthservID: the name of the server (e.g., “server.example.com”)
- Canonicalization: the value “relaxed/simple”
- Domain: the domain namd (e.g., “weber.fi.eu.org”)
- FinalReceiver: the value “no”
- InternalHosts: the value “/etc/openarc/TrustedHosts” (if there is a such a file)
- KeyFile: the path to the private key (e.g., “/etc/openarc/keys/example.private”)
- OversignHeaders: the value “From”
- PidFile: the value “/var/run/openarc.pid”
- Selector: the value of the opendkim selector (see Selector in opendkim.conf)
- Socket: the value “local:/var/spool/postfix/var/run/openarc/openarc.sock”
- Syslog: the value “Yes”
/var/spool/postfix/var/run/openarc
that will contain the socket:
mkdir /var/spool/postfix/var/run/openarc chown openarc:openarc /var/spool/postfix/var/run/openarc chmod 750 /var/spool/postfix/var/run/openarcAdd the postfix user to the openarc group so that postfix can access the socket (run as root):
usermod -a -G openarc postfixCreate a systemd service file
/etc/systemd/system/openarc.service
with the
following content:
[Unit] Description=OpenARC Authenticated Received Chain (ARC) Milter Documentation=man:openarc(8) man:openarc.conf(5) https://openarc.org/ After=network.target nss-lookup.target· [Service] Type=forking PIDFile=/var/run/openarc.pid UMask=0002 ExecStart=/usr/sbin/openarc -c /etc/openarc.conf Restart=on-failure [Install] WantedBy=multi-user.target
The UMask
directive is especially important, so that
/var/spool/postfix/var/run/openarc/openarc.sock
is readable and writable by
the members of the openarc group (i.e., postfix). OpenDKIM has a UMask
directive, but OpenARC does not.
systemctl start openarc
Configure postfix
Edit/etc/postfix/main.cf
and add the socket to the smtpd_milters
and
non_smtpd_milters
lists (you may already have other milters configured, such
as OpenDKIM):
smtpd_milters = unix:/var/run/opendkim/opendkim.sock, unix:/var/run/openarc/openarc.sock non_smtpd_milters = unix:/var/run/opendkim/opendkim.sock, unix:/var/run/openarc/openarc.sockFinally, restart postfix:
systemctl restart postfix
You can now test your OpenARC setup with the tools provided by openarc.org.