Microblog : A very long article Wikipedia article on the orientation of toilet paper [7 jun à 22:52] [R]

Dimanche, 11 avril 2021

OpenARC with Postfix on Debian 10 (buster)

Traduction: [ Google | Babelfish ]

Catégories : [ Informatique ]

Gmail started to complain recently that the messages forwarded by the trivial mailing-list hosted on my server did not pass the ARC validation. As Google already considers e-mail coming from my domain as spam (but strangely, not the emails forwarded by the mailing list on the same domain), I did not want to risk to see my e-mail treated as even less worthy to be delivered to the Valued Customers of Gmail (i.e., probably half the world) than it is now. And I wanted to look into ARC anyway. But the installation is not trivial, there are no official Debian packages, and no clear tutorial on the Web, so here's what I did. It may work for you or not.

This tutorial assumes you already have configured postfix with opendkim, and they are running on a single computer on a Debian 10. The configuration example expects postfix to run as chroot and uses the private key configured for opendkim.

All the following commands need to be run as root or through sudo.

Install the package

Add an apt source by creating the file /etc/apt/sources.list.d/openarc.list and write: 
deb https://download.opensuse.org/repositories/home%3A/andreasschulze/Debian_10 /
Then run: 
curl https://download.opensuse.org/repositories/home:/andreasschulze/Debian_10/Release.key | apt-key add -
apt update
apt install openarc
If you don't want to run curl as root, you can run that command instead: 
curl https://download.opensuse.org/repositories/home:/andreasschulze/Debian_10/Release.key | sudo apt-key add -
This will install openarc 1.0.0 beta3-3, but the package's post-installation script has a bug, so the installation fails. To fix it, edit /var/lib/dpkg/info/openarc.postinst and comment-out line 62 which contains 
  ln -s ../../var/lib/supervise/openarc-milter /etc/service/

Then run as root apt install openarc again.

Configure OpenArc

Create /etc/openarc/keys and copy the key from opendkim (e.g., /etc/opendkim/keys/example.private) into /etc/openarc/keys/. Then copy /etc/opendkim/TrustedHosts into /etc/openarc/.

Create /etc/openarc.conf (or create one such file based on /usr/share/doc/openarc/openarc.conf.sample.gz) and modify the following directives (without the quotes around the values, of course):

  • AuthservID: the name of the server (e.g., “server.example.com”)
  • Canonicalization: the value “relaxed/simple”
  • Domain: the domain namd (e.g., “weber.fi.eu.org”)
  • FinalReceiver: the value “no”
  • InternalHosts: the value “/etc/openarc/TrustedHosts” (if there is a such a file)
  • KeyFile: the path to the private key (e.g., “/etc/openarc/keys/example.private”)
  • OversignHeaders: the value “From”
  • PidFile: the value “/var/run/openarc.pid”
  • Selector: the value of the opendkim selector (see Selector in opendkim.conf)
  • Socket: the value “local:/var/spool/postfix/var/run/openarc/openarc.sock”
  • Syslog: the value “Yes”
Create /var/spool/postfix/var/run/openarc that will contain the socket: 
mkdir /var/spool/postfix/var/run/openarc
chown openarc:openarc /var/spool/postfix/var/run/openarc
chmod 750 /var/spool/postfix/var/run/openarc
Add the postfix user to the openarc group so that postfix can access the socket (run as root): 
usermod -a -G openarc postfix
Create a systemd service file /etc/systemd/system/openarc.service with the following content: 
[Unit]
Description=OpenARC Authenticated Received Chain (ARC) Milter
Documentation=man:openarc(8) man:openarc.conf(5) https://openarc.org/
After=network.target nss-lookup.target·
 
[Service]
Type=forking
PIDFile=/var/run/openarc.pid
UMask=0002
ExecStart=/usr/sbin/openarc -c /etc/openarc.conf
Restart=on-failure
 
[Install]
WantedBy=multi-user.target

The UMask directive is especially important, so that /var/spool/postfix/var/run/openarc/openarc.sock is readable and writable by the members of the openarc group (i.e., postfix). OpenDKIM has a UMask directive, but OpenARC does not.

You can now start the service with 
systemctl start openarc

Configure postfix

Edit /etc/postfix/main.cf and add the socket to the smtpd_milters and non_smtpd_milters lists (you may already have other milters configured, such as OpenDKIM): 
smtpd_milters = unix:/var/run/opendkim/opendkim.sock,
                unix:/var/run/openarc/openarc.sock
 
non_smtpd_milters = unix:/var/run/opendkim/opendkim.sock,
                    unix:/var/run/openarc/openarc.sock
Finally, restart postfix: 
systemctl restart postfix

You can now test your OpenARC setup with the tools provided by openarc.org.

[ Posté le 11 avril 2021 à 20:23 | 7 commentaires | ]

Adresse de trackback

https://weber.fi.eu.org/blog/Informatique/openarc_with_postfix_on_debian_10.trackback

Commentaires

Sadly, these instructions don't work as of Dec 2021. The OpenARC package is invalid for downloading, let alone installation.

Commentaire N° 1, MrPete (Peyton, United States) le 12 décembre 2021 à 05:25

Update for Debian 11

To install it in Debian 11, you need to downlowad the release key with

curl https://download.opensuse.org/repositories/home:/andreasschulze/Debian_11/Release.key | gpg --dearmor | sudo tee /usr/share/keyrings/openarc-archive-keyring.gpg

and then configure the Debian 11 repo with that key in /etc/apt/sources.list.d/openarc.list using "signed-by":

deb [signed-by=/usr/share/keyrings/openarc-archive-keyring.gpg] https://download.opensuse.org/repositories/home:/andreasschulze/Debian_11 /

The upgrade worked without having to hack the post-install script.

Commentaire N° 2, Matthieu Weber (Kyröskoski, Finlande) le 30 novembre 2022 à 10:58

Hello! You really got it working?

Hi!

You really get arc=pass using: echo@openarc.org ?

For example..

/T

Commentaire N° 3, Tommy (Sweden) le 18 janvier 2023 à 19:31

I just tried, and the message I sent and which I received back as an attachment from the echo server contains Authentication-Results: dahlem.somaf.de; arc=pass smtp.remote-ip=185.87.108.178

The message that I received from MAILER_DAEMON@openarc.org however contains ARC-Authentication-Results: i=1; lentokone.weber.fi.eu.org; [...] arc=none smtp.remote-ip=185.183.157.243

I don't know how to interpret this, now :( Any idea?

Commentaire N° 4, Matthieu Weber (Helsinki, Finlande) le 18 janvier 2023 à 20:46

Signing works for you???

I've got this set up. Openarc adds a generic "I was here" line to all messages:

`ARC-Filter: OpenARC Filter v1.0.0 my.dom.ain EAA4BA042E`

But no signing of any kind.

Have you ever diagnosed this kind of thing?

Commentaire N° 5, MrPete le 24 mars 2023 à 03:22

Signing works for you???

I've got this set up. Openarc adds a generic "I was here" line to all messages:

`ARC-Filter: OpenARC Filter v1.0.0 my.dom.ain EAA4BA042E`

But no signing of any kind.

Have you ever diagnosed this kind of thing?

Commentaire N° 6, MrPete le 24 mars 2023 à 03:23

Signing works for me, yes. As far as I remember, it worked correctly after I set it up with the parameters above. And I'm sorry to say, I'm no expert in debugging openarc :( What I put in my blog post is what worked for me, and I have not needed to modify it since then.

Did you enable logging to Syslog? Does it leave any kind of useful information there?

Commentaire N° 7, Matthieu Weber (Finlande) le 24 mars 2023 à 08:23

Ajouter un commentaire

Vous pouvez utiliser les balises HTML suivantes: <p>, <br>, <em> <strong>, <pre>. Les URLs commençant par http:// seront automatiquement transformées en liens hypertextes.

(optionnel)
(optionnel)


Sauver mon nom et mon URL/Email pour la prochaine fois

12 - 7 =