feature request: ARC for forwarded emails #3759
Comments
I think we can easily integrate an ENV like |
Other mail projects like DMS have this feature already setup with rspamd, so you could likely refer to their source for what they're doing 😎 |
Overview
Current Status Quo
It seems all the changes @Mygod applied are already defaults. The way I understood this issue is that @Mygod stated they had to add the configuration posted explicitly. @Mygod did you match |
Ah I see I haven't actually enabled the module. I believe I've mistaken gmail's arc headers as rspamd. Is there a way to test arc? |
I think you will need to provide |
I copied the |
Did DMS forward an e-mail from another mail server to your GMail account? |
Yep. Gmail -> my server -> Gmail. |
I don't know at the moment whether copying the whole EDIT: Seems like copying from DKIM signing is just fine. EDIT2: Just out of curiosity, how do you restart DMS? The container has to be destroyed properly, otherwise your changes may not have any effect. |
I did I enabled debug log. Looks like some misconfiguration: |
I managed to make it work now (I think). Somehow |
The default in DMS for docker-mailserver/target/bin/rspamd-dkim Lines 218 to 241 in aba218e
Do you have a special Docker setup (64NAT or something similar)? There are multiple reasons the message is regarded as "local", and it is not unlikely that this stems from the way DMS handles forwarding. EDIT: In my production setup, |
Not according to this:
Can you be more specific, please?:) |
I was trying to say that I followed this tutorial and that's why I had this I don't remember my Docker setup. It's probably default other than enabling |
👍🏼
And there we go - that's very likely the reason :D If the default 64NAT is applied, then the message appears as if it is coming from a local network (Docker's), hence the requirement. Please note that this may also be the reason your SPF checks fail - the origin IP is not correct when mail servers connect to your instance via IPv6. (There are a million other reasons SPF could not check out; the usual advice I give to people: don't use IPv6 😆). |
Alright - I guess ARC works pretty much out of the box except for
Did I miss anything @Mygod? |
LGTM. 👍 |
I'll look into it when my other PRs are merged :) |
@Mygod How did you set up the forwarding from DMS to Gmail? I set up Rspamd with ARC in my DMS and from my limited testing the ARC headers are being added, but my emails which are being forwarded to Gmail are still bouncing. I use Mailgun as a relay though, which unfortunately I have to do because port 25 is blocked for outgoing traffic in Google Cloud. Could you share a few more details on your setup, which seems to work? For example, how did you set up the forwarding? I am using Nevermind, I got ARC working. Emails arrive at my Gmail now. My issue was that I had to configure relay settings through a config file rather than the ENV vars. I needed to set these vars in order for it to work with Mailgun: Screenshot taken from this guide: This is my
The only reason why I have |
You likely won't need to worry about that as much when v14 is out. Quite a few relay host feature support issues were resolved: docker-mailserver/CHANGELOG.md Line 52 in 849293f
docker-mailserver/CHANGELOG.md Lines 98 to 101 in 849293f
You'd want to go with the Here's the location of the config settings in your screenshot to show that we handle that for you 👍 docker-mailserver/target/scripts/helpers/relay.sh Lines 94 to 101 in 849293f
docker-mailserver/target/postfix/main.cf Line 56 in 849293f
@polarathene That is fantastic, thank you for the information, I'm looking forward to v14! |
I think my setup is still not quite right. I am still getting some bounced emails...
EDIT: I added |
@Mygod Did you set up DKIM signing via Rspamd as well? Your error message suggests you might not have done it, or misconfigured it?
My
Then I have mounted it like so:
I think docker-mailserver supports configuring dkim_signing already. |
After some debugging, I see the email in question only supports SPF but not DKIM (this was sent by an external server). I wonder if ARC could be helpful at all for getting this email through gmail... |
Hmm this might be relevant. My mail server is attaching |
EDIT: I fixed it. It turns out I forgot to properly configure IPv6 support for my container. |
I am still seeing ARC not being applied in some cases, more specifically, if the sender passes SPF but does not have DKIM, ARC fails for some reason. Gmail simply bounces the forwarded email, and in Microsoft Outlook I see this:
Other emails with DKIM have |
Is this possibly expected behavior? I mean, if there is no DKIM, can ARC actually work at all? |
Hmm I'm not sure but I thought it was supposed to help. Microsoft's
The example you posted in #3759 (comment) failed SPF, DKIM and DMARC. I'd guess ARC is not supposed to work then... |
This seems to indicate DKIM (or at least the DNS record) is a requirement for ARC to work. |
@georglauterbach Yes but that's the downstream validation result. Upstream result has SPF pass but missing DKIM and DMARC.
I think it is saying that the domain hosting the forwarding mail needs to have DKIM, which I have. I am unsure if it is required for the sender to have working DKIM. (To be honest, if ARC requires DKIM on the sender then ARC seems a bit pointless?) |
You're right, my bad. One question: Can you please explain to me why having DKIM on the sender's side as a requirement would render ARC moot? |
I'm not saying this because I saw this documented anywhere. I just think that if the original email is already signed with DKIM then we can already know the authenticity of the email, right? |
It's about the receiver trusting the intermediary that forwards the original sender's mail. DKIM should help with that trust for the original sender, but ARC is for trust with the intermediary in between. https://en.wikipedia.org/wiki/Authenticated_Received_Chain
and
It seems the above was roughly already understood in this discussion, but quoting with bolded emphasis for when ARC is relevant. The wiki entry also notes that it's up to the receiver to place trust in the ARC validation, but for the most part you're providing validation on any modifications to the forwarded mail such that it still allows for SPF and DKIM checks to pass validation despite the intermediary server that delivered it. A good use-case where ARC is probably helpful is the scenario described in this discussion, where an intermediary receives the mail to forward to a private instance for storage purposes. However that complicates validation on SPF/DKIM AFAIK which would fail, so their approach was to blindly trust anything sent from the intermediary, skipping those security checks. That discussion was summarized into a guide for our v14 docs, you can presently view that on our If the intermediary was instead a DMS instance and used ARC, then the private DMS instance should be able to perform the proper security checks on the forwarded mail if it was configured correctly. |
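To make the "chain of intermediaries" idea above concrete, here is a small added example (not code from DMS, rspamd or this thread) that parses the ARC header set of a forwarded message and applies the structural rules of RFC 8617: one ARC-Seal, ARC-Message-Signature and ARC-Authentication-Results per instance, instances numbered 1..N with no gaps, `cv=none` on the first seal and `cv=pass` on every later one. It also pulls out what each sealing hop attested about the message when it received it, which is how a downstream receiver learns that the original sender passed SPF but had no DKIM signature (the situation discussed earlier in this issue). The headers are constructed sample data with dummy signature values, and the code deliberately does not verify any signatures; that cryptographic part is what rspamd's ARC module does.

```python
import re
from collections import defaultdict

# Header name -> short label for the three headers that make up one ARC set.
ARC_HEADERS = {
    "arc-seal": "AS",
    "arc-message-signature": "AMS",
    "arc-authentication-results": "AAR",
}
MAX_INSTANCES = 50  # RFC 8617 caps a chain at 50 sets

# Constructed sample (not a real message): hop 1 (forwarder.example.org) sealed a
# message whose sender passed SPF but had no DKIM; hop 2 (example.net) validated
# that seal (cv=pass) and added its own set. b= and bh= values are dummies.
GOOD = """\
ARC-Seal: i=2; a=rsa-sha256; cv=pass; d=example.net; s=arc; t=1700000100;
  b=QkJCQg==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=example.net;
  s=arc; h=from:to:subject; bh=c2Vjb25kaG9w; b=QkJCQg==
ARC-Authentication-Results: i=2; mx.example.net; arc=pass;
  spf=pass smtp.mailfrom=forwarder.example.org; dkim=none
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=forwarder.example.org; s=arc;
  t=1700000000; b=QUFBQQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
  d=forwarder.example.org; s=arc; h=from:to:subject; bh=Zmlyc3Rob3A=; b=QUFBQQ==
ARC-Authentication-Results: i=1; mx.forwarder.example.org;
  spf=pass smtp.mailfrom=sender.example.com; dkim=none
From: someone@sender.example.com
Subject: forwarded test
"""


def unfold_headers(raw):
    """Return [(lowercase name, value)] from a header block, joining folded lines."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:      # continuation of previous header
            lines[-1] += " " + line.strip()
        elif line.strip():
            lines.append(line)
    out = []
    for line in lines:
        name, _, value = line.partition(":")
        out.append((name.strip().lower(), value.strip()))
    return out


def parse_tags(value):
    """Parse a 'k=v; k=v' tag list (ARC-Seal / ARC-Message-Signature)."""
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            k, _, v = part.partition("=")
            tags[k.strip().lower()] = re.sub(r"\s+", "", v)  # drop folding whitespace
    return tags


def parse_aar(value):
    """Parse 'i=N; authserv-id; method=result ...; ...' -> (instance, authserv, {method: result})."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    inst = parse_tags(parts[0]).get("i")
    authserv = parts[1] if len(parts) > 1 else ""
    results = {}
    for clause in parts[2:]:
        method, _, rest = clause.partition("=")
        results[method.strip().lower()] = rest.split()[0].lower() if rest.strip() else ""
    return inst, authserv, results


def collect_arc_sets(headers):
    """Group ARC headers by instance: ({i: {"AS": tags, "AMS": tags, "AAR": {...}}}, problems)."""
    sets, problems = defaultdict(dict), []
    for name, value in headers:
        kind = ARC_HEADERS.get(name)
        if kind is None:
            continue
        if kind == "AAR":
            inst, authserv, results = parse_aar(value)
            payload = {"authserv": authserv, "results": results}
        else:
            payload = parse_tags(value)
            inst = payload.get("i")
        if not inst or not inst.isdigit():
            problems.append(f"{name} has a missing or non-numeric i= tag")
            continue
        if kind in sets[int(inst)]:
            problems.append(f"duplicate {kind} for instance {inst}")
        sets[int(inst)][kind] = payload
    return dict(sets), problems


def validate_chain(raw):
    """Structural check of the ARC chain (RFC 8617 5.2); returns ('none'|'pass'|'fail', problems)."""
    sets, problems = collect_arc_sets(unfold_headers(raw))
    if not sets:
        return "none", problems                     # message was never sealed
    n = max(sets)
    if n > MAX_INSTANCES:
        problems.append(f"chain has {n} instances, limit is {MAX_INSTANCES}")
    for i in range(1, n + 1):
        s = sets.get(i)
        if s is None:
            problems.append(f"instance {i} missing entirely")
            continue
        for kind in ("AS", "AMS", "AAR"):
            if kind not in s:
                problems.append(f"instance {i} lacks {kind}")
        cv = s.get("AS", {}).get("cv", "").lower()
        expected = "none" if i == 1 else "pass"     # first seal has nothing to validate
        if cv == "fail":
            problems.append(f"instance {i} seal records cv=fail: an earlier hop broke the chain")
        elif cv != expected:
            problems.append(f"instance {i} seal has cv={cv or '(missing)'}, expected {expected}")
    return ("fail" if problems else "pass"), problems


def hop_attestations(raw):
    """{instance: (authserv-id, {method: result})}: what each sealing hop saw on receipt."""
    sets, _ = collect_arc_sets(unfold_headers(raw))
    return {i: (s.get("AAR", {}).get("authserv", ""), s.get("AAR", {}).get("results", {}))
            for i, s in sorted(sets.items())}
```

Running `validate_chain(GOOD)` returns `("pass", [])`, and `hop_attestations(GOOD)[1]` shows that the forwarder recorded `spf=pass` and `dkim=none` for the original sender: exactly the information the final receiver needs if it decides to trust that forwarder's seal instead of re-running SPF against the forwarder's IP. Tampering with the chain (for instance a first seal that claims `cv=pass`, or a missing instance) is reported as a structural failure before any signature would even be checked.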
Ah right. So the |
Context
Authenticated Received Chain (ARC) reduces bouncing of forwarded emails. See #3642.
Description
Have an easy switch or a guide to enable ARC in DMS.
Alternatives
Currently it seems possible to enable it through rspamd with a lot of manual tinkering (still testing?): #3642 (comment)
OpenARC is another alternative but doesn't seem quite good: trusteddomainproject/OpenARC#157
Applicable Users
Users that forward emails with DMS.
Are you going to implement it?
Yes, because I know the probability of someone else doing it is low and I can learn from it.
What are you going to contribute?
I could PR a guide to the wiki.