Mailing List Archive

ARC: How to verify OUTBOUND arc signing for locally generated messages
I want to verify that the arc signing is happening for my outbound mail.
I see an "exim 38801 - - 1rYEEa-00000000A4g-1GSd ARC: no
Authentication-Results header for signing"
this was mail sent directly to this host and authenticated.

Should I add an Authentication-Results header for mail coming in via
587?

Or am I misusing/abusing ARC?

Thanks!

--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: ler@lerctr.org
US Mail: 5708 Sabbia Dr, Round Rock, TX 78665-2106

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: ARC: How to verify OUTBOUND arc signing for locally generated messages
On 2024-02-08 at 19:07:16 UTC-0500 (Thu, 08 Feb 2024 18:07:16 -0600)
Larry Rosenman via Exim-users <ler@lerctr.org>
is rumored to have said:

> I want to verify that the arc signing is happening for my outbound
> mail.

It mostly shouldn't be happening.

> I see an "exim 38801 - - 1rYEEa-00000000A4g-1GSd ARC: no
> Authentication-Results header for signing"
> this was mail sent directly to this host and authenticated.

Normal.

> Should I add an Authentication-Results header for mail coming in via
> 587?

NO.

> Or am I misusing/abusing ARC?

That.

ARC is for forwarding systems. It is intended to protect forwarded mail
from looking like forged mail. The ARC header asserts that when the
message arrived, the SPF and DKIM mechanisms scored a particular way. As
neither SPF nor DKIM is relevant for initial mail submission, there's
nothing for ARC to do when it gets a message that has no pre-existing
DKIM signature from an authenticated client via port 587 or 465.



--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire

Re: ARC: How to verify OUTBOUND arc signing for locally generated messages
On 2/9/24 14:09, Bill Cole via Exim-users wrote:
>> Should I add an Authentication-Results header for mail coming in via 587?
>
> NO.
>
>> Or am I misusing/abusing ARC?
>
> That.
>
> ARC is for forwarding systems.

Probably per the real intent of ARC, yes.

But it's technically possible to regard what an MSA does
as "forwarding", and you could reasonably add an AR on
reception on 587 to label whatever exim did to authenticate
the client (eg. an SMTP AUTH method such as PLAIN) -
and initiate an ARC chain using that.

Exim will include the value from authenticated_sender in
the ${authresults()} expansion, if one is set.
--
Cheers,
Jeremy


Re: ARC: How to verify OUTBOUND arc signing for locally generated messages
On 2024-02-09 at 09:38:27 UTC-0500 (Fri, 9 Feb 2024 14:38:27 +0000)
Jeremy Harris via Exim-users <jgh@wizmail.org>
is rumored to have said:

> On 2/9/24 14:09, Bill Cole via Exim-users wrote:
>>> Should I add an Authentication-Results header for mail coming in via
>>> 587?
>>
>> NO.
>>
>>> Or am I misusing/abusing ARC?
>>
>> That.
>>
>> ARC is for forwarding systems.
>
> Probably per the real intent of ARC, yes.
>
> But it's technically possible to regard what an MSA does
> as "forwarding", and you could reasonably add an AR on
> reception on 587 to label whatever exim did to authenticate
> the client (eg. an SMTP AUTH method such as PLAIN) -
> and initiate an ARC chain using that.

Ewww. :)

There's already a widespread mechanism in broad use for tagging a
message as having used SMTP AUTH at a particular MTA: 'ESMTP[S]A' in the
relevant Received header. Some systems even put the authentication
identity there. I expect that any automated system looking for
indicators of authentication at a SMTP/Submission "hop" will already be
relying on that rather than looking for an AR header. BICBW



--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire

Re: ARC: How to verify OUTBOUND arc signing for locally generated messages
On 02/09/2024 8:38 am, Jeremy Harris via Exim-users wrote:
> On 2/9/24 14:09, Bill Cole via Exim-users wrote:
>>> Should I add an Authentication-Results header for mail coming in via
>>> 587?
>>
>> NO.
>>
>>> Or am I misusing/abusing ARC?
>>
>> That.
>>
>> ARC is for forwarding systems.
>
> Probably per the real intent of ARC, yes.
>
> But it's technically possible to regard what an MSA does
> as "forwarding", and you could reasonably add an AR on
> reception on 587 to label whatever exim did to authenticate
> the client (eg. an SMTP AUTH method such as PLAIN) -
> and initiate an ARC chain using that.
>
> Exim will include the value from authenticated_sender in
> the ${authresults()} expansion, if one is set.

Interestingly, I added one via the acl_smtp_data, but I still get the no
A-R header message. The header DOES show, however.

> --
> Cheers,
> Jeremy

--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: ler@lerctr.org
US Mail: 5708 Sabbia Dr, Round Rock, TX 78665-2106

Re: ARC: How to verify OUTBOUND arc signing for locally generated messages
On 2/9/24 15:24, Larry Rosenman via Exim-users wrote:
> I still get the no
> A-R header message.  The header DOES show, however.

Those two items don't seem to match up!
--
Cheers,
Jeremy


Re: ARC: How to verify OUTBOUND arc signing for locally generated messages
On 02/09/2024 9:51 am, Jeremy Harris via Exim-users wrote:
> On 2/9/24 15:24, Larry Rosenman via Exim-users wrote:
>> I still get the no
>> A-R header message.  The header DOES show, however.
>
> Those two items don't seem to match up!
> --
> Cheers,
> Jeremy

Here are the logs, and the manual SMTP transaction, and the headers on
the receiving end:


<22>1 2024-02-09T10:12:51.373610-06:00 thebighonker.lerctr.org exim
81333 - - 1rYTU8-00000000L9p-1GyI ARC DEBUG: none (), 0
<22>1 2024-02-09T10:12:51.384294-06:00 thebighonker.lerctr.org exim
81333 - - 1rYTU8-00000000L9p-1GyI <= ler@lerctr.org
H=99-190-128-217.lightspeed.austtx.sbcglobal.net (lerctr.org)
[99.190.128.217]:60268 I=[192.147.25.65]:587 P=esmtpa
A=dovecot_plain:ler@lerctr.org S=889
<21>1 2024-02-09T10:12:51.874755-06:00 thebighonker.lerctr.org exim
81381 - - H=(localhost) [84.212.198.230]:39831 I=[192.147.25.65]:587
rejected EHLO or HELO localhost: CHECK_HELO: localhost
helo/non-localhost address.
<22>1 2024-02-09T10:12:52.080901-06:00 thebighonker.lerctr.org exim
81389 - - 1rYTU8-00000000L9p-1GyI ARC: no Authentication-Results header
for signing
<22>1 2024-02-09T10:12:52.683895-06:00 thebighonker.lerctr.org exim
81387 - - 1rYTU8-00000000L9p-1GyI => larryrtx@gmail.com R=dnslookup
T=remote_smtp S=1555 H=gmail-smtp-in.l.google.com [142.250.31.27]:25
I=[192.147.25.65]:25172 X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=yes
DN="/CN=mx.google.com" K C="250 2.0.0 OK
kl21-20020a056214519500b0068ca121e30bsi2249782qvb.193 - gsmtp" QT=1s
DT=1s

Delivered-To: larryrtx@gmail.com
Received: by 2002:a9a:5c09:0:b0:286:f44b:5653 with SMTP id
f9csp964638lkg;
Fri, 9 Feb 2024 08:12:52 -0800 (PST)
X-Google-Smtp-Source:
AGHT+IGb0Z+tiJw7bfnjqT4JPKbRbtAjIH1MeDOe/64VBDUYbPMxty1uMGPAPk6vXl3gQiDJNCHf
X-Received: by 2002:a05:6214:448e:b0:68c:9419:be13 with SMTP id
on14-20020a056214448e00b0068c9419be13mr2423263qvb.6.1707495172484;
Fri, 09 Feb 2024 08:12:52 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1707495172; cv=none;
d=google.com; s=arc-20160816;
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
d=google.com; s=arc-20160816;
h=date:message-id:subject:to:from:dkim-signature;
bh=t6KqIBhykiogGA3Joki6tXlJ3t26ycOj4sgIResO0aA=;
fh=W3I30aEjcxh+r8PsWReNVDMgO/BuIency6+WLAoU67g=;
dara=google.com
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@lerctr.org header.s=ler2019
header.b=O9gv05XW;
spf=pass (google.com: domain of ler@lerctr.org designates
192.147.25.65 as permitted sender) smtp.mailfrom=ler@lerctr.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=lerctr.org
Return-Path: <ler@lerctr.org>
Received: from thebighonker.lerctr.org (thebighonker.lerctr.org.
[192.147.25.65])
by mx.google.com with ESMTPS id
kl21-20020a056214519500b0068ca121e30bsi2249782qvb.193.2024.02.09.08.12.52
for <larryrtx@gmail.com>
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Fri, 09 Feb 2024 08:12:52 -0800 (PST)
Received-SPF: pass (google.com: domain of ler@lerctr.org designates
192.147.25.65 as permitted sender) client-ip=192.147.25.65;
Authentication-Results: mx.google.com;
dkim=pass header.i=@lerctr.org header.s=ler2019
header.b=O9gv05XW;
spf=pass (google.com: domain of ler@lerctr.org designates
192.147.25.65 as permitted sender) smtp.mailfrom=ler@lerctr.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=lerctr.org
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
d=lerctr.org; s=ler2019;
h=Date:Message-Id:Subject:To:From:Sender:Reply-To:Cc:MIME-Version:
Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description;
bh=t6KqIBhykiogGA3Joki6tXlJ3t26ycOj4sgIResO0aA=;
Authentication-Results: thebighonker.lerctr.org; iprev=pass
(99-190-128-217.lightspeed.austtx.sbcglobal.net)
smtp.remote-ip=99.190.128.217; auth=pass (PLAIN)
smtp.auth=ler@lerctr.org; spf=pass smtp.mailfrom=lerctr.org; arc=none
Received-SPF: pass (thebighonker.lerctr.org: domain of lerctr.org
designates 99.190.128.217 as permitted sender) client-ip=99.190.128.217;
envelope-from=ler@lerctr.org; helo=lerctr.org;
Received: from 99-190-128-217.lightspeed.austtx.sbcglobal.net
([99.190.128.217]:60268 helo=lerctr.org) by thebighonker.lerctr.org with
esmtpa (Exim 4.97.1 (FreeBSD)) (envelope-from <ler@lerctr.org>) id
1rYTU8-00000000L9p-1GyI for larryrtx@gmail.com; Fri, 09 Feb 2024
10:12:51 -0600
From: LER <ler@lerctr.org>
To: <larryrtx@gmail.com>
Subject: ARC Test
Message-Id: <E1rYTU8-00000000L9p-1GyI@thebighonker.lerctr.org>
Date: Fri, 09 Feb 2024 10:12:46 -0600



Trying 192.147.25.65...
Connected to thebighonker.lerctr.org.
Escape character is '^]'.
220 thebighonker.lerctr.org ESMTP Exim 4.97.1 Fri, 09 Feb 2024 10:11:20
-0600
EHLO lerctr.org
250-thebighonker.lerctr.org Hello
99-190-128-217.lightspeed.austtx.sbcglobal.net [99.190.128.217]
250-SIZE 262144000
250-8BITMIME
250-DSN
250-PIPELINING
250-PIPECONNECT
250-AUTH PLAIN LOGIN
250-CHUNKING
250-STARTTLS
250-SMTPUTF8
250 HELP
AUTH PLAIN <REDACTED>
235 Authentication succeeded
MAIL FROM:<ler@lerctr.org>
250 OK
RCPT TO:<larryrtx@gmail.com>
250 Accepted
DATA
354 Enter message, ending with "." on a line by itself
From: LER <ler@lerctr.org>
To: <larryrtx@gmail.com>
Subject: ARC Test

testing arc
.
250 OK id=1rYTU8-00000000L9p-1GyI
quit
221 thebighonker.lerctr.org closing connection
--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: ler@lerctr.org
US Mail: 5708 Sabbia Dr, Round Rock, TX 78665-2106
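
One way to check a delivered copy for a locally added ARC set, as an added example that is not part of the original thread: it parses the received headers and reports which domain sealed each ARC instance and which host wrote each Authentication-Results header. The sample headers are constructed (abbreviated from the delivery above, signature values replaced by placeholders); the function names and the use of `lerctr.org` as the expected signing domain are assumptions.

```python
import re
from email import message_from_string

# Constructed sample: headers abbreviated from the delivery shown above,
# with signature values replaced by placeholders.
SAMPLE = """\
ARC-Seal: i=1; a=rsa-sha256; t=1707495172; cv=none;
 d=google.com; s=arc-20160816; b=PLACEHOLDER
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
 d=google.com; s=arc-20160816; h=date:message-id:subject:to:from;
 bh=PLACEHOLDER; b=PLACEHOLDER
ARC-Authentication-Results: i=1; mx.google.com;
 dkim=pass header.i=@lerctr.org; spf=pass smtp.mailfrom=ler@lerctr.org
Authentication-Results: mx.google.com; dkim=pass header.i=@lerctr.org
Authentication-Results: thebighonker.lerctr.org; auth=pass (PLAIN)
 smtp.auth=ler@lerctr.org; arc=none
Subject: ARC Test
"""

def _tags(value):
    """Split 'k=v; k=v' header content into a dict; bare tokens are skipped."""
    unfolded = re.sub(r"\s+", " ", value)
    pairs = (p.split("=", 1) for p in unfolded.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def arc_sets(raw):
    """Map ARC instance number -> sealing domain, cv= value, header kinds seen."""
    msg, sets = message_from_string(raw), {}
    for name in ("ARC-Seal", "ARC-Message-Signature", "ARC-Authentication-Results"):
        for value in msg.get_all(name, []):
            tags = _tags(value)
            if not tags.get("i", "").isdigit():
                continue  # malformed header without an instance number
            entry = sets.setdefault(int(tags["i"]), {"kinds": set()})
            entry["kinds"].add(name)
            if name == "ARC-Seal":
                entry.update(domain=tags.get("d"), cv=tags.get("cv"))
    return sets

def arc_signed_by(raw, domain):
    """True only if a complete ARC set (all three headers) was sealed by domain."""
    return any(len(s["kinds"]) == 3 and s.get("domain") == domain
               for s in arc_sets(raw).values())

def authres_from(raw, authserv_id):
    """Authentication-Results headers whose authserv-id is authserv_id."""
    return [v for v in message_from_string(raw).get_all("Authentication-Results", [])
            if v.split(";", 1)[0].strip() == authserv_id]
```

This inspects header structure only and does not verify any signature. On the sample, the only ARC set is instance 1 sealed by google.com, while the Authentication-Results header from thebighonker.lerctr.org is present without a matching local ARC set.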

Re: ARC: How to verify OUTBOUND arc signing for locally generated messages
On 2/9/24 16:15, Larry Rosenman via Exim-users wrote:
> On 02/09/2024 9:51 am, Jeremy Harris via Exim-users wrote:
>> On 2/9/24 15:24, Larry Rosenman via Exim-users wrote:
>>> I still get the no
>>> A-R header message.  The header DOES show, however.
>>
>> Those two items don't seem to match up!

The only way for that I can think of involves the A-R being
added in router or transport (ie. during delivery), rather than
ACL (reception)...
--
Cheers,
Jeremy

