OpenARC is (according to Zoho) creating a bad signature on outbound email #149

Open
pcolmer opened this issue Sep 15, 2021 · 3 comments

@pcolmer

pcolmer commented Sep 15, 2021

I'm trying to get ARC set up on a Mailman 3 server. I'm using Postfix as the MTA and OpenDKIM for the DKIM piece. As ARC sealing needs to happen after signatures, I've installed OpenARC rather than using the functionality in Mailman 3 (since the latter would result in sealing before signatures).

I've been sending and receiving emails from a Zoho Mail mailbox, partly because that seems to give me clearer headers, but the upshot is that Zoho claims that the ARC signature from OpenARC is invalid.

Delivered-To: [email protected]
Received-SPF: pass (zohomail.com: domain of mm3.mailmanserver.org designates 1.2.3.4 as permitted sender) client-ip=1.2.3.4; envelope-from=test-bounces+philip.colmer=example.org@mm3.mailmanserver.org; helo=mm3.mailmanserver.org;
Authentication-Results: mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of mm3.mailmanserver.org designates 1.2.3.4 as permitted sender)  smtp.mailfrom=test-bounces+philip.colmer=example.org@mm3.mailmanserver.org;
	arc=fail (Bad Signature)
Return-Path: <[email protected]>
Received: from mm3.mailmanserver.org (mm3.mailmanserver.org [1.2.3.4]) by mx.zohomail.com
	with SMTPS id 1631693948316297.012328440533; Wed, 15 Sep 2021 01:19:08 -0700 (PDT)
Received: from ip-172-31-73-169.ec2.internal (localhost [127.0.0.1])
	by mm3.mailmanserver.org (Postfix) with ESMTP id 19513BE188
	for <[email protected]>; Wed, 15 Sep 2021 08:19:07 +0000 (UTC)
Received: from sender4-op-o14.zoho.com (sender4-op-o14.zoho.com [5.6.7.8])
	by mm3.mailmanserver.org (Postfix) with ESMTPS id E359EBE180
	for <[email protected]>; Wed, 15 Sep 2021 08:19:04 +0000 (UTC)
Received: from mail.zoho.com by mx.zohomail.com
	with SMTP id 1631693941000415.5911521326384; Wed, 15 Sep 2021 01:19:01 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; d=mm3.mailmanserver.org; s=mailman; t=1631693947;
	cv=pass; b=urGdgo09sdWNe34wp73i5U574X4dOX9FbdRDsl9qSnhUhdAVUoZz8tOvBzjfpsNdH/yR3Uda8xSYvUcPnnVhIuvi0Z/KsGcJZUa4WVDH6gulWpm1JyBbhCT/XJffpZt2ACYwBdk7yOyfLvQBbE5wl7GXRzo4TEkJjJW3s8jOvis=
ARC-Message-Signature: i=2; a=rsa-sha256; d=mm3.mailmanserver.org; s=mailman;
	t=1631693947; c=relaxed/relaxed;
	bh=va3kZuA+d2t6FVs1mZCgVTyums7zkMon0A4ipX0CjRc=;
	h=DKIM-Signature:Received:ARC-Message-Signature:
	 ARC-Authentication-Results:DKIM-Signature:Received:Date:To:
	 Message-Id:MIME-Version:Importance:User-Agent:X-Mailer:
	 Message-ID-Hash:X-Message-ID-Hash:X-MailFrom:X-Mailman-Rule-Misses:
	 X-Mailman-Version:Precedence:Subject:List-Id:Archived-At:
	 List-Archive:List-Help:List-Owner:List-Post:List-Subscribe:
	 List-Unsubscribe:From:Reply-To:Content-Type; b=JXx7yrXwqMPfjyY+eHexLBg/NoH8ChHg/bDDh5nvSQvWZailGF+uf1Z0nHGGe16nZ4IWpgEd8y6jXav3AoL2sogTGyqsCfNzUDV6b0YA/ZKaluRKevfzz3458K3mbx2Pck4Enzo38Lxpd096OYsYrz9yBM/fuG/jZcfTvqsFyOY=
ARC-Authentication-Results: i=2; mm3.mailmanserver.org; arc=pass smtp.remote-ip=5.6.7.8; dkim=pass (1024-bit key; unprotected) header.d=example.org [email protected] header.a=rsa-sha256 header.s=zoho header.b=f3ZQXz+4; dkim-atps=neutral
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=mm3.mailmanserver.org; s=mailman; t=1631693947;
	bh=va3kZuA+d2t6FVs1mZCgVTyums7zkMon0A4ipX0CjRc=;
	h=Date:To:Subject:List-Id:List-Archive:List-Help:List-Owner:
	 List-Post:List-Subscribe:List-Unsubscribe:From:Reply-To:From;
	b=aiW9f6bb5tv+I61oeBOQbf2Av4xwNwGffNZpf0jXgHaypvw5GS0VyLDZqyJf2EK0+
	 PwE6yG3MnlaUv+nWEG+lmutLjr/OH2tR7Vf2V5EuK46nq/LqDtdAtPkc7DYrcj4oEE
	 DecGuZa2Cb8HkjJJ2KQ/iQGtWpGKGDvx/lbGKhK8=
Authentication-Results: mm3.mailmanserver.org; arc=pass smtp.remote-ip=5.6.7.8
Authentication-Results: mm3.mailmanserver.org;
	dkim=pass (1024-bit key; unprotected) header.d=example.org [email protected] header.a=rsa-sha256 header.s=zoho header.b=f3ZQXz+4;
	dkim-atps=neutral
ARC-Seal: i=1; a=rsa-sha256; t=1631693942; cv=none;
	d=zohomail.com; s=zohoarc;
	b=cSIi0RrTbaYtyudF892rd3lPdworO50hkn7coJDzqgn7fq1vZ4NOI/OQ/vSQPI9+vYEvwhBjsaLDtasQH5O16z6nfYtU6qemnzsrtfZyoUP1YGS/CG4QvalD5bmh6OXfHKjjYvx4yikTfrjLpdkf7EAJ9zlqHHJmhzeeFJPsGy0=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc;
	t=1631693942; h=Content-Type:Date:From:MIME-Version:Message-ID:Subject:To;
	bh=m+YhmNhPpu9AVkALDlWzfYQa+CAFtWYFgPazJNTNIgQ=;
	b=gQgdcRXAhAvWQcaZxBw0qtXOifJktkmXRFX7bw3YqpCjfNx2b4NvrRyzB//HM/RQnZzsbVnF6Ztp/JGln8UEJ8qguiDrKVqjKn80vYplNrsiM4LKp7RHUofD/Q2eNZAwzYPb/+RsmqrDliosZPyGVVacwgWmPr+6+fH2W5ti4s8=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=pass  header.i=example.org;
	spf=pass  [email protected];
	dmarc=pass header.from=<[email protected]>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1631693942;
	s=zoho; d=example.org; [email protected];
	h=Date:From:To:Message-Id:Subject:MIME-Version:Content-Type;
	bh=m+YhmNhPpu9AVkALDlWzfYQa+CAFtWYFgPazJNTNIgQ=;
	b=f3ZQXz+4pyuRnh69wXYyajlwG8z4Y5Yi2VxHpPsiQs9yjhdjm5yj2f0wJIfEjxYp
	muGW5LUl9rHemvHWCa4Uy/Km6w9eW1mInqvGrsLklLPEVD6pNze5TiZJ8XOpvpC0AsN
	3apBPPKiixGKwERJk1nTK9EyaEwrWSMwm7SluGj0=
Date: Wed, 15 Sep 2021 09:19:00 +0100
To: "test" <[email protected]>
Message-Id: <[email protected]>
MIME-Version: 1.0
Importance: Medium
User-Agent: Zoho Mail
X-Mailer: Zoho Mail
Message-ID-Hash: PDMAYDKPKC2XYR5FXGPWHGP5DXMY7N4Y
X-Message-ID-Hash: PDMAYDKPKC2XYR5FXGPWHGP5DXMY7N4Y
X-MailFrom: [email protected]
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.4
Precedence: list
Subject: [Test] And testing after upgrading OpenARC code
List-Id: <test.mm3.mailmanserver.org>
Archived-At: <>
List-Archive: <>
List-Help: <mailto:[email protected]?subject=help>
List-Owner: <mailto:[email protected]>
List-Post: <mailto:[email protected]>
List-Subscribe: <mailto:[email protected]>
List-Unsubscribe: <mailto:[email protected]>
From: Philip Colmer via Test <[email protected]>
Reply-To: Philip Colmer <[email protected]>
Content-Type: multipart/mixed; boundary="===============3602031680822028497=="
X-ZohoMail-DKIM: pass (identity @mm3.mailmanserver.org)

I've changed domains and IP addresses.

In /etc/openarc.conf, I've defined:

AuthservID           mm3.mailmanserver.org
Canonicalization     relaxed/simple
Domain               mm3.mailmanserver.org
KeyFile              <path to file>
OversignHeaders      From
PidFile              <path to file>
Selector             mailman
Socket               <path to socket>
Syslog               yes

I mostly followed the instructions I found at https://weber.fi.eu.org/blog/Informatique/openarc_with_postfix_on_debian_10.html?lang=en so I'm not sure if items like OversignHeaders are correct or not.

Edited to add:

Reading the man page for openarc.conf, I read this part for "OversignHeaders": "Note that listing a field name here and not listing it in the SignHeaders list is likely to generate invalid signatures." Since I wasn't defining anything for "SignHeaders", I've commented out the definition for "OversignHeaders", restarted OpenARC and sent another test. Unfortunately, Zoho still reports a "Bad Signature".

Edited: I've switched to the develop branch of OpenARC and incorporated the changes from #145, #141 and #121. I've updated the headers above to reflect a test performed after changing the OpenARC code. Unfortunately, Zoho still says the signature is bad.

Edited: I've tried explicitly setting SignHeaders (to SignHeaders to,subject,message-id,date,from,mime-version,dkim-signature,arc-authentication-results) but that didn't help either.
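A structural check of the ARC sets in the headers above, as an added example that is not part of the original issue or of OpenARC: it verifies no signatures, only instance numbering, `cv=` values, and the `h=` list of each ARC-Message-Signature against RFC 8617 section 4.1.2, which says ARC-related fields and Authentication-Results must not be covered by the AMS. The names `tags`, `lint_arc` and `configured_canon` are hypothetical, and the sample is abridged from the post with signature values replaced by placeholders.

```python
import email
import re

# Constructed sample: abridged from the issue's headers, b=/bh= values replaced.
SAMPLE = """\
ARC-Seal: i=2; a=rsa-sha256; d=mm3.mailmanserver.org; s=mailman; t=1631693947; cv=pass; b=PLACEHOLDER
ARC-Message-Signature: i=2; a=rsa-sha256; d=mm3.mailmanserver.org; s=mailman; c=relaxed/relaxed;
\tbh=PLACEHOLDER; h=DKIM-Signature:Received:ARC-Message-Signature:
\t ARC-Authentication-Results:DKIM-Signature:Received:Date:To:From; b=PLACEHOLDER
ARC-Authentication-Results: i=2; mm3.mailmanserver.org; arc=pass
ARC-Seal: i=1; a=rsa-sha256; t=1631693942; cv=none; d=zohomail.com; s=zohoarc; b=PLACEHOLDER
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; h=Content-Type:Date:From:MIME-Version:Message-ID:Subject:To; bh=PLACEHOLDER; b=PLACEHOLDER
ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass; dmarc=pass
"""

ARC_FIELDS = ("arc-seal", "arc-message-signature", "arc-authentication-results")
# RFC 8617 section 4.1.2: fields an AMS must not list in h=.
FORBIDDEN_IN_AMS_H = set(ARC_FIELDS) | {"authentication-results"}

def tags(value):
    """Parse 'k=v; k=v'; whitespace, including header folding, is dropped from values."""
    pairs = (part.partition("=") for part in value.split(";"))
    return {k.strip(): re.sub(r"\s+", "", v) for k, sep, v in pairs if sep}

def lint_arc(raw_headers, configured_canon=None):
    """Return structural findings for the ARC sets; no cryptographic verification."""
    sets = {}
    for name, value in email.message_from_string(raw_headers).items():
        t = tags(value)
        if name.lower() in ARC_FIELDS and t.get("i", "").isdigit():
            sets.setdefault(int(t["i"]), {}).setdefault(name.lower(), []).append(t)
    if not sets:
        return ["no ARC sets found"]
    findings, last = [], max(sets)
    for i in range(1, last + 1):
        arc_set = sets.get(i, {})
        for field in ARC_FIELDS:
            if len(arc_set.get(field, [])) != 1:
                findings.append(f"i={i}: expected exactly one {field}")
        for seal in arc_set.get("arc-seal", []):  # intact chain: none at i=1, pass after
            if seal.get("cv") != ("none" if i == 1 else "pass"):
                findings.append(f"i={i}: unexpected cv={seal.get('cv')}")
        for ams in arc_set.get("arc-message-signature", []):
            bad = sorted({h.lower() for h in ams.get("h", "").split(":")} & FORBIDDEN_IN_AMS_H)
            if bad:
                findings.append(f"i={i}: AMS h= covers {', '.join(bad)}")
            if configured_canon and i == last and ams.get("c") != configured_canon:
                findings.append(f"i={i}: AMS c={ams.get('c')}, config has {configured_canon}")
    return findings
```

Calling `lint_arc(SAMPLE, configured_canon="relaxed/simple")` compares the newest set's `c=` with the `Canonicalization` value from `/etc/openarc.conf`; a finding marks something to look at, not a confirmed cause of the receiver's verdict.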

@rdemendoza

+1

@abeverley

I'm also finding the same with Outlook.com. I've tried all the patches I can find, and it's still showing an ARC fail.

@abeverley

Just to add that I've also just tried with Zoho, and that appears to be showing valid ARC signatures. That's with my locally-patched version of OpenARC though, so it's possible I've applied something that fixes the original problem.

@pcolmer @rdemendoza - are you still having problems with Zoho?
