1

Topic: ARC - Authenticated Received Chain in iRedmail

==== Required information ====
Not relevant in this case
====

Citing http://arc-spec.org:

"What are the next steps for ARC?
If you are a mailbox provider or intermediary (mailing list operator, message forwarder), you should be planning your ARC implementation now (first half of 2018). Google has added ARC verification and sealing to their email services (Gmail, G Suite, and Google Groups). Several other companies will incorporate ARC into their products and services in the first half 2018.

Patches for the most popular mailing list managers (MLMs) will be available in the first quarter of 2018. Code libraries and modules are already available for those who need to integrate ARC functions into their systems. The commercial MTA MailerQ incorporates ARC, and the milters authentication_milter and OpenARC can be used to deploy ARC with the Postfix, Oracle Communications Messaging Server, and Sendmail MTAs."

So to my question - when is the implementation of any kind of ARC milter such as OpenARC due?

I have implemented it myself, but when is it going to be shipped with iRedmail by default?


2

Re: ARC - Authenticated Received Chain in iRedmail

selea wrote:

So to my question - when is the implementation of any kind of ARC milter such as OpenARC due?

No plan yet, but I will keep my eyes on this.

BTW, I cannot find any OpenARC document, did I miss something?

selea wrote:

I have implemented it myself, but when is it going to be shipped with iRedmail by default?

Mind sharing your implementation? It will help other users, and I may merge it if the doc is clear and the implementation is decent.

__PERSONAL__ opinion: we have so many mechanisms to fight spam, like Sender ID, SPF, DKIM, but nowadays a lot of mail server administrators still don't have them implemented. You can blame them, such as they're lazy, no time/willingness to learn something new, whatever, but that's the sad truth. I don't think ARC will be implemented widely so soon.

iRedMail will try to catch up with the best practice.

3 (edited by selea 2018-02-02 20:09:20)

Re: ARC - Authenticated Received Chain in iRedmail

ZhangHuangbin wrote:
selea wrote:

So to my question - when is the implementation of any kind of ARC milter such as OpenARC due?

No plan yet, but I will keep my eyes on this.

BTW, I cannot find any OpenARC document, did I miss something?

selea wrote:

I have implemented it myself, but when is it going to be shipped with iRedmail by default?

Mind sharing your implementation? It will help other users, and I may merge it if the doc is clear and the implementation is decent.

The main documentation can be found on GitHub:
https://github.com/trusteddomainproject/OpenARC

Also on the mailing list:
https://openarc.org

Regarding the implementation of OpenARC, it is pretty straightforward:
Compile the OpenARC package:
cd
git clone https://github.com/trusteddomainproject/OpenARC
cd OpenARC
autoreconf -fvi
./configure
make
make install
ldconfig
And check if the libs are found with:
ldconfig -p | grep libopenarc
Verify that the package can be run:

openarc -V
openarc: OpenARC Filter v0.1.0
        Compiled with OpenSSL 1.0.1f 6 Jan 2014
        SMFI_VERSION 0x1000001
        libopenarc 0.1.0:

Set up configs:
mkdir -p /etc/openarc
cp ~/OpenARC/openarc/openarc.conf.sample /etc/openarc/openarc.conf

Configure OpenARC as you want in the openarc.conf file
Launch openarc:
openarc -c /etc/openarc/openarc.conf

Then add it as a milter.

I will write a better guide when time allows so you can use it in your docs. OpenARC is not 100% complete so the installation method might change.

ZhangHuangbin wrote:

__PERSONAL__ opinion: we have so many mechanisms to fight spam, like Sender ID, SPF, DKIM, but nowadays a lot of mail server administrators still don't have them implemented. You can blame them, such as they're lazy, no time/willingness to learn something new, whatever, but that's the sad truth. I don't think ARC will be implemented widely so soon.

iRedMail will try to catch up with the best practice.

I fully agree with this! But big providers like Google and Microsoft have already implemented ARC verification/signing and more providers will do it too. I am working on implementing ARC-signing for the company I work for (one of the bigger email providers in Sweden).
iRedmail does everything correct out of the box to fight spam already. But by implementing ARC and also DMARC (both validation and reporting).

Also, if you want to take a look at my server config, just let me know and I can give you access.
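
An added example, not part of selea's post or of the OpenARC project: a shell check for the "add it as a milter" step above, confirming that the Socket set in openarc.conf is the one Postfix lists in smtpd_milters. libmilter writes a TCP socket as inet:port@host while Postfix writes inet:host:port, so the check converts between the two; port 8894 and the sample files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): confirm Postfix points at OpenARC's socket.

# libmilter spec (openarc.conf "Socket") -> Postfix smtpd_milters syntax:
#   inet:8894@localhost -> inet:localhost:8894,  local:/p -> unix:/p
to_postfix_spec() {
    case "$1" in
        inet:*@*) port=${1#inet:}; port=${port%%@*}
                  printf 'inet:%s:%s\n' "${1#*@}" "$port" ;;
        local:*)  printf 'unix:%s\n' "${1#local:}" ;;
        unix:*)   printf '%s\n' "$1" ;;
        *)        return 1 ;;
    esac
}

# Value of an active (uncommented) openarc.conf key. $1 = key, $2 = file
openarc_value() { awk -v k="$1" '$1 == k { print $2; exit }' "$2"; }

# Value of a single-line main.cf parameter. $1 = name, $2 = file
postfix_value() { sed -n "s/^$1[[:space:]]*=[[:space:]]*//p" "$2" | tail -n 1; }

# 0 = socket is listed in smtpd_milters, 1 = not listed, 2 = cannot tell
check_milter_wiring() {   # $1 = openarc.conf, $2 = main.cf
    sock=$(openarc_value Socket "$1")
    if [ -z "$sock" ]; then echo "no active Socket line in $1"; return 2; fi
    if ! want=$(to_postfix_spec "$sock"); then
        echo "unsupported Socket spec: $sock"; return 2
    fi
    for m in $(postfix_value smtpd_milters "$2" | tr ',' ' '); do
        if [ "$m" = "$want" ]; then echo "ok: $want"; return 0; fi
    done
    echo "smtpd_milters does not list $want"; return 1
}

# Constructed sample files (port 8894 and the commented-out line are made up).
make_sample() {   # $1 = directory, $2 = smtpd_milters value
    printf '# Socket inet:1@x\nSocket inet:8894@localhost\n' > "$1/openarc.conf"
    printf 'smtpd_milters = %s\n' "$2" > "$1/main.cf"
}

d=$(mktemp -d)
make_sample "$d" "inet:localhost:8894"
check_milter_wiring "$d/openarc.conf" "$d/main.cf"
rm -rf "$d"
```

The comparison is textual, so localhost and 127.0.0.1 count as different sockets; on a real host, point the function at /etc/openarc/openarc.conf and the Postfix main.cf.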

4

Re: ARC - Authenticated Received Chain in iRedmail

*) One idea: according to http://arc-spec.org/?page_id=79 , perl module "Mail::DKIM" has ARC signing and verification support, maybe we can ask Amavisd-new developers to implement this in Amavisd directly? This way we don't need to run OpenARC or other programs.

*) I didn't find openarc packages for RHEL/CentOS/Fedora in the EPEL repo, the Debian/Ubuntu apt repo, or the OpenBSD and FreeBSD ports trees. Lack of binary packages from Linux/BSD vendors will limit the deployment. Also, iRedMail uses packages from Linux/BSD vendors, not compiled from source tarballs, so this will be a problem with the iRedMail installer (of course we can do the compile thing in iRedMail, but it is not preferred).

*) I will try to integrate OpenDMARC in future iRedMail releases, but cannot give you a date right now.

5

Re: ARC - Authenticated Received Chain in iRedmail

ZhangHuangbin wrote:

*) One idea: according to http://arc-spec.org/?page_id=79 , perl module "Mail::DKIM" has ARC signing and verification support, maybe we can ask Amavisd-new developers to implement this in Amavisd directly? This way we don't need to run OpenARC or other programs.

That is actually a good idea, I did not think about that even though I knew that amavis is written in Perl. Sounds like a good logical step to take. Personally I would prefer ARC support from amavis rather than have an additional package.

ZhangHuangbin wrote:

*) I didn't find openarc packages for RHEL/CentOS/Fedora in the EPEL repo, the Debian/Ubuntu apt repo, or the OpenBSD and FreeBSD ports trees. Lack of binary packages from Linux/BSD vendors will limit the deployment. Also, iRedMail uses packages from Linux/BSD vendors, not compiled from source tarballs, so this will be a problem with the iRedMail installer (of course we can do the compile thing in iRedMail, but it is not preferred).

It is true that the openarc package is not in the repositories yet, but some people who are involved in the project already have their own repositories and they are already doing some packaging work with, for example, the opendmarc package. I think it will take a long time before the openarc package makes it to the Debian default repo, for example - is using a third party repo an alternative for the iRedmail suite?

ZhangHuangbin wrote:

*) I will try to integrate OpenDMARC in future iRedMail releases, but cannot give you a date right now.

Sounds like a plan. I would suggest you add the reporting part to the iRedmail Pro version only :)
Meanwhile, I can refer to this guide about implementing OpenDMARC with the reporting function:
https://www.stevejenkins.com/blog/2015/ … os-fedora/

Pretty straightforward and takes just a couple of minutes.

I know that you manually have to change some Perl functions (at least in v1.2.0) in some files, but that is quite easy to figure out.

6

Re: ARC - Authenticated Received Chain in iRedmail

selea wrote:

is using a third party repo an alternative for the iRedmail suite?

We prefer repos offered by linux/bsd vendors, not third-party repos, especially personal third-party repos.

selea wrote:

Meanwhile, I can refer to this guide about implementing OpenDMARC with the reporting function:
https://www.stevejenkins.com/blog/2015/ … os-fedora/

I read this blog post before. :D Thank you for sharing.