Hey everyone,
I'm running eFa-4.0.4 as an outbound-only filter. I have set up SPF, DMARC, DKIM on the TLD.
Everything comes up fine when I send a test to Gmail. All passes.
However, I know that it's not running openARC and I'm reading that it will be one of the requirements for GMAIL/Google for all hosting providers that are forwarding mail. We will be required to sign all outbound mail with ARC seals.
Does anybody have an eFa filter running with ARC set up?
If it's not installed, do I have to manually set up openarc?
Thanks in advance!
ARC - GMAIL
- shawniverson
- Posts: 3650
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
Re: ARC - GMAIL
Make sure opendkim-tools and openarc are installed and execute the following (substitute your domain for example.com):
Code:
opendkim-genkey -D /etc/openarc -s arc -d example.com

Make an entry for DNS in your domain and name it arc._domainkey using the info in arc.txt.

/etc/openarc.conf:
Code:
Syslog yes
UserID openarc:openarc
Socket inet:8895@localhost
SignHeaders to,subject,message-id,date,from,mime-version,dkim-signature
PeerList /etc/openarc/PeerList
MilterDebug 6
EnableCoredumps yes
#Mode sv # Leave commented out to have openarc sign internal hosts only, verify all others
Canonicalization relaxed/simple
Domain example.com
Selector arc
KeyFile /etc/openarc/arc.private
SignatureAlgorithm rsa-sha256
InternalHosts /etc/openarc/internal.hosts

/etc/postfix/main.cf: (make sure the openarc is before mailscanner on port 33333 just like the others)
Code:
smtpd_milters = inet:localhost:8891, inet:localhost:8893, inet:localhost:8895, inet:127.0.0.1:33333
non_smtpd_milters = inet:localhost:8891, inet:localhost:8893, inet:localhost:8895

Create /etc/openarc/internal.hosts and enter the following:
Code:
127.0.0.1/32
[::1]/128

Remove 127.0.0.1/32 and [::1]/128 from /etc/openarc/PeerList

Execute the following:
Code:
sudo chown openarc:openarc /etc/openarc/*
sudo systemctl enable openarc
sudo systemctl start openarc
sudo systemctl reload postfix

Add openarc to /etc/sysconfig/eFa-Monitor:
Code:
MonitoredServices=("mariadb=mariadb" "MailScanner=mailscanner" "master=postfix" "httpd=httpd" "clamd=clamd@scan" "unbound=unbound" "dccifd=adcc" "MSMilter=msmilter" "opendkim=opendkim" "opendmarc=opendmarc" "openarc=openarc")

If all is working you'll see this in the message source (google in this case) with an arc=pass:
Code:
Authentication-Results: mx.google.com;
arc=pass (i=1);
spf=pass (google.com: domain of shawniverson@example.com designates <redacted> as permitted sender) smtp.mailfrom=shawniverson@example.com;
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=example.com
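
Added example, not part of the post above or of eFa: a small sh pre-flight check that the openarc Socket port is listed in both Postfix milter settings ahead of MailScanner's 33333, and that the loopback entries are in internal.hosts and not in PeerList. The function names are made up for this example, and it assumes each milter list sits on a single line of main.cf, as in the post.

```shell
# Added example (not from the thread): pre-flight checks for the wiring above.
# Assumes each milter list sits on one line of main.cf, as in the post.

# Port from the "Socket inet:PORT@host" line of openarc.conf ($1).
arc_socket_port() {
    sed -n 's/^[[:space:]]*Socket[[:space:]]\{1,\}inet:\([0-9]\{1,\}\)@.*/\1/p' "$1" | head -n 1
}

# Ports of one milter list, in order. $1 = main.cf, $2 = parameter name.
milter_ports() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | tr ',' '\n' |
        sed -n 's/.*:\([0-9]\{1,\}\)[[:space:]]*$/\1/p'
}

# openarc's port must be in both lists and ahead of MailScanner's 33333.
check_arc_milters() {
    port=$(arc_socket_port "$1")
    [ -n "$port" ] || { echo "no inet Socket line in $1"; return 1; }
    arc_pos=$(milter_ports "$2" smtpd_milters | grep -n -x "$port" | head -n 1 | cut -d: -f1)
    ms_pos=$(milter_ports "$2" smtpd_milters | grep -n -x 33333 | head -n 1 | cut -d: -f1)
    [ -n "$arc_pos" ] || { echo "port $port missing from smtpd_milters"; return 1; }
    if [ -n "$ms_pos" ] && [ "$arc_pos" -gt "$ms_pos" ]; then
        echo "openarc ($port) is listed after MailScanner (33333)"; return 1
    fi
    milter_ports "$2" non_smtpd_milters | grep -q -x "$port" ||
        { echo "port $port missing from non_smtpd_milters"; return 1; }
    echo "ok: openarc on $port, entry $arc_pos of smtpd_milters"
}

# Loopback entries belong in internal.hosts ($1), not in PeerList ($2).
check_arc_hostlists() {
    for a in '127.0.0.1/32' '[::1]/128'; do
        grep -q -x -F "$a" "$1" || { echo "$a missing from $1"; return 1; }
        if [ -f "$2" ] && grep -q -x -F "$a" "$2"; then echo "$a still in $2"; return 1; fi
    done
}

# Demo on constructed copies of the settings shown in the post.
arc_demo() {
    d=$(mktemp -d)
    echo 'Socket inet:8895@localhost' > "$d/openarc.conf"
    printf '%s\n' 'smtpd_milters = inet:localhost:8891, inet:localhost:8893, inet:localhost:8895, inet:127.0.0.1:33333' \
        'non_smtpd_milters = inet:localhost:8891, inet:localhost:8893, inet:localhost:8895' > "$d/main.cf"
    printf '%s\n' '127.0.0.1/32' '[::1]/128' > "$d/internal.hosts"; : > "$d/PeerList"
    check_arc_milters "$d/openarc.conf" "$d/main.cf" &&
        check_arc_hostlists "$d/internal.hosts" "$d/PeerList"; rc=$?
    rm -rf "$d"; return $rc
}
arc_demo
```

On a live box the same functions take the real paths from the post, e.g. check_arc_milters /etc/openarc.conf /etc/postfix/main.cf.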
Re: ARC - GMAIL
I don't have a PeerList file existing currently. Should I just create an empty file for openarc to reference or have I misunderstood the bit about removing localhost addresses?
- shawniverson
Re: ARC - GMAIL
An empty file should be sufficient.