ARC - GMAIL

Questions and answers about how to do stuff
pingu
Posts: 12
Joined: 10 Dec 2020 08:07

Hey everyone,

I'm running eFa-4.0.4 as an outbound only filter. I have setup SPF, DMARC, DKIM on the TLD.
Everything comes up fine when I send a test to Gmail. All passes.

However I know that it's not running openARC and I'm reading that it will be one of the requirements for GMAIL/Google for all hosting providers that are forwarding mail. We will be required to sign all outbound mail with ARC seals.

Does anybody have efa filter running with ARC setup?
If it's not installed, do I have to manually setup openarc?

Thanks in advance!

shawniverson
Posts: 3650
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Make sure opendkim-tools and openarc are installed and execute the following (substitute your domain for example.com):

Code:

opendkim-genkey -D /etc/openarc -s arc -d example.com

Make an entry for DNS in your domain and name it arc._domainkey using info in arc.txt.

/etc/openarc.conf:

Code:

Syslog                  yes
UserID                  openarc:openarc
Socket                  inet:8895@localhost
SignHeaders             to,subject,message-id,date,from,mime-version,dkim-signature
PeerList                /etc/openarc/PeerList
MilterDebug             6
EnableCoredumps         yes
#Mode                    sv    # Leave commented out to have openarc sign internal hosts only, verify all others
Canonicalization        relaxed/simple
Domain                  example.com
Selector                arc
KeyFile                 /etc/openarc/arc.private
SignatureAlgorithm      rsa-sha256
InternalHosts           /etc/openarc/internal.hosts

/etc/postfix/main.cf: (make sure the openarc is before mailscanner on port 33333 just like the others)

Code:

smtpd_milters = inet:localhost:8891, inet:localhost:8893, inet:localhost:8895, inet:127.0.0.1:33333
non_smtpd_milters = inet:localhost:8891, inet:localhost:8893, inet:localhost:8895

Create /etc/openarc/internal.hosts and enter the following:

Code:

127.0.0.1/32
[::1]/128

Remove 127.0.0.1/32 and [::1]/128 from /etc/openarc/PeerList

Execute the following:

Code:

sudo chown openarc:openarc /etc/openarc/*
sudo systemctl enable openarc
sudo systemctl start openarc
sudo systemctl reload postfix

Add openarc to /etc/sysconfig/eFa-Monitor

Code:

MonitoredServices=("mariadb=mariadb" "MailScanner=mailscanner" "master=postfix" "httpd=httpd" "clamd=clamd@scan" "unbound=unbound" "dccifd=adcc" "MSMilter=msmilter" "opendkim=opendkim" "opendmarc=opendmarc" "openarc=openarc")

If all is working you'll see this in the message source (Google in this case) with an arc=pass:

Code:

Authentication-Results: mx.google.com;
       arc=pass (i=1);
       spf=pass (google.com: domain of shawniverson@example.com designates <redacted> as permitted sender) smtp.mailfrom=shawniverson@example.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=example.com

AITCS
Posts: 45
Joined: 13 Mar 2017 11:12

shawniverson wrote: 15 Jan 2024 16:19
Remove 127.0.0.1/32 and [::1]/128 from /etc/openarc/PeerList

I don't have a PeerList file existing currently. Should I just create an empty file for openarc to reference or have I misunderstood the bit about removing localhost addresses?

shawniverson
Posts: 3650
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

An empty file should be sufficient.
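
A preflight check for the setup steps and the PeerList question above, added here as an example and not part of the original posts or of eFa: it reports any file named in openarc.conf that does not exist (the missing PeerList case), flags a signing key readable by group or others, and confirms the OpenARC milter (8895) precedes MailScanner (33333) in smtpd_milters. Function names are hypothetical, the key permission check is an added hardening step the thread does not mention, and smtpd_milters is assumed to sit on one line.

```shell
#!/bin/sh
# Added example: preflight checks for the OpenARC setup in this thread.
# Function names are hypothetical; file paths are arguments, so it also runs on copies.

# conf_value FILE KEY: print the value of the first uncommented "KEY value" line.
conf_value() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# check_openarc_conf FILE: return 0 only if every file named by KeyFile, PeerList
# and InternalHosts exists and the key has no group/other permission bits.
check_openarc_conf() {
    conf=$1 rc=0
    for key in KeyFile PeerList InternalHosts; do
        path=$(conf_value "$conf" "$key")
        [ -n "$path" ] || continue               # setting not present
        if [ ! -e "$path" ]; then
            echo "MISSING: $key -> $path"; rc=1
        fi
    done
    keyfile=$(conf_value "$conf" KeyFile)
    if [ -n "$keyfile" ] && [ -e "$keyfile" ]; then
        # Characters 5-10 of the ls mode string are the group and other bits.
        bits=$(ls -ldL "$keyfile" | cut -c5-10)
        if [ "$bits" != "------" ]; then
            echo "LOOSE PERMS: $keyfile ($bits)"; rc=1
        fi
    fi
    return "$rc"
}

# check_milter_order MAIN_CF: return 0 only if smtpd_milters lists the OpenARC
# milter (port 8895) before the MailScanner milter (port 33333).
# Assumes smtpd_milters sits on a single line, as in the thread.
check_milter_order() {
    awk -F= '$1 ~ /^smtpd_milters[ \t]*$/ {
        arc = index($2, ":8895"); ms = index($2, ":33333")
        ok = (arc > 0 && ms > 0 && arc < ms)
    } END { exit !ok }' "$1"
}

# Usage: sh preflight.sh /etc/openarc.conf /etc/postfix/main.cf
if [ $# -eq 2 ]; then
    check_openarc_conf "$1" && check_milter_order "$2" && echo "preflight OK"
fi
```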