ARC - GMAIL

Posted: 14 Jan 2024 12:28
by pingu
Hey everyone,

I'm running eFa-4.0.4 as an outbound-only filter. I have set up SPF, DMARC, DKIM on the TLD.
Everything comes up fine when I send a test to Gmail. All passes.

However, I know that it's not running openARC, and I'm reading that it will be one of the requirements for GMAIL/Google for all hosting providers that are forwarding mail. We will be required to sign all outbound mail with ARC seals.

Does anybody have efa filter running with ARC set up?
If it's not installed, do I have to manually set up openarc?

Thanks in advance!

Re: ARC - GMAIL

Posted: 15 Jan 2024 16:19
by shawniverson
Make sure opendkim-tools and openarc are installed and execute the following (substitute your domain for example.com):

Code:

opendkim-genkey -D /etc/openarc -s arc -d example.com

Make an entry for DNS in your domain and name it arc._domainkey using info in arc.txt

/etc/openarc.conf:

Code:

Syslog                  yes
UserID                  openarc:openarc
Socket                  inet:8895@localhost
SignHeaders             to,subject,message-id,date,from,mime-version,dkim-signature
PeerList                /etc/openarc/PeerList
MilterDebug             6
EnableCoredumps         yes
#Mode                    sv    # Leave commented out to have openarc sign internal hosts only and verify all others
Canonicalization        relaxed/simple
Domain                  example.com
Selector                arc
KeyFile                 /etc/openarc/arc.private
SignatureAlgorithm      rsa-sha256
InternalHosts           /etc/openarc/internal.hosts

/etc/postfix/main.cf: (make sure the openarc is before mailscanner on port 33333 just like the others)

Code:

smtpd_milters = inet:localhost:8891, inet:localhost:8893, inet:localhost:8895, inet:127.0.0.1:33333
non_smtpd_milters = inet:localhost:8891, inet:localhost:8893, inet:localhost:8895

Create /etc/openarc/internal.hosts and enter the following:

Code:

127.0.0.1/32
[::1]/128

Remove 127.0.0.1/32 and [::1]/128 from /etc/openarc/PeerList

Execute the following:

Code:

sudo chown openarc:openarc /etc/openarc/*
sudo systemctl enable openarc
sudo systemctl start openarc
sudo systemctl reload postfix

Add openarc to /etc/sysconfig/eFa-Monitor:

Code:

MonitoredServices=("mariadb=mariadb" "MailScanner=mailscanner" "master=postfix" "httpd=httpd" "clamd=clamd@scan" "unbound=unbound" "dccifd=adcc" "MSMilter=msmilter" "opendkim=opendkim" "opendmarc=opendmarc" "openarc=openarc")

If all is working you'll see this in the message source (Google in this case) with an arc=pass:

Code:

Authentication-Results: mx.google.com;
       arc=pass (i=1);
       spf=pass (google.com: domain of shawniverson@example.com designates <redacted> as permitted sender) smtp.mailfrom=shawniverson@example.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=example.com
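
The two things the post above asks you to confirm (openarc listed before MailScanner on port 33333, and arc=pass in the received message) can be checked with a short script. This is an added example, not part of the original post or of eFa; the function names and the sample message are constructed for illustration, and the ports 8895 and 33333 are the ones used in the post.

```shell
#!/bin/sh
# Added example: function names and sample data are constructed for illustration.

# milter_pos LIST PORT: print the 1-based position of the first milter in a
# Postfix milter list whose endpoint ends in :PORT, or 0 if it is absent.
milter_pos() {
    i=0; pos=0
    for m in $(printf '%s' "$1" | tr ',' ' '); do
        i=$((i + 1))
        case $m in
            *:"$2") if [ "$pos" -eq 0 ]; then pos=$i; fi ;;
        esac
    done
    echo "$pos"
}

# milter_order_ok LIST ARC_PORT MS_PORT: succeed only when both milters are
# listed and the openarc milter comes before the MailScanner milter.
milter_order_ok() {
    a=$(milter_pos "$1" "$2"); b=$(milter_pos "$1" "$3")
    [ "$a" -gt 0 ] && [ "$b" -gt 0 ] && [ "$a" -lt "$b" ]
}

# arc_result: read a message on stdin and print the arc= verdict from its
# first Authentication-Results header (folded lines included); body ignored.
arc_result() {
    awk '
        /^$/      { exit }    # blank line ends the header section
        /^[^ \t]/ { inhdr = (tolower($0) ~ /^authentication-results:/) }
        inhdr && match($0, /(^|[ \t;])arc=[a-z]+/) {
            s = substr($0, RSTART, RLENGTH); sub(/.*arc=/, "", s); print s; exit
        }'
}

# Constructed inputs: the milter list from the post, a misordered variant,
# and a cut-down message built from the header shown in the post.
GOOD='inet:localhost:8891, inet:localhost:8893, inet:localhost:8895, inet:127.0.0.1:33333'
BAD='inet:localhost:8891, inet:127.0.0.1:33333, inet:localhost:8895'
sample_message() {
    printf '%s\n' 'Authentication-Results: mx.google.com;' \
        '       arc=pass (i=1);' \
        '       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=example.com' \
        'Subject: test' '' 'body text mentioning arc=fail is not a header'
}

milter_order_ok "$GOOD" 8895 33333 && echo "milter order: ok"
milter_order_ok "$BAD" 8895 33333 || echo "milter order: openarc is after MailScanner"
echo "arc verdict: $(sample_message | arc_result)"
```

On a live host, pass the running value with `milter_order_ok "$(postconf -h smtpd_milters)" 8895 33333` and feed a saved message source to `arc_result` on stdin.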

Re: ARC - GMAIL

Posted: 14 Feb 2024 04:19
by AITCS
shawniverson wrote: 15 Jan 2024 16:19
Remove 127.0.0.1/32 and [::1]/128 from /etc/openarc/PeerList

I don't have a PeerList file existing currently. Should I just create an empty file for openarc to reference or have I misunderstood the bit about removing localhost addresses?

Re: ARC - GMAIL

Posted: 18 Feb 2024 20:07
by shawniverson
An empty file should be sufficient.