[exim.git] / test / scripts / 4560-ARC / 4560

# ARC verify and sign
#
exim -DSERVER=server -bd -oX PORT_D
****
#
# This should pass.
# Mail original in aux-fixed/4560.msg1.txt
# Sig generated by: perl aux-fixed/dkim/sign_arc.pl < aux-fixed/4560.msg1.txt
client 127.0.0.1 PORT_D
??? 220
HELO xxx
??? 250
MAIL FROM:<CALLER@bloggs.com>
??? 250
RCPT TO:<a@test.ex>
??? 250
DATA
??? 354
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=test.ex; s=sel; t=1521752658; b=
        xcIN0OEpAc3s8riODm31Q6JgmIECch3iVd1LXWwsypGpCY2UFFuo5HhCEf4a043q
        YZ+zn/MbFFkvwIqleeQkJ7S5UcvfM8dv/V4YnwAe+JD8r79glh/FRq6uKlc0ixLS
        CllJMwj98J1P1K9+gwmO5TrD1eTZV68caZj77P+X2kw=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=test.ex;
         h=from:to:date:message-id:subject; s=sel; bh=3UbbJTudPxmejzh7U1
        Zg33U3QT+16kfV2eOTvMeiEis=; b=WgE+YWSm48w/P448gPlBBNCKt2SJ4gosPx
        0JQ98aZJhun2RaVcUO3INc+kZv8YOijofMzFqJxVn1cgMjoU8/QSHIyyt40FzkQB
        oSGmSrCjtRnzS8pbp491NX3kGuetidaWE5muPSdOystg6mm1rBnl9sqVrwaynCmr
        fu2jTuUfw=
ARC-Authentication-Results: i=1; test.ex; arc=none
Authentication-Results: test.ex; arc=none
From: mrgus@text.ex
To: bakawolf@yahoo.com
Date: Thu, 19 Nov 2015 17:00:07 -0700
Message-ID: <qwerty1234@disco-zombie.net>
Subject: simple test

This is a simple test.
.
??? 250
QUIT
??? 221
****
exim -DSERVER=server -DNOTDAEMON -q
****
#
#
#
# We send this one through one forwarding hop.
# It starts off bare, so the forwarder reception gets an ARC status of "none".
# The outbound signs it with that, and the final receiver is happy to pass it.
#
client 127.0.0.1 PORT_D
??? 220
HELO xxx
??? 250
MAIL FROM:<CALLER@bloggs.com>
??? 250
RCPT TO:<za@test.ex>
??? 250
DATA
??? 354
Subject: Test

This is a test body.
.
??? 250
QUIT
??? 221
****
#
exim -DSERVER=server -DNOTDAEMON -q
****
exim -DSERVER=server -DNOTDAEMON -q
****
#
#
#
#
#
#
#
#
#
# We send this one through two forwarding hops.
# It starts off bare, so the 1st forwarder reception gets an ARC status of "none".
# The outbound signs it with that, and the 2nd forwarder is happy to pass it.
# The outbound signs again, and the final receiver is happy.
#
client 127.0.0.1 PORT_D
??? 220
HELO xxx
??? 250
MAIL FROM:<CALLER@bloggs.com>
??? 250
RCPT TO:<zza@test.ex>
??? 250
DATA
??? 354
Subject: Test

This is a test body.
.
??? 250
QUIT
??? 221
****
#
exim -DSERVER=server -DNOTDAEMON -q
****
exim -DSERVER=server -DNOTDAEMON -q
****
exim -DSERVER=server -DNOTDAEMON -q
****
#
#
#
#
#
#
#
#
#
# We send this one through one forwarder, one mailinglist, and one more forwarder
#
client 127.0.0.1 PORT_D
??? 220
HELO xxx
??? 250
MAIL FROM:<CALLER@bloggs.com>
??? 250
RCPT TO:<zmza@test.ex>
??? 250
DATA
??? 354
Subject: Test

This is a test body.
.
??? 250
QUIT
??? 221
****
#
exim -DSERVER=server -DNOTDAEMON -q
****
exim -DSERVER=server -DNOTDAEMON -q
****
exim -DSERVER=server -DNOTDAEMON -q
****
exim -DSERVER=server -DNOTDAEMON -q
****
#
#
#
#
#
#
#
#
#
# We send this one through two forwarders, then one ARC-unaware mailinglist
# then one more forwarder
#
client 127.0.0.1 PORT_D
??? 220
HELO xxx
??? 250
MAIL FROM:<CALLER@bloggs.com>
??? 250
RCPT TO:<zzmza@test.ex>
??? 250
DATA
??? 354
Subject: Test

This is a test body.
.
??? 250
QUIT
??? 221
****
#
exim -DSERVER=server -DNOTDAEMON -q
****
exim -DSERVER=server -DNOTDAEMON -q
****
exim -DSERVER=server -DNOTDAEMON -DOPTION -q
****
exim -DSERVER=server -DNOTDAEMON -q
****
exim -DSERVER=server -DNOTDAEMON -q
****
#
#
#
#
#
#
#
#
#
# We send this one through a forwarders, then an ARC-unaware forwarder
#
client 127.0.0.1 PORT_D
??? 220
HELO xxx
??? 250
MAIL FROM:<CALLER@bloggs.com>
??? 250
RCPT TO:<zza@test.ex>
??? 250
DATA
??? 354
Subject: Test

This is a test body.
.
??? 250
QUIT
??? 221
****
#
exim -DSERVER=server -DNOTDAEMON -q
****
exim -DSERVER=server -DNOTDAEMON -DOPTION -q
****
exim -DSERVER=server -DNOTDAEMON -q
****
#
#
#
#
#
#
#
#
#
# We send this one through one forwarding hop.
# It starts with one ARC-set.
# The reception at the forwarder gets an ARC-fail, because the bodyhash does not
# match - so the forwarder outbound ARC-signs as a fail,
# and the final receiver evaluates ARC status as fail.
# Mail original in https://tools.ietf.org/html/draft-ietf-dmarc-arc-protocol-11#page-14
#
client 127.0.0.1 PORT_D
??? 220
HELO xxx
??? 250
MAIL FROM:<CALLER@bloggs.com>
??? 250
RCPT TO:<za@test.ex>
??? 250
DATA
??? 354
Received: from dragon.trusteddomain.org (localhost [127.0.0.1])
	by dragon.trusteddomain.org (8.14.5/8.14.5) with ESMTP id w121YG2q036577;
	Thu, 1 Feb 2018 17:34:20 -0800 (PST)
	(envelope-from arc-discuss-bounces@dmarc.org)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=dmarc.org;
	s=clochette; t=1517535263;
	bh=DXU/xKzzQYeoYB254nZ0AzNm7z2YZ//FpTnhgIjPyt8=;
	h=Date:To:In-Reply-To:References:Cc:Subject:List-Id:
	 List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe:
	 From:Reply-To;
	b=Z66qes0GxyXtv0ow232KSy/b44fPNLZL8JOXHiJLi9dHzIPyxsQd/Zb5NP8i3427g
	 a9tEyo8Rpz8DPbn351e+IlYqRGLfokTWgX+7NfMLy87p3SfnPytUu6PM8QiW2VC889
	 Tk0K+5xH5KSgkENaPdLBigHtunyNZaSofgKy5vBM=
Authentication-Results: dragon.trusteddomain.org; sender-id=fail (NotPermitted) header.sender=arc-discuss-bounces@dmarc.org; spf=fail (NotPermitted) smtp.mfrom=arc-discuss-bounces@dmarc.org
Received: from mailhub.convivian.com (mailhub.convivian.com [72.5.31.108])
 by dragon.trusteddomain.org (8.14.5/8.14.5) with ESMTP id w121YEt6036571
 for <arc-discuss@dmarc.org>; Thu, 1 Feb 2018 17:34:14 -0800 (PST)
 (envelope-from jered@convivian.com)
Authentication-Results: dragon.trusteddomain.org; dkim=pass
 reason="1024-bit key"
 header.d=convivian.com header.i=@convivian.com header.b=LHXEAl5e;
 dkim-adsp=pass
Authentication-Results: dragon.trusteddomain.org;
 sender-id=pass header.from=jered@convivian.com;
 spf=pass smtp.mfrom=jered@convivian.com
Received: from zimbra8.internal.convivian.com (zimbra8.internal.convivian.com
 [172.16.0.5])
 by mailhub.convivian.com (Postfix) with ESMTP id 471DA66FB6;
 Thu,  1 Feb 2018 20:34:08 -0500 (EST)
ARC-Seal: i=1; a=rsa-sha256; d=convivian.com; s=default; t=1517535248; cv=none;
 b=HkK4AhtPFBUHtRUKKzTON3wyMj7ZLq881P2qhWg+lO8Y50V9SEc8lJ4dBIM3cj3ftfAbooPSLHAVejA89bpS1eAvODci6pOPaQWkBZmpdu+yPIxqX3FyOaCdIaZFbXaMQ1Jg5Sraf5mkCESmfjR5bCguAaZsnPQDF6wSN8VhbQk=
ARC-Message-Signature: i=1; a=rsa-sha256; d=convivian.com; s=default;
 t=1517535248; c=relaxed/simple;
 bh=9Cp8KoxNPc7FEuC29xB5bNWWadzdEFhXrX/8i+vd3g4=;
 h=DKIM-Signature:Date:From:To:Cc:Message-ID:In-Reply-To:References:
 Subject:MIME-Version:Content-Type:X-Originating-IP:X-Mailer:
 Thread-Topic:Thread-Index:From;
 b=jG+KnBrP2oq1z1upStMoWbM1fkS5zbUiir221Gy6h7ao5oy7Qc3m0pXgrSdhgGD4oX/kk2seEt2WAlPNwEsZyvYeG/80ctd/2+hwaVQ6JSOU83Rdd8im8HwMvXzXZIz8ATjPpOv21+xMrqlPSkD/l6X4VP+AAoVVkhW7f4GWcws=
ARC-Authentication-Results: i=1; mailhub.convivian.com; none
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=convivian.com;
 s=default; t=1517535248;
 bh=9Cp8KoxNPc7FEuC29xB5bNWWadzdEFhXrX/8i+vd3g4=;
 h=Date:From:To:Cc:In-Reply-To:References:Subject:From;
 b=LHXEAl5elmfkdXNdK24QonXpkiG38neuJoS7fSQXwZVZkR+cdYNr6eBxx3DF4reJO
 NgzV5GFyPX6+LdIqR6rnC8BXhjvJq+pxLW3/wKx39W3ANYWRFm1dgyWBz99NxNNvk/
 ruQkYYBBk9GPM52EyHNMvHciRAyaSk+VluGj6c6M=
Date: Thu, 1 Feb 2018 20:34:08 -0500 (EST)
To: Brandon Long <blong@google.com>
Message-ID: <1426665656.110316.1517535248039.JavaMail.zimbra@convivian.com>
In-Reply-To: <CABa8R6s3e1k=c9wQBtNBWvPT4BrXv3-2NnynyAfRseZ-5s6NKg@mail.gmail.com>
References: <CO2PR0501MB981081FA2C73CB83FA1C903F1FA0@CO2PR0501MB981.namprd05.prod.outlook.com>
 <CAAQnKjAV3zEfP-J6JgTrv1jU9UPmf9dG9SPr-+q4jZ6PaGQjxg@mail.gmail.com>
 <CAAQnKjBBLS9Lm2vnT3i+WUNhrvv2oDEMFEcyozw+YzyKS4G1qQ@mail.gmail.com>
 <29030059.107105.1517497494557.JavaMail.zimbra@convivian.com>
 <4f60039a-a754-ae4c-1543-0a978d9e13be@rolandturner.com>
 <1544831589.110194.1517532064123.JavaMail.zimbra@convivian.com>
 <CABa8R6s3e1k=c9wQBtNBWvPT4BrXv3-2NnynyAfRseZ-5s6NKg@mail.gmail.com>
MIME-Version: 1.0
X-Originating-IP: [172.16.0.5]
X-Mailer: Zimbra 8.7.11_GA_1854 (ZimbraWebClient - FF58 (Mac)/8.7.11_GA_1854)
Thread-Topic: Gmail support of ARC headers from third-parties
Thread-Index: JantLkX01vLd7pyKcopbBWCs3yDbLQ==
Cc: arc-discuss <arc-discuss@dmarc.org>
Subject: Re: [arc-discuss] Gmail support of ARC headers from third-parties
X-BeenThere: arc-discuss@dmarc.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: Discussion of the ARC protocol <arc-discuss.dmarc.org>
List-Unsubscribe: <http://lists.dmarc.org/mailman/options/arc-discuss>,
 <mailto:arc-discuss-request@dmarc.org?subject=unsubscribe>
List-Archive: <http://lists.dmarc.org/pipermail/arc-discuss/>
List-Post: <mailto:arc-discuss@dmarc.org>
List-Help: <mailto:arc-discuss-request@dmarc.org?subject=help>
List-Subscribe: <http://lists.dmarc.org/mailman/listinfo/arc-discuss>,
 <mailto:arc-discuss-request@dmarc.org?subject=subscribe>
From: Jered Floyd via arc-discuss <arc-discuss@dmarc.org>
Reply-To: Jered Floyd <jered@convivian.com>
Content-Type: multipart/mixed; boundary="===============2728806607597782871=="
Errors-To: arc-discuss-bounces@dmarc.org
Sender: "arc-discuss" <arc-discuss-bounces@dmarc.org>

--===============2728806607597782871==
Content-Type: multipart/alternative; 
	boundary="=_bda8d35f-e3be-4e59-9fc8-f78ed0af3226"

--=_bda8d35f-e3be-4e59-9fc8-f78ed0af3226
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit

>> Couldn't the first untrusted ARC signer (working in reverse chronological order)
>> simply have faked all the earlier headers and applied a "valid" ARC
>> signature/seal? This is why I figured you must trust the entire chain if you
>> want to trust the sender data.

> They can't fake an earlier signature unless they have the private key for the
> signing domain.

> Ie, a non-modifying hop is basically a no-op, unless you want to trust their
> auth results.

OK, sure; I agree with that. But I guess I see ARC as primarily for indirect mail flows that break DKIM (i.e. Mailman), in which case I think trust is needed to bridge those hops? 

--Jered 

--=_bda8d35f-e3be-4e59-9fc8-f78ed0af3226
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: 7bit

<html><body><div style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000"><div><br></div><div data-marker="__QUOTED_TEXT__"><blockquote style="border-left:2px solid #1010FF;margin-left:5px;padding-left:5px;color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;"><div dir="ltr"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Couldn't the first untrusted ARC signer (working in reverse chronological order) simply have faked all the earlier headers and applied a "valid" ARC signature/seal?&nbsp; This is why I figured you must trust the entire chain if you want to trust the sender data.<br></blockquote><br><div>They can't fake an earlier signature unless they have the private key for the signing domain.</div><br><div>Ie, a non-modifying hop is basically a no-op, unless you want to trust their auth results.</div></div></div></blockquote><div>OK, sure; I agree with that.&nbsp; But I guess I see ARC as primarily for indirect mail flows that break DKIM (i.e. Mailman), in which case I think trust is needed to bridge those hops?<br></div><div><br data-mce-bogus="1"></div><div>--Jered<br data-mce-bogus="1"></div></div></div></body></html>
--=_bda8d35f-e3be-4e59-9fc8-f78ed0af3226--

--===============2728806607597782871==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
arc-discuss mailing list
arc-discuss@dmarc.org
http://lists.dmarc.org/mailman/listinfo/arc-discuss

--===============2728806607597782871==--
.
??? 250
QUIT
??? 221
****
#
exim -DSERVER=server -DNOTDAEMON -q
****
exim -DSERVER=server -DNOTDAEMON -q
****
#
#
# Check attemtping to sign, with a missing keyfile
# It starts off bare, so the forwarder reception gets an ARC status of "none".
# The outbound tries to sign it with that.
#
client 127.0.0.1 PORT_D
??? 220
HELO xxx
??? 250
MAIL FROM:<CALLER@bloggs.com>
??? 250
RCPT TO:<za@test.ex>
??? 250
DATA
??? 354
Subject: Test

This is a test body.
.
??? 250
QUIT
??? 221
****
#
exim -DSERVER=server -DNOTDAEMON -DBAD -q
****
exim -DSERVER=server -DNOTDAEMON -q
****
#
#
#
#
#
#
#
#
killdaemon
#
exim -DSERVER=server -DVALUE=/pass -DINSERT='log_message=ARC-FAIL' -bd -oX PORT_D
****
#
# We just send this in for reception, bare, to check the "arc" verify can take options
#
client 127.0.0.1 PORT_D
??? 220
HELO xxx
??? 250
MAIL FROM:<CALLER@bloggs.com>
??? 250
RCPT TO:<a@test.ex>
??? 250
DATA
??? 354
Subject: Test

This is a test body.
.
??? 250
QUIT
??? 221
****
#
#
#
#
#
#
killdaemon
no_stdout_check
no_msglog_check
Commit	Line	Data
617d3932 JH	1	# ARC verify and sign
	2	#
	3	exim -DSERVER=server -bd -oX PORT_D
	4	****
	5	#
d9604f37 JH	6	# This should pass.
	7	# Mail original in aux-fixed/4560.msg1.txt
	8	# Sig generated by: perl aux-fixed/dkim/sign_arc.pl < aux-fixed/4560.msg1.txt
	9	client 127.0.0.1 PORT_D
	10	??? 220
	11	HELO xxx
	12	??? 250
	13	MAIL FROM:<CALLER@bloggs.com>
	14	??? 250
	15	RCPT TO:<a@test.ex>
	16	??? 250
	17	DATA
	18	??? 354
	19	ARC-Seal: i=1; a=rsa-sha256; cv=none; d=test.ex; s=sel; t=1521752658; b=
	20	xcIN0OEpAc3s8riODm31Q6JgmIECch3iVd1LXWwsypGpCY2UFFuo5HhCEf4a043q
	21	YZ+zn/MbFFkvwIqleeQkJ7S5UcvfM8dv/V4YnwAe+JD8r79glh/FRq6uKlc0ixLS
	22	CllJMwj98J1P1K9+gwmO5TrD1eTZV68caZj77P+X2kw=
	23	ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=test.ex;
	24	h=from:to:date:message-id:subject; s=sel; bh=3UbbJTudPxmejzh7U1
	25	Zg33U3QT+16kfV2eOTvMeiEis=; b=WgE+YWSm48w/P448gPlBBNCKt2SJ4gosPx
	26	0JQ98aZJhun2RaVcUO3INc+kZv8YOijofMzFqJxVn1cgMjoU8/QSHIyyt40FzkQB
	27	oSGmSrCjtRnzS8pbp491NX3kGuetidaWE5muPSdOystg6mm1rBnl9sqVrwaynCmr
	28	fu2jTuUfw=
	29	ARC-Authentication-Results: i=1; test.ex; arc=none
	30	Authentication-Results: test.ex; arc=none
	31	From: mrgus@text.ex
	32	To: bakawolf@yahoo.com
	33	Date: Thu, 19 Nov 2015 17:00:07 -0700
	34	Message-ID: <qwerty1234@disco-zombie.net>
	35	Subject: simple test
	36
	37	This is a simple test.
	38	.
	39	??? 250
	40	QUIT
	41	??? 221
	42	****
	43	exim -DSERVER=server -DNOTDAEMON -q
	44	****
	45	#
	46	#
	47	#
617d3932 JH	48	# We send this one through one forwarding hop.
	49	# It starts off bare, so the forwarder reception gets an ARC status of "none".
	50	# The outbound signs it with that, and the final receiver is happy to pass it.
	51	#
	52	client 127.0.0.1 PORT_D
	53	??? 220
	54	HELO xxx
	55	??? 250
	56	MAIL FROM:<CALLER@bloggs.com>
	57	??? 250
	58	RCPT TO:<za@test.ex>
	59	??? 250
	60	DATA
	61	??? 354
	62	Subject: Test
	63
	64	This is a test body.
	65	.
	66	??? 250
	67	QUIT
	68	??? 221
	69	****
	70	#
	71	exim -DSERVER=server -DNOTDAEMON -q
	72	****
	73	exim -DSERVER=server -DNOTDAEMON -q
	74	****
	75	#
	76	#
	77	#
	78	#
	79	#
	80	#
	81	#
	82	#
	83	#
	84	# We send this one through two forwarding hops.
	85	# It starts off bare, so the 1st forwarder reception gets an ARC status of "none".
	86	# The outbound signs it with that, and the 2nd forwarder is happy to pass it.
	87	# The outbound signs again, and the final receiver is happy.
	88	#
	89	client 127.0.0.1 PORT_D
	90	??? 220
	91	HELO xxx
	92	??? 250
	93	MAIL FROM:<CALLER@bloggs.com>
	94	??? 250
	95	RCPT TO:<zza@test.ex>
	96	??? 250
	97	DATA
	98	??? 354
	99	Subject: Test
	100
	101	This is a test body.
	102	.
	103	??? 250
	104	QUIT
	105	??? 221
	106	****
	107	#
	108	exim -DSERVER=server -DNOTDAEMON -q
	109	****
	110	exim -DSERVER=server -DNOTDAEMON -q
	111	****
112	exim -DSERVER=server -DNOTDAEMON -q
113	****
114	#
115	#
116	#
117	#
118	#
119	#
120	#
121	#
122	#
123	# We send this one through one forwarder, one mailinglist, and one more forwarder
124	#
125	client 127.0.0.1 PORT_D
126	??? 220
127	HELO xxx
128	??? 250
129	MAIL FROM:<CALLER@bloggs.com>
130	??? 250
131	RCPT TO:<zmza@test.ex>
132	??? 250
133	DATA
134	??? 354
135	Subject: Test
136
137	This is a test body.
138	.
139	??? 250
140	QUIT
141	??? 221
142	****
143	#
144	exim -DSERVER=server -DNOTDAEMON -q
145	****
146	exim -DSERVER=server -DNOTDAEMON -q
147	****
148	exim -DSERVER=server -DNOTDAEMON -q
149	****
150	exim -DSERVER=server -DNOTDAEMON -q
151	****
152	#
153	#
154	#
155	#
156	#
157	#
158	#
159	#
160	#
161	# We send this one through two forwarders, then one ARC-unaware mailinglist
162	# then one more forwarder
163	#
164	client 127.0.0.1 PORT_D
165	??? 220
166	HELO xxx
167	??? 250
168	MAIL FROM:<CALLER@bloggs.com>
169	??? 250
170	RCPT TO:<zzmza@test.ex>
171	??? 250
172	DATA
173	??? 354
174	Subject: Test
175
176	This is a test body.
177	.
178	??? 250
179	QUIT
180	??? 221
181	****
182	#
183	exim -DSERVER=server -DNOTDAEMON -q
184	****
185	exim -DSERVER=server -DNOTDAEMON -q
186	****
187	exim -DSERVER=server -DNOTDAEMON -DOPTION -q
188	****
189	exim -DSERVER=server -DNOTDAEMON -q
190	****
191	exim -DSERVER=server -DNOTDAEMON -q
192	****
193	#
194	#
195	#
196	#
197	#
198	#
199	#
200	#
201	#
202	# We send this one through a forwarders, then an ARC-unaware forwarder
203	#
204	client 127.0.0.1 PORT_D
205	??? 220
206	HELO xxx
207	??? 250
208	MAIL FROM:<CALLER@bloggs.com>
209	??? 250
210	RCPT TO:<zza@test.ex>
211	??? 250
212	DATA
213	??? 354
214	Subject: Test
215
216	This is a test body.
217	.
218	??? 250
219	QUIT
220	??? 221
221	****
222	#
223	exim -DSERVER=server -DNOTDAEMON -q
224	****
225	exim -DSERVER=server -DNOTDAEMON -DOPTION -q
226	****
227	exim -DSERVER=server -DNOTDAEMON -q
228	****
229	#
230	#
231	#
232	#
233	#
234	#
235	#
236	#
237	#
238	# We send this one through one forwarding hop.
239	# It starts with one ARC-set.
240	# The reception at the forwarder gets an ARC-fail, because the bodyhash does not
241	# match - so the forwarder outbound ARC-signs as a fail,
242	# and the final receiver evaluates ARC status as fail.
243	# Mail original in https://tools.ietf.org/html/draft-ietf-dmarc-arc-protocol-11#page-14
244	#
245	client 127.0.0.1 PORT_D
246	??? 220
247	HELO xxx
248	??? 250
249	MAIL FROM:<CALLER@bloggs.com>
250	??? 250
251	RCPT TO:<za@test.ex>
252	??? 250
253	DATA
254	??? 354
255	Received: from dragon.trusteddomain.org (localhost [127.0.0.1])
256	by dragon.trusteddomain.org (8.14.5/8.14.5) with ESMTP id w121YG2q036577;
257	Thu, 1 Feb 2018 17:34:20 -0800 (PST)
258	(envelope-from arc-discuss-bounces@dmarc.org)
259	DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=dmarc.org;
260	s=clochette; t=1517535263;
261	bh=DXU/xKzzQYeoYB254nZ0AzNm7z2YZ//FpTnhgIjPyt8=;
262	h=Date:To:In-Reply-To:References:Cc:Subject:List-Id:
263	List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe:
264	From:Reply-To;
265	b=Z66qes0GxyXtv0ow232KSy/b44fPNLZL8JOXHiJLi9dHzIPyxsQd/Zb5NP8i3427g
266	a9tEyo8Rpz8DPbn351e+IlYqRGLfokTWgX+7NfMLy87p3SfnPytUu6PM8QiW2VC889
267	Tk0K+5xH5KSgkENaPdLBigHtunyNZaSofgKy5vBM=
268	Authentication-Results: dragon.trusteddomain.org; sender-id=fail (NotPermitted) header.sender=arc-discuss-bounces@dmarc.org; spf=fail (NotPermitted) smtp.mfrom=arc-discuss-bounces@dmarc.org
269	Received: from mailhub.convivian.com (mailhub.convivian.com [72.5.31.108])
270	by dragon.trusteddomain.org (8.14.5/8.14.5) with ESMTP id w121YEt6036571
271	for <arc-discuss@dmarc.org>; Thu, 1 Feb 2018 17:34:14 -0800 (PST)
272	(envelope-from jered@convivian.com)
273	Authentication-Results: dragon.trusteddomain.org; dkim=pass
274	reason="1024-bit key"
275	header.d=convivian.com header.i=@convivian.com header.b=LHXEAl5e;
276	dkim-adsp=pass
277	Authentication-Results: dragon.trusteddomain.org;
278	sender-id=pass header.from=jered@convivian.com;
279	spf=pass smtp.mfrom=jered@convivian.com
280	Received: from zimbra8.internal.convivian.com (zimbra8.internal.convivian.com
281	[172.16.0.5])
282	by mailhub.convivian.com (Postfix) with ESMTP id 471DA66FB6;
283	Thu, 1 Feb 2018 20:34:08 -0500 (EST)
284	ARC-Seal: i=1; a=rsa-sha256; d=convivian.com; s=default; t=1517535248; cv=none;
285	b=HkK4AhtPFBUHtRUKKzTON3wyMj7ZLq881P2qhWg+lO8Y50V9SEc8lJ4dBIM3cj3ftfAbooPSLHAVejA89bpS1eAvODci6pOPaQWkBZmpdu+yPIxqX3FyOaCdIaZFbXaMQ1Jg5Sraf5mkCESmfjR5bCguAaZsnPQDF6wSN8VhbQk=
286	ARC-Message-Signature: i=1; a=rsa-sha256; d=convivian.com; s=default;
287	t=1517535248; c=relaxed/simple;
288	bh=9Cp8KoxNPc7FEuC29xB5bNWWadzdEFhXrX/8i+vd3g4=;
289	h=DKIM-Signature:Date:From:To:Cc:Message-ID:In-Reply-To:References:
290	Subject:MIME-Version:Content-Type:X-Originating-IP:X-Mailer:
291	Thread-Topic:Thread-Index:From;
292	b=jG+KnBrP2oq1z1upStMoWbM1fkS5zbUiir221Gy6h7ao5oy7Qc3m0pXgrSdhgGD4oX/kk2seEt2WAlPNwEsZyvYeG/80ctd/2+hwaVQ6JSOU83Rdd8im8HwMvXzXZIz8ATjPpOv21+xMrqlPSkD/l6X4VP+AAoVVkhW7f4GWcws=
293	ARC-Authentication-Results: i=1; mailhub.convivian.com; none
294	DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=convivian.com;
295	s=default; t=1517535248;
296	bh=9Cp8KoxNPc7FEuC29xB5bNWWadzdEFhXrX/8i+vd3g4=;
297	h=Date:From:To:Cc:In-Reply-To:References:Subject:From;
298	b=LHXEAl5elmfkdXNdK24QonXpkiG38neuJoS7fSQXwZVZkR+cdYNr6eBxx3DF4reJO
299	NgzV5GFyPX6+LdIqR6rnC8BXhjvJq+pxLW3/wKx39W3ANYWRFm1dgyWBz99NxNNvk/
300	ruQkYYBBk9GPM52EyHNMvHciRAyaSk+VluGj6c6M=
301	Date: Thu, 1 Feb 2018 20:34:08 -0500 (EST)
302	To: Brandon Long <blong@google.com>
303	Message-ID: <1426665656.110316.1517535248039.JavaMail.zimbra@convivian.com>
304	In-Reply-To: <CABa8R6s3e1k=c9wQBtNBWvPT4BrXv3-2NnynyAfRseZ-5s6NKg@mail.gmail.com>
305	References: <CO2PR0501MB981081FA2C73CB83FA1C903F1FA0@CO2PR0501MB981.namprd05.prod.outlook.com>
306	<CAAQnKjAV3zEfP-J6JgTrv1jU9UPmf9dG9SPr-+q4jZ6PaGQjxg@mail.gmail.com>
307	<CAAQnKjBBLS9Lm2vnT3i+WUNhrvv2oDEMFEcyozw+YzyKS4G1qQ@mail.gmail.com>
308	<29030059.107105.1517497494557.JavaMail.zimbra@convivian.com>
309	<4f60039a-a754-ae4c-1543-0a978d9e13be@rolandturner.com>
310	<1544831589.110194.1517532064123.JavaMail.zimbra@convivian.com>
311	<CABa8R6s3e1k=c9wQBtNBWvPT4BrXv3-2NnynyAfRseZ-5s6NKg@mail.gmail.com>
312	MIME-Version: 1.0
313	X-Originating-IP: [172.16.0.5]
314	X-Mailer: Zimbra 8.7.11_GA_1854 (ZimbraWebClient - FF58 (Mac)/8.7.11_GA_1854)
315	Thread-Topic: Gmail support of ARC headers from third-parties
316	Thread-Index: JantLkX01vLd7pyKcopbBWCs3yDbLQ==
317	Cc: arc-discuss <arc-discuss@dmarc.org>
318	Subject: Re: [arc-discuss] Gmail support of ARC headers from third-parties
319	X-BeenThere: arc-discuss@dmarc.org
320	X-Mailman-Version: 2.1.18
321	Precedence: list
322	List-Id: Discussion of the ARC protocol <arc-discuss.dmarc.org>
323	List-Unsubscribe: <http://lists.dmarc.org/mailman/options/arc-discuss>,
324	<mailto:arc-discuss-request@dmarc.org?subject=unsubscribe>
325	List-Archive: <http://lists.dmarc.org/pipermail/arc-discuss/>
326	List-Post: <mailto:arc-discuss@dmarc.org>
327	List-Help: <mailto:arc-discuss-request@dmarc.org?subject=help>
328	List-Subscribe: <http://lists.dmarc.org/mailman/listinfo/arc-discuss>,
329	<mailto:arc-discuss-request@dmarc.org?subject=subscribe>
330	From: Jered Floyd via arc-discuss <arc-discuss@dmarc.org>
331	Reply-To: Jered Floyd <jered@convivian.com>
332	Content-Type: multipart/mixed; boundary="===============2728806607597782871=="
333	Errors-To: arc-discuss-bounces@dmarc.org
334	Sender: "arc-discuss" <arc-discuss-bounces@dmarc.org>
335
336	--===============2728806607597782871==
337	Content-Type: multipart/alternative;
338	boundary="=_bda8d35f-e3be-4e59-9fc8-f78ed0af3226"
339
340	--=_bda8d35f-e3be-4e59-9fc8-f78ed0af3226
341	Content-Type: text/plain; charset=utf-8
342	Content-Transfer-Encoding: 7bit
343
344	>> Couldn't the first untrusted ARC signer (working in reverse chronological order)
345	>> simply have faked all the earlier headers and applied a "valid" ARC
346	>> signature/seal? This is why I figured you must trust the entire chain if you
347	>> want to trust the sender data.
348
349	> They can't fake an earlier signature unless they have the private key for the
350	> signing domain.
351
352	> Ie, a non-modifying hop is basically a no-op, unless you want to trust their
353	> auth results.
354
355	OK, sure; I agree with that. But I guess I see ARC as primarily for indirect mail flows that break DKIM (i.e. Mailman), in which case I think trust is needed to bridge those hops?
356
357	--Jered
358
359	--=_bda8d35f-e3be-4e59-9fc8-f78ed0af3226
360	Content-Type: text/html; charset=utf-8
361	Content-Transfer-Encoding: 7bit
362
363	<html><body><div style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000"><div><br></div><div data-marker="__QUOTED_TEXT__"><blockquote style="border-left:2px solid #1010FF;margin-left:5px;padding-left:5px;color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;"><div dir="ltr"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
364	Couldn't the first untrusted ARC signer (working in reverse chronological order) simply have faked all the earlier headers and applied a "valid" ARC signature/seal?  This is why I figured you must trust the entire chain if you want to trust the sender data.<br></blockquote><br><div>They can't fake an earlier signature unless they have the private key for the signing domain.</div><br><div>Ie, a non-modifying hop is basically a no-op, unless you want to trust their auth results.</div></div></div></blockquote><div>OK, sure; I agree with that.  But I guess I see ARC as primarily for indirect mail flows that break DKIM (i.e. Mailman), in which case I think trust is needed to bridge those hops?<br></div><div><br data-mce-bogus="1"></div><div>--Jered<br data-mce-bogus="1"></div></div></div></body></html>
365	--=_bda8d35f-e3be-4e59-9fc8-f78ed0af3226--
366
367	--===============2728806607597782871==
368	Content-Type: text/plain; charset="us-ascii"
369	MIME-Version: 1.0
370	Content-Transfer-Encoding: 7bit
371	Content-Disposition: inline
372
373	_______________________________________________
374	arc-discuss mailing list
375	arc-discuss@dmarc.org
376	http://lists.dmarc.org/mailman/listinfo/arc-discuss
377
378	--===============2728806607597782871==--
379	.
380	??? 250
381	QUIT
382	??? 221
383	****
384	#
385	exim -DSERVER=server -DNOTDAEMON -q
386	****
387	exim -DSERVER=server -DNOTDAEMON -q
388	****
389	#
390	#
97e939df JH	391	# Check attemtping to sign, with a missing keyfile
	392	# It starts off bare, so the forwarder reception gets an ARC status of "none".
	393	# The outbound tries to sign it with that.
	394	#
	395	client 127.0.0.1 PORT_D
	396	??? 220
	397	HELO xxx
	398	??? 250
	399	MAIL FROM:<CALLER@bloggs.com>
	400	??? 250
	401	RCPT TO:<za@test.ex>
	402	??? 250
	403	DATA
	404	??? 354
	405	Subject: Test
	406
	407	This is a test body.
	408	.
	409	??? 250
	410	QUIT
	411	??? 221
	412	****
	413	#
	414	exim -DSERVER=server -DNOTDAEMON -DBAD -q
	415	****
	416	exim -DSERVER=server -DNOTDAEMON -q
	417	****
	418	#
	419	#
	420	#
	421	#
	422	#
	423	#
	424	#
617d3932	425	#
f48946eb	426	killdaemon
617d3932	427	#
f48946eb JH	428	exim -DSERVER=server -DVALUE=/pass -DINSERT='log_message=ARC-FAIL' -bd -oX PORT_D
f48946eb JH	429	****
617d3932	430	#
f48946eb JH	431	# We just send this in for reception, bare, to check the "arc" verify can take options
	432	#
	433	client 127.0.0.1 PORT_D
	434	??? 220
	435	HELO xxx
	436	??? 250
	437	MAIL FROM:<CALLER@bloggs.com>
	438	??? 250
	439	RCPT TO:<a@test.ex>
	440	??? 250
	441	DATA
	442	??? 354
	443	Subject: Test
	444
	445	This is a test body.
	446	.
	447	??? 250
	448	QUIT
	449	??? 221
	450	****
617d3932 JH	451	#
	452	#
	453	#
	454	#
617d3932	455	#
f48946eb JH	456	#
f48946eb JH	457	killdaemon
617d3932 JH	458	no_stdout_check
617d3932 JH	459	no_msglog_check