Commit | Line | Data |
---|---|---|
617d3932 JH |
1 | # ARC verify and sign |
2 | # | |
3 | exim -DSERVER=server -bd -oX PORT_D | |
4 | **** | |
5 | # | |
d9604f37 JH |
6 | # This should pass. |
7 | # Mail original in aux-fixed/4560.msg1.txt | |
8 | # Sig generated by: perl aux-fixed/dkim/sign_arc.pl < aux-fixed/4560.msg1.txt | |
9 | client 127.0.0.1 PORT_D | |
10 | ??? 220 | |
11 | HELO xxx | |
12 | ??? 250 | |
13 | MAIL FROM:<CALLER@bloggs.com> | |
14 | ??? 250 | |
15 | RCPT TO:<a@test.ex> | |
16 | ??? 250 | |
17 | DATA | |
18 | ??? 354 | |
19 | ARC-Seal: i=1; a=rsa-sha256; cv=none; d=test.ex; s=sel; t=1521752658; b= | |
20 | xcIN0OEpAc3s8riODm31Q6JgmIECch3iVd1LXWwsypGpCY2UFFuo5HhCEf4a043q | |
21 | YZ+zn/MbFFkvwIqleeQkJ7S5UcvfM8dv/V4YnwAe+JD8r79glh/FRq6uKlc0ixLS | |
22 | CllJMwj98J1P1K9+gwmO5TrD1eTZV68caZj77P+X2kw= | |
23 | ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=test.ex; | |
24 | h=from:to:date:message-id:subject; s=sel; bh=3UbbJTudPxmejzh7U1 | |
25 | Zg33U3QT+16kfV2eOTvMeiEis=; b=WgE+YWSm48w/P448gPlBBNCKt2SJ4gosPx | |
26 | 0JQ98aZJhun2RaVcUO3INc+kZv8YOijofMzFqJxVn1cgMjoU8/QSHIyyt40FzkQB | |
27 | oSGmSrCjtRnzS8pbp491NX3kGuetidaWE5muPSdOystg6mm1rBnl9sqVrwaynCmr | |
28 | fu2jTuUfw= | |
29 | ARC-Authentication-Results: i=1; test.ex; arc=none | |
30 | Authentication-Results: test.ex; arc=none | |
31 | From: mrgus@text.ex | |
32 | To: bakawolf@yahoo.com | |
33 | Date: Thu, 19 Nov 2015 17:00:07 -0700 | |
34 | Message-ID: <qwerty1234@disco-zombie.net> | |
35 | Subject: simple test | |
36 | ||
37 | This is a simple test. | |
38 | . | |
39 | ??? 250 | |
40 | QUIT | |
41 | ??? 221 | |
42 | **** | |
43 | exim -DSERVER=server -DNOTDAEMON -q | |
44 | **** | |
45 | # | |
46 | # | |
47 | # | |
617d3932 JH |
48 | # We send this one through one forwarding hop. |
49 | # It starts off bare, so the forwarder reception gets an ARC status of "none". | |
50 | # The outbound signs it with that, and the final receiver is happy to pass it. | |
51 | # | |
52 | client 127.0.0.1 PORT_D | |
53 | ??? 220 | |
54 | HELO xxx | |
55 | ??? 250 | |
56 | MAIL FROM:<CALLER@bloggs.com> | |
57 | ??? 250 | |
58 | RCPT TO:<za@test.ex> | |
59 | ??? 250 | |
60 | DATA | |
61 | ??? 354 | |
62 | Subject: Test | |
63 | ||
64 | This is a test body. | |
65 | . | |
66 | ??? 250 | |
67 | QUIT | |
68 | ??? 221 | |
69 | **** | |
70 | # | |
71 | exim -DSERVER=server -DNOTDAEMON -q | |
72 | **** | |
73 | exim -DSERVER=server -DNOTDAEMON -q | |
74 | **** | |
75 | # | |
76 | # | |
77 | # | |
78 | # | |
79 | # | |
80 | # | |
81 | # | |
82 | # | |
83 | # | |
84 | # We send this one through two forwarding hops. | |
85 | # It starts off bare, so the 1st forwarder reception gets an ARC status of "none". | |
86 | # The outbound signs it with that, and the 2nd forwarder is happy to pass it. | |
87 | # The outbound signs again, and the final receiver is happy. | |
88 | # | |
89 | client 127.0.0.1 PORT_D | |
90 | ??? 220 | |
91 | HELO xxx | |
92 | ??? 250 | |
93 | MAIL FROM:<CALLER@bloggs.com> | |
94 | ??? 250 | |
95 | RCPT TO:<zza@test.ex> | |
96 | ??? 250 | |
97 | DATA | |
98 | ??? 354 | |
99 | Subject: Test | |
100 | ||
101 | This is a test body. | |
102 | . | |
103 | ??? 250 | |
104 | QUIT | |
105 | ??? 221 | |
106 | **** | |
107 | # | |
108 | exim -DSERVER=server -DNOTDAEMON -q | |
109 | **** | |
110 | exim -DSERVER=server -DNOTDAEMON -q | |
111 | **** | |
112 | exim -DSERVER=server -DNOTDAEMON -q | |
113 | **** | |
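The two-hop flow described in the comments above (each forwarder validates the chain it received and then seals with cv= set to the result it obtained; Exim exposes that result as $arc_state after `verify = arc`) as an added Python example. This is example code written for this page, not Exim's implementation or part of the test suite. It performs only the structural checks of RFC 8617 (instance numbers contiguous from 1 and at most 50, every set complete, cv=none on i=1 and cv=pass on later seals); it verifies no signatures. The i=1 set is copied from the first test on this page with the b=/bh= values replaced by placeholders; the i=2 set, the domains fwd2.example/fwd3.example and the HOP2_BAD_CV variant are constructed.

```python
"""Structural validation of an ARC chain (RFC 8617 sections 4 and 5.1.1) and
the cv= value the next sealer must emit. No cryptography is performed: a real
verifier also checks the newest ARC-Message-Signature and every ARC-Seal.
Example code added to this page; not Exim's code."""
import re
from collections import defaultdict

MAX_INSTANCE = 50  # RFC 8617 section 4.2.1: i= is limited to 1..50


def parse_tags(value):
    """Parse a DKIM-style tag list ("i=1; cv=none; d=test.ex") into a dict.
    Folding whitespace inside a value (base64 split over lines) is dropped."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def group_arc_sets(headers):
    """headers: list of (name, value). Returns {i: {"AS"|"AMS"|"AAR": tags}},
    or None if an instance tag is unparseable or a header is duplicated."""
    kinds = {"arc-seal": "AS", "arc-message-signature": "AMS",
             "arc-authentication-results": "AAR"}
    sets = defaultdict(dict)
    for name, value in headers:
        kind = kinds.get(name.lower())
        if kind is None:
            continue                      # not an ARC header
        tags = parse_tags(value)
        if not tags.get("i", "").isdigit():
            return None                   # missing or non-numeric i=
        i = int(tags["i"])
        if kind in sets[i]:
            return None                   # two headers of one kind for one instance
        sets[i][kind] = tags
    return dict(sets)


def chain_status(headers):
    """Return (status, reason); status is "none", "pass" or "fail"."""
    sets = group_arc_sets(headers)
    if sets is None:
        return "fail", "malformed or duplicated ARC header"
    if not sets:
        return "none", "no ARC sets present"
    n = max(sets)
    if n > MAX_INSTANCE or sorted(sets) != list(range(1, n + 1)):
        return "fail", "instance numbers are not contiguous 1..N with N <= 50"
    for i in range(1, n + 1):
        if set(sets[i]) != {"AS", "AMS", "AAR"}:
            return "fail", f"ARC set i={i} is incomplete"
        cv, expected = sets[i]["AS"].get("cv"), ("none" if i == 1 else "pass")
        if cv != expected:
            return "fail", f"ARC-Seal i={i} has cv={cv}, expected cv={expected}"
    return "pass", f"{n} structurally valid ARC set(s)"


def next_seal_tags(headers, domain, selector):
    """Tags (without b=) of the ARC-Seal this host adds after verifying: the
    instance is one past the highest seen and cv= carries the result obtained."""
    status, _ = chain_status(headers)
    i = max(group_arc_sets(headers) or {}, default=0) + 1
    return {"i": str(i), "a": "rsa-sha256", "cv": status, "d": domain, "s": selector}


# i=1 set from the first test on this page (signature values are placeholders
# and are not checked): a first forwarder sealing a bare message writes cv=none.
HOP1 = [
    ("ARC-Seal", "i=1; a=rsa-sha256; cv=none; d=test.ex; s=sel; t=1521752658; b=SEAL1"),
    ("ARC-Message-Signature", "i=1; a=rsa-sha256; c=relaxed/relaxed; d=test.ex;\r\n"
                              " h=from:to:date:message-id:subject; s=sel; bh=BH1; b=SIG1"),
    ("ARC-Authentication-Results", "i=1; test.ex; arc=none"),
]
# Constructed i=2 set: the second forwarder found the chain valid, so cv=pass.
HOP2 = [
    ("ARC-Seal", "i=2; a=rsa-sha256; cv=pass; d=fwd2.example; s=sel; t=1521752700; b=SEAL2"),
    ("ARC-Message-Signature", "i=2; a=rsa-sha256; c=relaxed/relaxed; d=fwd2.example;"
                              " s=sel; h=from:to:subject; bh=BH2; b=SIG2"),
    ("ARC-Authentication-Results", "i=2; fwd2.example; arc=pass"),
]
# Constructed broken i=2 set: a sealer that wrote cv=none on a non-first instance.
HOP2_BAD_CV = [(n, v.replace("cv=pass", "cv=none")) for n, v in HOP2]

if __name__ == "__main__":
    for label, hdrs in (("bare", []), ("one hop", HOP1), ("two hops", HOP1 + HOP2),
                        ("bad cv", HOP1 + HOP2_BAD_CV)):
        print(label, chain_status(hdrs), "next seal cv:",
              next_seal_tags(hdrs, "fwd3.example", "sel")["cv"])
```

A bare message yields "none" and the sealer starts at i=1 with cv=none; a chain whose structure holds yields "pass" and the sealer writes cv=pass; any instance with the wrong cv=, a missing header, or a gap in numbering yields "fail", and that is the value the sealer must then carry, so every later hop also sees a failed chain.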
114 | # | |
115 | # | |
116 | # | |
117 | # | |
118 | # | |
119 | # | |
120 | # | |
121 | # | |
122 | # | |
123 | # We send this one through one forwarder, one mailing list, and one more forwarder | |
124 | # | |
125 | client 127.0.0.1 PORT_D | |
126 | ??? 220 | |
127 | HELO xxx | |
128 | ??? 250 | |
129 | MAIL FROM:<CALLER@bloggs.com> | |
130 | ??? 250 | |
131 | RCPT TO:<zmza@test.ex> | |
132 | ??? 250 | |
133 | DATA | |
134 | ??? 354 | |
135 | Subject: Test | |
136 | ||
137 | This is a test body. | |
138 | . | |
139 | ??? 250 | |
140 | QUIT | |
141 | ??? 221 | |
142 | **** | |
143 | # | |
144 | exim -DSERVER=server -DNOTDAEMON -q | |
145 | **** | |
146 | exim -DSERVER=server -DNOTDAEMON -q | |
147 | **** | |
148 | exim -DSERVER=server -DNOTDAEMON -q | |
149 | **** | |
150 | exim -DSERVER=server -DNOTDAEMON -q | |
151 | **** | |
152 | # | |
153 | # | |
154 | # | |
155 | # | |
156 | # | |
157 | # | |
158 | # | |
159 | # | |
160 | # | |
161 | # We send this one through two forwarders, then one ARC-unaware mailing list, | |
162 | # then one more forwarder | |
163 | # | |
164 | client 127.0.0.1 PORT_D | |
165 | ??? 220 | |
166 | HELO xxx | |
167 | ??? 250 | |
168 | MAIL FROM:<CALLER@bloggs.com> | |
169 | ??? 250 | |
170 | RCPT TO:<zzmza@test.ex> | |
171 | ??? 250 | |
172 | DATA | |
173 | ??? 354 | |
174 | Subject: Test | |
175 | ||
176 | This is a test body. | |
177 | . | |
178 | ??? 250 | |
179 | QUIT | |
180 | ??? 221 | |
181 | **** | |
182 | # | |
183 | exim -DSERVER=server -DNOTDAEMON -q | |
184 | **** | |
185 | exim -DSERVER=server -DNOTDAEMON -q | |
186 | **** | |
187 | exim -DSERVER=server -DNOTDAEMON -DOPTION -q | |
188 | **** | |
189 | exim -DSERVER=server -DNOTDAEMON -q | |
190 | **** | |
191 | exim -DSERVER=server -DNOTDAEMON -q | |
192 | **** | |
193 | # | |
194 | # | |
195 | # | |
196 | # | |
197 | # | |
198 | # | |
199 | # | |
200 | # | |
201 | # | |
202 | # We send this one through one forwarder, then an ARC-unaware forwarder | |
203 | # | |
204 | client 127.0.0.1 PORT_D | |
205 | ??? 220 | |
206 | HELO xxx | |
207 | ??? 250 | |
208 | MAIL FROM:<CALLER@bloggs.com> | |
209 | ??? 250 | |
210 | RCPT TO:<zza@test.ex> | |
211 | ??? 250 | |
212 | DATA | |
213 | ??? 354 | |
214 | Subject: Test | |
215 | ||
216 | This is a test body. | |
217 | . | |
218 | ??? 250 | |
219 | QUIT | |
220 | ??? 221 | |
221 | **** | |
222 | # | |
223 | exim -DSERVER=server -DNOTDAEMON -q | |
224 | **** | |
225 | exim -DSERVER=server -DNOTDAEMON -DOPTION -q | |
226 | **** | |
227 | exim -DSERVER=server -DNOTDAEMON -q | |
228 | **** | |
229 | # | |
230 | # | |
231 | # | |
232 | # | |
233 | # | |
234 | # | |
235 | # | |
236 | # | |
237 | # | |
238 | # We send this one through one forwarding hop. | |
239 | # It starts with one ARC-set. | |
240 | # The reception at the forwarder gets an ARC-fail, because the body hash (bh=) in the | |
241 | # ARC-Message-Signature does not match the body - so the forwarder's outbound seal carries cv=fail, | |
242 | # and the final receiver evaluates ARC status as fail. | |
243 | # Mail original in https://tools.ietf.org/html/draft-ietf-dmarc-arc-protocol-11#page-14 | |
244 | # | |
245 | client 127.0.0.1 PORT_D | |
246 | ??? 220 | |
247 | HELO xxx | |
248 | ??? 250 | |
249 | MAIL FROM:<CALLER@bloggs.com> | |
250 | ??? 250 | |
251 | RCPT TO:<za@test.ex> | |
252 | ??? 250 | |
253 | DATA | |
254 | ??? 354 | |
255 | Received: from dragon.trusteddomain.org (localhost [127.0.0.1]) | |
256 | by dragon.trusteddomain.org (8.14.5/8.14.5) with ESMTP id w121YG2q036577; | |
257 | Thu, 1 Feb 2018 17:34:20 -0800 (PST) | |
258 | (envelope-from arc-discuss-bounces@dmarc.org) | |
259 | DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=dmarc.org; | |
260 | s=clochette; t=1517535263; | |
261 | bh=DXU/xKzzQYeoYB254nZ0AzNm7z2YZ//FpTnhgIjPyt8=; | |
262 | h=Date:To:In-Reply-To:References:Cc:Subject:List-Id: | |
263 | List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe: | |
264 | From:Reply-To; | |
265 | b=Z66qes0GxyXtv0ow232KSy/b44fPNLZL8JOXHiJLi9dHzIPyxsQd/Zb5NP8i3427g | |
266 | a9tEyo8Rpz8DPbn351e+IlYqRGLfokTWgX+7NfMLy87p3SfnPytUu6PM8QiW2VC889 | |
267 | Tk0K+5xH5KSgkENaPdLBigHtunyNZaSofgKy5vBM= | |
268 | Authentication-Results: dragon.trusteddomain.org; sender-id=fail (NotPermitted) header.sender=arc-discuss-bounces@dmarc.org; spf=fail (NotPermitted) smtp.mfrom=arc-discuss-bounces@dmarc.org | |
269 | Received: from mailhub.convivian.com (mailhub.convivian.com [72.5.31.108]) | |
270 | by dragon.trusteddomain.org (8.14.5/8.14.5) with ESMTP id w121YEt6036571 | |
271 | for <arc-discuss@dmarc.org>; Thu, 1 Feb 2018 17:34:14 -0800 (PST) | |
272 | (envelope-from jered@convivian.com) | |
273 | Authentication-Results: dragon.trusteddomain.org; dkim=pass | |
274 | reason="1024-bit key" | |
275 | header.d=convivian.com header.i=@convivian.com header.b=LHXEAl5e; | |
276 | dkim-adsp=pass | |
277 | Authentication-Results: dragon.trusteddomain.org; | |
278 | sender-id=pass header.from=jered@convivian.com; | |
279 | spf=pass smtp.mfrom=jered@convivian.com | |
280 | Received: from zimbra8.internal.convivian.com (zimbra8.internal.convivian.com | |
281 | [172.16.0.5]) | |
282 | by mailhub.convivian.com (Postfix) with ESMTP id 471DA66FB6; | |
283 | Thu, 1 Feb 2018 20:34:08 -0500 (EST) | |
284 | ARC-Seal: i=1; a=rsa-sha256; d=convivian.com; s=default; t=1517535248; cv=none; | |
285 | b=HkK4AhtPFBUHtRUKKzTON3wyMj7ZLq881P2qhWg+lO8Y50V9SEc8lJ4dBIM3cj3ftfAbooPSLHAVejA89bpS1eAvODci6pOPaQWkBZmpdu+yPIxqX3FyOaCdIaZFbXaMQ1Jg5Sraf5mkCESmfjR5bCguAaZsnPQDF6wSN8VhbQk= | |
286 | ARC-Message-Signature: i=1; a=rsa-sha256; d=convivian.com; s=default; | |
287 | t=1517535248; c=relaxed/simple; | |
288 | bh=9Cp8KoxNPc7FEuC29xB5bNWWadzdEFhXrX/8i+vd3g4=; | |
289 | h=DKIM-Signature:Date:From:To:Cc:Message-ID:In-Reply-To:References: | |
290 | Subject:MIME-Version:Content-Type:X-Originating-IP:X-Mailer: | |
291 | Thread-Topic:Thread-Index:From; | |
292 | b=jG+KnBrP2oq1z1upStMoWbM1fkS5zbUiir221Gy6h7ao5oy7Qc3m0pXgrSdhgGD4oX/kk2seEt2WAlPNwEsZyvYeG/80ctd/2+hwaVQ6JSOU83Rdd8im8HwMvXzXZIz8ATjPpOv21+xMrqlPSkD/l6X4VP+AAoVVkhW7f4GWcws= | |
293 | ARC-Authentication-Results: i=1; mailhub.convivian.com; none | |
294 | DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=convivian.com; | |
295 | s=default; t=1517535248; | |
296 | bh=9Cp8KoxNPc7FEuC29xB5bNWWadzdEFhXrX/8i+vd3g4=; | |
297 | h=Date:From:To:Cc:In-Reply-To:References:Subject:From; | |
298 | b=LHXEAl5elmfkdXNdK24QonXpkiG38neuJoS7fSQXwZVZkR+cdYNr6eBxx3DF4reJO | |
299 | NgzV5GFyPX6+LdIqR6rnC8BXhjvJq+pxLW3/wKx39W3ANYWRFm1dgyWBz99NxNNvk/ | |
300 | ruQkYYBBk9GPM52EyHNMvHciRAyaSk+VluGj6c6M= | |
301 | Date: Thu, 1 Feb 2018 20:34:08 -0500 (EST) | |
302 | To: Brandon Long <blong@google.com> | |
303 | Message-ID: <1426665656.110316.1517535248039.JavaMail.zimbra@convivian.com> | |
304 | In-Reply-To: <CABa8R6s3e1k=c9wQBtNBWvPT4BrXv3-2NnynyAfRseZ-5s6NKg@mail.gmail.com> | |
305 | References: <CO2PR0501MB981081FA2C73CB83FA1C903F1FA0@CO2PR0501MB981.namprd05.prod.outlook.com> | |
306 | <CAAQnKjAV3zEfP-J6JgTrv1jU9UPmf9dG9SPr-+q4jZ6PaGQjxg@mail.gmail.com> | |
307 | <CAAQnKjBBLS9Lm2vnT3i+WUNhrvv2oDEMFEcyozw+YzyKS4G1qQ@mail.gmail.com> | |
308 | <29030059.107105.1517497494557.JavaMail.zimbra@convivian.com> | |
309 | <4f60039a-a754-ae4c-1543-0a978d9e13be@rolandturner.com> | |
310 | <1544831589.110194.1517532064123.JavaMail.zimbra@convivian.com> | |
311 | <CABa8R6s3e1k=c9wQBtNBWvPT4BrXv3-2NnynyAfRseZ-5s6NKg@mail.gmail.com> | |
312 | MIME-Version: 1.0 | |
313 | X-Originating-IP: [172.16.0.5] | |
314 | X-Mailer: Zimbra 8.7.11_GA_1854 (ZimbraWebClient - FF58 (Mac)/8.7.11_GA_1854) | |
315 | Thread-Topic: Gmail support of ARC headers from third-parties | |
316 | Thread-Index: JantLkX01vLd7pyKcopbBWCs3yDbLQ== | |
317 | Cc: arc-discuss <arc-discuss@dmarc.org> | |
318 | Subject: Re: [arc-discuss] Gmail support of ARC headers from third-parties | |
319 | X-BeenThere: arc-discuss@dmarc.org | |
320 | X-Mailman-Version: 2.1.18 | |
321 | Precedence: list | |
322 | List-Id: Discussion of the ARC protocol <arc-discuss.dmarc.org> | |
323 | List-Unsubscribe: <http://lists.dmarc.org/mailman/options/arc-discuss>, | |
324 | <mailto:arc-discuss-request@dmarc.org?subject=unsubscribe> | |
325 | List-Archive: <http://lists.dmarc.org/pipermail/arc-discuss/> | |
326 | List-Post: <mailto:arc-discuss@dmarc.org> | |
327 | List-Help: <mailto:arc-discuss-request@dmarc.org?subject=help> | |
328 | List-Subscribe: <http://lists.dmarc.org/mailman/listinfo/arc-discuss>, | |
329 | <mailto:arc-discuss-request@dmarc.org?subject=subscribe> | |
330 | From: Jered Floyd via arc-discuss <arc-discuss@dmarc.org> | |
331 | Reply-To: Jered Floyd <jered@convivian.com> | |
332 | Content-Type: multipart/mixed; boundary="===============2728806607597782871==" | |
333 | Errors-To: arc-discuss-bounces@dmarc.org | |
334 | Sender: "arc-discuss" <arc-discuss-bounces@dmarc.org> | |
335 | ||
336 | --===============2728806607597782871== | |
337 | Content-Type: multipart/alternative; | |
338 | boundary="=_bda8d35f-e3be-4e59-9fc8-f78ed0af3226" | |
339 | ||
340 | --=_bda8d35f-e3be-4e59-9fc8-f78ed0af3226 | |
341 | Content-Type: text/plain; charset=utf-8 | |
342 | Content-Transfer-Encoding: 7bit | |
343 | ||
344 | >> Couldn't the first untrusted ARC signer (working in reverse chronological order) | |
345 | >> simply have faked all the earlier headers and applied a "valid" ARC | |
346 | >> signature/seal? This is why I figured you must trust the entire chain if you | |
347 | >> want to trust the sender data. | |
348 | ||
349 | > They can't fake an earlier signature unless they have the private key for the | |
350 | > signing domain. | |
351 | ||
352 | > Ie, a non-modifying hop is basically a no-op, unless you want to trust their | |
353 | > auth results. | |
354 | ||
355 | OK, sure; I agree with that. But I guess I see ARC as primarily for indirect mail flows that break DKIM (i.e. Mailman), in which case I think trust is needed to bridge those hops? | |
356 | ||
357 | --Jered | |
358 | ||
359 | --=_bda8d35f-e3be-4e59-9fc8-f78ed0af3226 | |
360 | Content-Type: text/html; charset=utf-8 | |
361 | Content-Transfer-Encoding: 7bit | |
362 | ||
363 | <html><body><div style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000"><div><br></div><div data-marker="__QUOTED_TEXT__"><blockquote style="border-left:2px solid #1010FF;margin-left:5px;padding-left:5px;color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;"><div dir="ltr"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> | |
364 | Couldn't the first untrusted ARC signer (working in reverse chronological order) simply have faked all the earlier headers and applied a "valid" ARC signature/seal? This is why I figured you must trust the entire chain if you want to trust the sender data.<br></blockquote><br><div>They can't fake an earlier signature unless they have the private key for the signing domain.</div><br><div>Ie, a non-modifying hop is basically a no-op, unless you want to trust their auth results.</div></div></div></blockquote><div>OK, sure; I agree with that. But I guess I see ARC as primarily for indirect mail flows that break DKIM (i.e. Mailman), in which case I think trust is needed to bridge those hops?<br></div><div><br data-mce-bogus="1"></div><div>--Jered<br data-mce-bogus="1"></div></div></div></body></html> | |
365 | --=_bda8d35f-e3be-4e59-9fc8-f78ed0af3226-- | |
366 | ||
367 | --===============2728806607597782871== | |
368 | Content-Type: text/plain; charset="us-ascii" | |
369 | MIME-Version: 1.0 | |
370 | Content-Transfer-Encoding: 7bit | |
371 | Content-Disposition: inline | |
372 | ||
373 | _______________________________________________ | |
374 | arc-discuss mailing list | |
375 | arc-discuss@dmarc.org | |
376 | http://lists.dmarc.org/mailman/listinfo/arc-discuss | |
377 | ||
378 | --===============2728806607597782871==-- | |
379 | . | |
380 | ??? 250 | |
381 | QUIT | |
382 | ??? 221 | |
383 | **** | |
384 | # | |
385 | exim -DSERVER=server -DNOTDAEMON -q | |
386 | **** | |
387 | exim -DSERVER=server -DNOTDAEMON -q | |
388 | **** | |
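The failure mode exercised above (the bh= carried in an ARC-Message-Signature no longer matches the body the forwarder received, which is what drives its verification to "fail") as an added Python example. This is example code written for this page, not Exim's implementation. It implements the simple and relaxed body canonicalizations of RFC 6376 section 3.4 and compares the recomputed hash with the bh= tag, which is the same check whether the header is a DKIM-Signature or an ARC-Message-Signature. The bodies, the domain fwd.example and the make_ams() helper (whose b= is a placeholder, not a real signature) are constructed; the l= body-length tag is not honoured.

```python
"""Body-hash (bh=) verification for an ARC-Message-Signature or DKIM-Signature,
using the simple and relaxed body canonicalizations of RFC 6376 section 3.4.
Example code added to this page; it is not Exim's implementation."""
import base64
import hashlib
import re


def canon_body(body, mode):
    """Canonicalize a raw body (bytes, CRLF or LF line endings) as "simple" or "relaxed"."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if mode == "relaxed":
        # drop trailing whitespace on each line, collapse runs of WSP to one SP
        lines = [re.sub(rb"[ \t]+", b" ", ln.rstrip(b" \t")) for ln in lines]
    elif mode != "simple":
        raise ValueError(f"unknown body canonicalization {mode!r}")
    while lines and lines[-1] == b"":   # both modes ignore trailing empty lines
        lines.pop()
    if not lines:
        # RFC 6376: an empty body is a single CRLF under simple, empty under relaxed
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body, mode, algorithm="rsa-sha256"):
    """Base64 of the digest over the canonicalized body, as carried in bh=."""
    digest = hashlib.sha1 if algorithm.endswith("sha1") else hashlib.sha256
    return base64.b64encode(digest(canon_body(body, mode)).digest()).decode()


def parse_tags(value):
    """Parse a DKIM-style tag list into a dict; folding whitespace is dropped."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def check_body_hash(sig_value, body):
    """Compare the bh= of a signature header with the hash of `body`.
    Returns (ok, computed_bh, claimed_bh). A False result is what makes the
    verifier report the signature, and hence the ARC chain, as failed."""
    tags = parse_tags(sig_value)
    canon = tags.get("c", "simple")                 # c= defaults to simple/simple
    body_mode = canon.split("/", 1)[1] if "/" in canon else "simple"
    computed = body_hash(body, body_mode, tags.get("a", "rsa-sha256"))
    return computed == tags.get("bh"), computed, tags.get("bh")


def make_ams(body, body_mode, domain="fwd.example", selector="sel"):
    """Constructed AMS value for this example; b= is a placeholder, not a signature."""
    return (f"i=1; a=rsa-sha256; c=relaxed/{body_mode}; d={domain}; s={selector};"
            f" h=from:to:subject; bh={body_hash(body, body_mode)}; b=PLACEHOLDER")


# Constructed inputs: the body as signed, the same body after an ARC-unaware
# list appended a footer, and the same body after a relay added trailing
# whitespace and a blank line.
ORIGINAL = b"This is a test body.\r\n"
WITH_FOOTER = ORIGINAL + b"\r\n_______________\r\nlist footer\r\n"
WHITESPACE_ONLY = b"This is a test body.   \r\n\r\n"

if __name__ == "__main__":
    for mode in ("simple", "relaxed"):
        ams = make_ams(ORIGINAL, mode)
        for label, body in (("original", ORIGINAL), ("footer", WITH_FOOTER),
                            ("whitespace", WHITESPACE_ONLY)):
            ok, computed, claimed = check_body_hash(ams, body)
            print(f"{mode:8} {label:11} ok={ok}")
```

Relaxed canonicalization absorbs the whitespace-only change but neither canonicalization absorbs an appended footer, which is why a list that edits bodies needs to add its own ARC set rather than rely on the upstream AMS surviving. The two AMS values on this page (the one in the first test and the convivian.com one in the draft example) can be fed to check_body_hash() with the corresponding raw body to reproduce what the forwarder's verifier sees.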
389 | # | |
390 | # | |
391 | # | |
f48946eb | 392 | killdaemon |
617d3932 | 393 | # |
f48946eb JH |
394 | exim -DSERVER=server -DVALUE=/pass -DINSERT='log_message=ARC-FAIL' -bd -oX PORT_D |
395 | **** | |
617d3932 | 396 | # |
f48946eb JH |
397 | # We just send this in for reception, bare, to check that the "arc" verify condition accepts options |
398 | # | |
399 | client 127.0.0.1 PORT_D | |
400 | ??? 220 | |
401 | HELO xxx | |
402 | ??? 250 | |
403 | MAIL FROM:<CALLER@bloggs.com> | |
404 | ??? 250 | |
405 | RCPT TO:<a@test.ex> | |
406 | ??? 250 | |
407 | DATA | |
408 | ??? 354 | |
409 | Subject: Test | |
410 | ||
411 | This is a test body. | |
412 | . | |
413 | ??? 250 | |
414 | QUIT | |
415 | ??? 221 | |
416 | **** | |
617d3932 JH |
417 | # |
418 | # | |
419 | # | |
420 | # | |
617d3932 | 421 | # |
f48946eb JH |
422 | # |
423 | killdaemon | |
617d3932 JH |
424 | no_stdout_check |
425 | no_msglog_check |