Author: Jeremy Harris
Date:
To: exim-users
Subject: Re: [exim] ARC signing and verification
On 20/04/2020 14:33, Tom Crane via Exim-users wrote:
> I am attempting to configure my server (exim-4.92.3) to ARC
> (Authenticated Received Chain) sign and possibly also verify messages.

There's been several ARC-related fixes since then; I suggest you
consider moving closer to the bleeding-edge.

> I already DKIM sign messages which verify on external receiving MTAs
> when the sender address is in my local domain. The server also
> maintains a set of distribution lists expanded from aliases. Some of
> the senders to these distribution lists are outside my local domain
> which breaks DKIM verification, which is why I want to try ARC signing.
>
> I accept ARC is a new, experimental feature in EXIM but the
> documentation in doc/experimental-spec.txt is very brief. The thing I
> really need is some simple worked example configurations.
>
> Ideally I just need to check whether an incoming message was for one of
> my distribution lists and if so ARC sign it.
>
> Currently I have tried this simple configuration,
>
> remote_smtp:
>   driver = smtp
>   dkim_domain = $sender_address_domain
>   dkim_selector = selector3
>   dkim_private_key = /etc/exim/dkim/selector3.pem
>   dkim_canon = relaxed
>
> EXPERIMENTAL_ARC=yes
> arc_sign = $primary_hostname : selector3 : /etc/exim/dkim/selector3.pem

The line "EXPERIMENTAL_ARC=yes" needs to go in the Local/Makefile
for the build of exim. You need to build your own, if you are not
using a distro that does.

The current "experimental-spec.txt" says:
"Enable using EXPERIMENTAL_ARC=yes in your Local/Makefile".
It does not need to go in your config. What you have there is a
macro definition (and likely never used).

> but exim fails to start with "Exim configuration error in line XXX"
> "transport name missing"
>
> where line XXX is the 'arc_sign = ' line.
>
> What am I doing wrong?

Check the "Support for" line from "exim -bV". If it doesn't mention ARC
then you are running a build without ARC. I suspect this is the case.

--
Cheers,
Jeremy
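
The two checks described in the reply above, as an added example that is not part of the original message or of Exim itself: it looks for ARC in the "Support for" line of `exim -bV` output and flags `EXPERIMENTAL_*=` lines placed in a runtime config. The function names, the assumption that the feature token is `ARC` or ends in `_ARC`, and all sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example. All sample inputs below are constructed for illustration.

# Print one feature token per line from the "Support for:" line of `exim -bV` (stdin).
support_tokens() {
    sed -n 's/^Support for:[[:space:]]*//p' | tr -s ' ' '\n'
}

# Succeed if the build advertises ARC. Assumption: the token is "ARC" or
# ends in "_ARC" (for example Experimental_ARC).
has_arc() {
    support_tokens | grep -Eiq '^([a-z]+_)?arc$'
}

# List (line:text) build-time switches found in a runtime config (stdin).
# There, NAME=value only defines a macro; it does not enable a feature.
misplaced_build_switches() {
    grep -En '^[[:space:]]*EXPERIMENTAL_[A-Z0-9_]+[[:space:]]*=' || true
}

# $1 = output of `exim -bV`, $2 = text of the runtime configuration
arc_report() {
    if printf '%s\n' "$1" | has_arc; then
        echo "build: ARC support present"
    else
        echo "build: no ARC support; set EXPERIMENTAL_ARC=yes in Local/Makefile and rebuild"
    fi
    printf '%s\n' "$2" | misplaced_build_switches |
        sed 's/^/config: macro definition, not a build switch, at line /'
}

BV_WITHOUT_ARC='Exim version (constructed sample)
Support for: crypteq iconv() IPv6 OpenSSL DKIM DNSSEC Event PRDR'
BV_WITH_ARC='Exim version (constructed sample)
Support for: crypteq iconv() IPv6 OpenSSL DKIM DNSSEC Event PRDR Experimental_ARC'
CONF_SAMPLE='remote_smtp:
  driver = smtp
  dkim_domain = $sender_address_domain
EXPERIMENTAL_ARC=yes
arc_sign = $primary_hostname : selector3 : /etc/exim/dkim/selector3.pem'

arc_report "$BV_WITHOUT_ARC" "$CONF_SAMPLE"
arc_report "$BV_WITH_ARC" "$CONF_SAMPLE"
```

On a live host, pass the captured output of `exim -bV` as the first argument and the contents of the runtime configuration as the second.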