Re: [exim] ARC signing and verification

Author: Tom Crane
Date:  
To: Jeremy Harris
CC: exim-users
Subject: Re: [exim] ARC signing and verification
On Mon, 20 Apr 2020, Jeremy Harris via Exim-users wrote:

> On 20/04/2020 14:33, Tom Crane via Exim-users wrote:
>>     I am attempting to configure my server (exim-4.92.3) to ARC
>> (Authenticated Received Chain) sign and possibly also verify messages.
>
> There's been several ARC-related fixes since then; I suggest you
> consider moving closer to the bleeding-edge.



I will do so. exim-4.93.tar.bz2 looks like the latest stable release to
build.

>
>> I already DKIM sign messages which verify on external receiving MTAs
>> when the sender address is in my local domain.  The server also
>> maintains a set of distribution lists expanded from aliases.  Some of
>> the senders to these distribution lists are outside my local domain
>> which breaks DKIM verification, which is why I want to try ARC signing.
>>
>> I accept ARC is a new, experimental feature in EXIM but the
>> documentation in doc/experimental-spec.txt is very brief.  The thing I
>> really need is some simple worked example configurations.
>>
>> Ideally I just need to check whether an incoming message was for one of
>> my distribution lists and if so ARC sign it.
>>
>> Currently I have tried this simple configuration,
>>
>> remote_smtp:
>>   driver = smtp
>>   dkim_domain = $sender_address_domain
>>   dkim_selector = selector3
>>   dkim_private_key = /etc/exim/dkim/selector3.pem
>>   dkim_canon = relaxed
>>
>> EXPERIMENTAL_ARC=yes
>> arc_sign = $primary_hostname : selector3 : /etc/exim/dkim/selector3.pem
>
> The line "EXPERIMENTAL_ARC=yes" needs to go in the Local/Makefile
> for the build of exim. You need to build your own, if you are not
> using a distro that does.
>
> The current "experimental-spec.txt" says:
> "Enable using EXPERIMENTAL_ARC=yes in your Local/Makefile".
>
> It does not need to go in your config. What you have there is a
> macro definition (and likely never used).


Many thanks for the clarification. EXPERIMENTAL_ARC= was not documented
in the "experimental-spec.txt" file which came with my distro (SLC6) and
so I had guessed, wrongly, that it was needed in the exim.conf file.
Curiously without EXPERIMENTAL_ARC=yes in the exim.conf I received a
different error -- obviously a red herring though.

>
>> but exim fails to start with "Exim configuration error in line XXX"
>> "transport name missing"
>>
>> where line XXX is the 'arc_sign = ' line.
>>
>> What am I doing wrong?
>
> Check the "Support for" line from "exim -bV". If it doesn't mention ARC
> then you are running a build without ARC. I suspect this is the case.


Yes. That also turned out to be the case, so thanks again for clarifying
that.

In the meantime, do you know of any working / example ARC exim.conf
configurations available anywhere to study?

Many thanks
Tom

> --
> Cheers,
> Jeremy
>
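
The build check suggested in the thread (reading the "Support for" line of "exim -bV"), as an added example that is not part of the original messages or of Exim itself. The two sample outputs are constructed, and the token spelling `Experimental_ARC` is an assumption about how an ARC-enabled build reports the feature; the match accepts `ARC` or `Experimental_ARC`, case-insensitively.

```shell
#!/bin/sh
# Constructed samples of `exim -bV` output (not captured from a real host).
SAMPLE_NO_ARC='Exim version 4.92.3 #1 built 01-Jan-2020 00:00:00
Support for: crypteq iconv() IPv6 OpenSSL Content_Scanning DKIM DNSSEC Event
Lookups (built-in): lsearch wildlsearch dbm'
SAMPLE_ARC='Exim version 4.93 #1 built 01-Jan-2020 00:00:00
Support for: crypteq iconv() IPv6 OpenSSL DKIM DNSSEC Event Experimental_ARC
Lookups (built-in): lsearch wildlsearch dbm'

# Print the tokens of the "Support for:" line, one per line.
support_tokens() {
    printf '%s\n' "$1" | sed -n 's/^Support for: *//p' | tr -s ' ' '\n'
}

# Return 0 if the build lists the feature, either as NAME or Experimental_NAME.
# Whole-token match, so a feature name embedded in another token does not count.
has_feature() {
    support_tokens "$1" | grep -Eiq "^(experimental_)?$2\$"
}

# Report on the two features the thread depends on; return 0 only if ARC is built in.
check_arc_build() {
    text=$1
    has_feature "$text" DKIM || echo "DKIM: not compiled in"
    if has_feature "$text" ARC; then
        echo "ARC: compiled in"
        return 0
    fi
    echo "ARC: not compiled in; rebuild with EXPERIMENTAL_ARC=yes in Local/Makefile"
    return 1
}

# On a live host: check_arc_build "$(exim -bV 2>&1)"
```

Running the check before adding `arc_sign` to the configuration separates a build without ARC from a genuine configuration mistake.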