@Koratsuki
Last active February 8, 2024 14:55
iRedmail and OpenARC

Starting this February, Google, Yahoo and Outlook [1][2] are, to some extent, enforcing the use of SPF/DKIM/DMARC on email servers in order to protect users and mailboxes from spam and malware. They are now also adding the ARC protocol, which validates the signing of forwarded emails.

I tried it with iRedmail, because it comes out of the box with SPF/DKIM/DMARC, with some minor touches to the config. Everything I am about to test here is my own experience with this subject, given the limited documentation from OpenARC [3].

Test environment:

  • Linode VPS with 4 cores/4GB of RAM
  • OS: Ubuntu 22.04
  • iRedmail 1.6.3. It was already installed

OpenARC is distributed as source code. There are binaries for Fedora, CentOS and Debian 11, but none for Ubuntu 22.04, so compiling is the only option here.

As root on the mail server, I will clone the repository, install the dependencies needed to compile OpenARC, adjust the config file, and enable the milter in Postfix. All of this was done by adapting guide [4] and translating [5] to make it compatible with Ubuntu.

First, dependencies:

cd /opt
apt install libssl-dev libtool build-essential pkg-config libbsd-dev libmilter-dev git

Clone repository:

git clone https://github.com/trusteddomainproject/OpenARC.git

Compile OpenARC:

cd OpenARC 
autoreconf -fvi
./configure 
make -j "$(nproc)"
make install

Testing it:

openarc -V

On Ubuntu, this gave me a missing-library error, which I quickly fixed with:

ln -s /usr/local/lib/libopenarc.so.0 /usr/lib/libopenarc.so.0

Now the config:

mkdir -p /etc/openarc
cp /usr/local/share/doc/openarc/openarc.conf.sample /etc/openarc/openarc.conf
nano /etc/openarc/openarc.conf

These are the important settings in the config. Adjust them to your needs:

##
## openarc.conf -- configuration file for OpenARC filter
##
## Copyright (c) 2010-2015, 2017, The Trusted Domain Project.
##   All rights reserved.
##

## CONFIGURATION OPTIONS

AuthservID          domain.tld
Canonicalization    relaxed/simple
Domain              domain.tld
InternalHosts       refile:/etc/openarc/TrustedHosts
KeyFile             /etc/openarc/keys/domain.tld.pem
Mode                sv
PidFile             /var/run/openarc.pid
Selector            dkim
SignatureAlgorithm  rsa-sha256
Socket              inet:8895@localhost
Syslog              Yes
SyslogFacility      mail

Now we must declare our own host as trusted. That is the TrustedHosts file, and your domain goes inside it:

echo "domain.tld" > /etc/openarc/TrustedHosts

And copy the key to the OpenARC folder:

mkdir -p /etc/openarc/keys/
cp /var/lib/dkim/domain.tld.pem /etc/openarc/keys/domain.tld.pem
chmod 440 /etc/openarc/keys/domain.tld.pem
chown root:root /etc/openarc/keys/domain.tld.pem

Now, we must create a systemd unit to manage the service.

nano /etc/systemd/system/openarc.service

Adjust it to your needs.

[Unit]
Description=Authenticated Resource Chain (ARC) Milter
Documentation=man:openarc(8) man:openarc.conf(5) http://www.trusteddomain.org/openarc
After=network.target nss-lookup.target syslog.target

[Service]
Type=forking
PIDFile=/var/run/openarc.pid
UMask=0002
ExecStart=/usr/local/sbin/openarc -c /etc/openarc/openarc.conf
ExecReload=/bin/kill -USR1 $MAINPID
Restart=on-failure
#User=openarc
#Group=openarc

[Install]
WantedBy=multi-user.target

Save and exit. Enable it and check that it is working:

systemctl daemon-reload
systemctl enable openarc
systemctl start openarc

If you run netstat -lptun or ss -lptun, you should see something like:

tcp        0      0 127.0.0.1:8895          0.0.0.0:*               LISTEN      335573/openarc

This indicates that it is working! 🥳

Now it's time for Postfix. Just add this to your main.cf:

smtpd_milters = inet:localhost:8895
non_smtpd_milters = inet:localhost:8895

And restart Postfix:

systemctl restart postfix

To test ARC, I used the email validation service at [6]. It gave me arc=pass on all checks, which is good.
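Beyond reading arc=pass off a web form, it is worth looking at the ARC headers that land on a received copy of a test message. The following is an added Python check, not part of this gist or of OpenARC: it groups the ARC header sets by instance number, applies the structural rules of RFC 8617 (instances run 1..N without gaps, each set has all three headers, cv=none on the first seal and cv=pass on later ones) and extracts the receiving MTA's arc= verdict. The message is a constructed sample with placeholder signature values (mx.example.test is assumed), and signatures themselves are not cryptographically verified.

```python
import email
import re

# Constructed sample: one ARC set (i=1) added by domain.tld, followed by the
# receiving MTA's Authentication-Results. Signature/hash values are placeholders.
SAMPLE = b"""ARC-Seal: i=1; a=rsa-sha256; t=1707400000; cv=none; d=domain.tld; s=dkim;
 b=PLACEHOLDER
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=domain.tld; s=dkim; h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER
ARC-Authentication-Results: i=1; domain.tld; spf=pass smtp.mailfrom=domain.tld; dkim=pass header.d=domain.tld; dmarc=pass
Authentication-Results: mx.example.test; arc=pass (i=1 spf=pass dkim=pass dmarc=pass)
From: alice@domain.tld
Subject: ARC test

hello
"""

ARC_SET = ("ARC-Seal", "ARC-Message-Signature", "ARC-Authentication-Results")

def tags(value):
    """Parse a 'k=v; k=v' tag list; folded header continuation lines are unfolded first."""
    parts = (p.partition("=") for p in " ".join(value.split()).split(";"))
    return {k.strip(): v.strip() for k, _, v in parts if k.strip()}

def arc_sets(raw):
    """Group the ARC headers by instance number: {i: {header_name: tag dict}}."""
    msg = email.message_from_bytes(raw)
    sets = {}
    for name in ARC_SET:
        for val in msg.get_all(name, []):
            t = tags(val)
            sets.setdefault(int(t.get("i", 0)), {})[name] = t
    return sets

def check_chain(raw):
    """RFC 8617 structural checks; returns a list of problems (empty = well-formed)."""
    sets, problems = arc_sets(raw), []
    if not sets:
        return ["no ARC headers present"]
    for i in range(1, max(sets) + 1):
        s = sets.get(i, {})
        if set(s) != set(ARC_SET):
            problems.append(f"instance {i} missing or incomplete")
            continue
        cv = s["ARC-Seal"].get("cv")
        if cv != ("none" if i == 1 else "pass"):   # first seal: none; later seals: pass
            problems.append(f"instance {i}: unexpected cv={cv}")
    return problems

def arc_verdict(raw):
    """The receiving MTA's arc= result from Authentication-Results, or None."""
    hdrs = email.message_from_bytes(raw).get_all("Authentication-Results", [])
    m = re.search(r"\barc=(\w+)", " ".join(hdrs))
    return m.group(1) if m else None
```

Feed it the raw source of a message received at the other end (check_chain(open("msg.eml", "rb").read())) to see whether the ARC set OpenARC added survived the hop intact.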

References:

[1] https://powerdmarc.com/google-and-yahoo-email-authentication-requirements/

[2] https://www.ongage.com/blog/gmail-yahoo-bulk-sender-updates-2024/

[3] https://github.com/trusteddomainproject/OpenARC/

[4] https://weber.fi.eu.org/blog/Informatique/openarc_with_postfix_on_debian_10.html?lang=en

[5] https://s14n.hatenablog.jp/entry/2024/01/12/232656

[6] https://openarc.org/testing
