test/scripts/4560-ARC/4560


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459

# ARC verify and sign
#
exim -DSERVER=server -bd -oX PORT_D
****
#
# This should pass.
# Mail original in aux-fixed/4560.msg1.txt
# Sig generated by: perl aux-fixed/dkim/sign_arc.pl < aux-fixed/4560.msg1.txt
client 127.0.0.1 PORT_D
??? 220
HELO xxx
??? 250
MAIL FROM:<CALLER@bloggs.com>
??? 250
RCPT TO:<a@test.ex>
??? 250
DATA
??? 354
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=test.ex; s=sel; t=1521752658; b=
        xcIN0OEpAc3s8riODm31Q6JgmIECch3iVd1LXWwsypGpCY2UFFuo5HhCEf4a043q
        YZ+zn/MbFFkvwIqleeQkJ7S5UcvfM8dv/V4YnwAe+JD8r79glh/FRq6uKlc0ixLS
        CllJMwj98J1P1K9+gwmO5TrD1eTZV68caZj77P+X2kw=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=test.ex;
         h=from:to:date:message-id:subject; s=sel; bh=3UbbJTudPxmejzh7U1
        Zg33U3QT+16kfV2eOTvMeiEis=; b=WgE+YWSm48w/P448gPlBBNCKt2SJ4gosPx
        0JQ98aZJhun2RaVcUO3INc+kZv8YOijofMzFqJxVn1cgMjoU8/QSHIyyt40FzkQB
        oSGmSrCjtRnzS8pbp491NX3kGuetidaWE5muPSdOystg6mm1rBnl9sqVrwaynCmr
        fu2jTuUfw=
ARC-Authentication-Results: i=1; test.ex; arc=none
Authentication-Results: test.ex; arc=none
From: mrgus@text.ex
To: bakawolf@yahoo.com
Date: Thu, 19 Nov 2015 17:00:07 -0700
Message-ID: <qwerty1234@disco-zombie.net>
Subject: simple test

This is a simple test.
.
??? 250
QUIT
??? 221
****
exim -DSERVER=server -DNOTDAEMON -q
****
#
#
#
# We send this one through one forwarding hop.
# It starts off bare, so the forwarder reception gets an ARC status of "none".
# The outbound signs it with that, and the final receiver is happy to pass it.
#
client 127.0.0.1 PORT_D
??? 220
HELO xxx
??? 250
MAIL FROM:<CALLER@bloggs.com>
??? 250
RCPT TO:<za@test.ex>
??? 250
DATA
??? 354
Subject: Test

This is a test body.
.
??? 250
QUIT
??? 221
****
#
exim -DSERVER=server -DNOTDAEMON -q
****
exim -DSERVER=server -DNOTDAEMON -q
****
#
#
#
#
#
#
#
#
#
# We send this one through two forwarding hops.
# It starts off bare, so the 1st forwarder reception gets an ARC status of "none".
# The outbound signs it with that, and the 2nd forwarder is happy to pass it.
# The outbound signs again, and the final receiver is happy.
#
client 127.0.0.1 PORT_D
??? 220
HELO xxx
??? 250
MAIL FROM:<CALLER@bloggs.com>
??? 250
RCPT TO:<zza@test.ex>
??? 250
DATA
??? 354
Subject: Test

This is a test body.
.
??? 250
QUIT
??? 221
****
#
exim -DSERVER=server -DNOTDAEMON -q
****
exim -DSERVER=server -DNOTDAEMON -q
****
exim -DSERVER=server -DNOTDAEMON -q
****
#
#
#
#
#
#
#
#
#
# We send this one through one forwarder, one mailinglist, and one more forwarder
#
client 127.0.0.1 PORT_D
??? 220
HELO xxx
??? 250
MAIL FROM:<CALLER@bloggs.com>
??? 250
RCPT TO:<zmza@test.ex>
??? 250
DATA
??? 354
Subject: Test

This is a test body.
.
??? 250
QUIT
??? 221
****
#
exim -DSERVER=server -DNOTDAEMON -q
****
exim -DSERVER=server -DNOTDAEMON -q
****
exim -DSERVER=server -DNOTDAEMON -q
****
exim -DSERVER=server -DNOTDAEMON -q
****
#
#
#
#
#
#
#
#
#
# We send this one through two forwarders, then one ARC-unaware mailinglist
# then one more forwarder
#
client 127.0.0.1 PORT_D
??? 220
HELO xxx
??? 250
MAIL FROM:<CALLER@bloggs.com>
??? 250
RCPT TO:<zzmza@test.ex>
??? 250
DATA
??? 354
Subject: Test

This is a test body.
.
??? 250
QUIT
??? 221
****
#
exim -DSERVER=server -DNOTDAEMON -q
****
exim -DSERVER=server -DNOTDAEMON -q
****
exim -DSERVER=server -DNOTDAEMON -DOPTION -q
****
exim -DSERVER=server -DNOTDAEMON -q
****
exim -DSERVER=server -DNOTDAEMON -q
****
#
#
#
#
#
#
#
#
#
# We send this one through a forwarders, then an ARC-unaware forwarder
#
client 127.0.0.1 PORT_D
??? 220
HELO xxx
??? 250
MAIL FROM:<CALLER@bloggs.com>
??? 250
RCPT TO:<zza@test.ex>
??? 250
DATA
??? 354
Subject: Test

This is a test body.
.
??? 250
QUIT
??? 221
****
#
exim -DSERVER=server -DNOTDAEMON -q
****
exim -DSERVER=server -DNOTDAEMON -DOPTION -q
****
exim -DSERVER=server -DNOTDAEMON -q
****
#
#
#
#
#
#
#
#
#
# We send this one through one forwarding hop.
# It starts with one ARC-set.
# The reception at the forwarder gets an ARC-fail, because the bodyhash does not
# match - so the forwarder outbound ARC-signs as a fail,
# and the final receiver evaluates ARC status as fail.
# Mail original in https://tools.ietf.org/html/draft-ietf-dmarc-arc-protocol-11#page-14
#
client 127.0.0.1 PORT_D
??? 220
HELO xxx
??? 250
MAIL FROM:<CALLER@bloggs.com>
??? 250
RCPT TO:<za@test.ex>
??? 250
DATA
??? 354
Received: from dragon.trusteddomain.org (localhost [127.0.0.1])
	by dragon.trusteddomain.org (8.14.5/8.14.5) with ESMTP id w121YG2q036577;
	Thu, 1 Feb 2018 17:34:20 -0800 (PST)
	(envelope-from arc-discuss-bounces@dmarc.org)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=dmarc.org;
	s=clochette; t=1517535263;
	bh=DXU/xKzzQYeoYB254nZ0AzNm7z2YZ//FpTnhgIjPyt8=;
	h=Date:To:In-Reply-To:References:Cc:Subject:List-Id:
	 List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe:
	 From:Reply-To;
	b=Z66qes0GxyXtv0ow232KSy/b44fPNLZL8JOXHiJLi9dHzIPyxsQd/Zb5NP8i3427g
	 a9tEyo8Rpz8DPbn351e+IlYqRGLfokTWgX+7NfMLy87p3SfnPytUu6PM8QiW2VC889
	 Tk0K+5xH5KSgkENaPdLBigHtunyNZaSofgKy5vBM=
Authentication-Results: dragon.trusteddomain.org; sender-id=fail (NotPermitted) header.sender=arc-discuss-bounces@dmarc.org; spf=fail (NotPermitted) smtp.mfrom=arc-discuss-bounces@dmarc.org
Received: from mailhub.convivian.com (mailhub.convivian.com [72.5.31.108])
 by dragon.trusteddomain.org (8.14.5/8.14.5) with ESMTP id w121YEt6036571
 for <arc-discuss@dmarc.org>; Thu, 1 Feb 2018 17:34:14 -0800 (PST)
 (envelope-from jered@convivian.com)
Authentication-Results: dragon.trusteddomain.org; dkim=pass
 reason="1024-bit key"
 header.d=convivian.com header.i=@convivian.com header.b=LHXEAl5e;
 dkim-adsp=pass
Authentication-Results: dragon.trusteddomain.org;
 sender-id=pass header.from=jered@convivian.com;
 spf=pass smtp.mfrom=jered@convivian.com
Received: from zimbra8.internal.convivian.com (zimbra8.internal.convivian.com
 [172.16.0.5])
 by mailhub.convivian.com (Postfix) with ESMTP id 471DA66FB6;
 Thu,  1 Feb 2018 20:34:08 -0500 (EST)
ARC-Seal: i=1; a=rsa-sha256; d=convivian.com; s=default; t=1517535248; cv=none;
 b=HkK4AhtPFBUHtRUKKzTON3wyMj7ZLq881P2qhWg+lO8Y50V9SEc8lJ4dBIM3cj3ftfAbooPSLHAVejA89bpS1eAvODci6pOPaQWkBZmpdu+yPIxqX3FyOaCdIaZFbXaMQ1Jg5Sraf5mkCESmfjR5bCguAaZsnPQDF6wSN8VhbQk=
ARC-Message-Signature: i=1; a=rsa-sha256; d=convivian.com; s=default;
 t=1517535248; c=relaxed/simple;
 bh=9Cp8KoxNPc7FEuC29xB5bNWWadzdEFhXrX/8i+vd3g4=;
 h=DKIM-Signature:Date:From:To:Cc:Message-ID:In-Reply-To:References:
 Subject:MIME-Version:Content-Type:X-Originating-IP:X-Mailer:
 Thread-Topic:Thread-Index:From;
 b=jG+KnBrP2oq1z1upStMoWbM1fkS5zbUiir221Gy6h7ao5oy7Qc3m0pXgrSdhgGD4oX/kk2seEt2WAlPNwEsZyvYeG/80ctd/2+hwaVQ6JSOU83Rdd8im8HwMvXzXZIz8ATjPpOv21+xMrqlPSkD/l6X4VP+AAoVVkhW7f4GWcws=
ARC-Authentication-Results: i=1; mailhub.convivian.com; none
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=convivian.com;
 s=default; t=1517535248;
 bh=9Cp8KoxNPc7FEuC29xB5bNWWadzdEFhXrX/8i+vd3g4=;
 h=Date:From:To:Cc:In-Reply-To:References:Subject:From;
 b=LHXEAl5elmfkdXNdK24QonXpkiG38neuJoS7fSQXwZVZkR+cdYNr6eBxx3DF4reJO
 NgzV5GFyPX6+LdIqR6rnC8BXhjvJq+pxLW3/wKx39W3ANYWRFm1dgyWBz99NxNNvk/
 ruQkYYBBk9GPM52EyHNMvHciRAyaSk+VluGj6c6M=
Date: Thu, 1 Feb 2018 20:34:08 -0500 (EST)
To: Brandon Long <blong@google.com>
Message-ID: <1426665656.110316.1517535248039.JavaMail.zimbra@convivian.com>
In-Reply-To: <CABa8R6s3e1k=c9wQBtNBWvPT4BrXv3-2NnynyAfRseZ-5s6NKg@mail.gmail.com>
References: <CO2PR0501MB981081FA2C73CB83FA1C903F1FA0@CO2PR0501MB981.namprd05.prod.outlook.com>
 <CAAQnKjAV3zEfP-J6JgTrv1jU9UPmf9dG9SPr-+q4jZ6PaGQjxg@mail.gmail.com>
 <CAAQnKjBBLS9Lm2vnT3i+WUNhrvv2oDEMFEcyozw+YzyKS4G1qQ@mail.gmail.com>
 <29030059.107105.1517497494557.JavaMail.zimbra@convivian.com>
 <4f60039a-a754-ae4c-1543-0a978d9e13be@rolandturner.com>
 <1544831589.110194.1517532064123.JavaMail.zimbra@convivian.com>
 <CABa8R6s3e1k=c9wQBtNBWvPT4BrXv3-2NnynyAfRseZ-5s6NKg@mail.gmail.com>
MIME-Version: 1.0
X-Originating-IP: [172.16.0.5]
X-Mailer: Zimbra 8.7.11_GA_1854 (ZimbraWebClient - FF58 (Mac)/8.7.11_GA_1854)
Thread-Topic: Gmail support of ARC headers from third-parties
Thread-Index: JantLkX01vLd7pyKcopbBWCs3yDbLQ==
Cc: arc-discuss <arc-discuss@dmarc.org>
Subject: Re: [arc-discuss] Gmail support of ARC headers from third-parties
X-BeenThere: arc-discuss@dmarc.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: Discussion of the ARC protocol <arc-discuss.dmarc.org>
List-Unsubscribe: <http://lists.dmarc.org/mailman/options/arc-discuss>,
 <mailto:arc-discuss-request@dmarc.org?subject=unsubscribe>
List-Archive: <http://lists.dmarc.org/pipermail/arc-discuss/>
List-Post: <mailto:arc-discuss@dmarc.org>
List-Help: <mailto:arc-discuss-request@dmarc.org?subject=help>
List-Subscribe: <http://lists.dmarc.org/mailman/listinfo/arc-discuss>,
 <mailto:arc-discuss-request@dmarc.org?subject=subscribe>
From: Jered Floyd via arc-discuss <arc-discuss@dmarc.org>
Reply-To: Jered Floyd <jered@convivian.com>
Content-Type: multipart/mixed; boundary="===============2728806607597782871=="
Errors-To: arc-discuss-bounces@dmarc.org
Sender: "arc-discuss" <arc-discuss-bounces@dmarc.org>

--===============2728806607597782871==
Content-Type: multipart/alternative; 
	boundary="=_bda8d35f-e3be-4e59-9fc8-f78ed0af3226"

--=_bda8d35f-e3be-4e59-9fc8-f78ed0af3226
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit

>> Couldn't the first untrusted ARC signer (working in reverse chronological order)
>> simply have faked all the earlier headers and applied a "valid" ARC
>> signature/seal? This is why I figured you must trust the entire chain if you
>> want to trust the sender data.

> They can't fake an earlier signature unless they have the private key for the
> signing domain.

> Ie, a non-modifying hop is basically a no-op, unless you want to trust their
> auth results.

OK, sure; I agree with that. But I guess I see ARC as primarily for indirect mail flows that break DKIM (i.e. Mailman), in which case I think trust is needed to bridge those hops? 

--Jered 

--=_bda8d35f-e3be-4e59-9fc8-f78ed0af3226
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: 7bit

<html><body><div style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000"><div><br></div><div data-marker="__QUOTED_TEXT__"><blockquote style="border-left:2px solid #1010FF;margin-left:5px;padding-left:5px;color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;"><div dir="ltr"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Couldn't the first untrusted ARC signer (working in reverse chronological order) simply have faked all the earlier headers and applied a "valid" ARC signature/seal?&nbsp; This is why I figured you must trust the entire chain if you want to trust the sender data.<br></blockquote><br><div>They can't fake an earlier signature unless they have the private key for the signing domain.</div><br><div>Ie, a non-modifying hop is basically a no-op, unless you want to trust their auth results.</div></div></div></blockquote><div>OK, sure; I agree with that.&nbsp; But I guess I see ARC as primarily for indirect mail flows that break DKIM (i.e. Mailman), in which case I think trust is needed to bridge those hops?<br></div><div><br data-mce-bogus="1"></div><div>--Jered<br data-mce-bogus="1"></div></div></div></body></html>
--=_bda8d35f-e3be-4e59-9fc8-f78ed0af3226--

--===============2728806607597782871==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
arc-discuss mailing list
arc-discuss@dmarc.org
http://lists.dmarc.org/mailman/listinfo/arc-discuss

--===============2728806607597782871==--
.
??? 250
QUIT
??? 221
****
#
exim -DSERVER=server -DNOTDAEMON -q
****
exim -DSERVER=server -DNOTDAEMON -q
****
#
#
# Check attemtping to sign, with a missing keyfile
# It starts off bare, so the forwarder reception gets an ARC status of "none".
# The outbound tries to sign it with that.
#
client 127.0.0.1 PORT_D
??? 220
HELO xxx
??? 250
MAIL FROM:<CALLER@bloggs.com>
??? 250
RCPT TO:<za@test.ex>
??? 250
DATA
??? 354
Subject: Test

This is a test body.
.
??? 250
QUIT
??? 221
****
#
exim -DSERVER=server -DNOTDAEMON -DBAD -q
****
exim -DSERVER=server -DNOTDAEMON -q
****
#
#
#
#
#
#
#
#
killdaemon
#
exim -DSERVER=server -DVALUE=/pass -DINSERT='log_message=ARC-FAIL' -bd -oX PORT_D
****
#
# We just send this in for reception, bare, to check the "arc" verify can take options
#
client 127.0.0.1 PORT_D
??? 220
HELO xxx
??? 250
MAIL FROM:<CALLER@bloggs.com>
??? 250
RCPT TO:<a@test.ex>
??? 250
DATA
??? 354
Subject: Test

This is a test body.
.
??? 250
QUIT
??? 221
****
#
#
#
#
#
#
killdaemon
no_stdout_check
no_msglog_check