Open source ARC implementation
lquidfire/OpenARC
OpenARC is a community effort to develop and maintain both an open source library for adding Authenticated Received Chain (ARC) support to applications and an example filter application using the milter protocol.
ARC is an experimental protocol defined in RFC 8617. It provides an authenticated chain of custody for a message, allowing message handlers to see who has handled it before and what those prior handlers claim the message's authentication status was at that point.
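An added example, not code from OpenARC: a structural pre-check of the ARC sets on a message, following the chain-structure rules in RFC 8617 (instances contiguous from 1, exactly one header of each type per instance, `cv=none` on the first seal and `cv=pass` on later ones). The function names and the sample message are constructed for illustration, and no signature is verified.

```python
import re
from email import message_from_string
ARC_FIELDS = ("arc-authentication-results", "arc-message-signature", "arc-seal")
MAX_INSTANCE = 50  # RFC 8617 caps the instance number at 50

# Constructed sample: two ARC sets, newest first. PLACEHOLDER is not real data.
SAMPLE = """\
ARC-Seal: i=2; a=rsa-sha256; cv=pass; d=list.example; s=sel; b=PLACEHOLDER
ARC-Message-Signature: i=2; a=rsa-sha256; d=list.example; s=sel;
 h=from; bh=PLACEHOLDER; b=PLACEHOLDER
ARC-Authentication-Results: i=2; list.example; arc=pass; spf=fail
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=mx.example; s=sel; b=PLACEHOLDER
ARC-Message-Signature: i=1; a=rsa-sha256; d=mx.example; s=sel;
 h=from; bh=PLACEHOLDER; b=PLACEHOLDER
ARC-Authentication-Results: i=1; mx.example; spf=pass smtp.mailfrom=example.org
From: a@example.org
"""

def parse_tags(value):
    """Parse 'tag=value; tag=value' into a dict; the first occurrence wins."""
    tags = {}
    for part in value.split(";"):
        m = re.match(r"\s*([A-Za-z]\w*)\s*=\s*(.*?)\s*$", part, re.S)
        if m:
            tags.setdefault(m.group(1), m.group(2))
    return tags

def arc_chain_structure(raw_message):
    """Return (ok, reason); structural checks only, no signature is verified."""
    sets = {}  # instance -> {field name: [parsed tag dicts]}
    for name, value in message_from_string(raw_message).items():
        if name.lower() not in ARC_FIELDS:
            continue
        tags = parse_tags(str(value))
        inst = tags.get("i", "")
        if not re.fullmatch(r"[0-9]{1,2}", inst) or not 1 <= int(inst) <= MAX_INSTANCE:
            return False, f"{name}: missing or invalid i= tag"
        sets.setdefault(int(inst), {}).setdefault(name.lower(), []).append(tags)
    if sorted(sets) != list(range(1, len(sets) + 1)):
        return False, "instance numbers are not contiguous from 1"
    for inst in sorted(sets):
        for field in ARC_FIELDS:
            if len(sets[inst].get(field, [])) != 1:
                return False, f"i={inst}: expected exactly one {field}"
        cv = sets[inst]["arc-seal"][0].get("cv", "")
        want = "none" if inst == 1 else "pass"
        if cv.lower() != want:
            return False, f"i={inst}: ARC-Seal has cv={cv!r}, expected {want}"
    return True, f"{len(sets)} well-formed ARC set(s)"
```

A message that passes this check still needs every `ARC-Message-Signature` and `ARC-Seal` verified cryptographically before the chain can be trusted.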
ARC is still experimental and its specification may change. This package is intended for use by operators willing to take part in the experiment and provide their feedback to the development team.
A substantial amount of the code here is based on code developed as part of the OpenDKIM project, a Trusted Domain Project activity, which started as a code fork of version 2.8.3 of the open source `dkim-milter` package developed and maintained by Sendmail, Inc. The license used by OpenDKIM and OpenARC is found in the `LICENSE` file. Portions of this project are also covered by the Sendmail Open Source License, which can be found in the `LICENSE.Sendmail` file. See the copyright notice(s) in each source file to determine which license(s) are applicable to that file.
In order to build OpenARC, you will need:
- A C compiler. Compilation has been tested with GCC and clang, and other modern compilers should also work.
- make
- pkg-config or a compatible replacement.
- OpenSSL >= 1.0.0
- Native implementations of `strlcat()` and `strlcpy()`, libbsd, or some other library that provides them.
- Libidn2
If you are building the filter, you will also need:
If you are building from a git checkout instead of a release tarball, you will also need:
The core OpenARC software will function without it, but tools distributed alongside OpenARC (such as `openarc-keygen`) may require:
- Python >= 3.8
Compatibility with older versions of Python 3 has not been deliberately broken, but this is the oldest version we test against.
$ dnf install autoconf automake gcc jansson-devel libbsd-devel libidn2-devel libtool openssl-devel sendmail-milter-devel
$ apt install build-essential libbsd-dev libidn2-dev libjansson-dev libmilter-dev libssl-dev
Installation follows the standard Autotools process.
If you're building from a git checkout, you first need to generate the build system:
$ autoreconf -fiv
Once that's done (or if you're building from a release tarball):
$ ./configure
$ make
$ make install
You can get a list of available flags and environment variables to influence the build by running `./configure --help`.
Tests can be run with `make check`. OpenARC's test suite requires:
- Python >= 3.8
- pytest
- The Python miltertest library
There are also optional test dependencies whose associated tests will be skipped if the dependency is not found:
- dkimpy >= 0.9.0
- Mail::DKIM
The man pages for the `openarc` filter are present in the `openarc` directory of this source distribution.
A number of legal regimes restrict the use or export of cryptography. If you are potentially subject to such restrictions you should seek legal advice before using, developing, or distributing cryptographic code.
The filter attempted to get some information from the MTA that the MTA did not provide.
At various points in the interaction between the MTA and the filter, macros containing information about the job in progress or the connection being handled are passed from the MTA to the filter.
In the case of Sendmail, the names of the macros the MTA should pass to the filter are defined by the `Milter.macros` settings in `sendmail.cf`, e.g. `Milter.macros.connect`, `Milter.macros.envfrom`, etc. This message indicates that the filter needed the contents of macro `X`, but that macro was not passed down from the MTA.
Typically the values needed by this filter are passed from the MTA if the `sendmail.cf` was generated by the usual M4 method. If you do not have those options defined in your `sendmail.cf`, try rebuilding it and then restarting Sendmail.
Querying nameservers for key data can take longer than the default MTA timeouts for communication with the filter. This can cause messages to be rejected, tempfailed, or delivered without processing by the filter, depending on the MTA configuration.
The only way to address this issue if you encounter it is to increase the time the MTA waits for replies. Consult your MTA's documentation to find out how to do so, but note that increasing timeouts too much can cause other problems.
After retrieving and decoding a public key to perform a message verification, the OpenSSL library attempted to make use of that key but failed. The known possible causes are:
- Memory exhaustion
- Key corruption
If you're set to tempfail messages in these cases the remote end will probably retry the message. If the same message fails again later, the key is probably corrupted or otherwise invalid.
In order to verify existing ARC signatures the filter needs to see the message prior to any local modifications. In order to produce a valid `ARC-Message-Signature` the filter needs to see the message after any local modifications.
The only way to satisfy both requirements in ADMDs that modify messages is to use two instances of the filter which run at different points in email handling. The first one must do verification and inject an `Authentication-Results` header, and may do signing; the second one must enable `PermitAuthenticationOverrides` (make sure that your environment is compliant with the security requirements in RFC 8601 section 1.6) and do signing.