I tried installing OpenARC to implement Authenticated Received Chain (ARC) on a mail server built on CentOS 7.
For Authenticated Received Chain (ARC) itself, this site gave a clear explanation:
About ARC
https://www.naritai.jp/technology_arc.html
trusteddomainproject/OpenARC: Open source ARC
https://github.com/trusteddomainproject/OpenARC
Environment
・CentOS Linux release 7.9.2009 (Core)
・Kernel 3.10.0-1160.2.2.el7.x86_64
・Postfix 2.10.1-9
OpenARC is available in the EPEL repository.
Available Packages
Name        : openarc
Arch        : x86_64
Version     : 1.0.0
Release     : 0.1.Beta0.el7
Size        : 51 k
Repo        : epel/x86_64
Summary     : An open source library and milter for providing ARC service
URL         : https://github.com/trusteddomainproject/OpenARC
License     : BSD and Sendmail
Description : The Trusted Domain Project is a community effort to develop and
            : maintain a C library for producing ARC-aware applications and an
            : open source milter for providing ARC service through milter-enabled
            : MTAs.
[root@centos7 ~]# repoquery --list openarc
/etc/openarc.conf
/usr/lib/systemd/system/openarc.service
/usr/lib/tmpfiles.d/openarc.conf
/usr/sbin/openarc
/usr/share/doc/openarc-1.0.0
/usr/share/doc/openarc-1.0.0/README
/usr/share/doc/openarc-1.0.0/RELEASE_NOTES
/usr/share/licenses/openarc-1.0.0
/usr/share/licenses/openarc-1.0.0/LICENSE
/usr/share/licenses/openarc-1.0.0/LICENSE.Sendmail
/usr/share/man/man5/openarc.conf.5.gz
/usr/share/man/man8/openarc.8.gz
- Installation
- Edit the configuration file /etc/openarc.conf
- Create /var/run/openarc/
- Enable automatic start and start the service
- Edit the Postfix main.cf
- Restart Postfix
[root@centos7 ~]# yum install -y install openarc
Resolving Dependencies
--> Running transaction check
---> Package openarc.x86_64 0:1.0.0-0.1.Beta0.el7 will be installed
--> Processing Dependency: libopenarc = 1.0.0-0.1.Beta0.el7 for package: openarc-1.0.0-0.1.Beta0.el7.x86_64
--> Processing Dependency: libopenarc(x86-64) = 1.0.0-0.1.Beta0.el7 for package: openarc-1.0.0-0.1.Beta0.el7.x86_64
--> Processing Dependency: libopenarc.so.0()(64bit) for package: openarc-1.0.0-0.1.Beta0.el7.x86_64
--> Running transaction check
---> Package libopenarc.x86_64 0:1.0.0-0.1.Beta0.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

==================================================================================
 Package            Arch          Version                     Repository     Size
==================================================================================
Installing:
 openarc            x86_64        1.0.0-0.1.Beta0.el7         epel           51 k
Installing for dependencies:
 libopenarc         x86_64        1.0.0-0.1.Beta0.el7         epel           37 k

Transaction Summary
==================================================================================
Install  1 Package (+1 Dependent package)

Total download size: 88 k
Installed size: 177 k
Downloading packages:
(1/2): libopenarc-1.0.0-0.1.Beta0.el7.x86_64.rpm            |  37 kB  00:00:00
(2/2): openarc-1.0.0-0.1.Beta0.el7.x86_64.rpm               |  51 kB  00:00:00
----------------------------------------------------------------------------------
Total                                                 291 kB/s |  88 kB  00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : libopenarc-1.0.0-0.1.Beta0.el7.x86_64
  Installing : openarc-1.0.0-0.1.Beta0.el7.x86_64                            2/2
  Verifying  : libopenarc-1.0.0-0.1.Beta0.el7.x86_64                         1/2
  Verifying  : openarc-1.0.0-0.1.Beta0.el7.x86_64                            2/2

Installed:
  openarc.x86_64 0:1.0.0-0.1.Beta0.el7

Dependency Installed:
  libopenarc.x86_64 0:1.0.0-0.1.Beta0.el7

Complete!
This is the default configuration file.
[root@centos7 ~]# cat /etc/openarc.conf
## See openarc.conf(5) or /usr/share/doc/openarc-1.0.0/openarc.conf.sample for more
PidFile /var/run/openarc/openarc.pid
Syslog yes
#Umask 002
UserID openarc:openarc
Socket inet:8894@localhost
## After setting Mode to "sv", running
## opendkim-genkey -D /etc/openarc -s key -d phx2.fedoraproject.org
## and putting /etc/openarc
#Canonicalization relaxed/simple
#Domain example.com # change to domain
#Selector key
#KeyFile /etc/openarc/key.private
#SignatureAlgorithm rsa-sha256
The internal.hosts file lists the internal networks and similar hosts.
For KeyFile, I copied the DKIM private key file and pointed the setting at it.
[root@centos7 ~]# cat /etc/openarc.conf
## See openarc.conf(5) or /usr/share/doc/openarc-1.0.0/openarc.conf.sample for more
PidFile /var/run/openarc/openarc.pid
Syslog yes
#Umask 002
UserID openarc:openarc
Socket inet:8894@localhost
Mode sv
InternalHosts /etc/openarc/internal.hosts
PeerList /etc/openarc/internal.hosts
## After setting Mode to "sv", running
## opendkim-genkey -D /etc/openarc -s key -d phx2.fedoraproject.org
## and putting /etc/openarc
Canonicalization relaxed/relaxed
Domain rootlinks.net
Selector default
KeyFile /etc/openarc/openarc.private
SignatureAlgorithm rsa-sha256
Create /var/run/openarc/.
[root@centos7 ~]# mkdir /var/run/openarc
[root@centos7 ~]# chown openarc:openarc /var/run/openarc/
[root@centos7 ~]# systemctl enable openarc
Created symlink from /etc/systemd/system/multi-user.target.wants/openarc.service to /usr/lib/systemd/system/openarc.service.
[root@centos7 ~]# systemctl start openarc
Add openarc to the milters in main.cf.
opendkim is running on port 8891 and opendmarc on port 8893.
smtpd_milters = inet:127.0.0.1:8891, inet:127.0.0.1:8894, inet:127.0.0.1:8893
[root@centos7 ~]# systemctl restart postfix
I tested by forwarding a received mail to Gmail.
ARC-Authentication-Results: i=1; centos7.rootlinks.net; arc=none smtp.client-ip=xxx.xxx.xxx.xxx
ARC-Message-Signature: i=1; a=rsa-sha256; d=rootlinks.net; s=default; t=1605514930; c=relaxed/relaxed;
ARC-Seal: i=1; a=rsa-sha256; d=rootlinks.net; s=default; t=1605514930; cv=none;
ARC-Authentication-Results: i=2; mx.google.com; arc=pass (i=1);
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
ARC-Seal: i=2; a=rsa-sha256; t=1605514932; cv=pass;
rootlinks.net performed ARC verification and ARC signing (i=1), then Gmail verified the chain (arc=pass (i=1)) and added its own ARC signature (i=2).
The actual headers ran to about 60 lines (^^;
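As an added example (not from the original post and not OpenARC's own code), the Python below reads a message's ARC header sets the way the Gmail result above is read by hand: it groups the three fields by instance, checks that i=1 carries cv=none and every later seal cv=pass, and that each later hop reported arc=pass for the chain before it. The sample headers are constructed and modelled on the ones above; the b=/bh= values are placeholders, and the b= signatures are not cryptographically verified here (openarc does that).

```python
import re
from collections import defaultdict

ARC_FIELDS = ("ARC-Authentication-Results", "ARC-Message-Signature", "ARC-Seal")

# Constructed sample modelled on the headers above; b=/bh= values and the client
# IP are placeholders, not real signatures or addresses.
SAMPLE_HEADERS = """\
ARC-Seal: i=2; a=rsa-sha256; t=1605514932; cv=pass; d=google.com; s=arc-20160816; b=PLACEHOLDER
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; bh=X; b=X
ARC-Authentication-Results: i=2; mx.google.com; arc=pass (i=1); dkim=pass header.d=rootlinks.net
ARC-Seal: i=1; a=rsa-sha256; d=rootlinks.net; s=default; t=1605514930; cv=none; b=PLACEHOLDER
ARC-Message-Signature: i=1; a=rsa-sha256; d=rootlinks.net; s=default; t=1605514930; c=relaxed/relaxed; bh=X; b=X
ARC-Authentication-Results: i=1; centos7.rootlinks.net; arc=none smtp.client-ip=192.0.2.10
"""

def parse_tags(value):
    """'i=1; a=rsa-sha256; cv=none' -> {'i': '1', 'a': 'rsa-sha256', 'cv': 'none'}."""
    pairs = (p.strip().partition("=") for p in value.split(";"))
    return {k.strip(): v.strip() for k, sep, v in pairs if sep}

def collect_arc_sets(raw):
    """Unfold RFC 5322 continuation lines, then group the ARC fields by i= instance."""
    sets = defaultdict(dict)
    for line in re.sub(r"\r?\n[ \t]+", " ", raw).splitlines():
        name, _, value = line.partition(":")
        tags = parse_tags(value) if name in ARC_FIELDS else {}
        if tags.get("i", "").isdigit():
            sets[int(tags["i"])][name] = tags
    return dict(sets)

def check_arc_chain(raw):
    """Return (status, highest instance, problems) from the RFC 8617 structural rules."""
    sets = collect_arc_sets(raw)
    top = max(sets, default=0)
    problems = []
    for i in range(1, top + 1):
        s = sets.get(i, {})
        if set(s) != set(ARC_FIELDS):  # every hop must add all three fields
            problems.append(f"i={i}: ARC set incomplete or missing")
            continue
        cv = s["ARC-Seal"].get("cv")
        if cv != ("none" if i == 1 else "pass"):  # i=1 seals an empty chain
            problems.append(f"i={i}: ARC-Seal cv={cv!r}")
        arc = (s["ARC-Authentication-Results"].get("arc", "").split() or ["none"])[0]
        if i > 1 and arc != "pass":  # later hop did not validate the earlier chain
            problems.append(f"i={i}: hop reported arc={arc} for the earlier chain")
    status = "none" if top == 0 else ("fail" if problems else "pass")
    return status, top, problems
```

Running check_arc_chain on the real 60-line header block works the same way, since folded continuation lines are joined before parsing.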
man openarc.conf
openarc.conf(5)                    File Formats Manual                    openarc.conf(5)

NAME
       openarc.conf - Configuration file for openarc

LOCATION
       /etc/openarc.conf

DESCRIPTION
       openarc(8) implements the ARC (Authenticated Received Chain) specification for verifying authentication and handling of messages as they are routed to their destinations. This file is its configuration file.

       Blank lines are ignored. Lines containing a hash ("#") character are truncated at the hash character to allow for comments in the file.

       Other content should be the name of a parameter, followed by white space, followed by the value of that parameter, each on a separate line.

       For parameters that are Boolean in nature, only the first byte of the value is processed. For positive values, the following are accepted: "T", "t", "Y", "y", "1". For negative values, the following are accepted: "F", "f", "N", "n", "0".

       See the openarc(8) man page for details about how and when the configuration file contents are reloaded.

       Unless otherwise stated, Boolean values default to "false", integer values default to 0, and string and dataset values default to being undefined.

PARAMETERS
       AutoRestart (Boolean)
              Automatically re-start on failures. Use with caution; if the filter fails instantly after it starts, this can cause a tight fork(2) loop.

       AutoRestartCount (integer)
              Sets the maximum automatic restart count. After this number of automatic restarts, the filter will give up and terminate. A value of 0 implies no limit; this is the default.

       AutoRestartRate (string)
              Sets the maximum automatic restart rate. If the filter begins restarting faster than the rate defined here, it will give up and terminate. This is a string of the form n/t[u] where n is an integer limiting the count of restarts in the given interval and t[u] defines the time interval through which the rate is calculated; t is an integer and u defines the units thus represented ("s" or "S" for seconds, the default; "m" or "M" for minutes; "h" or "H" for hours; "d" or "D" for days). For example, a value of "10/1h" limits the restarts to 10 in one hour. There is no default, meaning restart rate is not limited.

       Background (Boolean)
              Causes openarc to fork and exits immediately, leaving the service running in the background. The default is "true".

       Canonicalization (string)
              Selects the canonicalization method(s) to be used when signing messages. When verifying, the message's ARC-Message-Signature: header field specifies the canonicalization method. The recognized values are relaxed and simple as defined by the DKIM specification. The default is relaxed/simple. The value may include two different canonicalizations separated by a slash ("/") character, in which case the first will be applied to the header and the second to the body.

       ChangeRootDirectory (string)
              Requests that the operating system change the effective root directory of the process to the one specified here prior to beginning execution. chroot(2) requires superuser access. A warning will be generated if UserID is not also set.

       EnableCoredumps (boolean)
              On systems that have such support, make an explicit request to the kernel to dump cores when the filter crashes for some reason. Some modern UNIX systems suppress core dumps during crashes for security reasons if the user ID has changed during the lifetime of the process. Currently only supported on Linux.

       Include (string)
              Names a file to be opened and read as an additional configuration file. Nesting is allowed to a maximum of five levels.

       InternalHosts (dataset)
              Identifies a set of hosts that identifies clients whose connections should be treated as "internal" by this filter. Messages received from such sources will not be verified and are instead trusted as-is; in particular, their Authentication-Results fields are trusted to be correct and authentic, meaning they will be assumed to contain the correct chain status when generating an outgoing seal. See the description of "PeerList" for a description of the supported format. If no set is provided, "127.0.0.1" is added to the list by default.

       MilterDebug (integer)
              Sets the debug level to be requested from the milter library. The default is 0.

       Mode (string)
              Selects the operating mode(s) for this filter. If the string contains the character "s", the filter will sign and seal messages passing through the filter. If the string contains the character "v", the filter will do signature and seal validation of arriving messages. The two can be combined. If neither is specified, the operating mode will be inferred on a per-connection basis based on the entries in the InternalHosts list; connections from internal hosts will be assigned to signing mode, and all others will be assigned to verify mode.

       OversignHeaders (string)
              Specifies a comma-separated list of header field names that should be included in all signature header lists (the "h=" tag) once more than the number of times they were actually present in the signed message. The set is empty by default. The purpose of this, and especially of listing an absent header field, is to prevent the addition of important fields between the signer and the verifier. Since the verifier would include that header field when performing verification if it had been added by an intermediary, the signed message and the verified message were different and the verification would fail. Note that listing a field name here and not listing it in the SignHeaders list is likely to generate invalid signatures.

       PeerList (dataset)
              Identifies a set of "peers" that identifies clients whose connections should be accepted without processing by this filter. The set should contain on each line a hostname, domain name (e.g. ".example.com"), IP address, an IPv6 address (including an IPv4 mapped address), or a CIDR-style IP specification (e.g. "192.168.1.0/24"). An entry beginning with a bang ("!") character means "not", allowing exclusions of specific hosts that are otherwise members of larger sets. Host and domain names are matched first, then the IP or IPv6 address depending on the connection type. More precise entries are preferred over less precise ones, i.e. "192.168.1.1" will match before "!192.168.1.0/24". The text form of IPv6 addresses will be forced to lowercase when queried (RFC5952), so the contents of this data set should also use lowercase. The IP address portion of an entry may optionally contain square brackets; both forms (with and without) will be checked.

       PidFile (string)
              Specifies the path to a file that should be created at process start containing the process ID.

       SignatureAlgorithm (string)
              Selects the signing algorithm to use when generating signatures. Use 'openarc -V' to see the list of supported algorithms. The default is rsa-sha256.

       SignHeaders (string)
              Specifies the set of header fields that should be included when generating signatures. This is expected to be a comma-separated list of header field names, and matching is case-insensitive. If the list omits any header field that is mandated by the ARC specification, those fields are implicitly added. By default, those fields listed in the DKIM specification as "SHOULD" be signed (RFC6376, Section 5.4) will be signed by the filter.

       Socket (string)
              Specifies the socket that should be established by the filter to receive connections from sendmail(8) in order to provide service. socketspec is in one of two forms: local:path, which creates a UNIX domain socket at the specified path, or inet:port[@host] or inet6:port[@host] which creates a TCP socket on the specified port and in the specified protocol family. If the host is not given as either a hostname or an IP address, the socket will be listening on all interfaces. A literal IP address must be enclosed in square brackets. This option is mandatory either in the configuration file or on the command line.

       Syslog (Boolean)
              Log via calls to syslog(3) any interesting activity.

       SyslogFacility (string)
              Log via calls to syslog(3) using the named facility. The facility names are the same as the ones allowed in syslog.conf(5). The default is "mail".

       UserID (string)
              Attempts to become the specified userid before starting operations. The value is of the form userid[:group]. The process will be assigned all of the groups and primary group ID of the named userid unless an alternate group is specified.

NOTES
       Features that involve specification of IPv4 addresses or CIDR blocks will use the inet_addr(3) function to parse that information. Users should be familiar with the way that function handles the non-trivial cases (for example, "192.0.2/24" and "192.0.2.0/24" are not the same thing).

FILES
       /etc/openarc.conf
              Default location of this file.

VERSION
       This man page covers version 0.1.0 of openarc.

COPYRIGHT
       Copyright (c) 2007, 2008, Sendmail, Inc. and its suppliers. All rights reserved.

       Copyright (c) 2009-2017, The Trusted Domain Project. All rights reserved.

SEE ALSO
       openarc(8), sendmail(8)

       RFC5451 - Message Header Field for Indicating Message Authentication Status

       RFC5617 - DKIM Author Domain Signing Practises

       RFC5965 - An Extensible Format for Email Feedback Reports

       RFC6008 - Authentication-Results Registration for Differentiating among Cryptographic Results

       RFC6376 - DomainKeys Identified Mail

       RFC6651 - Extensions to DomainKeys Identified Mail (DKIM) for Failure Reporting

                              The Trusted Domain Project                    openarc.conf(5)