No arc header added

[Philippe34]

Hi,

I have upgraded sympa 6.2.36 to 6.2.40.
I already use DKIM features and I want to have arc seals added on outgoing messages.
I added in sympa.conf : arc_feature on

My sympa adds correctly dkim signature as this:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=ies.univ-montp2.fr; h=to
	:from:message-id:date:mime-version:content-type
	:content-transfer-encoding:subject:reply-to:sender:list-id
	:list-help:list-subscribe:list-unsubscribe:list-post:list-owner
	:list-archive; s=mail; [email protected];
	 bh=FlmeZGmsBCaUbZf1wH+vwAvTiSRoI+JfY8oQaz24csk=; b=fNh7HCfrCrfF
	C9tAnqtDsGXjp01nCTMo2pf/JfZmRPBZ0JVNjdLUye1NEUXrVvQmro3jkQPaInzm
	ONVn9EWU7k4KypAsHU1Lru4P1WceikZHIjZw72KEHZsEqtf3CKwb6RMAKbczOZJc
	ti66Yy24jn7kkICU1q1FaWaxlyXgrl4

I can see the Authentication-Results added by the MTA:

Authentication-Results: mauka.ies.univ-montp2.fr (amavisd-new);
	dkim=pass (1024-bit key) header.d=ies.univ-montp2.fr

But I have no ARC-Seal and Arc-message-Signature added as google does:

ARC-Seal: i=1; a=rsa-sha256; t=1553788241; cv=none;
        d=google.com; s=arc-20160816;
        b=gcHPwvmSpS27SgglSaSeEjWmUZhbrpFYzTyHLvgE77dsWDlCW1Ec594zsWCmcw0QcF
         u8+ThE5+1cQ4FmJc0xmf1QifDIBU+daxaHmGdOVm1B7Yw3vMQ/ZzE8GGLNaY6EWaYXHx
         cB1hrQ6qzQ1dj19P1rHuDo+7OeCKtTRiNw3R1Syl5UMf2mmBd6VCZwKFAa0xjJVQbEwT
         T4S3upJaNo8kYBrDiz4XfjjPgk3z+rRsTE56MF+hUHFLav0vviwQZu5nwOAkD5JnrjGV
         FCzNjgnkI5PD4dQ9Ixi33xIoj/eUjlmIafumAF7nf60MkoWcqUN9rV+K/i7Lrd6G5uy+
         tXdw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=archived-at:list-archive:list-owner:list-post:list-unsubscribe
         :list-subscribe:list-help:list-id:sender:precedence:precedence
         :errors-to:reply-to:subject:content-language:mime-version:user-agent
         :date:message-id:from:to:delivered-to:dkim-signature;
        bh=o5iRFcMBoJzw9v5VhDLQnUEx5R17z2GnvpqFA6k3FZM=;
        b=zKVZ9agsS4m5CFUuQ+SSUOkUYGkWjYbrIMUbkF4c4sonnvsFdJhmjo6wdxFpfE5WX7
         KmB2fSNchCcin1q9B3znSQRYS8COTKPJbe22gMxhPDLmT5Li7jZiiEppSlOcgyYCewjQ
         BVLSZCgp6ONV5SICLeIT+3V1nVM1rjoqNJq3gS9pnx0fCA4bAgR9/56+54XWTtvO9r9l
         Z5BtijW9QN1UaV3Ogp/Fa4fL97E3o7MvhTDmplKIoV3BPaPZm6xe/C/hTQ+PZav9I9ie
         vmdhttbZ0aXUavviMKo0fYWOkI+o9QJ7PeuA9UXuTX67deZjU8/A2WKatcrS7FZ33QX0
         Ak8Q==

What headers should I have been added by sympa
What could be wrong with arc in my sympa and how to debug ?

Thank you

[Philippe34]

I have checked my perl-Mail-DKIM (centoOS7 ) version: 0.53
to have the modules:
/usr/share/perl5/vendor_perl/Mail/DKIM/ARC/Seal.pm
/usr/share/perl5/vendor_perl/Mail/DKIM/ARC/Signer.pm

I saw in web configuration that I could activate ARC list by list, but it did no change anything.

[ikedas]

Hi @Philippe34,
Could you please show us how you configured parameters described in this section?

[Philippe34]

Hi @ikedas

Thanks. I helped myself with this documentation to configure DKIM and ARC (very well presented).
sympa.conf:
dkim_feature on
dkim_add_signature_to robot,list
dkim_private_key_path /etc/sympa/key_dkim
dkim_signature_apply_on any
dkim_signer_domain ies.univ-montp2.fr
dkim_selector mail
arc_feature on

I have not specified other arc parameters (by default dkim parameters)

[Philippe34]

I put log_level 3.
I did :
#grep -i Message /var/log/sympa.log | egrep 'arc_|ARC'
sympa_msg[22256]: debug2 Sympa::Message::check_arc_chain() ARC library installed, but no arc_srvid set

So I suppose I have to fill arc_srvid.
I put : arc_srvid mydomain.fr

Now I have:
sympa_msg[23349]: debug2 Sympa::Message::check_arc_chain() ARC enabled but no Authentication-Results: ies.univ-montp2.fr;

I have only Authentication-Results with my MTA which manage the mailboxes and this header is not transmitted to sympa and is added when messages are going out (in mailboxes or transmitted to gateway)
For the messages, I have the way :
postfix gateway <-> postfix MTA mailboxes with DKIM signing <-> postfix with no DKIM signing + sympa

Does this main that I have to install DKIM signing in the postfix that works with sympa ?

[ikedas]

Does this main that I have to install DKIM signing in the postfix that works with sympa ?

Reading description in the manual, I think so. Sympa treats the messages with trustworthy DKIM signature as authenticated messages.

[Edit] MTA which adds DKIM signature may not always be running in Sympa server, but it should add signature with arc_srvid domain.

[Philippe34]

I think that I have well Authentication-Results header in Sympa. My last post was not good.
If I send a message to a list, and I connect to the web interface to the archives and I click to the source code, I can see the header Authentication-Results. I guess that it comes from my MTA because I can see it in the archives.

I print here the code source of the message in sympa archives

Received: by listhost.ies.univ-montp2.fr (Postfix)
	id A14B31CB9A5; Mon,  1 Apr 2019 16:54:48 +0200 (CEST)
Delivered-To: [email protected]
Received: from xxx.ies.univ-montp2.fr (xxx.ies.univ-montp2.fr [xxx])
	by listhost.ies.univ-montp2.fr (Postfix) with ESMTP id 8A7231CAAA5
	for <[email protected]>; Mon,  1 Apr 2019 16:54:48 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
	by xxx.ies.univ-montp2.fr (Postfix) with ESMTP id 5F4DB8235F
	for <[email protected]>; Mon,  1 Apr 2019 16:54:48 +0200 (CEST)
**Authentication-Results**: xxx.ies.univ-montp2.fr (amavisd-new);
	dkim=pass (1024-bit key) reason="pass (just generated, assumed good)"
	header.d=ies.univ-montp2.fr
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=
	ies.univ-montp2.fr; h=content-language:content-type:content-type
	:mime-version:user-agent:date:date:message-id:subject:subject
	:from:from:received:received; s=mail; t=1554130488; x=
	1555944889; bh=3ukZsV0sxdMY00WNLi+pERMuTcZjyW/Cs22Mgpte0iU=; b=d
	V2jm/hD9XRwXq51Lvc/zEcrllyG2XD4S5PYrFVMx6JAja5YvcDMzV9LhN7qJvNA4
	K29xBW2+Ee7SXZVf3z8lQQvlPMMzLXlcq7hkAQJwFIGPuXvSxQUlSDljVmNjAfjZ
	fN+ytaAlQ4yFUq8y87hJ45L20EvKNohBATVbaMyjNk=
X-Virus-Scanned: amavisd-new at ies.univ-montp2.fr
Received: from xxx.ies.univ-montp2.fr ([127.0.0.1])
	by localhost (xxx.ies.univ-montp2.fr [127.0.0.1]) (amavisd-new, port 10024)
	with LMTP id TEXkRTLjLpod for <[email protected]>;
	Mon,  1 Apr 2019 16:54:48 +0200 (CEST)
Received: from [xxx] (xxx.ies.univ-montp2.fr [xxx])
	by xxx.ies.univ-montp2.fr (Postfix) with ESMTPSA id 1FB7882357
	for <[email protected]>; Mon,  1 Apr 2019 16:54:48 +0200 (CEST)
To: [email protected]

Should it be possible that sympa community post an arc header added by sympa ?
On my side, I have always this message:
debug2 Sympa::Message::check_arc_chain() ARC enabled but no Authentication-Results: ies.univ-montp2.fr;

which comes from Message.pm with this code:

my @ars =
        grep {m{^\s*\Q$srvid\E;}} $self->get_header('Authentication-Results');

    unless (@ars) {
        $log->syslog('debug2',
            'ARC enabled but no Authentication-Results: %s;', $srvid);
        return;
    }

[ikedas]

Your authentication result has a domain xxx.ies.univ-montp2.fr , but you put “arc_srvid ies.univ-montp2.fr”.

Though I don’t decide if it is fair according to ARC specification, the two things looks not the same.

[ikedas]

@jrlevine, do you have any suggestion?

[jrlevine]

Your analysis is correct -- the message must have an Authentication-Results: header with the srvid listed in arc_srvid. I can't change it, ARC needs a trustworthy A-R header to build the ARC chain.

[Philippe34]

So I put : arc_srvid xxx.ies.univ-montp2.fr.
xxx is the name of the MTA which provides the header
Google does the same thing : Authentication-Results: mx.google.com;
But the issue persists:

debug2 Sympa::Message::check_arc_chain() ARC enabled but no Authentication-Results: xxx.ies.univ-montp2.fr;

[jrlevine]

Your MTA is misconfigured. All of the MTAs for a domain should put the same srvid in the A-R header, in your case probably umontpellier.fr. The error you're seeing is the one you get if the srvid in the A-R doesn't exactly match the srvid in the sympa config.

mx.google.com is a generic name for thousands of Google MTAs, all of which put the same srvid so their ARC signatures work.

[Philippe34]

Hi @jrlevine
My MTA is not misconfigured. Sympa receives the A-R header, but I found and was trying to fix the issue.
It cannot work because my A-R is:
Authentication-Results: xxx.domain.fr (amavisd-new);
Yes, I'm using amavisd-new to DKIM signing and it does like this in A-R

So I changed the Message.pm in :

my @ars =
grep {m{^\s*\Q$srvid\E;}} $self->get_header('Authentication-Results');

by:
my @ars =
grep {m{^\s*\Q$srvid\E\s*\S*;}} $self->get_header('Authentication-Results');

When I'm doing this change, I have not : my @ars =
grep {m{^\s*\Q$srvid\E;}} $self->get_header('Authentication-Results');

BUT sympa no longer transmits any messages.
Fortunately, I could reverse my VM to old state, but I'm in production, so I have to give up arc features.
I think arc is not well implanted in Sympa.

[Philippe34]

Sorry my last post:
When I'm doing this change, I have not:
sympa_msg[23349]: debug2 Sympa::Message::check_arc_chain() ARC enabled but no Authentication-Results: ies.univ-montp2.fr;

[jrlevine]

Oh, OK, it hadn't occurred to me that someone might put a comment next to the srvid, but that is indeed valid. Try this:
my @ars =
grep {m{^(\s|([^)]))\Q$srvid\E(\s|([^)]));}} $self->get_header('Authentication-Results');

[Philippe34]

I have tried what you said.
I sent a message and I received. No bug in sympa.
I have no arc message in sympa.log:
#grep Message /var/log/sympa.log | grep debug2 | egrep 'ARC|arc_'
-> nothing

But, I still can not see the header.

[jrlevine]

Without more clues it is hard to say what the problem is. I can assure you that the ARC code works for other people. Could you provide a complete unredacted copy of one of the A-R headers it doesn't recognize?

[Philippe34]

I can provide this code source in the message I sent et I received by sympa.
When ARC code works for other people, what kind of logs can we see that shows ARC ?
I only see dkim logs.
One moment I have this log:
info Sympa::Message::remove_invalid_dkim_signature() DKIM signature of message Sympa::Message <[email protected]_z,5801,2892/z/shelved:dkim_sign> is invalid, removing

If sympa removes dkim_signature before adding a new, can it make arc not working ?

source-code-noarcheader.txt

[jrlevine]

Deleting the DKIM header shouldn't make any difference.
In your sympa configuration, what is the arc_srvid?
Is it ies.univ-montp2.fr or mauka.ies.univ-montp2.fr?

[Philippe34]

My arc_srvid is: mauka.ies.univ-montp2.fr

[Philippe34]

Just to say this test that I've tried.
As I'm sure sympa receives the A-R, I've commented in Message.pm the "return" to bypass that sympa can not see the A-R: in my case, because I guess the format of my A-R with amavisd-new is not compatible with sympa (despite your suggestion in the grep).

my @ars =
#grep {m{^\s*\Q$srvid\E;}} $self->get_header('Authentication-Results');
grep {m{^(\s|([^)]))\Q$srvid\E(\s|([^)]));}} $self->get_header('Authentication-Results');

unless (@ars) {
    $log->syslog('debug2',
        'ARC enabled but no Authentication-Results: %s;', $srvid);
    # ADDED TO BYPASS THIS WRONG GREP return;
}

I sent a message
I always have:
debug2 Sympa::Message::check_arc_chain() ARC enabled but no Authentication-Results: mauka.ies.univ-montp2.fr;

After that, sympa is no longer able to send any messages.
In my case, arc makes disable my sympa (bugs). Even if, I'm going back to the original Message.pm, and I'm restarting sympa, there is nothing to do to make it work again.
The only solution I have is to revert my VM.

[jrlevine]

ARC works fine for me so there is clearly something else going on that you haven't figured out. In particular, if the A-R lookup fails, Sympa should go ahead and send the message without ARC.

[Philippe34]

OK @jrlevine arc is not for me.
I regret it because I wanted to improve the emails working with yahoo.
So never mind and thank you for the time you spent helping me;

For my curiosity, could you post arc headers ? Il is not documented.
Thanks

[jrlevine]

See https://datatracker.ietf.org/doc/draft-ietf-dmarc-arc-protocol/

[Philippe34]

OK But I was curious with ARC header added by sympa. Please ..

[ikedas]

Hi @Philippe34 and @jrlevine ,

It cannot work because my A-R is:
Authentication-Results: xxx.domain.fr (amavisd-new);
Yes, I'm using amavisd-new to DKIM signing and it does like this in A-R

Could you please check if this patch would solve this problem? Thanks.

[Philippe34]

I've patched Message.pm.
I sent a message but sympa did not send me the message. It finds himself blocked (like I had before).

I can see in /var/spool/sympa/tmp stderr files:
-rw-r--r--. 1 993 991 0 5 avril 10:22 15584.stderr
-rw-r--r--. 1 993 991 0 5 avril 10:22 15578.stderr
-rw-r--r--. 1 993 991 1609 5 avril 10:23 15579.stderr

#cat 15584.stderr
Use of uninitialized value $ardom in lc at /usr/share/perl5/vendor_perl/Mail/DKIM/ARC/Signer.pm line 255.
Use of uninitialized value $ahdr in split at /usr/share/sympa/lib/Sympa/Message.pm line 616.
DIED: Bad RFC822 field name '' at /usr/share/sympa/lib/Sympa/Message.pm line 393.
at /usr/share/perl5/vendor_perl/Mail/Header.pm line 170.
Mail::Header::_fmt_line(MIME::Head=HASH(0x4daf388), undef, undef) called at /usr/share/perl5/vendor_perl/Mail/Header.pm line 480
Mail::Header::add(MIME::Head=HASH(0x4daf388), undef, undef, 0) called at /usr/share/sympa/lib/Sympa/Message.pm line 393
Sympa::Message::add_header(Sympa::Message <[email protected]_z,15573,6628/z/shelved:arc_cv=none;dkim_sign>, undef, undef, 0) called at /usr/share/sympa/lib/Sympa/Message.pm line 617
Sympa::Message::arc_seal(Sympa::Message <[email protected]_z,15573,6628/z/shelved:arc_cv=none;dkim_sign>, 'arc_d', 'ies.univ-montp2.fr', 'arc_selector', 'mail', 'arc_srvid', 'mauka.ies.univ-montp2.fr', 'arc_privatekey', '-----BEGIN RSA PRIVATE KEY-----\x{a}MIICXgIBAAKBgQDJRXF9r8gqgFxEe...', ...) called at /usr/share/sympa/lib/Sympa/Spindle/ProcessOutgoing.pm line 398
Sympa::Spindle::ProcessOutgoing::_twist(Sympa::Spindle::ProcessOutgoing=HASH(0x4d0e700), Sympa::Message <[email protected]_z,15573,6628/z/shelved:arc_cv=none;dkim_sign>) called at /usr/share/sympa/lib/Sympa/Spindle.pm line 83
Sympa::Spindle::spin(Sympa::Spindle::ProcessOutgoing=HASH(0x4d0e700)) called at /usr/sbin/bulk.pl line 160

I think having this non zero stderr explains that my sympa is no longer delivers any messages.

In sympa.log, I don't
sympa-log-arc.txt
have any more: debug2 Sympa::Message::check_arc_chain() ARC enabled but no Authentication-Results: mauka.ies.univ-montp2.fr;

I send you my sympa.log with a grep on : arc_

I had again to revert my VM to clean this stderr

[jrlevine]

Hm, it looks like a parameter isn't defaulting correctly. What version of Sympa are you using?

[Philippe34]

I'm using the version 6.2.40

[ikedas]

Hi,
Could you please apply this additional patch?

[Philippe34]

Hi @ikedas
I've applied this additional patch.
It's very better. I can receive the message that I sent to the list and my sympa did not crash.

I have just this log in /var/spool/tmp/20176.stderr:
Use of uninitialized value $ardom in lc at /usr/share/perl5/vendor_perl/Mail/DKIM/ARC/Signer.pm line 255.

When I'm looking at the code source of the message, there is still no ARC headers.
I send the sympa.log.
sympa-log-arc-patch2.txt

[ikedas]

I added debug log. Could you please try again?

[Philippe34]

I have applied the patch with debug log.
Here is the sympa.log:
sympa-log-arc-patch3.txt

I can see the "ARC skipped".
I wonder why ? So I sent a moderate message so that I can look at the message in moderation spool.
I can verify that the A-R is in the message:
[email protected]_223de8d589e3ff9889ba2b554d9cdb5e.txt

[Philippe34]

The problem could be explained by : Use of uninitialized value $ardom in lc at /usr/share/perl5/vendor_perl/Mail/DKIM/ARC/Signer.pm line 255

Signer.pm does not match comments. With amavisd-new, I should have:
m/^Authentication-Results:\s*([-.0-9a-z]+)\s*\S*;\s*(.*)/is;

And the code is:

if ( $header =~ m/^Authentication-Results:/ ) {
my ( $ardom, $arval ) = $header =~
m/^Authentication-Results:\s*([-.0-9a-z]+)\s*;\s*(.*)/is;

Should it possible that sympa normalizes my A-R header (removing the comment) ?
Maybe my analysis is wrong. It's just a suggestion.

[ikedas]

The problem could be explained by : Use of uninitialized value $ardom in lc at /usr/share/perl5/vendor_perl/Mail/DKIM/ARC/Signer.pm line 255

I reported a bug as RT#129066.

[Philippe34]

If I do the modification I suggested in Signer.pm, it works now for me !
I can see the ARC headers:

ARC-Seal: i=1; a=rsa-sha256; cv=none; d=ies.univ-montp2.fr; s=mail; t=
	1554720139; b=TVGDnIRp5RNIAPdeUiZzjCbFgROELWxIvnVlzPqqPbNo8clsEe
	1i2us1nRJtN2UYusqUvyY+3AeGmZp//mPGW6H6A4TTg7MN3kRVppwll8DH74sR0u
	ub9Yebwsu53iYXPimwkKy5pPA3m8+trEo5A3ZrbfkMVpOknzny2i402VY=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=
	ies.univ-montp2.fr; h=to:from:message-id:date:mime-version
	:content-type:subject:reply-to:sender:list-id:list-help
	:list-subscribe:list-unsubscribe:list-post:list-owner
	:list-archive; s=mail; bh=iYTvom7HY0p03nkEexTNxz7ybBA27vmZ8AD3K0
	oaGJU=; b=vFZx4vNitG+XlA9hhX5HW/awo0i094MPX2lowendGVe8zDyMBHAJup
	fs1rciQEZzF7R0XpkjbY7xat624VJuDRVANQa5O48btVdJ8G5ov4WtXptrxz2R1Z
	abJLdK1YvhW7E/G0YoP9NGhFf9Gqq3TlBfNa8lRW4F5pLCbjPj59M=
ARC-Authentication-Results: i=1; mauka.ies.univ-montp2.fr; dkim=pass (1024-bit key) reason="pass (just generated, assumed good)"
	header.d=ies.univ-montp2.fr

Thank you Soji

[ikedas]

Hi @Philippe34,

MBRADSHAW@cpan says:

Hi ikedas,

Thanks for the report, and the suggested fix to the regex in the linked github issue.

Annoyingly, the ABNF for the Authentication-Results header is as follows

authres-header = "Authentication-Results:" [CFWS] authserv-id
[ CFWS authres-version ]
( no-result / 1*resinfo ) [CFWS] CRLF

Meaning that it is legal for the comment to also appear before the authserv-id. Although I have never seen an instance of this in the wild.

A fix has been released to github which uses Mail::AuthenticationResults to parse out the authserv-id, this should cover all valid headers.

https://github.com/marcbradshaw/mail-dkim

Let me know if this works for you and I'll release it to CPAN.

Could you please check the new Mail-DKIM in repo (and Mail::AuthenticationResults)?

Thanks!

[Philippe34]

I removed the perl-Mail-DKIM package and I followed the instructions to install the Mail-DKIM in github repo (I had to install dependancies)

cpan[1]> i Mail::DKIM
Reading '/root/.cpan/Metadata'
Database was generated on Mon, 08 Apr 2019 00:29:02 GMT
Module id = Mail::DKIM
CPAN_USERID JASLONG (Jason Long [email protected])
CPAN_VERSION 0.54
CPAN_FILE M/MB/MBRADSHAW/Mail-DKIM-0.54.tar.gz
UPLOAD_DATE 2018-10-13
MANPAGE Mail::DKIM - Signs/verifies Internet mail with DKIM/DomainKey signatures
INST_FILE /usr/local/share/perl5/Mail/DKIM.pm
INST_VERSION 0.54

cpan[2]> i Mail::AuthenticationResults
Module id = Mail::AuthenticationResults
CPAN_USERID MBRADSHAW (Marc Bradshaw [email protected])
CPAN_VERSION 1.20180923
CPAN_FILE M/MB/MBRADSHAW/Mail-AuthenticationResults-1.20180923.tar.gz
UPLOAD_DATE 2018-09-23
MANPAGE Mail::AuthenticationResults - Object Oriented Authentication-Results Headers
INST_FILE /usr/local/share/perl5/Mail/AuthenticationResults.pm
INST_VERSION 1.20180923

I sent and I received fine my email and the ARC headers:

ARC-Seal: i=1; a=rsa-sha256; cv=none; d=ies.univ-montp2.fr; s=mail; t=
	1554738386; b=FtKuLiWGBDCC3EDhBK5yFWSdufAYe9tqneHBOxRDD+68E3LBT+
	hgGZ3dZqkOsPYlv6DgxDzKIDkG3YeQyXA3uImAl+c6qcx7YZ8ACUNAwS60iX2RQy
	Yi/apDAgL9eW3pZRGm5fRDLS1P0xvRzyCgIWIZoBAuVRcpsNumaPBNV2w=

ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=
	ies.univ-montp2.fr; h=to:from:message-id:date:mime-version
	:content-type:subject:reply-to:sender:list-id:list-help
	:list-subscribe:list-unsubscribe:list-post:list-owner
	:list-archive; s=mail; bh=SqrgtnHCP4MeE7B/z1DXzJbB311hIWJAuCW7qM
	BDkNM=; b=iOwF7dVV00ygYnQ8kjPU8keaNmQyW3PtZv0tD7+RCbeDrTE7qKOjbV
	5dsYs41XIF0yByAfoqLCubhhxZRpqWRk8kBY0XNpgPdZ9MdIL3Yv2dDOjfOBpl4g
	ZR96pwf41wcF9Am6yo6A/l/P1ddlaDfHkvhSkrDOkFOvwbBk0Y2z8=
ARC-Authentication-Results: i=1; mauka.ies.univ-montp2.fr; dkim=pass (1024-bit key) reason="pass (just generated, assumed good)"
	header.d=ies.univ-montp2.fr

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=ies.univ-montp2.fr; h=to
	:from:message-id:date:mime-version:content-type:subject:reply-to
	:sender:list-id:list-help:list-subscribe:list-unsubscribe
	:list-post:list-owner:list-archive; s=mail; i=
	[email protected]; bh=/dXyHrgApztR/kC7JDyUbcv4
	UiLOQRA6kPa2Nfaxaks=; b=ZYTzR5C0LGzZei8tIEzAwC5R15D8L4qUIK7jqrNN
	ywhjB9YV8msPFnZjT1cMhXUxm+QF+ZAt5jQOPNE6CHeZX0jJ84MMjw5m4cYpsNoL
	l+2x4dCaBnlDRh6QBPHajHsLoqeE+zI+iXkqnwxb6a6baKgo2ExonE/dpyfJqtEi
	v5s=

For me, it works fine.

Just something that confused with "arc_feature on|off" in sympa.conf

If sympa.conf : arc_feature off and config list: arc_feature on -> arc is on
if sympa.conf : arc_feature on and config list: arc_feature off -> arc is off
if sympa.conf : arc_feature on and config list: arc_feature on -> arc is on
The config of the lists overload that of sympa.conf
It should be documented.

This new arc working should be confirmed by other people

[ikedas]

For me, it works fine.

Thanks! I'll tell it to cpan.

I'll test it again when the new Mail-DKIM will be released.

[Philippe34]

Now that my sympa provides ARC headers, I would like to give you my feedback with gmail anf Yahoo subscribers.

When a subscriber of my domain writes to the list, gmail and yahoo subscribers receive well the message.

When gmail subscriber writes to the list, whatever DKIM or ARC are on or off, he does not receive the message (no bounce, no sympa errors, not in spam mailbox). It seems that google destroys the message without any warnings.

Yahoo does the same thing, but Sympa receives bounces and we know that the message is on errors.

I'm surprised that, in my case, ARC did not change anything with google, because google uses ARC (maybe google does not like my amavisd-new or the new Mail-DKIM ? I don't know)
It seems Yahoo does not use ARC, so it can be normal.

That is the results of my tests. I think other people will have best results.

[racke]

You are sure that the email doesn't end up in SPAM for Gmail?

[Philippe34]

I've cheched my Spam for Gmail and I only see the message sent by the Yahoo subscriber (it's me).
There are no messages sent by the Gmail subscriber (it's me)

[racke]

Do your mail logs confirm successfully delivery to Gmail?

[Philippe34]

Yes I can verify in mail logs that the postfix gateway of my domain delivers messages to Gmail adress.

[ikedas]

I guess ARC chain has been broken from the view of google. That is, I think that the (new) ARC seal Sympa added considers only A-R by ies.univ-montp2.fr server which is not trusted by gmail.com, I.e. the server of originators.
I’m not sure I’m right, and don’t know how to solve it.

[ldidry]

When gmail subscriber writes to the list, whatever DKIM or ARC are on or off, he does not receive the message (no bounce, no sympa errors, not in spam mailbox). It seems that google destroys the message without any warnings.

In fact, it hides it: as Gmail already has the message in "Sent" folder, it assumes that the user doesn't have to read it again (or something like that). See https://webapps.stackexchange.com/questions/73779/messages-sent-to-mailing-list-not-shown-in-gmail/73805#73805

Gmail ¯\_(ツ)_/¯

[Philippe34]

Thank you @ldidry for this information. It could be the good explanations.
I have to find someone with an another Gmail adress to confirm.

[Philippe34]

Everything is good with Gmail (cv=pass)

ARC-Seal: i=2; a=rsa-sha256; t=1554812633; cv=pass;
        d=google.com; s=arc-20160816;
        b=NTcyaD86MzNYJNDc7SFCmXDdbkoz0c3v/9rEOzxtvZSiL68jdeCuhp1L5cCcPXgEo5
         HHUsX/6TuPTseanZH/167n5zneKtRIxTFy3nBw35eUKfk5THrjpBpWegslPt0ID/OvvX
         NOITlwMYJtEK+Hj+pqA8OsryBFUpwF6B8ht28KBaDHT6mckTImu0bNOb2+ZXMquFfTU6
         xkiZv/0U4zdG1QFvOjqlRRThBcpGOXKCgjTJJTpLNwD06/qwnuGm9axEslzJ26+aKVLv
         IPPY0DKCUyzjOwoH0RO4eF2zU4eD5WPl9A01hmzU8g+8O4DeoPa7yuli77YWXgVGCx/x
         0Z4A==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=archived-at:list-archive:list-owner:list-post:list-unsubscribe
         :list-subscribe:list-help:list-id:sender:precedence:precedence
         :errors-to:reply-to:subject:to:message-id:date:from:mime-version
         :delivered-to:dkim-signature;
        bh=2Oexw1hi8uYuQATRvoEZuvjvljmNDdbtzRtjOLxaooE=;
        b=sOFRhVrn4xs0YGnJ4/1mlP/fTu/ZbkrwCIHHKeVsPyL/LyBr/88XxvDl0fntrUlmCR
         P8LVYUuEN1EIyatLIP3t79a3/5rq/C5tiD4zDSPy/ahtdbrripeSDRe2niGOrg0CSJ9s
         htJm41h+Hl3catr3yEaS4EgOPKA38tb64T7Hnci1a+u6zuFVU+TehI+DxdOMGy21kFW9
         XSHGb5asPMyRmwoKNoEaUsVg0cLp/6Y3tjrVmUZccVRRbfBmlyzj2aRdN9iSUdjOYc2A
         tyCkaQ8VoZznD7yqx0Bt5D/yycMMF+TMoNc/oTYT7aH1UaKm9Ie2m4aBRaCXaB2hOD9a
         jaDg==
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass [email protected] header.s=mail header.b=e+Hj2v0r;
       arc=pass (i=1 dkim=pass dkdomain=gmail.com);
       spf=pass (google.com: domain of [email protected] designates 162.38.101.226 as permitted sender) [email protected];
       dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com

[ikedas]

Mail-DKIM 0.55 has been released. I have merged accumulated fixes on Sympa and they will be included in the next release.

@Philippe34, if you don't see problems or questions anymore, please close this issue.

Thank you so much for reporting bug and confirming fixes!

[Philippe34]

Thank you very much to the Sympa community and Soji for all you do to advance Sympa. I feel it as a living project.
I will test the new version as soon as possible when it comes out.

PS: I might have another problem to report (mod_proxy_fcgi), but I still have to test. This is an other story ... 😉