groveling for a build with ARC

Robert Lister robl at lentil.org
Mon Dec 18 23:30:05 GMT 2023


Hi Randy,

I had a go at this a while ago. I ended up using the Debian exim source
package to build "exim4-daemon-custom" for a little clusterfoo of 
reasons.

I have a mix of Debian Bullseye and Bookworm servers; I cannot yet
upgrade some of them to Bookworm because reasons.

Because lazy and I just prefer everything in one file (from the
Philip Hazel days) I use my own /etc/exim4/exim4.conf instead
of the debian-exim split conf.

When I upgraded to Bookworm, my existing SPF config broke.

Bullseye exim4-daemon-heavy (4.94 and before) did not enable Exim's
SPF checking, but instead relied on an external tool (spfquery) and
the Debian config shipped appropriate (if a bit ugly!) configuration
to make SPF work, which I stole and put in my exim4.conf.

Bookworm exim4-daemon-heavy (4.96) now has Exim's SPF checking
enabled - but still not ARC - by default. "spfquery" and
the ugly config are gone, but we still need ARC for mailing lists etc.

My config broke because it was trying to use the "spfquery" style
config on newer exim, which hit a bug in the ${run...} expansion
it uses in exim 4.96! I added this to the FAQ, amongst other things.

https://wiki.debian.org/PkgExim4UserFAQ#Why_did_my_SPF_verification_break_after_upgrading_to_Debian_bookworm.3F

Because I wanted the new and older servers to have SPF+DMARC and
the same config, I built it for both Bullseye and Bookworm boxes,
and just used Exim's built-in SPF ACL and at the same time enabled
Experimental_ARC.

I've got DKIM and SPF working. So far so good.

Exim's ARC support is very sparsely documented, and there aren't
(yet) any clear config examples or HOWTOs. Although it doesn't look
too difficult, it means a bit of trial and error in a real environment.

ARC support is mentioned in:

https://github.com/Exim/exim/blob/master/doc/doc-txt/experimental-spec.txt

It provides a few config recommendations, including this nugget:

"to strip incoming messages of A-R headers that claim to be from
our own <admd-identifier>:

"remove_header = \N^(?i)Authentication-Results\s*::\s*example.org;\N""

What it does *not* mention is that the ability to use regexp patterns
like this in remove_header is only supported since the 4.97 release.
(The current stable release/bookworm is only 4.96.)

Worse, it doesn't produce any errors. It just silently doesn't work!
That's an hour I won't get back. I guess I have to be careful to read
the version of experimental-spec.txt that ships with whatever is
installed, and not the one online. It's tucked away in some
/usr/share/doc directory I would never think to look in. :)

I still have a bit of testing to do - haven't been brave enough to start
breaking mailing lists and enable ARC everywhere just yet.

I did an internal write-up of how to build exim4-daemon-custom,
enabling/disabling various features. I suppose it wouldn't be too
much work to put it in the Debian wiki somewhere. I found various
other sources which helped, but were a bit out of date.

Another possible benefit of building from the Debian source package
is that you can build it with only the features you use. A security
gain of sorts, if you can reduce attack surface by just not
compiling in a dozen features.


R.


On 2023-12-18 21:03, Randy Bush wrote:
>>> and i want a pony :)
>> https://www.freshdot.net/img_media/no-pony-for-you.jpg
> 
> sigh.
> 
> i have hacked a recipe set for a sysadmin clan with whom i hang.  i
> would appreciate any input, corrections, ...
> 
> https://git.rg.net/randy/randy/src/master/spf-dkim.md
> 
> randy


-- 
Rob
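The header-stripping rule quoted from experimental-spec.txt above, re-implemented in Python as an added example (not from Rob's post, Debian's packaging or Exim itself) so it can be exercised offline against a constructed message and compared with what a given Exim version actually does. It assumes the "::" in Exim's pattern stands for the header name/value separator, so the name is matched by the email library and only the value is checked by the regexp; "example.org" is the placeholder ADMD from the spec text.

```python
"""Strip Authentication-Results (A-R) headers that claim to be from our own ADMD."""
import re
from email import message_from_string
from email.message import Message

# authserv-id of our own ADMD; example.org is the placeholder used in the spec text
OUR_ADMD = "example.org"

# Same intent as the quoted remove_header pattern: value starts with our
# authserv-id (any case, optional whitespace) followed by ';'.  The dot is
# escaped here, so "example.org.evil;" is not mistaken for ours.
AR_OURS = re.compile(r"^\s*" + re.escape(OUR_ADMD) + r"\s*;", re.IGNORECASE)


def strip_own_ar_headers(msg: Message) -> int:
    """Drop A-R headers naming OUR_ADMD from an inbound message; return the count.

    Any upstream hop can write such a header, so on receipt it carries no
    authority; removing it before our own verifier adds its result stops a
    forged "pass" from being trusted downstream.  Other ADMDs' headers stay.
    """
    all_ar = msg.get_all("Authentication-Results", [])  # name match is case-insensitive
    keep = [v for v in all_ar if not AR_OURS.match(v)]
    removed = len(all_ar) - len(keep)
    if removed:
        del msg["Authentication-Results"]  # deletes every instance of the header
        for v in keep:                     # re-add third-party results, order kept
            msg["Authentication-Results"] = v
    return removed


def filter_raw(raw: str) -> tuple[int, list[str]]:
    """Parse raw RFC 5322 text, strip, and return (removed, remaining A-R values)."""
    msg = message_from_string(raw)
    return strip_own_ar_headers(msg), msg.get_all("Authentication-Results", [])


# Constructed sample: two forged headers naming our ADMD (one folded, odd case)
# and one legitimate header from another ADMD.
SAMPLE = """\
Received: from mail.other.example (constructed sample)
Authentication-Results: example.org; spf=pass smtp.mailfrom=sender.example
Authentication-Results: EXAMPLE.ORG ;
\tdkim=pass header.d=sender.example
Authentication-Results: mx.third-party.example; spf=fail smtp.mailfrom=x.example
Subject: constructed test message

body
"""

if __name__ == "__main__":
    print(filter_raw(SAMPLE))  # (2, ['mx.third-party.example; spf=fail smtp.mailfrom=x.example'])
```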
