Hi,
I'm using postfix-3.8.5 on fedora40 and having a problem with forwarding
mail from our relay to gmail recipients. We have some users using
~/.forward files to individual gmail accounts. Obviously not ideal, but I
hoped openarc could help alleviate some of those problems.

Aug  3 17:01:48 cipher postfix-gmail/smtp[478730]: 9415A3D59D: host
gmail-smtp-in.l.google.com[142.251.179.26] said: 421-4.7.26 Your email has
been rate limited because it is unauthenticated. Gmail 421-4.7.26 requires
all senders to authenticate with either SPF or DKIM. 421-4.7.26
421-4.7.26  Authentication results: 421-4.7.26  DKIM = did not pass
421-4.7.26  SPF [clclodging.com] with ip: [209.216.111.60] = did not pass
421-4.7.26  421-4.7.26  For instructions on setting up authentication, go
to 421 4.7.26  https://support.google.com/mail/answer/81126#authentication
6a1803df08f44-6bb9c83f500si53204456d6.247 - gsmtp (in reply to end of DATA
command)

Gmail doesn't recognize the above as a forwarded email, so DKIM and SPF
fail. Will openarc solve the issue above with authentication failure?

Here is my openarc.conf:
PidFile                 /run/openarc/openarc.pid
Syslog                  yes
UserID                  openarc:openarc
Socket                  local:/run/openarc/openarc.sock
Mode                    sv
SignHeaders
 to,subject,message-id,date,from,mime-version,dkim-signature
PeerList                /etc/openarc/PeerList
MilterDebug             1
AuthservID              cipher.example.com
Canonicalization        relaxed/simple
Domain                  mail.example.com
InternalHosts           /etc/openarc/TrustedHosts
KeyFile                 /etc/openarc/keys/example.com/default
FinalReceiver           yes
Selector                default

Here is a message like the one above. It says the DKIM signing key for
hotelplanner.com was too small? The "cv=none" indicates my server (
mail.example.com) was unable to locate an ARC chain to validate?

ARC-Seal: i=1; a=rsa-sha256; d=mail.example.com; s=default;
        t=1722724259; cv=none;
b=fOYv8Kqb6qKgdKewEx25qkFRyWD9KtaUPDn7w59/sqLWtL1aNNQ6OJtn9baAeF512/zP0y8dCpk9O0WifqObfjOJqv+mekC2Zg6qUJeKV0vDcWAiUihZ8vzWJSWIprAUVogVHY/3KodK99EceZDqDGsRVI3lGQzx1s/3EN2PLWc=

But it was able to add its own ARC message, it appears:
ARC-Message-Signature: i=1; a=rsa-sha256; d=mail.example.com; s=default;
        t=1722724259; c=relaxed/simple;
        bh=RnZKEmC2EEAMNOzvw+eIxkLYVgp2xb6lRNdcxiooPwY=;
        h=DKIM-Signature:Date:From:To:Message-ID:Subject:MIME-Version;
b=s9SviFMfjkc5O35u5m9bmB3M2cdpUoD+kewzbfREmir9zuIYX/R/i8VjwDvA6qsvinXTy25tZjork4PJLp5fPC5mYMMCFrGHbQeOR/YtBrj0uY7SWr7JeVax8/8VEmwxZN291AxJpRXufQOwRqrrperI17Fj+dJ8Db4vknnPuS4=
ARC-Authentication-Results: i=1; cipher.example.com; dkim=policy (512-bit
key, unprotected) header.d=hotelplanner.com header.i=@hotelplanner.com
header.a=rsa-sha256 header.s=HotelPlanner header.b=Eh3MZYHI reason="signing
key too small"

As well as DKIM sign the message:
DKIM-Filter: OpenDKIM Filter v2.11.0 cipher.example.com E73BC3F217
Authentication-Results: cipher.example.com;
        dkim=policy reason="signing key too small" (512-bit key,
unprotected) header.d=hotelplanner.com header.i=@hotelplanner.com
header.a=rsa-sha256 header.s=HotelPlanner header.b=Eh3MZYHI

Thanks for any guidance.
Alex
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org

Reply via email to