View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0010979 | Taler | deployment and operations | public | 2026-02-04 15:23 | 2026-06-27 21:58 |
| Reporter | Florian Dold | Assigned To | vecirex | ||
| Priority | urgent | Severity | major | Reproducibility | have not tried |
| Status | confirmed | Resolution | open | ||
| Product Version | git (master) | ||||
| Target Version | 1.7 | ||||
| Summary | 0010979: DKIM/ARC and MTA-STS missing for email setup on firefly | ||||
| Description | That means mail deliverability will be impacted / less than optimal. | ||||
| Tags | No tags attached. | ||||

See admin log for some ongoing analysis; third-party deliverability reports look good already as for DKIM; more problematic are blocking lists because of other services running on the mail server. Such lists might be consulted by receiving email servers. Wait for some more info, on it.

No systematic tests yet done for all domains allowed, but there's, e.g., a DMARC issue when sender is @gnunet.org (@taler.net is fine, used for mytops): Using mail(1) by default using root@gnunet.org as sender yields this in mail.log; using, on the other hand, -a "From: root@taler.net" works perfectly fine with same gmail address: "[...] 550-5.7.26 Unauthenticated email from gnunet.org is not accepted due to domain's 550-5.7.26 DMARC policy. Please contact the administrator of gnunet.org domain 550-5.7.26 if this was a legitimate mail. To learn about the DMARC initiative, 550-5.7.26 go to 550 5.7.26 https://support.google.com/mail/?p=DmarcRejection a640c23a62f3a-b9084fe3d10si822067866b.409 - gsmtp (in reply to end of DATA command))" => DMARC still needs fixing, at least for certain domains, but I do further analysis and tests for sending as @taler.net, as this must immediately work reliably. Ticket, however, only to be marked as done when fixed for all domains used.

On it, but need more time for more tests, need also to do other tasks, so reducing prio from just doing this. :)

Update:
- ARC for email forwarding needs to be configured
- MTA-STS seems to be configured for taler.net, but needs testing
- DKIM activated for anastasis.lu, taler-ops.ch, taler-systems.com (migration ongoing, to firefly server; i.e., no effect yet)
- DKIM activated for gnunet.org & taler.net and tested to work properly

Adding (internal) tickets blocking this ticket now: solve them, close this.

Analysis with proposed fix attached. @hernani: please review, apply and document in admin-log!

fix.sh (4,397 bytes)

```bash
#!/bin/bash
#
# Fix for Mantis bug 10979 — DKIM/ARC and MTA-STS on firefly (host-side parts).
#
# Does the two things that can be fixed without DNS access:
#   1. Enable ARC signing in rspamd (reusing the existing DKIM keys/selector).
#   2. Repair the malformed MTA-STS policy served for mta-sts.taler.net
#      (the served bytes currently have leading whitespace -> invalid per RFC 8461).
#
# DNS-side work (publishing the DKIM selector, _mta-sts/ TXT records, DMARC, and
# MTA-STS for other domains) is NOT done here — see analysis.md.
#
# Idempotent; validates nginx and rspamd before reloading. Run as root on firefly.
#
set -euo pipefail

if [[ "$(id -u)" -ne 0 ]]; then
    echo "ERROR: must be run as root." >&2
    exit 1
fi

ts="$(date +%Y%m%d%H%M%S)"
DKIM_CONF="/etc/rspamd/local.d/dkim_signing.conf"
ARC_CONF="/etc/rspamd/local.d/arc.conf"
MTASTS_VHOST="/etc/nginx/sites-enabled/mta-sts.site"

# -------------------------------------------------------------------------
# 1) ARC signing in rspamd, mirroring DKIM signing's key path + selector.
# -------------------------------------------------------------------------
if [[ ! -r "$DKIM_CONF" ]]; then
    echo "ERROR: $DKIM_CONF not found; cannot mirror DKIM settings for ARC." >&2
    exit 1
fi

# Reuse the same path/selector that DKIM signing uses so ARC signs with the
# same already-deployed keys.
DKIM_PATH="$(sed -nE 's/^[[:space:]]*path[[:space:]]*=[[:space:]]*"([^"]+)".*/\1/p' "$DKIM_CONF" | head -n1)"
DKIM_SELECTOR="$(sed -nE 's/^[[:space:]]*selector[[:space:]]*=[[:space:]]*"([^"]+)".*/\1/p' "$DKIM_CONF" | head -n1)"
DKIM_PATH="${DKIM_PATH:-/etc/rspamd/dkim/\$domain/\$domain-\$selector.key}"
DKIM_SELECTOR="${DKIM_SELECTOR:-mail-2026-3}"

echo "==> Writing ${ARC_CONF} (selector=${DKIM_SELECTOR})"
[[ -f "$ARC_CONF" ]] && cp -a "$ARC_CONF" "${ARC_CONF}.bak.${ts}"
cat > "$ARC_CONF" <<EOF
# Installed by fix for Mantis bug 10979 — ARC signing.
# Mirrors dkim_signing.conf so ARC reuses the same deployed keys/selector.
enabled = true;
allow_envfrom_empty = true;
allow_hdrfrom_mismatch = true; # ARC is about forwarding; mismatch is expected
allow_username_mismatch = true;
path = "${DKIM_PATH}";
selector = "${DKIM_SELECTOR}";
sign_authenticated = true;
sign_local = true;
use_domain = "header";
use_esld = true;
use_redis = false;
try_fallback = true;
EOF
chmod 0644 "$ARC_CONF"

echo "==> Validating rspamd configuration"
if command -v rspamadm >/dev/null 2>&1; then
    rspamadm configtest
fi

# -------------------------------------------------------------------------
# 2) Repair the MTA-STS policy (remove leading whitespace from served lines).
# -------------------------------------------------------------------------
if [[ -f "$MTASTS_VHOST" ]]; then
    echo "==> Rewriting ${MTASTS_VHOST} with a valid (flush-left) policy"
    cp -a "$MTASTS_VHOST" "${MTASTS_VHOST}.bak.${ts}"
    cat > "$MTASTS_VHOST" <<'EOF'
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name mta-sts.taler.net;
    ssl_certificate /etc/letsencrypt/live/mail/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mail/privkey.pem;
    include conf.d/gnunet-org-tls-defaults.conf;
    error_log off;
    access_log off;
    root /dev/null;

    # RFC 8461: every line must be "key: value" with NO leading whitespace.
    # Continuation lines below are intentionally flush-left.
    location /.well-known/mta-sts.txt {
        default_type text/plain;
        return 200 "version: STSv1
mode: testing
max_age: 86400
mx: gv.taler.net
mx: *.taler.net
";
    }
}
EOF
    echo "==> Validating nginx configuration"
    if nginx -t; then
        systemctl reload nginx
    else
        echo "ERROR: nginx -t failed; restoring previous vhost." >&2
        cp -a "${MTASTS_VHOST}.bak.${ts}" "$MTASTS_VHOST"
        exit 1
    fi
else
    echo "NOTE: ${MTASTS_VHOST} not found; skipping MTA-STS repair."
fi

# -------------------------------------------------------------------------
# Reload rspamd last (after configtest passed).
# -------------------------------------------------------------------------
echo "==> Reloading rspamd"
systemctl reload rspamd 2>/dev/null || systemctl restart rspamd

echo
echo "Done (host-side). ARC signing enabled; MTA-STS policy now RFC-valid."
echo "Remember the DNS-side records — see analysis.md (DKIM selector publish,"
echo "_mta-sts TXT, DMARC). Validate, then consider MTA-STS mode: enforce."
```

analysis.md (4,104 bytes)

# Bug 10979 — DKIM/ARC and MTA-STS missing for email setup on firefly
**Mantis:** https://bugs.gnunet.org/view.php?id=10979
**Category:** deployment and operations · **Host:** firefly.gnunet.org
## Problem
The ticket asks for DKIM/ARC and MTA-STS to be set up for firefly's mail. Current
state, confirmed read-only on firefly today:
| Mechanism | State on firefly |
| --- | --- |
| **DKIM signing** | **Already enabled** in rspamd (`/etc/rspamd/local.d/dkim_signing.conf`, `enabled = true`, `selector = "mail-2026-3"`, keys under `/etc/rspamd/dkim/$domain/`). A code comment notes the selector is *"invalid in DNS"*. |
| **ARC** | **Missing** — no `/etc/rspamd/local.d/arc.conf`. |
| **MTA-STS** | **Partially present but broken** — an `mta-sts.taler.net` nginx vhost serves a policy, but the policy body is malformed (see below) and only covers `taler.net`. |
### The MTA-STS policy is malformed
The `mta-sts.taler.net` vhost returns:
```nginx
location /.well-known/mta-sts.txt {
default_type text/plain;
return 200 "version: STSv1
mode: testing
max_age: 86400
mx: gv.taler.net
mx: *.taler.net";
}
```
The continuation lines are indented in the nginx source, so the **served bytes
contain leading whitespace** on every line after the first:
`" mode: testing"`. RFC 8461 §3.2 requires lines of the form `key: value`
with no leading whitespace; a parser that follows the grammar will treat the
policy as invalid and ignore it. So MTA-STS is effectively **not working** even for
taler.net. It is also in `mode: testing` (no enforcement) and exists for no other
domain.
## What can be fixed on firefly (this fix.sh)
Two changes that live entirely on the host and need no DNS:
1. **Enable ARC signing in rspamd.** Add `/etc/rspamd/local.d/arc.conf` mirroring
the existing DKIM signing config (same key path and selector). ARC ("Authenticated
Received Chain") lets downstream receivers trust the original SPF/DKIM results
through firefly when it *forwards* mail — directly complementary to the SRS work
in 11462 and the forwarding/reputation problems in 11317/11393.
2. **Fix the MTA-STS policy** so it is actually valid: rewrite the
`mta-sts.taler.net` vhost with the policy lines flush-left (no leading
whitespace). Mode is kept at `testing` deliberately — that is the safe state
until reporting confirms senders honour the policy; flipping to `enforce` is a
one-word follow-up once validated. nginx config is validated (`nginx -t`) before
reload.
## What cannot be done from firefly (needs DNS — documented, not scripted)
These require editing DNS zones, which is explicitly out of reach from this host
(see also 11264/11279 where the team notes "we don't control the DNS zones"):
- **DKIM:** publish the `mail-2026-3._domainkey.<domain>` TXT record with the public
key for each signing domain (the in-code comment says the current selector is
"invalid in DNS" — i.e. the record is missing/wrong). Generate the public record
per domain with:
`rspamadm dkim_keygen -s mail-2026-3 -d <domain>` (public part only) or read the
existing key's `.pub`/`.txt` — then publish it.
- **MTA-STS DNS:** for each domain needing MTA-STS, publish
`_mta-sts.<domain>. TXT "v=STSv1; id=<timestamp>"` and an
`mta-sts.<domain>` A/AAAA record pointing at firefly, plus (recommended) a
TLSRPT record `_smtp._tls.<domain> TXT "v=TLSRPTv1; rua=mailto:..."`.
- **DMARC** (to make DKIM/SPF actionable): `_dmarc.<domain> TXT "v=DMARC1; p=..."`.
- Extending MTA-STS beyond taler.net (gnunet.org, anastasis.lu, taler-systems.com,
taler-ops.ch) additionally needs a vhost + certificate per `mta-sts.<domain>`,
which depends on the DNS records above existing first.
## Verification
```
# ARC
rspamadm configtest # rspamd config still valid
grep enabled /etc/rspamd/local.d/arc.conf
# send a test message through a forward and confirm ARC-Seal/ARC-Message-Signature headers
# MTA-STS validity (no leading spaces)
curl -s https://mta-sts.taler.net/.well-known/mta-sts.txt | cat -A | head
```
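An added example, not code from the ticket or its attachments: a bash checker for the RFC 8461 policy file grammar that flags the leading-whitespace defect analysis.md describes, run against a constructed copy of the policy body as served before and after the fix. The function name `mta_sts_check`, the sample policies and the extra required-field checks are this example's own assumptions, not anything from fix.sh.

```bash
#!/bin/bash
# Added example, not code from the ticket or its attachments: a checker for the
# RFC 8461 policy file format. Feed it the bytes a receiver would fetch, e.g.
#   mta_sts_check "$(curl -s https://mta-sts.<domain>/.well-known/mta-sts.txt)"
# Prints one diagnostic per defect; returns 0 only for a valid policy.
mta_sts_check() {
    local policy="$1" line key val n=0 rc=0
    local version="" mode="" max_age="" mx_count=0
    local re_field='^([A-Za-z0-9][A-Za-z0-9_.-]*):[[:space:]]*([^[:space:]]+)[[:space:]]*$'
    while IFS= read -r line; do
        n=$((n + 1))
        line="${line%$'\r'}"            # policy lines may end in LF or CRLF
        [[ -z "$line" ]] && continue
        # Fields are "key: value" starting in column 1; a leading blank (the vhost
        # defect) makes a conforming receiver discard the whole policy.
        if [[ "$line" =~ ^[[:space:]] ]]; then
            echo "line $n: leading whitespace, policy would be rejected: '$line'"
            rc=1; continue
        fi
        if [[ ! "$line" =~ $re_field ]]; then
            echo "line $n: not a 'key: value' field: '$line'"
            rc=1; continue
        fi
        key="${BASH_REMATCH[1]}"; val="${BASH_REMATCH[2]}"
        case "$key" in
            version) version="$val" ;;
            mode)    mode="$val" ;;
            max_age) max_age="$val" ;;
            mx)      mx_count=$((mx_count + 1)) ;;
            *)       echo "line $n: unknown field '$key' (receivers ignore it)" ;;
        esac
    done <<< "$policy"
    [[ "$version" == "STSv1" ]] || { echo "version must be STSv1 (got '$version')"; rc=1; }
    case "$mode" in
        testing|enforce|none) ;;
        *) echo "mode must be testing, enforce or none (got '$mode')"; rc=1 ;;
    esac
    [[ "$max_age" =~ ^[0-9]{1,10}$ ]] || { echo "max_age must be an integer (got '$max_age')"; rc=1; }
    if [[ "$mode" != "none" && "$mx_count" -eq 0 ]]; then
        echo "mode '$mode' needs at least one mx field"; rc=1
    fi
    return "$rc"
}
# Constructed samples: BROKEN_POLICY mirrors the indented body the vhost served
# before the fix; FIXED_POLICY is the flush-left version fix.sh installs.
BROKEN_POLICY=$'version: STSv1\n    mode: testing\n    max_age: 86400\n    mx: gv.taler.net\n    mx: *.taler.net'
FIXED_POLICY=$'version: STSv1\nmode: testing\nmax_age: 86400\nmx: gv.taler.net\nmx: *.taler.net'
for p in BROKEN_POLICY FIXED_POLICY; do
    if mta_sts_check "${!p}"; then echo "$p: valid"; else echo "$p: INVALID"; fi
done
```

Pipe the `curl` output from the Verification section into the function instead of eyeballing `cat -A`; a non-zero exit means receivers will ignore the policy.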
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2026-02-04 15:23 | Florian Dold | New Issue | |
| 2026-02-04 20:04 | Christian Grothoff | Assigned To | => vecirex |
| 2026-02-04 20:04 | Christian Grothoff | Priority | normal => urgent |
| 2026-02-04 20:04 | Christian Grothoff | Severity | minor => major |
| 2026-02-04 20:04 | Christian Grothoff | Status | new => assigned |
| 2026-02-04 20:04 | Christian Grothoff | Product Version | => git (master) |
| 2026-02-04 20:04 | Christian Grothoff | Target Version | => 1.5 |
| 2026-02-05 20:11 | vecirex | Status | assigned => acknowledged |
| 2026-02-22 14:41 | Christian Grothoff | Status | acknowledged => confirmed |
| 2026-02-22 15:05 | Christian Grothoff | Relationship added | child of 0011102 |
| 2026-02-22 15:05 | Christian Grothoff | Status | confirmed => assigned |
| 2026-02-23 18:00 | Christian Grothoff | Priority | urgent => immediate |
| 2026-02-24 21:33 | vecirex | Note Added: 0027877 | |
| 2026-02-24 23:00 | vecirex | Note Added: 0027883 | |
| 2026-02-25 13:55 | vecirex | Priority | immediate => high |
| 2026-02-25 13:55 | vecirex | Note Added: 0027889 | |
| 2026-03-17 11:59 | Christian Grothoff | Target Version | 1.5 => 1.6 |
| 2026-03-21 08:52 | vecirex | Priority | high => urgent |
| 2026-03-21 08:52 | vecirex | Note Added: 0028227 | |
| 2026-03-25 14:24 | vecirex | Status | assigned => confirmed |
| 2026-04-22 00:01 | vecirex | Relationship replaced | related to 0011102 |
| 2026-04-22 00:01 | vecirex | Relationship deleted | related to 0011102 |
| 2026-05-29 20:47 | Christian Grothoff | Target Version | 1.6 => 1.7 |
| 2026-06-27 21:58 | Christian Grothoff | Note Added: 0028999 | |
| 2026-06-27 21:58 | Christian Grothoff | File Added: fix.sh | |
| 2026-06-27 21:58 | Christian Grothoff | File Added: analysis.md | |