[personal profile] solarbird

We’ve had to disable greylisting on our mail server, because ever since the latest round of security updates we loaded over the weekend, every dkim-using host in the world fails key retrieval at milter-greylist, and we don’t get mail from google or twitter or yahoo or much of anybody large anymore.

And there’s no way to just disable dkim check in milter-greylist.

Anybody have any idea what the fuck might have happened? Searching online finds me exactly nothing. Here’s a sample – every transaction involving DKIM-signed mail fails, every time, and it started at the weekend round of security patches:

Jan 25 23:31:25 newmoon sm-mta[978]: u0Q7VOMi000978: from=<ZZZZZZZZ@gmail.com>, size=2334, class=0, nrcpts=1, msgid=<CAAsYJfyDCB0w3uKXjie-uXF_Xskt524MuKU4=HHckYMkeDKZQg@mail.gmail.com>, proto=ESMTP, daemon=MTA, relay=mail-pf0-f179.google.com [209.85.192.179]
Jan 25 23:31:25 newmoon milter-greylist: DKIM failed: Key retrieval failed
Jan 25 23:31:25 newmoon sm-mta[978]: u0Q7VOMi000978: Milter: data, reject=451 4.3.2 Please try again later
Jan 25 23:31:25 newmoon sm-mta[978]: u0Q7VOMi000978: to=<YYYYYYYY@murkworks.net>, delay=00:00:00, pri=32334, stat=Please try again later

Mirrored from Crime and the Blog of Evil. Come check out our music at:
Bandcamp (full album streaming) | Videos | iTunes | Amazon | CD Baby

Thoughts & Ideas

Date: 2016-01-26 11:47 pm (UTC)
From: [personal profile] rfunk
I use postgrey on Ubuntu, so I can only speculate here... apologies if all of this is obvious to you.

Starting with the most obvious: Was milter-greylist one of the things updated? If so, I'd be investigating the changes.

Does your DNS still work? Is there anything blocking DNS requests on either UDP or TCP? (Recent DKIM keys are often big enough to require TCP for the DNS, but sometimes TCP DNS is broken while UDP DNS works.) Can you do the DKIM request yourself with dig? (e.g. "dig -t txt 20120113._domainkey.gmail.com" works for me.)

It may be worthwhile to grab the Debian source of milter-greylist, find where the DKIM checking happens, disable it in the code, then do your own build. ("debuild -us -uc", if I remember right.)

Or maybe it would be easier/better just to find a different greylist tool that doesn't try to act outside its scope. (I see one called "gross" that looks like it should work for all mail servers, but I don't know more than the package description.)
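One way to run the DNS checks suggested in this comment without dig, as an added example that is not part of the original post or of milter-greylist: the script below builds a minimal DKIM TXT query without EDNS0, sends it over UDP (where a reply larger than 512 bytes cannot fit and the server sets the TC bit), then repeats it over TCP and parses the key record. The resolver address (127.0.0.1) and the default selector/domain are assumptions; the default name is the one from the dig example above.

```python
"""Check whether a DKIM selector TXT record is retrievable over UDP and TCP DNS.
Added example (standard library only), not code from the post or milter-greylist.
Resolver address and selector/domain are assumptions supplied on the command line."""
import socket
import struct
import sys

QTYPE_TXT, QCLASS_IN = 16, 1


def build_txt_query(name, txn_id=0x1234):
    """Return the wire form of a TXT/IN query for `name` (RD set, no EDNS0)."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_TXT, QCLASS_IN)


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_txt_response(msg):
    """Return (truncated, rcode, txt_records) from a raw DNS response.
    TXT rdata is a run of <len><bytes> character-strings; DKIM keys longer than
    255 bytes are split across several, so the pieces are joined here."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    truncated = bool(flags & 0x0200)        # TC bit: answer did not fit in the UDP reply
    rcode = flags & 0x000F
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4      # skip qname, qtype, qclass
    records = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_TXT:
            i, parts = 0, []
            while i < len(rdata):
                n = rdata[i]
                parts.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
                i += 1 + n
            records.append("".join(parts))
    return truncated, rcode, records


def parse_dkim_key(txt):
    """Split a DKIM key record such as 'v=DKIM1; k=rsa; p=...' into tag/value pairs."""
    tags = {}
    for field in txt.split(";"):
        if "=" in field:
            k, v = field.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


def query_udp(name, resolver, timeout=3.0):
    """One UDP query; without EDNS0 a reply over 512 bytes comes back truncated."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_txt_query(name), (resolver, 53))
        data, _ = s.recvfrom(4096)
    return data


def query_tcp(name, resolver, timeout=3.0):
    """The same query over TCP, which carries a two-byte length prefix."""
    q = build_txt_query(name)
    with socket.create_connection((resolver, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)
        (n,) = struct.unpack("!H", s.recv(2))
        data = b""
        while len(data) < n:
            chunk = s.recv(n - len(data))
            if not chunk:
                break
            data += chunk
    return data


if __name__ == "__main__":
    name = sys.argv[1] if len(sys.argv) > 1 else "20120113._domainkey.gmail.com"
    resolver = sys.argv[2] if len(sys.argv) > 2 else "127.0.0.1"   # assumption: local resolver
    for label, fn in (("UDP", query_udp), ("TCP", query_tcp)):
        try:
            raw = fn(name, resolver)
        except OSError as e:
            print(f"{label}: no answer ({e})")
            continue
        tc, rcode, recs = parse_txt_response(raw)
        print(f"{label}: {len(raw)} bytes, rcode={rcode}, truncated={tc}, records={len(recs)}")
        for r in recs:
            tags = parse_dkim_key(r)
            print(f"  v={tags.get('v')} k={tags.get('k')} p-length={len(tags.get('p', ''))}")
```

If UDP reports truncated=True and TCP reports "no answer", the resolver path is blocking TCP/53 and any milter that fetches DKIM keys will fail exactly as in the log above; if both answer with a record whose p= tag is present, the DNS side is fine and the fault is inside the milter process or its libraries.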

Re: Thoughts & Ideas

Date: 2016-01-27 03:45 am (UTC)
From: [personal profile] rfunk
Sounds like the problem is internal to the milter-greylist process, not some outside effect, but still possibly some other library it's using.

Which version of Debian is it?

The openssh part reminds me: DKIM depends on crypto (libssl I believe), so maybe an openssl update messed with it. Or maybe it was ssh; looks like there's a dependency chain of milter-greylist -> libcurl3 -> libssh2. Though I'm not clear on why milter-greylist would need libcurl.

If it were me I'd be seriously questioning why my greylist daemon is checking DKIM. Can you turn it off with "dkim none" in greylist.conf? If not, at this point I think you'd be justified with either the rebuild (causing problems with updates) or just switching greylist daemons.
