![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
solarbirdWe’ve had to disable greylisting on our mail server, because ever since the latest round of security updates we loaded over the weekend, every dkim-using host in the world fails key retrieval at milter-greylist, and we don’t get mail from google or twitter or yahoo or much of anybody large anymore.
And there’s no way to just disable dkim check in milter-greylist.
Anybody have any idea what the fuck might have happened? Searching online finds me exactly nothing. Here’s a sample – every transaction involving DKIM-signed mail fails, every time, and it started at the weekend round of security patches:
Jan 25 23:31:25 newmoon sm-mta[978]: u0Q7VOMi000978: from=<ZZZZZZZZ@gmail.com>, size=2334, class=0, nrcpts=1, msgid=<CAAsYJfyDCB0w3uKXjie-uXF_Xskt524MuKU4=HHckYMkeDKZQg@mail.gmail.com>, proto=ESMTP, daemon=MTA, relay=mail-pf0-f179.google.com [209.85.192.179]
Jan 25 23:31:25 newmoon milter-greylist: DKIM failed: Key retrieval failed
Jan 25 23:31:25 newmoon sm-mta[978]: u0Q7VOMi000978: Milter: data, reject=451 4.3.2 Please try again later
Jan 25 23:31:25 newmoon sm-mta[978]: u0Q7VOMi000978: to=<YYYYYYYY@murkworks.net>, delay=00:00:00, pri=32334, stat=Please try again later
Mirrored from Crime and the Blog of Evil. Come check out our music at:
Bandcamp (full album streaming) | Videos | iTunes | Amazon | CD Baby
Thoughts & Ideas
Date: 2016-01-26 11:47 pm (UTC)Starting with the most obvious: Was milter-greylist one of the things updated? If so, I'd be investigating the changes.
Does your DNS still work? Is there anything blocking DNS requests on either UDP or TCP? (Recent DKIM keys are often big enough to require TCP for the DNS, but sometimes TCP DNS is broken while UDP DNS works.) Can you do the DKIM request yourself with dig? (e.g. "dig -t txt 20120113._domainkey.gmail.com" works for me.)
It may be worthwhile to grab the Debian source of milter-greylist, find where the DKIM checking happens, disable it in the code, then do your own build. ("debuild -us -uc", if I remember right.)
Or maybe it would be easier/better just to find a different greylist tool that doesn't try to act outside its scope. (I see one called "gross" that looks like it should work for all mail servers, but I don't know more than the package description.)
Re: Thoughts & Ideas
Date: 2016-01-27 02:29 am (UTC)DNS still works fine. Nothing is blocking requests. I can do the DKIM request myself with dig.
My backup plan (worst-case backup rly) is to build a milter-greylist without dkim. There is a build option sans dkim, or so I'm told. That's still less annoying than switching protocols.
Re: Thoughts & Ideas
Date: 2016-01-27 03:45 am (UTC)Which version of Debian is it?
The openssh part reminds me: DKIM depends on crypto (libssl I believe), so maybe an openssl update messed with it. Or maybe it was ssh; looks like there's a dependency chain of milter-greylist -> libcurl3 -> libssh2. Though I'm not clear on why milter-greylist would need libcurl.
If it were me I'd be seriously questioning why my greylist daemon is checking DKIM. Can you turn it off with "dkim none" in greylist.conf? If not, at this point I think you'd be justified with either the rebuild (causing problems with updates) or just switching greylist daemons.