We’ve had to disable greylisting on our mail server, because ever since the latest round of security updates we loaded over the weekend, every dkim-using host in the world fails key retrieval at milter-greylist, and we don’t get mail from google or twitter or yahoo or much of anybody large anymore.
And there’s no way to just disable dkim check in milter-greylist.
Anybody have any idea what the fuck might have happened? Searching online finds me exactly nothing. Here’s a sample – every transaction involving DKIM-signed mail fails, every time, and it started at the weekend round of security patches:
```
Jan 25 23:31:25 newmoon sm-mta[978]: u0Q7VOMi000978: from=<ZZZZZZZZ@gmail.com>, size=2334, class=0, nrcpts=1, msgid=<CAAsYJfyDCB0w3uKXjie-uXF_Xskt524MuKU4=HHckYMkeDKZQg@mail.gmail.com>, proto=ESMTP, daemon=MTA, relay=mail-pf0-f179.google.com [209.85.192.179]
Jan 25 23:31:25 newmoon milter-greylist: DKIM failed: Key retrieval failed
Jan 25 23:31:25 newmoon sm-mta[978]: u0Q7VOMi000978: Milter: data, reject=451 4.3.2 Please try again later
Jan 25 23:31:25 newmoon sm-mta[978]: u0Q7VOMi000978: to=<YYYYYYYY@murkworks.net>, delay=00:00:00, pri=32334, stat=Please try again later
```
Mirrored from Crime and the Blog of Evil.
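A triage sketch for the log excerpt in the post, added here as an example (it is not part of the original post or of milter-greylist): it separates 451 tempfails caused by a DKIM key-retrieval failure from other milter tempfails, counted per sending relay. Because the milter-greylist line carries no queue ID, pairing it with the sm-mta reject logged in the same second is an assumption; the sample log is constructed.

```python
import re
from collections import Counter

# Constructed sample in the format of the excerpt in the post; addresses,
# queue IDs and the second relay are made up for illustration.
SAMPLE_LOG = """\
Jan 25 23:31:25 newmoon sm-mta[978]: u0Q7VOMi000978: from=<a@example.com>, size=2334, class=0, nrcpts=1, msgid=<1@example.com>, proto=ESMTP, daemon=MTA, relay=mail-pf0-f179.google.com [209.85.192.179]
Jan 25 23:31:25 newmoon milter-greylist: DKIM failed: Key retrieval failed
Jan 25 23:31:25 newmoon sm-mta[978]: u0Q7VOMi000978: Milter: data, reject=451 4.3.2 Please try again later
Jan 25 23:31:25 newmoon sm-mta[978]: u0Q7VOMi000978: to=<b@example.org>, delay=00:00:00, pri=32334, stat=Please try again later
Jan 25 23:40:02 newmoon sm-mta[1012]: u0Q7e1Ab001012: from=<c@example.net>, size=900, class=0, nrcpts=1, msgid=<2@example.net>, proto=ESMTP, daemon=MTA, relay=mx.example.net [192.0.2.10]
Jan 25 23:40:02 newmoon sm-mta[1012]: u0Q7e1Ab001012: Milter: data, reject=451 4.3.2 Please try again later
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ ([\w-]+)(?:\[\d+\])?: (.*)$")
QID = re.compile(r"^(\w+): (.*)$")
RELAY = re.compile(r"relay=(\S+)")

def dkim_tempfails(log_text):
    """Return (dkim_caused, other) dicts mapping relay host -> 451 count."""
    relay_by_qid = {}
    pending_ts = None  # timestamp of the last unclaimed DKIM key-retrieval failure
    dkim, other = Counter(), Counter()
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, prog, msg = m.groups()
        if prog == "milter-greylist":
            if "DKIM failed: Key retrieval failed" in msg:
                pending_ts = ts
            continue
        q = QID.match(msg)
        if prog != "sm-mta" or not q:
            continue
        qid, rest = q.groups()
        if rest.startswith("from="):
            r = RELAY.search(rest)
            relay_by_qid[qid] = r.group(1) if r else "unknown"
        elif rest.startswith("Milter:") and "reject=451" in rest:
            relay = relay_by_qid.get(qid, "unknown")
            bucket = dkim if pending_ts == ts else other  # same-second pairing (assumption)
            bucket[relay] += 1
            pending_ts = None
    return dict(dkim), dict(other)

if __name__ == "__main__":
    print(dkim_tempfails(SAMPLE_LOG))
```

On a busy server, two messages logged in the same second can be misattributed by this pairing, so treat the counts as an estimate of how much mail the DKIM failure is deferring.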
Re: Thoughts & Ideas
Date: 2016-01-27 02:29 am (UTC)
DNS still works fine. Nothing is blocking requests. I can do the DKIM request myself with dig.
My backup plan (worst-case backup rly) is to build a milter-greylist without dkim. There is a build option sans dkim, or so I'm told. That's still less annoying than switching protocols.
Re: Thoughts & Ideas
Date: 2016-01-27 03:45 am (UTC)
Which version of Debian is it?
The openssh part reminds me: DKIM depends on crypto (libssl I believe), so maybe an openssl update messed with it. Or maybe it was ssh; looks like there's a dependency chain of milter-greylist -> libcurl3 -> libssh2. Though I'm not clear on why milter-greylist would need libcurl.
If it were me I'd be seriously questioning why my greylist daemon is checking DKIM. Can you turn it off with "dkim none" in greylist.conf? If not, at this point I think you'd be justified with either the rebuild (causing problems with updates) or just switching greylist daemons.