[pfx] Re: Stupid questions

2023-09-18 Thread Shawn Heisey via Postfix-users

On 9/18/23 08:09, Curtis Maurand via Postfix-users wrote:
> I'm running Postfix with rspamd which is a milter.  At what point in the
> email conversation does the DKIM lookup happen? Does Postfix handle that
> or am I asking on the wrong list and I should be asking the question on
> the rspamd list?  I'm getting a DNS failure on my setup that gmail is
> not getting.  It's a delegated subdomain.  I'm getting this temp error.
> The relevant message header is below.
>
> Authentication-Results: sirius.xyonet.com;
>   dkim=temperror ("DNS error when getting key")
> header.d=news.circadian.com header.s=default header.b=KGxjxIVc;
>   spf=temperror (sirius.xyonet.com: error in processing during lookup
> ofxyo...@news.circadian.com: DNS error)smtp.mailfrom=xyo...@news.circadian.com;
>   dmarc=temperror reason="query refused" header.from=circadian.com
> (policy=temperror)
>
> SPF, DKIM, and DMARC all pass at gmail.


I know nothing about rspamd.  I use opendkim, amavisd-new, and postscreen.

Are the xyonet.com and/or circadian.com domains under your control? 
Based on Received headers in the list message I replied to, I think they 
are.


The log says "query refused" when it tries to look up SPF info in DNS... 
which sounds to me like a probable issue in the DNS server used by the 
system that added that header.  This is also probably what happened to 
cause the temperror on the DKIM lookup, but in that case the actual 
error was not logged.


Is the mail server that added the header also under your control?

If I had to guess, I would say that the DNS server in question either 
has the mail server that added the header blocked, or that it is not 
configured to accept recursive queries from the mail server.  But there 
could be other reasons that the connection was refused.  Usually if the 
traffic was blocked by a firewall, the connection would time out, not be 
refused ... but some firewalls can be configured to use connection 
refused instead.


It is generally a good idea for a mail server to also run a local 
caching DNS server, independent of any DNS servers that you may be 
running for your internal infrastructure.  That DNS server should NOT be 
accessible from the Internet unless you happen to be running the mail 
server on the same host as your DNS infrastructure ... which I would say 
is probably not the best idea.


My mail server in AWS, running postfix, dovecot, and roundcube, also 
runs bind9, config mostly unmodified from the ubuntu defaults.  It is 
not authoritative for any domains, including the ones that postfix and 
dovecot are handling.  It does not have forwarders; it performs a 
recursive lookup starting at the public root servers for all queries 
that it receives related to public domains.


Thanks,
Shawn

___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
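As an added example, not code from the thread, here is a small Python parser for Authentication-Results headers like the one quoted above, plus a heuristic that encodes Shawn's reasoning: when every method reports temperror and the wording mentions DNS or a refused query, the receiving host's resolver is the first suspect. The sample header is constructed from the quoted one, with the local-part "sender" standing in for the redacted address.

```python
import re

# key=value tokens; the value may be a quoted string, e.g. reason="query refused"
KV_RE = re.compile(r'([A-Za-z][\w.]*)=("(?:[^"\\]|\\.)*"|[^\s;]+)')
COMMENT_RE = re.compile(r'\(([^()]*)\)')

def split_resinfo(value):
    """Split on ';' outside parenthesised comments and quoted strings."""
    parts, buf, depth, quoted = [], [], 0, False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch in "()":
            depth += 1 if ch == "(" else -1
        elif not quoted and ch == ";" and depth == 0:
            parts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    return parts + ["".join(buf).strip()]

def parse_authentication_results(value):
    """Return (authserv-id, [{method, result, props, comments}, ...])."""
    parts = split_resinfo(" ".join(value.split()))   # unfold header whitespace
    authserv_id = parts[0].split()[0]
    results = []
    for info in parts[1:]:
        comments = [c.strip().strip('"') for c in COMMENT_RE.findall(info)]
        kvs = KV_RE.findall(COMMENT_RE.sub(" ", info))
        if not kvs:          # e.g. a bare "none" or an empty trailing piece
            continue
        method, result = kvs[0]
        props = {k: v.strip('"') for k, v in kvs[1:]}
        results.append({"method": method, "result": result,
                        "props": props, "comments": comments})
    return authserv_id, results

def local_resolver_suspected(results):
    """All methods temperror with DNS/refused wording: suspect the receiver's resolver."""
    if not results or any(r["result"] != "temperror" for r in results):
        return False
    text = " ".join(r["props"].get("reason", "") + " " + " ".join(r["comments"]) for r in results)
    return "dns" in text.lower() or "refused" in text.lower()

# Constructed sample modelled on the header quoted in the thread ("sender" replaces the redacted local-part).
SAMPLE = ('sirius.xyonet.com; dkim=temperror ("DNS error when getting key") header.d=news.circadian.com '
          'header.s=default header.b=KGxjxIVc; spf=temperror (sirius.xyonet.com: error in processing '
          'during lookup of sender@news.circadian.com: DNS error) smtp.mailfrom=sender@news.circadian.com; '
          'dmarc=temperror reason="query refused" header.from=circadian.com (policy=temperror)')
```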


[pfx] Re: Stupid questions

2023-09-18 Thread Bill Cole via Postfix-users

On 2023-09-18 at 12:33:31 UTC-0400 (Mon, 18 Sep 2023 12:33:31 -0400), Phil Stracchino via Postfix-users is rumored to have said:

> Any lookup by rspamd happens *after* Postfix has accepted the message
> and passed it to milters.


That is not how milters work.

Postfix passes the message data to the milters after the terminating 
. at end-of-DATA but BEFORE it has responded to the client. 
The milters can then tell Postfix whether or not to accept the message 
and what changes to make to the message, such as adding headers.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


[pfx] Re: Stupid questions

2023-09-18 Thread Phil Stracchino via Postfix-users

On 9/18/23 10:09, Curtis Maurand via Postfix-users wrote:
>
> Hello list,
>
> At least I think they're stupid questions.
>
> I'm running Postfix with rspamd which is a milter.  At what point in the
> email conversation does the DKIM lookup happen? Does Postfix handle that
> or am I asking on the wrong list and I should be asking the question on
> the rspamd list?  I'm getting a DNS failure on my setup that gmail is
> not getting.  It's a delegated subdomain.  I'm getting this temp error.
> The relevant message header is below.



Based on personal experience, my advice to you is let rspamd handle 
DKIM, DMARC etc for you.  Any lookup by rspamd happens *after* Postfix 
has accepted the message and passed it to milters.


If you're doing that and it's not working, try the rspamd mailing list, 
#rspamd on OFTC, or their Telegram channel.


(see https://rspamd.com/support.html)


--
  Phil Stracchino
  Babylon Communications
  ph...@caerllewys.net
  p...@co.ordinate.org
  Landline: +1.603.293.8485
  Mobile:   +1.603.998.6958



[pfx] Re: Stupid questions

2023-09-18 Thread Viktor Dukhovni via Postfix-users
On Mon, Sep 18, 2023 at 10:09:28AM -0400, Curtis Maurand via Postfix-users 
wrote:

> I'm getting a DNS failure on my setup that gmail is not getting.  It's
> a delegated subdomain.  I'm getting this temp error. the relevant
> message header is below.
> 
> Authentication-Results: sirius.xyonet.com;
>   dkim=temperror ("DNS error when getting key") 
> header.d=news.circadian.com header.s=default header.b=KGxjxIVc;
>   spf=temperror (sirius.xyonet.com: error in processing during lookup 
> ofxyo...@news.circadian.com: DNS 
> error)smtp.mailfrom=xyo...@news.circadian.com;
>   dmarc=temperror reason="query refused" header.from=circadian.com 
> (policy=temperror)

Test your DNS resolver.  You should be seeing something like the below,
but perhaps the authoritative servers don't like your resolver, or
something between you and them is mangling the request or response.

$ dig +nocmd +nostats +nocl +nottl +nosplit -t txt default._domainkey.news.circadian.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51029
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1400
;; QUESTION SECTION:
;default._domainkey.news.circadian.com. IN TXT

;; ANSWER SECTION:
default._domainkey.news.circadian.com. TXT "v=DKIM1; 
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCp3xxpkLE6h08ejabeWf1ZS+91bssPN7UAwX7R2iF8IRoSoTVibOJVnYqIQf+5xTvBUxpAhThwzefqRmdyUYBeNCcPVSQ8yhYrw6ygU5q10RUx1OT2rkZFh/FTN0cBIlctGOq+nS/efsYY5fKQHt5MQQhvHKetyWoTYw2QPhk1KwIDAQAB;"

---

$ dig +nocmd +nostats +nocl +nottl +nosplit -t txt _dmarc.news.circadian.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 571
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1400
;; QUESTION SECTION:
;_dmarc.news.circadian.com. IN TXT

;; ANSWER SECTION:
_dmarc.news.circadian.com. TXT  "v=DMARC1; p=quarantine; adkim=s; aspf=s"

-- 
Viktor.
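As an added example, not from the thread, the following Python script does what the dig commands above do at the protocol level: it sends one raw TXT query for the DKIM selector name to a chosen resolver and classifies the RCODE, so that REFUSED (the header's "query refused"), a timeout (a firewall drop, as Shawn noted) and SERVFAIL can be told apart. The resolver address, the transaction id and the diagnose() wording are assumptions; only probe_resolver() touches the network.

```python
import socket
import struct

# RCODEs worth telling apart (RFC 1035); REFUSED is what the header's
# "query refused" reason corresponds to.
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QTYPE_TXT, QCLASS_IN = 16, 1

def build_txt_query(name, txid):
    """One-question TXT query with RD (recursion desired) set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [lab.encode("ascii") for lab in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_TXT, QCLASS_IN)

def parse_header(resp, txid):
    """Read the 12-byte response header: rcode, RA flag and answer count."""
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    rcode = flags & 0x000F
    return {"rcode": RCODES.get(rcode, "RCODE%d" % rcode),
            "recursion_available": bool(flags & 0x0080), "answers": an}

def diagnose(result):
    """Map an outcome to the failure modes discussed in the thread (assumed wording)."""
    if result["rcode"] == "TIMEOUT":
        return "no reply: firewall drop or unreachable resolver"
    if result["rcode"] == "REFUSED":
        return "resolver refused the query: check its ACL/allow-recursion for this client"
    if result["rcode"] == "SERVFAIL":
        return "resolver failed the lookup: upstream, delegation or DNSSEC problem"
    if not result["recursion_available"]:
        return "resolver is not offering recursion to this client"
    return "lookup succeeded" if result["answers"] else "no TXT record at that name"

def probe_resolver(resolver_ip, name, timeout=3.0):
    """Send one UDP TXT query to resolver_ip (assumed reachable on port 53) and classify it."""
    txid = 0x4242   # fixed id for readability; a real client should randomise it
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_txt_query(name, txid), (resolver_ip, 53))
        try:
            resp, _ = sock.recvfrom(4096)
        except socket.timeout:
            return {"rcode": "TIMEOUT", "recursion_available": False, "answers": 0}
    return parse_header(resp, txid)
```

Running probe_resolver("127.0.0.1", "default._domainkey.news.circadian.com") on the affected host and then the same call against a known-good resolver shows whether the REFUSED originates at the local resolver.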