[pfx] Re: Stupid questions
On 9/18/23 08:09, Curtis Maurand via Postfix-users wrote:
> I'm running Postfix with rspamd which is a milter. At what point in the
> email conversation does the DKIM lookup happen? Does Postfix handle that
> or am I asking on the wrong list and I should be asking the question on
> the rspamd list?
>
> I'm getting a DNS failure on my setup that gmail is not getting. It's a
> delegated subdomain. I'm getting this temp error. the relevant message
> header is below.
>
> Authentication-Results: sirius.xyonet.com;
>     dkim=temperror ("DNS error when getting key")
>     header.d=news.circadian.com header.s=default header.b=KGxjxIVc;
>     spf=temperror (sirius.xyonet.com: error in processing during lookup
>     ofxyo...@news.circadian.com: DNS
>     error)smtp.mailfrom=xyo...@news.circadian.com;
>     dmarc=temperror reason="query refused" header.from=circadian.com
>     (policy=temperror)
>
> SPF, DKIM, and DMARC all pass at gmail.

I know nothing about rspamd. I use opendkim, amavisd-new, and postscreen.

Are the xyonet.com and/or circadian.com domains under your control? Based on Received headers in the list message I replied to, I think they are.

The log says "query refused" when it tries to look up SPF info in DNS... which sounds to me like a probable issue in the DNS server used by the system that added that header. This is also probably what happened to cause the temperror on the DKIM lookup, but in that case the actual error was not logged. Is the mail server that added the header also under your control?

If I had to guess, I would say that the DNS server in question either has the mail server that added the header blocked, or that it is not configured to accept recursive queries from the mail server. But there could be other reasons that the connection was refused. Usually if the traffic was blocked by a firewall, the connection would time out, not be refused ... but some firewalls can be configured to use connection refused instead.

It is generally a good idea for a mail server to also run a local caching DNS server, independent of any DNS servers that you may be running for your internal infrastructure. That DNS server should NOT be accessible from the Internet unless you happen to be running the mail server on the same host as your DNS infrastructure ... which I would say is probably not the best idea.

My mail server in AWS, running postfix, dovecot, and roundcube, also runs bind9, config mostly unmodified from the Ubuntu defaults. It is not authoritative for any domains, including the ones that postfix and dovecot are handling. It does not have forwarders; it performs a recursing lookup starting at the public root servers for all queries that it receives related to public domains.

Thanks,
Shawn

___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Stupid questions
On 2023-09-18 at 12:33:31 UTC-0400 (Mon, 18 Sep 2023 12:33:31 -0400) Phil Stracchino via Postfix-users is rumored to have said:
> Any lookup by rspamd happens *after* Postfix has accepted the message
> and passed it to milters.

That is not how milters work. Postfix passes the message data to the milters after the terminating . at end-of-DATA but BEFORE it has responded to the client. The milters can then tell Postfix whether or not to accept the message and what changes to make to the message, such as adding headers.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
[pfx] Re: Stupid questions
On 9/18/23 10:09, Curtis Maurand via Postfix-users wrote:
> Hello list,
>
> At least I think they're stupid questions.
>
> I'm running Postfix with rspamd which is a milter. At what point in the
> email conversation does the DKIM lookup happen? Does Postfix handle that
> or am I asking on the wrong list and I should be asking the question on
> the rspamd list?
>
> I'm getting a DNS failure on my setup that gmail is not getting. It's a
> delegated subdomain. I'm getting this temp error. the relevant message
> header is below.

Based on personal experience, my advice to you is let rspamd handle DKIM, DMARC etc for you. Any lookup by rspamd happens *after* Postfix has accepted the message and passed it to milters.

If you're doing that and it's not working, try the rspamd mailing list, #rspamd on OFTC, or their Telegram channel. (see https://rspamd.com/support.html)

--
Phil Stracchino
Babylon Communications
ph...@caerllewys.net
p...@co.ordinate.org
Landline: +1.603.293.8485
Mobile: +1.603.998.6958
[pfx] Re: Stupid questions
On Mon, Sep 18, 2023 at 10:09:28AM -0400, Curtis Maurand via Postfix-users wrote:
> I'm getting a DNS failure on my setup that gmail is not getting. It's
> a delegated subdomain. I'm getting this temp error. the relevant
> message header is below.
>
> Authentication-Results: sirius.xyonet.com;
>     dkim=temperror ("DNS error when getting key")
>     header.d=news.circadian.com header.s=default header.b=KGxjxIVc;
>     spf=temperror (sirius.xyonet.com: error in processing during lookup
>     ofxyo...@news.circadian.com: DNS
>     error)smtp.mailfrom=xyo...@news.circadian.com;
>     dmarc=temperror reason="query refused" header.from=circadian.com
>     (policy=temperror)

Test your DNS resolver. You should be seeing something like the below, but perhaps the authoritative servers don't like your resolver, or something between you and them is mangling the request or response.

    $ dig +nocmd +nostats +nocl +nottl +nosplit -t txt default._domainkey.news.circadian.com
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51029
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 1400
    ;; QUESTION SECTION:
    ;default._domainkey.news.circadian.com. IN TXT

    ;; ANSWER SECTION:
    default._domainkey.news.circadian.com. TXT "v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCp3xxpkLE6h08ejabeWf1ZS+91bssPN7UAwX7R2iF8IRoSoTVibOJVnYqIQf+5xTvBUxpAhThwzefqRmdyUYBeNCcPVSQ8yhYrw6ygU5q10RUx1OT2rkZFh/FTN0cBIlctGOq+nS/efsYY5fKQHt5MQQhvHKetyWoTYw2QPhk1KwIDAQAB;"

    ---

    $ dig +nocmd +nostats +nocl +nottl +nosplit -t txt _dmarc.news.circadian.com
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 571
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 1400
    ;; QUESTION SECTION:
    ;_dmarc.news.circadian.com. IN TXT

    ;; ANSWER SECTION:
    _dmarc.news.circadian.com. TXT "v=DMARC1; p=quarantine; adkim=s; aspf=s"

--
Viktor.
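The resolver test from the last message, turned into a small script (an added example, not part of the original thread): it runs the same kind of dig TXT query for the DKIM, SPF and DMARC names seen above against a chosen resolver and maps the status dig reports to a coarse verdict. The function names, the "system" argument and the three-way mapping are assumptions of this example; how NXDOMAIN is reported differs between DKIM, SPF and DMARC verifiers.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and the verdict
# strings are assumptions of this sketch.

# Constructed sample: the header line dig prints when a server refuses.
SAMPLE_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4242'

# Pull the rcode out of dig's ">>HEADER<<" line (dig output on stdin).
dig_status() {
    sed -n 's/.*->>HEADER<<-.*status: \([A-Z0-9]*\),.*/\1/p' | head -n 1
}

# Coarse mapping from rcode to what a verifier would report.
# An empty rcode means dig got no reply at all (timeout, unreachable).
classify_rcode() {
    case "$1" in
        NOERROR)  echo "ok" ;;          # query answered; inspect ANSWER count
        NXDOMAIN) echo "no-record" ;;   # name does not exist
        *)        echo "temperror" ;;   # REFUSED, SERVFAIL, no reply, ...
    esac
}

# dig output on stdin -> verdict on stdout.
verdict_from_output() {
    classify_rcode "$(dig_status)"
}

# Query one TXT name. $2 is "" for the system resolver or "@address".
check_txt() {
    out=$(dig +nocmd +nostats +time=3 +tries=1 $2 -t txt "$1" 2>/dev/null) || true
    rcode=$(printf '%s\n' "$out" | dig_status)
    printf '%-40s %-9s %s\n' "$1" "${rcode:-NOREPLY}" "$(classify_rcode "$rcode")"
}

# Usage: sh dnscheck.sh system    or    sh dnscheck.sh @127.0.0.1
if [ "$#" -gt 0 ]; then
    case "$1" in system) server="" ;; *) server=$1 ;; esac
    # Names from the Authentication-Results header and the dig calls above.
    for name in default._domainkey.news.circadian.com \
                news.circadian.com \
                _dmarc.news.circadian.com; do
        check_txt "$name" "$server"
    done
fi
```

A temperror from the system resolver alongside ok from another resolver for the same name points at the resolver the mail server uses, which is where the replies in the thread suggest looking.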