On 9/18/23 08:09, Curtis Maurand via Postfix-users wrote:
> I'm running Postfix with rspamd, which is a milter. At what point in the
> email conversation does the DKIM lookup happen? Does Postfix handle that,
> or am I asking on the wrong list and I should be asking the question on
> the rspamd list? I'm getting a DNS failure on my setup that gmail is
> not getting. It's a delegated subdomain. I'm getting this temp error.
> The relevant message header is below.
>
> Authentication-Results: sirius.xyonet.com;
>     dkim=temperror ("DNS error when getting key")
>     header.d=news.circadian.com header.s=default header.b=KGxjxIVc;
>     spf=temperror (sirius.xyonet.com: error in processing during lookup
>     of xyo...@news.circadian.com: DNS error) smtp.mailfrom=xyo...@news.circadian.com;
>     dmarc=temperror reason="query refused" header.from=circadian.com
>     (policy=temperror)
>
> SPF, DKIM, and DMARC all pass at gmail.
I know nothing about rspamd. I use opendkim, amavisd-new, and postscreen.
Are the xyonet.com and/or circadian.com domains under your control?
Based on Received headers in the list message I replied to, I think they
are.
The log says "query refused" when it tries to lookup SPF info in DNS...
which sounds to me like a probable issue in the DNS server used by the
system that added that header. This is also probably what happened to
cause the temperror on the DKIM lookup, but in that case the actual
error was not logged.
Is the mail server that added the header also under your control?
If I had to guess, I would say that the DNS server in question either
has the mail server that added the header blocked, or that it is not
configured to accept recursive queries from the mail server. But there
could be other reasons that the connection was refused. Usually if the
traffic was blocked by a firewall, the connection would time out, not be
refused ... but some firewalls can be configured to use connection
refused instead.
It is generally a good idea for a mail server to also run a local
caching DNS server, independent of any DNS servers that you may be
running for your internal infrastructure. That DNS server should NOT be
accessible from the Internet unless you happen to be running the mail
server on the same host as your DNS infrastructure ... which I would say
is probably not the best idea.
My mail server in AWS, running postfix, dovecot, and roundcube, also
runs bind9, config mostly unmodified from the Ubuntu defaults. It is
not authoritative for any domains, including the ones that postfix and
dovecot are handling. It does not have forwarders; it performs a
recursive lookup starting at the public root servers for all queries
that it receives related to public domains.
Thanks,
Shawn
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
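A small resolver probe, added here as an example and not part of the thread, that asks the mail server's resolver the same questions the milter asks (the DKIM key at header.s._domainkey.header.d, the TXT record of the smtp.mailfrom domain for SPF, and _dmarc. on the header.from domain for DMARC) and reports the DNS RCODE instead of a bare "DNS error". A REFUSED reply with RA=0 is what a resolver that does not offer recursion to this host looks like on the wire; a timeout is what a firewall drop looks like. The resolver address 127.0.0.1 and the query names (taken from the Authentication-Results header quoted in the post) are assumptions; only the Python standard library is used.

```python
"""Probe a resolver the way an SPF/DKIM/DMARC checker does and report the
RCODE it returns. Added example, not code from the list thread; the resolver
address and the query names (taken from the Authentication-Results header
quoted above) are assumptions for illustration."""
import random
import socket
import struct
from typing import Optional

QTYPE_TXT = 16
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_query(name: str, qtype: int = QTYPE_TXT, txid: Optional[int] = None) -> bytes:
    """Minimal DNS query: RD=1 so a recursive resolver is asked to recurse,
    plus an EDNS0 OPT record so a long DKIM key does not get truncated."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # flags: RD; QDCOUNT=1; ARCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)  # root name, type OPT, 4096-byte UDP payload
    return header + question + opt


def parse_response(data: bytes) -> dict:
    """Decode only the 12-byte header; that is all the verdict needs."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "tc": bool(flags & 0x0200),
        "ra": bool(flags & 0x0080),
        "rcode": flags & 0x000F,
        "answers": an,
    }


def classify(resp: dict) -> str:
    """Map the resolver's answer onto what the milter would log."""
    rc = resp["rcode"]
    name = RCODES.get(rc, f"RCODE{rc}")
    if rc == 5:
        hint = "resolver will not serve this client"
        if not resp["ra"]:
            hint += " (RA=0: recursion not offered; check allow-recursion/ACLs)"
        return f"temperror: {name}, {hint}"
    if rc == 2:
        return f"temperror: {name}, resolver could not complete the lookup"
    if rc == 3 or (rc == 0 and resp["answers"] == 0):
        return f"norecord: {name}, {resp['answers']} answers (a permanent result, not a resolver problem)"
    if rc == 0:
        tc = "; truncated, retry over TCP" if resp["tc"] else ""
        return f"found: {resp['answers']} answer RR(s){tc}"
    return f"temperror: {name}"


def probe(resolver: str, name: str, qtype: int = QTYPE_TXT, timeout: float = 3.0) -> str:
    """Send one UDP query to `resolver` and classify the reply. A timeout
    suggests a firewall drop; an ICMP port-unreachable surfaces as OSError."""
    txid = random.randrange(0, 0x10000)
    query = build_query(name, qtype, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (resolver, 53))
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "temperror: timeout (typical of a firewall drop rather than an explicit refusal)"
        except OSError as exc:
            return f"temperror: {exc}"
    resp = parse_response(data)
    if resp["id"] != txid or not resp["qr"]:
        return "temperror: reply id/flags do not match the query"
    return classify(resp)


if __name__ == "__main__":
    import sys
    resolver = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # assumed: local caching resolver
    # Names derived from the header in the post: header.s._domainkey.header.d,
    # the smtp.mailfrom domain, and _dmarc. on the header.from domain.
    checks = [
        ("DKIM key", "default._domainkey.news.circadian.com"),
        ("SPF", "news.circadian.com"),
        ("DMARC", "_dmarc.circadian.com"),
    ]
    for label, qname in checks:
        print(f"{label:8s} {qname:40s} -> {probe(resolver, qname)}")
```

Run it on the mail server itself (`python3 probe.py 127.0.0.1`) and then against whatever resolver /etc/resolv.conf actually names; if the local one answers and the remote one says REFUSED, the problem is the remote server's access control, not the milter.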