#121 PeerList not working?

v2.8.2
closed-invalid
5
2009-05-26
2009-03-21
Igor Novgorodov
No

There is a domain (yandex.ru) which has a [* "v=spf1 -all"], even _adsp._domainkey has this TXT entry.
So, dkim-milter kept complaining "ADSP query: missing parameter(s) in policy data" and had been rejecting mail from this domain.
I've tried to set up a local ADSP policy (yandex.ru:unknown), it didn't help (though it stopped complaining in the logs, the mail didn't get through anyway...)
Then tried adding the domain into the PeerList file (yandex.ru), it didn't work either. The logs are clean, and the mail from this domain is blocked.
How to whitelist this domain after all? I had to switch to sign-only mode because of this...

Logs:
----
Mar 22 00:22:52 xenon dkim-filter[16733]: 077151CF958 ADSP query: missing parameter(s) in policy data
----

----
Mar 22 00:22:52 xenon postfix/cleanup[18271]: 077151CF958: milter-hold: END-OF-MESSAGE from forwards1.yandex.ru[77.88.60.125]: milter triggers HOLD action; from=<a@yandex.ru> to=<a@domain.net> proto=ESMTP helo=<forwards1.yandex.ru>
----

Discussion

    • assigned_to: nobody --> sm-msk
    • status: open --> pending
     
  • What did you add to the peerlist? If it was just "yandex.ru", then that only looks for a host called that. According to your logs, the machine is called "forwards1.yandex.ru", which doesn't match. Try changing your peerlist entry to ".yandex.ru", as described in the man page.

    However, I invented a message from that domain and I got the ADSP error, but it didn't affect mail delivery. The message was allowed to continue. I don't know why postfix would think it requested a HOLD action (quarantine). That is only done in special cases of internal or resource errors.

    What FFRs do you have enabled?

    What was the entire log output for that message?
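
The check suggested in the reply above, as an added example that is not part of the ticket or of dkim-milter: it pairs the postfix `milter-hold` event with the dkim-filter line for the same queue ID and tests the client hostname against both PeerList spellings. `peer_matches` and `held_messages` are hypothetical helpers that model only the two entry forms the reply names (exact host and leading-dot domain); the log lines are the ones posted in the ticket.

```python
import re

# Log lines copied from the ticket above (queue ID 077151CF958).
SAMPLE_LOG = """\
Mar 22 00:22:52 xenon dkim-filter[16733]: 077151CF958 ADSP query: missing parameter(s) in policy data
Mar 22 00:22:52 xenon postfix/cleanup[18271]: 077151CF958: milter-hold: END-OF-MESSAGE from forwards1.yandex.ru[77.88.60.125]: milter triggers HOLD action; from=<a@yandex.ru> to=<a@domain.net> proto=ESMTP helo=<forwards1.yandex.ru>
"""

HOLD_RE = re.compile(
    r"postfix/cleanup\[\d+\]: (?P<qid>[0-9A-F]+): milter-hold: \S+ from "
    r"(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]")
DKIM_RE = re.compile(r"dkim-filter\[\d+\]: (?P<qid>[0-9A-F]+) (?P<msg>.+)")


def peer_matches(entry, client_host):
    """Hypothetical model of the two entry forms discussed in the reply:
    "host" matches only that exact name, ".domain" matches hosts under it."""
    entry, client_host = entry.strip().lower(), client_host.strip().lower()
    if entry.startswith("."):
        return client_host.endswith(entry)
    return client_host == entry


def held_messages(log_text):
    """Join postfix milter-hold events with dkim-filter lines by queue ID."""
    dkim, held = {}, []
    lines = log_text.splitlines()
    for line in lines:
        m = DKIM_RE.search(line)
        if m:
            dkim.setdefault(m["qid"], []).append(m["msg"])
    for line in lines:
        m = HOLD_RE.search(line)
        if m:
            held.append({"qid": m["qid"], "host": m["host"], "ip": m["ip"],
                         "dkim": dkim.get(m["qid"], [])})
    return held


if __name__ == "__main__":
    for msg in held_messages(SAMPLE_LOG):
        for entry in ("yandex.ru", ".yandex.ru"):
            print(msg["qid"], msg["host"], entry, peer_matches(entry, msg["host"]))
        print("  dkim-filter said:", msg["dkim"])
```
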

     
  • Well, it looks like the solution is found: Quarantine was enabled...
    For some reason I thought that it would not affect mail delivery, but would just quarantine the ones that failed the check to be examined later...

    Thanks for the advice!

     
    • status: pending --> open
     
  • No, that's not what's going on. The filter only requests quarantine of messages that cause some kind of internal library problem or a resource unavailability issue. Regular verification errors don't get quarantined.

    So, what was the entire log output for that message?

     
  • Postfix:
    ----
    Mar 20 15:58:03 xenon postfix/smtpd[6294]: connect from forwards8.yandex.ru[77.88.61.49]
    Mar 20 15:58:03 xenon postfix/smtpd[6294]: NOQUEUE: filter: RCPT from forwards8.yandex.ru[77.88.61.49]: <a@domain.ru>: Recipient address triggers FILTER dspam:unix:/var/run/dspam/dspam.sock; from=<a@yandex.ru> to=<a@domain.ru> proto=ESMTP helo=<forwards8.yandex.ru>
    Mar 20 15:58:03 xenon postfix/smtpd[6294]: A8CFA1CF968: client=forwards8.yandex.ru[77.88.61.49]
    Mar 20 15:58:03 xenon postfix/cleanup[6486]: A8CFA1CF968: message-id=<135491237553881@webmail28.yandex.ru>
    Mar 20 15:58:03 xenon postfix/cleanup[6486]: A8CFA1CF968: milter-hold: END-OF-MESSAGE from forwards8.yandex.ru[77.88.61.49]: milter triggers HOLD action; from=<a@yandex.ru> to=<a@domain.ru> proto=ESMTP helo=<forwards8.yandex.ru>
    Mar 20 15:58:03 xenon postfix/smtpd[6294]: disconnect from forwards8.yandex.ru[77.88.61.49]
    ----

    DKIM:
    ----
    Mar 20 15:58:03 xenon dkim-filter[4025]: A8CFA1CF968 ADSP query: missing parameter(s) in policy data
    ----

    And that's all, the mail is gone.
    Maybe DSPAM messes it up? But it looks like the mail is not getting into it anyway; it's blocked by dkim-milter.

    The only thing I change is Quarantine - I set it to on, bah, milter triggers hold action.
    I set it to off - the mail gets through even without peerlist and localadsp defined...

     
  • Something strange is going on, because dkim-filter doesn't request quarantine unless there's some kind of internal error.

    What are your command line arguments and configuration file contents (if any)?

     
  • dkim-milter.conf:
    ADSPDiscard yes
    ADSPNoSuchDomain yes
    AllowSHA1Only no
    AlwaysAddARHeader yes
    AuthservID mail.domain.ru
    AuthservIDWithJobId yes
    AutoRestart yes
    AutoRestartCount 0
    AutoRestartRate 1/10s
    BaseDirectory /var/run/dkim-filter
    BodyLengths yes
    Canonicalization simple/simple
    ClockDrift 300
    Diagnostics yes
    DNSTimeout 15
    Domain domain.ru, domain.net, domain2.net
    EnableCoredumps no
    FixCRLF no
    KeepTemporaryFiles no
    KeyList /etc/mail/dkim-filter/keylist
    LogWhy no
    MaximumHeaders 65536
    MilterDebug 0
    Mode sv
    Quarantine no
    QueryCache no
    RemoveARAll no
    RemoveOldSignatures yes
    ReportAddress admin@domain.ru
    Selector default
    SendADSPReports no
    SendReports yes
    SignatureAlgorithm rsa-sha256
    SignatureTTL 0
    Socket local:/var/run/dkim-filter/dkim-filter.sock
    StrictTestMode no
    SubDomains no
    Syslog yes
    SyslogFacility mail
    SyslogSuccess yes
    TemporaryDirectory /var/tmp
    UMask 002
    UserID milter
    X-Header yes
    Statistics /var/run/dkim-filter/dkim-filter.stats

    /etc/mail/dkim-filter/keylist:
    *@domain.ru:domain.ru:/etc/mail/dkim-filter/keys/domain.ru/default
    *@domain.net:domain.net:/etc/mail/dkim-filter/keys/domain.net/default
    *@domain2.net:domain2.net:/etc/mail/dkim-filter/keys/domain2.net/default

    cmd line arguments:
    /usr/sbin/dkim-filter -x /etc/mail/dkim-filter/dkim-filter.conf -P /var/run/dkim-filter/dkim-filter.pid

    I can provide any additional info if needed; though the problem is worked around, it would be useful to find out the cause...

     
  • I forgot postfix's main.cf (milter-relevant part):
    milter_default_action = accept
    milter_command_timeout = 30s
    milter_command_timeout = 30s
    milter_content_timeout = 30s
    milter_protocol = 6
    smtpd_milters =
        unix:/var/run/dkim-filter/dkim-filter.sock
        unix:/var/run/dk-filter/dk-filter.sock
    non_smtpd_milters =
        unix:/var/run/dkim-filter/dkim-filter.sock
        unix:/var/run/dk-filter/dk-filter.sock

    (the other milter is old dk-filter just for compatibility; the problem is not related to it being enabled or not)

     
    • status: open --> closed-invalid