SM wrote:
At 15:07 16-12-2009, Rolf E. Sonneveld wrote:
  
Today I discovered that dkim-milter rejected messages, while I have (as
far as I know) no configuration settings that would explain this rejection.

AFAICS there are three settings in dkim-filter.conf that could make a
message be rejected:

ADSPDiscard
ADSPNoSuchDomain
RequiredHeaders

Default for all of them is 'no' which means: do not reject. In my
configuration I did not explicitly define them, so they should not be
responsible for the reject action (correct?).

The two most recent log entries on system 1 are:

Dec 16 23:11:09 lynx postfix/cleanup[21219]: A600B70395: milter-reject: END-OF-MESSAGE from russian-caravan.cloud9.net[168.100.1.4]: 4.7.1 Service unavailable - try again later; from=<owner-postfix-users@postfix.org> to=<first.last@sonnection.nl> proto=ESMTP helo=<russian-caravan.cloud9.net>
Dec 16 23:27:24 lynx postfix/cleanup[21347]: 3224870395: milter-reject: END-OF-MESSAGE from 128-220.colo.introweb.nl[84.241.128.220]: 4.7.1 Service unavailable - try again later; from=<addisonliu@ms29.hinet.net> to=<first.last@sonnection.nl> proto=ESMTP helo=<lisa.crolox.nl>

The most recent log entries on system 2 are:

16-Dec-2009 23:08:44.88 tcp_internet              JE 0 31:owner-postfix-users@postfix.org 7:rfc822; 0: 0: 3:msg 52:russian-caravan.cloud9.net ([unknown] [168.100.1.4]) 33:451 4.3.2 Milter rejected message
16-Dec-2009 23:25:01.10 tcp_internet              JE 0 25:addisonliu@ms29.hinet.net 7:rfc822; 0: 0: 3:msg 43:lisa.crolox.nl ([unknown] [84.241.128.220]) 33:451 4.3.2 Milter rejected message
    

The 451 code denotes a temporary failure when the message was DKIM 
verified.  Add:

Syslog Yes

in your dkim-milter configuration file.  The maillog will show what 
caused the error.
  

From maillog:

Dec 17 09:54:42 lion dkim-filter[29733]: 0KUS00EAFGR5IO00 no signing keylist match for `"Jermaine Pitts"<addisonliu@ms29.hinet.net'
Dec 17 09:54:42 lion dkim-filter[29733]: 0KUS00EAFGR5IO00 not internal
Dec 17 09:54:42 lion dkim-filter[29733]: 0KUS00EAFGR5IO00 not authenticated
Dec 17 09:54:42 lion dkim-filter[29733]: 0KUS00EAFGR5IO00 mode select: verifying
Dec 17 09:54:42 lion dkim-filter[29733]: 0KUS00EAFGR5IO00: key retrieval failed (s=s1024, d=nmvf.us): res_query(): `s1024._domainkey.nmvf.us' Unknown host

and another example:

Dec 17 01:38:34 lion dkim-filter[29733]: 0KUR00E2HTSAIO00 no signing keylist match for `owner-postfix-users@postfix.org'
Dec 17 01:38:34 lion dkim-filter[29733]: 0KUR00E2HTSAIO00 not internal
Dec 17 01:38:34 lion dkim-filter[29733]: 0KUR00E2HTSAIO00 not authenticated
Dec 17 01:38:34 lion dkim-filter[29733]: 0KUR00E2HTSAIO00 mode select: verifying
Dec 17 01:38:35 lion dkim-filter[29733]: 0KUR00E2HTSAIO00: key retrieval failed (s=dkim.private, d=splitstreams.com): res_query(): `dkim.private._domainkey.splitstreams.com' Unknown host

Seems these messages carry a DKIM signature, but their DKIM DNS entry is not correct. I assume the dkim-filter status is then not 'reject' but maybe the mail server is interpreting the result of dkim-filter as a temp. failure, giving back a 4.x.y status code to the SMTP partner?

/rolf
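
Added example (not part of the original thread, and not dkim-milter code): a small Python triage script that reads dkim-filter syslog lines like the ones quoted above and lists each message whose key retrieval failed, with the selector, signing domain and DNS name that was queried. The log lines are copied from the maillog excerpt in the thread plus one constructed line; the function and field names are hypothetical.

```python
import re

# Log lines copied from the maillog excerpt in the thread, plus one
# constructed line (job 0CONSTRUCTED0000) for a message with no key failure.
SAMPLE_LOG = """\
Dec 17 09:54:42 lion dkim-filter[29733]: 0KUS00EAFGR5IO00 not internal
Dec 17 09:54:42 lion dkim-filter[29733]: 0KUS00EAFGR5IO00 mode select: verifying
Dec 17 09:54:42 lion dkim-filter[29733]: 0KUS00EAFGR5IO00: key retrieval failed (s=s1024, d=nmvf.us): res_query(): `s1024._domainkey.nmvf.us' Unknown host
Dec 17 01:38:34 lion dkim-filter[29733]: 0KUR00E2HTSAIO00 mode select: verifying
Dec 17 01:38:35 lion dkim-filter[29733]: 0KUR00E2HTSAIO00: key retrieval failed (s=dkim.private, d=splitstreams.com): res_query(): `dkim.private._domainkey.splitstreams.com' Unknown host
Dec 17 02:00:00 lion dkim-filter[29733]: 0CONSTRUCTED0000 mode select: verifying
"""

# "<job id>[:] <message>" after the dkim-filter[pid] syslog tag.
LINE_RE = re.compile(r"dkim-filter\[\d+\]: (?P<job>[0-9A-Za-z]+):? (?P<msg>.*)$")
# Selector (s=), signing domain (d=) and the resolver detail that follows.
KEYFAIL_RE = re.compile(
    r"key retrieval failed \(s=(?P<s>[^,]+), d=(?P<d>[^)]+)\): (?P<detail>.*)$")

def key_retrieval_failures(log_text):
    """Return one record per logged DKIM key lookup failure."""
    verifying = set()   # job IDs seen in verify mode
    failures = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        job, msg = m.group("job"), m.group("msg")
        if msg == "mode select: verifying":
            verifying.add(job)
        k = KEYFAIL_RE.match(msg)
        if k:
            failures.append({
                "job": job,
                "selector": k.group("s"),
                "domain": k.group("d"),
                # DNS name where the signer's public key should be published
                "query": f"{k.group('s')}._domainkey.{k.group('d')}",
                "unknown_host": k.group("detail").endswith("Unknown host"),
                "verifying": job in verifying,
            })
    return failures

if __name__ == "__main__":
    for f in key_retrieval_failures(SAMPLE_LOG):
        print(f"{f['job']}: TXT {f['query']} "
              f"({'unknown host' if f['unknown_host'] else 'other error'})")
```

Matching the job IDs in this output against the MTA log entries for the same messages shows which temporary rejections coincide with a failed key lookup.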