From: Jim P. <ji...@ya...> - 2006-06-18 03:59:59

I had sudden issues with receiving email today, inbound emails from every domain, except Yahoo, were rejected with "554 5.7.1 Command rejected". Disabling dkmilter resolved the issue, any idea on what could have happened?

-Jim P.
From: Jim P. <ji...@ya...> - 2006-06-18 04:03:42

Sorry for the few details on the OP. The version is 0.4.1 and has been working fine for a few weeks now.

-Jim P.

Jim Popovitch wrote:
> I had sudden issues with receiving email today, inbound emails from
> every domain, except Yahoo, were rejected with "554 5.7.1 Command
> rejected". Disabling dkmilter resolved the issue, any idea on what
> could have happened?
>
> -Jim P.
From: SM <sm...@re...> - 2006-06-18 05:32:27

Hi Jim,

At 20:59 17-06-2006, Jim Popovitch wrote:
>I had sudden issues with receiving email today, inbound emails from
>every domain, except Yahoo, were rejected with "554 5.7.1 Command
>rejected". Disabling dkmilter resolved the issue, any idea on what
>could have happened?

Does it mean that your mail server only accepts the mail if there is a DK signature?

Does the maillog show any other information?

Regards,
-sm
From: Jim P. <ji...@ya...> - 2006-06-18 05:49:08

SM wrote:
> Hi Jim,
> At 20:59 17-06-2006, Jim Popovitch wrote:
>> I had sudden issues with receiving email today, inbound emails from
>> every domain, except Yahoo, were rejected with "554 5.7.1 Command
>> rejected". Disabling dkmilter resolved the issue, any idea on what
>> could have happened?
>
> Does it mean that your mail server only accepts the mail if there is
> a DK signature?

I think that is the case. I just can't understand why it is all of a sudden (since abt 8pm EDT).

> Does the maillog show any other information?

Yes. Here is a relevant section:

--------------------------------
Jun 12 11:41:29 svr1 sm-mta[11839]: k5CIfQ2t011839: from=<bkke8x5@SENDER_DOMAIN.com>, size=1533, class=0, nrcpts=1, msgid=<pt5rk12vclznwi46780@SENDER_DOMAIN.com>, proto=SMTP, daemon=public, relay=RELAY_SERVER_AND_IP
Jun 12 11:41:29 svr1 sm-mta[11839]: k5CIfQ2t011839: Milter add: header: X-Virus-Scanned: ClamAV version 0.88.2, clamav-milter version 0.88.2 on svr1
Jun 12 11:41:29 svr1 sm-mta[11839]: k5CIfQ2t011839: Milter add: header: X-Virus-Status: Clean
Jun 12 11:41:29 svr1 sm-mta[11839]: k5CIfQ2t011839: Milter add: header: X-Spam-Status: No, score=0.0 required=5.0 tests=none autolearn=no \r\n\tversion=3.1.2
Jun 12 11:41:29 svr1 sm-mta[11839]: k5CIfQ2t011839: Milter add: header: X-Spam-Checker-Version: SpamAssassin 3.1.2 (2006-05-25) on svr1.MY_DOMAIN.org
Jun 12 14:41:29 svr1 dk-filter[11842]: k5CIfQ2t011839: signature verification failed
Jun 12 11:41:29 svr1 sm-mta[11839]: k5CIfQ2t011839: Milter: data, reject=554 5.7.1 Command rejected
Jun 12 11:41:29 svr1 sm-mta[11839]: k5CIfQ2t011839: to=<admin@MY_DOMAIN>, delay=00:00:00, pri=31533, stat=Command rejected
------------------

So, it looks like verification failed, could this be due to a DNS issue?

-Jim P.
From: SM <sm...@re...> - 2006-06-18 15:40:42

Hi Jim,

At 22:48 17-06-2006, Jim Popovitch wrote:
>Jun 12 14:41:29 svr1 dk-filter[11842]: k5CIfQ2t011839: signature
>verification failed
>
>Jun 12 11:41:29 svr1 sm-mta[11839]: k5CIfQ2t011839: Milter: data,
>reject=554 5.7.1 Command rejected
>
>Jun 12 11:41:29 svr1 sm-mta[11839]: k5CIfQ2t011839:
>to=<admin@MY_DOMAIN>, delay=00:00:00, pri=31533, stat=Command rejected
>
>So, it looks like verification failed, could this be due to a DNS issue?

Does the verification fail for all DK-signed mail? That might point to a DNS issue. Please see from your maillog whether the problem (mail rejected) is specific to that domain.

Regards,
-sm
From: Murray S. K. <ms...@se...> - 2006-06-19 02:10:56

With which command line arguments are you starting the filter?
From: Jim P. <ji...@ya...> - 2006-06-19 02:46:06

Murray S. Kucherawy wrote:
> With which command line arguments are you starting the filter?

All of this lies in an init.d script, here are the options that are setup:

---------------------------------------------
# Local config options needing unique settings
MTA_NAMES="local"
KEYFILE="/etc/dkfilter/dk1.key.pem"
SELECTOR_NAME="dk1"

# Might want to change, but no need to
PORT="inet:8891@localhost"
USER="dkfilter"
DKFILTER="/usr/bin/dk-filter"
REJECTION="bad=r,dns=t,int=t,no=a,miss=r"
SIGNED_DOMAINS_LIST="/etc/dkfilter/signed-domains"
PEER_HOSTS_LISTS="/etc/dkfilter/peer-hosts"
INTERNAL_HOSTS_LIST="/etc/dkfilter/internal-hosts"
EXTERNAL_HOSTS_LIST="/etc/dkfilter/external-hosts"

DOMAINKEYS_ARGS="-l -a $PEER_HOSTS_LISTS -i $INTERNAL_HOSTS_LIST \
    -I $EXTERNAL_HOSTS_LIST -m $MTA_NAMES -p $PORT -C $REJECTION \
    -d $SIGNED_DOMAINS_LIST -u $USER -s $KEYFILE -S $SELECTOR_NAME"
----------------------------------------------

The process is then started (in this case on Redhat) by:

initlog -c "$DKFILTER $DOMAINKEYS_ARGS" && success || failure

The files in /etc/dkfilter contain valid FQDNs for the signed-domains, and RFC1918 IPs for peer-hosts and internal-hosts. One of the domains in signed-domains does NOT resolve to an IP simply because there is nothing ever addressed to that domain, rather things are addressed to subdomains (mx1, mx2, etc) of that domain. Internal-hosts and peer-hosts have some overlapping IPs, external-hosts is just the public IPs of 2 external systems that this DK install signs mail for (this system is the smart host for those 2 IPs).

Thanks for any insight,

-Jim P.
From: SM <sm...@re...> - 2006-06-19 21:14:25

Hi Murray,

At 19:45 18-06-2006, Jim Popovitch wrote:
>All of this lies in an init.d script, here are the options that are setup:

[snip]

>REJECTION="bad=r,dns=t,int=t,no=a,miss=r"

This explains the rejection. The "bad" means that the message will be rejected if the signature found in the mail did not verify successfully. If there was a dns error, it would trigger a temporary failure. In your case, it was a "bad" signature.

Regards,
-sm
From: Jim P. <ji...@ya...> - 2006-06-19 21:54:45

SM wrote:
> Hi Murray,
> At 19:45 18-06-2006, Jim Popovitch wrote:
>> All of this lies in an init.d script, here are the options that are setup:
>
> [snip]
>
>> REJECTION="bad=r,dns=t,int=t,no=a,miss=r"
>
> This explains the rejection. The "bad" means that the message will
> be rejected if the signature found in the mail did not verify
> successfully. If there was a dns error, it would trigger a temporary
> failure. In your case, it was a "bad" signature.

Very interesting. Ok, since DNS for sending hosts is outside of my control, is it generally acceptable to leave badsignature set to tempfail? I'm using the DNS default timeout (5), so I'll look into increasing that also.

Thanks SM!

-Jim P.
From: SM <sm...@re...> - 2006-06-19 22:43:59

Hi Jim,

At 14:54 19-06-2006, Jim Popovitch wrote:
>Very interesting. Ok, since DNS for sending hosts is outside of my
>control, is it generally acceptable to leave badsignature set to
>tempfail? I'm using the DNS default timeout (5), so I'll look into
>increasing that also.

A tempfail tells the sending server to retry again. That may not solve the bad signature problem. If you are reading your logs, you can take measures to accept the mail instead of rejecting it outright on the first delivery attempt. The downside is that these retries will increase the load which doesn't make sense if you are going to reject the mail in the end.

Currently, my dk-filter setup does not reject mail. It is used as part of the filtering process.

Regards,
-sm
From: Jim P. <ji...@ya...> - 2006-06-20 03:46:33

SM wrote:
> Hi Jim,
> At 14:54 19-06-2006, Jim Popovitch wrote:
>> Very interesting. Ok, since DNS for sending hosts is outside of my
>> control, is it generally acceptable to leave badsignature set to
>> tempfail? I'm using the DNS default timeout (5), so I'll look into
>> increasing that also.
>
> A tempfail tells the sending server to retry again. That may not
> solve the bad signature problem. If you are reading your logs, you
> can take measures to accept the mail instead of rejecting it outright
> on the first delivery attempt. The downside is that these retries
> will increase the load which doesn't make sense if you are going to
> reject the mail in the end.
>
> Currently, my dk-filter setup does not reject mail. It is used as
> part of the filtering process.

As always, thank you SM for your assistance.

-Jim P.
From: SM <sm...@re...> - 2006-06-20 17:51:50

At 10:30 20-06-2006, Murray S. Kucherawy wrote:
>Actually what's more interesting to me is "miss=r" which means
>reject on missing signatures. This should apply to messages bearing
>no signature if the sending domain advertises a "we sign all" policy.
>
>If however an unsigned message with no such policy is being
>rejected, that's a bug.

Jim, were unsigned messages being rejected?

REJECTION="bad=r" would reject DK signed messages coming through most mailing lists as they usually break the DK signatures.

Regards,
-sm
From: Jim P. <ji...@ya...> - 2006-06-20 19:17:54

SM wrote:
> At 10:30 20-06-2006, Murray S. Kucherawy wrote:
>> Actually what's more interesting to me is "miss=r" which means
>> reject on missing signatures. This should apply to messages bearing
>> no signature if the sending domain advertises a "we sign all" policy.
>>
>> If however an unsigned message with no such policy is being
>> rejected, that's a bug.
>
> Jim, were unsigned messages being rejected?

:-) (RTFM, I know) After reading the new README that came with 0.4.1, I decided to remove my custom -C parameters (which were "bad=r,dns=t,int=t,no=a,miss=r"). When I upgraded dk-filter from 0.4.0 I started creating an init.d script and in doing so, I guess I was a little overzealous with the restriction and actions config. So, now I am using the default restrictions and not experiencing any email problems other than the occasional "syntax error in signature data" related to spam/rbl'ed emails. I would like to move back towards bad=r soon, but I'll wait until I learn more about its effect on good mail.

> REJECTION="bad=r" would reject DK signed messages coming through most
> mailing lists as they usually break the DK signatures.

I think that I (we, thank you again) have worked out all those kinks as outbound list traffic is still signed correctly (for the domains that have DNS that supports TXT records). The problems that started this thread were related to near complete rejection of inbound emails. I still have a ton of logs to parse through to determine the good/bad rejection ratio, because I do know that bad=r worked correctly for a considerable amount of inbound spam last week. Right now I do RBL, ClamAV, and SA checks _before_ dk-filter processing, I hope to move DK and DKIM to the front line soon and clear out the obvious crap before doing further filtering.

Thanks again for all the help and advice,

-Jim P.
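The "good/bad rejection ratio" Jim wants from his logs can be pulled out by joining the sm-mta and dk-filter lines on the sendmail queue ID, as in the maillog extract earlier in the thread. The script below is an added example, not code from the thread or from dk-milter; the sample log is constructed (queue IDs, hosts and addresses are made up, modelled on the quoted lines), and the log line layout it assumes is the sendmail "host prog[pid]: queueid: message" form shown above.

```python
import re
from collections import defaultdict

# Constructed sample maillog modelled on the sendmail + dk-filter lines quoted
# in the thread; queue IDs, hosts and addresses are made up.
SAMPLE_LOG = """\
Jun 12 11:41:29 svr1 sm-mta[11839]: k5CIfQ2t011839: from=<bkke8x5@sender.example>, size=1533, class=0, nrcpts=1, proto=SMTP, daemon=public, relay=mx.sender.example [192.0.2.10]
Jun 12 11:41:29 svr1 dk-filter[11842]: k5CIfQ2t011839: signature verification failed
Jun 12 11:41:29 svr1 sm-mta[11839]: k5CIfQ2t011839: Milter: data, reject=554 5.7.1 Command rejected
Jun 12 11:41:29 svr1 sm-mta[11839]: k5CIfQ2t011839: to=<admin@my.example>, delay=00:00:00, pri=31533, stat=Command rejected
Jun 12 11:42:03 svr1 sm-mta[11850]: k5CIg3xy011850: from=<list@other.example>, size=2201, class=0, nrcpts=1, proto=SMTP, daemon=public, relay=mail.other.example [198.51.100.7]
Jun 12 11:42:03 svr1 sm-mta[11850]: k5CIg3xy011850: Milter: data, reject=554 5.7.1 Command rejected
Jun 12 11:42:03 svr1 sm-mta[11850]: k5CIg3xy011850: to=<admin@my.example>, delay=00:00:00, pri=32201, stat=Command rejected
Jun 12 11:43:10 svr1 sm-mta[11861]: k5CIhAab011861: from=<ok@good.example>, size=900, class=0, nrcpts=1, proto=SMTP, daemon=public, relay=mail.good.example [203.0.113.5]
Jun 12 11:43:10 svr1 sm-mta[11861]: k5CIhAab011861: to=<admin@my.example>, delay=00:00:00, pri=30900, stat=Sent
"""

# "Mon DD HH:MM:SS host prog[pid]: queueid: message"
LINE_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ \S+ (?P<prog>[\w-]+)\[\d+\]: (?P<qid>\w+): (?P<msg>.*)$")

def collect_rejects(log_text):
    """Join sm-mta and dk-filter lines on queue ID; return only the rejected ones."""
    msgs = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        qid, prog, msg = m.group("qid"), m.group("prog"), m.group("msg")
        if prog == "dk-filter":
            msgs[qid]["dk"] = msg  # e.g. "signature verification failed"
        elif msg.startswith("from="):
            msgs[qid]["from"] = re.search(r"from=<([^>]*)>", msg).group(1)
        elif "reject=" in msg:
            msgs[qid]["reject"] = msg.split("reject=", 1)[1]
    return {q: d for q, d in msgs.items() if "reject" in d}

def summarize(log_text):
    """Count rejects by cause. A reject with no dk-filter line at all is the
    case the thread worries about: a message that carried no signature."""
    counts = {"dk_bad_signature": 0, "dk_other": 0, "reject_without_dk_line": 0}
    for d in collect_rejects(log_text).values():
        dk = d.get("dk")
        if dk is None:
            counts["reject_without_dk_line"] += 1
        elif "verification failed" in dk:
            counts["dk_bad_signature"] += 1
        else:
            counts["dk_other"] += 1
    return counts
```

Run it over a real maillog extract with `summarize(open("/var/log/maillog").read())`; a non-zero `reject_without_dk_line` count is the symptom worth checking against the miss=r behaviour discussed in this thread.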
From: SM <sm...@re...> - 2006-06-24 04:44:51

Hi Adrian,

At 16:31 23-06-2006, Adrian Havill wrote:
>With the most recent upgrade, I've had the same problem. Yes, unsigned
>messages are being rejected for me.

Can you post a sample of your log for the unsigned message?

Regards,
-sm
From: Murray S. K. <ms...@se...> - 2006-06-20 17:30:46

Jim Popovitch wrote:
>>>REJECTION="bad=r,dns=t,int=t,no=a,miss=r"
>>
>>This explains the rejection. The "bad" means that the message will
>>be rejected if the signature found in the mail did not verify
>>successfully. If there was a dns error, it would trigger a temporary
>>failure. In your case, it was a "bad" signature.
>
> Very interesting. Ok, since DNS for sending hosts is outside of my
> control, is it generally acceptable to leave badsignature set to
> tempfail? I'm using the DNS default timeout (5), so I'll look into
> increasing that also.

Actually what's more interesting to me is "miss=r" which means reject on missing signatures. This should apply to messages bearing no signature if the sending domain advertises a "we sign all" policy.

If however an unsigned message with no such policy is being rejected, that's a bug.
From: Adrian H. <ha...@re...> - 2006-06-23 23:31:09

SM wrote:
>At 10:30 20-06-2006, Murray S. Kucherawy wrote:
>
>>Actually what's more interesting to me is "miss=r" which means
>>reject on missing signatures. This should apply to messages bearing
>>no signature if the sending domain advertises a "we sign all" policy.
>>
>>If however an unsigned message with no such policy is being
>>rejected, that's a bug.
>
>Jim, were unsigned messages being rejected?
>
>REJECTION="bad=r" would reject DK signed messages coming through most
>mailing lists as they usually break the DK signatures.

With the most recent upgrade, I've had the same problem. Yes, unsigned messages are being rejected for me.
From: Adrian H. <ha...@re...> - 2006-06-23 23:35:22

Jim Popovitch wrote:
>I had sudden issues with receiving email today, inbound emails from
>every domain, except Yahoo, were rejected with "554 5.7.1 Command
>rejected". Disabling dkmilter resolved the issue, any idea on what
>could have happened?

I noticed this too upon upgrading to 0.4.1 -- it seems to be a regression from 0.4.0; downgrading to 0.4.0 solved the problem for me.
From: Adrian H. <ha...@re...> - 2006-06-24 14:49:07

SM wrote:
>Hi Adrian,
>At 16:31 23-06-2006, Adrian Havill wrote:
>
>>With the most recent upgrade, I've had the same problem. Yes, unsigned
>>messages are being rejected for me.
>
>Can you post a sample of your log for the unsigned message?

The /var/log/mailog?
From: SM <sm...@re...> - 2006-06-24 15:13:30

Hi Adrian,

At 07:49 24-06-2006, Adrian Havill wrote:
>The /var/log/mailog?

Yes. Post an extract only and not the entire log. :)

Regards,
-sm
From: SM <sm...@re...> - 2006-06-25 14:32:33

Hi Adrian,

At 16:56 24-06-2006, Adrian D. Havill wrote:
>Attached. It's been edited a bit... lots of dmail and milter lines
>deleted, but the

It looks like a bug in dk-milter version 0.4.1. This may be related to the "dk_skipbody" change in this release.

Regards,
-sm