Comment 0 for bug 1914889

Nick Tait (nick.t) wrote :

My mail logs show that OpenDKIM experienced a DNS timeout when validating the DKIM signature on an inbound email, but then accepted the message. As a result the DMARC policy was applied and the message was quarantined.

The expected behaviour in the event of a DNS timeout is that it would use the On-DNSError setting, which defaults to tempfail, and would cause the sending MTA to retry at a later time. When this happened, it is expected that the result of the earlier DNS query would be immediately available, because it would have been cached by the DNS server, and so the signature would have been successfully verified and therefore would have passed the DMARC check (and the email would have been accepted).

Here is what my mail logs showed:

Jan 28 11:27:33 mx postfix/postscreen[19584]: CONNECT from []:14353 to []:25
Jan 28 11:27:33 mx postfix/postscreen[19584]: PASS OLD []:14353
Jan 28 11:27:33 mx postfix/smtpd[19585]: connect from[]
Jan 28 11:27:34 mx postfix/smtpd[19585]: Anonymous TLS connection established from[]: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
Jan 28 11:27:35 mx policyd-spf[19610]: prepend Received-SPF: None (mailfrom) identity=mailfrom; client-ip=;; <email address hidden>; receiver=<UNKNOWN>
Jan 28 11:27:35 mx policyd-spf[19615]: prepend Received-SPF: None (mailfrom) identity=mailfrom; client-ip=;; <email address hidden>; receiver=<UNKNOWN>
Jan 28 11:27:35 mx postfix/smtpd[19585]: 5481E5E10A6:[]
Jan 28 11:27:35 mx postfix/cleanup[19627]: 5481E5E10A6: message-id=<email address hidden>
Jan 28 11:27:40 mx opendkim[1731]: 5481E5E10A6: key retrieval failed (s=202101-e055eb0c, '' query timed out
Jan 28 11:27:40 mx opendmarc[1534]: implicit authentication service:
Jan 28 11:27:40 mx opendmarc[1534]: 5481E5E10A6: SPF(mailfrom): <email address hidden> none
Jan 28 11:27:44 mx opendmarc[1534]: 5481E5E10A6: fail
Jan 28 11:27:44 mx postfix/cleanup[19627]: 5481E5E10A6: milter-hold: END-OF-MESSAGE from[]: milter triggers HOLD action; from=<email address hidden> to=<email address hidden> proto=ESMTP helo=<>
Jan 28 11:27:44 mx postfix/smtpd[19585]: disconnect from[] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7

Here is the content of opendkim.conf (with comments and blank lines removed):

Syslog yes
UMask 007
KeyFile /etc/dkimkeys/20201017.private
Selector 20201017
Canonicalization relaxed/simple
AlwaysAddARHeader yes
Socket local:/var/run/opendkim/opendkim.sock
PidFile /var/run/opendkim/
OversignHeaders From
TrustAnchorFile /usr/share/dns/root.key
UserID opendkim

You can see there is no DNSTimeout setting, meaning it uses the default value of 5 seconds. Also there are no On-... options, so these are also using default settings. My expectation is that a DNS timeout would use the On-DNSError default value, which is documented as tempfail. However, it would appear that it is using some other setting which defaults to accept?

Version info:

$ lsb_release -rd
Description: Ubuntu 18.04.5 LTS
Release: 18.04

$ apt-cache policy opendkim
  Installed: 2.11.0~alpha-11build1
  Candidate: 2.11.0~alpha-11build1
  Version table:
 *** 2.11.0~alpha-11build1 500
        500 bionic/universe i386 Packages
        100 /var/lib/dpkg/status

As far as I can tell this is a one-off occurrence, and not something I can easily recreate. But hopefully there is enough information here to determine what happened?
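The report says the event was a one-off that could not be reproduced. The practical way to find out whether it recurs is to correlate the mail log by Postfix queue ID and flag every message where opendkim logged a DNS timeout ("query timed out") but Postfix did not tempfail the message at END-OF-MESSAGE. The script below is an added example (not part of the bug report and not OpenDKIM's or Postfix's own code). It assumes the syslog layout shown in the report, and it assumes that when On-DNSError=tempfail fires, Postfix logs a "milter-reject: END-OF-MESSAGE ... 4.x.x ..." line for the queue ID; the sample log lines are constructed, with placeholder hosts and addresses (RFC 5737 addresses, example.* domains), and the un-redacted opendkim message text is modelled on the report rather than copied from a real log.

```python
"""Correlate Postfix, OpenDKIM and OpenDMARC syslog lines by queue ID and flag
messages where OpenDKIM hit a DNS timeout but the message was not tempfailed.
Added example for the bug report above; the log lines below are constructed."""
import re
from collections import defaultdict

# Constructed sample log modelled on the report. The first queue ID shows the
# reported anomaly (DNS timeout, then DMARC fail and HOLD); the second shows the
# behaviour On-DNSError=tempfail is expected to produce (assumed 4.7.1 reply);
# the third is an unrelated clean delivery.
SAMPLE_LOG = """\
Jan 28 11:27:33 mx postfix/smtpd[19585]: connect from mail.example.net[192.0.2.10]
Jan 28 11:27:35 mx postfix/smtpd[19585]: 5481E5E10A6: client=mail.example.net[192.0.2.10]
Jan 28 11:27:40 mx opendkim[1731]: 5481E5E10A6: key retrieval failed (s=202101-e055eb0c, d=example.net): '202101-e055eb0c._domainkey.example.net' query timed out
Jan 28 11:27:40 mx opendmarc[1534]: implicit authentication service: mx.example.org
Jan 28 11:27:40 mx opendmarc[1534]: 5481E5E10A6: SPF(mailfrom): user@example.net none
Jan 28 11:27:44 mx opendmarc[1534]: 5481E5E10A6: fail
Jan 28 11:27:44 mx postfix/cleanup[19627]: 5481E5E10A6: milter-hold: END-OF-MESSAGE from mail.example.net[192.0.2.10]: milter triggers HOLD action; from=<user@example.net> to=<me@example.org> proto=ESMTP helo=<mail.example.net>
Jan 28 11:30:01 mx postfix/smtpd[19590]: 7A1C05E10B2: client=mail.example.com[198.51.100.7]
Jan 28 11:30:06 mx opendkim[1731]: 7A1C05E10B2: key retrieval failed (s=sel1, d=example.com): 'sel1._domainkey.example.com' query timed out
Jan 28 11:30:06 mx postfix/cleanup[19631]: 7A1C05E10B2: milter-reject: END-OF-MESSAGE from mail.example.com[198.51.100.7]: 4.7.1 Service unavailable - try again later; from=<a@example.com> to=<me@example.org> proto=ESMTP helo=<mail.example.com>
Jan 28 11:31:12 mx postfix/smtpd[19600]: 9B2D15E10C3: client=mail.example.org[203.0.113.5]
Jan 28 11:31:13 mx opendmarc[1534]: 9B2D15E10C3: pass
"""

# syslog prefix: "Mon DD HH:MM:SS host program[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w./-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Postfix queue ID at the start of the message text
QUEUE_RE = re.compile(r"^(?P<qid>[0-9A-F]{10,16}): (?P<rest>.*)$")


def parse_log(text):
    """Group log events by queue ID: {qid: [(program, message_after_qid), ...]}."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        q = QUEUE_RE.match(m.group("msg"))
        if not q:
            continue  # CONNECT/disconnect/etc. carry no queue ID and cannot be correlated
        events[q.group("qid")].append((m.group("prog"), q.group("rest")))
    return events


def classify(qid_events):
    """Summarise the DKIM DNS outcome, DMARC verdict and milter action for one queue ID."""
    info = {"dkim_dns_timeout": False, "dmarc": None, "milter": None}
    for prog, rest in qid_events:
        if prog == "opendkim" and "query timed out" in rest:
            info["dkim_dns_timeout"] = True
        elif prog == "opendmarc" and rest in ("pass", "fail", "none"):
            info["dmarc"] = rest  # the bare verdict line, not the SPF(...) detail line
        elif prog.startswith("postfix/") and rest.startswith("milter-hold:"):
            info["milter"] = "hold"
        elif prog.startswith("postfix/") and rest.startswith("milter-reject:"):
            # Postfix logs the milter's SMTP reply after the stage; 4.x.x means tempfail
            code = re.search(r": ([45])\.\d+\.\d+ ", rest)
            info["milter"] = "tempfail" if code and code.group(1) == "4" else "reject"
    return info


def find_dns_timeout_anomalies(text):
    """Queue IDs where OpenDKIM timed out on DNS but Postfix did not tempfail the message."""
    findings = {}
    for qid, ev in parse_log(text).items():
        info = classify(ev)
        if info["dkim_dns_timeout"] and info["milter"] != "tempfail":
            findings[qid] = info
    return findings


if __name__ == "__main__":
    for qid, info in find_dns_timeout_anomalies(SAMPLE_LOG).items():
        print(f"{qid}: DNS timeout not tempfailed; dmarc={info['dmarc']} milter={info['milter']}")
```

To run it against a real host, replace SAMPLE_LOG with the contents of /var/log/mail.log (or the output of journalctl for the postfix, opendkim and opendmarc units). Any queue ID it reports is one where the DKIM lookup timed out and the message still reached OpenDMARC with no valid signature, which is exactly the sequence the report describes; if the same pattern shows up more than once it is no longer a one-off, and the opendkim log line for that queue ID is the place to start.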