Rspamd DKIM unsigned #3598
Comments
The issue is here:

```
postfix/smtpd[10600]: warning: milter inet:localhost:11332: can't read SMFIC_OPTNEG reply packet header: Connection timed out
postfix/smtpd[10600]: warning: milter inet:localhost:11332: read error in initial handshake
```

So after Googling this for a while, I will take a big guess and say that TCP on port 53 may be blocked? Please double-check; I know, DNS over TCP is cursed, but this is the mail world, not the normal world... Make sure port 53 is completely open for outbound (and of course established) traffic.
If this turns out to be a DNS issue, I will update the docs.
I use Oracle Cloud, my firewall has all ports open, not sure if Oracle Cloud is blocking port 53, but I had no issues when using OpenDKIM before.
When you exec into your container (
I see, this is then not the problem. Can you please disable IPv6 shortly and see whether it works without IPv6?
Ah, and please also try removing the explicit DNS servers set in
Just a general thought: SMFIC_OPTNEG is usually the first command being sent by the MTA (here: postfix) to the Milter (rspamd). This command does not include any actual mail data, so it should basically return immediately with a list of actions that the Milter can perform [1]. As the command reply is taking too long I would suggest checking the logs of rspamd if the process is indeed running correctly. Also increasing the logging level for rspamd via overriding /etc/rspamd/local.d/logging.inc might also be a good idea - see https://rspamd.com/doc/configuration/logging.html

[1] https://github.com/emersion/go-milter/blob/master/milter-protocol.txt#L100 / https://github.com/avar/sendmail-pmilter/blob/master/doc/milter-protocol.txt#L100 (hard to find the official document ...)
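The handshake described in the comment above can be exercised directly to see whether the milter answers at all. This is an added example, not part of the original thread or of the rspamd/DMS code; the protocol version 6 (the Postfix default `milter_protocol`) and the action mask are assumptions, and the host and port are the ones from the Postfix log line.

```python
import socket
import struct

SMFIC_OPTNEG = b"O"
MILTER_VERSION = 6   # assumption: Postfix's default milter_protocol
ALL_ACTIONS = 0x1FF  # constructed value: advertise every action bit

def build_optneg(version=MILTER_VERSION, actions=ALL_ACTIONS, protocol=0):
    """Frame = uint32 length (command byte + data), 'O', three uint32 fields."""
    data = struct.pack("!III", version, actions, protocol)
    return struct.pack("!I", 1 + len(data)) + SMFIC_OPTNEG + data

def _read_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("milter closed the connection mid-packet")
        buf += chunk
    return buf

def optneg_exchange(sock, timeout=5.0):
    """Send SMFIC_OPTNEG on a connected socket; 'timeout' is the logged symptom."""
    sock.settimeout(timeout)
    try:
        sock.sendall(build_optneg())
        (length,) = struct.unpack("!I", _read_exact(sock, 4))
        if not 1 <= length <= 65536:
            return {"status": "unexpected", "detail": f"bad length {length}"}
        body = _read_exact(sock, length)
    except socket.timeout:
        return {"status": "timeout"}
    except OSError as exc:
        return {"status": "error", "detail": str(exc)}
    if body[:1] != SMFIC_OPTNEG or len(body) != 13:
        return {"status": "unexpected", "detail": f"command {body[:1]!r}"}
    version, actions, protocol = struct.unpack("!III", body[1:])
    return {"status": "ok", "version": version, "actions": actions, "protocol": protocol}

def probe(host="localhost", port=11332, timeout=5.0):
    """Connect to the milter address from the Postfix log and negotiate."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            return optneg_exchange(sock, timeout)
    except OSError as exc:
        return {"status": "connect_failed", "detail": str(exc)}

if __name__ == "__main__":
    print(probe())
```

Run inside the container, a `timeout` result reproduces what Postfix logged, while `connect_failed` means nothing is listening on that address.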
Below is unlikely going to help, but I thought I'd mention it. If a process is running yet appears stalled/unresponsive, then you'll want to set This is known to affect PostSRSd, previously Fail2Ban (fixed), Rsyslogd (only recently fixed upstream, so probably not fixed in DMS), but could affect other processes if unlucky. This would only be relevant though if the following outputs a number around 1 billion:

```
docker run --rm -it alpine ash -c 'ulimit -Sn && ulimit -Hn'
```
It seems that the problem has been identified. I tried disabling the DNS settings in compose.yml, but it still couldn't perform DKIM signing. However, after disabling IPv6, I noticed that Rspamd DKIM is working fine. Now I am trying to fix the IPv6 connection for DMS.
I configured IPv6 based on this document, but it seems that there are new issues. Is there a more comprehensive IPv6 configuration document available?
Yes that has been revised for upcoming v13 release of the docs: https://docker-mailserver.github.io/docker-mailserver/edge/config/advanced/ipv6/#enable-proper-ipv6-support Let me know how you find that rewrite :)
I followed the documentation of edge to configure Docker's IPv6 settings, but when I
Are you using the latest Docker? It might not be until v25 is released, IPv6 had an issue with the ping command and was resolved around mid 2023 IIRC. I'm not sure if configuring your

```json
{
  "userland-proxy": false
}
```

will help with the ping issue. It was related to an EDIT: Here's the IPv6 ping issue, seems related to container to container though. It was backported to Docker 24.0.6 in August. Do you have a firewall that might also be blocking the traffic?
my compose.yaml:
/etc/docker/daemon.json
docker version
This will result in the unavailability of IPv6 for my host machine and containers. At which step did I make a mistake?
Some guesses ... Generally speaking, you likely want to use the userland-proxy - which is also on by default. Your configuration - apart from the userland-proxy setting looks correct to me at first glance. You can also check with Which firewall frontend are you using? Plain iptables or nft or something else? You might also want to check if you have
It's mostly for localhost connectivity. There's a few quirks depending on if it's enabled or not, but the intent is to eventually default to disabled and then drop it. I spent a good chunk of time contributing to the upstream tracking issue on that 😅
Regardless, Docker only supports managing iptables rules, it doesn't natively support managing rules for nftables. When I asked about firewall, I meant the frontends ufw / firewalld as these have quirks. The remaining advice is good IIRC, on an IPv6 host I recall having to manage NDP proxy for using GUA with containers, but ULA like the DMS docs advise was fine. If you need actual IPv6 reachability you'd publish the ports to the public IPv6 interface with its GUA address. This works like the container's IPv4 bridged network from private address to public, which is fine. @ceeim ping issue aside, were you able to verify IPv6 is working correctly?:
I agree, it would be good to get rid of it, but there are still some issues that are unresolved. In the end it's probably a matter of whether you would have to work around some issues if you would be affected.
I did reference iptables6-nft specifically to make clear that there are Linux distributions (RHEL etc) that use the alternatives system to switch from the old iptables to the nftables iptables-translation. Yes, Docker can only use an iptables-compatible command, but iptables6-nft provides this and can be used with Docker.
Forget about it, at least I have IPv4 available now, I gave up on configuring IPv6. :(
You did well, believe me. In my not-so-very-humble opinion, IPv6 is useless at best, or incurring problems at worst 😆
📝 Preliminary Checks
👀 What Happened?
Rspamd DKIM unsigned, sending emails to mail-tester prompts this issue. Can someone tell me where the problem is? I have no issues when using OpenDKIM.
dkim_signing.conf:
👟 Reproduction Steps
No response
🐋 DMS Version
edge
💻 Operating System and Architecture
ARM64
⚙️ Container configuration files
📜 Relevant log output
Improvements to this form?
No response