  • signing failure: cannot make request to load DKIM selector for domain

Hi guys,

I’m running Rspamd version 2.6 (pulled the latest mailcow update 2nd of October 2020). I noticed the following message in my rspamd container logs:
lua; dkim_signing.lua:104: signing failure: cannot make request to load DKIM selector for domain google.com: nil

Google is not the only one that gives this line; it’s every mail that comes in and makes its way through Rspamd that gives the same error (just a different domain at the end of the line).

Since I thought this might be DNS related I checked the unbound logs, but there are no errors as far as I can tell. The only thing that shows up every day is:
today at 04:31 [1601951500] unbound[1:0] info: generate keytag query _ta-4f66. NULL IN
today at 16:16 [1601993771] unbound[1:0] info: generate keytag query _ta-4f66. NULL IN

but that doesn’t seem like an error to me.

I also checked my firewall. It is quite restrictive on the incoming and outbound ports. But even when opening it up completely for the mailcow host the Rspamd error remains.

I checked all the containers and none of them give errors, only this one. This doesn’t affect the handling of mail, but I suspect this means the DKIM check is not performed.

Anyone got a suggestion that helps me find the cause and a solution?
thnx

  • diekuh

    • Community Hero
    • volunteer
    Moolevel 110

Cannot confirm this here. It would be fine for arc.lua though.

Please post the FULL logs of rspamd-mailcow and postfix-mailcow here. We only need the time frame of the mail arriving +1 minute.

Yes full logs coming up..

rspamd-mailcow:

today at 18:03 2020-10-08 18:03:31 #54(normal) <5724c9>; task; rspamd_protocol_http_reply: regexp statistics: 0 pcre regexps scanned, 8 regexps matched, 3059 regexps total, 2852 regexps cached, 0B scanned using pcre, 89.86KiB scanned total
today at 18:06 2020-10-08 18:06:12 #54(normal) <a400d3>; lua; dkim_signing.lua:104: signing failure: cannot make request to load DKIM selector for domain gmail.com: nil
today at 18:06 2020-10-08 18:06:15 #54(normal) <a400d3>; task; rspamd_redis_connected: skip obtaining bayes tokens for BAYES_HAM of classifier bayes: not enough learns 2; 5 required
today at 18:06 2020-10-08 18:06:15 #54(normal) <a400d3>; task; rspamd_redis_connected: skip obtaining bayes tokens for BAYES_SPAM of classifier bayes: not enough learns 0; 5 required
today at 18:06 2020-10-08 18:06:15 #54(normal) <a400d3>; task; rspamd_protocol_http_reply: regexp statistics: 0 pcre regexps scanned, 6 regexps matched, 3059 regexps total, 2794 regexps cached, 0B scanned using pcre, 57.06KiB scanned total
today at 18:06 2020-10-08 18:06:15 #54(normal) <a400d3>; task; rspamd_task_write_log: id: <CANLOa9RbWO5htSdSYF4gQFnp1nKBWjxKQBPwzV_e1m-V3e1iHQ@mail.gmail.com>, qid: <80BDE341918>, ip: MASKED, from: <SOMEONE@gmail.com>, (default: F (no action): [1.00/15.00] [URI_COUNT_ODD(1.00){59;},MIME_GOOD(-0.10){multipart/alternative;text/plain;},RCVD_NO_TLS_LAST(0.10){},ARC_NA(0.00){},FREEMAIL_ENVFROM(0.00){gmail.com;},FREEMAIL_FROM(0.00){gmail.com;},FROM_EQ_ENVFROM(0.00){},FROM_HAS_DN(0.00){},MIME_TRACE(0.00){0:+;1:+;2:~;},PREVIOUSLY_DELIVERED(0.00){ME@MYDOMAIN.COM;},RBL_EXCLUDE_FWD_HOST(0.00){},RCPT_COUNT_ONE(0.00){1;},RCPT_MAILCOW_DOMAIN(0.00){MYDOMAIN.COM;},RCVD_COUNT_THREE(0.00){3;},TAGGED_FROM(0.00){},TO_DN_ALL(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){},WHITELISTED_FWD_HOST(0.00){MASKED-IP;}]), len: 39864, time: 2863.760ms, dns req: 17, digest: <d8860a23d855fc21e2d59e068a46b650>, rcpts: <ME@MYDOMAIN.COM>, mime_rcpts: <ME@MYDOMAIN.COM>

And the postfix-mailcow:

today at 18:06 Oct  8 18:06:06 email postfix/postscreen[2321]: CONNECT from [MASKED-IP]:57652 to [172.22.1.10]:25
today at 18:06 Oct  8 18:06:06 email postfix/postscreen[2321]: WHITELISTED [MASKED-IP]:57652
today at 18:06 Oct  8 18:06:06 email postfix/smtpd[2324]: connect from unknown[MASKED-IP]
today at 18:06 Oct  8 18:06:06 email postfix/smtpd[2324]: 37ED93418E6: client=unknown[MASKED-IP]
today at 18:06 Oct  8 18:06:06 email postfix/smtpd[2324]: disconnect from unknown[MASKED-IP] ehlo=1 mail=1 rcpt=1 quit=1 commands=4
today at 18:06 Oct  8 18:06:12 email postfix/postscreen[2321]: CONNECT from [MASKED-IP]:57670 to [172.22.1.10]:25
today at 18:06 Oct  8 18:06:12 email postfix/postscreen[2321]: WHITELISTED [MASKED-IP]:57670
today at 18:06 Oct  8 18:06:12 email postfix/smtpd[2324]: connect from unknown[MASKED-IP]
today at 18:06 Oct  8 18:06:12 email postfix/smtpd[2324]: 80BDE341918: client=unknown[MASKED-IP]
today at 18:06 Oct  8 18:06:12 email postfix/cleanup[2327]: 80BDE341918: message-id=<CANLOa9RbWO5htSdSYF4gQFnp1nKBWjxKQBPwzV_e1m-V3e1iHQ@mail.gmail.com>
today at 18:06 Oct  8 18:06:15 email postfix/qmgr[367]: 80BDE341918: from=<SOMEONE@gmail.com>, size=40115, nrcpt=1 (queue active)
today at 18:06 Oct  8 18:06:15 email postfix/smtpd[2324]: disconnect from unknown[MASKED-IP] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
today at 18:06 Oct  8 18:06:15 email postfix/smtp[2330]: warning: MASKED-IP-INTERNALMAILSRV[MASKED-IP-INTERNALMAILSRV]:25 offered no supported AUTH mechanisms: 'NTLM'
today at 18:06 Oct  8 18:06:15 email postfix/smtp[2330]: Untrusted TLS connection established to MASKED-IP-INTERNALMAILSRV[MASKED-IP-INTERNALMAILSRV]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
today at 18:06 Oct  8 18:06:15 email postfix/smtp[2330]: 80BDE341918: to=<ME@MYDOMAIN.COM>, relay=MASKED-IP-INTERNALMAILSRV[MASKED-IP-INTERNALMAILSRV]:25, delay=3.3, delays=3/0.07/0.07/0.22, dsn=2.6.0, status=sent (250 2.6.0 <CANLOa9RbWO5htSdSYF4gQFnp1nKBWjxKQBPwzV_e1m-V3e1iHQ@mail.gmail.com> [InternalId=106738527240194, Hostname=INTERNAL-MAIL.LANDOMAIN.CORP] 42183 bytes in 0.175, 234,889 KB/sec Queued mail for delivery)
today at 18:06 Oct  8 18:06:15 email postfix/qmgr[367]: 80BDE341918: removed

The mailflow is:
my firewall (acts as mailrelay and queues the mail if the mailserver is unavailable) > mailcow (> and for now mailcow uses a sender transportmap to deliver the mail to my internal exchange server, I want to replace this exchange server with mailcow so this is just temporary, I will remove the transportmap when mailcow configuration works perfectly).
After this I use IMAP sync to keep the exchange server and mailcow mailboxes in sync (for now).

I’ve obscured some identifiers:

  1. the sender (SOMEONE@gmail.com)
  2. receiver (ME@MYDOMAIN.COM)
  3. the internal IP of my firewall (MASKED-IP)
  4. the internal IP of my exchange server (MASKED-IP-INTERNALMAILSRV)
  5. hostname of my internal mailserver (INTERNAL-MAIL.LANDOMAIN.CORP)
  • diekuh

Why is your firewall’s IP visible as connection initiator? What is the reason to hide the connector’s IP behind NAT?

Is the question related to the cause of the log entry I see in Rspamd?
Maybe I misunderstand your question, but my firewall acts as an SMTP gateway. The external connection terminates at the firewall. There the message is received and scanned and then relayed to the destination (mailcow) mailserver. And for the time being the mailcow relays the message to my exchange server (this one is in a different network).

  • diekuh

Rspamd probably tries to sign the domain as it thinks it is internal.

All useful filtering and neural/bayes learning is not applied when you terminate the connection pre-mailcow and do not pass the connector’s IP. I don’t recommend it at all.

Remember to set the gw as forwarding host and don’t be mad when filtering is not as good.

    Ok, so if I understand you correctly the most probable reason this message shows is because of the mailrelay on the firewall. So the recommended setup is to just forward the SMTP connection directly to the email (mailcow) server and let it do all the antivirus and spam checks.
    thnx for the help.
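
A log check for the situation discussed in this thread, added here as an example (it is not part of any post and is not mailcow or Rspamd code): it groups rspamd-mailcow lines by task tag and reports DKIM signing attempts for domains the server does not host, together with the `WHITELISTED_FWD_HOST` option logged for the same task. The sample lines, domains, IP and the function name `foreign_signing_attempts` are constructed; the list of local domains is assumed to be supplied by the operator.

```python
import re
from collections import defaultdict

# Constructed sample lines in the rspamd-mailcow log layout quoted in the thread.
SAMPLE_LOG = """\
2020-10-08 18:06:12 #54(normal) <a1b2c3>; lua; dkim_signing.lua:104: signing failure: cannot make request to load DKIM selector for domain sender.example: nil
2020-10-08 18:06:15 #54(normal) <a1b2c3>; task; rspamd_task_write_log: id: <m1@sender.example>, from: <alice@sender.example>, (default: F (no action): [1.00/15.00] [RCPT_MAILCOW_DOMAIN(0.00){local.example;},WHITELISTED_FWD_HOST(0.00){192.0.2.1;}]), len: 100
2020-10-08 18:09:40 #54(normal) <d4e5f6>; lua; dkim_signing.lua:104: signing failure: cannot make request to load DKIM selector for domain local.example: nil
2020-10-08 18:09:41 #54(normal) <d4e5f6>; task; rspamd_task_write_log: id: <m2@local.example>, from: <bob@local.example>, (default: F (no action): [0.00/15.00] [MIME_GOOD(-0.10){text/plain;}]), len: 90
"""

TAG = re.compile(r"<([0-9a-f]{6})>; (\w+); (.*)")
SIGN = re.compile(r"dkim_signing\.lua:\d+: signing failure: .* for domain (\S+): ")
FWD = re.compile(r"WHITELISTED_FWD_HOST\([^)]*\)\{([^}]*)\}")


def foreign_signing_attempts(log_text, local_domains):
    """Return (task tag, domain, forwarding host) for signing attempts on
    domains that this server does not host (local_domains is operator-supplied)."""
    local = {d.lower() for d in local_domains}
    tasks = defaultdict(dict)
    for line in log_text.splitlines():
        m = TAG.search(line)
        if not m:
            continue
        tag, module, msg = m.groups()
        sign = SIGN.search(msg)
        if module == "lua" and sign:
            tasks[tag]["domain"] = sign.group(1).lower()
        elif "rspamd_task_write_log" in msg:
            fwd = FWD.search(msg)
            # Keep the symbol's option (the relay IP in the thread's log) if present.
            tasks[tag]["fwd_host"] = fwd.group(1).rstrip(";") if fwd else None
    return [
        (tag, t["domain"], t.get("fwd_host"))
        for tag, t in tasks.items()
        if "domain" in t and t["domain"] not in local
    ]


if __name__ == "__main__":
    for tag, domain, fwd in foreign_signing_attempts(SAMPLE_LOG, ["local.example"]):
        print(f"task {tag}: signing attempted for non-local {domain}, fwd host {fwd}")
```

A signing failure for a domain in the local list (the second constructed task) is not reported, since that points at a selector or key problem rather than at inbound mail being treated as internal.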
