[exim-dev] [Bug 1442] New: DNS timeout in DKIM verification …

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Fabio Muzzi
Date:  
À: exim-dev
Nouveaux-sujets: [exim-dev] [Bug 1442] DNS timeout in DKIM verification can cause email delivery issues
Sujet: [exim-dev] [Bug 1442] New: DNS timeout in DKIM verification can cause email delivery issues
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=1442
           Summary: DNS timeout in DKIM verification can cause email
                    delivery issues
           Product: Exim
           Version: 4.72
          Platform: x86-64
        OS/Version: Linux
            Status: NEW
          Severity: bug
          Priority: medium
         Component: DKIM
        AssignedTo: tom@???
        ReportedBy: kurgan@???
                CC: exim-dev@???



I have encountered an issue with DKIM verification where a non-responding DNS
causes exim to stall for more than 800 seconds waiting to be able to verify the
DKIM signature for the email it is receiving via SMTP. The sender hosts then
gets confused by the long stall in SMTP session and retries to send the email,
while Exim has actually received the email. This leads to duplicate emails.

While the whole issue depends also on a misbehaviour by the remote host (and I
believe also a firewall in between) and by the DNS server too, there is
something that I believe can be done in Exim itself to mitigate this issue.

I have no DKIM ACL set, so in my setup Exim just checks for DKIM and logs data.

When Exim checks for DKIM (after the end of SMTP DATA) it makes a DNS request.
A misconfigured DNS caused the query (done via TCP because its answer was
longer than 512 bytes) to hang forever. To be more precise, the TCP requests to
port 53 where dropped, so no answer at all came back to our TCP SYN packet.

This caused Exim to stall for more than 800 seconds waiting for the DNS TXT
record for DKIM verification. After 600 seconds the smtp sender host closed the
connection to our Exim.

I have looked at the documentation and I have found no way to set a shorter
timeout to DKIM verification process.

A timeout parameter for DKIM lookup should exist in Exim, so that I can set a
more reasonable timeout and avoid SMTP session stalling for so much time. A
value of 30 seconds (or even less) should be a reasonable default.


Fabio Muzzi


--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email