http://bugs.exim.org/show_bug.cgi?id=1442
Summary: DNS timeout in DKIM verification can cause email delivery issues
Product: Exim
Version: 4.72
Platform: x86-64
OS/Version: Linux
Status: NEW
Severity: bug
Priority: medium
Component: DKIM
AssignedTo: tom@???
ReportedBy: kurgan@???
CC: exim-dev@???

I have encountered an issue with DKIM verification where a non-responding DNS
causes Exim to stall for more than 800 seconds waiting to be able to verify the
DKIM signature for the email it is receiving via SMTP. The sender host then
gets confused by the long stall in the SMTP session and retries sending the
email, while Exim has actually received the email. This leads to duplicate
emails.

While the whole issue depends also on a misbehaviour by the remote host (and I
believe also a firewall in between) and by the DNS server too, there is
something that I believe can be done in Exim itself to mitigate this issue.

I have no DKIM ACL set, so in my setup Exim just checks for DKIM and logs data.

When Exim checks for DKIM (after the end of SMTP DATA) it makes a DNS request.
A misconfigured DNS caused the query (done via TCP because its answer was
longer than 512 bytes) to hang forever. To be more precise, the TCP requests to
port 53 were dropped, so no answer at all came back to our TCP SYN packet.
This caused Exim to stall for more than 800 seconds waiting for the DNS TXT
record for DKIM verification. After 600 seconds the SMTP sender host closed the
connection to our Exim.

I have looked at the documentation and I have found no way to set a shorter
timeout for the DKIM verification process.

A timeout parameter for DKIM lookup should exist in Exim, so that I can set a
more reasonable timeout and avoid the SMTP session stalling for so long. A
value of 30 seconds (or even less) should be a reasonable default.

Fabio Muzzi