On 8/6/2022 11:55 p.m., Viktor Dukhovni wrote:
The milter may be performing DKIM signature checks on inbound mail,
signing would be only for outbound. DKIM signature checks may involve
DNS lookups, which could introduce some latency if the remote zone is
uncooperative.
On 9/6/2022 2:41 a.m., Wietse Venema wrote:
I agree that DKIM is unlikely to use upo 255 seconds even if
you had turned on signature checks by mistake.
Based on your comments (and based on our current postfix config, which
is simple) I focused on checking the OpenDKIM config, as a serious
candidate of being responsible for the delays.
I noticed that our incoming mails had DKIM verification signatures from
both servers (mailgw1 AND vmail2) which was not right. There is no point
in verifying DKIM signature twice.
So, yes, I had mistakenly turned on signature checking on vmail2.
Additionally, the usual delay was around 4 minutes, which is consistent
with the 255 seconds timeout you mentioned.
I turned off signature checking on vmail2 and *delays stopped occurring*!
It seems that something in DKIM signature verification process was
causing OpenDKIM to stall when analyzing particular domains.
(Note that DKIM signature checking on mailgw1 through amavis does not
cause any issues whatsoever.)
OpenDKIM logs did not reveal any details regarding the messages with
earlier delays; only the final successful signing event was logged.
I did not try to re-enable (unneeded) signature verification and
increasing OpenDKIM log level in an effort to discover more details on
the issue; therefore I can't tell what exactly may have been the cause
of failures on particular domains. Since it is a production server, it
is not easy to make a decision to re-introduce mail delivery delays to
end-users in order to do further experiments.
Yet, it is clear that the delay was induced by OpenDKIM sig verification
process.
I do appreciate and thank you both Wietse and Victor for the precious
insight you have provided on postfix message processing at various
stages and your commendable kindness in devoting your effort to help me,
even though I am not a mail expert! I would have surely needed your
further guidance to configure postfix in a way that would allow me to
carry out the step-by-step analysis you advised if it had proved necessary.
All the best,
Nick
