linux
Dorothy, 2019-07-14 19:55:57

How to solve timeout issue in spamassassin check?

Hello.
I have a mail server on CentOS 7 from Exim + Dovecot + Spamassassin v3.4.0, VestaCP control panel.
Everything works well, except for a long 10-11 second check of the letter by spamassassin.
SpamAssassin's debug log shows that the problem is with the DNS query on the first line, which times out after 10 seconds (3rd line), thus causing a long check and failure of the DKIM test:

Sun Jul 14 14:47:12 2019 [94687] dbg: dkim: performing public key lookup and signature verification
Sun Jul 14 14:47:22 2019 [94687] dbg: dkim: DKIM, [email protected], d=yandex.ru, s=mail, a=rsa-sha256, c=relaxed/relaxed, invalid, matches author domain
Sun Jul 14 14:47:22 2019 [94687] dbg: dkim: signature verification result: INVALID (PUBLIC KEY: DNS QUERY TIMEOUT FOR MAIL._DOMAINKEY.YANDEX.RU)
Sun Jul 14 14:47:22 2019 [94687] dbg: dkim: adsp: performing lookup on _adsp._domainkey.yandex.ru
Sun Jul 14 14:47:22 2019 [94687] dbg: dkim: adsp result: U/unknown (dns: unknown), author domain 'yandex.ru'
Sun Jul 14 14:47:22 2019 [94687] dbg: spf: checking to see if the message has a Received-SPF header that we can use
Sun Jul 14 14:47:22 2019 [94687] dbg: spf: checking HELO (helo=forward400j.mail.yandex.net, ip=5.45.198.245)
Sun Jul 14 14:47:22 2019 [94687] dbg: dns: bgsend,  DNS servers: [8.8.8.8]:53, [8.8.4.4]:53
Sun Jul 14 14:47:22 2019 [94687] dbg: dns: attempt 1/2, trying connect/sendto to [8.8.8.8]:53
Sun Jul 14 14:47:22 2019 [94687] dbg: dns: providing a callback for id: 49973/IN/SPF/forward400j.mail.yandex.net
Sun Jul 14 14:47:22 2019 [94687] dbg: dns: dns reply 690 is OK, 4 answer records
Sun Jul 14 14:47:22 2019 [94687] dbg: async: calling callback on key dns:A:yandex.ru
Sun Jul 14 14:47:22 2019 [94687] dbg: dns: hit <dns:yandex.ru> 5.255.255.5
Sun Jul 14 14:47:22 2019 [94687] dbg: dns: hit <dns:yandex.ru> 77.88.55.50
Sun Jul 14 14:47:22 2019 [94687] dbg: dns: hit <dns:yandex.ru> 77.88.55.88
Sun Jul 14 14:47:22 2019 [94687] dbg: dns: hit <dns:yandex.ru> 5.255.255.88

If you do an artificial check on the same letter, then everything is processed quickly and the DKIM check is successful:
# spamassassin -t -D dkim < /home/admin/mail/domain/user/cur/messageId
Jul 14 20:46:49.922 [24398] dbg: dkim: using Mail::DKIM version 0.39
Jul 14 20:46:49.923 [24398] dbg: dkim: performing public key lookup and signature verification
Jul 14 20:46:49.962 [24398] dbg: dkim: DKIM, [email protected], d=yandex.ru, s=mail, a=rsa-sha256, c=relaxed/relaxed, pass, matches author domain
Jul 14 20:46:49.962 [24398] dbg: dkim: signature verification result: PASS

How to overcome this problem?


1 answer(s)
Vladimir Dubrovin, 2019-07-15
@Dorothy

Make sure that you
1. do not filter DNS traffic over TCP (port 53/tcp) to external DNS servers (
and
for the sake of completeness)
2. there are no problems with MTU and large packets pass with external DNS servers (
)
3. A public resolver like 8.8.8.8 is not used. For any "combat" servers, it is better to raise your own resolver, usually a local one; there may be rate limits on public ones.
4. You do not have an open resolver that can be used to amplify traffic; it is possible that a DDoS is going through you and therefore some of the TXT requests are blocked.
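
An added example, not part of the answer above and not SpamAssassin code: a Python probe that sends the DKIM TXT query from the log to each resolver over plain UDP, over UDP with EDNS0 and over TCP, and reports the reply header and elapsed time for each path. The function names, the 5-second timeout and the 4096-byte EDNS size are assumptions of this example; the record name and resolver addresses are the ones shown in the question's log.

```python
import socket, struct, sys, time

def build_query(name, edns_size=0, qtype=16, qid=0x1234):
    """TXT (16) query with RD set; edns_size > 0 appends an EDNS0 OPT record."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns_size else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_size, 0, 0) if edns_size else b""
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def parse_header(resp):
    """Return rcode, TC (truncated) flag and answer count of a DNS response."""
    if len(resp) < 12:
        raise ValueError("short DNS response")
    _id, flags, _qd, answers, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {"rcode": flags & 0xF, "truncated": bool(flags & 0x0200), "answers": answers}

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed early")
        buf += chunk
    return buf

def probe(server, name, mode, timeout=5.0):
    """mode: 'udp' (512-byte limit), 'udp-edns' (4096-byte replies) or 'tcp'."""
    query = build_query(name, edns_size=4096 if mode == "udp-edns" else 0)
    start = time.monotonic()
    try:
        if mode == "tcp":  # DNS over TCP prefixes each message with a 2-byte length
            with socket.create_connection((server, 53), timeout=timeout) as s:
                s.sendall(struct.pack("!H", len(query)) + query)
                resp = recv_exact(s, struct.unpack("!H", recv_exact(s, 2))[0])
        else:  # IPv4 resolver address assumed
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(query, (server, 53))
                resp, _ = s.recvfrom(65535)
        result = parse_header(resp)
    except (OSError, ValueError) as exc:  # timeouts, resets and filtered ports land here
        result = {"error": repr(exc)}
    result["seconds"] = round(time.monotonic() - start, 3)
    return result

if __name__ == "__main__":
    name = sys.argv[1] if len(sys.argv) > 1 else "mail._domainkey.yandex.ru"
    for server in sys.argv[2:] or ["8.8.8.8", "8.8.4.4"]:
        for mode in ("udp", "udp-edns", "tcp"):
            print(server, mode, probe(server, name, mode))
```

A UDP reply with `truncated` set while the `tcp` probe returns an error is consistent with item 1 of the answer; a `udp` reply that arrives while `udp-edns` times out is consistent with item 2.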
