Yahoo Groups archive

Milter-greylist

Index last updated: 2026-04-13 23:57 UTC

Message

dkim borks when key retrieval fails

2018-08-10 by Brad Barnett

Running Debian stretch's version of milter-greylist, 4.5.11.

I recently noticed an odd issue, after some local DNS changes.  

The reason why this issue cropped up is that the new DNS server
has reduced access via firewalling to certain geographical locations.  So
while postfix/milter-greylist/other milters have full access to the
RDNS/DNS of the IP address / sending email address... the DKIM
domain/signature is pulled from an entirely other geographical location,
and is therefore unretrievable.

It should be noted that this only exposed this issue, and is not its
root cause.  Other DNS issues (upstream routing problems, DKIM signing
DNS down, etc, etc) would cause this same problem.

It is only the persistence of this issue (since it is a permanent
firewall rule) that made things so apparent.  Other users are likely
experiencing this issue transiently, perhaps due to temporary signing DNS
being down, unrouteable, etc.

A paste of the mail transaction:

Aug  8 14:22:28 woo postfix/smtpd[32400]: connect from some.hostname[x.x.x.x]
Aug  8 14:22:28 woo milter-greylist: smfi_getsymval failed for {i}
Aug  8 14:22:28 woo milter-greylist: (unknown id): skipping greylist because sender is SPF-compliant, (from=<aliens-users-bounces@...>, rcpt=<an.email.addy@someplace>, addr=some.hostname[x.x.x.x]) ACL 562
Aug  8 14:22:28 woo postfix/smtpd[32400]: 49A0B2073F: client=some.hostname[x.x.x.x]
Aug  8 14:22:28 woo postfix/cleanup[1655]: 49A0B2073F: message-id=<426ceeb5-a6f1-50c7-5017-553dc09be19b@...>
Aug  8 14:22:30 woo milter-greylist: DKIM failed: Key retrieval failed
Aug  8 14:22:30 woo postfix/cleanup[1655]: 49A0B2073F: milter-reject: END-OF-MESSAGE from some.hostname[x.x.x.x]: 4.7.1 Service unavailable - try again later; from=<aliens-users-bounces@...> to=<an.email.addy@someplace> proto=ESMTP helo=<some.hostname>
Aug  8 14:22:30 woo postfix/smtpd[32400]: disconnect from some.hostname[x.x.x.x] ehlo=1 mail=1 rcpt=1 data=0/1 quit=1 commands=4/5

Now -- normally, before DNS issues came into play, and DKIM key retrieval
was possible, all worked fine.  Note that I have *no* DKIM lines in my
config file.  I don't care about it, don't want it, and just ignored it
until now.

Before, I would get the following instead of "retrieval failed" above:

Aug  6 07:20:46 woo milter-greylist: DKIM failed: Bad signature

And mail processing would complete.  In other words, prior to the
retrieval failed issue, a lack of DKIM or broken DKIM didn't cause a
tempfail. Processing completed, which included handing off to another
milter, and postfix processing things just fine.

However, what happens with

Aug  8 14:22:30 woo milter-greylist: DKIM failed: Key retrieval failed

is that postfix immediately tempfails the message.  After I noticed this,
I attempted all manner of dacl lines, yet none had any effect on the
above 'immediate tempfail' behaviour.

If this is expected behaviour, I find it unusual... for it means that if
DKIM is compiled in, you're essentially in trouble if DKIM key retrieval
fails... even if you don't want DKIM.  Or, if you don't want DKIM for
some emails.

If it isn't intended behaviour, yet fixed in a newer version -- I'd like
to see if I can get Debian to patch/update for it.  Especially before the
next release pops out...

Note that I recompiled Debian's package without DKIM, and all now works
fine.
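
One way to measure how often a server is hitting the pattern in the log paste above, as an added example that is not part of the original post: it pairs each milter-greylist "DKIM failed" line with a Postfix milter-reject 4.x.x at END-OF-MESSAGE logged shortly after on the same host. Because the milter-greylist lines carry no queue ID, pairing by time proximity is an assumption, as are the function name, the two-second window and the constructed sample log.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the log lines in the post (placeholders kept).
SAMPLE_LOG = """\
Aug  6 07:20:46 woo milter-greylist: DKIM failed: Bad signature
Aug  6 07:20:46 woo postfix/qmgr[900]: 1111111111: from=<a@example.org>, size=2048, nrcpt=1 (queue active)
Aug  8 14:22:28 woo postfix/smtpd[32400]: 49A0B2073F: client=some.hostname[x.x.x.x]
Aug  8 14:22:30 woo milter-greylist: DKIM failed: Key retrieval failed
Aug  8 14:22:30 woo postfix/cleanup[1655]: 49A0B2073F: milter-reject: END-OF-MESSAGE from some.hostname[x.x.x.x]: 4.7.1 Service unavailable - try again later; from=<aliens-users-bounces@...> to=<an.email.addy@someplace> proto=ESMTP helo=<some.hostname>
"""

# syslog prefix: timestamp, host, process tag, message
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) (\S+?): (.*)$")
DKIM = re.compile(r"DKIM failed: (.+)")
REJECT = re.compile(
    r"^([0-9A-F]+): milter-reject: END-OF-MESSAGE from (\S+): (4\.\d\.\d) ")


def dkim_tempfails(log_text, window=timedelta(seconds=2), year=2018):
    """Return tempfails that directly follow a DKIM failure on the same host.

    Assumption: a reject within `window` of the DKIM line belongs to it.
    On a busy server interleaved sessions can be mis-paired, so treat the
    result as a lead to check against the full transaction.
    """
    last = {}   # host -> (time, reason) of the latest DKIM failure seen
    hits = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, host, proc, msg = m.groups()
        # syslog omits the year; supply one so the timestamp parses cleanly
        when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
        if proc.startswith("milter-greylist"):
            d = DKIM.search(msg)
            if d:
                last[host] = (when, d.group(1))
        elif proc.startswith("postfix/cleanup"):
            r = REJECT.match(msg)
            if r and host in last and \
                    timedelta(0) <= when - last[host][0] <= window:
                hits.append({"time": ts, "queue_id": r.group(1),
                             "client": r.group(2), "code": r.group(3),
                             "dkim_reason": last[host][1]})
    return hits


if __name__ == "__main__":
    for hit in dkim_tempfails(SAMPLE_LOG):
        print(hit)
```

Grouping the hits by `dkim_reason` shows whether only "Key retrieval failed" precedes a tempfail while "Bad signature" lets processing complete, which is the behaviour described in the post.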
