bridgedb is not monitored enough by nagios?
I have not had any replies from bridges@torproject.org this week, and we've received a few complaints on help@rt.torproject.org as well. Can someone please figure out what's wrong?
Activity
https://bridges.torproject.org/ works fine.
Is there any way to estimate when this stopped working? From the logs, I can tell that BridgeDB processed email requests at least until Jan 15 06:07:31.
If it stopped working after that, or if we aren't sure, we should let someone with admin rights (weasel or phobos) check whether or not emails are forwarded from whatever MTA to BridgeDB. To me, it currently looks like mails aren't arriving for processing in BridgeDB.
I just got a response from bridges@torproject.org. I think the problem was that the bridgedb service was down.
I guess the followup problem is: how come no nagios things noticed that the service was down?
-
Trac:
Summary: bridges@torproject.org does not reply to bridgedb is not monitored enough by nagios?
Owner: N/A to phobos
Component: BridgeDB to Company 
Replying to arma:
I just changed a ~ to a /home/bridges in the @reboot line of its crontab. Maybe that will improve things.
shouldn't. crontab entries pass through the shell which does tilde expansion.
Replying to arma:
Works fine for me -- I just got an email response.
I wonder if these users are expecting more than one answer per hour?
Or if they're not sending from the right domains.
Did you send the email from a GMail account? I just tried again (and I had a friend try as well), and still no reply.
-
bridgedb's logs say:
Feb 10 07:50:38 [INFO] Got a completed email; deciding whether to reply. Feb 10 07:50:38 [INFO] Got a bad dkim header ('invalid (public key: DNS query timeout for gamma._domainkey.gmail.com)') on an incoming mail; rejecting it.Looks like our dkim proxy is failing to do a dkim step, and declaring the email invalid.
Where does our dkim proxy live? I heard a rumor it was on gettor? I think kaner runs that?
Trac:
Cc: N/A to kaner I wonder whats going on there. Its not like dkimproxy completely fails to work:
dnsel2:/var/log# grep "DKIM verify - pass" mail.log* | wc -l 18 dnsel2:/var/log# grep "DKIM verify - invalid" mail.log* | wc -l 5084But it has a really bad success rate. All the "invalid"s there are timeouts, btw.
Running the query from the command line doesn't look slow at all:
dnsel2:/var/log# time dig +short TXT gamma._domainkey.gmail.com "k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDIhyR3oItOy22ZOaBrIVe9m/iME3RqOJeasANSpg2YTHTYV+Xtp4xwf5gTjCmHQEMOs0qYu0FYiNQPQogJ2t0Mfx9zNu06rfRBDjiIU9tpx2T+NGlWZ8qhbiLo5By8apJavLyqTLavyPSrvsx0B3YzC63T4Age2CDqZYA+OwSMWQIDAQAB" real 0m0.047s user 0m0.000s sys 0m0.020sWhy is it only slow when the query is called from dkimproxy? Why did that timeout problem start to occur all of a sudden anyway? It did work for quite a while, then started getting problems, without anyone changing the setup (to my knowledge).
I tried to verify one of the GetTor DKIM test emails from the command line:
dnsel2:/var/log# cat /tmp/testmail.txt | dkimproxy-verify originator address: ioerror@gmail.com signature identity: @gmail.com verify result: pass signature identity: ioerror@gmail.com verify result: pass sender policy result: accept author policy result: accept ADSP policy result: acceptWorked.
Fun fact: I don't see any DNS requests for domainkey hosts when I run:
tcpdump -n -i eth0 udp port 53 | grep domainkeyUnless I do a manual request from the command line like so:
dig +short TXT s1024._domainkey.yahoo.cnor
cat /tmp/testmail.txt | dkimproxy-verifyAs arma concluded, it may be that dkimproxy only thinks it does a DNS requests. Maybe it starts those requests with a timeout of 0? Someone with better perl-foo than myself should maybe take a look at /usr/share/perl5/Mail/DKIM/DNS.pm?
mentioned in issue #32105 (moved)