milter-reject: END-OF-MESSAGE when using milter-greylist

Not entirely sure where this is coming from exactly, but since we've enabled the mail rate limiting option in Virtualmin we are running into an issue with email from (mostly)

This is the logging I see in the mail.log file:

May 19 13:51:09 web1 postfix/policy-spf[10577]: Policy action=PREPEND Received-SPF: pass ( Sender is authorized to use '' in 'mfrom' identity (mechanism '' matched)) receiver=web1; identity=mailfrom; envelope-from="";; client-ip=
May 19 13:51:09 web1 postfwd2/policy[12983]: [DNSBL] listed on (answer:, time: 0.01s, ttl: 10800s, '')
May 19 13:51:09 web1 postfwd2/policy[12983]: [RULES] rule=7, id=RWL_003,[], sender=<>, recipient=<>, helo=<>, proto=ESMTP, state=RCPT, delay=0.29s, hits=RWL_001;RWL_003, action=PREPEND X-PFW-STATE: INFO: [<>]
May 19 13:51:09 web1 milter-greylist: (unknown id): skipping greylist because this is the default action, (from=<>, rcpt=<>,[]) ACL 78
May 19 13:51:09 web1 postfix/smtpd[9907]: 632A920975:[]
May 19 13:51:09 web1 postfix/cleanup[6800]: 632A920975: message-id=<AM5P189MB0562A943D8EC539E3F232728B8B90@AM5P189MB0562.EURP189.PROD.OUTLOOK.COM>
May 19 13:51:09 web1 milter-greylist: DKIM failed: Key retrieval failed
May 19 13:51:09 web1 postfix/cleanup[6800]: 632A920975: milter-reject: END-OF-MESSAGE from[]: 4.7.1 Service unavailable - try again later; from=<> to=<> proto=ESMTP helo=<>

I have replaced the sender and receiver with redacted mail addresses. As you can see, it passes through policy-spf first (without any issues), then moves to milter-greylist and there it fails in the cleanup step with the following error: DKIM failed: Key retrieval failed

We haven't enabled DKIM signing on our server. I've been looking for some time now, but haven't gotten a clue about how to debug this problem. This is happening quite a bit, around 50 - 100 times a day. Often Microsoft will retry the email after some time and the 3rd or 4th time the email will pass through, but this results in quite some delay before the email is delivered.

Do you have any idea what this could be?

postconf -n

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
home_mailbox = Maildir/
inet_interfaces = all
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 0
message_size_limit = 50000000
milter_default_action = accept
milter_protocol = 2
mydestination = web1, localhost
myhostname = web1
mynetworks = [::ffff:]/104 [::1]/128
myorigin = /etc/mailname
non_smtpd_milters = local:/var/run/milter-greylist/milter-greylist.sock
policy-spf_time_limit = 3600s
readme_directory = no
recipient_delimiter = +
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_milters = local:/var/run/milter-greylist/milter-greylist.sock
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination check_policy_service unix:private/policy-spf check_policy_service inet:
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_tls_CAfile = /etc/webmin/letsencrypt-ca.pem
smtpd_tls_cert_file = /etc/webmin/letsencrypt-cert.pem
smtpd_tls_key_file = /etc/webmin/letsencrypt-key.pem
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_maps = hash:/etc/postfix/virtual


# Simple greylisting config file using the new features
# See greylist2.conf for a more detailed list of available options
# $Id: greylist.conf,v 1.50 2013/08/13 12:45:08 manu Exp $

pidfile "/var/run/"
dumpfile "/var/lib/milter-greylist/greylist.db" 600
dumpfreq 10m

geoipdb "/usr/share/GeoIP/GeoIP.dat"

socket "/var/spool/postfix/var/run/milter-greylist/milter-greylist.sock" 666
user "smmsp"

# Do not tell spammer how long they have to wait

# And here is the access list
ratelimit "virtualmin_limit" rcpt 30 / 30m key "%f"
racl greylist from /.*/ ratelimit "virtualmin_limit" delay 31m autowhite 0m msg "Message quota exceeded"
racl whitelist default

# Example of content filtering for fighting image SPAM
#dacl blacklist body /src[:blank:]*=(3D)?[:blank:]*["']?[:blank:]*cid:/ \
#     msg "Sorry, We do not accept images embedded in HTML"


Category: Bug report » Support request

Could this be something DNS related?
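
To measure how many of the END-OF-MESSAGE tempfails described above coincide with a DKIM key retrieval failure, the following added example (not part of the original post and not code from Virtualmin or milter-greylist) pairs each postfix/cleanup milter-reject line with a milter-greylist "DKIM failed" line logged just before it. The milter-greylist line carries no queue id, so matching on a 2-second timestamp window is an assumption; the sample log, hosts, addresses and IPs are constructed placeholders.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample shaped like the mail.log excerpt above; all names and IPs are placeholders.
SAMPLE_LOG = """\
May 19 13:51:09 web1 postfix/cleanup[6800]: 632A920975: message-id=<constructed-1@example.net>
May 19 13:51:09 web1 milter-greylist: DKIM failed: Key retrieval failed
May 19 13:51:09 web1 postfix/cleanup[6800]: 632A920975: milter-reject: END-OF-MESSAGE from mail.example.net[192.0.2.10]: 4.7.1 Service unavailable - try again later; from=<a@example.net> to=<b@example.org> proto=ESMTP helo=<mail.example.net>
May 19 14:02:31 web1 postfix/cleanup[6811]: 7B1C420A01: milter-reject: END-OF-MESSAGE from mail.example.com[192.0.2.20]: 4.7.1 Service unavailable - try again later; from=<c@example.com> to=<b@example.org> proto=ESMTP helo=<mail.example.com>
May 19 14:40:00 web1 milter-greylist: DKIM failed: Key retrieval failed
"""

STAMP = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ "
DKIM_RE = re.compile(STAMP + r"milter-greylist: DKIM failed: (?P<why>.+)$")
REJECT_RE = re.compile(STAMP + r"postfix/cleanup\[\d+\]: (?P<qid>[0-9A-F]+): "
                       r"milter-reject: END-OF-MESSAGE from\s*(?P<client>\S*?): (?P<reply>[^;]+);")

def parse_ts(text, year=2000):
    # Classic syslog stamps carry no year; a fixed leap year is assumed so Feb 29 parses.
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def correlate(lines, window=timedelta(seconds=2)):
    """Pair each END-OF-MESSAGE milter-reject with a DKIM failure logged just before it."""
    dkim_events, results = [], []
    for line in lines:
        m = DKIM_RE.match(line)
        if m:
            dkim_events.append((parse_ts(m["ts"]), m["why"]))
            continue
        m = REJECT_RE.match(line)
        if m:
            when = parse_ts(m["ts"])
            cause = next((why for t, why in reversed(dkim_events)
                          if timedelta(0) <= when - t <= window), None)
            results.append({"qid": m["qid"], "client": m["client"],
                            "reply": m["reply"].strip(), "dkim_error": cause})
    return results

def summarize(results):
    return Counter(r["dkim_error"] or "no DKIM failure logged nearby" for r in results)

if __name__ == "__main__":
    results = correlate(SAMPLE_LOG.splitlines())
    for r in results:
        print(r)
    print(summarize(results))
```

Run against the real mail.log, a summary dominated by "Key retrieval failed" points at the DKIM key lookup rather than the rate limit rule as the source of the 4.7.1 replies.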