Date:      Thu, 30 Jan 2025 17:05:51 +0300
From:      David Gessel <gessel@blackrosetech.com>
To:        ports@FreeBSD.org
Subject:   FreeBSD Port: mail/py-spf-engine py311-pyspf-2.0.14_3 cryptography issue
Message-ID:  <fab09862-5022-44b4-8edf-32e1fe2be218@blackrosetech.com>

There seems to be a bug in mail/py-spf-engine that breaks mail delivery if the pkg-message instructions are followed and

   smtpd_recipient_restrictions =
             ...
             reject_unauth_destination
             check_policy_service unix:private/policyd-spf

is added to main.cf.  I get the following errors with the check_policy_service unix:private/policyd-spf enabled.

pyspf-milter[9915]: prepend Authentication-Resultmailservuki; spf=pass (sender SPF authorized) smtp.mailfrom=gmail.com (client-ip=209.85.214.181; helo=mail-pl1-f181.google.com;envelope-from=dborg@gmail.com; receiver=<UNKNOWN>)
postfix/smtp-in/smtpd[38681]: warning: missing attribute action in input from private/policyd-spf
postfix/spawn[38795]: warning: command /usr/local/bin/policyd-spf exit status 1
postfix/smtp-in/smtpd[38681]: warning: missing attribute action in input from private/policyd-spf
postfix/smtp-in/smtpd[38681]: warning: problem talking to server private/policyd-spf: Application error
postfix/smtp-in/smtpd[38681]: NOQUEUE: reject: RCPT from mail-pl1-f181.google.com[209.85.214.181]: 451 4.3.5 <borg@domain.com>: Recipient address rejected: Server configuration problem; from=<dborg@gmail.com> to=<borg@domain.com> proto=ESMTP helo=<mail-pl1-f181.google.com>
postfix/spawn[38795]: warning: command /usr/local/bin/policyd-spf exit status 1

If I comment out the policyd-spf smtpd_recipient_restriction, then mail is delivered properly without it.  If I patch the file /usr/local/bin/spf.py-3.11 as follows:

import struct  # for pack() and unpack()
import time    # for time()
++ import os
++ os.environ['CRYPTOGRAPHY_OPENSSL_NO_LEGACY'] = '1'
try:
     import urllib.parse as urllibparse # for quote()
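
Review bot: the added assignment `os.environ['CRYPTOGRAPHY_OPENSSL_NO_LEGACY'] = '1'` runs unconditionally as an import side effect of spf.py, so it changes the environment of every process that imports the module and overwrites any value the administrator has already set; `os.environ.setdefault('CRYPTOGRAPHY_OPENSSL_NO_LEGACY', '1')` would respect an existing setting. The variable can only take effect if it is set before the cryptography package is first loaded in the process, and the visible lines do not show where that import happens, so a comment stating the ordering requirement and the reason for the setting belongs next to these two lines. The `++` prefixes are also not unified-diff syntax, so the hunk will not apply with patch(1) as posted; a `diff -u` against the pristine file would make it usable as a port patch.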

and re-enable the smtpd_recipient_restriction, the error is resolved and mail is delivered.

pyspf-milter[50096]: prepend Authentication-Resultmailservuki; none (SPF check N/A for local connections - client-ip=10.3.0.133; helo=server.domain.com;envelope-from=server@domain.com; receiver=<UNKNOWN>)
postfix/smtp-in/smtpd[612]: 5925D8793: client=server.domain.com[10.3.0.133]
postfix/cleanup[622]: 5925D8793: message-id=<>
pyspf-milter[50096]: Authentication-Resultmailservuki; none (SPF check N/A for local connections - client-ip=10.3.0.133; helo=server.domain.com;envelope-from=server@domain.com; receiver=<UNKNOWN>)
postfix/smtp-in/smtpd[612]: disconnect from server.domain.com[10.3.0.133] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
postfix/qmgr[99347]: 5925D8793: from=<server@domain.com>, size=694, nrcpt=1 (queue active)
postfix/pipe[637]: 5925D8793: to=<borg@domain.com>, relay=dovecot, delay=0.09, delays=0.05/0/0/0.04, dsn=2.0.0, status=sent (delivered via dovecot service)
postfix/qmgr[99347]: 5925D8793: removed

It seems like this might be a useful patch to the port; it isn't clear this impacts other operating systems or even all configurations of FreeBSD, but it has been necessary for me for both FreeBSD 13 and a fresh reinstall with FreeBSD 14.1.

https://answers.launchpad.net/spf-engine/+question/818909

https://forums.freebsd.org/threads/pyspf-milter-service-silently-not-starting.95215/#post-674665
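
The following is an added example, not part of the original message or of spf-engine: it runs a Postfix policy daemon outside Postfix, feeds it one constructed policy-delegation request on stdin as spawn(8) would, and reports the exit status, the `action=` attribute and the daemon's stderr, which is where the error behind "exit status 1" would appear. The function names and the sample request are assumptions made for the illustration; the default command path is the one from the log lines above.

```python
import subprocess
import sys

# Constructed sample request; the names are Postfix policy-delegation
# attributes, the values mirror the addresses in the log lines above.
SAMPLE_REQUEST = {
    "request": "smtpd_access_policy",
    "protocol_state": "RCPT",
    "protocol_name": "ESMTP",
    "client_address": "209.85.214.181",
    "client_name": "mail-pl1-f181.google.com",
    "helo_name": "mail-pl1-f181.google.com",
    "sender": "dborg@gmail.com",
    "recipient": "borg@domain.com",
}


def encode_request(attrs):
    """Serialise attributes as name=value lines ended by an empty line."""
    return "".join(f"{k}={v}\n" for k, v in attrs.items()) + "\n"


def parse_reply(text):
    """Return the action= value from a policy reply, or None if absent."""
    for line in text.splitlines():
        if line == "":
            break  # an empty line terminates the reply
        name, sep, value = line.partition("=")
        if sep and name == "action":
            return value
    return None


def probe_policy_service(argv, attrs=SAMPLE_REQUEST, timeout=30):
    """Run the daemon once; return (exit_status, action, stderr)."""
    proc = subprocess.run(argv, input=encode_request(attrs),
                          capture_output=True, text=True, timeout=timeout)
    return proc.returncode, parse_reply(proc.stdout), proc.stderr.strip()


if __name__ == "__main__":
    argv = sys.argv[1:] or ["/usr/local/bin/policyd-spf"]
    status, action, err = probe_policy_service(argv)
    print(f"exit status: {status}\naction: {action!r}")
    if action is None:
        print("no action= attribute; Postfix logs 'missing attribute action'")
        print(err, file=sys.stderr)  # traceback, if the daemon printed one
        sys.exit(1)
```

Running it once with and once without `CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1` in the calling environment tests the workaround without editing any installed file.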
