Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[SOLVED] Crash of mail-filter/pypolicyd-spf
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
SwordArMor
n00b
n00b


Joined: 21 Feb 2015
Posts: 55
Location: Bretagne

PostPosted: Wed Apr 08, 2015 4:31 pm    Post subject: [SOLVED] Crash of mail-filter/pypolicyd-spf Reply with quote

Hi,

Today I tried to add SPF support to my postfix, but mail-filter/pypolicyd-spf crash when I receive an email
Code:
Apr  8 16:11:40 bulbizarre postfix/smtpd[26779]: connect from cabale.usenet-fr.net[2001:1b78:0:2:d918:5204:0:1]
Apr  8 16:11:40 bulbizarre postgrey[32332]: action=pass, reason=triplet found, client_name=cabale.usenet-fr.net, client_address=2001:1b78:0:2:d918:5204:0:1, sender=frnog-owner@frnog.org, recipient=alarig@swordarmor.fr
Apr  8 16:11:40 bulbizarre policyd-spf[26813]: Traceback (most recent call last):
Apr  8 16:11:40 bulbizarre policyd-spf[26813]:   File "/usr/bin/policyd-spf-2.7", line 684, in <module>
Apr  8 16:11:40 bulbizarre policyd-spf[26813]:     instance_dict, configData, peruser)
Apr  8 16:11:40 bulbizarre policyd-spf[26813]:   File "/usr/bin/policyd-spf-2.7", line 350, in _spfcheck
Apr  8 16:11:40 bulbizarre policyd-spf[26813]:     skip_check = _spfbypass(data, 'skip_addresses', configData)
Apr  8 16:11:40 bulbizarre policyd-spf[26813]:   File "/usr/bin/policyd-spf-2.7", line 206, in _spfbypass
Apr  8 16:11:40 bulbizarre policyd-spf[26813]:     if _cidrmatch(ip, good_ip, int(cidr_range)):
Apr  8 16:11:40 bulbizarre policyd-spf[26813]:   File "/usr/bin/policyd-spf-2.7", line 53, in _cidrmatch
Apr  8 16:11:40 bulbizarre policyd-spf[26813]:     connectip = spf.inet_pton(connectip)
Apr  8 16:11:40 bulbizarre policyd-spf[26813]: AttributeError: 'module' object has no attribute 'inet_pton'
Apr  8 16:11:40 bulbizarre postfix/spawn[26789]: warning: command /usr/bin/policyd-spf exit status 1
Apr  8 16:11:40 bulbizarre postfix/smtpd[26779]: warning: premature end-of-input on private/policyd-spf while reading input attribute name
Apr  8 16:11:41 bulbizarre policyd-spf[26824]: Traceback (most recent call last):
Apr  8 16:11:41 bulbizarre policyd-spf[26824]:   File "/usr/bin/policyd-spf-2.7", line 684, in <module>
Apr  8 16:11:41 bulbizarre policyd-spf[26824]:     instance_dict, configData, peruser)
Apr  8 16:11:41 bulbizarre policyd-spf[26824]:   File "/usr/bin/policyd-spf-2.7", line 350, in _spfcheck
Apr  8 16:11:41 bulbizarre policyd-spf[26824]:     skip_check = _spfbypass(data, 'skip_addresses', configData)
Apr  8 16:11:41 bulbizarre policyd-spf[26824]:   File "/usr/bin/policyd-spf-2.7", line 206, in _spfbypass
Apr  8 16:11:41 bulbizarre policyd-spf[26824]:     if _cidrmatch(ip, good_ip, int(cidr_range)):
Apr  8 16:11:41 bulbizarre policyd-spf[26824]:   File "/usr/bin/policyd-spf-2.7", line 53, in _cidrmatch
Apr  8 16:11:41 bulbizarre policyd-spf[26824]:     connectip = spf.inet_pton(connectip)
Apr  8 16:11:41 bulbizarre policyd-spf[26824]: AttributeError: 'module' object has no attribute 'inet_pton'
Apr  8 16:11:41 bulbizarre postfix/spawn[26789]: warning: command /usr/bin/policyd-spf exit status 1
Apr  8 16:11:41 bulbizarre postfix/smtpd[26779]: warning: premature end-of-input on private/policyd-spf while reading input attribute name
Apr  8 16:11:41 bulbizarre postfix/smtpd[26779]: warning: problem talking to server private/policyd-spf: Success
Apr  8 16:11:41 bulbizarre postfix/smtpd[26779]: NOQUEUE: reject: RCPT from cabale.usenet-fr.net[2001:1b78:0:2:d918:5204:0:1]: 451 4.3.5 <alarig@swordarmor.fr>: Recipient address rejected: Server configuration problem; from=<frnog-owner@frnog.org> to=<alarig@swordarmor.fr> proto=ESMTP helo=<cabale.usenet-fr.net>
Apr  8 16:11:41 bulbizarre postfix/smtpd[26779]: disconnect from cabale.usenet-fr.net[2001:1b78:0:2:d918:5204:0:1] ehlo=1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=4/6


I can’t find the spf.pl file as described in https://wiki.gentoo.org/wiki/Mailfiltering_Gateway#SPF_.28Sender_Policy_Framework.29 and the link to the development version point to a 404.

Here is my configuration, I can’t find where is my error:
Code:
bulbizarre ~ # cat /etc/postfix/main.cf
smtpd_recipient_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   reject_non_fqdn_hostname,
   reject_non_fqdn_sender,
   reject_unknown_recipient_domain,
   reject_non_fqdn_recipient,
   reject_unauth_destination,
   reject_unauth_pipelining,
   reject_invalid_hostname,
   reject_unauth_pipelining,
   check_policy_service inet:127.0.0.1:10030,
   check_policy_service unix:private/policyd-spf,
   permit
bulbizarre ~ # cat /etc/postfix/master.cf
policyd-spf unix -   n   n   -   0   spawn
                   user=nobody argv=/usr/bin/policyd-spf
bulbizarre ~ # cat /etc/python-policyd-spf/policyd-spf.conf
#  For a fully commented sample config file see policyd-spf.conf.commented

debugLevel = 1
defaultSeedOnly = 1

#HELO_reject = SPF_Not_Pass
HELO_reject = Null
#Mail_From_reject = Fail
Mail_From_reject = False

PermError_reject = False
TempError_Defer = False

skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0//104,::1//128
Whitelist = 91.224.149.128/32,2a01:6600:8081:8000::1//128


Last edited by SwordArMor on Tue Apr 28, 2015 1:44 pm; edited 1 time in total
Back to top
View user's profile Send private message
Peter Robb
n00b
n00b


Joined: 28 Apr 2015
Posts: 2
Location: Poland

PostPosted: Tue Apr 28, 2015 10:15 am    Post subject: Reply with quote

Most likely it received an ipv6 address in the spf reply..
From the ebuild file..

# With >=python-3.3, the built-in ipaddress module handles the parsing
# of IP addresses. If python is built without ipv6 support, then
# ipaddress can't parse ipv6 addresses, and the daemon will crash if it
# sees an ipv6 SPF record. In other words, it's completely broken.
#
# Ideally this would remain optional for python-2.x, but until there's
# an easy way to do that, "maybe annoying" seems a better option than
# "maybe broken."
PYTHON_REQ_USE="ipv6"

So I guess try rebuilding dev-python/ipaddr with the ipv6 use flag on,
USE="ipv6" emerge -av dev-python/ipaddr

and if that's not enuf, rebuild python and the spf packages with ipv6.

It has also been mentioned in several places that in /etc/postfix/master.cf you should add the address of the conf file just after the argv= entry.
Back to top
View user's profile Send private message
SwordArMor
n00b
n00b


Joined: 21 Feb 2015
Posts: 55
Location: Bretagne

PostPosted: Tue Apr 28, 2015 1:12 pm    Post subject: Reply with quote

Peter Robb wrote:

So I guess try rebuilding dev-python/ipaddr with the ipv6 use flag on,
USE="ipv6" emerge -av dev-python/ipaddr

and if that's not enuf, rebuild python and the spf packages with ipv6.


I already have the ipv6 useflag for the whole system.

The dev-python/ipaddr package haven’t any ipv6 useflag but it is built for python 3.3 and not python 3.4.
Code:
$ equery uses dev-python/ipaddr
[ Legend : U - final flag setting for installation]
[        : I - package is installed with flag     ]
[ Colors : set, unset                             ]
 * Found these USE flags for dev-python/ipaddr-2.1.11:
 U I
 + + python_targets_python2_7 : Build with Python 2.7
 + + python_targets_python3_3 : Build with Python 3.3
 - - python_targets_python3_4 : Build with Python 3.4
Back to top
View user's profile Send private message
Peter Robb
n00b
n00b


Joined: 28 Apr 2015
Posts: 2
Location: Poland

PostPosted: Tue Apr 28, 2015 1:22 pm    Post subject: Reply with quote

Python 3.3 has the ipaddr module builtin.. If your error says the attribute 'inet_pton' doesn't exist, either it compiled badly or dev-python/ipaddr conflicts somehow.
Check to see dev-python/ipaddr didn't clobber an existing file.
equery files dev-python/ipaddr

Then remove it.

I had this same problem but chose to use the perl based spf instead of recompiling with ipv6.
I don't have the python spf installed so I can't check files etc..
Back to top
View user's profile Send private message
SwordArMor
n00b
n00b


Joined: 21 Feb 2015
Posts: 55
Location: Bretagne

PostPosted: Tue Apr 28, 2015 1:42 pm    Post subject: Reply with quote

I don’t think that there is a conflict on a file between two packages
Code:
alarig@bulbizarre ~ $ equery files dev-python/ipaddr
 * Searching for ipaddr in dev-python ...
 * Contents of dev-python/ipaddr-2.1.11:
/usr
/usr/lib64
/usr/lib64/python2.7
/usr/lib64/python2.7/site-packages
/usr/lib64/python2.7/site-packages/ipaddr-2.1.11-py2.7.egg-info
/usr/lib64/python2.7/site-packages/ipaddr.py
/usr/lib64/python2.7/site-packages/ipaddr.pyc
/usr/lib64/python2.7/site-packages/ipaddr.pyo
/usr/lib64/python3.3
/usr/lib64/python3.3/site-packages
/usr/lib64/python3.3/site-packages/__pycache__
/usr/lib64/python3.3/site-packages/__pycache__/ipaddr.cpython-33.pyc
/usr/lib64/python3.3/site-packages/__pycache__/ipaddr.cpython-33.pyo
/usr/lib64/python3.3/site-packages/ipaddr-2.1.11-py3.3.egg-info
/usr/lib64/python3.3/site-packages/ipaddr.py
/usr/share
/usr/share/doc
/usr/share/doc/ipaddr-2.1.11
/usr/share/doc/ipaddr-2.1.11/README.bz2
/usr/share/doc/ipaddr-2.1.11/RELEASENOTES.bz2
alarig@bulbizarre ~ $ for file in $(equery -C files dev-python/ipaddr | grep site-packages/); do equery belongs $file; done
 * Searching for /usr/lib64/python2.7/site-packages/ipaddr-2.1.11-py2.7.egg-info ...
dev-python/ipaddr-2.1.11 (/usr/lib64/python2.7/site-packages/ipaddr-2.1.11-py2.7.egg-info)
 * Searching for /usr/lib64/python2.7/site-packages/ipaddr.py ...
dev-python/ipaddr-2.1.11 (/usr/lib64/python2.7/site-packages/ipaddr.py)
 * Searching for /usr/lib64/python2.7/site-packages/ipaddr.pyc ...
dev-python/ipaddr-2.1.11 (/usr/lib64/python2.7/site-packages/ipaddr.pyc)
 * Searching for /usr/lib64/python2.7/site-packages/ipaddr.pyo ...
dev-python/ipaddr-2.1.11 (/usr/lib64/python2.7/site-packages/ipaddr.pyo)
 * Searching for /usr/lib64/python3.3/site-packages/__pycache__ ...
dev-lang/python-3.3.5-r1 (/usr/lib64/python3.3/site-packages/__pycache__)
dev-python/configobj-5.0.5 (/usr/lib64/python3.3/site-packages/__pycache__)
dev-python/ipaddr-2.1.11 (/usr/lib64/python3.3/site-packages/__pycache__)
dev-python/pyspf-2.0.10 (/usr/lib64/python3.3/site-packages/__pycache__)
dev-python/setuptools-12.0.1 (/usr/lib64/python3.3/site-packages/__pycache__)
dev-python/six-1.8.0 (/usr/lib64/python3.3/site-packages/__pycache__)
dev-python/virtualenv-1.11.6 (/usr/lib64/python3.3/site-packages/__pycache__)
mail-filter/pypolicyd-spf-1.3.1 (/usr/lib64/python3.3/site-packages/__pycache__)
net-analyzer/speedtest-cli-0.2.4 (/usr/lib64/python3.3/site-packages/__pycache__)
 * Searching for /usr/lib64/python3.3/site-packages/__pycache__/ipaddr.cpython-33.pyc ...
dev-python/ipaddr-2.1.11 (/usr/lib64/python3.3/site-packages/__pycache__/ipaddr.cpython-33.pyc)
 * Searching for /usr/lib64/python3.3/site-packages/__pycache__/ipaddr.cpython-33.pyo ...
dev-python/ipaddr-2.1.11 (/usr/lib64/python3.3/site-packages/__pycache__/ipaddr.cpython-33.pyo)
 * Searching for /usr/lib64/python3.3/site-packages/ipaddr-2.1.11-py3.3.egg-info ...
dev-python/ipaddr-2.1.11 (/usr/lib64/python3.3/site-packages/ipaddr-2.1.11-py3.3.egg-info)
 * Searching for /usr/lib64/python3.3/site-packages/ipaddr.py ...
dev-python/ipaddr-2.1.11 (/usr/lib64/python3.3/site-packages/ipaddr.py)


I installed the version 1.3.1 of mail-filter/pypolicyd-spf (the stable is 1.1) and I don’t meet this issue, so I think that there is a bug in the version 1.1.

Thanks for your help :)
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum