From: David Gessel <gessel@blackrosetech.com>
To: ports@FreeBSD.org
Date: Thu, 30 Jan 2025 17:05:51 +0300
Subject: FreeBSD Port: mail/py-spf-engine py311-pyspf-2.0.14_3 cryptography issue
Reply-To: gessel@blackrosetech.com
Organization: Black Rose Technology
List-Id: Porting software to FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-ports

There seems to be a bug in mail/py-spf-engine that breaks mail delivery if the pkg-message instructions are followed and

  smtpd_recipient_restrictions =
            ...
            reject_unauth_destination
            check_policy_service unix:private/policyd-spf

is added to main.cf.  I get the following errors with the check_policy_service unix:private/policyd-spf enabled.

pyspf-milter[9915]: prepend Authentication-Resultmailservuki; spf=pass (sender SPF authorized) smtp.mailfrom=gmail.com (client-ip=209.85.214.181; helo=mail-pl1-f181.google.com; envelope-from=dborg@gmail.com; receiver=<UNKNOWN>)
postfix/smtp-in/smtpd[38681]: warning: missing attribute action in input from private/policyd-spf
postfix/spawn[38795]: warning: command /usr/local/bin/policyd-spf exit status 1
postfix/smtp-in/smtpd[38681]: warning: missing attribute action in input from private/policyd-spf
postfix/smtp-in/smtpd[38681]: warning: problem talking to server private/policyd-spf: Application error
postfix/smtp-in/smtpd[38681]: NOQUEUE: reject: RCPT from mail-pl1-f181.google.com[209.85.214.181]: 451 4.3.5 <borg@domain.com>: Recipient address rejected: Server configuration problem; from=<dborg@gmail.com> to=<borg@domain.com> proto=ESMTP helo=<mail-pl1-f181.google.com>
postfix/spawn[38795]: warning: command /usr/local/bin/policyd-spf exit status 1

If I comment out the policyd-spf smtpd_recipient_restriction, then mail is delivered properly without it.  If I patch the file /usr/local/bin/spf.py-3.11 as follows:

import struct  # for pack() and unpack()
import time    # for time()
++ import os
++ os.environ['CRYPTOGRAPHY_OPENSSL_NO_LEGACY'] = '1'
try:
    import urllib.parse as urllibparse # for quote()
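Review bot: the `++ os.environ['CRYPTOGRAPHY_OPENSSL_NO_LEGACY'] = '1'` line only has an effect if it runs before any module loads cryptography's OpenSSL bindings; that holds here only because it sits above the remaining imports of spf.py, so if the policyd-spf entry point or the pyspf-milter service imports a cryptography-dependent module before spf, the assignment is a no-op. Editing the installed /usr/local/bin/spf.py-3.11 in place is also lost on the next port upgrade; for the port, exporting CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1 in the service environment (the spawn entry for private/policyd-spf in master.cf, or the rc script) or carrying the change as a port patch keeps the fix persistent, and the setting should be mentioned in pkg-message so operators know the OpenSSL legacy provider is being disabled for this daemon.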

and re-enable the smtpd_recipient_restriction, the error is resolved and mail is delivered.  

pyspf-milter[50096]: prepend Authentication-Resultmailservuki; none (SPF check N/A for local connections - client-ip=10.3.0.133; helo=server.domain.com; envelope-from=server@domain.com; receiver=<UNKNOWN>)
postfix/smtp-in/smtpd[612]: 5925D8793: client=server.domain.com[10.3.0.133]
postfix/cleanup[622]: 5925D8793: message-id=<>
pyspf-milter[50096]: Authentication-Resultmailservuki; none (SPF check N/A for local connections - client-ip=10.3.0.133; helo=server.domain.com; envelope-from=server@domain.com; receiver=<UNKNOWN>)
postfix/smtp-in/smtpd[612]: disconnect from server.domain.com[10.3.0.133] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
postfix/qmgr[99347]: 5925D8793: from=<server@domain.com>, size=694, nrcpt=1 (queue active)
postfix/pipe[637]: 5925D8793: to=<borg@domain.com>, relay=dovecot, delay=0.09, delays=0.05/0/0/0.04, dsn=2.0.0, status=sent (delivered via dovecot service)
postfix/qmgr[99347]: 5925D8793: removed

It seems like this might be a useful patch to the port; it isn't clear whether this impacts other operating systems or even all configurations of FreeBSD, but it has been necessary for me for both FreeBSD 13 and a fresh reinstall with FreeBSD 14.1.

https://answers.launchpad.net/spf-engine/+question/818909

https://forums.freebsd.org/threads/pyspf-milter-service-silently-not-starting.95215/#post-674665
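As an added example (not part of this message or of the py-spf-engine port), a small Python harness that drives a Postfix policy daemon the way postfix/spawn does: it sends a constructed smtpd_access_policy request over stdin and checks that the reply carries the action= attribute that smtpd reported as missing, and that the daemon exits 0. The daemon path and the request fields are assumptions modelled on the log above; the child environment gets CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1 so the same workaround can be tested without editing spf.py.

```python
import os
import subprocess

# Constructed smtpd_access_policy request, modelled on the rejected
# connection in the log above (sample data, not live traffic).
SAMPLE_REQUEST = {
    "request": "smtpd_access_policy",
    "protocol_state": "RCPT",
    "protocol_name": "ESMTP",
    "client_address": "209.85.214.181",
    "client_name": "mail-pl1-f181.google.com",
    "helo_name": "mail-pl1-f181.google.com",
    "sender": "dborg@gmail.com",
    "recipient": "borg@domain.com",
}


def build_policy_request(attrs):
    """Serialise attributes as smtpd sends them: name=value per line, ended by an empty line."""
    return "".join(f"{k}={v}\n" for k, v in attrs.items()) + "\n"


def parse_policy_response(text):
    """Return the value of action=, or None when the daemon never produced one
    (the 'missing attribute action' warning in the log)."""
    for line in text.splitlines():
        if line.startswith("action="):
            return line[len("action="):].strip()
    return None


def check_policy_server(command, attrs, no_legacy=True):
    """Run a policy daemon once with the request on stdin, as the spawn(8) service
    would, and return (exit_status, action).  With no_legacy=True the child gets
    CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1, the same setting the patch above applies."""
    env = dict(os.environ)
    if no_legacy:
        env["CRYPTOGRAPHY_OPENSSL_NO_LEGACY"] = "1"
    proc = subprocess.run(command, input=build_policy_request(attrs),
                          capture_output=True, text=True, env=env, timeout=30)
    return proc.returncode, parse_policy_response(proc.stdout)


if __name__ == "__main__":
    # Assumed daemon path, taken from the postfix/spawn warning above.
    status, action = check_policy_server(["/usr/local/bin/policyd-spf"], SAMPLE_REQUEST)
    if status != 0 or action is None:
        print(f"policy daemon broken: exit status {status}, action={action}")
    else:
        print(f"policy daemon OK: action={action}")
```

Running it with no_legacy=False against the unpatched daemon should reproduce the exit status 1 seen in the log, and with the default no_legacy=True should return an action such as PREPEND or DUNNO.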
