DNS timeout error

Asked by SW

I have installed postfix-policyd-spf-python on my FreeBSD 10.1 server today which runs the latest version of Postfix. I added the following to my main.cf file:

smtpd_recipient_restrictions = check_policy_service unix:private/policyd-spf

and the following to master.cf:

policyd-spf unix - n n - 0 spawn
   user=nobody argv=/usr/local/bin/policyd-spf

and restarted the Postfix daemon.

But when I send myself a test email from my Gmail address I get the following in the maillog and email header:

Code:

Jan 18 13:26:59 mail policyd-spf[58514]: Action: prepend: Text: Received-SPF: Temperror (SPF Temporary Error: DNS Timeout) identity=mailfrom; client-ip=209.85.216.170; helo=mail-qc0-f170.google.com; <email address hidden>; <email address hidden>

Yet, when I run dig txt _spf.google.com I get the following results:

Code:

; <<>> DiG 9.10.1-P1 <<>> txt _spf.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47665
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_spf.google.com. IN TXT

;; ANSWER SECTION:
_spf.google.com. 300 IN TXT "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all"

;; AUTHORITY SECTION:
google.com. 80969 IN NS ns1.google.com.
google.com. 80969 IN NS ns2.google.com.
google.com. 80969 IN NS ns3.google.com.
google.com. 80969 IN NS ns4.google.com.

;; ADDITIONAL SECTION:
ns1.google.com. 129116 IN A 216.239.32.10
ns2.google.com. 129116 IN A 216.239.34.10
ns3.google.com. 129116 IN A 216.239.36.10
ns4.google.com. 95353 IN A 216.239.38.10

;; Query time: 35 msec
;; SERVER: 213.133.223.11#53(213.133.223.11)
;; WHEN: Sun Jan 18 13:37:02 GMT 2015
;; MSG SIZE rcvd: 296

Any ideas why I am getting DNS timeouts? I use Postscreen and RBL lists and never have DNS timeouts. I am using my ISPs DNS servers.

Appreciate any help!

Scott Kitterman (kitterman) said :
#1

What version of the policy server do you have installed? (The simplest way to check is to open /usr/local/bin/policyd-spf in your preferred editor and look at the __version__ attribute (line 26 on the latest version).)

Is the port configured to run it with python or python3?

What versions of pydns or py3dns do you have installed?

SW (spf-5) said :
#2

Hi Scott, thanks for the reply.

1) I am running __version__ = "1.2: JULY 25, 2013". This is the most up to date port version I can run on FreeBSD:

http://www.freshports.org/mail/postfix-policyd-spf-python/

2) I'm not sure about your 2nd question, how do I know if it is using python or python3? If this helps I am running these:

python2-2_3 The "meta-port" for version 2 of the Python interpreter
python27-2.7.9 Interpreted object-oriented programming language

3) py27-dns-2.3.6_1 - is this the same as pydns or py3dns?

Appreciate your help.

Scott Kitterman (kitterman) said :
#3

1. OK, that's not the latest, but there's been no changes since then that would affect this.

2. Look at the first line of /usr/local/bin/policyd-spf. As released upstream it's #! /usr/bin/python3 (so it would use python3), but the port maintainer may have changed it.

3. I believe that's the same as pydns. If the answer from question #2 is python3, you'll need the python3 version. It can be found here: https://launchpad.net/py3dns if it's not available through ports.

You need to have a version of the DNS module that works for the python version you're using. The version of the policy server you're using will work with either python2 or python3, but it uses python3 by default. I suspect either installing the python3 version of the DNS module or changing the policy server to use python (python2) instead of python3 will solve your problem.

SW (spf-5) said :
#4

Ok to answer question 2:

#!/usr/local/bin/python2.7

Considering I have py27-dns-2.3.6_1 installed and /usr/local/bin/policyd-spf is showing python2.7, shouldn't I have everything in place then to perform DNS queries?

Scott Kitterman (kitterman) said :
#5

Yes. You should. What's the output of this python script:

#! /usr/local/bin/python2.7

import DNS

DNS.DiscoverNameServers()
print DNS.defaults['server']

SW (spf-5) said :
#6

I get the following output:

['213.133.223.11', '213.133.192.12']

(my ISP DNS servers)

Scott Kitterman (kitterman) said :
#7

OK. That confirms that pydns is finding your name servers. Another possibility is that one of the name servers is timing out. There's a bug in pydns 2.3.6 that it works exactly backwards in the case of a timeout. It returns a timeout result if any DNS server times out, not an answer if any server returns an answer.

I wrote a patch for it that's in Debian and Ubuntu that fixes it, but there hasn't been a new pydns release with the fix yet. You can get the patch here:

http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/vivid/python-dns/vivid/view/head:/debian/patches/pydns_timeout.patch

You'll need to figure out where your system has the file DNS/Base.py located as I don't know where such things go on FreeBSD.
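An added example (not code from the thread or from pydns) that models the backwards timeout behaviour described above against constructed in-memory "servers", so it runs offline; the class and function names are assumptions for illustration:

```python
# Added example (not from pydns or the thread): the pydns 2.3.6 timeout bug
# described above, modelled with constructed in-memory "servers" (offline).

class Timeout(Exception):
    """Stands in for the DNS module's timeout error (constructed here)."""

def make_server(answer):
    """Fake query function; answer=None means this server never replies."""
    def query(name):
        if answer is None:
            raise Timeout("%s: no reply" % name)
        return answer
    return query

def resolve_buggy(servers, name):
    """pydns 2.3.6 as described in the thread: the first server that times
    out ends the whole lookup, and later servers are never asked."""
    for query in servers:
        try:
            return query(name)
        except Timeout:
            raise  # bug: one timeout wins over any later answer
    raise Timeout(name)

def resolve_fixed(servers, name):
    """Intended behaviour (what the pydns_timeout patch restores): an answer
    from any server wins; timeout only when every server timed out."""
    last = None
    for query in servers:
        try:
            return query(name)
        except Timeout as exc:
            last = exc  # remember it and try the next configured server
    raise last if last is not None else Timeout(name)

def lookup_spf(resolver, servers, domain):
    """Map the outcome to what policyd-spf logs: the TXT record on success,
    or the Temperror text from the original question on timeout."""
    try:
        return resolver(servers, domain)
    except Timeout:
        return "Temperror (SPF Temporary Error: DNS Timeout)"

# Constructed scenario: the first ISP resolver stalls, the second answers.
SPF_RECORD = "v=spf1 include:_netblocks.google.com ~all"
FLAKY_THEN_GOOD = [make_server(None), make_server(SPF_RECORD)]
```

With two resolvers configured, as in the thread, the buggy path logs Temperror whenever the first one stalls, while the fixed path returns the record from the second.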

SW (spf-5) said :
#8

To be honest, I'm not sure how to apply this patch! ;-)

I did a global search on my server and nothing came back with DNS/Base.py. I did get some results for base.py:

/usr/local/lib/python2.7/idlelib/SearchDialogBase.py
/usr/local/lib/python2.7/idlelib/SearchDialogBase.pyc
/usr/local/lib/python2.7/idlelib/SearchDialogBase.pyo

But I don't think they are relevant.

In /usr/ports/dns/py-dns/files there are these files:

patch-DNS-Lib.py
patch-DNS-Type.py

Does the patch go here and then I reinstall py27-dns?

Scott Kitterman (kitterman) said :
#9

Based on locations on my Linux system, you might try:

/usr/local/lib/python2.7/dist-packages/DNS

Might also be:

/usr/local/lib/python2.7/site-packages/DNS

Being unfamiliar with FreeBSD ports, I don't know if just dropping the patch file in the patch directory would work. It might. This might be a good time to contact the port maintainer and see if they can help you with the port specific part of getting this resolved.

SW (spf-5) said :
#10

Thanks Scott.

So it looks like the directory location is:

/usr/local/lib/python2.7/site-packages/DNS/Base.py

So do I rename the patch I have downloaded and then overwrite the current Base.py?

Scott Kitterman (kitterman) said :
#11

You should first make a copy of the existing Base.py file, just in case.

Try to copy the file into /usr/local/lib/python2.7/site-packages/ (this will probably require root or sudo as appropriate) and then apply it using patch:

patch -p1 <pydns_timeout.patch

SW (spf-5) said :
#12

So I applied the patch and after re-enabling policyd-spf it appears to be working! I say appears as the second time I had to restart Postfix due to a config change I got the timeout errors again. So I am going to monitor it closely for a couple days to see how it goes. Can the DNS lookups be "flaky" at times?

Currently I have the following config set:

debugLevel = 1
defaultSeedOnly = 1

HELO_reject = Fail
Mail_From_reject = Fail
PermError_reject = False
TempError_Defer = False
skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0//104,::1//128,192.168.0.0/24

Header_Type = SPF

When I monitor the maillog, the first entry always starts with "None":

Jan 21 21:05:58 mail policyd-spf[48684]: None; identity=helo; client-ip=157.55.1.165; helo=dub004-omc2s26.hotmail.com; <email address hidden>; <email address hidden>
Jan 21 21:05:58 mail policyd-spf[48684]: Pass; identity=mailfrom; client-ip=157.55.1.165; helo=dub004-omc2s26.hotmail.com; <email address hidden>; <email address hidden>

What does the "None" refer to?

I also sent myself a fake email externally from an unauthorised IP for my domain and SPF did fail it and I haven't received it (yet!).

Hotmail and Gmail tests have been successful so far and I can see the SPF header in the received mail.

Thanks very much for your help so far!

Scott Kitterman (kitterman) said :
#13

Great. I've pinged the DNS module upstream again about getting a new release with that fix in it.

SPF can check against two identities in email: HELO and Mail From. The policy server checks both.

This is the check against HELO:
Jan 21 21:05:58 mail policyd-spf[48684]: None; identity=helo; client-ip=157.55.1.165; helo=dub004-omc2s26.hotmail.com; <email address hidden>; <email address hidden>

This is the check against Mail From:
Jan 21 21:05:58 mail policyd-spf[48684]: Pass; identity=mailfrom; client-ip=157.55.1.165; helo=dub004-omc2s26.hotmail.com; <email address hidden>; <email address hidden>

The None means the domain has no SPF record. For the HELO check, the relevant domain is dub004-omc2s26.hotmail.com. Note that for the Mail From check, the domain is hotmail.com and the result is Pass.

This is to be expected as records for HELO identities are less common. The system is working.
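An added example (not code from the thread or from pypolicyd-spf) that parses the two log lines quoted above and applies a simplified model of the config posted in #12; the policy rules in decide() are an assumption for illustration, not the project's exact logic:

```python
# Added example (not from pypolicyd-spf or the thread): parse the policyd-spf
# log lines quoted above and apply a simplified model of the posted config.
import re

LINE_RE = re.compile(
    r"policyd-spf\[\d+\]: (?P<result>\w+); identity=(?P<identity>\w+); "
    r"client-ip=(?P<ip>[0-9a-fA-F.:]+); helo=(?P<helo>[^;]+);")

# The two lines from post #12 (addresses were hidden on the page).
LOG = """\
Jan 21 21:05:58 mail policyd-spf[48684]: None; identity=helo; client-ip=157.55.1.165; helo=dub004-omc2s26.hotmail.com; <email address hidden>; <email address hidden>
Jan 21 21:05:58 mail policyd-spf[48684]: Pass; identity=mailfrom; client-ip=157.55.1.165; helo=dub004-omc2s26.hotmail.com; <email address hidden>; <email address hidden>
"""

# Keys from the poster's config that drive the accept/reject decision.
CONFIG = {"HELO_reject": "Fail", "Mail_From_reject": "Fail",
          "PermError_reject": False, "TempError_Defer": False}

def parse_line(line):
    """Return result/identity/ip/helo fields, or None for non-SPF lines."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def decide(result, identity, cfg):
    """Simplified policy (an assumption, not the project's exact logic):
    reject when the result matches the *_reject setting for that identity,
    defer on Temperror only if TempError_Defer, otherwise just prepend the
    Received-SPF header."""
    reject_on = cfg["HELO_reject"] if identity == "helo" else cfg["Mail_From_reject"]
    if result == "Fail" and reject_on == "Fail":
        return "reject"
    if result == "Permerror" and cfg["PermError_reject"]:
        return "reject"
    if result == "Temperror" and cfg["TempError_Defer"]:
        return "defer"
    return "prepend"  # None, Neutral, Pass, Softfail: header only

def explain(log, cfg):
    """One tuple per line: (identity, checked domain, result, action).
    For identity=helo the checked domain is the HELO name; for mailfrom it is
    the sender's domain, which the page hides, so it is marked as such."""
    out = []
    for line in log.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        domain = f["helo"] if f["identity"] == "helo" else "<sender domain hidden>"
        out.append((f["identity"], domain, f["result"],
                    decide(f["result"], f["identity"], cfg)))
    return out
```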
