Startup problems with pyspf-milter on freebsd

Asked by David Gessel

I am configuring a new migration install of pyspf-milter on FreeBSD 14 and the service won't run for me, that is,
#service pyspf-milter restart
pyspf_milter not running? (check /var/run/pyspf-milter/pyspf-milter.pid).
Starting pyspf_milter.

It then silently fails to run. I'm not collecting any errors in the log files.

py311-pyspf-2.0.14_2
py311-spf-engine-3.0.4

The interpreter, python3.11, exists and the command is correct.

Executing the daemon command without the -f option, as:
# /usr/sbin/daemon -c /usr/local/bin/pyspf-milter /usr/local/etc/pyspf-milter/pyspf-milter.conf

yields some scary-looking errors (below): well, one, and one I can't figure out.

* Does spf require the legacy option built into OpenSSL?
* py311-dnspython-2.6.1,1 is installed as a FreeBSD package. I think that's what is being asked for.
* are the below errors why it is failing to start or irrelevant to another problem?

Traceback (most recent call last):
  File "/usr/local/bin/spf.py", line 155, in <module>
    import dns.resolver # http://www.dnspython.org
    ^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/dns/resolver.py", line 30, in <module>
    import dns._ddr
  File "/usr/local/lib/python3.11/site-packages/dns/_ddr.py", line 12, in <module>
    import dns.nameserver
  File "/usr/local/lib/python3.11/site-packages/dns/nameserver.py", line 5, in <module>
    import dns.asyncquery
  File "/usr/local/lib/python3.11/site-packages/dns/asyncquery.py", line 32, in <module>
    import dns.quic
  File "/usr/local/lib/python3.11/site-packages/dns/quic/__init__.py", line 7, in <module>
    import aioquic.quic.configuration # type: ignore
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/aioquic/quic/configuration.py", line 6, in <module>
    from ..tls import (
  File "/usr/local/lib/python3.11/site-packages/aioquic/tls.py", line 26, in <module>
    import service_identity
  File "/usr/local/lib/python3.11/site-packages/service_identity/__init__.py", line 6, in <module>
    from . import cryptography, hazmat, pyopenssl
  File "/usr/local/lib/python3.11/site-packages/service_identity/cryptography.py", line 11, in <module>
    from cryptography.x509 import (
  File "/usr/local/lib/python3.11/site-packages/cryptography/x509/__init__.py", line 7, in <module>
    from cryptography.x509 import certificate_transparency, verification
  File "/usr/local/lib/python3.11/site-packages/cryptography/x509/certificate_transparency.py", line 11, in <module>
    from cryptography.hazmat.bindings._rust import x509 as rust_x509
RuntimeError: OpenSSL 3.0's legacy provider failed to load. This is a fatal error by default, but cryptography supports running without legacy algorithms by setting the environment variable CRYPTOGRAPHY_OPENSSL_NO_LEGACY. If you did not expect this error, you have likely made a mistake with your OpenSSL configuration.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/bin/pyspf-milter", line 5, in <module>
    from spf_engine.milter_spf import main
  File "/usr/local/lib/python3.11/site-packages/spf_engine/__init__.py", line 53, in <module>
    import spf
  File "/usr/local/bin/spf.py", line 165, in <module>
    import DNS # https://launchpad.net/pydns
    ^^^^^^^^^^
ModuleNotFoundError: No module named 'DNS'

Question information

Language: English
Status: Solved
For: SPF Engine
Assignee: No assignee
Solved by: David Gessel
David Gessel (dgessel) said :
#1

It appears to be a bug in py-cryptography and not a new one, but apparently a bit complicated.
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273770

I will test after enabling legacy crypto in OpenSSL first, and if that fails, reverting to cryptography-40.0.2

David Gessel (dgessel) said :
#2

Patching /usr/local/bin/pyspf-milter as follows resolves the issue:

*** /usr/local/bin/pyspf-milter Thu Oct 3 23:10:03 2024
--- /usr/local/bin/pyspf-milter.mod Fri Oct 4 05:34:09 2024
***************
*** 1,8 ****
--- 1,10 ----
  #!/usr/local/bin/python3.11
  # -*- coding: utf-8 -*-
  import re
  import sys
+ import os
+ os.environ['CRYPTOGRAPHY_OPENSSL_NO_LEGACY'] = '1'
  from spf_engine.milter_spf import main
  if __name__ == "__main__":
      sys.argv[0] = re.sub(r"(-script\.pyw|\.exe)?$", "", sys.argv[0])
      sys.exit(main())
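Review bot: the os.environ assignment has to stay above `from spf_engine.milter_spf import main`, as it is here, because cryptography reads CRYPTOGRAPHY_OPENSSL_NO_LEGACY when its Rust bindings initialise on first import; placed below the import it would silently do nothing, so a comment saying why the order matters would help the next person who touches this file. Two further points: the file is installed by the py311-spf-engine package, so the next package upgrade will overwrite the change, and the variable is better exported in the environment the rc script starts the daemon with than hard-coded in the entry script; and this hunk only covers the pyspf-milter entry point, while the log in the next comment shows /usr/local/bin/policyd-spf exiting 1, a separate entry script that imports the same spf_engine and spf modules and therefore needs the same treatment. On the security side the variable does not weaken anything SPF does: it only stops cryptography from loading OpenSSL's legacy provider (RC4, DES, MD4 and similar), which the DNS lookups pyspf performs do not use.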

David Gessel (dgessel) said :
#3

This patch will also fix errors that come from trying to integrate py-spf with postfix in FreeBSD.

The pkg-message for py311-spf-engine advises adding:

  smtpd_recipient_restrictions =
            ...
            reject_unauth_destination
            check_policy_service unix:private/policyd-spf

to main.cf; however, without the os.environ patch, you may get errors similar to those below, and mail may not be delivered at all:

pyspf-milter[9915]: prepend Authentication-Resultmailservuki; spf=pass (sender SPF authorized) smtp.mailfrom=gmail.com (client-ip=209.85.214.181; helo=mail-pl1-f181.google.com; <email address hidden>; receiver=<UNKNOWN>)
postfix/smtp-in/smtpd[38681]: warning: missing attribute action in input from private/policyd-spf
postfix/spawn[38795]: warning: command /usr/local/bin/policyd-spf exit status 1
postfix/smtp-in/smtpd[38681]: warning: missing attribute action in input from private/policyd-spf
postfix/smtp-in/smtpd[38681]: warning: problem talking to server private/policyd-spf: Application error
postfix/smtp-in/smtpd[38681]: NOQUEUE: reject: RCPT from mail-pl1-f181.google.com[209.85.214.181]: 451 4.3.5 <email address hidden>: Recipient address rejected: Server configuration problem; from=<email address hidden> to=<email address hidden> proto=ESMTP helo=<mail-pl1-f181.google.com>
postfix/spawn[38795]: warning: command /usr/local/bin/policyd-spf exit status 1

With the patch above, this issue is resolved:

pyspf-milter[50096]: prepend Authentication-Resultmailservuki; none (SPF check N/A for local connections - client-ip=10.3.0.133; helo=server.domain.com; <email address hidden>; receiver=<UNKNOWN>)
postfix/smtp-in/smtpd[612]: 5925D8793: client=server.domain.com[10.3.0.133]
postfix/cleanup[622]: 5925D8793: message-id=<>
pyspf-milter[50096]: Authentication-Resultmailservuki; none (SPF check N/A for local connections - client-ip=10.3.0.133; helo=server.domain.com; <email address hidden>; receiver=<UNKNOWN>)
postfix/smtp-in/smtpd[612]: disconnect from server.domain.com[10.3.0.133] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
postfix/qmgr[99347]: 5925D8793: from=<email address hidden>, size=694, nrcpt=1 (queue active)
postfix/pipe[637]: 5925D8793: to=<email address hidden>, relay=dovecot, delay=0.09, delays=0.05/0/0/0.04, dsn=2.0.0, status=sent (delivered via dovecot service)
postfix/qmgr[99347]: 5925D8793: removed
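The chained traceback in the question is easy to misread: the ModuleNotFoundError for DNS is only spf.py's fallback import of pydns after dnspython failed to load, and the real failure is the RuntimeError from cryptography above it, which is what the os.environ patch in #2 addresses. The script below is an added example, not code from pyspf-milter, spf-engine or this thread. It splits a Python exception chain at the "During handling of the above exception" marker, labels each link so the outermost cause comes first, and can re-run the cryptography import in a child interpreter with and without CRYPTOGRAPHY_OPENSSL_NO_LEGACY, so the variable can be confirmed as the fix before any packaged file is edited. The sample traceback is constructed (abridged) from the one posted above; the function names are this example's own.

```python
"""Find the real cause in a chained Python traceback and probe the
CRYPTOGRAPHY_OPENSSL_NO_LEGACY fix. Added example, not part of pyspf-milter
or spf-engine; assumes nothing beyond the standard library."""
import os
import re
import subprocess
import sys

# Constructed sample, abridged from the traceback in the question: the first
# exception is the real failure, the second is spf.py's pydns fallback.
SAMPLE_TRACEBACK = """\
Traceback (most recent call last):
  File "/usr/local/bin/spf.py", line 155, in <module>
    import dns.resolver # http://www.dnspython.org
  File "/usr/local/lib/python3.11/site-packages/cryptography/x509/certificate_transparency.py", line 11, in <module>
    from cryptography.hazmat.bindings._rust import x509 as rust_x509
RuntimeError: OpenSSL 3.0's legacy provider failed to load. This is a fatal error by default, but cryptography supports running without legacy algorithms by setting the environment variable CRYPTOGRAPHY_OPENSSL_NO_LEGACY. If you did not expect this error, you have likely made a mistake with your OpenSSL configuration.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/bin/pyspf-milter", line 5, in <module>
    from spf_engine.milter_spf import main
  File "/usr/local/bin/spf.py", line 165, in <module>
    import DNS # https://launchpad.net/pydns
ModuleNotFoundError: No module named 'DNS'
"""

TRACEBACK_HEADER = "Traceback (most recent call last)"
# Both markers CPython prints between links of an exception chain.
CHAIN_SEPARATOR = re.compile(
    r"\n(?:During handling of the above exception, another exception occurred:"
    r"|The above exception was the direct cause of the following exception:)\n"
)
LEGACY_RE = re.compile(r"legacy provider failed to load")
MISSING_RE = re.compile(r"No module named '([^']+)'")


def classify_chunk(chunk):
    """Label one link of the chain by the exception text it ends with."""
    if TRACEBACK_HEADER not in chunk:
        return "ok"
    if LEGACY_RE.search(chunk):
        return "legacy-provider"
    missing = MISSING_RE.search(chunk)
    if missing:
        return "missing-module:" + missing.group(1)
    return "other"


def classify_traceback(stderr):
    """Return one label per link of the exception chain, outermost cause first.

    An empty or traceback-free stderr yields ["ok"]."""
    if TRACEBACK_HEADER not in stderr:
        return ["ok"]
    return [classify_chunk(chunk) for chunk in CHAIN_SEPARATOR.split(stderr)]


def root_cause(stderr):
    """The first link is what actually went wrong; later links are fallbacks."""
    return classify_traceback(stderr)[0]


def probe_cryptography(no_legacy):
    """Import cryptography.x509 (the import that failed above) in a child
    interpreter, with or without CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1, and
    return (returncode, labels). Requires the cryptography package to be
    installed in the interpreter running this script."""
    env = dict(os.environ)
    if no_legacy:
        env["CRYPTOGRAPHY_OPENSSL_NO_LEGACY"] = "1"
    else:
        env.pop("CRYPTOGRAPHY_OPENSSL_NO_LEGACY", None)
    proc = subprocess.run(
        [sys.executable, "-c", "import cryptography.x509"],
        capture_output=True, text=True, env=env,
    )
    return proc.returncode, classify_traceback(proc.stderr)


if __name__ == "__main__":
    print("sample chain:", classify_traceback(SAMPLE_TRACEBACK))
    print("sample root cause:", root_cause(SAMPLE_TRACEBACK))
    for flag in (False, True):
        rc, labels = probe_cryptography(flag)
        print(f"CRYPTOGRAPHY_OPENSSL_NO_LEGACY={'1' if flag else 'unset'}: "
              f"rc={rc} {labels}")
```

Run it on the FreeBSD host as the same python3.11 that runs pyspf-milter: if the unset probe reports `legacy-provider` and the set probe reports `ok`, the environment variable is the whole fix and can be exported wherever the daemon is started; if the set probe still fails, the problem lies elsewhere and the patch in #2 would not help.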