Mailing List Archive

rash of crashes: likely patch included
For about half an hour this morning, policyd-spf was halting with
error 1 on many spf checks. One such crash was reported in mail.log
as follows:

Apr 20 05:33:12 computer policyd-spf[24302]: None; identity=helo; client-ip=78.62.105.82; helo=78-56-134-24.static.zebra.lt; envelope-from=tin.it; receiver=mailders@brinckerhoff.org
Apr 20 05:33:13 computer policyd-spf[24302]: Traceback (most recent call last):
Apr 20 05:33:13 computer policyd-spf[24302]: File "/usr/local/bin/policyd-spf", line 420, in <module>
Apr 20 05:33:13 computer policyd-spf[24302]: instance_dict, configData)
Apr 20 05:33:13 computer policyd-spf[24302]: File "/usr/local/bin/policyd-spf", line 343, in spfcheck
Apr 20 05:33:13 computer policyd-spf[24302]: mfrom_resultpolicy, local = get_resultcodes(configData, 'mfrom')
Apr 20 05:33:13 computer policyd-spf[24302]: File "/usr/local/bin/policyd-spf", line 122, in get_resultcodes
Apr 20 05:33:13 computer policyd-spf[24302]: if spf.domainmatch(reject_domain_list, sender_domain[1]):
Apr 20 05:33:13 computer policyd-spf[24302]: IndexError: list index out of range
Apr 20 05:33:13 computer postfix/spawn[24301]: warning: command /usr/local/bin/policyd-spf exit status 1
Apr 20 05:33:13 computer postfix/smtpd[24300]: warning: premature end-of-input on private/policyd-spf while reading input attribute name

Looking through the source, I see that the crash is on the second of
these two lines:

sender_domain = string.split(sender, '@', 1)
if spf.domainmatch(reject_domain_list, sender_domain[1]):

... and sure enough, the offending e-mail is missing an '@'. My guess
(my Python is basically nonexistent) is that the string.split on the
prior line therefore returns a list of length 1, and that the
expression 'sender_domain[1]' then fails.

As I say, I don't know Python. I'm guessing that the fix should be as
simple as taking the last element of the list, like this:

split_sender = string.split(sender, '@', 1)
# there might not be a '@', so take the last element of the list:
sender_domain = split_sender[len(split_sender)-1]
if spf.domainmatch(reject_domain_list, sender_domain):
...

If there was a built-in 'last' operation on a list, this would be even
tidier:

# there might not be a '@', so take the last element of the list:
sender_domain = string.split(sender, '@', 1).last()
if spf.domainmatch(reject_domain_list, sender_domain):
...

Also, I haven't read the relevant RFCs, so I'm guessing that the
current behavior (that is, everything after the first '@' is part of
the domain) matches the RFC spec (though I do find that a bit
surprising).

John Clements

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1007/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1007/
Powered by Listbox: http://www.listbox.com

Re: rash of crashes: likely patch included
Thanks. I'll have a look. Lack of an "@" in an email address is not RFC
compliant, but the policy server should not crash regardless.

Scott K
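
Added example, not part of the thread and not policyd-spf's own code: a Python 3 sketch of extracting the sender domain from a Postfix policy request without assuming an '@' is present. The function names are hypothetical, the sample request is constructed from the attributes in the log above, and taking the text after the last '@' (a quoted local-part may contain '@', a domain cannot) is this example's choice.

```python
# Constructed Postfix policy request mirroring the attributes in the logged crash.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "client_address=78.62.105.82\n"
    "helo_name=78-56-134-24.static.zebra.lt\n"
    "sender=tin.it\n"
    "\n"
)


def parse_request(text):
    """Parse name=value lines up to the blank line that ends a policy request."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def domain_unguarded(sender):
    # Same shape as the two lines quoted in the thread: assumes an '@' exists.
    return sender.split("@", 1)[1]


def sender_domain(sender, helo):
    """Return the domain to check for the envelope sender; never raises.

    Null sender ('' or '<>') falls back to the HELO name, a sender with no
    '@' is treated as a bare domain, and with several '@' the last one wins.
    """
    sender = (sender or "").strip()
    if sender.startswith("<") and sender.endswith(">"):
        sender = sender[1:-1]
    if not sender:
        domain = helo or ""
    else:
        domain = sender.rpartition("@")[2]
    return domain.rstrip(".").lower()


def domain_for_request(text):
    """Hypothetical helper: parse one request and return its sender domain."""
    attrs = parse_request(text)
    return sender_domain(attrs.get("sender", ""), attrs.get("helo_name", ""))
```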

