Solved py-spf-engine - "warning: connect to Milter service unix:/var/run/pyspf-milter/pyspf-milter.sock"

Running:

FreeBSD v12.3-RELEASE
Postfix v3.6.3

I recently installed port 'py-spf-engine' (mail/py-spf-engine) to provide SPF for emails via Postfix.
After installation, the package message provides steps for implementing the config changes via 'pkg-message.in.'
Code:
[
{ type: install
  message: <<EOM
#
# Using policyd-spf with Postfix
#

Policyd-spf must be integrated with Postfix to be effective:

 1. Add to your postfix master.cf:

        policyd-spf  unix  -       n       n       -       0       spawn
            user=nobody argv=%%PREFIX%%/bin/policyd-spf

 2. Configure the Postfix policy service in your main.cf so that the
    "smtpd_recipient_restrictions" includes a call to the policyd-spf policy
    filter.  If you already have a "smtpd_recipient_restrictions" line, you can
    add the "check_policy_service" command anywhere *after* the line which
    reads "reject_unauth_destination" (otherwise you're system can become an
    open relay).

        smtpd_recipient_restrictions =
            ...
            reject_unauth_destination
            check_policy_service unix:private/policyd-spf
            ...

        policyd-spf_time_limit = 3600

  3. Please consult the postfix documentation for more information on these and
     other settings you may wish to have in the "smtpd_recipient_restrictions"
     configuration.

  4. Reload postfix.

#
# Automatically starting pyspf-milter at boot time.
#

Add 'pyspf_milter_enable="YES"' to /etc/rc.conf.

#
# Using pyspf-milter with Sendmail
#

Following is an example configuration line to include in your sendmail.mc.

INPUT_MAIL_FILTER(`pyspf-milter', `S=local:/var/run/pyspf-milter/pyspf-milter.sock')dnl

#
# Using pyspf-milter with Postfix
#

Integration of pyspf-milter into Postfix is like any milter (See Postfix's
README_FILES/MILTER_README). But care is required to segregate outbound mail
from inbound mail to be checked. Here is example using milter macros to keep
the mail streams segregated.

%%PREFIX%%/etc/postfix/main.cf:

smtpd_milters = unix:/var/run/pyspf-milter/pyspf-milter.sock

%%PREFIX%%/etc/postfix/master.cf:

smtp       inet  n       -       -       -       -       smtpd
    ...
        -o milter_macro_daemon_name=VERIFYING
    ...

%%PREFIX%%/etc/python-policyd-spf/policyd-spf.conf:

MacroList               daemon_name|VERIFYING

EOM
}
]

After making the necessary changes and reloading Postfix, I'm seeing this error/warning in '/var/log/maillog' pertaining to "No such file or directory" anytime an incoming email is received....

/var/log/maillog

Code:
Jan 25 05:05:09 ssh1 postfix/smtpd[90462]: connect from mail-1a.dshield.org[66.35.60.131]
Jan 25 05:05:09 ssh1 postfix/smtpd[90462]: warning: connect to Milter service unix:/var/run/pyspf-milter/pyspf-milter.sock: No such file or directory.    <<======= !!!!
Jan 25 05:05:10 ssh1 postfix/smtpd[90462]: 28969497DE6: client=mail-1a.dshield.org[66.35.60.131]
Jan 25 05:05:10 ssh1 postfix/cleanup[90465]: 28969497DE6: message-id=<20220125050509.791248303F@dshield.org>
Jan 25 05:05:10 ssh1 postfix/qmgr[37265]: 28969497DE6: from=<dshield@dshield.org>, size=2979, nrcpt=1 (queue active)
Jan 25 05:05:10 ssh1 postfix/smtpd[90462]: disconnect from mail-1a.dshield.org[66.35.60.131] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Jan 25 05:05:10 ssh1 postfix/local[90466]: 28969497DE6: to=<xxxxxxxxxxx@xxxxxxx.net>, relay=local, delay=0.25, delays=0.21/0.02/0/0.02, dsn=2.0.0, status=sent (delivered to maildir)
Jan 25 05:05:10 ssh1 postfix/qmgr[37265]: 28969497DE6: removed

If I go ahead and touch the file in the appropriate directory, then the error changes in /var/log/maillog...
Code:
Jan 25 05:17:04 ssh1 postfix/smtpd[90478]: warning: connect to Milter service unix:/var/run/pyspf-milter/pyspf-milter.sock: Socket operation on non-socket.

File location....
Code:
[xxxxxxxx@ssh1:~ ] $ ls -l /var/run/pyspf-milter
total 0K
-rw-r--r-- 1 root pyspf-milter 0 Jan 24 11:14 pyspf-milter.sock
[xxxxxxxx@ssh1:~ ] $

I also tried changing the group (pyspf-milter) for the file to 'w' writable, but still seeing the warning.

What am I missing here?? Has anyone installed this port and seen this warning? It doesn't seem to affect functionality of the port that I can see. Should I just ignore it as benign?

Thanks to anyone who provides feedback and clues.


Regards,

--Cf
 
did you start the milter program ?
service pyspf-milter start
also remove pyspf-milter.sock before you start it
it has to be a socket not a regular file
 
Thanks for the reply, covacat!

Well, looks like pyspf-milter wasn't running. You'd figure that this particular step would be in the pkg-message. Totally forgot about starting the daemon. Thanks!

Looks like the daemon is started and I sent a test email. Now I'm seeing this in /var/log/maillog...

"warning: connect to Milter service unix:/var/run/pyspf-milter/pyspf-milter.sock: Permission denied"

So, I went into the directory and chmod'ed the file (chmod o+rw) and the error/warning went away. However, upon restarting the service again, it's back to complaining about the permissions issue.
 
well, I'm not familiar with postfix but make sure that postfix process can write to that socket
maybe this user=nobody needs to be changed ?

Perhaps this is the case. I'll look into that. But for the most part, this issue is resolved. Thank you, covacat!!


Regards,

--Cf
 
If you also want to provide other means of mail/spam filtering apart from SPF-checks, I can highly recommend mail/rspamd which can do all sorts of additional filtering/scanning (spamassassin, clamav...) and also DKIM-signing of outgoing mail.
rspamd uses SPF lookup only as one of several filters which add (or subtract) to/from an overall score, which is used to determine if a message should be considered as junk.

Regarding your problem with access rights to the socket: I'd always recommend running each service on a mailserver in a separate jail and attach those to the same loopback interface (e.g. lo1). All connections between services are done via the jail's address on that loopback-interface. This prevents the need for mangling with socket access rights and makes communication between services easily observable via tcpdump on the loopback interface.
 
If you look at the /usr/local/etc/pyspf-milter.conf file, there are two options:
Code:
# Milter specific options
Socket = local:/var/run/pyspf-milter/pyspf-milter.sock
#Socket = inet:8893@localhost

You'll probably have to comment the inet line and uncomment the local line.
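
The three warnings seen in this thread ("No such file or directory", "Socket operation on non-socket", "Permission denied") each correspond to a distinct state of the socket path. The script below is an added example, not part of any post or of the port: it classifies the path from the point of view of the user running it and flags a world-writable socket such as the one left behind by `chmod o+rw`. The function names are made up for this example; the default path is the one from the thread.

```sh
#!/bin/sh
# Added example (not from the port or the thread): classify a milter socket
# path into the states behind the three Postfix warnings shown above.
# Run it as the user whose access you want to test; root passes every
# permission check, so a root run cannot show "permission-denied".

milter_sock_state() {
    sock=$1
    dir=$(dirname "$sock")
    if [ ! -d "$dir" ]; then
        echo missing              # "No such file or directory"
    elif [ ! -x "$dir" ]; then
        echo permission-denied    # cannot traverse the directory
    elif [ ! -e "$sock" ]; then
        echo missing              # daemon not started, socket never created
    elif [ ! -S "$sock" ]; then
        echo not-a-socket         # "Socket operation on non-socket" (e.g. touch'ed file)
    elif [ ! -w "$sock" ]; then
        echo permission-denied    # connect() needs write access to the socket
    else
        echo ok
    fi
}

# True when the "other" write bit is set (9th character of the ls mode string).
is_world_writable() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case $mode in
        ????????w?) return 0 ;;
        *)          return 1 ;;
    esac
}

# Default path is the one used throughout the thread.
sock=${1:-/var/run/pyspf-milter/pyspf-milter.sock}
state=$(milter_sock_state "$sock")
echo "$sock: $state"
if [ "$state" = ok ] && is_world_writable "$sock"; then
    echo "note: socket is world-writable; any local user can connect to the milter"
fi
```
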
 