spf-policy not functioning after 9.3->10.3 upgrade

Hi folks,

I upgraded my personal mail server from FreeBSD 9.3 -> 10.3 this week, and now my SPF package is not functioning correctly. I'm using postfix-policyd-spf-perl-2.010_1 along with postfix-sasl-3.2.2,1, and it's using the standard main.cf and master.cf config that were set up in 2009.

I am getting the following error message which is causing mail not to be delivered:
Code:
Jul 22 09:00:55 deimos postfix/policy-spf[19053]: Policy action=DEFER_IF_PERMIT SPF-Result=*host*: Unknown error on DNS 'TXT' lookup of '*host*'

I thought maybe this was due to the loss of BIND tools in FreeBSD10, so as a temp fix, I tried installing dns/bind-tools package. But this just caused the daemon to start timing out.

Code:
Jul 22 09:14:44 deimos postfix/smtpd[19360]: warning: problem talking to server private/spf-policy: Operation timed out

Any ideas?
 
Note that changes that affect individual ports are documented in the UPDATING file.

less -p 20160228 /usr/ports/UPDATING

On the other hand, have you read the instructions documented in /usr/ports/mail/postfix-policyd-spf-perl/files/pkg-message.in?
 
Thanks, I missed that message in /usr/ports/UPDATING last year. It says that native spf processing was removed from postfix, and you can enable spf by using package 'mail/*spf*'.
As mentioned, I have mail/postfix-policyd-spf-perl installed, which matches that pattern. Do I need to also install another package to get it operational or fill in the missing pieces from the postfix base package?

Yes, I've read the package message in pkg-message.in and have had it configured the way described for at least 8 years.
 
Hi folks,

I upgraded my personal mail server from FreeBSD 9.3 -> 10.3 this week, and now my SPF package is not functioning correctly. I'm using postfix-policyd-spf-perl-2.010_1 along with postfix-sasl-3.2.2,1, and it's using the standard main.cf and master.cf config that were set up in 2009.

I am getting the following error message which is causing mail not to be delivered:
Code:
Jul 22 09:00:55 deimos postfix/policy-spf[19053]: Policy action=DEFER_IF_PERMIT SPF-Result=*host*: Unknown error on DNS 'TXT' lookup of '*host*'

It's a known bug.

Verify that you have installed and updated dns/p5-Net-DNS.
 
Yes, net/p5-Net-DNS-1.11,1 is installed.

Upon further examination, only a small handful of domains were experiencing this issue of failed TXT lookups and deferred messages -- they are domains with lengthy TXT record replies that were being truncated. Changing the default EDNS0 pseudo RR buffersize (using -b flag) causes a correct response to come back.

Maybe the default buffersize, or behavior differences when receiving a long message, are different between BIND and Unbound.


For an example of a domain with this issue, try
% drill starbucks.com txt
and
% drill -b 2048 starbucks.com txt
on a FreeBSD-10+ system.

You'll notice the first instance shows an error about a truncated response; whereas the second one succeeds.

Not sure if the solution to this lies somewhere in postfix-policyd-spf-perl, one of the perl libraries it calls, or just changing unbound's default buffer size.
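
Added example, not part of the thread and not code from postfix-policyd-spf-perl or Net::DNS: a Python sketch of what the EDNS0 buffer size from the last post looks like on the wire, and how a client can tell a truncated reply from a complete one. The function names, the query name example.org and the sample response header are constructed for illustration.

```python
import struct

TYPE_TXT, TYPE_OPT, CLASS_IN = 16, 41, 1
TC_BIT = 0x0200          # "truncated" flag in the DNS header flags word
CLASSIC_UDP_LIMIT = 512  # RFC 1035 limit when the query carries no EDNS0 OPT record

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=TYPE_TXT, edns_bufsize=None, qid=0x1234):
    """Build a DNS query; edns_bufsize adds an OPT pseudo-RR (what drill -b sets)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns_bufsize else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    opt = b""
    if edns_bufsize:
        # OPT RR: root name, TYPE=41, CLASS holds the UDP payload size, TTL=0, RDLEN=0.
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_bufsize, 0, 0)
    return header + question + opt

def skip_name(msg, off):
    """Return the offset just past a name (plain labels or a compression pointer)."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def advertised_udp_size(query):
    """Largest UDP reply the sender of this query has said it will accept."""
    qd, an, ns, ar = struct.unpack("!HHHH", query[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(query, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(query, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", query[off:off + 10])
        if rtype == TYPE_OPT:
            return max(rclass, CLASSIC_UDP_LIMIT)  # RFC 6891: below 512 means 512
        off += 10 + rdlen
    return CLASSIC_UDP_LIMIT

def is_truncated(response):
    """True when the TC bit is set, i.e. the full answer did not fit in the datagram."""
    return bool(struct.unpack("!H", response[2:4])[0] & TC_BIT)

# Constructed 12-byte response header with QR, TC, RD and RA set (not captured traffic).
SAMPLE_TRUNCATED_HEADER = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)
```

A client that sees the TC bit set has to repeat the lookup, either over TCP or with a larger advertised buffer, before it can evaluate a long SPF TXT record.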
 