Mailing List Archive: SPF: Devel

rash of crashes: likely patch included

Index | Next | Previous | View Threaded

clements at brinckerhoff

Apr 20, 2009, 12:24 PM

Post #1 of 2 (2442 views)
Permalink

rash of crashes: likely patch included

For about half an hour this morning, policyd-spf was halting with
error 1 on many spf checks. One such crash was reported in mail.log
as follows:

Apr 20 05:33:12 computer policyd-spf[24302]: None; identity=helo;
client-ip=78.62.105.82; helo=78-56-134-24.static.zebra.lt; envelope-
from=tin.it; receiver=mailders [at] brinckerhoff
Apr 20 05:33:13 computer policyd-spf[24302]: Traceback (most recent
call last):
Apr 20 05:33:13 computer policyd-spf[24302]: File "/usr/local/bin/
policyd-spf", line 420, in <module>
Apr 20 05:33:13 computer policyd-spf[24302]: instance_dict,
configData)
Apr 20 05:33:13 computer policyd-spf[24302]: File "/usr/local/bin/
policyd-spf", line 343, in spfcheck
Apr 20 05:33:13 computer policyd-spf[24302]: mfrom_resultpolicy,
local = get_resultcodes(configData, 'mfrom')
Apr 20 05:33:13 computer policyd-spf[24302]: File "/usr/local/bin/
policyd-spf", line 122, in get_resultcodes
Apr 20 05:33:13 computer policyd-spf[24302]: if
spf.domainmatch(reject_domain_list, sender_domain[1]):
Apr 20 05:33:13 computer policyd-spf[24302]: IndexError: list index
out of range
Apr 20 05:33:13 computer postfix/spawn[24301]: warning: command /usr/
local/bin/policyd-spf exit status 1
Apr 20 05:33:13 computer postfix/smtpd[24300]: warning: premature end-
of-input on private/policyd-spf while reading input attribute name

Looking through the source, I see that the crash is on the second of
these two lines:

sender_domain = string.split(sender, '@', 1)
if spf.domainmatch(reject_domain_list, sender_domain[1]):

... and sure enough, the offending e-mail is missing an '@'. My guess
(my Python is basically nonexistent) is that the string.split on the
prior line therefore returns a list of length 1, and that the
expression 'sender_domain[1]' then fails.

As I say, I don't know python. I'm guessing that the fix should be as
simple as taking the last element of the list, like this:

split_sender = string.split(sender, '@', 1);
;; there might not be a '@', so take the last element of the list:
sender_domain = split_sender[len(split_sender)-1];
if spf.domainmatch(reject_domain_list, sender_domain):
...

If there was a built-in 'last' operation on a list, this would be even
tidier:

;; there might not be a '@', so take the last element of the list:
sender_domain = string.split(sender, '@', 1).last();
if spf.domainmatch(reject_domain_list, sender_domain):
...

Also, I haven't read the relevant RFCs, so I'm guessing that the
current behavior (that is, everything after the first '@' is part of
the domain) matches the RFC spec (though I do find that a bit
surprising).

John Clements

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1007/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1007/
Powered by Listbox: http://www.listbox.com

Attachments:

smime.p7s (2.43 KB)

scott at kitterman

Apr 20, 2009, 1:17 PM

Post #2 of 2 (2308 views)
Permalink

Re: rash of crashes: likely patch included [In reply to]

Thanks. I'll have a look. Lack of an "@" in an email address is not RFC
complaint, but the policy server should not crash regardless.

Scott K

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1007/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1007/
Powered by Listbox: http://www.listbox.com

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads