policyd-spf: IndexError: list index out of range

Bug #2015609 reported by Uffe Jakobsen
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
SPF Engine | Fix Released | Medium | Scott Kitterman |

Bug Description

After updating from spf-engine version 2.9.3 to 3.0.3 (on FreeBSD) I'm getting the following errors from policyd-spf on my syslog:

Apr 6 09:33:17 mail policyd-spf[3692]: Traceback (most recent call last):
Apr 6 09:33:17 mail policyd-spf[3692]: File "/usr/local/bin/policyd-spf", line 8, in <module> sys.exit(main())
Apr 6 09:33:17 mail policyd-spf[3692]: File "/usr/local/lib/python3.9/site-packages/spf_engine/policyd_spf.py", line 97, in main data['recipient'] = data.get('recipient').split('@')[1]
Apr 6 09:33:17 mail policyd-spf[3692]: IndexError: list index out of range

Downgrading to version 2.9.3 makes the problem go away again...

I've tracked the problem down to local network email messages containing recipients without a '@' - recipients like 'sysadmin' and 'netadmin'.

The originating systems are internal/local systems - and their IP/netmask is already added both to skip_addresses and Whitelists to keep them out of SPF checks - but these checks are never reached before policyd-spf errors out...

The problem is introduced in commit:

commit fa82ae0e8c57183dd020dc7b458a2eeae460a06c
Author: Scott Kitterman <email address hidden>
AuthorDate: Sun Nov 27 19:35:58 2022 -0500
Commit: Scott Kitterman <email address hidden>
CommitDate: Sun Nov 27 19:36:29 2022 -0500

   Changed recipient tracking to only use recipient host name (per RFC 7208) in the policy server if per user processing is not being used and as a result, changed Hide_Receiver defau....

Besides being a plain error - this could be misused as a denial-of-service vector by making lots of requests with recipients without '@' in their email addresses

Details: FreeBSD 13.1 with postfix 3.7.4
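
The failure described in this report, reproduced as an added example (not part of the original report and not the fix shipped in spf-engine 3.0.4): the expression from the traceback beside one possible hardened form. The function names, the sample request and the choice to return an empty host for a recipient without '@' are assumptions.

```python
# Constructed sample of a Postfix policy-delegation request, as sent by a
# local system that addresses mail to a bare local name.
SAMPLE_REQUEST = [
    "request=smtpd_access_policy",
    "protocol_state=RCPT",
    "client_address=192.0.2.10",
    "sender=root@host.example.org",
    "recipient=sysadmin",
    "",
]


def parse_policy_request(lines):
    """Parse 'name=value' attribute lines; a blank line ends the request."""
    data = {}
    for line in lines:
        line = line.strip()
        if not line:
            break
        key, sep, value = line.partition("=")
        if sep:
            data[key] = value
    return data


def recipient_host_unsafe(data):
    # Same expression as line 97 in the traceback: raises IndexError when the
    # recipient has no '@' (and AttributeError when the attribute is absent).
    return data.get("recipient").split("@")[1]


def recipient_host_safe(data):
    """Return the recipient's host part, or '' when there is none.

    Assumption: an empty host is acceptable to the caller. rpartition splits
    on the last '@', so a quoted local part containing '@' still yields the
    real host.
    """
    recipient = data.get("recipient") or ""
    _local, sep, host = recipient.rpartition("@")
    return host if sep else ""


if __name__ == "__main__":
    request = parse_policy_request(SAMPLE_REQUEST)
    print(repr(recipient_host_safe(request)))
```

Because the unhandled exception is raised before any skip or whitelist logic runs, a regression test for this case only needs a request whose recipient attribute has no '@'.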

Scott Kitterman (kitterman) wrote :

I think that's an odd recipient. Definitely not a case I'd considered, but it's easy enough to fix, so I'll take care of it. Thanks for the report.

Changed in spf-engine:
assignee: nobody → Scott Kitterman (kitterman)
importance: Undecided → Medium
milestone: none → 3.0.4
status: New → Triaged
Scott Kitterman (kitterman) wrote :

Would you please try it again with the change I just pushed to see if that works for you?

Changed in spf-engine:
status: Triaged → Fix Committed
Uffe Jakobsen (uffe-uffe) wrote :

Thanks for your quick reply.

I can confirm that the fix works - thanks :-)

Uffe Jakobsen (uffe-uffe) wrote :

PS: I've also created a question about how to use the test suite - my thought was that this special case maybe should be tested for?

Changed in spf-engine:
status: Fix Committed → Fix Released
Scott Kitterman (kitterman) wrote :

I released 3.0.4 to fix this. Thanks for the thorough investigation prior to the report. It made it easy to resolve.
