# spf-policy not functioning after 9.3->10.3 upgrade



## kniveton (Jul 22, 2017)

Hi folks,

I upgraded my personal mail server from FreeBSD 9.3 -> 10.3 this week, and now my SPF package is not functioning correctly. I'm using postfix-policyd-spf-perl-2.010_1 along with postfix-sasl-3.2.2,1, and it's using the standard main.cf and master.cf config that were set up in 2009.

I am getting the following error message which is causing mail not to be delivered: 

```
Jul 22 09:00:55 deimos postfix/policy-spf[19053]: Policy action=DEFER_IF_PERMIT SPF-Result=*host*: Unknown error on DNS 'TXT' lookup of '*host*'
```

I thought maybe this was due to the loss of BIND tools in FreeBSD 10, so as a temp fix, I tried installing the dns/bind-tools package. But this just caused the daemon to start timing out.


```
Jul 22 09:14:44 deimos postfix/smtpd[19360]: warning: problem talking to server private/spf-policy: Operation timed out
```

Any ideas?


----------



## cpm@ (Jul 22, 2017)

Note that changes that affect individual ports are documented in the UPDATING file.

`less -p 20160228 /usr/ports/UPDATING`

On the other hand, have you read the instructions documented in /usr/ports/mail/postfix-policyd-spf-perl/files/pkg-message.in?


----------



## kniveton (Jul 23, 2017)

Thanks, I missed that message in /usr/ports/UPDATING last year. It says that native SPF processing was removed from postfix, and you can enable SPF by using package 'mail/*spf*'.
As mentioned, I have mail/postfix-policyd-spf-perl installed, which matches that pattern. Do I need to also install another package to get it operational, or fill in the missing pieces from the postfix base package?

Yes, I've read the package message in pkg-message.in and have had it configured the way described for at least 8 years.


----------



## cpm@ (Jul 23, 2017)

kniveton said:


> Hi folks,
> 
> I upgraded my personal mail server from FreeBSD 9.3 -> 10.3 this week, and now my SPF package is not functioning correctly. I'm using postfix-policyd-spf-perl-2.010_1 along with postfix-sasl-3.2.2,1, and it's using the standard main.cf and master.cf config that were set up in 2009.
> 
> ...



It's a known bug.

Verify that you have installed and updated dns/p5-Net-DNS.


----------



## kniveton (Jul 23, 2017)

Yes, net/p5-Net-DNS-1.11,1 is installed.

Upon further examination, only a small handful of domains were experiencing this issue of failed TXT lookups and deferred messages -- they are domains with lengthy TXT record replies that were being truncated. Changing the default EDNS0 pseudo RR buffer size (using the -b flag) causes a correct response to come back.

Maybe the default buffer size, or behavior differences when receiving a long message, are different between BIND and Unbound.


For an example of a domain with this issue, try
`% drill starbucks.com txt`
and
`% drill -b 2048 starbucks.com txt` on a FreeBSD-10+ system.

You'll notice the first instance shows an error about a truncated response; whereas the second one succeeds.

Not sure if the solution to this lies somewhere in postfix-policyd-spf-perl, one of the Perl libraries it calls, or just changing Unbound's default buffer size.
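To make the buffer-size point above concrete, here is an added example (not code from the thread or from postfix-policyd-spf-perl) that builds a wire-format TXT query with and without an EDNS0 OPT record, reads back the advertised UDP payload size, and checks the TC ("truncated") bit on a constructed reply header, which is the condition a resolver client must treat as "retry over TCP or with a larger EDNS0 size", not as a failed lookup. The domain name and the reply bytes are constructed sample values.

```python
import struct
from typing import Optional

DNS_DEFAULT_UDP_SIZE = 512   # RFC 1035 limit when no EDNS0 OPT RR is present
TC_FLAG = 0x0200             # "truncated" bit in the DNS header flags field
QTYPE_TXT, QTYPE_OPT, QCLASS_IN = 16, 41, 1

def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as uncompressed DNS labels."""
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".")) + b"\x00"

def build_txt_query(name: str, edns_udp_size: Optional[int] = 2048,
                    txid: int = 0x1234) -> bytes:
    """Wire-format TXT query. If edns_udp_size is set, append an EDNS0 OPT RR
    advertising that buffer size (the equivalent of `drill -b 2048`)."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set
    question = encode_name(name) + struct.pack("!HH", QTYPE_TXT, QCLASS_IN)
    opt = b""
    if edns_udp_size:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/flags, RDLEN=0
        opt = b"\x00" + struct.pack("!HHIH", QTYPE_OPT, edns_udp_size, 0, 0)
    return header + question + opt

def advertised_udp_size(query: bytes) -> int:
    """Return the buffer size a query advertises (512 if it carries no OPT RR)."""
    qdcount, arcount = struct.unpack("!HH", query[4:6] + query[10:12])
    pos = 12
    for _ in range(qdcount):                      # skip the question section
        while query[pos] != 0:
            pos += 1 + query[pos]
        pos += 1 + 4                              # null label + QTYPE/QCLASS
    if arcount and query[pos] == 0:               # OPT RR always has the root name
        rtype, size = struct.unpack("!HH", query[pos + 1:pos + 5])
        if rtype == QTYPE_OPT:
            return size
    return DNS_DEFAULT_UDP_SIZE

def response_is_truncated(response: bytes) -> bool:
    """True when the server set TC: the answer did not fit the buffer and must be
    re-fetched (TCP or larger EDNS0 size) instead of being reported as an error."""
    (flags,) = struct.unpack("!H", response[2:4])
    return bool(flags & TC_FLAG)

# Constructed sample: reply header with QR|TC|RD|RA set and no records attached.
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)

if __name__ == "__main__":
    q512 = build_txt_query("starbucks.com", edns_udp_size=None)
    q2048 = build_txt_query("starbucks.com")
    print(advertised_udp_size(q512), advertised_udp_size(q2048))   # 512 2048
    print(response_is_truncated(TRUNCATED_REPLY))                   # True
```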


----------



## cpm@ (Jul 23, 2017)

In your case, I would rebuild all the postfix-policyd-spf-perl dependencies. After updating all the Perl modules, it should probably work again.

`make -C /usr/ports/mail/postfix-policyd-spf-perl/ all-depends-list`

Would you mind posting your /var/log/maillog?

PS. You can also read this related problem:

https://www.unbound.net/pipermail/unbound-users/2017-January/004618.html


----------

