1

Topic: cron emails with errors arriving after installation

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.7.0
- Deployed with iRedMail Easy or the downloadable installer? download
- Linux/BSD distribution name and version: freebsd 14
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):
- Web server (Apache or Nginx): nginx
- Manage mail accounts with iRedAdmin-Pro? yes
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====
so there are various errors coming to my postmaster mailbox through Cron,

here is the first:

Cron <root@mail> /usr/local/bin/python3 /opt/iredapd/tools/spf_to_greylist_whitelists.py >/dev/null

Traceback (most recent call last):
  File "/opt/iredapd/tools/spf_to_greylist_whitelists.py", line 70, in <module>
    from libs import utils, dnsspf
  File "/opt/iredapd/tools/../libs/dnsspf.py", line 2, in <module>
    from dns import resolver
  File "/usr/local/lib/python3.11/site-packages/dns/resolver.py", line 30, in <module>
    import dns._ddr
  File "/usr/local/lib/python3.11/site-packages/dns/_ddr.py", line 12, in <module>
    import dns.nameserver
  File "/usr/local/lib/python3.11/site-packages/dns/nameserver.py", line 5, in <module>
    import dns.asyncquery
  File "/usr/local/lib/python3.11/site-packages/dns/asyncquery.py", line 32, in <module>
    import dns.quic
  File "/usr/local/lib/python3.11/site-packages/dns/quic/__init__.py", line 7, in <module>
    import aioquic.quic.configuration  # type: ignore
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/aioquic/quic/configuration.py", line 6, in <module>
    from ..tls import (
  File "/usr/local/lib/python3.11/site-packages/aioquic/tls.py", line 26, in <module>
    import service_identity
  File "/usr/local/lib/python3.11/site-packages/service_identity/__init__.py", line 6, in <module>
    from . import cryptography, hazmat, pyopenssl
  File "/usr/local/lib/python3.11/site-packages/service_identity/cryptography.py", line 11, in <module>
    from cryptography.x509 import (
  File "/usr/local/lib/python3.11/site-packages/cryptography/x509/__init__.py", line 7, in <module>
    from cryptography.x509 import certificate_transparency, verification
  File "/usr/local/lib/python3.11/site-packages/cryptography/x509/certificate_transparency.py", line 11, in <module>
    from cryptography.hazmat.bindings._rust import x509 as rust_x509
RuntimeError: OpenSSL 3.0's legacy provider failed to load. This is a fatal error by default, but cryptography supports running without legacy algorithms by setting the environment variable CRYPTOGRAPHY_OPENSSL_NO_LEGACY. If you did not expect this error, you have likely made a mistake with your OpenSSL configuration.

here is the second:

Cron <root@mail> /usr/local/bin/python3 /usr/local/www/iredadmin/tools/delete_mailboxes.py

* OpenSSL 3.0's legacy provider failed to load. This is a fatal error by default, but cryptography supports running without legacy algorithms by setting the environment variable CRYPTOGRAPHY_OPENSSL_NO_LEGACY. If you did not expect this error, you have likely made a mistake with your OpenSSL configuration.
Traceback (most recent call last):
  File "/usr/local/www/iredadmin/tools/delete_mailboxes.py", line 184, in <module>
    qr_mailboxes = conn_deleted_mailboxes.select('deleted_mailboxes', where=sql_where)
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
AttributeError: 'NoneType' object has no attribute 'select'

here is the third:

Cron <root@mail> /usr/local/bin/python3 /opt/iredapd/tools/cleanup_db.py >/dev/null

Traceback (most recent call last):
  File "/opt/iredapd/tools/cleanup_db.py", line 28, in <module>
    cleanup_sql_table(conn=conn_iredapd,
  File "/opt/iredapd/tools/../tools/__init__.py", line 89, in cleanup_sql_table
    _qr = conn.select(sql_table,
          ^^^^^^^^^^^
AttributeError: 'NoneType' object has no attribute 'select'


can anyone help me with this please?
thanks


2

Re: cron emails with errors arriving after installation

Will try to reproduce this issue later, thanks for the feedback and patience.

3

Re: cron emails with errors arriving after installation

I'm using iRedMail 1.7.1 OPENLDAP edition on FreeBSD 14.1-RELEASEp3 and I'm running into the same thing. I'm seeing 2 symptoms:

  • The same CRYPTOGRAPHY_OPENSSL_NO_LEGACY error messages.

  • When another system connects to me, I see this in /var/log/maillog:

Oct 19 17:06:21 mail postfix/smtpd[98613]: warning: TLS library problem: error:0A0000C1:SSL routines::no shared cipher:ssl/statem/statem_srvr.c:2221:
Oct 19 17:06:21 mail postfix/smtpd[98613]: lost connection after STARTTLS from system [x.x.x.x]

I am not convinced that they are the same issue, but I have some information. I think it is a compile time option for the openssl package. Here's what I did:

cd /usr/ports
sudo git pull # get ports up to date
cd /usr/ports/security/openssl
sudo make config
# Find the option labeled LEGACY, press space to make an X next to it, press Enter to commit
# This creates an option in /var/db/ports/security_openssl with the LEGACY turned on
sudo make clean
sudo make 
sudo make reinstall

Then I restarted relevant services (Postfix, amavisd, dovecot, iredapd). You could just reboot.

This got the CRYPTOGRAPHY_OPENSSL_NO_LEGACY messages to stop. I'm still seeing the no shared ciphers messages. I need to see what the other system is doing.

4 (edited by john.blue 2024-11-27 12:50:20)

Re: cron emails with errors arriving after installation

Regarding OP's first error ... this is really about python not being able to load QUIC for spf_to_greylist_whitelists.py:

File "/usr/local/lib/python3.11/site-packages/dns/quic/__init__.py", line 7, in <module>
    import aioquic.quic.configuration  # type: ignore

If you look at the __init__.py file referenced above there is this line:

if dns._features.have("doq"):

A quick look at the /usr/local/lib/python3.11/site-packages/dns/_features.py file yields a list of DNS protocols:

_requirements: Dict[str, List[str]] = {
    ### BEGIN generated requirements
    "dnssec": ["cryptography>=43"],
    "doh": ["httpcore>=1.0.0", "httpx>=0.26.0", "h2>=4.1.0"],
    "doq": ["aioquic>=1.0.0"],
    "idna": ["idna>=3.7"],
    "trio": ["trio>=0.23"],
    "wmi": ["wmi>=1.5.1"],
    ### END generated requirements
}

I personally could care less if DoQ exists because DoQ is just a different version of DoH.  And I do not like DoH.

In the absence of DoQ working as compiled with defaults, the question becomes do you want your iredmail server using QUIC?

The answer for me is easy: no.

Actually, a better question is how did DoQ get into the _features.py file for DNS in site-packages?

Regardless, commenting out the "doq" line in "/usr/local/lib/python3.11/site-packages/dns/_features.py" will eliminate this OpenSSL error.

Turning on legacy option in OpenSSL is, in my opinion, a misguided "solution".

Thoughts anyone?
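
The import chain traced by hand in the post above, extracted from the traceback text. This is an added example, not part of any post in this thread and not iRedMail or dnspython code; the sample input is constructed by abbreviating the first cron traceback, and the function names `import_chain` and `pulled_in_by` are hypothetical.

```python
import re

# Constructed sample: the first cron traceback from this thread, with some frames omitted.
SAMPLE = '''Traceback (most recent call last):
  File "/opt/iredapd/tools/spf_to_greylist_whitelists.py", line 70, in <module>
    from libs import utils, dnsspf
  File "/opt/iredapd/tools/../libs/dnsspf.py", line 2, in <module>
    from dns import resolver
  File "/usr/local/lib/python3.11/site-packages/dns/quic/__init__.py", line 7, in <module>
    import aioquic.quic.configuration  # type: ignore
  File "/usr/local/lib/python3.11/site-packages/aioquic/tls.py", line 26, in <module>
    import service_identity
  File "/usr/local/lib/python3.11/site-packages/service_identity/cryptography.py", line 11, in <module>
    from cryptography.x509 import (
  File "/usr/local/lib/python3.11/site-packages/cryptography/x509/__init__.py", line 7, in <module>
    from cryptography.x509 import certificate_transparency, verification
RuntimeError: OpenSSL 3.0's legacy provider failed to load.
'''

FRAME = re.compile(r'^\s*File "([^"]+)", line \d+, in .+$')
SITE_PKG = re.compile(r"/site-packages/([^/]+)")


def import_chain(tb_text):
    """Return (chain, error): the distinct owner of each frame in order, and the last exception line."""
    chain, error = [], None
    for line in tb_text.splitlines():
        frame = FRAME.match(line)
        if frame:
            path = frame.group(1)
            pkg = SITE_PKG.search(path)
            # Files outside site-packages are the application's own scripts.
            owner = pkg.group(1) if pkg else "app:" + path.rsplit("/", 1)[-1]
            if not chain or chain[-1] != owner:
                chain.append(owner)
        elif line[:1].strip() and ": " in line:
            error = line.strip()  # unindented "ExcType: message" line
    return chain, error


def pulled_in_by(chain, pkg):
    """Owner whose import led to pkg, or None if pkg is absent or first."""
    i = chain.index(pkg) if pkg in chain else 0
    return chain[i - 1] if i > 0 else None


if __name__ == "__main__":
    chain, error = import_chain(SAMPLE)
    print(" -> ".join(chain))
    print("aioquic pulled in by:", pulled_in_by(chain, "aioquic"))
    print(error)
```

Feeding it the full text of a cron mail gives the same chain, since consecutive frames from one package collapse into a single entry.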

5

Re: cron emails with errors arriving after installation

john.blue wrote:

In the absence of DoQ working as compiled with defaults, the question becomes do you want your iredmail server using QUIC?
The answer for me is easy: no.

iRedAPD relies on the dns module, but it requires "quic"...