------------------------------------------------------------ revno: 1724 fixes bug: https://launchpad.net/bugs/1722013 committer: Mark Sapiro <m...@msapiro.net> branch nick: 2.1 timestamp: Sat 2017-10-07 15:28:06 -0700 message: Improved DMARC testing for domains with DNSSEC validation problems. modified: Mailman/Utils.py NEWS
-- lp:mailman/2.1 https://code.launchpad.net/~mailman-coders/mailman/2.1 Your team Mailman Checkins is subscribed to branch lp:mailman/2.1. To unsubscribe from this branch go to https://code.launchpad.net/~mailman-coders/mailman/2.1/+edit-subscription
=== modified file 'Mailman/Utils.py' --- Mailman/Utils.py 2017-05-24 23:04:00 +0000 +++ Mailman/Utils.py 2017-10-07 22:28:06 +0000 @@ -1267,11 +1267,23 @@ txt_recs = resolver.query(dmarc_domain, dns.rdatatype.TXT) except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer): return 'continue' + except (dns.resolver.NoNameservers): + syslog('error', + 'DNSException: No Nameservers available for %s (%s)', + email, dmarc_domain) + # Typically this means a dnssec validation error. Clients that don't + # perform validation *may* successfully see a _dmarc RR whereas a + # validating mailman server wont see the _dmarc RR. We should mitigate + # this email to be safe. + return True except DNSException, e: syslog('error', 'DNSException: Unable to query DMARC policy for %s (%s). %s', - email, dmarc_domain, e.__doc__) - return 'continue' + email, dmarc_domain, e.__doc__) + # While we can't be sure what caused the error, there is potentially + # a DMARC policy record that we missed and that a receiver of the mail + # might see. Thus, we should err on the side of caution and mitigate. + return True else: # Be as robust as possible in parsing the result. results_by_name = {} === modified file 'NEWS' --- NEWS 2017-09-22 15:22:42 +0000 +++ NEWS 2017-10-07 22:28:06 +0000 @@ -16,7 +16,7 @@ - The admin Membership List now includes text for screen readers which identifies the function of each checkbox. CSS is added to the page to - visually hide the text but still allow screan readers to read it. + visually hide the text but still allow screen readers to read it. Similar text has been added to some radio buttons on the admindb pages. i18n @@ -26,6 +26,9 @@ Bug fixes and other patches + - Thanks to Jim Popovitch, certain failures in DNS lookups of DMARC policy + will now result in mitigations being applied. (LP: #1722013) + - The default DMARC reject reason now properly replaces %(listowner)s. (LP: #1718962)
_______________________________________________ Mailman-checkins mailing list Mailman-checkins@python.org Unsubscribe: https://mail.python.org/mailman/options/mailman-checkins/archive%40jab.org