------------------------------------------------------------
revno: 1724
fixes bug: https://launchpad.net/bugs/1722013
committer: Mark Sapiro <m...@msapiro.net>
branch nick: 2.1
timestamp: Sat 2017-10-07 15:28:06 -0700
message:
  Improved DMARC testing for domains with DNSSEC validation problems.
modified:
  Mailman/Utils.py
  NEWS


--
lp:mailman/2.1
https://code.launchpad.net/~mailman-coders/mailman/2.1

=== modified file 'Mailman/Utils.py'
--- Mailman/Utils.py	2017-05-24 23:04:00 +0000
+++ Mailman/Utils.py	2017-10-07 22:28:06 +0000
@@ -1267,11 +1267,23 @@
         txt_recs = resolver.query(dmarc_domain, dns.rdatatype.TXT)
     except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
         return 'continue'
+    except (dns.resolver.NoNameservers):
+        syslog('error',
+               'DNSException: No Nameservers available for %s (%s)',
+               email, dmarc_domain)
+        # Typically this means a dnssec validation error.  Clients that don't
+        # perform validation *may* successfully see a _dmarc RR whereas a
+        # validating mailman server wont see the _dmarc RR.  We should mitigate
+        # this email to be safe.
+        return True
     except DNSException, e:
         syslog('error',
                'DNSException: Unable to query DMARC policy for %s (%s). %s',
-              email, dmarc_domain, e.__doc__)
-        return 'continue'
+               email, dmarc_domain, e.__doc__)
+        # While we can't be sure what caused the error, there is potentially
+        # a DMARC policy record that we missed and that a receiver of the mail
+        # might see.  Thus, we should err on the side of caution and mitigate.
+        return True
     else:
         # Be as robust as possible in parsing the result.
         results_by_name = {}
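
Review bot: The new "except (dns.resolver.NoNameservers):" branch does not bind the exception, so its log line records only the address and domain and drops the resolver's own detail. Neither that message nor the one under "except DNSException, e:" says that the function now returns True and the post will be mitigated. Both branches now fail closed on any lookup error, which would include transient resolver failures, so consider binding the exception and stating the outcome in both log messages. That lets an operator tell from the error log why a post with no visible DMARC policy was mitigated. Minor: the parentheses around the single exception class are unnecessary, and "wont" in the comment should be "won't".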

=== modified file 'NEWS'
--- NEWS	2017-09-22 15:22:42 +0000
+++ NEWS	2017-10-07 22:28:06 +0000
@@ -16,7 +16,7 @@
 
     - The admin Membership List now includes text for screen readers which
       identifies the function of each checkbox.  CSS is added to the page to
-      visually hide the text but still allow screan readers to read it.
+      visually hide the text but still allow screen readers to read it.
       Similar text has been added to some radio buttons on the admindb pages.
 
   i18n
@@ -26,6 +26,9 @@
 
   Bug fixes and other patches
 
+    - Thanks to Jim Popovitch, certain failures in DNS lookups of DMARC policy
+      will now result in mitigations being applied.  (LP: #1722013)
+
     - The default DMARC reject reason now properly replaces %(listowner)s.
       (LP: #1718962)
 
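
Review bot: "certain failures in DNS lookups" in the added NEWS entry understates the change. Per the Utils.py hunk, NoNameservers and every other DNSException now lead to mitigation, and only NXDOMAIN and NoAnswer still return 'continue'. Suggest naming those cases in the entry so list owners know that a failed DMARC lookup, not only a published policy, can now trigger the mitigation.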
