On 5/27/20 1:32 AM, Lars Bjørndal wrote:
> Hello
> 
> One member of a mailman mailing list on my system receives an error
> message when posting to the list:
> 
>   You are not allowed to post to this mailing list From: a domain which
>   publishes a DMARC policy of reject or quarantine, and your message has been
>   automatically rejected.  If you think that your messages are being rejected
>   in error, contact the mailing list owner at nssf-styre-ow...@nssf.us.


The list is configured with dmarc_moderation_action = Reject. I suspect
you know that.


> In /var/log/mailman/error, I have:
> 
>   DNSException: No Nameservers available for
>   usern...@blindeforbundet.no (_dmarc.blindeforbundet.no)
> 
> There is no DMARC policy published for the domain.


The attempt to retrieve the policy at _dmarc.blindeforbundet.no via
Python's dns.resolver.Resolver().query raised
dns.resolver.NoNameservers.  We say this in comments:

# Typically this means a dnssec validation error.  Clients that don't
# perform validation *may* successfully see a _dmarc RR whereas a
# validating mailman server won't see the _dmarc RR.  We should
# mitigate this email to be safe.


I.e., in the face of uncertainty, we choose to err on the side of
applying unneeded mitigation rather than not applying a needed mitigation.

> I'm running mailman-2.1.30-1.fc31.x86_64 on a Fedora 31 server.
> 
> I hope someone on this list can help me figure out what's going on, and
> hopefully a fix.


The first question is why is this query raising
dns.resolver.NoNameservers. I've tried this from a couple of different
servers:

import dns.resolver
import dns.rdatatype
from dns.exception import DNSException

# Query the TXT record at the domain's _dmarc name.
resolver = dns.resolver.Resolver()
txt_recs = resolver.query('_dmarc.blindeforbundet.no', dns.rdatatype.TXT)

and in both cases, I get

raise NXDOMAIN(qnames=qnames_to_try, responses=nxdomain_responses)
dns.resolver.NXDOMAIN: None of DNS query names exist:
_dmarc.blindeforbundet.no., ...

I.e. the expected response when there is no record for
_dmarc.blindeforbundet.no.

If this is a persistent error, there may be an issue with the way your
server does DNS lookups.

You could avoid this in a couple of ways.

1) Change the list's dmarc_moderation_action to Wrap Message.
or
2) Patch Mailman to not mitigate on this exception.

To do the latter, find the `except (dns.resolver.NoNameservers):` clause
at line 1322 in Mailman/Utils.py and change the return at the end of
that clause from `return True` to `return False`.

-- 
Mark Sapiro <m...@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
------------------------------------------------------
Mailman-Users mailing list -- mailman-users@python.org
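
Added example (not part of the original message and not Mailman's own code): a simplified sketch of the decision discussed above, where NXDOMAIN means "no policy published" and NoNameservers means "policy unknown". The exception classes are stand-ins named after the dnspython ones so the block runs without dnspython; should_mitigate, its fail_closed flag, the lookup callable and the sample domains are all hypothetical.

```python
# Stand-ins for dns.resolver.NXDOMAIN / NoAnswer / NoNameservers (assumption:
# defined locally so this sketch runs offline without dnspython installed).
class NXDOMAIN(Exception): pass
class NoAnswer(Exception): pass
class NoNameservers(Exception): pass

def parse_dmarc_policy(txt_records):
    """Return the p= value of the first v=DMARC1 record, or None."""
    for rec in txt_records:
        tags = {}
        for part in rec.split(';'):
            if '=' in part:
                key, value = part.split('=', 1)
                tags[key.strip().lower()] = value.strip()
        if tags.get('v') == 'DMARC1':
            return tags.get('p', '').lower() or None
    return None

def should_mitigate(domain, lookup, fail_closed=True):
    """Decide whether to apply the list's DMARC action for a From: domain.

    lookup(name) returns a list of TXT strings or raises one of the
    exceptions above. fail_closed=True corresponds to `return True` in the
    NoNameservers clause; fail_closed=False to the `return False` patch.
    """
    try:
        records = lookup('_dmarc.' + domain)
    except (NXDOMAIN, NoAnswer):
        return False, 'no DMARC record published'
    except NoNameservers:
        # The resolver could not get an answer, so the policy is unknown.
        return fail_closed, 'lookup failed, policy unknown'
    policy = parse_dmarc_policy(records)
    if policy in ('reject', 'quarantine'):
        return True, 'p=' + policy
    return False, 'no reject/quarantine policy'

# Constructed sample data standing in for DNS answers.
SAMPLE = {
    '_dmarc.strict.example': ['v=DMARC1; p=reject; rua=mailto:d@strict.example'],
    '_dmarc.none.example': ['v=DMARC1; p=none'],
    '_dmarc.broken.example': NoNameservers('all nameservers failed'),
}

def sample_lookup(name):
    result = SAMPLE.get(name, NXDOMAIN(name))
    if isinstance(result, Exception):
        raise result
    return result
```
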