Re: [Mailman-Users] Manually treat certain domains as if they have restrictive DMARC policy

[Mark Sapiro]

On 1/29/19 6:55 AM, David Gibbs via Mailman-Users wrote:
> 
> I'm by no means a Python expert (far from it), but I hacked this
> together...
> 
> === modified file 'Mailman/Defaults.py.in'
> --- Mailman/Defaults.py.in  2018-07-12 03:14:02 +
> +++ Mailman/Defaults.py.in  2019-01-29 14:27:59 +
> @@ -145,6 +145,11 @@
>  # GLOBAL_BAN_LIST = ['xxx@aol\.com', '^yyy.*@gmail\.com$']
>  GLOBAL_BAN_LIST = []
> 
> +# Installation wide DMARC list.  This is a list of email addresses and
> +# regexp patterns (beginning with ^) that will be treated as if they
> +# have a restrictive DMARC policy. Same examples as GLOBAL_BAN_LIST
> +GLOBAL_DMARC_LIST = []
> +
>  # If the following is set to Yes, and a web subscribe comes from an IPv4
>  # address and the IP is listed in Spamhaus SBL, CSS or XBL, the subscription
>  # will be blocked.  It will work with IPv6 addresses if Python's 
> py2-ipaddress


The above is good, but you will have to run 'configure' with appropriate
options to propagate that to Defaults.py and then add your actual list
by setting GLOBAL_DMARC_LIST in mm_cfg.py.


> === modified file 'Mailman/Handlers/SpamDetect.py'
> --- Mailman/Handlers/SpamDetect.py  2018-12-01 04:13:12 +
> +++ Mailman/Handlers/SpamDetect.py  2019-01-29 14:24:26 +
> @@ -110,6 +110,7 @@
>  dn, addr = parseaddr(msg.get('from'))
>  if addr and mlist.dmarc_moderation_action > 0:
>  if (mlist.GetPattern(addr, mlist.dmarc_moderation_addresses) or
> +    mlist.getPattern(addr, mm_cfg.GLOBAL_DMARC_LIST) or

GetPattern, not getPattern. Otherwise good.

>  Utils.IsDMARCProhibited(mlist, addr)):
>  # Note that for dmarc_moderation_action, 0 = Accept,
>  #    1 = Munge, 2 = Wrap, 3 = Reject, 4 = Discard
> 


-- 
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, Californiabetter use your sense - B. Dylan
--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Re: [Mailman-Users] Manually treat certain domains as if they have restrictive DMARC policy

[David Gibbs via Mailman-Users]

On 1/29/2019 12:13 AM, Mark Sapiro wrote:

Also, Adding a global setting for dmarc_moderation_addresses on top of
the per-list setting is not difficult either. See

for how this was done for a global ban_list.


I'm by no means a Python expert (far from it), but I hacked this together...

=== modified file 'Mailman/Defaults.py.in'
--- Mailman/Defaults.py.in  2018-07-12 03:14:02 +
+++ Mailman/Defaults.py.in  2019-01-29 14:27:59 +
@@ -145,6 +145,11 @@
 # GLOBAL_BAN_LIST = ['xxx@aol\.com', '^yyy.*@gmail\.com$']
 GLOBAL_BAN_LIST = []

+# Installation wide DMARC list.  This is a list of email addresses and
+# regexp patterns (beginning with ^) that will be treated as if they
+# have a restrictive DMARC policy. Same examples as GLOBAL_BAN_LIST
+GLOBAL_DMARC_LIST = []
+
 # If the following is set to Yes, and a web subscribe comes from an IPv4
 # address and the IP is listed in Spamhaus SBL, CSS or XBL, the subscription
 # will be blocked.  It will work with IPv6 addresses if Python's py2-ipaddress

=== modified file 'Mailman/Handlers/SpamDetect.py'
--- Mailman/Handlers/SpamDetect.py  2018-12-01 04:13:12 +
+++ Mailman/Handlers/SpamDetect.py  2019-01-29 14:24:26 +
@@ -110,6 +110,7 @@
 dn, addr = parseaddr(msg.get('from'))
 if addr and mlist.dmarc_moderation_action > 0:
 if (mlist.GetPattern(addr, mlist.dmarc_moderation_addresses) or
+mlist.getPattern(addr, mm_cfg.GLOBAL_DMARC_LIST) or
 Utils.IsDMARCProhibited(mlist, addr)):
 # Note that for dmarc_moderation_action, 0 = Accept,
 #1 = Munge, 2 = Wrap, 3 = Reject, 4 = Discard





--
IBM i on Power Systems: For when you can't afford to be out of business!

I'm riding 615 miles (Yes, you read that right) in the American Diabetes 
Association's Tour de Cure to raise money for diabetes research, education, 
advocacy, and awareness.  You can make a tax-deductible donation to my ride by 
visiting https://gmane.diabetessucks.net.

You can see where my donations come from by visiting my interactive donation 
map ... https://gmane.diabetessucks.net/map (it's a geeky thing).

I may have diabetes, but diabetes doesn't have me!

--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Re: [Mailman-Users] Manually treat certain domains as if they have restrictive DMARC policy

[Mark Sapiro]

On 1/28/19 8:46 PM, Stephen J. Turnbull wrote:
> David Gibbs via Mailman-Users writes:
>  > 
>  > That's close to what I want ... the only issue is that I'm looking for the 
>  > behavior to be site wide not on a per-list basis.
> 
> I would guess that it wouldn't be hard to write a script for Mailman 2
> using mailman/bin/withlist to do the updates.


As Steve says, a withlist script to update all lists is not at all complex.

Also, Adding a global setting for dmarc_moderation_addresses on top of
the per-list setting is not difficult either. See

for how this was done for a global ban_list.

-- 
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, Californiabetter use your sense - B. Dylan
--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Re: [Mailman-Users] Manually treat certain domains as if they have restrictive DMARC policy

[Stephen J. Turnbull]

David Gibbs via Mailman-Users writes:
 > On 1/28/19 2:25 PM, Mark Sapiro wrote:
 > > List of addresses (or regexps) whose posts should always apply 
 > > dmarc_moderation_action regardless of any domain specific DMARC Policy.
 > 
 > That's close to what I want ... the only issue is that I'm looking for the 
 > behavior to be site wide not on a per-list basis.

Unfortunately, that's a fundamental problem with Mailman 2's web admin
design; it doesn't know about sites, only about lists, with the
(single) site being implicit.  This is addressed in Mailman 3.

I would guess that it wouldn't be hard to write a script for Mailman 2
using mailman/bin/withlist to do the updates.

Steve

--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Re: [Mailman-Users] Manually treat certain domains as if they have restrictive DMARC policy

[David Gibbs via Mailman-Users]

On 1/28/19 2:25 PM, Mark Sapiro wrote:
List of addresses (or regexps) whose posts should always apply 
dmarc_moderation_action regardless of any domain specific DMARC Policy.


That's close to what I want ... the only issue is that I'm looking for the 
behavior to be site wide not on a per-list basis.


david


--
IBM i on Power Systems: For when you can't afford to be out of business!

I'm riding 615 miles (Yes, you read that right) in the American Diabetes
Association's Tour de Cure to raise money for diabetes research, education,
advocacy, and awareness.  You can make a tax-deductible donation to my ride by
visiting https://gmane.diabetessucks.net.

You can see where my donations come from by visiting my interactive donation map
... https://gmane.diabetessucks.net/map (it's a geeky thing).

I may have diabetes, but diabetes doesn't have me!

--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Re: [Mailman-Users] Manually treat certain domains as if they have restrictive DMARC policy

[Mark Sapiro]

On 1/28/19 11:54 AM, David Gibbs via Mailman-Users wrote:
> 
> To resolve this, I'm thinking of creating a flat file of domains that
> are causing this problem ... then modifying the _DMARCProhibited
> routine, in Utils.py, to read the flat file and treat domains found in
> that file as if they had a DMARC policy set to reject.
> 
> Do you think that will work ... or am I completely off base?  Perhaps
> there's already a mechanism in MM 2.1 that would do what I want (hopeful
> grin)?


The current development branch at
 contains

which implements 'dmarc_moderation_addresses which is:

List of addresses (or regexps) whose posts should always apply
dmarc_moderation_action regardless of any domain specific DMARC Policy.

The intent of this feature is (almost) exactly your situation. We say
this about it.

 This can be utilized to automatically wrap or munge postings from known
addresses or domains that might have policies rejecting external mail
From: themselves.

This feature will be in the next release (no planned date yet) or you
can get it now from launchpad.

-- 
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, Californiabetter use your sense - B. Dylan
--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Re: [Mailman-Users] Manually treat certain domains as if they have restrictive DMARC policy

[Christian F Buser via Mailman-Users]

Hello David Gibbs via Mailman-Users. On Mon, 28 Jan 2019 13:54:21 -0600, you 
wrote:

> I've got a number of subscribers who's email admins have set a policy 
> such that, if a message is sent to them with their email address as 
> the 'from' address, the message is rejected.
> 
> This is causing those peoples posts to bounce ... and, ultimately, 
> they get unsubscribed.

This mail server setup / filter is nonsense. I usually send a Bcc of all my 
messages to myself to "simulate" IMAP while using POP3. 

My simple "solution" would be:

- They should subscribe twice, with one address to receive the list mails, with 
the other to send their messages to the list. 
- They should set the "sending" mail address to "silent" (i.e. "no mail") 
- They should maybe use a mail program which allows to automatically reply from 
the other address if they want to reply to a list message. This would eliminate 
problems if they forget about it (what would be the case for me most of the 
time). 

Christian 
-- 
Christian F. Buser, Hohle Gasse 6, CH-5507 Mellingen (Switzerland)  
Hilfe fuer Strassenkinder in Ghana: http://www.chance-for-children.org
--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org

[Mailman-Users] Manually treat certain domains as if they have restrictive DMARC policy

[David Gibbs via Mailman-Users]

Folks:

I've got a number of subscribers who's email admins have set a policy such that, 
if a message is sent to them with their email address as the 'from' address, the 
message is rejected.


This is causing those peoples posts to bounce ... and, ultimately, they get 
unsubscribed.


Although the BEST course of action would be for the mail admin's to alter their 
spam filters or implement DMARC policies, that's a bit much to ask for.


To resolve this, I'm thinking of creating a flat file of domains that are 
causing this problem ... then modifying the _DMARCProhibited routine, in 
Utils.py, to read the flat file and treat domains found in that file as if they 
had a DMARC policy set to reject.


Do you think that will work ... or am I completely off base?  Perhaps there's 
already a mechanism in MM 2.1 that would do what I want (hopeful grin)?


david

--
IBM i on Power Systems: For when you can't afford to be out of business!

I'm riding 615 miles (Yes, you read that right) in the American Diabetes 
Association's Tour de Cure to raise money for diabetes research, education, 
advocacy, and awareness.  You can make a tax-deductible donation to my ride by 
visiting https://gmane.diabetessucks.net.


You can see where my donations come from by visiting my interactive donation map 
... https://gmane.diabetessucks.net/map (it's a geeky thing).


I may have diabetes, but diabetes doesn't have me!

--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org