aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMark Sapiro <mark@msapiro.net>2016-04-09 15:43:47 -0700
committerMark Sapiro <mark@msapiro.net>2016-04-09 15:43:47 -0700
commit325a8d245275d421094f71eb026801a0bc1b8a5f (patch)
tree1c41ac031c5945bf0b9aa4d5475ef8d03663cde1
parent93f11f1a9b9e6f2f1251b1efb75131e0c9839029 (diff)
downloadmailman2-325a8d245275d421094f71eb026801a0bc1b8a5f.tar.gz
mailman2-325a8d245275d421094f71eb026801a0bc1b8a5f.tar.xz
mailman2-325a8d245275d421094f71eb026801a0bc1b8a5f.zip
Honor an organizational domain's DMARC sp= policy for sub-domains.
Diffstat (limited to '')
-rw-r--r--Mailman/Utils.py19
-rw-r--r--NEWS3
2 files changed, 17 insertions, 5 deletions
diff --git a/Mailman/Utils.py b/Mailman/Utils.py
index 37336e0d..f6cf607e 100644
--- a/Mailman/Utils.py
+++ b/Mailman/Utils.py
@@ -1250,12 +1250,12 @@ def IsDMARCProhibited(mlist, email):
return x
o_dom = get_org_dom(f_dom)
if o_dom != f_dom:
- x = _DMARCProhibited(mlist, email, '_dmarc.' + o_dom)
+ x = _DMARCProhibited(mlist, email, '_dmarc.' + o_dom, org=True)
if x != 'continue':
return x
return False
-def _DMARCProhibited(mlist, email, dmarc_domain):
+def _DMARCProhibited(mlist, email, dmarc_domain, org=False):
try:
resolver = dns.resolver.Resolver()
@@ -1315,14 +1315,23 @@ def _DMARCProhibited(mlist, email, dmarc_domain):
testing them all""",
dmarc_domain, len(dmarc))
for entry in dmarcs:
- if re.search(r'\bp=reject\b', entry, re.IGNORECASE):
+ mo = re.search(r'\bsp=(\w*)\b', entry, re.IGNORECASE)
+ if org and mo:
+ policy = mo.group(1).lower()
+ else:
+ mo = re.search(r'\bp=(\w*)\b', entry, re.IGNORECASE)
+ if mo:
+ policy = mo.group(1).lower()
+ else:
+ continue
+ if policy == 'reject':
syslog('vette',
'%s: DMARC lookup for %s (%s) found p=reject in %s = %s',
mlist.real_name, email, dmarc_domain, name, entry)
return True
if (mlist.dmarc_quarantine_moderation_action and
- re.search(r'\bp=quarantine\b', entry, re.IGNORECASE)):
+ policy == 'quarantine'):
syslog('vette',
'%s: DMARC lookup for %s (%s) found p=quarantine in %s = %s',
mlist.real_name, email, dmarc_domain, name, entry)
@@ -1331,7 +1340,7 @@ def _DMARCProhibited(mlist, email, dmarc_domain):
if (mlist.dmarc_none_moderation_action and
mlist.dmarc_quarantine_moderation_action and
mlist.dmarc_moderation_action in (1, 2) and
- re.search(r'\bp=none\b', entry, re.IGNORECASE)):
+ policy == 'none'):
syslog('vette',
'%s: DMARC lookup for %s (%s) found p=none in %s = %s',
mlist.real_name, email, dmarc_domain, name, entry)
diff --git a/NEWS b/NEWS
index 2ebf3246..5deb83cc 100644
--- a/NEWS
+++ b/NEWS
@@ -19,6 +19,9 @@ Here is a history of user visible changes to Mailman.
Bug fixes and other patches
+ - DMARC mitigations for a sub-domain of an organizational domain will now
+ use the organizational domain's sp= policy if any. (LP: #1568398)
+
- Modified NewsRunner.py to ensure that messages gated to Usenet have a
non-blank Subject: header and when munging the Message-ID to add the
original to References: to help with threading. (LP: #557955)