More fine tuning of dmarc_moderation_action.

4 files changed, 23 insertions, 10 deletions

diff --git a/Mailman/Defaults.py.in b/Mailman/Defaults.py.in
index c04ba8fa..07c7a726 100755
--- a/Mailman/Defaults.py.in
+++ b/Mailman/Defaults.py.in
@@ -1074,6 +1074,14 @@ DMARC_QUARANTINE_MODERATION_ACTION = Yes
 # 4 = Discard
 DEFAULT_DMARC_MODERATION_ACTION = 0
 
+# Parameters for DMARC DNS lookups. If you are seeing 'DNSException:
+# Unable to query DMARC policy ...' entries in your error log, you may need
+# to adjust these.
+# The time to wait for a response from a name server before timeout.
+DMARC_RESOLVER_TIMEOUT = seconds(3)
+# The total time to spend trying to get an answer to the question.
+DMARC_RESOLVER_LIFETIME = seconds(5)
+
 # What shold happen to non-member posts which are do not match explicit
 # non-member actions?
 # 0 = Accept
diff --git a/Mailman/Handlers/Moderate.py b/Mailman/Handlers/Moderate.py
index 56acb4e4..55f5da21 100644
--- a/Mailman/Handlers/Moderate.py
+++ b/Mailman/Handlers/Moderate.py
@@ -50,10 +50,10 @@ class ModeratedMemberPost(Hold.ModeratedPost):
 def process(mlist, msg, msgdata):
     if msgdata.get('approved'):
         return
-    # Before anything else, check DMARC.
+    # Before anything else, check DMARC if necessary.
     msgdata['from_is_list'] = 0
     dn, addr = parseaddr(msg.get('from'))
-    if addr:
+    if addr and mlist.dmarc_moderation_action > 0:
         if Utils.IsDMARCProhibited(addr):
             # Note that for dmarc_moderation_action, 0 = Accept, 
             #    1 = Munge, 2 = Wrap, 3 = Reject, 4 = Discard
diff --git a/Mailman/Utils.py b/Mailman/Utils.py
index d62de364..eab085a8 100644
--- a/Mailman/Utils.py
+++ b/Mailman/Utils.py
@@ -1080,8 +1080,8 @@ def IsDMARCProhibited(email):
 
     try:
         resolver = dns.resolver.Resolver()
-        resolver.timeout = 3
-        resolver.lifetime = 5
+        resolver.timeout = float(mm_cfg.DMARC_RESOLVER_TIMEOUT)
+        resolver.lifetime = float(mm_cfg.DMARC_RESOLVER_LIFETIME)
         txt_recs = resolver.query(dmarc_domain, dns.rdatatype.TXT)
     except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
         return False
@@ -1137,16 +1137,16 @@ def IsDMARCProhibited(email):
                         dmarc_domain, len(dmarc))
             for entry in dmarcs:
                 if re.search(r'\bp=reject\b', entry, re.IGNORECASE):
-#                   syslog('info',
-#                       'DMARC lookup for %s (%s) found p=reject in %s = %s',
-#                       email, dmarc_domain, name, entry)
+                    syslog('vette',
+                        'DMARC lookup for %s (%s) found p=reject in %s = %s',
+                        email, dmarc_domain, name, entry)
                     return True
 
                 if (mm_cfg.DMARC_QUARANTINE_MODERATION_ACTION and
                     re.search(r'\bp=quarantine\b', entry, re.IGNORECASE)):
-#                   syslog('info',
-#                     'DMARC lookup for %s (%s) found p=quarantine in %s = %s',
-#                           email, dmarc_domain, name, entry)
+                    syslog('vette',
+                      'DMARC lookup for %s (%s) found p=quarantine in %s = %s',
+                            email, dmarc_domain, name, entry)
                     return True
 
     return False
diff --git a/NEWS b/NEWS
index 0dcc360c..04ec2788 100755
--- a/NEWS
+++ b/NEWS
@@ -38,6 +38,11 @@ Here is a history of user visible changes to Mailman.
       dmarc_moderation_action applies to that message.  Otherwise the
       from_is_list action applies.
 
+      Also associated with dmarc_moderation_action are configuration settings
+      DMARC_RESOLVER_TIMEOUT and DMARC_RESOLVER_LIFETIME. These are described
+      in more detail in Defaults.py.  There are also new vette log entries
+      written when dmarc_moderation_action is found to apply to a post.
+
   i18n
 
     - Added missing <mm-digest-question-start> tag to French listinfo template.