diff options
| author | Mark Sapiro <mark@msapiro.net> | 2017-10-07 15:28:06 -0700 |
|---|---|---|
| committer | Mark Sapiro <mark@msapiro.net> | 2017-10-07 15:28:06 -0700 |
| commit | a04f3a2976940022009c154fe0400fb8464b014c (patch) | |
| tree | a67dbf53cc6e1a82439e6fe9e62a3c5b5f244fbd | |
| parent | f48f75cccf27cdd098cb5c5e0f8c063361f80c1e (diff) | |
| download | mailman2-a04f3a2976940022009c154fe0400fb8464b014c.tar.gz mailman2-a04f3a2976940022009c154fe0400fb8464b014c.tar.xz mailman2-a04f3a2976940022009c154fe0400fb8464b014c.zip | |
Improved DMARC testing for domains with DNSSEC validation problems.
| -rw-r--r-- | Mailman/Utils.py | 16 | ||||
| -rw-r--r-- | NEWS | 5 |
2 files changed, 18 insertions, 3 deletions
diff --git a/Mailman/Utils.py b/Mailman/Utils.py index 75481563..9c366352 100644 --- a/Mailman/Utils.py +++ b/Mailman/Utils.py @@ -1267,11 +1267,23 @@ def _DMARCProhibited(mlist, email, dmarc_domain, org=False): txt_recs = resolver.query(dmarc_domain, dns.rdatatype.TXT) except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer): return 'continue' + except (dns.resolver.NoNameservers): + syslog('error', + 'DNSException: No Nameservers available for %s (%s)', + email, dmarc_domain) + # Typically this means a dnssec validation error. Clients that don't + # perform validation *may* successfully see a _dmarc RR whereas a + # validating mailman server wont see the _dmarc RR. We should mitigate + # this email to be safe. + return True except DNSException, e: syslog('error', 'DNSException: Unable to query DMARC policy for %s (%s). %s', - email, dmarc_domain, e.__doc__) - return 'continue' + email, dmarc_domain, e.__doc__) + # While we can't be sure what caused the error, there is potentially + # a DMARC policy record that we missed and that a receiver of the mail + # might see. Thus, we should err on the side of caution and mitigate. + return True else: # Be as robust as possible in parsing the result. results_by_name = {} @@ -16,7 +16,7 @@ Here is a history of user visible changes to Mailman. - The admin Membership List now includes text for screen readers which identifies the function of each checkbox. CSS is added to the page to - visually hide the text but still allow screan readers to read it. + visually hide the text but still allow screen readers to read it. Similar text has been added to some radio buttons on the admindb pages. i18n @@ -26,6 +26,9 @@ Here is a history of user visible changes to Mailman. Bug fixes and other patches + - Thanks to Jim Popovitch, certain failures in DNS lookups of DMARC policy + will now result in mitigations being applied. (LP: #1722013) + - The default DMARC reject reason now properly replaces %(listowner)s. (LP: #1718962) |