aboutsummaryrefslogtreecommitdiffstats
path: root/Mailman
diff options
context:
space:
mode:
authorMark Sapiro <mark@msapiro.net>2017-10-07 15:28:06 -0700
committerMark Sapiro <mark@msapiro.net>2017-10-07 15:28:06 -0700
commita04f3a2976940022009c154fe0400fb8464b014c (patch)
treea67dbf53cc6e1a82439e6fe9e62a3c5b5f244fbd /Mailman
parentf48f75cccf27cdd098cb5c5e0f8c063361f80c1e (diff)
downloadmailman2-a04f3a2976940022009c154fe0400fb8464b014c.tar.gz
mailman2-a04f3a2976940022009c154fe0400fb8464b014c.tar.xz
mailman2-a04f3a2976940022009c154fe0400fb8464b014c.zip
Improved DMARC testing for domains with DNSSEC validation problems.
Diffstat (limited to 'Mailman')
-rw-r--r--Mailman/Utils.py16
1 files changed, 14 insertions, 2 deletions
diff --git a/Mailman/Utils.py b/Mailman/Utils.py
index 75481563..9c366352 100644
--- a/Mailman/Utils.py
+++ b/Mailman/Utils.py
@@ -1267,11 +1267,23 @@ def _DMARCProhibited(mlist, email, dmarc_domain, org=False):
txt_recs = resolver.query(dmarc_domain, dns.rdatatype.TXT)
except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
return 'continue'
+ except (dns.resolver.NoNameservers):
+ syslog('error',
+ 'DNSException: No Nameservers available for %s (%s)',
+ email, dmarc_domain)
+ # Typically this means a dnssec validation error. Clients that don't
+ # perform validation *may* successfully see a _dmarc RR whereas a
+ # validating mailman server wont see the _dmarc RR. We should mitigate
+ # this email to be safe.
+ return True
except DNSException, e:
syslog('error',
'DNSException: Unable to query DMARC policy for %s (%s). %s',
- email, dmarc_domain, e.__doc__)
- return 'continue'
+ email, dmarc_domain, e.__doc__)
+ # While we can't be sure what caused the error, there is potentially
+ # a DMARC policy record that we missed and that a receiver of the mail
+ # might see. Thus, we should err on the side of caution and mitigate.
+ return True
else:
# Be as robust as possible in parsing the result.
results_by_name = {}