From 094580a732b2b7f66c09cde3739421452db481fa Mon Sep 17 00:00:00 2001
From: Mark Sapiro
Date: Fri, 2 May 2014 11:42:09 -0700
Subject: More fine tuning of dmarc_moderation_action.
---
 Mailman/Defaults.py.in | 8 ++++++++
 Mailman/Handlers/Moderate.py | 4 ++--
 Mailman/Utils.py | 16 ++++++++--------
 NEWS | 5 +++++
 4 files changed, 23 insertions(+), 10 deletions(-)
diff --git a/Mailman/Defaults.py.in b/Mailman/Defaults.py.in
index c04ba8fa..07c7a726 100755
--- a/Mailman/Defaults.py.in
+++ b/Mailman/Defaults.py.in
@@ -1074,6 +1074,14 @@ DMARC_QUARANTINE_MODERATION_ACTION = Yes
 # 4 = Discard
 DEFAULT_DMARC_MODERATION_ACTION = 0
+# Parameters for DMARC DNS lookups. If you are seeing 'DNSException:
+# Unable to query DMARC policy ...' entries in your error log, you may need
+# to adjust these.
+# The time to wait for a response from a name server before timeout.
+DMARC_RESOLVER_TIMEOUT = seconds(3)
+# The total time to spend trying to get an answer to the question.
+DMARC_RESOLVER_LIFETIME = seconds(5)
+
 # What shold happen to non-member posts which are do not match explicit
 # non-member actions?
 # 0 = Accept
diff --git a/Mailman/Handlers/Moderate.py b/Mailman/Handlers/Moderate.py
index 56acb4e4..55f5da21 100644
--- a/Mailman/Handlers/Moderate.py
+++ b/Mailman/Handlers/Moderate.py
@@ -50,10 +50,10 @@ class ModeratedMemberPost(Hold.ModeratedPost):
 def process(mlist, msg, msgdata):
 if msgdata.get('approved'):
 return
- # Before anything else, check DMARC.
+ # Before anything else, check DMARC if necessary.
 msgdata['from_is_list'] = 0
 dn, addr = parseaddr(msg.get('from'))
- if addr:
+ if addr and mlist.dmarc_moderation_action > 0:
 if Utils.IsDMARCProhibited(addr):
 # Note that for dmarc_moderation_action, 0 = Accept,
 # 1 = Munge, 2 = Wrap, 3 = Reject, 4 = Discard
diff --git a/Mailman/Utils.py b/Mailman/Utils.py
index d62de364..eab085a8 100644
--- a/Mailman/Utils.py
+++ b/Mailman/Utils.py
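Review bot: In Mailman/Handlers/Moderate.py, the reworded comment above the new `if addr and mlist.dmarc_moderation_action > 0:` test says "if necessary" without saying when that is. A comment such as `# Check DMARC first, but only when dmarc_moderation_action is not 0 (Accept), so lists that take no DMARC action skip the DNS lookup.` would state the condition directly. That reading of the intent is inferred from the value list in the comment below it, and process() continues past the end of this hunk, so it should be confirmed against the rest of the body.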
@@ -1080,8 +1080,8 @@ def IsDMARCProhibited(email):
 try:
 resolver = dns.resolver.Resolver()
- resolver.timeout = 3
- resolver.lifetime = 5
+ resolver.timeout = float(mm_cfg.DMARC_RESOLVER_TIMEOUT)
+ resolver.lifetime = float(mm_cfg.DMARC_RESOLVER_LIFETIME)
 txt_recs = resolver.query(dmarc_domain, dns.rdatatype.TXT)
 except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
 return False
@@ -1137,16 +1137,16 @@ def IsDMARCProhibited(email):
 dmarc_domain, len(dmarc))
 for entry in dmarcs:
 if re.search(r'\bp=reject\b', entry, re.IGNORECASE):
-# syslog('info',
-# 'DMARC lookup for %s (%s) found p=reject in %s = %s',
-# email, dmarc_domain, name, entry)
+ syslog('vette',
+ 'DMARC lookup for %s (%s) found p=reject in %s = %s',
+ email, dmarc_domain, name, entry)
 return True
 if (mm_cfg.DMARC_QUARANTINE_MODERATION_ACTION and
 re.search(r'\bp=quarantine\b', entry, re.IGNORECASE)):
-# syslog('info',
-# 'DMARC lookup for %s (%s) found p=quarantine in %s = %s',
-# email, dmarc_domain, name, entry)
+ syslog('vette',
+ 'DMARC lookup for %s (%s) found p=quarantine in %s = %s',
+ email, dmarc_domain, name, entry)
 return True
 return False
diff --git a/NEWS b/NEWS
index 0dcc360c..04ec2788 100755
--- a/NEWS
+++ b/NEWS
@@ -38,6 +38,11 @@ Here is a history of user visible changes to Mailman.
 dmarc_moderation_action applies to that message. Otherwise the from_is_list action applies.
+ Also associated with dmarc_moderation_action are configuration settings
+ DMARC_RESOLVER_TIMEOUT and DMARC_RESOLVER_LIFETIME. These are described
+ in more detail in Defaults.py. There are also new vette log entries
+ written when dmarc_moderation_action is found to apply to a post.
+
 i18n
 - Added missing tag to French listinfo template.
--
cgit v1.2.3
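Review bot: In Mailman/Utils.py IsDMARCProhibited(), the new `float(mm_cfg.DMARC_RESOLVER_TIMEOUT)` and `float(mm_cfg.DMARC_RESOLVER_LIFETIME)` conversions take site-configured values with no validation. A non-numeric value raises ValueError or TypeError inside the `try:` on every checked post, and the only handler visible in this hunk catches NXDOMAIN and NoAnswer; a zero or negative value would presumably make every lookup time out. If a failed lookup ends up being treated as "not prohibited" (that handler is outside this hunk, so confirm), a bad setting silently turns the DMARC check off. The Defaults.py.in comments added in this commit could say so, e.g. `# Both values must be positive numbers of seconds; LIFETIME should be >= TIMEOUT.` The function starts above and ends below this hunk.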
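Review bot: The two new `syslog('vette', ...)` calls in IsDMARCProhibited() format `email` and `entry` with `%s`, and both values come from the sender's side: the From: address and the TXT record published under the sender's domain. Unless the logger escapes control characters (not visible on this page), such a value could put line breaks or misleading text into the vette log that moderators and log parsers read. Formatting those two fields with `%r`, e.g. `'DMARC lookup for %r (%s) found p=reject in %s = %r'` and the same for the p=quarantine message, keeps each entry on one line. Where `name` is set is outside this hunk, as are the start and end of the function.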