From a04f3a2976940022009c154fe0400fb8464b014c Mon Sep 17 00:00:00 2001
From: Mark Sapiro <mark@msapiro.net>
Date: Sat, 7 Oct 2017 15:28:06 -0700
Subject: Improved DMARC testing for domains with DNSSEC validation problems.

---
 Mailman/Utils.py | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

(limited to 'Mailman')

diff --git a/Mailman/Utils.py b/Mailman/Utils.py
index 75481563..9c366352 100644
--- a/Mailman/Utils.py
+++ b/Mailman/Utils.py
@@ -1267,11 +1267,23 @@ def _DMARCProhibited(mlist, email, dmarc_domain, org=False):
         txt_recs = resolver.query(dmarc_domain, dns.rdatatype.TXT)
     except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
         return 'continue'
+    except (dns.resolver.NoNameservers):
+        syslog('error',
+               'DNSException: No Nameservers available for %s (%s)',
+               email, dmarc_domain)
+        # Typically this means a dnssec validation error.  Clients that don't
+        # perform validation *may* successfully see a _dmarc RR whereas a
+        # validating mailman server wont see the _dmarc RR.  We should mitigate
+        # this email to be safe.
+        return True
     except DNSException, e:
         syslog('error',
                'DNSException: Unable to query DMARC policy for %s (%s). %s',
-              email, dmarc_domain, e.__doc__)
-        return 'continue'
+               email, dmarc_domain, e.__doc__)
+        # While we can't be sure what caused the error, there is potentially
+        # a DMARC policy record that we missed and that a receiver of the mail
+        # might see.  Thus, we should err on the side of caution and mitigate.
+        return True
     else:
         # Be as robust as possible in parsing the result.
         results_by_name = {}
-- 
cgit v1.2.3