[Mailman-Users] dmarc_moderation_action isn't working

Thu May 29 12:03:38 CEST 2014

Thus spake Mark Sapiro:
> On 05/28/2014 05:41 AM, Joel Uckelman wrote:
> > 
> > I'm running the just-released RPM for 2.1.18 on Fedora 20. I have the
> > python-dns package installed, which I read was required for DMARC
> > checks.
> 
> 
> The required package is dnspython. This is not the same as PyDNS. It
> looks like the Fedora python-dns package is the right one, but I'm not sure.

I'm certain I have the correct package: The URL 'rpm -qi' gives for the
pacakge is http://www.dnspython.org/, which is the same as the one given
by the 2.1.18 release announcement.

> What happens when you invoke the python that Mailman is using and type
> 
> import dns.resolver
> from dns.exception import DNSException

[uckelman at one ~]$ python 
Python 2.7.5 (default, Feb 19 2014, 13:47:28) 
[GCC 4.8.2 20131212 (Red Hat 4.8.2-7)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import dns.resolver
>>> from dns.exception import DNSException
>>> 

The dns module appears to be found.

> If you get an ImportError, something is wrong. Otherwise things should
> be OK. You can see what python Mailman is using by looking at the
> command lines reported by
> 
> ps -fAw | grep qrunner

[uckelman at one ~]$ ps -fAw | grep -m 1 qrunner
mailman   2733  2700  0 May22 ?        00:01:01 /usr/bin/python /usr/lib/mailman/bin/qrunner --runner=ArchRunner:0:1 -s

Looks like /usr/bin/python, which is the same one as on the path:

[uckelman at one ~]$ which python
/usr/bin/python

> There will normally be an entry in Mailman's vette log for every DMARC
> p=reject (and p=quarantine if enabled) found and possible entries in
> Mailman's error log for lookup errors and other unusual conditions.

I have five vette logs handy, going back as far as 5 May (which would be
before I installed 2.1.18). Three are empty; the other two contain one
message each about rejecting a post by a nonsubscriber. There's nothing
about DMARC in any of them.

> If there are no 'DMARC' entries in Mailman's logs, it most likely means
> the imports I show above didn't succeed in the python that Mailman is
> using, in which case dmarc_moderaction_action will not be done at all.

Do you still think that given what I found above?

> > There is one unusual thing about my list---namely that it sits at one
> > end of a bridge to a phpbb forum. That is, all of the posts from the
> > forum are posted to the list with their Sender set to a special address
> > which is subscribed to the list, and all post from the list are
> > received by that special address and posted to the forum from there.
> > This means that a lot of the addresses in From headers of messages going
> > out over the list are not actually subscribers to the list. Could this
> > be tripping up the dmarc_moderation_action?
> 
> 
> What do you mean by Sender? Do you mean the Sender: header or the From:
> header or what?

Yes, exactly. By "Sender" I'm referring to the Sender: header.

> Perhaps you can explain more precisely what you mean by the above in
> terms of the From: header seen by Mailman and the From: header in the
> list message that recipients see.
>
> If all you are saying is that a lot of posts are From: non-members
> because they come via the phpbb forum, that shouldn't matter. Mailman
> should still check the From: domain for DMARC and apply the
> dmarc_moderation_action as required regardless of list membership.

This is exactly what I'm saying. Many messages posted to the list via
the bridge have From: headers with non-list-member addresses in them.
All messages posted to the list via the bridge have the Sender: address
set to a special address which *is* a list subscriber, which is why (I
believe) Mailman does not reject such messages as originating from
non-subscribers.

-- 
J.