[Mailman-Users] dmarc_moderation_action isn't working

Mark Sapiro mark at msapiro.net
Thu May 29 17:30:34 CEST 2014


On 05/29/2014 07:44 AM, Joel Uckelman wrote:
> 
> ;; ANSWER SECTION:
> _dmarc.yahoo.com. 1777  IN  TXT "v=DMARC1\; p=reject\; sp=none\; pct=100\; rua=mailto:dmarc-yahoo-rua at yahoo-inc.com, mailto:dmarc_y_rua at yahoo.com\;"
...
> It looks like I got a DMARC record back. Is that the expected result?


Yes.


> The script prints:
> 
> "v=DMARC1; p=reject; sp=none; pct=100; rua=mailto:dmarc-yahoo-rua at yahoo-inc.com, mailto:dmarc_y_rua at yahoo.com;"


OK. So if you look up the DMARC record for yahoo.com, you find p=reject.

Try the attached patch or similar to see what's going on.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
-------------- next part --------------
--- /var/MM/2.1/Mailman/Utils.py	2014-05-02 20:26:19.166274000 -0700
+++ /var/MM/21/Mailman/Utils.py	2014-05-29 08:26:17.545491833 -0700
@@ -1070,9 +1070,14 @@
 # or possibly quarantine.
 def IsDMARCProhibited(mlist, email):
     if not dns_resolver:
-         return False
+        # This is a problem; log it.
+        syslog('error',
+            'DNS lookup for dmarc_moderation_action for list %s not available',
+            mlist)
+        return False
 
     email = email.lower()
+    syslog('error', 'DMARC email = %s', email)
     at_sign = email.find('@')
     if at_sign < 1:
         return False
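Review bot: The added syslog('error', 'DMARC email = %s', email) runs on every call, before the at_sign check has rejected malformed input, so every poster address (valid or not) is written to the error log exactly as received. That is fine as a temporary trace for this diagnosis, but it should be removed or moved to a debug-level log before this is left in place, both to keep the error log meaningful and to avoid collecting sender addresses there. In the first added block, the %s argument is the mlist object itself; passing the list's name (mlist.real_name in Mailman 2.1) would give a cleaner message. The missing-resolver message is worth keeping permanently, since without it the function returns False silently and dmarc_moderation_action never applies.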
@@ -1084,6 +1089,7 @@
         resolver.lifetime = float(mm_cfg.DMARC_RESOLVER_LIFETIME)
         txt_recs = resolver.query(dmarc_domain, dns.rdatatype.TXT)
     except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
+        syslog('error', 'DMARC DNS non exist domain or no answer')
         return False
     except DNSException, e:
         syslog('error',
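Review bot: The message added in the NXDOMAIN/NoAnswer handler carries no context: it does not say which dmarc_domain was queried or for which email, and it does not distinguish the two exceptions. The DNSException handler just below logs email, dmarc_domain and e.__class__; doing the same here would make the line usable when several posts are processed at once. Also note that a domain without a _dmarc record is the normal case, so at 'error' level this will fire for most senders and should not outlive the debugging session.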
@@ -1091,6 +1097,8 @@
               email, dmarc_domain, e.__class__)
         return False
     else:
+        for x in txt_recs:
+            syslog('error', 'DMARC DNS got %s', x)
 # people are already being dumb, don't trust them to provide honest DNS
 # where the answer section only contains what was asked for, nor to include
 # CNAMEs before the values they point to.
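Review bot: The loop added under else: writes each returned TXT record to the error log verbatim and without the queried name, while the comment directly after it says not to trust the remote side to provide honest DNS. Record content comes from whoever controls the sender domain's DNS, so the logged value should be bounded in length and logged together with dmarc_domain, so that a line can be tied to a lookup and an oversized or odd record cannot flood or confuse the log. As with the other traces in this patch, this belongs in a debug log rather than 'error' if it is kept.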

