[Mailman-Users] DMARC hack
Allan Hansen
hansen at rc.org
Mon May 25 00:19:37 CEST 2015
I wonder why then I got a bunch of issues with btopenworld.com, which apparently is Yahoo based.
I just checked btopenworld.com with the ‘host’ command and as you say, it has no ‘reject’:
$ host -t TXT _dmarc.btopenworld.com
_dmarc.btopenworld.com descriptive text "v=DMARC1\; p=none\; fo=1\; rua=mailto:dmarcagg at btinternet.com, mailto:dmarc_agg at auth.returnpath.net\;"
$ host -t TXT _dmarc.yahoo.com
_dmarc.yahoo.com descriptive text "v=DMARC1\; p=reject\; sp=none\; pct=100\; rua=mailto:dmarc-yahoo-rua at yahoo-inc.com, mailto:dmarc_y_rua at yahoo.com\;"
Here is the reject notice:
Final-Recipient: rfc822; subscriber at aol.com
Original-Recipient: rfc822;subscriber at aol.com
Action: failed
Status: 5.2.1
Remote-MTA: dns; mailin-04.mx.aol.com
Diagnostic-Code: smtp; 521 5.2.1 : AOL will not accept delivery of this
message.
Date: May 13, 2015 at 07:52:17 PDT
From: <sender at btopenworld.com>
To: <list address>
Subject: subject
Reply-To: sender at btopenworld.com
And yes, as I just wrote, I have good reasons for keeping this as simple as I possibly can. Upgrading is not simple, I suspect, though I’d love to move to 3.0, as I have a lot of lists, with subscribers on many lists simultaneously.
Yours,
Allan
> On May 24, 2015, at 11:14 , Stephen J. Turnbull <stephen at xemacs.org> wrote:
>
> Allan Hansen writes:
>
>> Checking for aol.com and yahoo.com here alone will not work. I have
>> a bunch of other subscribers that have accounts with providers
>> that are owned by Yahoo (mostly) and AOL, but whose addresses are
>> not of this form.
>
> Oddly enough, it turns out that they only use DMARC p=reject at their
> principal domain (aol.com and yahoo.com). You can check for any given
> domain by prepending _dmarc. and checking the TXT record. For
> example, for aol.com it would be "host -t TXT _dmarc.aol.com" if you
> have the host utility for doing DNS lookups.
>
>> I would have to do this for all addresses, to be safe.
>
> If you're worried about safety and care about conforming to standards,
> you really should upgrade to at least Mailman 2.1.18-1. That allows
> you to be nonconformant only for authors whose addresses are in
> troublesome domains, and handles the reply-to issue as well as
> possible (making everybody happy isn't quite possible). I'm sure you
> have good reason for not doing so *right* *now*, but keep it in mind.
>
>> If I do this and add the bit about the Reply-To, what would the
>> code look like?
>
> If you do it for all mail, you just delete the "if" line and shift
> everything left one dedent.
>
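> from email.utils import parseaddr, formataddr
>
> # Keep the author's name and address in the display name only.
> name, addr = parseaddr(msg.get('from'))
> name = "%s (%s) via list" % (name if name else "Anonymous", addr)
> # The address in From becomes the list's own posting address.
> fromaddr = mlist.GetListEmail()
> del msg['from']
> msg['from'] = formataddr((name, fromaddr))
> # reply-to handling goes here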
>
> I'm not comfortable trying to say what to do about reply-to, because
> it's quite complicated depending on how you want to handle each of a
> large number of variations: what to do with a preexisting Reply-To and
> whether to put the list and/or the from address there. See the
> Mailman/Handlers/CookHeaders.py file in the Mailman distribution.
>
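The _dmarc TXT check discussed in this thread, as an added example that is not part of the original messages or of Mailman: it parses the two records shown in the host output above and decides whether a list that modifies messages needs to rewrite From for an author in that domain. The function names, the RECORDS table and the choice to treat quarantine like reject are assumptions of this example.

```python
# TXT records copied from the host output in the message above
# (the archive's " at " address obfuscation is left as it appears there).
RECORDS = {
    "btopenworld.com": r'"v=DMARC1\; p=none\; fo=1\; rua=mailto:dmarcagg at btinternet.com, mailto:dmarc_agg at auth.returnpath.net\;"',
    "yahoo.com": r'"v=DMARC1\; p=reject\; sp=none\; pct=100\; rua=mailto:dmarc-yahoo-rua at yahoo-inc.com, mailto:dmarc_y_rua at yahoo.com\;"',
}

# Assumption of this example: both policies are treated as needing a rewrite.
STRICT_POLICIES = ("reject", "quarantine")


def parse_dmarc(txt):
    """Parse a DMARC TXT record as printed by host; return a tag dict or None."""
    txt = txt.strip().strip('"').replace("\\;", ";")
    parts = txt.split(";")
    # The version tag must come first, otherwise this is not a DMARC record.
    if "".join(parts[0].split()) != "v=DMARC1":
        return None
    tags = {}
    for part in parts:
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def effective_policy(tags, is_subdomain=False):
    """Policy for the domain itself, or for a subdomain that falls back to it."""
    if tags is None:
        return "none"
    policy = tags.get("p", "none")
    if is_subdomain:
        # sp overrides p for subdomains without a record of their own.
        policy = tags.get("sp", policy)
    return policy.lower()


def needs_from_rewrite(domain, records=RECORDS, is_subdomain=False):
    """True when mail from this author domain would fail DMARC after list changes."""
    tags = parse_dmarc(records.get(domain, ""))
    return effective_policy(tags, is_subdomain) in STRICT_POLICIES
```

With the yahoo.com record above, sp=none means a subdomain that inherits this record is not subject to reject, while yahoo.com itself is.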