From 7ec3c9cbbb0bb8fa4b966a52c51a9c916b8e690e Mon Sep 17 00:00:00 2001
From: Mark Sapiro
Date: Sun, 6 Mar 2016 12:25:06 -0800
Subject: Better logging of DMARC lookup DNS exceptions.
---
 Mailman/Utils.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'Mailman/Utils.py')
diff --git a/Mailman/Utils.py b/Mailman/Utils.py
index f821f13a..37336e0d 100644
--- a/Mailman/Utils.py
+++ b/Mailman/Utils.py
@@ -1267,7 +1267,7 @@ def _DMARCProhibited(mlist, email, dmarc_domain):
 except DNSException, e:
 syslog('error',
 'DNSException: Unable to query DMARC policy for %s (%s). %s',
- email, dmarc_domain, e.__class__)
+ email, dmarc_domain, e.__doc__)
 return 'continue'
 else:
 # people are already being dumb, don't trust them to provide honest DNS
-- 
cgit v1.2.3
From 325a8d245275d421094f71eb026801a0bc1b8a5f Mon Sep 17 00:00:00 2001
From: Mark Sapiro
Date: Sat, 9 Apr 2016 15:43:47 -0700
Subject: Honor an organizational domain's DMARC sp= policy for sub-domains.
---
 Mailman/Utils.py | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)
(limited to 'Mailman/Utils.py')
diff --git a/Mailman/Utils.py b/Mailman/Utils.py
index 37336e0d..f6cf607e 100644
--- a/Mailman/Utils.py
+++ b/Mailman/Utils.py
@@ -1250,12 +1250,12 @@ def IsDMARCProhibited(mlist, email):
 return x
 o_dom = get_org_dom(f_dom)
 if o_dom != f_dom:
- x = _DMARCProhibited(mlist, email, '_dmarc.' + o_dom)
+ x = _DMARCProhibited(mlist, email, '_dmarc.' + o_dom, org=True)
 if x != 'continue':
 return x
 return False
-def _DMARCProhibited(mlist, email, dmarc_domain):
+def _DMARCProhibited(mlist, email, dmarc_domain, org=False):
 try:
 resolver = dns.resolver.Resolver()
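Review bot: In the `except DNSException, e:` handler of `_DMARCProhibited` (commit 7ec3c9c), logging `e.__doc__` records only the exception class's docstring, which is `None` for any subclass that defines none, and the entry no longer names the class. Logging both, for example `email, dmarc_domain, '%s: %s' % (e.__class__.__name__, e.__doc__))`, keeps the line usable when triaging failed lookups. The handler then returns 'continue', and as far as the visible caller in `IsDMARCProhibited` shows, that ends in `return False`, so this log entry appears to be the only trace that a DMARC policy could not be checked. The function body starts and ends outside the hunk.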
@@ -1315,14 +1315,23 @@ def _DMARCProhibited(mlist, email, dmarc_domain): testing them all""", dmarc_domain, len(dmarc)) for entry in dmarcs: - if re.search(r'\bp=reject\b', entry, re.IGNORECASE): + mo = re.search(r'\bsp=(\w*)\b', entry, re.IGNORECASE) + if org and mo: + policy = mo.group(1).lower() + else: + mo = re.search(r'\bp=(\w*)\b', entry, re.IGNORECASE) + if mo: + policy = mo.group(1).lower() + else: + continue + if policy == 'reject': syslog('vette', '%s: DMARC lookup for %s (%s) found p=reject in %s = %s', mlist.real_name, email, dmarc_domain, name, entry) return True if (mlist.dmarc_quarantine_moderation_action and - re.search(r'\bp=quarantine\b', entry, re.IGNORECASE)): + policy == 'quarantine'): syslog('vette', '%s: DMARC lookup for %s (%s) found p=quarantine in %s = %s', mlist.real_name, email, dmarc_domain, name, entry) @@ -1331,7 +1340,7 @@ def _DMARCProhibited(mlist, email, dmarc_domain): if (mlist.dmarc_none_moderation_action and mlist.dmarc_quarantine_moderation_action and mlist.dmarc_moderation_action in (1, 2) and - re.search(r'\bp=none\b', entry, re.IGNORECASE)): + policy == 'none'): syslog('vette', '%s: DMARC lookup for %s (%s) found p=none in %s = %s', mlist.real_name, email, dmarc_domain, name, entry) -- cgit v1.2.3 From 35720b98bdaff9ad565fc2775f2b5aba918c52c9 Mon Sep 17 00:00:00 2001 From: Mark Sapiro Date: Sat, 9 Apr 2016 21:53:04 -0700 Subject: Use rfind rather than find to find '@' for domain splitting. --- Mailman/Utils.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'Mailman/Utils.py') diff --git a/Mailman/Utils.py b/Mailman/Utils.py index f6cf607e..892bb5c8 100644 --- a/Mailman/Utils.py +++ b/Mailman/Utils.py @@ -1241,7 +1241,8 @@ def IsDMARCProhibited(mlist, email): return False email = email.lower() - at_sign = email.find('@') + # Scan from the right in case quoted local part has an '@'. + at_sign = email.rfind('@') if at_sign < 1: return False f_dom = email[at_sign+1:] -- cgit v1.2.3 
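Review bot: The `syslog('vette', ...)` messages in this loop still say `found p=reject` and `found p=quarantine` even when `policy` was taken from the organizational domain's `sp=` tag, so the vette log misreports which tag drove the moderation decision. Keeping the tag name with the value, e.g. `tag, policy = 'sp', mo.group(1).lower()`, and logging `found %s=%s` would keep the audit trail accurate; the same applies to the `found p=none` message in the following hunk (`@@ -1331,7 +1340,7 @@`). Separately, `\bsp=(\w*)\b` and `\bp=(\w*)\b` require `=` to follow the tag name directly; if RFC 7489 is read as permitting whitespace around `=`, such records fall into the `continue` branch and are ignored, which is worth confirming. `_DMARCProhibited` starts before and continues after these hunks.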
From 6a615a1e6c6b3b03c3d8e334e6b097f29c9c975a Mon Sep 17 00:00:00 2001
From: Mark Sapiro
Date: Wed, 4 May 2016 18:27:19 -0700
Subject: Allow DMARC_ORGANIZATIONAL_DOMAIN_DATA_URL to be None or the null string.
---
 Mailman/Utils.py | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'Mailman/Utils.py')
diff --git a/Mailman/Utils.py b/Mailman/Utils.py
index 892bb5c8..2dbaef0b 100644
--- a/Mailman/Utils.py
+++ b/Mailman/Utils.py
@@ -1170,6 +1170,8 @@ def get_suffixes(url):
 global s_dict
 if s_dict:
 return
+ if not url:
+ return
 try:
 d = urllib2.urlopen(url)
 except urllib2.URLError, e:
-- 
cgit v1.2.3
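Review bot: The new `if not url: return` in `get_suffixes` returns silently and carries no comment, so a reader cannot tell that an unset URL is a supported configuration that leaves `s_dict` empty. A comment such as `# No URL configured: skip the download and leave s_dict empty.` above the check would document that. How `get_org_dom` behaves with an empty `s_dict` is not visible in this hunk, so whether organizational-domain DMARC policies are then skipped is an assumption to confirm. The function continues after the hunk.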