From a04f3a2976940022009c154fe0400fb8464b014c Mon Sep 17 00:00:00 2001
From: Mark Sapiro <mark@msapiro.net>
Date: Sat, 7 Oct 2017 15:28:06 -0700
Subject: Improved DMARC testing for domains with DNSSEC validation problems.

---
 Mailman/Utils.py | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

(limited to 'Mailman/Utils.py')

diff --git a/Mailman/Utils.py b/Mailman/Utils.py
index 75481563..9c366352 100644
--- a/Mailman/Utils.py
+++ b/Mailman/Utils.py
@@ -1267,11 +1267,23 @@ def _DMARCProhibited(mlist, email, dmarc_domain, org=False):
         txt_recs = resolver.query(dmarc_domain, dns.rdatatype.TXT)
     except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
         return 'continue'
+    except (dns.resolver.NoNameservers):
+        syslog('error',
+               'DNSException: No Nameservers available for %s (%s)',
+               email, dmarc_domain)
+        # Typically this means a dnssec validation error.  Clients that don't
+        # perform validation *may* successfully see a _dmarc RR whereas a
+        # validating mailman server wont see the _dmarc RR.  We should mitigate
+        # this email to be safe.
+        return True
     except DNSException, e:
         syslog('error',
                'DNSException: Unable to query DMARC policy for %s (%s). %s',
-              email, dmarc_domain, e.__doc__)
-        return 'continue'
+               email, dmarc_domain, e.__doc__)
+        # While we can't be sure what caused the error, there is potentially
+        # a DMARC policy record that we missed and that a receiver of the mail
+        # might see.  Thus, we should err on the side of caution and mitigate.
+        return True
     else:
         # Be as robust as possible in parsing the result.
         results_by_name = {}
-- 
cgit v1.2.3


From 1ddd44e9d3549fc2e854b6a508dc0adb6c344988 Mon Sep 17 00:00:00 2001
From: Mark Sapiro <mark@msapiro.net>
Date: Thu, 26 Oct 2017 13:37:08 -0700
Subject: Updated i18n in preparation for 2.1.25 release. Fixed a minor typo.

---
 Mailman/Utils.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'Mailman/Utils.py')

diff --git a/Mailman/Utils.py b/Mailman/Utils.py
index 9c366352..9dbd0b55 100644
--- a/Mailman/Utils.py
+++ b/Mailman/Utils.py
@@ -1273,8 +1273,8 @@ def _DMARCProhibited(mlist, email, dmarc_domain, org=False):
                email, dmarc_domain)
         # Typically this means a dnssec validation error.  Clients that don't
         # perform validation *may* successfully see a _dmarc RR whereas a
-        # validating mailman server wont see the _dmarc RR.  We should mitigate
-        # this email to be safe.
+        # validating mailman server won't see the _dmarc RR.  We should
+        # mitigate this email to be safe.
         return True
     except DNSException, e:
         syslog('error',
-- 
cgit v1.2.3