1
=== modified file 'Mailman/Utils.py'
2
--- Mailman/Utils.py	2013-03-03 08:04:37 +0000
3
+++ Mailman/Utils.py	2013-03-18 22:17:21 +0000
4
@@ -35,6 +35,7 @@
5
35
import base64
35
import base64
6
36
import random
36
import random
7
37
import urlparse
37
import urlparse
8
38
import collections
9
38
import htmlentitydefs
39
import htmlentitydefs
10
39
import email.Header
40
import email.Header
11
40
import email.Iterators
41
import email.Iterators
12
@@ -1081,18 +1082,56 @@
13
1081
        resolver.timeout = 1
1082
        resolver.timeout = 1
14
1082
        resolver.lifetime = 5
1083
        resolver.lifetime = 5
15
1083
        txt_recs = resolver.query(dmarc_domain, dns.rdatatype.TXT)
1084
        txt_recs = resolver.query(dmarc_domain, dns.rdatatype.TXT)
17
1084
    except dns.resolver.NXDOMAIN:
1085
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
18
1085
        return False
1086
        return False
19
1086
    except DNSException, e:
1087
    except DNSException, e:
20
1087
        syslog('error', 'DNSException: Unable to query DMARC policy for %s (%s). %s',
1088
        syslog('error', 'DNSException: Unable to query DMARC policy for %s (%s). %s',
21
1088
              email, dmarc_domain, e.__class__)
1089
              email, dmarc_domain, e.__class__)
22
1089
        return False
1090
        return False
23
1090
    else:
1091
    else:
24
1092
# people are already being dumb, don't trust them to provide honest DNS
25
1093
# where the answer section only contains what was asked for, nor to include
26
1094
# CNAMEs before the values they point to.
27
1095
        full_record = ""
28
1096
        results_by_name = collections.defaultdict(list)
29
1097
        cnames = {}
30
1098
        want_names = set([dmarc_domain + '.'])
31
1091
        for txt_rec in txt_recs.response.answer:
1099
        for txt_rec in txt_recs.response.answer:
36
1092
            assert( txt_rec.rdtype == dns.rdatatype.TXT)
1100
            if txt_rec.rdtype == dns.rdatatype.CNAME:
37
1093
            if re.search(r"[^s]p=reject", "".join(txt_rec.items[0].strings), re.IGNORECASE):
1101
                cnames[txt_rec.name.to_text()] = txt_rec.items[0].target.to_text()
38
1094
               return True
1102
            if txt_rec.rdtype != dns.rdatatype.TXT:
39
1095
    
1103
                continue
40
1104
            results_by_name[txt_rec.name.to_text()].append("".join(txt_rec.items[0].strings))
41
1105
        expands = list(want_names)
42
1106
        seen = set(expands)
43
1107
        while expands:
44
1108
            item = expands.pop(0)
45
1109
            if item in cnames:
46
1110
                if cnames[item] in seen:
47
1111
                    continue # cname loop
48
1112
                expands.append(cnames[item])
49
1113
                seen.add(cnames[item])
50
1114
                want_names.add(cnames[item])
51
1115
                want_names.discard(item)
52
1116
53
1117
        if len(want_names) != 1:
54
1118
            syslog('error', 'multiple DMARC entries in results for %s, processing each to be strict',
55
1119
                    dmarc_domain)
56
1120
        for name in want_names:
57
1121
            if name not in results_by_name:
58
1122
                continue
59
1123
            dmarcs = filter(lambda n: n.startswith('v=DMARC1;'), results_by_name[name])
60
1124
            if len(dmarcs) == 0:
61
1125
                return False
62
1126
            if len(dmarcs) > 1:
63
1127
                syslog('error', 'RRset of TXT records for %s has %d v=DMARC1 entries; testing them all',
64
1128
                        dmarc_domain, len(dmarc))
65
1129
            for entry in dmarcs:
66
1130
                if re.search(r'\bp=reject\b', entry, re.IGNORECASE):
67
1131
                    syslog('info', 'DMARC lookup for %s (%s) found p=reject in %s = %s',
68
1132
                            email, dmarc_domain, name, entry)
69
1133
                    return True
70
1134
71
1096
    return False
1135
    return False
72
1097
1136
73
1098
1137
Status:	Merged
Approved by:	Jim Popovitch on 2013-03-18
Approved revision:	1376
Merged at revision:	1376
Proposed branch:	lp:~phil.pennock/mailman/dmarc-reject
Merge into:	lp:~jimpop/mailman/dmarc-reject
Diff against target:	71 lines (+44/-5) 1 file modified Mailman/Utils.py (+44/-5)
To merge this branch:	bzr merge lp:~phil.pennock/mailman/dmarc-reject
Related bugs:	Link a bug report
Reviewer	Review Type	Date Requested	Status
Jim Popovitch		2013-03-18	Approve on 2013-03-18
Review via email: mp+153947@code.launchpad.net