
Thus spake Mark Sapiro:
On 05/28/2014 05:41 AM, Joel Uckelman wrote:
I'm running the just-released RPM for 2.1.18 on Fedora 20. I have the python-dns package installed, which I read was required for DMARC checks.
The required package is dnspython. This is not the same as PyDNS. It looks like the Fedora python-dns package is the right one, but I'm not sure.
I'm certain I have the correct package: The URL 'rpm -qi' gives for the package is http://www.dnspython.org/, which is the same as the one given by the 2.1.18 release announcement.
What happens when you invoke the python that Mailman is using and type
import dns.resolver
from dns.exception import DNSException
[uckelman@one ~]$ python
Python 2.7.5 (default, Feb 19 2014, 13:47:28)
[GCC 4.8.2 20131212 (Red Hat 4.8.2-7)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
import dns.resolver
from dns.exception import DNSException
The dns module appears to be found.
If you get an ImportError, something is wrong. Otherwise things should be OK. You can see what python Mailman is using by looking at the command lines reported by
ps -fAw | grep qrunner
[uckelman@one ~]$ ps -fAw | grep -m 1 qrunner
mailman 2733 2700 0 May22 ? 00:01:01 /usr/bin/python /usr/lib/mailman/bin/qrunner --runner=ArchRunner:0:1 -s
Looks like /usr/bin/python, which is the same one as on the path:
[uckelman@one ~]$ which python
/usr/bin/python
There will normally be an entry in Mailman's vette log for every DMARC p=reject (and p=quarantine if enabled) found and possible entries in Mailman's error log for lookup errors and other unusual conditions.
I have five vette logs handy, going back as far as 5 May (which would be before I installed 2.1.18). Three are empty; the other two contain one message each about rejecting a post by a nonsubscriber. There's nothing about DMARC in any of them.
If there are no 'DMARC' entries in Mailman's logs, it most likely means the imports I show above didn't succeed in the python that Mailman is using, in which case dmarc_moderation_action will not be done at all.
Do you still think that given what I found above?
There is one unusual thing about my list---namely that it sits at one end of a bridge to a phpbb forum. That is, all of the posts from the forum are posted to the list with their Sender set to a special address which is subscribed to the list, and all posts from the list are received by that special address and posted to the forum from there. This means that a lot of the addresses in From headers of messages going out over the list are not actually subscribers to the list. Could this be tripping up the dmarc_moderation_action?
What do you mean by Sender? Do you mean the Sender: header or the From: header or what?
Yes, exactly. By "Sender" I'm referring to the Sender: header.
Perhaps you can explain more precisely what you mean by the above in terms of the From: header seen by Mailman and the From: header in the list message that recipients see.
If all you are saying is that a lot of posts are From: non-members because they come via the phpbb forum, that shouldn't matter. Mailman should still check the From: domain for DMARC and apply the dmarc_moderation_action as required regardless of list membership.
This is exactly what I'm saying. Many messages posted to the list via the bridge have From: headers with non-list-member addresses in them. All messages posted to the list via the bridge have the Sender: address set to a special address which *is* a list subscriber, which is why (I believe) Mailman does not reject such messages as originating from non-subscribers.
-- J.
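
An added example, not part of the thread and not Mailman's own code: a Python 3 sketch of the decision discussed above, where the DMARC policy is looked up for the From: domain only, so the Sender: header and list membership play no part. The function names, the include_quarantine switch and the sample TXT records are assumptions constructed for illustration; a real check would query DNS (for example with dnspython) and would also fall back to the organizational domain, which this sketch omits.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample TXT records, keyed by the DNS name they would be published at.
SAMPLE_TXT = {
    "_dmarc.strict.example": ["v=DMARC1; p=reject; rua=mailto:agg@strict.example"],
    "_dmarc.soft.example": ["v=spf1 -all", "v=DMARC1; p=quarantine; pct=100"],
    "_dmarc.bridge.example": ["v=DMARC1; p=none"],
}

def lookup_txt(name):
    """Stand-in for a DNS TXT query (assumption: swap in a real resolver)."""
    return SAMPLE_TXT.get(name, [])

def dmarc_policy(domain, txt_lookup=lookup_txt):
    """Return the p= tag of the domain's DMARC record, or None if none is found."""
    for record in txt_lookup("_dmarc." + domain.lower()):
        tags = {}
        for part in record.split(";"):
            if "=" in part:
                key, value = part.split("=", 1)
                tags[key.strip().lower()] = value.strip().lower()
        # Skip unrelated TXT records (e.g. SPF) published at the same name.
        if tags.get("v") == "dmarc1":
            return tags.get("p")
    return None

def should_moderate(raw_message, include_quarantine=False, txt_lookup=lookup_txt):
    """Decide from the From: header alone; Sender: is never consulted."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2]
    if not domain:
        return False
    policy = dmarc_policy(domain, txt_lookup)
    return policy == "reject" or (include_quarantine and policy == "quarantine")

# Constructed bridge post: From: is a non-member, Sender: is the subscribed bridge.
BRIDGED_POST = (
    "From: Forum User <poster@strict.example>\n"
    "Sender: bridge@bridge.example\n"
    "Subject: test\n\nbody\n"
)

if __name__ == "__main__":
    print("moderate bridged post:", should_moderate(BRIDGED_POST))
```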