DNS error behaviour with DMARC
With dmarc_moderation_notice set to anything but "Accept" Mailman will do a DNS query for every message that comes in and check the DMARC record of the sending domain. I have two questions regarding this:
Has anyone on this list noticed any performance issues with the overhead this adds? I doubt there is anything noticeable but curious if anyone has seen any issue.
What is Mailman's behaviour if the query fails (e.g. times out)? Defaults.py says:
# Parameters for DMARC DNS lookups. If you are seeing 'DNSException:
# Unable to query DMARC policy ...' entries in your error log, you may need
# to adjust these.
# The time to wait for a response from a name server before timeout.
DMARC_RESOLVER_TIMEOUT = seconds(3)
# The total time to spend trying to get an answer to the question.
DMARC_RESOLVER_LIFETIME = seconds(5)
... but what happens to the post when DNSException is thrown? Is the message rejected and a bounce sent to the poster? Is it re-queued and tried again? If so when does Mailman give up? Does Mailman simply shunt the post and throw an error?
If someone can point me to the file that holds this code I can review it and report what the behaviour is.
-- Jeff White - GNU+Linux Systems Administrator University of Pittsburgh - CSSD
On 8/27/2014 10:54 AM, Jeff White wrote:
> With dmarc_moderation_notice set to anything but "Accept" Mailman will do a DNS query for every message that comes in and check the DMARC record of the sending domain. I have two questions regarding this:
> Has anyone on this list noticed any performance issues with the overhead this adds? I doubt there is anything noticeable but curious if anyone has seen any issue.
> What is Mailman's behaviour if the query fails (e.g. times out)? Defaults.py says:
> # Parameters for DMARC DNS lookups. If you are seeing 'DNSException:
> # Unable to query DMARC policy ...' entries in your error log, you may need
> # to adjust these.
> # The time to wait for a response from a name server before timeout.
> DMARC_RESOLVER_TIMEOUT = seconds(3)
> # The total time to spend trying to get an answer to the question.
> DMARC_RESOLVER_LIFETIME = seconds(5)
> ... but what happens to the post when DNSException is thrown? Is the message rejected and a bounce sent to the poster? Is it re-queued and tried again? If so when does Mailman give up? Does Mailman simply shunt the post and throw an error?
> If someone can point me to the file that holds this code I can review it and report what the behaviour is.
As for item 1 - What is your DNS setup? If the Mailman server has a caching-only name server on the same box (and it is good to do so), or if the Mailman server is contacting a local DNS server for DNS resolution, then the local DNS server should have the information cached (for a TTL determined by the owner of the DNS record), so DNS traffic should be minimal. I assume that the owner of a DMARC record in DNS will place an appropriate TTL on the record so that the record will remain in a DNS cache for a time that will limit the number of DNS requests back to the master DNS server. A domain owner should have multiple DNS servers so that one is always accessible for queries.
--Barry Finkel
On Wed, Aug 27, 2014 at 11:54 AM, Jeff White <jaw171@pitt.edu> wrote:
> - What is Mailman's behaviour if the query fails (e.g. times out)?
The msg is passed through as if there was no DMARC check. (Yes, it's known that it is possible for a miscreant to DDoS domain.tld's DNS servers and then send you an email From domain.tld)
> ... but what happens to the post when DNSException is thrown?
Same as above.
> If someone can point me to the file that holds this code I can review it and report what the behaviour is.
It's in Mailman/Utils.py
Any and all improvements, suggestions, criticisms, etc. are welcome.
-Jim P.
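The behaviour Jim describes (a DNS failure is treated as "no DMARC record" and the post goes through) is easy to see in a small model of the check. The following is an added illustration written for this thread, not Mailman's own code from Mailman/Utils.py: it parses a DMARC TXT record, looks up _dmarc.<domain> through an injectable lookup callable, and on a lookup error falls back to a configurable on_error choice. The default "accept" mirrors the fail-open behaviour from the thread; the "hold" alternative is a hypothetical fail-closed setting shown for comparison. The timeout/lifetime values are the ones quoted from Defaults.py; the optional dnspython_lookup helper assumes the dnspython 2.x Resolver API (resolve(), and the .timeout/.lifetime attributes) and is not needed to run the example. All sample records are constructed.

```python
import logging

log = logging.getLogger("dmarc-example")

# Values quoted from Mailman's Defaults.py in the thread, in seconds.
DMARC_RESOLVER_TIMEOUT = 3.0
DMARC_RESOLVER_LIFETIME = 5.0


class DMARCLookupError(Exception):
    """Raised by a lookup callable when the DNS query fails or times out."""


def parse_dmarc(txt):
    """Parse one TXT string into a dict of DMARC tags; None if it is not DMARC."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def dmarc_policy(domain, lookup):
    """Return the p= value ('none', 'quarantine', 'reject') published for domain,
    or None when no DMARC record exists.
    lookup(name) returns a list of TXT strings or raises DMARCLookupError."""
    for txt in lookup("_dmarc." + domain):
        tags = parse_dmarc(txt)
        if tags is not None:
            return tags.get("p", "none").lower()
    return None


def dmarc_action(domain, lookup, on_error="accept"):
    """Decide what to do with a post whose From: is in domain.
    on_error='accept' is the fail-open behaviour described in the thread;
    on_error='hold' is a hypothetical fail-closed alternative."""
    try:
        policy = dmarc_policy(domain, lookup)
    except DMARCLookupError as exc:
        # This is the situation behind the 'Unable to query DMARC policy' log entry.
        log.error("Unable to query DMARC policy for %s: %s", domain, exc)
        return on_error
    if policy in ("quarantine", "reject"):
        return "mitigate"  # apply the list's dmarc_moderation_action
    return "accept"


def dnspython_lookup(name, timeout=DMARC_RESOLVER_TIMEOUT,
                     lifetime=DMARC_RESOLVER_LIFETIME):
    """Real lookup via dnspython 2.x (assumed API; optional, not used by the demo).
    NXDOMAIN / NoAnswer mean 'no record'; any other DNS failure is a lookup error."""
    import dns.exception
    import dns.resolver
    resolver = dns.resolver.Resolver()
    resolver.timeout = timeout    # per-server wait, like DMARC_RESOLVER_TIMEOUT
    resolver.lifetime = lifetime  # total budget, like DMARC_RESOLVER_LIFETIME
    try:
        answer = resolver.resolve(name, "TXT")
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        return []
    except dns.exception.DNSException as exc:
        raise DMARCLookupError(str(exc))
    return [b"".join(rr.strings).decode("ascii", "replace") for rr in answer]


# Constructed sample records standing in for DNS; example.org simulates a timeout.
SAMPLE_RECORDS = {
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "_dmarc.example.net": ["unrelated txt record", "v=DMARC1; p=none"],
}


def sample_lookup(name):
    """Offline stand-in for a resolver, backed by SAMPLE_RECORDS."""
    if name == "_dmarc.example.org":
        raise DMARCLookupError("DNS query timed out after %.0fs" % DMARC_RESOLVER_LIFETIME)
    return SAMPLE_RECORDS.get(name, [])


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    for dom in ("example.com", "example.net", "example.org", "nodmarc.test"):
        print(dom, "->", dmarc_action(dom, sample_lookup),
              "| fail-closed:", dmarc_action(dom, sample_lookup, on_error="hold"))
```

The point of the injectable lookup is that the fail-open decision lives in one place (the except branch in dmarc_action), so an operator who prefers to hold posts when the resolver is unreachable, rather than let them through as Jim's DDoS scenario allows, changes a single setting instead of the DNS code.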