Manually treat certain domains as if they have restrictive DMARC policy
Folks:
I've got a number of subscribers whose email admins have set a policy such that, if a message is sent to them with their email address as the 'from' address, the message is rejected.
This is causing those people's posts to bounce ... and, ultimately, they get unsubscribed.
Although the BEST course of action would be for the mail admins to alter their spam filters or implement DMARC policies, that's a bit much to ask for.
To resolve this, I'm thinking of creating a flat file of domains that are causing this problem ... then modifying the _DMARCProhibited routine, in Utils.py, to read the flat file and treat domains found in that file as if they had a DMARC policy set to reject.
Do you think that will work ... or am I completely off base? Perhaps there's already a mechanism in MM 2.1 that would do what I want (hopeful grin)?
david
-- IBM i on Power Systems: For when you can't afford to be out of business!
I'm riding 615 miles (Yes, you read that right) in the American Diabetes Association's Tour de Cure to raise money for diabetes research, education, advocacy, and awareness. You can make a tax-deductible donation to my ride by visiting https://gmane.diabetessucks.net.
You can see where my donations come from by visiting my interactive donation map ... https://gmane.diabetessucks.net/map (it's a geeky thing).
I may have diabetes, but diabetes doesn't have me!
Hello David Gibbs via Mailman-Users. On Mon, 28 Jan 2019 13:54:21 -0600, you wrote:
I've got a number of subscribers whose email admins have set a policy such that, if a message is sent to them with their email address as the 'from' address, the message is rejected.
This is causing those people's posts to bounce ... and, ultimately, they get unsubscribed.
This mail server setup / filter is nonsense. I usually send a Bcc of all my messages to myself to "simulate" IMAP while using POP3.
My simple "solution" would be:
- They should subscribe twice, with one address to receive the list mails, with the other to send their messages to the list.
- They should set the "sending" mail address to "silent" (i.e. "no mail")
- They should maybe use a mail program which allows them to automatically reply from the other address if they want to reply to a list message. This would eliminate problems if they forget about it (which would be the case for me most of the time).
Christian
Christian F. Buser, Hohle Gasse 6, CH-5507 Mellingen (Switzerland)
Help for street children in Ghana: http://www.chance-for-children.org
On 1/28/19 11:54 AM, David Gibbs via Mailman-Users wrote:
To resolve this, I'm thinking of creating a flat file of domains that are causing this problem ... then modifying the _DMARCProhibited routine, in Utils.py, to read the flat file and treat domains found in that file as if they had a DMARC policy set to reject.
Do you think that will work ... or am I completely off base? Perhaps there's already a mechanism in MM 2.1 that would do what I want (hopeful grin)?
The current development branch at <https://code.launchpad.net/~mailman-coders/mailman/2.1> contains <https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1804> which implements 'dmarc_moderation_addresses' which is:
List of addresses (or regexps) whose posts should always apply dmarc_moderation_action regardless of any domain specific DMARC Policy.
The intent of this feature is (almost) exactly your situation. We say this about it.
This can be utilized to automatically wrap or munge postings from known addresses or domains that might have policies rejecting external mail From: themselves.
This feature will be in the next release (no planned date yet) or you can get it now from launchpad.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
On 1/28/19 2:25 PM, Mark Sapiro wrote:
List of addresses (or regexps) whose posts should always apply dmarc_moderation_action regardless of any domain specific DMARC Policy.
That's close to what I want ... the only issue is that I'm looking for the behavior to be site wide not on a per-list basis.
david
David Gibbs via Mailman-Users writes:
On 1/28/19 2:25 PM, Mark Sapiro wrote:
List of addresses (or regexps) whose posts should always apply dmarc_moderation_action regardless of any domain specific DMARC Policy.
That's close to what I want ... the only issue is that I'm looking for the behavior to be site wide not on a per-list basis.
Unfortunately, that's a fundamental problem with Mailman 2's web admin design; it doesn't know about sites, only about lists, with the (single) site being implicit. This is addressed in Mailman 3.
I would guess that it wouldn't be hard to write a script for Mailman 2 using mailman/bin/withlist to do the updates.
Steve
On 1/28/19 8:46 PM, Stephen J. Turnbull wrote:
David Gibbs via Mailman-Users writes:
That's close to what I want ... the only issue is that I'm looking for the behavior to be site wide not on a per-list basis.
I would guess that it wouldn't be hard to write a script for Mailman 2 using mailman/bin/withlist to do the updates.
As Steve says, a withlist script to update all lists is not at all complex.
Also, adding a global setting for dmarc_moderation_addresses on top of the per-list setting is not difficult either. See <https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1574> for how this was done for a global ban_list.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
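One way to write the withlist script Steve and Mark describe, as an added example that is not code from the thread or from Mailman. The module name, function name and sample pattern are hypothetical, and it assumes a Mailman 2.1 build that already carries dmarc_moderation_addresses.

```python
# add_dmarc_patterns.py -- put this file in Mailman 2.1's bin/ directory, then run:
#   bin/withlist -l -a -r add_dmarc_patterns.add_dmarc_patterns
# -l locks each list, -a visits every list, -r names module.function.

# Constructed placeholder; replace with patterns for the domains that
# reject mail carrying their own address in From:.
SITE_PATTERNS = [r'^.*@example\.com$']


def add_dmarc_patterns(mlist, *patterns):
    """Merge site-wide patterns into one list's dmarc_moderation_addresses.

    Extra command-line arguments, if any, arrive in *patterns and replace
    SITE_PATTERNS. Returns the number of patterns added, or -1 when the
    list object has no dmarc_moderation_addresses attribute (the feature
    is not installed), so the list is left untouched.
    """
    wanted = list(patterns) or SITE_PATTERNS
    if not hasattr(mlist, 'dmarc_moderation_addresses'):
        return -1
    current = list(mlist.dmarc_moderation_addresses)
    # Only add what is missing, so the script is safe to re-run.
    missing = [p for p in wanted if p not in current]
    if missing:
        mlist.dmarc_moderation_addresses = current + missing
        mlist.Save()  # withlist does not save for you; without this the change is lost
    return len(missing)
```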
On 1/29/2019 12:13 AM, Mark Sapiro wrote:
Also, adding a global setting for dmarc_moderation_addresses on top of the per-list setting is not difficult either. See <https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1574> for how this was done for a global ban_list.
I'm by no means a Python expert (far from it), but I hacked this together... === modified file 'Mailman/Defaults.py.in' --- Mailman/Defaults.py.in 2018-07-12 03:14:02 +0000 +++ Mailman/Defaults.py.in 2019-01-29 14:27:59 +0000 @@ -145,6 +145,11 @@ # GLOBAL_BAN_LIST = ['xxx@aol\.com', '^yyy.*@gmail\.com$'] GLOBAL_BAN_LIST = [] +# Installation wide DMARC list. This is a list of email addresses and +# regexp patterns (beginning with ^) that will be treated as if they +# have a restrictive DMARC policy. Same examples as GLOBAL_BAN_LIST +GLOBAL_DMARC_LIST = [] + # If the following is set to Yes, and a web subscribe comes from an IPv4 # address and the IP is listed in Spamhaus SBL, CSS or XBL, the subscription # will be blocked. It will work with IPv6 addresses if Python's py2-ipaddress === modified file 'Mailman/Handlers/SpamDetect.py' --- Mailman/Handlers/SpamDetect.py 2018-12-01 04:13:12 +0000 +++ Mailman/Handlers/SpamDetect.py 2019-01-29 14:24:26 +0000 @@ -110,6 +110,7 @@ dn, addr = parseaddr(msg.get('from')) if addr and mlist.dmarc_moderation_action > 0: if (mlist.GetPattern(addr, mlist.dmarc_moderation_addresses) or + mlist.getPattern(addr, mm_cfg.GLOBAL_DMARC_LIST) or Utils.IsDMARCProhibited(mlist, addr)): # Note that for dmarc_moderation_action, 0 = Accept, # 1 = Munge, 2 = Wrap, 3 = Reject, 4 = Discard -- IBM i on Power Systems: For when you can't afford to be out of business! I'm riding 615 miles (Yes, you read that right) in the American Diabetes Association's Tour de Cure to raise money for diabetes research, education, advocacy, and awareness. You can make a tax-deductible donation to my ride by visiting https://gmane.diabetessucks.net. You can see where my donations come from by visiting my interactive donation map ... https://gmane.diabetessucks.net/map (it's a geeky thing). I may have diabetes, but diabetes doesn't have me!
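Review bot: in the Mailman/Defaults.py.in hunk, the new comment above GLOBAL_DMARC_LIST defers to the GLOBAL_BAN_LIST examples and does not say when the list is consulted. Since the purpose is whole domains, give it an example of its own in the style of '^yyy.*@gmail\.com$' two lines up (anchored with ^, dot escaped, trailing $), and add a sentence that the entries only take effect on lists where dmarc_moderation_action is greater than 0, as the SpamDetect.py condition requires, so nobody assumes the setting is enforced on every list.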
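Review bot: in the Mailman/Handlers/SpamDetect.py hunk, the added line calls mlist.getPattern while the line directly above it calls mlist.GetPattern. Python attribute names are case sensitive, so the new call would fail with AttributeError for any From: address that the per-list check does not match first; change it to mlist.GetPattern(addr, mm_cfg.GLOBAL_DMARC_LIST). The hunk does not show the module's imports, so also confirm that mm_cfg is imported in SpamDetect.py.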
On 1/29/19 6:55 AM, David Gibbs via Mailman-Users wrote:
I'm by no means a Python expert (far from it), but I hacked this together...
=== modified file 'Mailman/Defaults.py.in' --- Mailman/Defaults.py.in 2018-07-12 03:14:02 +0000 +++ Mailman/Defaults.py.in 2019-01-29 14:27:59 +0000 @@ -145,6 +145,11 @@ # GLOBAL_BAN_LIST = ['xxx@aol\.com', '^yyy.*@gmail\.com$'] GLOBAL_BAN_LIST = []
+# Installation wide DMARC list. This is a list of email addresses and +# regexp patterns (beginning with ^) that will be treated as if they +# have a restrictive DMARC policy. Same examples as GLOBAL_BAN_LIST +GLOBAL_DMARC_LIST = [] + # If the following is set to Yes, and a web subscribe comes from an IPv4 # address and the IP is listed in Spamhaus SBL, CSS or XBL, the subscription # will be blocked. It will work with IPv6 addresses if Python's py2-ipaddress
The above is good, but you will have to run 'configure' with appropriate options to propagate that to Defaults.py and then add your actual list by setting GLOBAL_DMARC_LIST in mm_cfg.py.
=== modified file 'Mailman/Handlers/SpamDetect.py' --- Mailman/Handlers/SpamDetect.py 2018-12-01 04:13:12 +0000 +++ Mailman/Handlers/SpamDetect.py 2019-01-29 14:24:26 +0000 @@ -110,6 +110,7 @@ dn, addr = parseaddr(msg.get('from')) if addr and mlist.dmarc_moderation_action > 0: if (mlist.GetPattern(addr, mlist.dmarc_moderation_addresses) or + mlist.getPattern(addr, mm_cfg.GLOBAL_DMARC_LIST) or
GetPattern, not getPattern. Otherwise good.
Utils.IsDMARCProhibited(mlist, addr)): # Note that for dmarc_moderation_action, 0 = Accept, # 1 = Munge, 2 = Wrap, 3 = Reject, 4 = Discard
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
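How entries in a list such as GLOBAL_DMARC_LIST behave, as an added example that is not Mailman's code or part of any post above: a standalone model of the matching the patch comment describes (addresses, or regexps beginning with ^) and of the order of checks in the patched condition. match_entry, dmarc_action and the sample entries are hypothetical, and case-insensitive matching is an assumption of the model.

```python
import re

# dmarc_moderation_action values, as listed in the SpamDetect.py comment.
ACTIONS = {0: 'Accept', 1: 'Munge', 2: 'Wrap', 3: 'Reject', 4: 'Discard'}


def match_entry(addr, entries):
    """Return the first entry matching addr, else None (hypothetical helper).

    Entries starting with '^' are regexps; anything else is compared as a
    whole address. Case-insensitive matching is an assumption of this model.
    """
    for entry in entries:
        if entry.startswith('^'):
            try:
                if re.search(entry, addr, re.IGNORECASE):
                    return entry
            except re.error:
                continue  # a malformed regexp must not stop mail processing
        elif entry.lower() == addr.lower():
            return entry
    return None


def dmarc_action(addr, list_action, list_entries, global_entries,
                 dns_says_prohibited=False):
    """Model the patched condition: per-list, then site-wide, then DNS."""
    if not addr or list_action <= 0:
        return None  # action 0 (Accept): the site-wide list is never consulted
    if (match_entry(addr, list_entries)
            or match_entry(addr, global_entries)
            or dns_says_prohibited):
        return ACTIONS[list_action]
    return None


# Constructed sample entries and addresses.
STRICT = [r'^.*@example\.com$']             # exactly example.com
WITH_SUBDOMAINS = [r'^.*@(.*\.)?example\.com$']
LOOSE = [r'^.*@example.com']                # unescaped dot, no trailing $
BARE = ['example.com']                      # no '^': treated as an address

if __name__ == '__main__':
    for addr in ('User@Example.COM', 'user@sub.example.com',
                 'user@examplexcom.test'):
        print(addr, [bool(match_entry(addr, e))
                     for e in (STRICT, WITH_SUBDOMAINS, LOOSE, BARE)])
```

A bare domain never matches because it is compared against the full address, and the loose regexp also matches unrelated domains, so domain entries need the `^` prefix, an escaped dot and a trailing `$`.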
participants (4)
- Christian F Buser
- David Gibbs
- Mark Sapiro
- Stephen J. Turnbull