DNSException: No Nameservers available for ...
Hello
One member of a mailman mailing list on my system receives an error message when posting to the list:
You are not allowed to post to this mailing list From: a domain which publishes a DMARC policy of reject or quarantine, and your message has been automatically rejected. If you think that your messages are being rejected in error, contact the mailing list owner at nssf-styre-owner@nssf.us.
In /var/log/mailman/error, I have:
DNSException: No Nameservers available for username@blindeforbundet.no (_dmarc.blindeforbundet.no)
There are not published any DMARC policy for the domain.
I'm running mailman-2.1.30-1.fc31.x86_64 on a Fedora 31 server.
I hope someone on tis list can help me figure out what's going on, and hopefully a fix.
Thanks in advance Lars
Try setting up a caching name server on the local machine.
On Wed, May 27, 2020 at 12:02 PM Lars Bjørndal <lars@lamasti.net> wrote:
Hello
One member of a mailman mailing list on my system receives an error message when posting to the list:
You are not allowed to post to this mailing list From: a domain which publishes a DMARC policy of reject or quarantine, and your message has been automatically rejected. If you think that your messages are being rejected in error, contact the mailing list owner at nssf-styre-owner@nssf.us.
In /var/log/mailman/error, I have:
DNSException: No Nameservers available for username@blindeforbundet.no (_dmarc.blindeforbundet.no)
There are not published any DMARC policy for the domain.
I'm running mailman-2.1.30-1.fc31.x86_64 on a Fedora 31 server.
I hope someone on tis list can help me figure out what's going on, and hopefully a fix.
Thanks in advance Lars
Mailman-Users mailing list -- mailman-users@python.org To unsubscribe send an email to mailman-users-leave@python.org https://mail.python.org/mailman3/lists/mailman-users.python.org/ Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/ https://mail.python.org/archives/list/mailman-users@python.org/
-- IBM i on Power Systems: For when you can't afford to be out of business!
I'm riding in the American Diabetes Association's Tour de Cure to raise money for diabetes research, education, advocacy, and awareness. You can make a tax-deductible donation to my ride by visiting https://mideml.diabetessucks.net.
You can see where my donations come from by visiting my interactive donation map ... https://mideml.diabetessucks.net/map (it's a geeky thing).
I may have diabetes, but diabetes doesn't have me!
On 5/27/20 1:32 AM, Lars Bjørndal wrote:
Hello
One member of a mailman mailing list on my system receives an error message when posting to the list:
You are not allowed to post to this mailing list From: a domain which publishes a DMARC policy of reject or quarantine, and your message has been automatically rejected. If you think that your messages are being rejected in error, contact the mailing list owner at nssf-styre-owner@nssf.us.
The list is configured with dmarc_moderation_action = Reject. I suspect you know that.
In /var/log/mailman/error, I have:
DNSException: No Nameservers available for username@blindeforbundet.no (_dmarc.blindeforbundet.no)
There are not published any DMARC policy for the domain.
The attempt to retrieve the policy at _dmarc.blindeforbundet.no via Python's dns.resolver.Resolver().query raised dns.resolver.NoNameservers. We say this in comments:
# Typically this means a dnssec validation error. Clients that don't # perform validation *may* successfully see a _dmarc RR whereas a # validating mailman server won't see the _dmarc RR. We should # mitigate this email to be safe.
I.e, in the face of uncertainty, we choose to err on the side of applying unneeded mitigation rather than not applying a needed mitigation.
I'm running mailman-2.1.30-1.fc31.x86_64 on a Fedora 31 server.
I hope someone on tis list can help me figure out what's going on, and hopefully a fix.
The first question is why is this query raising dns.resolver.NoNameservers. I've tried this from a couple of different servers
import dns.resolver from dns.exception import DNSException resolver = dns.resolver.Resolver() txt_recs = resolver.query('_dmarc.blindeforbundet.no', dns.rdatatype.TXT)
and in both cases, I get
raise NXDOMAIN(qnames=qnames_to_try, responses=nxdomain_responses) dns.resolver.NXDOMAIN: None of DNS query names exist: _dmarc.blindeforbundet.no., ...
I.e. the expected response when there is no record for _dmarc.blindeforbundet.no
If this is a persistent error, there may be an issue with the way your server does DNS lookups.
You could avoid this in a couple of ways.
- Change the list's dmarc_moderation_action to Wrap Message. or
- Patch Mailman to not mitigate on this exception.
To do the latter, find the except (dns.resolver.NoNameservers): clause
at line 1322 in Mailman/Utils.py and change the return at the end of
that clause from return True to return False.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
On Wed, May 27, 2020 at 10:46:04AM -0700, Mark Sapiro wrote:
On 5/27/20 1:32 AM, Lars Bjørndal wrote:
Hello
One member of a mailman mailing list on my system receives an error message when posting to the list:
You are not allowed to post to this mailing list From: a domain which publishes a DMARC policy of reject or quarantine, and your message has been automatically rejected. If you think that your messages are being rejected in error, contact the mailing list owner at nssf-styre-owner@nssf.us.
The list is configured with dmarc_moderation_action = Reject. I suspect you know that.
Yes, and thank you very much for your explanation!
Is there any difference in the code involved, from v.29 to v.30 of Mailman 2.1? I ask because the member in quesiton has written to the list previously without problems.
Thanks in advance Lars
On 5/28/20 12:58 PM, Lars Bjørndal wrote:
Is there any difference in the code involved, from v.29 to v.30 of Mailman 2.1? I ask because the member in quesiton has written to the list previously without problems.
No. There were no changes to the DMARC lookup code code between 2.1.25 and 2.1.33
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
I tried:
On Wed, May 27, 2020 at 10:46:04AM -0700, Mark Sapiro wrote: [...]
The first question is why is this query raising dns.resolver.NoNameservers. I've tried this from a couple of different servers
import dns.resolver from dns.exception import DNSException resolver = dns.resolver.Resolver() txt_recs = resolver.query('_dmarc.blindeforbundet.no', dns.rdatatype.TXT)
and in both cases, I get
raise NXDOMAIN(qnames=qnames_to_try, responses=nxdomain_responses) dns.resolver.NXDOMAIN: None of DNS query names exist: _dmarc.blindeforbundet.no., ...
I.e. the expected response when there is no record for _dmarc.blindeforbundet.no
If this is a persistent error, there may be an issue with the way your server does DNS lookups.
I tried the code on my system as well, and get:
Traceback (most recent call last): File "<stdin>", line 1, in <module> File "/usr/lib/python3.7/site-packages/dns/resolver.py", line 1002, in query raise NXDOMAIN(qnames=qnames_to_try, responses=nxdomain_responses) dns.resolver.NXDOMAIN: None of DNS query names exist: _dmarc.blindeforbundet.no. , _dmarc.blindeforbundet.no.lamasti.net.
Thanks
Lars
On 5/29/20 9:54 AM, Lars Bjørndal wrote:
I tried the code on my system as well, and get:
Traceback (most recent call last): File "<stdin>", line 1, in <module> File "/usr/lib/python3.7/site-packages/dns/resolver.py", line 1002, in query raise NXDOMAIN(qnames=qnames_to_try, responses=nxdomain_responses) dns.resolver.NXDOMAIN: None of DNS query names exist: _dmarc.blindeforbundet.no. , _dmarc.blindeforbundet.no.lamasti.net.
So this is not consistent with what was logged. You reported Mailman's error log has
DNSException: No Nameservers available for username@blindeforbundet.no (_dmarc.blindeforbundet.no)
That message is only logged if the resolver.query() raises dns.resolver.NoNameservers.
dns.resolver.NXDOMAIN is the expected result when there are no records at _dmarc.blindeforbundet.no and results on no mitigation.
If this is a persistent error from Mailman, and Mailman is running on the same server you ran the above on, I can't explain it, but possibly is was just a transient situation and the mail from this user will now be accepted.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
participants (3)
-
David Gibbs -
Lars Bjørndal -
Mark Sapiro