[Bug 1787054] [NEW] Attempts to get organizational domain data fail

Mark Sapiro mark at msapiro.net
Tue Aug 14 19:08:07 EDT 2018

Public bug reported:

As part of DMARC mitigation processing, Mailman looks up the DMARC
policy for the From: domain. If it doesn't find a DMARC policy it
attempts to look up the policy for the "organizational domain"
corresponding to the From: domain if the organizational domain is
different. To determine the organizational domain it uses information
from the list at https://publicsuffix.org/list/public_suffix_list.dat.

Recent changes at publicsuffix.org are causing Mailman's attempt to
retrieve the list to fail with

urllib2.URLError: <urlopen error [Errno 1] _ssl.c:510:
error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake

This failure has been observed with Python 2.7.6 but not with Python
2.7.12. There are changes 2.7.9 which affect the underlying ssl module,
and I think retrieval of this URL via urllib2, urllib or the Python
requests module will all fail with Python < 2.7.9.

The effect of this issue other than writing an error log entry for every
failed retrieval is that in some cases, the organizational domain will
not be properly found. If the TLD is .com, .net, .gov, .edu, etc. There
will be no issue, but if for example the From: domain is
some.sub.domain.school.k12.ca.us and that domain doesn't publish a DMARC
policy, we should look up the policy for the school.k12.ca.us
organizational domain, but instead we will look up ca.us.

This will probably be more of an issue with non-US lists than with US
lists, and it is not known how significant the issue is.

At present, the only known workaround is to upgrade the underlying

** Affects: mailman
     Importance: Undecided
         Status: New

You received this bug notification because you are a member of Mailman
Coders, which is subscribed to GNU Mailman.

  Attempts to get organizational domain data fail

To manage notifications about this bug go to:

More information about the Mailman-coders mailing list