Message getting shunted when enabling DMARC "replace with list address"
So we host a mailing list for domain X; the MX record points to us, and we are domain Y.
If we have DMARC set to "no dmarc mitigations", I can send a message from my email in domain Y and it goes to the list in domain X and is processed and sent out.
If I set the DMARC to "replace with list address", the same message gets shunted. I included the logs below.
Not sure why it is trying to contact publicsuffix.org?
************* /mailman/core/var/logs/mailman.log
Jan 02 20:41:50 2024 (29) No cached copy of the public suffix list found
Jan 02 20:41:55 2024 (29) Uncaught runner exception: HTTPSConnectionPool(host='publicsuffix.org', port=443): Max retries exceeded with url: /list/public_suffix_list.dat (Caused by ConnectTimeoutError(<urllib3.connection.HTTPSConnection object at 0x7f8b38d318a0>, 'Connection to publicsuffix.org timed out. (connect timeout=5)'))
Jan 02 20:41:55 2024 (29) Traceback (most recent call last):
  File "/usr/lib/python3.10/site-packages/urllib3/connection.py", line 174, in _new_conn
    conn = connection.create_connection(
  File "/usr/lib/python3.10/site-packages/urllib3/util/connection.py", line 95, in create_connection
    raise err
  File "/usr/lib/python3.10/site-packages/urllib3/util/connection.py", line 85, in create_connection
    sock.connect(sa)
TimeoutError: timed out

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.10/site-packages/urllib3/connectionpool.py", line 703, in urlopen
    httplib_response = self._make_request(
  File "/usr/lib/python3.10/site-packages/urllib3/connectionpool.py", line 386, in _make_request
    self._validate_conn(conn)
  File "/usr/lib/python3.10/site-packages/urllib3/connectionpool.py", line 1042, in _validate_conn
    conn.connect()
  File "/usr/lib/python3.10/site-packages/urllib3/connection.py", line 358, in connect
    self.sock = conn = self._new_conn()
  File "/usr/lib/python3.10/site-packages/urllib3/connection.py", line 179, in _new_conn
    raise ConnectTimeoutError(
urllib3.exceptions.ConnectTimeoutError: (<urllib3.connection.HTTPSConnection object at 0x7f8b38d318a0>, 'Connection to publicsuffix.org timed out. (connect timeout=5)')

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.10/site-packages/requests/adapters.py", line 489, in send
    resp = conn.urlopen(
  File "/usr/lib/python3.10/site-packages/urllib3/connectionpool.py", line 787, in urlopen
    retries = retries.increment(
  File "/usr/lib/python3.10/site-packages/urllib3/util/retry.py", line 592, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='publicsuffix.org', port=443): Max retries exceeded with url: /list/public_suffix_list.dat (Caused by ConnectTimeoutError(<urllib3.connection.HTTPSConnection object at 0x7f8b38d318a0>, 'Connection to publicsuffix.org timed out. (connect timeout=5)'))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.10/site-packages/mailman/core/runner.py", line 179, in _one_iteration
    self._process_one_file(msg, msgdata)
  File "/usr/lib/python3.10/site-packages/mailman/core/runner.py", line 272, in _process_one_file
    keepqueued = self._dispose(mlist, msg, msgdata)
  File "/usr/lib/python3.10/site-packages/mailman/runners/incoming.py", line 80, in _dispose
    process(mlist, msg, msgdata, start_chain)
  File "/usr/lib/python3.10/site-packages/mailman/core/chains.py", line 57, in process
    if link.rule.check(mlist, msg, msgdata):
  File "/usr/lib/python3.10/site-packages/mailman/rules/dmarc.py", line 316, in check
    if maybe_mitigate(mlist, address):
  File "/usr/lib/python3.10/site-packages/mailman/rules/dmarc.py", line 292, in maybe_mitigate
    org_dom = get_organizational_domain(from_domain)
  File "/usr/lib/python3.10/site-packages/mailman/rules/dmarc.py", line 142, in get_organizational_domain
    parse_suffix_list()
  File "/usr/lib/python3.10/site-packages/mailman/rules/dmarc.py", line 109, in parse_suffix_list
    filename = ensure_current_suffix_list()
  File "/usr/lib/python3.10/site-packages/mailman/rules/dmarc.py", line 77, in ensure_current_suffix_list
    content = get(config.dmarc.org_domain_data_url)
  File "/usr/lib/python3.10/site-packages/mailman/utilities/protocols.py", line 39, in get
    response = requests.get(url, timeout=REQUEST_TIMEOUT, **kws)
  File "/usr/lib/python3.10/site-packages/requests/api.py", line 73, in get
    return request("get", url, params=params, **kwargs)
  File "/usr/lib/python3.10/site-packages/requests/api.py", line 59, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python3.10/site-packages/requests/sessions.py", line 587, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python3.10/site-packages/requests/sessions.py", line 701, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python3.10/site-packages/requests/adapters.py", line 553, in send
    raise ConnectTimeout(e, request=request)
requests.exceptions.ConnectTimeout: HTTPSConnectionPool(host='publicsuffix.org', port=443): Max retries exceeded with url: /list/public_suffix_list.dat (Caused by ConnectTimeoutError(<urllib3.connection.HTTPSConnection object at 0x7f8b38d318a0>, 'Connection to publicsuffix.org timed out. (connect timeout=5)'))
Jan 02 20:41:55 2024 (29) SHUNTING: 1704228115.0417743+619bfacfe7e6d030991468aa2707d065418c56e5
bob B via Mailman-users writes:
> If I set the DMARC to "replace with list address", the same message gets shunted.
If you can't allow the public suffix list (PSL) to be refreshed occasionally, it's cached by mailman/rules/dmarc.py, so you can prime the cache yourself. The file is $var_dir + "public_suffix_list.dat". var_dir and the cache lifetime are set in mailman.cfg. See section [dmarc], variable "cache_lifetime". The value should be a positive integer, with optional suffix from "dhms" with interpretation days, hours, minutes, seconds. (I think you can combine them as in 1h30m, but for this purpose a 10-digit number with any suffix should do.)
If the section or value is missing, just insert it yourself so it looks like

[dmarc]
cache_lifetime: 1000000000s
> Not sure why it is trying to contact publicsuffix.org?
The PSL (according to the home page of publicsuffix.org) is
A "public suffix" is one under which Internet users can (or
historically could) directly register names. Some examples of
public suffixes are .com, .co.uk and pvt.k12.ma.us. The Public
Suffix List is a list of all known public suffixes.
DMARC processing is quite burdensome for the DNS system, because it iterates up the chain of superdomains for the from address, looking for _dmarc.$domain each time, only stopping at the toplevel domain. Since each mail domain decides its own DMARC policies, and the public suffixes are (almost by definition) not mail domains, the PSL is an extremely useful and accurate heuristic.
The savings can be large. For mydomain.pvt.k14.ma.us, with the public suffix list I check only mydomain.pvt.k14.ma.us, and if it fails I conclude there is no DMARC policy for mydomain. Without the PSL, DMARC requires looking at _dmarc.pvt.k14.ma.us, _dmarc.k14.ma.us, _dmarc.ma.us, and _dmarc.us, as well -- *all of which will fail because the suffixes are not mail domains*. The PSL saves 80% of the requests. That's an extreme example, but most countries do have similarly deep public suffixes, and most Internet domains hang off of names at least two deep like co.uk.
Steve
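As an added illustration of the two points in the reply above (the cache_lifetime format for the PSL cache, and why DMARC organizational-domain lookup needs the PSL), here is example code written for this page; it is not Mailman's dmarc.py and does not reproduce Mailman's config parser. It assumes a constructed PSL excerpt embedded inline (not the real public_suffix_list.dat), uses the pvt.k12.ma.us entry quoted from publicsuffix.org in place of the k14 name in the reply's example, and treats a bare integer cache_lifetime as seconds, which is an assumption of this example. With a PSL, it queries the From: domain and, only if different, its organizational domain (RFC 7489 section 6.6.3), which for a domain that is its own organizational domain is the single query the reply describes.

```python
import re

# Constructed excerpt in the format of the Public Suffix List
# (https://publicsuffix.org/list/public_suffix_list.dat). NOT the real file:
# just enough rules to exercise plain, wildcard ("*.") and exception ("!")
# entries. A real deployment reads the cached $var_dir/public_suffix_list.dat.
SAMPLE_PSL = """\
// ===BEGIN ICANN DOMAINS===
com
uk
co.uk
us
ma.us
k12.ma.us
pvt.k12.ma.us
*.ck
!www.ck
// ===END ICANN DOMAINS===
"""


def parse_suffix_list(text):
    """Return the set of PSL rules, dropping comments and blank lines."""
    rules = set()
    for line in text.splitlines():
        line = line.strip().lower()
        if line and not line.startswith("//"):
            rules.add(line)
    return rules


def public_suffix(domain, rules):
    """PSL matching: an exception rule wins outright, otherwise the longest
    matching rule; '*.x' matches exactly one extra label; with no match at
    all the suffix is the last label."""
    labels = domain.lower().rstrip(".").split(".")
    matches = []
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if "!" + candidate in rules:
            return ".".join(labels[i + 1:])  # exception: drop leftmost label
        if candidate in rules:
            matches.append(candidate)
        elif i + 1 < len(labels) and "*." + ".".join(labels[i + 1:]) in rules:
            matches.append(candidate)
    if not matches:
        return labels[-1]
    return max(matches, key=lambda m: m.count("."))


def organizational_domain(domain, rules):
    """Public suffix plus one label, or None when the domain is itself a
    public suffix (no organizational domain, hence no DMARC record)."""
    labels = domain.lower().rstrip(".").split(".")
    suffix_len = public_suffix(domain, rules).count(".") + 1
    if len(labels) <= suffix_len:
        return None
    return ".".join(labels[-(suffix_len + 1):])


def dmarc_lookups(domain, rules=None):
    """_dmarc names a receiver would query for a From: domain.
    rules=None: every superdomain up to the TLD (the no-PSL walk the reply
    describes). With rules: the From: domain and, only if different, its
    organizational domain (RFC 7489 section 6.6.3)."""
    domain = domain.lower().rstrip(".")
    if rules is None:
        labels = domain.split(".")
        return ["_dmarc." + ".".join(labels[i:]) for i in range(len(labels))]
    names = [domain]
    org = organizational_domain(domain, rules)
    if org and org != domain:
        names.append(org)
    return ["_dmarc." + name for name in names]


def percent_saved(domain, rules):
    """Whole-percent reduction in DNS queries the PSL buys for `domain`."""
    without = len(dmarc_lookups(domain))
    with_psl = len(dmarc_lookups(domain, rules))
    return (without - with_psl) * 100 // without


_UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}


def lifetime_seconds(value):
    """Seconds for a cache_lifetime value in the form the reply describes:
    positive integer, optional d/h/m/s suffix, combinable as in 1h30m.
    Bare integer taken as seconds is an assumption of this example."""
    value = value.strip()
    if value.isdigit():
        return int(value)
    if not re.fullmatch(r"(?:\d+[dhms])+", value):
        raise ValueError(f"bad cache_lifetime: {value!r}")
    return sum(int(n) * _UNIT_SECONDS[u]
               for n, u in re.findall(r"(\d+)([dhms])", value))


if __name__ == "__main__":
    rules = parse_suffix_list(SAMPLE_PSL)
    sender = "mydomain.pvt.k12.ma.us"
    print("without PSL:", dmarc_lookups(sender))
    print("with PSL:   ", dmarc_lookups(sender, rules))
    print("saved:", percent_saved(sender, rules), "%")
```

Running it shows five _dmarc queries without the PSL against one with it, the 80% figure from the reply; priming the cache file is what keeps that one lookup from ever needing publicsuffix.org at runtime.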
participants (2): bob B, Stephen J. Turnbull