[Mailman-checkins] [Git][mailman/mailman][master] 2 commits: Extend DMARC case insensitivity to CNAMEs.

Thu, 28 May 2020 14:30:31 -0700 


Mark Sapiro pushed to branch master at GNU Mailman / Mailman Core


Commits:
4e54fc22 by Mark Sapiro at 2020-05-28T14:16:08-07:00
Extend DMARC case insensitivity to CNAMEs.

- - - - -
576407f2 by Mark Sapiro at 2020-05-28T21:28:53+00:00
Merge branch 'fix_726' into 'master'

Extend DMARC case insensitivity to CNAMEs.

See merge request mailman/mailman!655
- - - - -


2 changed files:

- src/mailman/rules/dmarc.py
- src/mailman/rules/tests/test_dmarc.py


Changes:

=====================================
src/mailman/rules/dmarc.py
=====================================
@@ -207,17 +207,17 @@ def is_reject_or_quarantine(mlist, email, dmarc_domain, 
org=False):
     # Check all the TXT records returned by DNS.  Keep track of the CNAMEs for
     # checking later on.  Ignore any other non-TXT records.
     for txt_rec in txt_recs.response.answer:
+        # Don't be fooled by an answer with uppercase in the name.
+        name = txt_rec.name.to_text().lower()
         if txt_rec.rdtype == dns.rdatatype.CNAME:
-            cnames[txt_rec.name.to_text()] = (
+            cnames[name] = (
                 txt_rec.items[0].target.to_text())
         if txt_rec.rdtype != dns.rdatatype.TXT:
             continue
         result = EMPTYSTRING.join(
             str(record, encoding='utf-8')
             for record in txt_rec.items[0].strings)
-        name = txt_rec.name.to_text()
-        # Don't be fooled by an answer with uppercase in the name.
-        results_by_name.setdefault(name.lower(), []).append(result)
+        results_by_name.setdefault(name, []).append(result)
     expands = list(want_names)
     seen = set(expands)
     while expands:


=====================================
src/mailman/rules/tests/test_dmarc.py
=====================================
@@ -51,7 +51,9 @@ def get_dns_resolver(
         cmult=False,
         cloop=False,
         cmiss=False,
-        ucase=False):
+        ucase=False,
+        cnmok=False,
+        cnuc=False):
     """Create a dns.resolver.Resolver mock.
 
     This is used to return a predictable response to a _dmarc query.  It
@@ -143,6 +145,32 @@ def get_dns_resolver(
                 self.answer = [Ans_e(), Ans_e(rdata=b'v=DMARC1; p=none;')]
             elif ucase:
                 self.answer = [Ans_e(name='_dmarc.EXAMPLE.biz.')]
+            elif cnmok:
+                self.answer = [
+                    Ans_e(
+                        rtype=CNAME,
+                        name='_dmarc.example.biz.',
+                        cname='_dmarc.example.net.'
+                        ),
+                    Ans_e(
+                        rtype=TXT,
+                        name='_dmarc.example.net.',
+                        rdata=b'v=DMARC1; p=reject;'
+                        ),
+                    ]
+            elif cnuc:
+                self.answer = [
+                    Ans_e(
+                        rtype=CNAME,
+                        name='_dmarc.EXAMPLE.biz.',
+                        cname='_dmarc.example.net.'
+                        ),
+                    Ans_e(
+                        rtype=TXT,
+                        name='_dmarc.example.net.',
+                        rdata=b'v=DMARC1; p=reject;'
+                        ),
+                    ]
             else:
                 self.answer = [Ans_e()]
 
@@ -209,6 +237,21 @@ class TestDMARCRules(TestCase):
             dmarc.get_organizational_domain('ssub.sub.city.kobe.jp'),
             'city.kobe.jp')
 
+    def test_straightforward_cname(self):
+        # Test that we can recognize an answer with case mismatch in the
+        # domain.
+        mlist = create_list('[email protected]')
+        # Use action reject.  The rule only hits on reject and discard.
+        mlist.dmarc_mitigate_action = DMARCMitigateAction.reject
+        msg = mfs("""\
+From: [email protected]
+To: [email protected]
+
+""")
+        rule = dmarc.DMARCMitigation()
+        with get_dns_resolver(cnmok=True):
+            self.assertTrue(rule.check(mlist, msg, {}))
+
     def test_uppercase_in_returned_domain(self):
         # Test that we can recognize an answer with case mismatch in the
         # domain.
@@ -224,6 +267,21 @@ To: [email protected]
         with get_dns_resolver(ucase=True):
             self.assertTrue(rule.check(mlist, msg, {}))
 
+    def test_uppercase_in_returned_cname(self):
+        # Test that we can recognize an answer with case mismatch in the
+        # domain.
+        mlist = create_list('[email protected]')
+        # Use action reject.  The rule only hits on reject and discard.
+        mlist.dmarc_mitigate_action = DMARCMitigateAction.reject
+        msg = mfs("""\
+From: [email protected]
+To: [email protected]
+
+""")
+        rule = dmarc.DMARCMitigation()
+        with get_dns_resolver(cnuc=True):
+            self.assertTrue(rule.check(mlist, msg, {}))
+
     def test_no_at_sign_in_from_address(self):
         # If there's no @ sign in the From: address, the rule can't hit.
         mlist = create_list('[email protected]')



View it on GitLab: 
https://gitlab.com/mailman/mailman/-/compare/9ecad5a6af122f4f17bd720ec8ca7e4fb26759c3...576407f2ba024b4b05466127aabd4b384a4fcb61

-- 
View it on GitLab: 
https://gitlab.com/mailman/mailman/-/compare/9ecad5a6af122f4f17bd720ec8ca7e4fb26759c3...576407f2ba024b4b05466127aabd4b384a4fcb61
You're receiving this email because of your account on gitlab.com.



_______________________________________________
Mailman-checkins mailing list -- [email protected]
To unsubscribe send an email to [email protected]
https://mail.python.org/mailman3/lists/mailman-checkins.python.org/
Member address: [email protected]

Reply via email to