Re: [Mailman-Users] DNS error behaviour with DMARC

2014-08-27 Thread Barry S. Finkel

On 8/27/2014 10:54 AM, Jeff White wrote:

> With dmarc_moderation_notice set to anything but "Accept" Mailman will
> do a DNS query for every message that comes in and check the DMARC
> record of the sending domain.  I have two questions regarding this:
>
> 1. Has anyone on this list noticed any performance issues with the
> overhead this adds?  I doubt there is anything noticeable but curious if
> anyone has seen any issue.
>
> 2. What is Mailman's behaviour if the query fails (e.g. times out)?
> Defaults.py says:
>
> # Parameters for DMARC DNS lookups. If you are seeing 'DNSException:
> # Unable to query DMARC policy ...' entries in your error log, you may need
> # to adjust these.
> # The time to wait for a response from a name server before timeout.
> DMARC_RESOLVER_TIMEOUT = seconds(3)
> # The total time to spend trying to get an answer to the question.
> DMARC_RESOLVER_LIFETIME = seconds(5)
>
> ... but what happens to the post when DNSException is thrown?  Is the
> message rejected and a bounce sent to the poster?  Is it re-queued and
> tried again?  If so when does Mailman give up?  Does Mailman simply
> shunt the post and throw an error?
>
> If someone can point me to the file that holds this code I can review it
> and report what the behaviour is.



As for item 1 - What is your DNS setup?  If the Mailman server has a
caching-only name server on the same box (and it is good to do so),
or if the Mailman server is contacting a local DNS server for DNS
resolution, then the local DNS server should have the information
cached (for a TTL determined by the owner of the DNS record), so DNS
traffic should be minimal.  I assume that the owner of a DMARC record
in DNS will place an appropriate TTL on the record so that the record
will remain in a DNS cache for a time that will limit the number of
DNS requests back to the master DNS server.  A domain owner should
have multiple DNS servers so that one is always accessible for queries.

--Barry Finkel
--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
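
The two points raised in this thread, TTL-based caching of the DMARC record and an explicit decision about the post when the lookup times out, sketched as an added example (not Mailman's code and not written by either poster). The `lookup` callable, the `hold`/`accept`/`moderate` dispositions and the sample zone are assumptions constructed for illustration, and only `_dmarc.<domain>` itself is queried.

```python
import time

class LookupTimeout(Exception):
    """Raised by the injected lookup when no name server answers in time."""

def parse_policy(txt):
    """Return the p= tag of a DMARC TXT record, or None if it is not one."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags.get("p") if tags.get("v") == "dmarc1" else None

class DmarcChecker:
    def __init__(self, lookup, on_error="hold", clock=time.monotonic):
        self.lookup = lookup      # hypothetical: name -> (TXT strings, TTL seconds)
        self.on_error = on_error  # disposition when DNS fails: "hold" or "accept"
        self.clock = clock
        self.cache = {}           # domain -> (policy, expiry time)

    def policy(self, domain):
        hit = self.cache.get(domain)
        if hit and hit[1] > self.clock():
            return hit[0]         # answered from cache, no DNS traffic
        txts, ttl = self.lookup("_dmarc." + domain)
        policy = next((p for p in map(parse_policy, txts) if p), "none")
        self.cache[domain] = (policy, self.clock() + ttl)
        return policy

    def disposition(self, from_domain):
        try:
            policy = self.policy(from_domain)
        except LookupTimeout:
            return self.on_error  # failure is not cached, so the next post retries
        return "moderate" if policy in ("reject", "quarantine") else "accept"

# Constructed sample data: name -> (TXT strings, TTL)
ZONE = {
    "_dmarc.strict.example": (["v=DMARC1; p=reject; rua=mailto:d@strict.example"], 3600),
    "_dmarc.relaxed.example": (["v=DMARC1; p=none"], 300),
}

def make_lookup(zone, calls):
    def lookup(name):
        calls.append(name)
        if name.endswith("down.example"):
            raise LookupTimeout(name)      # simulates an unreachable name server
        return zone.get(name, ([], 60))    # no record: empty answer, short TTL
    return lookup
```

With `on_error="hold"` a resolver outage delays posts rather than letting mail from a `p=reject` domain through unmodified; `on_error="accept"` makes the opposite trade.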


[Mailman-Users] DNS error behaviour with DMARC

2014-08-27 Thread Jeff White
With dmarc_moderation_notice set to anything but "Accept" Mailman will 
do a DNS query for every message that comes in and check the DMARC 
record of the sending domain.  I have two questions regarding this:


1. Has anyone on this list noticed any performance issues with the 
overhead this adds?  I doubt there is anything noticeable but curious if 
anyone has seen any issue.


2. What is Mailman's behaviour if the query fails (e.g. times out)? 
Defaults.py says:


# Parameters for DMARC DNS lookups. If you are seeing 'DNSException:
# Unable to query DMARC policy ...' entries in your error log, you may need
# to adjust these.
# The time to wait for a response from a name server before timeout.
DMARC_RESOLVER_TIMEOUT = seconds(3)
# The total time to spend trying to get an answer to the question.
DMARC_RESOLVER_LIFETIME = seconds(5)

... but what happens to the post when DNSException is thrown?  Is the 
message rejected and a bounce sent to the poster?  Is it re-queued and 
tried again?  If so when does Mailman give up?  Does Mailman simply 
shunt the post and throw an error?



If someone can point me to the file that holds this code I can review it 
and report what the behaviour is.


--
Jeff White - GNU+Linux Systems Administrator
University of Pittsburgh - CSSD