GNU Mailman

DMARC policy lookup violates RFC 7849.

Bug #1931029 reported by Mark Sapiro on 2021-06-06

6

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	GNU Mailman	Fix Released	Low	Unassigned	GNU Mailman 2.1.35

Bug Description

If DNS lookup of TXT records for a domain finds more than one v=DMARC1; record, it checks them all for policy = reject or quarantine.
RFC 7849, Sec 6.6.3 item 5 says
   5. If the remaining set contains multiple records or no records,
       policy discovery terminates and DMARC processing is not applied
       to this message.
Thus, if we find multiple records we should assume no DMARC policy for this domain.

Related branches

Revision history for this message

Jim Popovitch (jimpop) wrote on 2021-06-06:

#1

Here's the 5 items: https://datatracker.ietf.org/doc/html/rfc7489#section-6.6.3

If item 2 matches multiple v=DMARC1 records, and therefore item 3 is ignored, does item 5 even apply?

Mark Sapiro (msapiro) on 2021-06-06

Changed in mailman:
status:	Triaged → Fix Committed

Revision history for this message

Mark Sapiro (msapiro) wrote on 2021-06-06:

#2

We are concerned about a domain which has multiple v=DMARC1 TXT records. This is exactly the case that item 5 addresses. I.e. a domain which publishes multiple _dmarc TXT records with v=DMARC1 is treated as publishing no policy.

Revision history for this message

Jim Popovitch (jimpop) wrote on 2021-06-06:

#3

I guess RFC 7849 is just not clear to me that item #5 applies if item 3 contains more than 1 v=DMARC1 record. I say this because item 2 and 4 are identical, and to me that signifies that the items are a logical path, not a list of mandatory principals.

That said, to err on the side of common sense, makes good sense, otherwise we'd have to choose which v=DMARC1 record to honor.

Revision history for this message

Mark Sapiro (msapiro) wrote on 2021-06-06:

#4

The items are steps in a process, not an unordered list of rules.

Step 3 says if There are no DMARC records for the domain, check the organizational domain if different. Thus, step 4 is saying discard any non-v=DMARC1 records from the organizational domain.

If the From: domain has any v=DMARC1 records, we skip step 3 and step 4 is moot because of step 2 and we get to step 5.

If the From: domain has no v=DMARC1 records, we check the organizational domain if different per step 3 and then we get to steps 4 and 5

Revision history for this message

Jim Popovitch (jimpop) wrote on 2021-06-06:

#5

RFCs should really include logic trees. Thanks Mark.

Mark Sapiro (msapiro) on 2021-10-20

Changed in mailman:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.