
Sending aggregate reports fails because the SMTP server doesn't allow unauthenticated users to send emails #269

Open
lucas-oliver-trondsen opened this issue Nov 3, 2024 · 0 comments


The /usr/sbin/opendmarc-reports Perl script tries to send the aggregate reports by connecting to the SMTP server in the following way:

use Net::SMTP;                    # client-side SMTP session
use Net::Domain qw(hostfqdn);     # FQDN announced in the HELO/EHLO greeting

# Plain, unauthenticated session: only the server name and port are used.
$smtp = Net::SMTP->new($smtp_server,
                       'Port' => $smtp_port,
                       'Hello' => hostfqdn());
if (!defined($smtp))
{
        print STDERR "$progname: open SMTP server $smtp_server:$smtp_port failed\n";
        exit(1);
}

It only mentions the FQDN and the port number of the SMTP server. It doesn't use a username and a password to connect to the SMTP server. The problem is that no well-configured SMTP server will accept connections without authentication. So, when invoking the /usr/sbin/opendmarc-reports script to send the aggregate reports, the sending of the reports will always fail.

This issue was also pointed out in other places such as here, here or here.

I solved this problem by using the /usr/sbin/sendmail utility instead of the Net::SMTP Perl module to send the emails, by modifying the /usr/sbin/opendmarc-reports script like this:

#              if (!$smtp->mail($repemail) ||
#                  !$smtp->to($repdest) ||
#                  !$smtp->data() ||
#                  !$smtp->datasend($mailout) ||
#                  !$smtp->dataend())
#              {
#                            $smtpfail = 1;
#                            $smtpstatus = "failed to send";
#              }

               # Hand the report to the local MTA instead of speaking SMTP.
               # List-form open() runs sendmail directly (no shell), so the
               # envelope sender in $repemail is passed as a single argument;
               # -t takes the recipients from the message headers.
               # close() returns false if sendmail exited with a non-zero status.
               if (!open(MAIL, '|-', '/usr/sbin/sendmail', '-t', '-f', $repemail)
                   || !(print MAIL $mailout)
                   || !close(MAIL))
               {
                             $smtpfail = 1;
                             $smtpstatus = "failed to send";
               }

Since the script that invokes the /usr/sbin/opendmarc-reports script, modified as shown above, will be run by root, which is listed in authorized_submit_users in /etc/postfix/main.cf, the emails will be sent in this case without requiring authentication. I find this method secure enough and better than adding 2 new parameters to the /usr/sbin/opendmarc-reports script: the SMTP username and the SMTP password. The values of these 2 sensitive parameters would then have to be included in the script that is run periodically, to pass them to /usr/sbin/opendmarc-reports when invoking it.

Please consider changing the /usr/sbin/opendmarc-reports script so that it can send the emails with the /usr/sbin/sendmail utility instead of the Net::SMTP module, at least as one of multiple available options.

I'm using Debian 12 and Postfix 3.7.11.

Also, I couldn't find in this repository the template for the /etc/opendmarc/report_script script, which has to be run periodically using a cron job to send the aggregate reports, as mentioned in guides such as this or this. I think it should be included somewhere in this repository; otherwise it gives the impression that configuring OpenDMARC to send aggregate reports is some esoteric process.
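The following is an added example, not code from the opendmarc-reports script or from the issue author, showing the two submission paths discussed above in Perl: handing the finished report to the local sendmail binary without going through a shell, and, as the alternative the author wanted to avoid, authenticated submission where the credentials come from a root-only file rather than from command-line arguments. The credential file path, the `-i` flag, the address check and the STARTTLS step are assumptions of this example; `$repemail`, `$repdest` and `$mailout` have the same meaning as in the script.

```perl
#!/usr/bin/perl
# Added example (not part of opendmarc-reports): two ways to submit a
# finished aggregate report ($mailout) to the MTA. Paths and the credential
# file format are assumptions.
use strict;
use warnings;
use Net::SMTP;
use Net::Domain qw(hostfqdn);

my $SENDMAIL = '/usr/sbin/sendmail';   # Postfix ships a sendmail-compatible binary

# The envelope sender must be a bare address. Reject anything else before it
# reaches the MTA, so a malformed reporting address cannot turn into an
# option (or, with a shell-based open(), into a command).
sub valid_envelope_address {
    my ($addr) = @_;
    return defined $addr && $addr =~ /\A[A-Za-z0-9._%+-]+\@[A-Za-z0-9.-]+\z/;
}

# Pipe the message into sendmail. List-form open() execs the binary directly
# (no /bin/sh); -t reads the recipients from the message headers; -i keeps a
# lone "." line from ending the input early. close() is false when sendmail
# exits non-zero, with the status left in $?. Returns 1 on success, 0 otherwise.
sub send_via_sendmail {
    my ($repemail, $mailout) = @_;
    return 0 unless valid_envelope_address($repemail);
    open(my $mail, '|-', $SENDMAIL, '-t', '-i', '-f', $repemail)
        or return 0;
    unless (print {$mail} $mailout) {
        close($mail);
        return 0;
    }
    return close($mail) ? 1 : 0;
}

# Read "user password" from a file readable only by root, so the secret is
# neither an argument visible in `ps` nor a literal inside the cron script.
sub read_smtp_credentials {
    my ($path) = @_;
    my @st = stat($path) or die "$path: $!\n";
    die "$path must not be readable by group or others (chmod 0600)\n"
        if ($st[2] & 0077);
    open(my $fh, '<', $path) or die "$path: $!\n";
    my $line = <$fh>;
    close($fh);
    die "$path is empty\n" unless defined $line;
    chomp $line;
    my ($user, $pass) = split(/\s+/, $line, 2);
    return ($user, $pass);
}

# Authenticated submission (e.g. port 587) with STARTTLS before AUTH, so the
# credentials are never sent in the clear. Net::SMTP 3.x provides starttls();
# auth() needs the Authen::SASL module. Returns 1 on success, 0 otherwise.
sub send_via_smtp_auth {
    my ($server, $port, $credfile, $repemail, $repdest, $mailout) = @_;
    my ($user, $pass) = read_smtp_credentials($credfile);
    my $smtp = Net::SMTP->new($server,
                              'Port'    => $port,
                              'Hello'   => hostfqdn(),
                              'Timeout' => 30)
        or return 0;
    $smtp->starttls()        or do { $smtp->quit; return 0 };
    $smtp->auth($user, $pass) or do { $smtp->quit; return 0 };
    my $ok = $smtp->mail($repemail) && $smtp->to($repdest)
          && $smtp->data() && $smtp->datasend($mailout) && $smtp->dataend();
    $smtp->quit;
    return $ok ? 1 : 0;
}

# Usage sketch with constructed values (the To: header is what -t reads):
my $report = "From: dmarc\@example.org\nTo: rua\@example.net\n"
           . "Subject: Report Domain: example.net\n\nconstructed report body\n";
if (send_via_sendmail('dmarc@example.org', $report)) {
    print "sent via local sendmail\n";
} else {
    print STDERR "local submission failed, status $?\n";
}
```

Which path is appropriate depends on the MTA configuration: the sendmail path only works because the invoking user is trusted by the local MTA (root in authorized_submit_users, as the issue describes), while the SMTP path is the one to use when the reports must leave through a remote submission server that requires authentication. In both cases the failure is detectable: `close()` exposes sendmail's exit status, and every Net::SMTP step returns false on a rejected command, so the cron job can log a non-zero result instead of silently dropping reports.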
