
Sending aggregate reports fails because the SMTP server doesn't allow unauthenticated users to send emails #269

@lucas-oliver-trondsen

Description


The /usr/sbin/opendmarc-reports Perl script tries to send the aggregate reports by connecting to the SMTP server in the following way:

$smtp = Net::SMTP->new($smtp_server,
                       'Port' => $smtp_port,
                       'Hello' => hostfqdn());
if (!defined($smtp))
{
        print STDERR "$progname: open SMTP server $smtp_server:$smtp_port failed\n";
        exit(1);
}

It only specifies the FQDN and the port number of the SMTP server. It doesn't use a username and a password to connect to the SMTP server. The problem is that no well-configured SMTP server will accept connections without authentication. So, when invoking the /usr/sbin/opendmarc-reports script to send the aggregate reports, sending the reports will always fail.

This issue was also pointed out in other places such as here, here or here.

I solved this problem by using the /usr/sbin/sendmail utility instead of the Net::SMTP Perl module to send the emails, by modifying the /usr/sbin/opendmarc-reports script like this:

#              if (!$smtp->mail($repemail) ||
#                  !$smtp->to($repdest) ||
#                  !$smtp->data() ||
#                  !$smtp->datasend($mailout) ||
#                  !$smtp->dataend())
#              {
#                            $smtpfail = 1;
#                            $smtpstatus = "failed to send";
#              }

               # Pipe the finished message to the local sendmail binary instead of
               # speaking SMTP: -t takes the recipients from the message headers,
               # -f sets the envelope sender. The list form of open() passes
               # $repemail straight to execve(), so it is never parsed by a shell,
               # and close() fails if sendmail exits non-zero or cannot be run.
               if (!open(my $mail, '|-', '/usr/sbin/sendmail', '-t', '-f', $repemail)
                   || !(print {$mail} $mailout)
                   || !close($mail))
               {
                             $smtpfail = 1;
                             $smtpstatus = "failed to send";
               }

Since the script that will invoke the /usr/sbin/opendmarc-reports script modified as shown above will be run by root, which is listed in authorized_submit_users in /etc/postfix/main.cf, the emails will be sent in this case without requiring authentication. I find this method secure enough and better than adding 2 new parameters to the /usr/sbin/opendmarc-reports script: the SMTP username and the SMTP password. The values of these 2 sensitive parameters would then have to be included in the script that is run periodically, to pass them to /usr/sbin/opendmarc-reports when invoking it.

Please consider changing the /usr/sbin/opendmarc-reports script so that it can send the emails with the /usr/sbin/sendmail utility instead of the Net::SMTP module, at least as one of multiple available options.

I'm using Debian 12 and Postfix 3.7.11.

Also, I couldn't find in this repository the template for the /etc/opendmarc/report_script script, which has to be run periodically using a cron job to send the aggregate reports, as mentioned in guides such as this or this. I think it should be included somewhere in this repository, otherwise it gives the impression that configuring OpenDMARC to send aggregate reports is some esoteric process.
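The sendmail-pipe approach proposed in this issue, written out as a stand-alone helper (an added example, not code from the issue or from OpenDMARC). It keeps the envelope sender out of any shell, rejects sender strings that are not a plain mailbox, and distinguishes "sendmail could not be started" from "sendmail ran but refused the message". The subroutine name send_via_sendmail, the sample message and the example addresses are assumptions; the /usr/sbin/sendmail path is the one the issue uses.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not part of opendmarc-reports): hand a fully formed
# message to the local sendmail binary and say exactly which step failed.
# Returns ($failed, $status_text), mirroring the script's $smtpfail/$smtpstatus.
sub send_via_sendmail {
    my ($envelope_from, $message, $sendmail) = @_;
    $sendmail //= '/usr/sbin/sendmail';

    # Accept only a plain mailbox as the envelope sender, so spaces, quotes
    # or extra option-like text never reach sendmail's argument list.
    return (1, "refusing unsafe envelope sender")
        unless $envelope_from =~ /\A[A-Za-z0-9._%+-]+\@[A-Za-z0-9.-]+\z/;

    # If sendmail dies early, surface it as a failed print() rather than
    # letting SIGPIPE kill this process silently.
    local $SIG{PIPE} = 'IGNORE';

    # List-form open: every argument goes to execve() as-is, nothing is
    # interpreted by /bin/sh. -t reads recipients from To:/Cc:/Bcc:,
    # -f sets the envelope sender (MAIL FROM).
    open(my $pipe, '|-', $sendmail, '-t', '-f', $envelope_from)
        or return (1, "cannot run $sendmail: $!");

    print {$pipe} $message
        or return (1, "write to $sendmail failed: $!");

    # close() waits for the child; on a non-zero exit it returns false with
    # $! set to 0 and the wait status in $?.
    unless (close($pipe)) {
        return (1, $! ? "close failed: $!"
                      : "sendmail exited with status " . ($? >> 8));
    }
    return (0, "sent");
}

# Constructed sample message; the real script builds $mailout itself.
my $msg = join("\r\n",
    'From: dmarc-reports@example.org',
    'To: dmarc-rua@example.com',
    'Subject: Report Domain: example.com',
    '',
    'Aggregate report body would go here.',
    '');

my ($fail, $status) = send_via_sendmail('dmarc-reports@example.org', $msg);
print "$status\n";
exit($fail);
```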
