On Tue, Oct 29, 2024 at 02:25:34PM +0100, Kirill A. Korinsky wrote:
> > According to RFC 6409, Section 3.1:
> > 
> > > Although most email clients and servers can be configured to use port
> > > 587 instead of 25, there are cases where this is not possible or
> > > convenient.  A site MAY choose to use port 25 for message submission
> > > by designating some hosts to be MSAs and others to be MTAs.
> > 
> > My patch allows the server admin to operate it in this manner, using the
> > authentication status as an identifier.
> > 
> 
> Which is an interesting use case indeed.
> 
> I think the right move instead of patching each filter is to add a condition
> to proc-exec filters when it should or shouldn't be executed.

In theory, this is supposed to be allowed in the current syntax of filter
chains. One can match for "noauth" to terminate the chain early, so the
next filter won't be executed. For example:

   filter ignore_noauth phase data match !auth bypass
   filter do_dkimsign proc-exec "filter-dkimsign ..."
   filter dkimsign_authonly chain { ignore_noauth, do_dkimsign }

Unfortunately it doesn't work, due to two major limitations (see
https://github.com/OpenSMTPD/OpenSMTPD/issues/1078):

1. Mixing different phases in a single filter chain is unimplemented; the
bypass action applies to a single phase only.
2. Mixing internal and external filters in a single chain is unimplemented;
do_dkimsign is always executed regardless of ignore_noauth.

gilles@ said a "super-bypass" option can be considered a wishlist feature,
but I don't think it's going to be implemented anytime soon. This is what
forced me to consider patching filter-dkimsign to solve the immediate
problem at hand, without doing surgery to OpenSMTPD.

Tom Li
