Skip to content

Unify forensic and aggregate report delivery in opendmarc-reports#424

Merged
thegushi merged 1 commit into
trusteddomainproject:developfrom
thegushi:feat/unify-forensic-aggregate-delivery
Jun 20, 2026
Merged

Unify forensic and aggregate report delivery in opendmarc-reports#424
thegushi merged 1 commit into
trusteddomainproject:developfrom
thegushi:feat/unify-forensic-aggregate-delivery

Conversation

@thegushi

Copy link
Copy Markdown
Collaborator

Summary

  • ReportCommand can be pointed at opendmarc-reports --forensic instead of sendmail -t to get features that are hard to do in C (SMTP AUTH, SSL/TLS, VERP), but --forensic mode had drifted from the aggregate path: it skipped NoReportsList and the suppressions table, and never applied SMTP AUTH/SSL despite the manpage already claiming both modes shared those settings.
  • Added shared skip_reason() and smtp_connect() helpers so NoReportsList, StaleMARC, the suppressions table, and SMTP AUTH/SSL apply identically to both aggregate and --forensic delivery, instead of two paths that can silently drift apart.
  • Added --archive-dir to save a copy of every outbound report (the full message as handed to SMTP, not just the gzipped XML or AFRF attachment) for later RFC-compliance review. Applies to both modes; suppressed and --test-mode reports are not archived.
  • ReportCommand now distinguishes "all recipients suppressed" (exit 2, logged at LOG_INFO) from an actual delivery failure (exit 1, logged at LOG_ERR) -- previously both cases were indistinguishable in the logs.
  • Fixed opendmarc.conf.sample, which still described NoReportsList's two-way semantics from before fix: implement @-sigil semantics for NoReportsList #404; documented the ReportCommand handoff to opendmarc-reports --forensic in both the sample and the manpage.

Test plan

  • perl -c on reports/opendmarc-reports.in (with @Version@/@SQL_BACKEND@ substituted, since the .in template isn't valid Perl on its own)
  • mandoc -Tlint on opendmarc.conf.5.in and opendmarc-reports.8.in
  • Not compiled locally: libmilter isn't available on macOS, so opendmarc.c/opendmarc.h changes are reviewed by inspection only
  • Not exercised against a live SMTP server (AUTH/SSL/VERP/archive-dir code paths)

ReportCommand can be pointed at "opendmarc-reports --forensic" instead
of "sendmail -t" to get features a milter can't easily implement in C
(SMTP AUTH, SSL/TLS, VERP). But the two delivery paths had drifted:
--forensic only applied the StaleMARC check, missing NoReportsList and
the suppressions table, and never applied SMTP AUTH/SSL even though
the manpage already claimed those settings applied to "both aggregate
and forensic reports."

- Add skip_reason() and smtp_connect() helpers shared by both the
  aggregate loop and --forensic mode, so NoReportsList, StaleMARC, the
  suppressions table, and SMTP AUTH/SSL/StartTLS apply identically
  regardless of which path is delivering mail.
- Give opendmarc-reports --forensic a distinct exit code (2) when every
  recipient is suppressed, instead of reusing 0 (sent). The milter
  (opendmarc.c/opendmarc.h: REPORTCMD_EXIT_SUPPRESSED) now logs that
  case at LOG_INFO rather than treating it as a ReportCommand failure.
- Add --archive-dir to save a copy of every outbound report (the full
  message as handed to SMTP, not just the gzipped XML or AFRF
  attachment) for later RFC-compliance review. Applies to both modes;
  suppressed and --test-mode reports are not archived.
- Fix opendmarc.conf.sample, which still described NoReportsList's
  pre-trusteddomainproject#404 two-way semantics; document the ReportCommand handoff to
  opendmarc-reports --forensic in both the sample and the manpage.
- Document no-reports-list and archive-dir in
  contrib/opendmarc-reports.conf.sample.
@thegushi thegushi merged commit 90ec525 into trusteddomainproject:develop Jun 20, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant