[opendmarc-dev] forensic reports

Murray S. Kucherawy msk at blackops.org
Wed Jul 31 00:19:26 PDT 2013


On Wed, 31 Jul 2013, Andreas Schulze wrote:
> To implement full body failure reporting opendmarc must capture the 
> body. That sounds very memory expensive. Capturing the body should only 
> be done if there is clearly a need for it. That point is reached after _end 
> of header_ in my opinion.

There are some tradeoffs here.  The way the filter is built now, it tells 
the MTA at connection time that it isn't interested in the body, so the 
MTA never sends the body over.  This can be a huge I/O savings in the 
milter protocol.  We'd have to add that hook, and then receive the body 
and store it someplace until it's time to generate the report (which may 
not be necessary).  It doesn't have to be in-memory though; it can be 
written to a temporary file and then deleted after it's used.

> But the evaluation of the dmarc result is currently done in _end of 
> message_, that's far later.

It's not difficult to set up something like this:

- request the body from the MTA by adding the body hook
- do the DMARC decision in end-of-header (EOH)
- if the decision is to reject, capture the body into a temporary file
- if the decision is to accept, tell the MTA to stop sending the body
- generate the forensic report if the DMARC check failed
- throw away the temporary file

But in any case, you can't get the SMTP session to be more efficient, 
because for the header to come down, you're already in DATA and can't 
cancel the transmission at that point; you have to wait until the "." 
comes down to return a rejection.

You can open a feature request for this if it would be valuable to you. 
My preference would be to make body inclusion configurable and off by 
default, so the faster behaviour (and less of a possible privacy leak) is 
the norm.

-MSK
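The callback flow sketched in the message above (decide at end-of-header, spool the body to a temporary file only when the check failed and body capture is switched on, otherwise tell the MTA to stop sending body chunks, and always delete the temp file at end-of-message), as an added illustration that is not opendmarc's code or part of the original thread. It models libmilter's SMFIS_CONTINUE / SMFIS_SKIP / SMFIS_REJECT return values with a Python enum, uses a stub `dmarc_check` callable that reads a constructed Authentication-Results header instead of evaluating real policy, and drives the filter with a `run_message` stand-in for the MTA; all names, headers and body chunks are constructed for the example.

```python
import os
import tempfile
from enum import Enum, auto


# Stand-ins for libmilter's SMFIS_* return codes (this is a model, not libmilter).
class Action(Enum):
    CONTINUE = auto()   # keep delivering events
    SKIP = auto()       # from the body callback: MTA stops sending further body chunks
    ACCEPT = auto()
    REJECT = auto()


class BodyCapturingFilter:
    """Decide DMARC at end-of-header; spool the body to a temp file only when
    the message failed and body capture is enabled (off by default)."""

    def __init__(self, dmarc_check, capture_body=False):
        self.dmarc_check = dmarc_check      # hypothetical: callable(headers) -> True on pass
        self.capture_body = capture_body    # configurable, default off as the mail suggests
        self.headers = []
        self.dmarc_failed = False
        self.spool = None
        self.spool_path = None
        self.report = None

    def on_header(self, name, value):
        self.headers.append((name, value))
        return Action.CONTINUE

    def on_eoh(self):
        # The DMARC decision needs only headers, so it can be made here.
        self.dmarc_failed = not self.dmarc_check(self.headers)
        if self.dmarc_failed and self.capture_body:
            # Spool to disk rather than holding the body in memory.
            self.spool = tempfile.NamedTemporaryFile(mode="w+b", delete=False)
            self.spool_path = self.spool.name
        return Action.CONTINUE

    def on_body(self, chunk):
        if self.spool is None:
            # Nothing to capture: ask the MTA to stop sending body chunks.
            return Action.SKIP
        self.spool.write(chunk)
        return Action.CONTINUE

    def on_eom(self):
        try:
            if self.dmarc_failed:
                self.report = self._build_report()
                return Action.REJECT
            return Action.ACCEPT
        finally:
            self._cleanup()   # temp file goes away whether or not a report was built

    def _build_report(self):
        body = b""
        if self.spool is not None:
            self.spool.flush()
            self.spool.seek(0)
            body = self.spool.read()
        return {"headers": [f"{n}: {v}" for n, v in self.headers], "body": body}

    def _cleanup(self):
        if self.spool is not None:
            self.spool.close()
            os.unlink(self.spool_path)
            self.spool = None


def run_message(headers, body_chunks, dmarc_check, capture_body=False):
    """Stand-in MTA: drives the callbacks and honours SKIP like a milter MTA would."""
    flt = BodyCapturingFilter(dmarc_check, capture_body)
    for name, value in headers:
        flt.on_header(name, value)
    flt.on_eoh()
    delivered = 0
    for chunk in body_chunks:
        delivered += 1
        if flt.on_body(chunk) is Action.SKIP:
            break
    verdict = flt.on_eom()
    spool_gone = flt.spool_path is None or not os.path.exists(flt.spool_path)
    return {"verdict": verdict, "report": flt.report,
            "chunks_delivered": delivered, "spool_removed": spool_gone}


# Constructed sample data; the "DMARC check" below is a stub that reads a
# pre-computed Authentication-Results header rather than evaluating policy.
PASSING_HEADERS = [("From", "alice@example.com"),
                   ("Authentication-Results", "mx.example.net; dmarc=pass")]
FAILING_HEADERS = [("From", "alice@example.com"),
                   ("Authentication-Results", "mx.example.net; dmarc=fail")]
BODY_CHUNKS = [b"Hello,\r\n", b"this is the body.\r\n", b"-- alice\r\n"]


def stub_dmarc_check(headers):
    return any(n == "Authentication-Results" and "dmarc=pass" in v for n, v in headers)


if __name__ == "__main__":
    for label, hdrs, cap in [("pass", PASSING_HEADERS, True),
                             ("fail/no capture", FAILING_HEADERS, False),
                             ("fail/capture", FAILING_HEADERS, True)]:
        print(label, run_message(hdrs, BODY_CHUNKS, stub_dmarc_check, cap))
```

Running it shows the three paths: a passing message receives only the first body chunk before the MTA is told to skip, a failing message with capture off is rejected with an empty report body, and a failing message with capture on spools all chunks into the report and leaves no temp file behind.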

