This patch came about because most of my users use the AUTH command when sending mail, in order to use my server as a relay. The domainkeys patch installs a program called qmail-dk, which acts differently based on whether certain environment variables are set or not.
Normally you would create these variables in your /service/___/run script, or as arguments in your tcprules control file. This allows you to control whether the qmail-dk program signs or verifies a given message: you would normally want to verify the signature on messages coming from untrusted IP addresses, but if the client is using a "trusted" IP address, or sends an AUTH command which succeeds, you would want to sign their message instead.
Rather than try to patch qmail-dk, I created a patch for qmail-smtpd which offers a way to solve the problem, and which I suspect will be able to solve other AUTH-related problems in the future as well.
Before the first time qmail-smtpd executes the program listed in the QMAILQUEUE variable (or "qmail-queue", if there is no QMAILQUEUE variable) it searches the environment and does the following:
If it finds any variables whose names start with "AUTH_SET_", it deletes them from the environment... and if there has been a successful AUTH command in the current session, it drops the "AUTH_SET_" prefix and adds or changes an environment variable as indicated.
For example, if the environment contains AUTH_SET_DATABYTES="0" and a successful AUTH command has been sent, it adds DATABYTES="0" to the environment, replacing any existing DATABYTES variable.
If it finds any variables whose names start with "AUTH_UNSET_", it deletes them from the environment... and if there has been a successful AUTH command in the current session, it drops the "AUTH_UNSET_" prefix and deletes the environment variable as indicated.
For example, if the environment contains AUTH_UNSET_DKVERIFY="" and a successful AUTH command has been sent, it deletes any existing DKVERIFY variable from the environment.
Note that because the AUTH_SET_ and AUTH_UNSET_ variables are removed from the environment when this happens, this will not work if the client connects, sends one or more messages, does a successful AUTH, and then sends another message. This is not normally an issue with mail programs, but it may be something to be aware of if you are doing manual testing on a server.
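The rules above, as an added C example (not the patch's own code): apply_auth_env is a hypothetical helper, the sample values are constructed, and it assumes the POSIX setenv/unsetenv calls rather than qmail's own environment routines.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;
/* Hypothetical helper (not the patch's own code). authd is non-zero after a
   successful AUTH. Returns the number of control variables consumed, or -1. */
int apply_auth_env(int authd)
{
    static const char SET[] = "AUTH_SET_", UNSET[] = "AUTH_UNSET_";
    size_t ls = sizeof SET - 1, lu = sizeof UNSET - 1, n = 0, i;
    int used = 0;
    char **snap;
    /* Copy the environment first: setenv/unsetenv may move environ around. */
    while (environ[n]) n++;
    if (!(snap = calloc(n + 1, sizeof *snap))) return -1;
    for (i = 0; i < n; i++)
        if (!(snap[i] = strdup(environ[i]))) used = -1;
    for (i = 0; i < n; i++) {
        char *e = snap[i], *eq = e ? strchr(e, '=') : NULL;
        int is_set = e && strncmp(e, SET, ls) == 0;
        int is_unset = e && strncmp(e, UNSET, lu) == 0;
        if (used >= 0 && eq && (is_set || is_unset)) {
            *eq = '\0';
            unsetenv(e);                      /* control variable always goes */
            if (authd && is_set && e[ls])
                setenv(e + ls, eq + 1, 1);    /* add or overwrite the target */
            else if (authd && is_unset && e[lu])
                unsetenv(e + lu);             /* delete the target */
            used++;
        }
        free(e);
    }
    free(snap);
    return used;
}

int main(void)
{
    /* Constructed sample environment mirroring the two examples above. */
    setenv("AUTH_SET_DATABYTES", "0", 1);
    setenv("AUTH_UNSET_DKVERIFY", "", 1);
    setenv("DKVERIFY", "1", 1);
    apply_auth_env(1);
    printf("DATABYTES=%s DKVERIFY %s\n", getenv("DATABYTES"), getenv("DKVERIFY") ? "set" : "unset");
    return 0;
}
```

Because the control variables are consumed on the first call whether or not authd is set, a call made before AUTH leaves nothing for a later call to act on, which is the caveat noted above.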
Download authset.patch here.
Note that this patch will not compile if you apply it directly to DJB's original qmail-1.03.tar.gz sources. It is designed to be applied on top of most of the AUTH patches out there: as long as the patch sets an "authd" variable to a non-zero value when the AUTH command is successful, this patch will work with it.
Note that this is part of my combined patch, version 6b and later.