Sean Doherty writes:
> Justin,
>
> > > - if any addresses of the 'by' host is in a reserved network range,
> > > then it's trusted
> > >
> > > However, I would have thought that this would imply that the 10.0.0.53
> > > host is trusted and not any servers connecting to it.
> >
> > The problem is that 10.x is a private net, therefore SpamAssassin infers
> > it cannot possibly be the external MX sitting out there on the internet.
> > (for a host to be sitting on the public internet accepting SMTP
> > connections, it'd obviously need a public IP addr.)
> >
> > so the *next* step must be the external MX.
>
> My 10.x server is inside a firewall which NATs port 25 so this
> conclusion is not correct. I imagine that my setup isn't all
> that different from a lot of other people's.
>
> > > Can someone please clarify this for me? Also should I be specifying
> > > 10.0.0.53 in trusted_networks in local.cf?
> >
> > Yep, that's right -- and trusted_networks will fix it.
>
> Yes trusted_networks does indeed fix the issue, but I'm still
> not so sure that the algorithm to deduce trusted_networks is
> correct (if not specified).

it's correct *except* in this kind of situation, where there's NAT
and/or private IP ranges involved. we should document that more
clearly, maybe.

> For an inbound only relay is it correct to say that trusted_networks
> should only contain the IP address of the relay itself?

yep. if you have a virus-scanning gateway or firewall beyond *that*,
though, you should trust that too.

> For an inbound/outbound relay it should contain the local
> network/mask or eg downstream Exchange server + relay host?

not sure what you mean by 'downstream Exchange server' here...
you can trust all the hosts you consider trustworthy; it'll skip
looking them up in DNSBLs etc. You can even trust e.g. YahooGroups'
outbound MTAs if you like ;)

--j.
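An added illustration, not part of the original message and not SpamAssassin's code: a simplified Python model of the trust inference as this thread describes it, next to an explicit trusted_networks list, for a NATed MX at 10.0.0.53. The other addresses (documentation ranges), the choice of RFC 1918 blocks as the "reserved" ranges, and all function names are assumptions.

```python
import ipaddress

# Assumption: "reserved network range" is modelled as the RFC 1918 blocks.
RESERVED = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed Received chain, newest hop first, as (relay_ip, by_ip):
# relay_ip is the host that connected, by_ip the host that accepted.
RECEIVED = [
    ("203.0.113.7", "10.0.0.53"),     # internet sender -> NATed MX
    ("198.51.100.9", "203.0.113.7"),  # earlier hop reported by the sender
]

def in_any(ip, nets):
    return any(ipaddress.ip_address(ip) in net for net in nets)

def inferred_trusted(received):
    """Relays trusted by inference when trusted_networks is not set."""
    trusted = []
    for relay_ip, by_ip in received:
        if not in_any(by_ip, RESERVED):
            break  # public 'by' host: taken to be the external MX
        # Private 'by' host: assumed not to be the external MX, so the
        # host that connected to it is treated as trusted.
        trusted.append(relay_ip)
    return trusted

def configured_trusted(received, trusted_networks):
    """Relays trusted under an explicit trusted_networks list."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    trusted = []
    for relay_ip, _by_ip in received:
        if not in_any(relay_ip, nets):
            break  # first relay outside the list ends the trusted run
        trusted.append(relay_ip)
    return trusted

def dnsbl_candidates(received, trusted):
    """Relays still eligible for DNSBL lookups (trusted ones are skipped)."""
    return [relay for relay, _ in received if relay not in trusted]

if __name__ == "__main__":
    guess = inferred_trusted(RECEIVED)
    fixed = configured_trusted(RECEIVED, ["10.0.0.53"])
    print("inferred  :", guess, "->", dnsbl_candidates(RECEIVED, guess))
    print("configured:", fixed, "->", dnsbl_candidates(RECEIVED, fixed))
```

In this model the inferred case exempts the host that connected from the internet from DNSBL lookups, while listing only 10.0.0.53 keeps that host in the checked set.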