On Mon, 2004-11-01 at 18:24, Matt Kettler wrote:
> At 01:07 PM 11/1/2004, Sean Doherty wrote:
> > > so the *next* step must be the external MX.
> >
> >My 10.x server is inside a firewall which NATs port 25 so this
> >conclusion is not correct. I imagine that my setup isn't all
> >that different from a lot of other people's.
>
> Yes, it is incorrect, but SA can't know that. Thus, SA assumes,
> incorrectly, that any 10.x host must not be externally addressable. It's
> not a very good assumption in modern networks, but there's not much else
> one can do.
>
> SA's trust path code has pretty much always been incompatible with NAT'ed
> mailservers. And it's hard for SA to autodetect such things from mail headers.

Obviously, there's no way to deduce that the mail path has come through a NAT'ed firewall, and as such in certain situations guessing the trusted_networks is not the correct thing to do.

I have always (incorrectly) been running SpamAssassin without trusted_networks being set, which when running SA 2.64 resulted in no DNSBL checks. Because I was running Bayes, SURBLs and a bunch of custom rules I wasn't seeing FPs. However, after upgrading to 3.0 I suddenly started seeing many more FPs, which I could attribute to ALL_TRUSTED.

Setting trusted_networks appropriately has solved the problem. However, given that the inference algorithm doesn't deal well with NAT'ed networks - which IMO is quite common for SMEs - there should perhaps be something in the debug output which informs the user that trusted_networks is not set and as such will be guessed. Another option would be to either trust nobody, or not run those tests that rely on knowing what the trusted networks are.

Regards,
- Sean
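
The behaviour discussed in this thread, as an added example that is not part of the original message and is not SpamAssassin's code: a simplified Python model of trust-path guessing versus an explicit trusted_networks, built only from the description above. All addresses are constructed, and `trust_path` and `all_trusted` are hypothetical names.

```python
import ipaddress

# RFC 1918 ranges; the thread only mentions 10.x, the others are included by assumption.
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE)


def trust_path(relays, trusted_networks=None):
    """relays: newest-first list of (from_ip, by_ip), one per Received header.
    Returns one bool per relay: True if that relay is treated as trusted."""
    nets = [ipaddress.ip_network(n) for n in (trusted_networks or [])]
    flags, chain_ok = [], True
    for from_ip, by_ip in relays:
        if not chain_ok:
            trusted = False          # once the chain breaks, nothing older is trusted
        elif nets:
            trusted = any(ipaddress.ip_address(from_ip) in n for n in nets)
        else:
            # Guessing, as described in the thread: a receiver on a private
            # address is assumed unreachable from outside, so whoever handed
            # it the message "must be" the site's own external MX.
            trusted = is_private(from_ip) or is_private(by_ip)
        chain_ok = trusted
        flags.append(trusted)
    return flags


def all_trusted(relays, trusted_networks=None):
    """Model of the ALL_TRUSTED condition: no untrusted relay in the path."""
    return all(trust_path(relays, trusted_networks))


# Constructed case 1: NAT'ed server 10.0.0.5 receives straight from the Internet.
NAT_DIRECT = [("203.0.113.77", "10.0.0.5")]
# Constructed case 2: a public MX (198.51.100.10) relays inward to 10.0.0.5.
VIA_MX = [("198.51.100.10", "10.0.0.5"), ("203.0.113.77", "198.51.100.10")]

if __name__ == "__main__":
    print("NAT, guessed: ", trust_path(NAT_DIRECT), all_trusted(NAT_DIRECT))
    print("NAT, explicit:", trust_path(NAT_DIRECT, ["10.0.0.0/8"]))
    print("MX, guessed:  ", trust_path(VIA_MX))
```

In the NAT case the guess marks the outside sender as trusted, so the all-trusted condition holds for mail that arrived directly from the Internet; with the internal range listed explicitly the same relay is untrusted.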