At 06:53 AM 11/9/2004 -0800, Gary W. Smith wrote:
Matt,

I did find some information in bugzilla regarding this as well but it
still seems to be open. Is the short fix to add a single trusted net as
per Bowie?

If you've got a NATed server, use trusted_networks. In fact, even if you don't have a NATed server, you should consider setting trusted_networks. Without it, SA is making educated guesses, nothing more.

SA will never be able to know your network as well as you do, so manual configuration will always be better than autodetection.

As far as the bug goes, it will probably stay open forever.

I know of no good way to fix this issue in a general sense. If you fix the algorithm to deal with NAT, it's going to be broken for sites with a non-NATed forwarding MX.

There's no way without manual configuration for SA to know where your trust path ends just by looking at Received: headers.

It can only make guesses that work reliably for simple configurations. Anything else just complicates SA and causes problems for different kinds of networks.

I suppose you could have a config option:
        trustpath_detection_mode        (normal | nat )

but you'd still need to rely on admins to manually set it to NAT, and even that might not give results as good as manually configuring it. The gain there seems limited, as you're not saving anyone from a bug if they forget to set it up.
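As an added illustration (not code from this thread or from SpamAssassin itself), the script below walks a Received: chain twice: once with an explicit trusted_networks list, and once with a deliberately simplified guess heuristic that stands in for autodetection and is not SA's real algorithm. Both header chains, the hostnames and addresses are constructed, and the NAT case assumes the gateway rewrites the source of inbound connections.

```python
import ipaddress
import re

# Constructed Received: chains, topmost (most recent) first; not taken from the thread.
# Case A: an internal forwarding MX at 10.0.0.5 hands mail to the SpamAssassin host.
FORWARDING_MX = [
    "from fwd.example.internal ([10.0.0.5]) by sa.example.internal",
    "from mail.sender.example ([203.0.113.5]) by fwd.example.internal",
    "from lan-pc.sender.example ([10.20.30.40]) by mail.sender.example",
]
# Case B: a NAT gateway at 192.168.1.1 rewrites the source of inbound connections
# (an assumption of this example), so the external sender appears to connect from it.
NAT_GATEWAY = [
    "from mail.sender.example ([192.168.1.1]) by mx.example.internal",
    "from lan-pc.sender.example ([10.20.30.40]) by mail.sender.example",
]

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def relay_ips(received):
    """Connecting ('from') IP of each Received: line, topmost first."""
    return [ipaddress.ip_address(IP_RE.search(line).group(1)) for line in received]

def _walk(ips, keep):
    """Trust relays from the top while keep(ip) holds; return (trusted, first untrusted)."""
    trusted = []
    for ip in ips:
        if not keep(ip):
            return [str(t) for t in trusted], str(ip)
        trusted.append(ip)
    return [str(t) for t in trusted], None

def trust_boundary_manual(received, trusted_networks):
    """Explicit configuration: a relay is trusted iff its IP is in trusted_networks."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    return _walk(relay_ips(received), lambda ip: any(ip in n for n in nets))

def trust_boundary_guessed(received):
    """Simplified stand-in for autodetection (not SpamAssassin's real algorithm):
    the first relay is ours, then keep trusting while the connecting IP is RFC 1918."""
    ips = relay_ips(received)
    more, boundary = _walk(ips[1:], lambda ip: any(ip in n for n in RFC1918))
    return [str(t) for t in ips[:1]] + more, boundary

if __name__ == "__main__":
    for name, chain, nets in (("forwarding MX", FORWARDING_MX, ["10.0.0.0/24"]),
                              ("NAT gateway", NAT_GATEWAY, ["192.168.1.0/24"])):
        print(f"{name:14} guessed: {trust_boundary_guessed(chain)}")
        print(f"{name:14} manual:  {trust_boundary_manual(chain, nets)}")
```

The guess places the boundary correctly for the forwarding MX but, in the NAT case, keeps trusting into the sender's private LAN and never finds an external relay at all; with trusted_networks set, both chains stop at the right hop.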
