Q: The dns-blocklists just don't appear to be used. What is going wrong? ... A: Third, if your email gateway is behind a firewall make sure that SpamAssassin is resolving the gateway to its external address. If SpamAssassin resolves the gateway to a private IP or can't resolve the name at all, it may mark the sending system as a trusted relay. As a result, some or all of the spammer's systems will not be checked against the DNSBL. (I'm not aware of any way to specify 'last trusted relay' in SA.)
What is this saying? If the SMTP gateway host that SpamAssassin is running on is behind the firewall and is NATed, whatever DNS server the SMTP host is using should resolve the gateway to its NATed (Internet) IP address?
Yes, OR you should manually set trusted_networks (generally a better solution).
The problem lies in the fact that SA assumes, unless you set trusted_networks, that the first "by" server that resolves as a public IP in a Received: chain is part of your network. If your email gateway resolves as a private IP, this means SA will "trust" an external mailserver that it should not.
For example, I have this problem. Xanadu is a NATed mail gateway running SA, and sees itself as a 192.168.x.x IP address. I have had to hand-set trusted_networks:
    #trust xanadu itself:
    trusted_networks 192.168.x.x/32
    #trust internal mailserver 10.y.y.y
    trusted_networks 10.y.y.y/32
Other side effects of a mis-configured trust path are spam mails matching ALL_TRUSTED on 3.x.
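To make the trust-path problem described in the reply above concrete, here is an added example (not part of the original thread, and not SpamAssassin's own code): a small Python model of the boundary guess the reply describes. With no trusted_networks, it treats every hop whose "by" server has a private (RFC 1918 or loopback) address as internal, so the relay that handed mail to a NATed gateway ends up trusted; with trusted_networks set, only relays inside those networks are trusted. It runs the model over a constructed Received: chain (all hostnames and addresses are made up) once without and once with trusted_networks, and also shows the two-hop case where nothing is left untrusted, which is the condition behind ALL_TRUSTED. The model is a simplification of what the reply says SA does, not a reimplementation of SA's actual trust-path code.

```python
import ipaddress
import re

# RFC 1918 and loopback ranges: what the simplified model below treats as
# "private" when it guesses the trust boundary without trusted_networks.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed Received: headers (newest hop first) for a spam that went
# spammer's PC -> spammer's ISP relay -> NATed gateway "xanadu" -> internal
# mailserver.  All hostnames and addresses are made up for this example.
RECEIVED_HEADERS = [
    "from xanadu.example.net (xanadu.example.net [192.168.1.2]) "
    "by mail.internal.example.net (mail.internal.example.net [10.1.1.1]) with ESMTP",
    "from relay.spammer-isp.example (relay.spammer-isp.example [203.0.113.5]) "
    "by xanadu.example.net (xanadu.example.net [192.168.1.2]) with ESMTP",
    "from bot-pc (unknown [198.51.100.7]) "
    "by relay.spammer-isp.example (relay.spammer-isp.example [203.0.113.5]) with SMTP",
]

# Only the two bracketed addresses of a hop matter here: the relay that
# handed the mail over ("from") and the server that accepted it ("by").
HOP_RE = re.compile(r"from\s.*?\[(?P<from_ip>[\d.]+)\].*?\bby\s.*?\[(?P<by_ip>[\d.]+)\]")


def parse_hop(header):
    """Return (from_ip, by_ip) for one Received: header."""
    m = HOP_RE.search(header)
    if m is None:
        raise ValueError("cannot find from/by addresses in: " + header)
    return ipaddress.ip_address(m["from_ip"]), ipaddress.ip_address(m["by_ip"])


def in_any(ip, nets):
    return any(ip in n for n in nets)


def untrusted_relays(headers, trusted_networks=None):
    """Relay addresses outside the trust boundary, i.e. the ones a DNSBL
    check would actually look up.

    With trusted_networks set, a hop's "from" relay is trusted only if it
    lies in one of those networks; the first relay that does not marks the
    boundary, and every relay below it is untrusted.

    Without trusted_networks this mimics the guess described in the thread:
    while the "by" server has a private address it is assumed to be inside
    our network, so the relay that handed mail to it is trusted too; the
    first hop whose "by" server has a public address is taken as our edge,
    and its "from" relay is the first untrusted one.
    """
    nets = [ipaddress.ip_network(n) for n in (trusted_networks or [])]
    untrusted = []
    past_boundary = False
    for from_ip, by_ip in (parse_hop(h) for h in headers):
        if not past_boundary:
            trusted = in_any(from_ip, nets) if nets else in_any(by_ip, PRIVATE_NETS)
            if trusted:
                continue
            past_boundary = True
        untrusted.append(str(from_ip))
    return untrusted


def all_trusted(headers, trusted_networks=None):
    """True when no relay is untrusted, the situation that fires ALL_TRUSTED."""
    return not untrusted_relays(headers, trusted_networks)


if __name__ == "__main__":
    my_nets = ["192.168.1.2/32", "10.1.1.1/32"]   # the hand-set trusted_networks
    # Without trusted_networks the spammer's relay 203.0.113.5 is never checked.
    print("no trusted_networks  :", untrusted_relays(RECEIVED_HEADERS))
    print("with trusted_networks:", untrusted_relays(RECEIVED_HEADERS, my_nets))
    # A spam handed straight to the NATed gateway adds only two Received:
    # headers; with no trusted_networks every relay then looks internal.
    print("ALL_TRUSTED fires    :", all_trusted(RECEIVED_HEADERS[:2]))
    print("... with trusted_networks:", all_trusted(RECEIVED_HEADERS[:2], my_nets))
```

Run as-is it prints the untrusted relay list for both configurations; the difference between the two lists is exactly the external mailserver the reply warns SA would wrongly trust when the gateway only shows up as 192.168.x.x. The same check can be applied to real headers by replacing RECEIVED_HEADERS with the Received: lines of a message that failed to get DNSBL hits.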