On 06/16/2018 06:33 AM, David Jones wrote:
On 06/15/2018 05:44 PM, J Doe wrote:
Hello,
I am currently using SpamAssassin 3.4.1 on Ubuntu Linux 16.04.4 LTS.
I have SA running on a server with Postfix as the MTA on the same server.
I have a question regarding the trusted_networks configuration
parameter (man Mail::SpamAssassin::Conf). I manually added this to a
custom local.cf file and linted it:
/etc/spamassassin/local.custom.cf:
trusted_networks 1.2.3.4
$ spamassassin --lint --config-file=/etc/spamassassin/local.custom.cf
This displays:
Jun 15 18:31:02.893 [8327] warn: netset: cannot include 1.2.3.4/32 as it has already been included
This led me to believe that when SpamAssassin loads, it automatically
adds the IP address of the host it is running on (along with
localhost, which is mentioned in man). As a result, I removed the
trusted_networks entry and a subsequent lint produces no warnings or
errors.
When I then ran lint and added the --debug flag:
$ spamassassin --debug --lint --config-file=/etc/spamassassin/local.custom.cf
…I see the following in the output:
Jun 15 18:39:23.422 [8422] dbg: config: trusted_networks are not configured; it is recommended that you configure trusted_networks manually
My question is:
— Should I manually set trusted_networks to have the IP address of the
host it is running on and ignore the warning from --lint or …
— Should I not set trusted_networks and ignore the warning from --debug ?
Thanks,
- J
internal_networks should be any RFC 1918 networks that your mail server
sees plus any public networks that are in your control.
trusted_networks should be internal_networks plus any external networks
that you trust to not send spam -- in other words they are known to have
their own outbound mail filtering. This will tell SA to go back one
more Received: header to test for "last_external" checks and RBL checks.
For example:
internal_networks 192.168.0.0/16 fe80::/10 96.4.0.0/15 207.191.176.0/20
trusted_networks 192.168.0.0/16 fe80::/10 96.4.0.0/15 207.191.176.0/20 162.216.126.0/23
My SA servers actually have public IPs on them so technically I don't
need the 192.168.0.0/16 in the list but I put it in there for reference.
If your mail servers are NAT'd and have a private RFC 1918 IP on them
then you need to include any internal subnet that can send outbound
through your SA server.
Oh yeah, when using Postfix your internal_networks should basically match
the Postfix mynetworks value.
# postconf mynetworks
Then copy/paste the internal_networks to trusted_networks and add any
external networks that can be trusted, if any. trusted_networks might
start out identical to internal_networks until you find external sources
that you want to include later.
--
David Jones
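
The procedure described in the reply above (take the Postfix mynetworks value as internal_networks, then add trusted external networks to get trusted_networks), as an added example that is not part of the original thread. The function names are hypothetical, the input is constructed from the thread's example networks, and only literal CIDR entries are handled (Postfix table or file references are rejected).

```python
import ipaddress
import re

def parse_networks(value):
    """Parse whitespace/comma separated CIDR entries, including Postfix's
    bracketed IPv6 form ([::1]/128). Table or file references raise ValueError."""
    nets = []
    for token in re.split(r"[,\s]+", value.strip()):
        if not token:
            continue
        m = re.fullmatch(r"\[([0-9A-Fa-f:.]+)\](/\d+)?", token)
        if m:  # [addr]/len -> addr/len, the form SpamAssassin expects
            token = m.group(1) + (m.group(2) or "")
        nets.append(ipaddress.ip_network(token, strict=False))
    return nets

def dedupe(nets):
    """Merge duplicates, covered subnets and adjacent blocks, per IP version."""
    nets = list(nets)
    out = []
    for version in (4, 6):
        out += ipaddress.collapse_addresses(n for n in nets if n.version == version)
    return out

def build_sa_config(mynetworks, external_trusted=""):
    """Return (internal_networks line, trusted_networks line).

    Loopback is dropped: per the man page cited in the thread, SpamAssassin
    adds localhost on its own."""
    internal = dedupe(n for n in parse_networks(mynetworks) if not n.is_loopback)
    trusted = dedupe(internal + parse_networks(external_trusted))
    return ("internal_networks " + " ".join(map(str, internal)),
            "trusted_networks " + " ".join(map(str, trusted)))

def untrusted_internal(internal_line, trusted_line):
    """List internal networks not covered by any trusted network."""
    trusted = parse_networks(trusted_line.split(None, 1)[1])
    return [str(n) for n in parse_networks(internal_line.split(None, 1)[1])
            if not any(n.version == t.version and n.subnet_of(t) for t in trusted)]

if __name__ == "__main__":
    # Constructed input: the thread's example networks in Postfix mynetworks form.
    mynetworks = "127.0.0.0/8 [::1]/128 192.168.0.0/16 [fe80::]/10 96.4.0.0/15, 207.191.176.0/20"
    internal, trusted = build_sa_config(mynetworks, "162.216.126.0/23")
    print(internal)
    print(trusted)
    print("not covered by trusted_networks:", untrusted_internal(internal, trusted))
```

Run `spamassassin --lint` on the generated lines before deploying them; `untrusted_internal` can also be pointed at an existing pair of lines to find internal networks that were left out of trusted_networks.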