John Stimson via users wrote on 2022-12-27 23:28:
I have a single SMTP server with single public IP address.  I have set
trusted_networks my.ip.num.ber

this can have all external trusted IPs as well, but at minimum it should be a list of IPs you have SSH root access on, nothing more nothing less

internal_networks my.ip.num.ber

should have everything "ip addr show" lists

and removed the clear_originating_ip_headers line.  I also added the
line

this is safe to keep so only IPs from Received headers are used, not any other bogus IPs; it has nothing to do with trusted_networks anyway

add_header all RelaysUntrusted _RELAYSUNTRUSTED_

good to see so you can track errors later :=)

based on the suggestion in the TrustPath documentation at
https://cwiki.apache.org/confluence/display/SPAMASSASSIN/TrustPath

documentation assumes everyone makes the same errors the documentation describes, while sane configs are more or less experience, and experience can't be read in books sadly

The documentation there only suggests setting my trusted_networks and
internal_networks, not clearing either of them.

so why is clearing supported?

Now, when I manually check the messages, the X-Spam-RelaysUntrusted:
header displays the mail host that my server received the message
from. That seems proper. HOWEVER, even though that is supposed to be
the host used for all IP based checks, DNSWL_HI is being triggered.
The first untrusted host is not in the dnswl.org high confidence list.
However the IP in X-Originating-Ip: is listed in dnswl.org's high
confidence list.  I don't know why spamassassin would use that header,
though, since it is below the Received: line for the first untrusted
relay.

the problem with trusting additional headers is that we don't know if they are forged or not; with only the Received headers it knows what is forged. that's my point: why are headers from untrusted sources trusted by default?


On 2022/12/27 18:20:35 Matus UHLAR - fantomas wrote:
>On 2022/12/26 23:47:41 Benny Pedersen wrote:
On 27.12.22 13:04, John Stimson via users wrote:
>Thanks -- I found a mechanism that empties the list of headers used to
>determine the originating IP.  I added this line to my local.cf:
>
>clear_originating_ip_headers

keep this option in local.cf


I recommend checking:

trusted_networks
clear_trusted_networks

internal_networks
clear_internal_networks

these to be set up properly instead of just
clear_originating_ip_headers

- you should still check them, as they give you opportunity to check proper
headers in DNS, not just in DNSWL.
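As an added example (not code from this thread and not SpamAssassin's own parser), here is a small Python model of the trust walk the thread argues about: it reads trusted_networks / internal_networks from a local.cf fragment, checks that internal_networks lies inside trusted_networks, then walks the Received: headers from the newest hop down until the first relay outside trusted_networks. Everything below that boundary, including an X-Originating-Ip header, was written by hosts the site does not control. The local.cf fragment, the message and all IPs are constructed; treating an uncleared X-Originating-Ip value as an extra untrusted hop is an assumption of this model, not a claim about SpamAssassin's internals.

```python
"""Simplified model of the SpamAssassin trust path (added example, not
SpamAssassin code). All configuration, headers and addresses are constructed."""
import ipaddress
import re

# Constructed local.cf fragment for a single-host site at 203.0.113.5 (assumption).
LOCAL_CF = """
trusted_networks 203.0.113.5
internal_networks 203.0.113.5
clear_originating_ip_headers
add_header all RelaysUntrusted _RELAYSUNTRUSTED_
"""

# Constructed message: two hops, then an X-Originating-Ip header that no trusted host wrote.
MESSAGE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby my.mail.host (Postfix) with ESMTPS id ABC123; Tue, 27 Dec 2022 23:00:00 +0100
Received: from partner.example (partner.example [198.51.100.7])
\tby mx.example.net (Postfix) with ESMTP id DEF456; Tue, 27 Dec 2022 22:59:00 +0100
X-Originating-Ip: [198.51.100.200]
From: someone@partner.example
Subject: test

body
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_networks(local_cf):
    """Return (trusted, internal, clear_originating) from a local.cf fragment."""
    trusted, internal, clear_orig = [], [], False
    for line in local_cf.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        key, _, rest = line.partition(" ")
        if key == "trusted_networks":
            trusted += [ipaddress.ip_network(n, strict=False) for n in rest.split()]
        elif key == "internal_networks":
            internal += [ipaddress.ip_network(n, strict=False) for n in rest.split()]
        elif key == "clear_originating_ip_headers":
            clear_orig = True
    return trusted, internal, clear_orig


def check_config(trusted, internal):
    """Internal networks must sit inside trusted networks; return any that do not."""
    return [str(net) for net in internal
            if not any(t.version == net.version and net.subnet_of(t) for t in trusted)]


def unfold_headers(message):
    """Split the header block into unfolded 'Name: value' strings."""
    lines = []
    for raw in message.split("\n\n", 1)[0].splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += " " + raw.strip()   # continuation line
        else:
            lines.append(raw)
    return lines


def received_from_ips(headers):
    """The 'from' IP of every Received: header, newest hop first."""
    ips = []
    for h in headers:
        if not h.lower().startswith("received:"):
            continue
        value = h.split(":", 1)[1]
        by_idx = value.find(" by ")
        m = IP_RE.search(value if by_idx == -1 else value[:by_idx])
        if m:
            ips.append(ipaddress.ip_address(m.group(1)))
    return ips


def trust_path(message, trusted, clear_originating):
    """Walk hops from the top; after the first untrusted relay nothing below is trusted."""
    headers = unfold_headers(message)
    trusted_relays, untrusted_relays = [], []
    for ip in received_from_ips(headers):
        if not untrusted_relays and any(ip in net for net in trusted):
            trusted_relays.append(ip)
        else:
            untrusted_relays.append(ip)
    # Modelling assumption: when originating-IP headers are not cleared, an
    # X-Originating-Ip value below the boundary is taken as one more hop, even
    # though any untrusted relay could have inserted it.
    originating = None
    if not clear_originating:
        for h in headers:
            m = IP_RE.search(h) if h.lower().startswith("x-originating-ip:") else None
            if m:
                originating = ipaddress.ip_address(m.group(1))
    return {"trusted": trusted_relays, "untrusted": untrusted_relays,
            "first_untrusted": untrusted_relays[0] if untrusted_relays else None,
            "originating_ip": originating}


if __name__ == "__main__":
    trusted, internal, clear_orig = parse_networks(LOCAL_CF)
    print("config problems:", check_config(trusted, internal) or "none")
    for flag in (clear_orig, False):
        r = trust_path(MESSAGE, trusted, flag)
        print("clear_originating_ip_headers=%s first_untrusted=%s originating=%s"
              % (flag, r["first_untrusted"], r["originating_ip"]))
```

With the constructed message the first untrusted relay is 192.0.2.10, the host the site's own MTA received from, which is what the RelaysUntrusted header in the thread shows; only when clear_originating_ip_headers is absent does the unverifiable 198.51.100.200 enter the picture. On a real install the parser's own view of the relays can be inspected with `spamassassin -D received-header < message`, which is the check to run before trusting any DNSWL result.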
