John Stimson via users wrote on 2022-12-27 23:28:

> I have a single SMTP server with single public IP address. I have set
>
> trusted_networks my.ip.num.ber

this can have all external trusted ips as well, but minimally it should be
a list of ips you have ssh root access on, nothing more, nothing less

> internal_networks my.ip.num.ber

should have all "ip addr show" listed

> and removed the clear_originating_ip_headers line. I also added the
> line

this is safe to keep so ips are only in received headers, not any other
bogus ips, it has nothing to do with trusted_networks anyway

> add_header all RelaysUntrusted _RELAYSUNTRUSTED_

good to see so you can track errors later :=)

> based on the suggestion in the TrustPath documentation at
> https://cwiki.apache.org/confluence/display/SPAMASSASSIN/TrustPath

documentation assumes all make the same errors as the documentation describes, while
sane configs are more or less experience, the experience can't be read in
books sadly

> The documentation there only suggests setting my trusted_networks and
> internal_networks, not clearing either of them.

so why is clearing supported?

> Now, when I manually check the messages, the X-Spam-RelaysUntrusted:
> header displays the mail host that my server received the message
> from. That seems proper. HOWEVER, even though that is supposed to be
> the host used for all IP based checks, DNSWL_HI is being triggered.
> The first untrusted host is not in the dnswl.org high confidence list.
> However the IP in X-Originating-Ip: is listed in dnswl.org's high
> confidence list. I don't know why spamassassin would use that header,
> though, since it is below the Received: line for the first untrusted
> relay.

problem with additional header trust is that we don't know if it's forged
or not, with only the received header it knows what is forged, that's my point
of why is it default trusted headers from untrusted sources?
On 2022/12/27 18:20:35 Matus UHLAR - fantomas wrote:
>On 2022/12/26 23:47:41 Benny Pedersen wrote:
On 27.12.22 13:04, John Stimson via users wrote:
>Thanks -- I found a mechanism that empties the list of headers used to
>determine the originating IP. I added this line to my local.cf:
>
>clear_originating_ip_headers
keep this option in local.cf
I recommend checking:
trusted_networks
clear_trusted_networks
internal_networks
clear_internal_networks
these to be set up properly instead of just
clear_originating_ip_headers
- you should still check them, as they give you opportunity to check proper
headers in DNS, not just in DNSWL.
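
The manual check described in this thread (comparing the first relay in X-Spam-RelaysUntrusted with the address in X-Originating-IP) can be scripted. The following is an added example, not code from any participant or from SpamAssassin; it assumes the header produced by the `add_header all RelaysUntrusted _RELAYSUNTRUSTED_` line, assumes the first `ip=` entry is the relay that handed the message to your server, and uses a constructed sample message with documentation-range addresses.

```python
import email
import ipaddress
import re

# Assumption: headers to audit; X-Originating-IP is the one named in the thread.
ORIGINATING_HEADERS = ("X-Originating-IP",)

# Constructed sample message (documentation-range addresses, not real traffic).
SAMPLE = """\
Received: from mail.example.net (mail.example.net [198.51.100.7])
\tby mx.example.org with ESMTP id ABC123; Tue, 27 Dec 2022 12:00:00 +0000
X-Originating-IP: [203.0.113.50]
X-Spam-RelaysUntrusted: [ ip=198.51.100.7 rdns=mail.example.net
\thelo=mail.example.net by=mx.example.org ident= envfrom= intl=0 id=ABC123
\tauth= msa=0 ]
Subject: test

body
"""

def _ips(text):
    """Return every token in text that parses as an IPv4 or IPv6 address."""
    found = []
    for tok in re.findall(r"[0-9A-Fa-f:.]{3,}", text or ""):
        try:
            found.append(ipaddress.ip_address(tok))
        except ValueError:
            pass  # not an address (e.g. part of a hostname)
    return found

def audit(raw):
    """Report the first untrusted relay and any IPs that appear only in
    sender-supplied originating-IP headers (candidates for a forged or
    unrelated address influencing IP-based rules)."""
    msg = email.message_from_string(raw)
    relay_field = msg.get("X-Spam-RelaysUntrusted", "")
    relays = [ip for m in re.findall(r"\bip=(\S+)", relay_field) for ip in _ips(m)]
    first = relays[0] if relays else None
    header_only = []
    for name in ORIGINATING_HEADERS:
        for value in msg.get_all(name, []):
            for ip in _ips(value):
                if ip != first:
                    header_only.append((name, str(ip)))
    return {"first_untrusted": str(first) if first else None,
            "header_only_ips": header_only}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A non-empty `header_only_ips` marks a message where an address taken from a sender-controlled header differs from the relay your server actually saw.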