On Wed, Sep 07, 2005 at 05:31:13PM -0400, Matt Kettler wrote:
>George Georgalis wrote:
>
>>
>> Well since my MTA doesn't have an IP put in the header (it gets
>> mail from stdin -- and SA runs from stdin forwarding the exit code
>> to the MTA which then accepts or rejects to the remote relay), I
>> think I'll have to settle with incomplete functionality.
>
>Your MTA doesn't need to put its IP in the received: header. Most MTAs don't.
>Mine doesn't. The insertion can be a hostname as long as that's resolvable via
>DNS.
>
>Looking at this, your MTA is inserting a perfectly usable Received header:
>
>2005-09-07 13:49:10.986551500 debug: received-header: parsed as [
>ip=83.x2.166.71 rdns=eac71.neoplus.adsl.tpnet.pl
>helo=eac71.neoplus.adsl.tpnet.pl by=sta.galis.org ident= envfrom= intl=0 id=
>auth= ]
>
>But whatever sta.galis.org resolves to isn't trusted, that's the problem.
>
>Put the IP that your spamassassin box will get if it does a DNS lookup of
>"sta.galis.org" into your trusted_networks.
>
>i.e: I resolve sta.galis.org as 66.250.170.210, so I'd put 66.250.170.210/32 in
>my trusted networks.
I tried using both the NAT subnet the MTA is on and the external subnet

trusted_networks 127.0.0.1 66.250.170.208/28 192.168.80.0/24

with no change

2005-09-07 20:56:23.954657500 debug: received-header: parsed as [ ip=83.x2.166.71 rdns=eac71.neoplus.adsl.tpnet_pl helo=eac71.neoplus.adsl.tpnet_pl by=sta.galis.org ident= envfrom= intl=0 id= auth= ]
2005-09-07 20:56:23.954666500 debug: received-header: relay 83.x2.166.71 trusted? no internal? no
2005-09-07 20:56:23.954671500 debug: metadata: X-Spam-Relays-Trusted:
2005-09-07 20:56:23.954675500 debug: metadata: X-Spam-Relays-Untrusted: [ ip=83.x2.166.71 rdns=eac71.neoplus.adsl.tpnet_pl helo=eac71.neoplus.adsl.tpnet_pl by=sta.galis.org ident= envfrom= intl=0 id= auth= ]

the local _resolver_ does work correctly, e.g. not per /etc/hosts

PING sta.galis.org (192.168.80.50): 56 data bytes
64 bytes from 192.168.80.50: icmp_seq=0 ttl=64 time=0.1 ms
64 bytes from 192.168.80.50: icmp_seq=1 ttl=64 time=0.1 ms

so I'm not sure why X-Spam-Relays-Trusted is empty.

>Fix that, as I told you before, and quit worrying about stdin.

Sorry, I think I said that twice because I was following up on two
sub-threads. I did try using trusted_networks when I first read that
message, with the same results as above; not sure what the problem is.

>> Shouldn't the default be, if nothing is trusted, test the first
>> relay?
>
>No, because that's not safe.
>
>If there's no trusted Received: headers, SA cannot make any safe assumptions
>about what IPs are or are not a part of your network.

My thinking is (at least) the top one must be reliable; if you cannot trust
your top MTA you could use 127.0.0.1 as trusted or maybe not even use rbl,
but I have no reason to debate this.

>At a very fundamental level it is complete garbage input. There MUST be a
>Received: header that can be trusted. If there are none, the message shouldn't
>be there.

Well, got to agree there.
// George

--
George Georgalis, systems architect, administrator <IXOYE><
http://galis.org/ cell:646-331-2027 mailto:[EMAIL PROTECTED]
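The trust decision the thread is arguing about can be reproduced with a small model of the rule: walk the parsed relay records from the topmost header downward, treat a hop as trusted only while its source `ip=` falls inside `trusted_networks`, and put every hop at or below the first untrusted one into the untrusted list. The script below is an added illustration written for this page, not SpamAssassin's own parser; it consumes the `received-header: parsed as [ ... ]` debug format shown in the thread. The one-hop input is constructed to match the message (with the documentation address 203.0.113.71 standing in for the obfuscated 83.x2.166.71), and the two-hop input, the internal host 192.168.80.10, and the hostname eac71.example.net are assumptions added to show where the trust boundary lands when an internal hop exists.

```python
import ipaddress
import re

# The trusted_networks line quoted in the message, split into entries.
TRUSTED_NETWORKS = ["127.0.0.1", "66.250.170.208/28", "192.168.80.0/24"]

# Constructed one-hop sample mirroring the debug output in the thread.
# 203.0.113.71 (RFC 5737 documentation space) stands in for 83.x2.166.71.
ONE_HOP = [
    "debug: received-header: parsed as [ ip=203.0.113.71 rdns=eac71.example.net "
    "helo=eac71.example.net by=sta.galis.org ident= envfrom= intl=0 id= auth= ]",
]

# Constructed two-hop sample (assumption): sta.galis.org (192.168.80.50) hands the
# message to an internal scanner host, so the topmost hop comes from a trusted IP.
TWO_HOP = [
    "debug: received-header: parsed as [ ip=192.168.80.50 rdns=sta.galis.org "
    "helo=sta.galis.org by=scanner.galis.org ident= envfrom= intl=0 id= auth= ]",
] + ONE_HOP

RECORD_RE = re.compile(r"parsed as \[(.*?)\]")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_relays(lines):
    """Turn 'parsed as [ key=value ... ]' debug lines into dicts, topmost hop first."""
    relays = []
    for line in lines:
        m = RECORD_RE.search(line)
        if m:
            relays.append(dict(FIELD_RE.findall(m.group(1))))
    return relays


def parse_networks(entries):
    """Accept bare addresses or CIDR blocks, as trusted_networks does."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def ip_is_trusted(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def split_trust(relays, networks):
    """Trusted hops are a prefix of the list: once a hop's source IP is outside
    trusted_networks, that hop and everything below it are untrusted."""
    trusted, untrusted = [], []
    boundary_crossed = False
    for relay in relays:
        if not boundary_crossed and ip_is_trusted(relay["ip"], networks):
            trusted.append(relay)
        else:
            boundary_crossed = True
            untrusted.append(relay)
    return trusted, untrusted


def format_relays(relays):
    """Render relays the way the X-Spam-Relays-* metadata lines do."""
    return " ".join(
        "[ " + " ".join(f"{k}={v}" for k, v in r.items()) + " ]" for r in relays
    )


def classify(lines, entries=TRUSTED_NETWORKS):
    """Return (X-Spam-Relays-Trusted, X-Spam-Relays-Untrusted) as strings."""
    trusted, untrusted = split_trust(parse_relays(lines), parse_networks(entries))
    return format_relays(trusted), format_relays(untrusted)


if __name__ == "__main__":
    for label, lines in (("one hop", ONE_HOP), ("two hops", TWO_HOP)):
        t, u = classify(lines)
        print(f"{label}: X-Spam-Relays-Trusted: {t}")
        print(f"{label}: X-Spam-Relays-Untrusted: {u}")
```

With the one-hop input the trusted list stays empty, matching the debug output in the message: the only hop's source IP is the external ADSL client, and neither 66.250.170.208/28 nor 192.168.80.0/24 contains it. The `by=` host is never consulted by this rule, so an entry for sta.galis.org's address in `trusted_networks` only has an effect once there is a hop in which that host is the connecting side, as in the two-hop input, where the internal hop lands in the trusted list and the external one remains untrusted.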