Bowie Bailey wrote:


>> X-Spam-Score: 6.87 (******) (required=4)
>> tests=CLICK_BELOW,EXCUSE_3,FREE_CONSULTATION,MAILTO_TO_REMOVE,
>> NO_OBLIGATION,ONE_TIME_MAILING,REMOVE_IN_QUOTES,REMOVE_SUBJ,RISK_FREE


> I don't see ALL_TRUSTED, so apparently this email originated outside
> of your network.  Otherwise, there are no tests listed here that would
> be affected by your trusted_networks settings.

It's definitely coming from an external network.

From the beginning, I've tried to emphasize that each of the servers in question is hosted in a different co-lo facility, with completely different blocks of IP addresses. We control all the servers, and they're definitely trusted, but they're not local to each other.



> That looks like a faked header.  Is your server really called
> "alpha.example.com"?

Real data redacted for security reasons. I don't have the freedom to be more detailed in a public discussion. Yes, I know it makes troubleshooting more difficult this way.


[ ... ]


> As I said above, this looks like a normal email coming from outside of
> your network.  If it really originated inside your network, then you
> need to fix your trusted_networks.  Beyond that, everything looks
> normal as far as I can tell from the information provided.

As noted, the message definitely originates in a different network.

Let me make sure I have the problem definition correct --

We have servers in several co-lo facilities, and each server hosts several domains, each with its own IP address. As noted, the domains and the servers are trusted, but they're in separate networks.

The problem that we do have is that when we list our domains via whitelist_from, then incoming mail with forged From: lines that show one of those domains (typically, the same domain as the addressee) is given a free pass.

For this, there's no reason to trust the From: line as being valid, because it's so easily forged. However, if the message is coming from known trusted IP addresses, then that's reason to give the message a pass, and either have SA give a low score, or not run SA at all.

In short, in the question of how the message is handled, we want to trust the server IP address, but assume that the From: line is probably forged.

From this discussion, I think I'm trying to do something outside the scope of what SA is designed to do, and the better way of getting there is the suggestion of doing it via MIMEDefang, and bypassing the call to SA altogether if the message is coming from a trusted (but non-local) server.

Thanks for taking the time to help on this one.  I really appreciate it.

Smith
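The decision the poster describes, trusting the relay IP while treating the From: line as forged, can be written down as a small filter. The block below is an added example for this thread, not code from SpamAssassin or MIMEDefang. The netblocks 192.0.2.0/24 and 198.51.100.0/24, the host names, the three sample messages and the function names (`peer_is_trusted`, `last_external_relay`, `scanning_decision`) are all constructed for illustration. It shows the two views a filter can take: the SMTP peer address the MTA already knows (what MIMEDefang hands a filter as `$RelayAddr`), and a walk of the Received: chain of the kind SpamAssassin does with `trusted_networks`, which stops at the first hop outside the trusted blocks so that a Received: line forged by the sender cannot earn trust.

```python
"""Relay-IP-based bypass of spam scanning, ignoring the From: header.

Added example for the discussion above; this is not SpamAssassin's or
MIMEDefang's own code.  The netblocks, host names and sample messages are
constructed for illustration.
"""
import email
import ipaddress
import re
from typing import Optional

# Hypothetical netblocks of the co-lo servers we control.  They are trusted
# relays even though they are not local to the receiving MTA.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),     # co-lo A (hypothetical)
    ipaddress.ip_network("198.51.100.0/24"),  # co-lo B (hypothetical)
]

# Bracketed IPv4 literal that MTAs stamp into Received: headers.
_RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def _trusted(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in net for net in TRUSTED_NETWORKS)


def peer_is_trusted(peer_ip: str) -> bool:
    """MIMEDefang-style check: the MTA knows the SMTP peer's IP directly
    (MIMEDefang exposes it to the filter as $RelayAddr), so no header
    parsing is needed.  This is the one input a remote sender cannot forge."""
    return _trusted(ipaddress.ip_address(peer_ip))


def last_external_relay(raw_message: str) -> Optional[str]:
    """SpamAssassin-style walk of Received: headers, newest first.

    The first hop whose IP is outside TRUSTED_NETWORKS is the last external
    relay.  Everything below it was written by an untrusted party and is
    ignored, so a forged "Received: from alpha.example.com [192.0.2.10]"
    line inserted by the sender cannot earn trust.  Returns None when every
    hop is trusted (the case SpamAssassin reports as ALL_TRUSTED)."""
    msg = email.message_from_string(raw_message)
    for header in msg.get_all("Received", []):
        m = _RECEIVED_IP.search(header)
        if m is None:
            continue  # hop without a bracketed IP (e.g. local pickup); skip
        ip = ipaddress.ip_address(m.group(1))
        if not _trusted(ip):
            return str(ip)
    return None


def scanning_decision(raw_message: str) -> str:
    """'bypass' when the message came only through our trusted relays,
    'scan' otherwise.  From: is deliberately never consulted: it is
    trivially forged, and the relay IP is the property worth trusting."""
    return "bypass" if last_external_relay(raw_message) is None else "scan"


# Constructed sample 1: relayed between two of our own co-lo servers.
MSG_FROM_TRUSTED_RELAY = (
    "Received: from alpha.example.com (alpha.example.com [192.0.2.10])\n"
    "\tby mx.example.com (Postfix) with ESMTP id AAAA\n"
    "Received: from beta.example.com (beta.example.com [198.51.100.7])\n"
    "\tby alpha.example.com (Postfix) with ESMTP id BBBB\n"
    "From: billing@example.com\n"
    "To: user@example.com\n"
    "Subject: Invoice\n"
    "\n"
    "Legitimate internal mail.\n"
)

# Constructed sample 2: outside sender forging a From: in our own domain,
# which whitelist_from alone would have waved through.
MSG_FORGED_FROM = (
    "Received: from mail.sender.invalid (unknown [203.0.113.5])\n"
    "\tby mx.example.com (Postfix) with ESMTP id CCCC\n"
    "From: billing@example.com\n"
    "To: user@example.com\n"
    "Subject: One time mailing\n"
    "\n"
    "Click below. No obligation, risk free.\n"
)

# Constructed sample 3: same sender, who also inserted a fake Received:
# line claiming the mail passed through alpha.example.com.
MSG_FORGED_RECEIVED = (
    "Received: from mail.sender.invalid (unknown [203.0.113.5])\n"
    "\tby mx.example.com (Postfix) with ESMTP id DDDD\n"
    # The next hop was supplied by the sender, not stamped by our MTA.
    "Received: from alpha.example.com (alpha.example.com [192.0.2.10])\n"
    "\tby mail.sender.invalid with ESMTP id EEEE\n"
    "From: billing@example.com\n"
    "To: user@example.com\n"
    "Subject: One time mailing\n"
    "\n"
    "Click below. No obligation, risk free.\n"
)


if __name__ == "__main__":
    for name, raw in (("trusted relay", MSG_FROM_TRUSTED_RELAY),
                      ("forged From:", MSG_FORGED_FROM),
                      ("forged Received:", MSG_FORGED_RECEIVED)):
        print(f"{name:18} external relay={last_external_relay(raw)!s:12} "
              f"decision={scanning_decision(raw)}")
```

Two practical notes. First, the bypass is only as safe as the peer address it keys on: take it from the MTA (MIMEDefang's `$RelayAddr`) or from the topmost Received: header that your own MX stamped, never from a header lower in the chain. Second, SpamAssassin itself does not require `trusted_networks` to be local; it accepts any list of CIDR blocks, so the remote co-lo ranges can be listed there, and `whitelist_from_rcvd` ties a whitelisted From: address to the reverse DNS of the last external relay rather than to the header alone, which is the same IP-over-From: preference expressed inside SA rather than in the MIMEDefang filter.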
