Mark Martinec wrote:
According to SA docs on trusted/internal_networks, the
MSA is to be included in the trusted_networks list, and not in
internal_networks.
Now the question. A mail submitted to MSA from an external
authenticated client (which also happens to be DUL-listed) uses
a sender address of our domain (as it should be, according to SPF docs).
The SPF check (as done by SA) submits this foreign IP address to SPF,
which naturally claims it is a forgery. This is clearly wrong: the IP address
submitted to SPF should be that of MSA, or SPF check should be
skipped altogether.
MSA listed in x_networks:

trusted  internal
0        0         SPF ok, no DUL hit
0        1         SPF ok, no DUL hit
1        0         SPF fails, no DUL hit
1        1         SPF fails, DUL hits

http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4661
Until a patch is made available, a workaround is to use SMTP/POP-auth to
extend the trusted_networks to all authenticated users (and not use a
separate list of hosts in internal_networks).
Daryl