Daryl C. W. O'Shea wrote:
> [sent to just me, BTW]

Must have hit the wrong reply button...

> Bowie Bailey wrote:
> > Daryl C. W. O'Shea wrote:
> > > Bowie Bailey wrote:
> > > >
> > > > You should also list any other mail servers that accept mail for
> > > > your domain. This includes email gateways and relays under your
> > > > control. This can also include your ISP's mailservers, but if
> > > > you do that, make sure to specify internal_networks separately
> > > > and leave the ISP's servers out of that one.
> > >
> > > Your ISP's mail servers, if they are accepting mail on your
> > > behalf, need to be included in your internal_networks too.
> > >
> > > ANY server from an MX accepting mail on your behalf all the way to
> > > your SA machine needs to be both trusted and internal.
> >
> > An ISP's mailserver frequently also accepts direct connections from
> > their users' dialup systems. You can only put them in the internal
> > list if you are sure they don't do this or if they include the
> > authentication info in the Received header. Otherwise, you will get
> > RBL hits (from the dialup IP lists) on any email from the ISP's
> > other customers.
>
> Nope, you still need to include them in internal_networks, otherwise
> tests that rely on knowing exactly where the hand-off from the sender
> to the receiver is won't work (like SPF-based whitelists) and will
> probably trigger FPs (like SPF_FAIL).
>
> If an ISP is small enough that it uses the same server for MSA and MX
> functions then they're most certainly small enough that you can easily
> include their entire netblocks in trusted/internal networks too.
>
> Again, if you want SA to function (the most) correctly, you need to
> include all hosts from your MX to the SA machine in trusted and
> internal networks.

From the man page:

Trusted relays that accept mail directly from dial-up connections
should not be listed in "internal_networks". List them only in
"trusted_networks".

And the caveat that is not in the man page:

... unless all MSA traffic is authenticated and the authentication
information is in the headers.

My point was simply that you need to be careful. Since that server is
not under your control, you need to make sure you know what it is doing
so you know the right place to list it.

-- 
Bowie
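The hand-off point the two of them are arguing about, as an added example (not SpamAssassin's own code): a simplified model of how the chain of Received relays is split by trusted_networks and internal_networks, run over the two configurations from the thread. All IP addresses are constructed, and the ISP server is assumed to be both our MX and a host that takes direct dial-up submissions.

```python
import ipaddress

# Constructed addresses for the scenario in the thread (not real hosts):
ISP_MX = "198.51.100.25"     # ISP server: our MX, also accepts dial-up submissions
REMOTE_MTA = "203.0.113.7"   # a legitimate remote sender's outbound MTA
DIALUP = "203.0.113.200"     # another ISP customer on a dial-up address
OUR_NET = "192.0.2.0/24"     # the network our own SA machine sits in

def in_networks(ip, networks):
    """True if ip falls inside any CIDR or single-host entry in networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)

def last_external(relays, internal_networks):
    """relays: the 'from' IPs of the Received headers, newest first.
    Walk down through the internal hosts; the first relay that is not
    internal is the hand-off point, i.e. the IP that SPF and dial-up
    RBL tests are evaluated against (simplified model of SA's logic)."""
    for ip in relays:
        if not in_networks(ip, internal_networks):
            return ip
    return None  # every hop was internal: no external relay found

def untrusted_relays(relays, trusted_networks):
    """Hops from the first non-trusted relay onward: their Received
    headers cannot be relied on and they are checked against general RBLs."""
    for i, ip in enumerate(relays):
        if not in_networks(ip, trusted_networks):
            return relays[i:]
    return []

def scenarios():
    """Compare 'ISP trusted only' against 'ISP trusted and internal'."""
    via_isp = [ISP_MX, REMOTE_MTA]   # remote MTA -> ISP MX -> our SA box
    from_dialup = [ISP_MX, DIALUP]   # ISP customer submits straight to ISP MX
    configs = {
        "isp_trusted_only": {"trusted": [OUR_NET, ISP_MX], "internal": [OUR_NET]},
        "isp_internal": {"trusted": [OUR_NET, ISP_MX], "internal": [OUR_NET, ISP_MX]},
    }
    return {
        name: {
            "spf_checked_against": last_external(via_isp, cfg["internal"]),
            "dialup_rbl_checked_against": last_external(from_dialup, cfg["internal"]),
            "untrusted_hops": untrusted_relays(via_isp, cfg["trusted"]),
        }
        for name, cfg in configs.items()
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result)
```

With the ISP left out of internal_networks, SPF is evaluated against the ISP's own address (Daryl's SPF_FAIL case); with it included, mail that an ISP dial-up customer submitted directly is evaluated against the dial-up address (Bowie's RBL case).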