Okay, thanks for the explanation. I was hoping to have a way of whitelisting certain servers from all DNSBL tests - but they are servers that are not within my control, not my own local server, and thus inappropriate to add them to internal_networks. And I don't want to remove my own server from trusted_networks as that would have other negative consequences.
Basically, I have some custom rulesets that I want to use to check the connecting IP against the zz.countries.nerd.dk countries list. But I don't want to check all of the IPs that the emails have passed through - I only want to check the IP that connected to my own server - hence, I should use -lastexternal, right??! But at the same time, I'd like to have the ability to whitelist certain other servers so that they are not included in this country check. E.g. maybe I want to block all emails that come from an IP in China (where the IP is the one connecting to me), *BUT* I want to exclude a particular server in China that is used by a friend who I trust, for example. How could I do that?

Well, I guess I could make a meta rule that combines my zz.countries.nerd.dk rules with something else that prevents those rules from working if the trusted IP is found within the Received header or something - but that would be fiddly, and would be a nuisance if I had a whole bunch of IPs that I wanted to whitelist. It would obviously be much easier if I could simply trust/exclude from testing all the IPs listed in trusted_networks. Any ideas?

Cheers,
Jeremy

"Matt Kettler" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> Jeremy Fairbrass wrote:
>> Hi all,
>> It says at
>> http://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Conf.html#network_test_options
>> that when an IP address is added to a 'trusted_networks' entry (e.g. in
>> local.cf), "DNS blacklist checks will never query for hosts on these
>> networks".
>>
>> However, from what I can see (using SA 3.1.5), if I have a check_rbl rule
>> and the set name ends with -lastexternal, then SA will still do a DNSBL
>> lookup on the "lastexternal" IP address even though that IP address is
>> added to my trusted_networks. Surely it should not do this?
>>
>> Is this correct, and is there any way around it, such that any IP address
>> added to trusted_networks is NEVER checked by a check_rbl rule,
>> regardless of whether -lastexternal is used or not?
>>
>
> Technically, that documentation is mistaken, slightly.
>
> Trusted hosts are immune to MOST DNSBL tests. However in -notfirsthop
> and -lastexternal only members of internal_networks are immune.
>
> If you really need a host to be immune to ALL dnsbl checks, it needs to
> be in both.
>
> If you have a server that you operate and want it to be able to receive
> mail from dynamic IPed hosts, make it a member of trusted_networks, but
> not a member of internal_networks. This will cause the "lastexternal"
> test to apply to the server, not the dynamic hosts, and the server
> itself will not be checked against other RBLs.
>
>
>> Cheers,
>> Jeremy
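An added local.cf example, not from the thread and not SpamAssassin's own rule set, that puts Matt's trusted_networks/internal_networks advice and Jeremy's meta-rule idea together: the country lookup is restricted to the connecting relay with a -lastexternal set, and particular servers are excluded inside the rule rather than by trusting them. The network 192.0.2.0/24 (the local MX), the addresses 203.0.113.25 and 203.0.113.26 (the friend's servers) and all rule names are placeholders.

```text
# local.cf fragment (added example; addresses and rule names are placeholders).
# 192.0.2.0/24 = my own MX, 203.0.113.25/26 = the friend's servers in China.

# My own server goes in BOTH lists. As explained in the thread, trusted_networks
# alone does not exempt a host from -lastexternal / -notfirsthop sets; only
# internal_networks does.
trusted_networks  192.0.2.0/24
internal_networks 192.0.2.0/24

# The friend's servers deliberately go in NEITHER list: they must stay "external"
# so that they are the last external relay, and so that mail they forward is
# not trusted wholesale.

# Sub-rule (the leading __ means it carries no score of its own). The
# -lastexternal suffix on the set name limits the lookup to the relay that
# connected to my trusted boundary. zz.countries.nerd.dk answers
# 127.0.<cc/256>.<cc%256> where cc is the ISO 3166-1 numeric code; China is
# 156, hence 127.0.0.156. Further countries can share the same set (and the
# same single DNS query) via check_rbl_sub('countries-lastexternal', '127.0.x.y').
header   __RCVD_CN_LASTEXT  eval:check_rbl('countries-lastexternal', 'zz.countries.nerd.dk.', '127.0.0.156')
tflags   __RCVD_CN_LASTEXT  net

# Exclusion list. X-Spam-Relays-External is a pseudo-header SpamAssassin builds
# from the Received chain, most recent relay first, so the ^\[ ip=... anchor
# matches only the connecting IP. Add one alternative per server to exclude.
header   __CN_FRIEND_RELAY  X-Spam-Relays-External =~ /^\[ ip=(?:203\.0\.113\.25|203\.0\.113\.26) /

# Scored meta: connecting relay is in China AND is not one of the excluded hosts.
meta     RCVD_CN_NOT_FRIEND (__RCVD_CN_LASTEXT && !__CN_FRIEND_RELAY)
describe RCVD_CN_NOT_FRIEND Connecting relay geolocates to China and is not an excluded host
score    RCVD_CN_NOT_FRIEND 3.0
```

After editing, run `spamassassin --lint` to catch syntax errors, then `spamassassin -D -t < message.eml` on a message that came in via one of the friend's servers: the debug output should show a single lookup against zz.countries.nerd.dk for that IP and only that IP, and RCVD_CN_NOT_FRIEND should not appear in the hit list. Note that this keeps the exclusion out of the trust path entirely, so the friend's server never gains the other effects (whitelist_from_rcvd matching, relaying-through-trusted treatment) that adding it to trusted_networks would bring.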