Mathias Homann wrote:
> Hi,
>
> I'm having a bit of trouble with ALL_TRUSTED hits on spam, can someone give me a hand here?
>
> the situation is like this:
>
> box A has an address in a 10.x.y/24 subnet, and is (sort of) connected to the internet by
> destination nat'ing on our firewall, and is our external mail relay, running postfix 2.0.16.
> All mails to valid addresses are forwarded to box B which sits on a different 10.a.0.0/16
> subnet, and is our internal mail router running postfix 2.2.10, spamassassin 3.1.7 and
> kaspersky antivirus, and then forwarding most of the mail to our notes server, some of the
> mails to an apple xserv, some to our otrs ticket server, and some are delivered into local
> mailboxes.
>
> now, whenever a spam mail is directly fed to box A from the spam source, instead of going
> through some open relays on the internet first, it gets hit by ALL_TRUSTED, because the very
> first Received: header that contains an ip address then has a private rfc address.
>
> What do I put into trusted_relays and/or internal_networks to get around that?

Put your IPs into trusted_networks, no more, no less.

Basically what's happening is SA by default assumes that if it sees a non-routable IP, the first routable IP must also be a part of your network, and any non-routable that can talk to that IP must also be a part of your network. However, if you're doing destination nat or static nat on your mailserver, the first external is actually an Internet host, which breaks the auto-guesser. Thus, you need to manually declare trusted networks.

See also: http://wiki.apache.org/spamassassin/TrustPath
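
A simplified model of the trust guess described in the reply above, added here as an illustration; it is not part of the original thread and not SpamAssassin's own code. All addresses are constructed samples (the thread elides the real ones) and the function names are hypothetical.

```python
from ipaddress import ip_address, ip_network

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample addresses; the thread elides the real ones.
BOX_A, BOX_B = "10.1.2.25", "10.9.0.5"
SPAM_SOURCE, OPEN_RELAY = "203.0.113.77", "198.51.100.9"

# Received chains as box B sees them, newest hop first: (from_ip, by_ip).
DIRECT = [(BOX_A, BOX_B), (SPAM_SOURCE, BOX_A)]
VIA_RELAY = [(BOX_A, BOX_B), (OPEN_RELAY, BOX_A), (SPAM_SOURCE, OPEN_RELAY)]


def is_private(ip):
    return any(ip_address(ip) in net for net in RFC1918)


def inferred_trust(chain):
    """Guess made with no trusted_networks set, as the reply describes it."""
    flags, trusting, edge_guessed = [], True, False
    for from_ip, by_ip in chain:
        if trusting and is_private(from_ip):
            flags.append(True)
        elif trusting and not edge_guessed and is_private(by_ip):
            # First routable IP talking to a private host: assumed to be ours.
            flags.append(True)
            edge_guessed = True
        else:
            trusting = False
            flags.append(False)
    return flags


def explicit_trust(chain, trusted_networks):
    """Trust only hops whose sender is inside the declared networks."""
    nets = [ip_network(n) for n in trusted_networks]
    flags, trusting = [], True
    for from_ip, _by_ip in chain:
        trusting = trusting and any(ip_address(from_ip) in n for n in nets)
        flags.append(trusting)
    return flags


def all_trusted(flags):
    """ALL_TRUSTED fires when no hop in the chain is untrusted."""
    return bool(flags) and all(flags)


if __name__ == "__main__":
    ours = ["10.1.2.0/24", "10.9.0.0/16"]  # constructed stand-ins for both subnets
    print("guessed, direct spam:  ", all_trusted(inferred_trust(DIRECT)))
    print("declared, direct spam: ", all_trusted(explicit_trust(DIRECT, ours)))
```

The relayed chain shows why only directly delivered spam was affected: the guess spends its one "first routable IP" on the outside relay, so the real source still ends up untrusted.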