Martin von Gagern wrote:
To look at it from a different angle, whether or not an X-Authenticated
header has any special meaning at all probably depends on the MTAs in
the chain, so special knowledge is needed to be sure. And with the same
kind of knowledge you'd know that mail.gmx.net is not the MX for the
final destination, hence it's the sender's MSA, hence treat this as the
originating IP.
I know of no perfect solution, but maybe the X-Authenticated header
might be a useful rule to include, with a negative score, not as an
absolute fact but rather as an idication some check might have occurred.
So long as the "problem relays" are acting solely as MSAs and never MXes
for your mail this patch will solve your problem:
http://people.apache.org/~dos/sa-patches/msa_networks.3.1
Regards,
Daryl
