Roman Serbski wrote:
>
> Thank you Matt,
>
> SA is called globally through qmail-scanner-st. I mean globally since
> I define QMAILQUEUE in /var/qmail/supervise/qmail-smtpd/run file. It
> can be also called from tcp.smtp on IP basis but in this case virus
> protection becomes also disabled which I don't want to. So I'm not
> quite sure how can I not call SA through qmail-scanner for a
> particular IP...
>
> I played yesterday with trusted_networks settings. It looks like it
> only accepts networks and not IPs? If I add the whole "trusted"
> network as trusted_networks I can see that messages being marked with
> "-1.8 ALL_TRUSTED". But if I add IP only - it doesn't work.
Are you sure that adding just that single IP would result in all
mailservers in all the Received: headers being trusted?

ALL_TRUSTED can only happen if all servers are trusted. If there's any
discontinuity, like an untrusted server in the middle, then the
originator cannot be trusted, as the untrusted server might have forged
headers.

Note: this is why I say you can't treat trusted_networks as a
whitelist... you can kinda get ALL_TRUSTED to work that way if you set
things up right, but there's more to consider here than just adding an
IP address. You have to think about the path of trust as SA works its
way backwards in time through the Received: headers.

Also, if you are sure, try adding the single IP with a /32 netmask. Some
older versions of SA had a bug where anything without a netmask did not
work. That was fixed, but for all I know it might have crept back in.
(I myself never use the single-IP format, so I'd never know)
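A simplified model of the trust path Matt describes, added here as an illustration and not taken from SpamAssassin's own code: relays are read from the Received: headers newest-first, trust stops at the first hop outside trusted_networks, and ALL_TRUSTED can only fire when no hop is untrusted. The Received: lines and addresses are constructed samples; a bare IP in trusted_networks is treated as a /32 host.

```python
import ipaddress
import re

# Constructed sample Received: headers (not from the thread), newest relay
# first, as they appear top-to-bottom in a message.
RECEIVED_ALL_TRUSTED = [
    "from mx.example.net (mx.example.net [192.0.2.10]) by mail.example.net",
    "from relay.example.net (relay.example.net [192.0.2.20]) by mx.example.net",
]
# Same trusted edges, but an untrusted relay sits in the middle of the path.
RECEIVED_BROKEN_CHAIN = [
    "from mx.example.net (mx.example.net [192.0.2.10]) by mail.example.net",
    "from unknown (HELO foo) ([203.0.113.5]) by mx.example.net",
    "from relay.example.net (relay.example.net [192.0.2.20]) by unknown",
]

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_trusted_networks(spec):
    """Parse a trusted_networks value; a bare IP becomes a /32 host network."""
    return [ipaddress.ip_network(tok, strict=False) for tok in spec.split()]


def relay_ips(received_headers):
    """Pull the connecting relay's IP out of each Received: header, newest first."""
    found = [IP_RE.search(h) for h in received_headers]
    return [ipaddress.ip_address(m.group(1)) for m in found if m]


def trust_path(received_headers, spec):
    """Walk relays backwards in time.  Once an untrusted hop is hit, every
    older hop is untrusted too, since that relay could have forged the rest.
    Returns (trusted_hops, untrusted_hops) as dotted-quad strings."""
    nets = parse_trusted_networks(spec)
    trusted, untrusted = [], []
    for ip in relay_ips(received_headers):
        if untrusted or not any(ip in n for n in nets):
            untrusted.append(str(ip))
        else:
            trusted.append(str(ip))
    return trusted, untrusted


def all_trusted(received_headers, spec):
    """ALL_TRUSTED only when every relay in the path is trusted."""
    trusted, untrusted = trust_path(received_headers, spec)
    return bool(trusted) and not untrusted
```

Trusting only the edge MX as a /32 is not enough for ALL_TRUSTED when an older relay in the same message is outside the list, which is the "path of trust" point above.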
