David B Funk wrote:
On Fri, 26 Jan 2007, Daryl C. W. O'Shea wrote:
Some of my incoming mesasges involve messages forwarded to my server via a rule
from accounts that some of my clients have on other ISPs mail servers. For such
incoming messages, I have been creating a temporary copy of the message where
all headers that were ADDED by either the other ISP and/or my server are
removed so that the message is brought back to the state that it was in when
originally sent by the original sender (just prior to the ISP's mail server
received it). This way, SA can work with that the potential spammer actually
sent, without any received headers added.
But is that really necessary? Or would I get the same results if, under my
configuration described above, I just left the extra added headers in there?
To get the same functionality without stripping headers you'd have to
add the forwarders' IPs to your trusted and internal networks config.
Pardon my confusion, but wouldn't it be sufficient to just add them to
the trusted networks list? (IE not adding them to internal too).
If you haven't already defined internal_networks, yes, since
internal_networks will default to whatever you use for trusted_networks.
Having them in both trusted and internal networks is more similar to
stripping the received headers than having them in trusted but not internal.
IIUR, internal networks are for clients that will source messages,
trusted is for MTAs that feed you. Am I missing something?
I think you are.
- for something to be internal it has to be trusted
(you can't have an internal but not trusted relay)
- relays that act as MXes need to be both trusted and internal
- all relays between an MX and SA need to also be both trusted and
internal
Adding the forwarding situation described:
- the MX for the account forwarding to the local account is acting
as an MX for the final destination account (forwarding is messy)
- all relays between an MX (the one for the account forwarding to
the local account) and SA (thus all relays between the remote MX
and your MX) need to be both trusted and internal
On the submission side (not involved in the original question) it goes
something like this:
- if the MSA isn't an MX or internal relay between an MX and SA
you want it to be trusted but not internal; otherwise it has to
be both trusted and internal and you'd better have auth tokens
in the received headers (or be using the POPAuth plugin)
Daryl
