Matt:

I finally got the rule to fire by hacking the header. Nothing has changed on
the MTA for years, and it's hard for me to believe all these rules failed in
3.1.7. Maybe they did. My logs don't go back that far (I only save 2 weeks -
sacs be ignored here<g>). Maybe the SA parser is doing something "better"
now that's catching an error my MTA's had for years.

I'll dig further and come up with something. Either a workaround, a fix to
the MTA or a request to understand this received header format.

Btw, your comments about "no rdns" got me to look for the "rdns" lines in
the debug and I found the "dbg: received-header: parsed as ..." lines.

Now, I can hack away at the received header and the user_prefs until I
understand what will and won't parse, and then figure out if there's a
reason to request a change or an easy fix in the MTA.

Thanks for all the help.

Dan

-----Original Message-----
From: Matt Kettler [mailto:[EMAIL PROTECTED] 
Sent: Saturday, January 05, 2008 12:39 PM
To: Dan Barker
Subject: Re: Whitelist_from_rcvd not working

Dan Barker wrote:
> I don't know why you'd think there is no rDNS.
>
> dig -x 169.200.184.174
> Says: sls-sn-smtp-pmail3.wachovia.com.
>
> Is there some place in the received header it needs to be that it's not?
>   
Yes.

Look at SA's parse:

[9060] dbg: metadata: X-Spam-Relays-Untrusted: [ ip=169.200.184.174
rdns= helo=sls-sn-smtp-pmail3.wachovia.com by=mail.visioncomm.net
ident= envfrom= intl=0 id=

Note that "rdns= " part.. that doesn't mean the RDNS equals the helo, it
means there's no RDNS name at all.

Now look at your header:

Received: from 169.200.184.174 (EHLO sls-sn-smtp-pmail3.wachovia.com)
   (169.200.184.174)
   by mail.visioncomm.net with ESMTP (SMTPD32-8.15) id A1253F3B0064;
   Wed, 02 Jan 2008 03:53:57 -0500

The first clause following the from should be the RDNS name in this
qmail-esque format for headers. You've got an IP address there, so SA assumes
there's no RDNS. In fact, looking at that header, where would you expect SA
would be getting the RDNS name from? The only thing resembling a hostname is
the HELO, and that's not trustable.

This style should be formatted as:

from <rdns name> (<helo specifier, optional>) (ip address) by..

Which isn't entirely standard, but it's what qmail does, so SA understands
it. Normally IPs are also in []'s, but qmail doesn't do that..

In your header, both the IP and the reverse DNS clause contain
169.200.184.174, so that's read as there's no RDNS at all.

Compare with this normal qmail generated header:

Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136)
by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 05 Jan 2008 06:58:33 -0800
Or one that's more typical of sendmail/postfix looks like:

Received: from w10.plaxo.com (w10.plaxo.com [10.1.1.19])
 by mx06.plaxo.com (Postfix) with QMQP id 742362806D    
In that format it's

from <rdns name> (<helo name>[<ip address>])

SA should understand either one.
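To make the parse rule concrete, here is an added Python example (not SpamAssassin's own code, and not from either poster) that applies the qmail-style rule described above: the first clause after `from` is taken as the reverse-DNS name, and an IP literal there is recorded as no rDNS, which is why a `whitelist_from_rcvd` entry keyed on the rDNS domain cannot match. The two sample headers are copied from this thread; `whitelist_from_rcvd_matches` is a simplified stand-in for SpamAssassin's real check, not its implementation.

```python
import ipaddress
import re

# qmail/qpsmtpd-style Received line: from <rdns> (HELO <helo>) (<ip>) by <by> ...
QMAIL_STYLE = re.compile(
    r"^(?:received:\s*)?from\s+(?P<first>\S+)\s+\((?:(?:HELO|EHLO)\s+)?(?P<helo>[^)]+)\)"
    r"\s+\((?P<ip>[^)]+)\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

# Both headers are copied from this thread (Dan's broken one and the apache.org one).
DAN_HEADER = """Received: from 169.200.184.174 (EHLO sls-sn-smtp-pmail3.wachovia.com)
   (169.200.184.174)
   by mail.visioncomm.net with ESMTP (SMTPD32-8.15) id A1253F3B0064;
   Wed, 02 Jan 2008 03:53:57 -0500"""
APACHE_HEADER = """Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136)
by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 05 Jan 2008 06:58:33 -0800"""

def is_ip_literal(token):
    """True if the clause is an IPv4/IPv6 address (optionally in []), not a hostname."""
    try:
        ipaddress.ip_address(token.strip("[]"))
        return True
    except ValueError:
        return False

def parse_qmail_received(header):
    """Unfold the header and split it into ip / rdns / helo / by; None if not qmail-style."""
    flat = " ".join(part.strip() for part in header.splitlines() if part.strip())
    m = QMAIL_STYLE.match(flat)
    if not m:
        return None
    first = m.group("first")
    # The first clause after "from" is the reverse-DNS name. An IP literal there
    # means the MTA recorded no rDNS, so rdns stays empty (the "rdns= " in the debug log).
    rdns = "" if is_ip_literal(first) else first
    return {"ip": m.group("ip").strip("[]"), "rdns": rdns,
            "helo": m.group("helo").strip(), "by": m.group("by")}

def debug_line(relay):
    """Render a relay the way the X-Spam-Relays-Untrusted debug output shows it."""
    return "[ ip=%s rdns=%s helo=%s by=%s ]" % (relay["ip"], relay["rdns"], relay["helo"], relay["by"])

def whitelist_from_rcvd_matches(relay, rdns_domain):
    """Simplified stand-in for whitelist_from_rcvd: keyed on the rDNS name only, never the HELO."""
    if not relay["rdns"]:
        return False
    name, domain = relay["rdns"].lower(), rdns_domain.lower()
    return name == domain or name.endswith("." + domain)
```

Running `parse_qmail_received` on Dan's header yields `rdns=""`, so a whitelist entry for `wachovia.com` cannot match even though the HELO carries that domain.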