Jo Rhett wrote:
> Matt Kettler wrote:
>>> There's nothing in trusted networks, I don't trust anything...
>> Jo, that's impossible in spamassassin. You cannot have an empty trust,
>> it doesn't make any logical sense, and would cause spamassassin to
>> fail miserably.
> I should rather have said trust is only localhost.
>> If you don't declare a trusted_networks, SA will auto-guess for you.
>> (And the auto-guesser is notorious for failing if your MX is NAT mapped.)
>> And please, understand that "trust" here means "trusted to never
>> forge a received header", not "trusted to never relay any spam".
> I know this.
>> In spamassassin, under-trusting is BAD. It is just as bad as
>> over-trusting. SA needs at least one trustworthy received header to
>> work with.
> How and why? Are you saying I *must* have a 2nd-level MX host for SA
> to work? That's not my experience, and 2-layer relays are backscatter
> sources. Milter from the local MTA works just fine.

No, you don't need a second-level MX. However, to work properly, SA must
trust everything up to and including your MX, and all your trusted
mailservers need to generate Received: headers that SA can then make
sense of.

>> Also, to work properly, SA needs to be able to determine what is a
>> part of your network, and what isn't. Unless you declare
>> internal_networks separately, it bases internal vs external on the
>> trust.
> There is no network. There is only a single host. I don't control
> any other host on the subnet.
>> "trust no-one" is NOT a valid option, and would actually result in the
>> problem you're suffering from. After all, if no headers are trusted,
>> all email comes from no server, so SA would never be able to tell the
>> difference between an email you really sent, vs a forgery from the
>> outside.
> This statement parses as nonsense. SA can't parse an e-mail because
> it doesn't trust the source? Isn't that all e-mail?

Erm, how did you mis-parse that statement?

This isn't about SA trusting the originating source of the message.
It's about SA trusting that at least one trusted mailserver actually
received the message. I.e. the message has to have actually arrived at
your server, and not been transplanted from nowhere by magic.

If there's no trusted headers, then all messages are equally magic to
SA, and it will never distinguish mail you sent as compared to mail an
outsider forged as you.
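As an added illustration (not code from this thread or from SpamAssassin itself), here is a minimal Python model of the trust-path walk Matt describes: Received: headers are read newest-first, a hop stays trusted while the handing-off IP is in trusted_networks, and the first untrusted hop is the "last external" relay. The hostnames, IPs and header lines are constructed, and the parser is a simplification of what SA really does.

```python
import ipaddress
import re

# Simplified model of SpamAssassin's trust walk (assumption: real SA parses far
# more Received: syntax than this). A relay is trusted while the IP that handed
# the message over lies in trusted_networks; the first untrusted relay is the
# "last external" hop. If every hop is trusted, the mail never crossed the
# trust boundary (the ALL_TRUSTED situation).
RECEIVED_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+(\S+)")

def parse_relays(received_headers):
    """Return (handing_ip, receiving_host) per Received: header, newest first."""
    relays = []
    for hdr in received_headers:
        m = RECEIVED_RE.search(hdr)
        if m:
            relays.append((ipaddress.ip_address(m.group(1)), m.group(2)))
    return relays

def last_external(received_headers, trusted_networks):
    """IP of the first untrusted relay, or None when all hops were trusted."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    for ip, _host in parse_relays(received_headers):
        if not any(ip in net for net in nets):
            return str(ip)
    return None

# Constructed sample 1: mail our own server submitted, as the MX records it.
LOCAL_MAIL = [
    "from mail.example.org (mail.example.org [203.0.113.5]) by mx.example.net with ESMTP",
    "from webapp (localhost [127.0.0.1]) by mail.example.org with ESMTP",
]
# Constructed sample 2: an outside host delivers a message that already carries
# a header claiming our server handled it; the MX prepends the real hop on top.
FORGED_MAIL = [
    "from outside.invalid (unknown [198.51.100.9]) by mx.example.net with ESMTP",
    "from mail.example.org (mail.example.org [203.0.113.5]) by mx.example.net with ESMTP",
]
TRUST_MX = ["203.0.113.5/32", "127.0.0.1/32"]  # trust up to and including the MX
TRUST_NONE = []                                 # the "trust no-one" setting

if __name__ == "__main__":
    for label, trust in (("trust MX", TRUST_MX), ("trust nothing", TRUST_NONE)):
        print(label, "local ->", last_external(LOCAL_MAIL, trust),
              "| forged ->", last_external(FORGED_MAIL, trust))
```

With the MX trusted, locally sent mail yields no external relay while the forgery resolves to 198.51.100.9; with nothing trusted, our own mailserver is reported as the external relay, so both messages look like they came from outside.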