Matt Kettler wrote:
Why do neither of those options make sense? I do both in my network,
albeit that version SPF is only in my internal view, and I actually
use 10.xx.0.0/16 not 10/8. (I only use a /16, not the whole /8)

Is there some detail that's missing here? i.e.: do you have a compelling
reason to not trust your internal hosts using 10/8?

Side note:
There is no risk of "trusting everyone's email" when you add 10/8 to
your trusted_networks. This is because trust in spamassassin is a chain
that must be unbroken to work. Once a message has been handled by an
untrusted host, you can't trust any earlier Received: headers.

Take an example where email comes from the outside (headers simplified,
it's an example...):

    Received from trusted_host.jrhett.com [64.13.143.10] by
        sa_box.jrett.com; 12:02:00 +0000
    Received from example.somoutsidedomain.com[1.1.1.1] by
        trusted_host.jrhett.com; 12:01:00 +0000
    Received from insideclient.someoutsidedomain [10.1.1.1] by
        example.somoutsidedomain.com; 12:00:00 +0000

Here, spamassassin will trust "trusted_host.jrhett.com [64.13.143.10]",
because it's been configured to do so. However, it does not trust
example.somoutsidedomain.com[1.1.1.1].

Because example.somoutsidedomain.com[1.1.1.1] is untrusted,
insideclient.someoutsidedomain [10.1.1.1] is also untrusted, even though
10/8 is in trusted_networks.
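
The chain rule described in the message above, as an added example that is not part of the original post and is not SpamAssassin's own code. It is a simplified model that parses only the post's simplified header shape; the `TRUSTED` list and the `FROM_INSIDE` headers are constructed assumptions.

```python
import ipaddress
import re

# Simplified header shape used in the post: "Received from HOST [IP] by HOST; TIME"
RECEIVED_RE = re.compile(r"Received from\s+([^\s\[]+)\s*\[([0-9.]+)\]\s+by\s+([^\s;]+)")


def classify_relays(headers, trusted_networks):
    """Walk headers newest-first; return [(relay_host, relay_ip, trusted)].

    A relay is trusted only if its IP is in trusted_networks AND every
    newer relay was trusted too. The first miss breaks the chain for good.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    chain_intact = True
    results = []
    for line in headers:
        m = RECEIVED_RE.match(line)
        try:
            addr = ipaddress.ip_address(m.group(2)) if m else None
        except ValueError:
            addr = None
        if addr is None:
            # Unparseable header or bad IP: nothing older can be verified.
            chain_intact = False
            results.append((None, None, False))
            continue
        chain_intact = chain_intact and any(addr in net for net in nets)
        results.append((m.group(1), m.group(2), chain_intact))
    return results


# Assumed config: the relay the post calls trusted, plus 10/8.
TRUSTED = ["64.13.143.10/32", "10.0.0.0/8"]

# Headers from the post, newest first (hostnames copied as written there).
FROM_OUTSIDE = [
    "Received from trusted_host.jrhett.com [64.13.143.10] by sa_box.jrett.com; 12:02:00 +0000",
    "Received from example.somoutsidedomain.com[1.1.1.1] by trusted_host.jrhett.com; 12:01:00 +0000",
    "Received from insideclient.someoutsidedomain [10.1.1.1] by example.somoutsidedomain.com; 12:00:00 +0000",
]

# Constructed contrast case: a 10/8 client handing mail straight to the trusted relay.
FROM_INSIDE = [
    "Received from trusted_host.jrhett.com [64.13.143.10] by sa_box.jrett.com; 12:02:00 +0000",
    "Received from insideclient.internal.example [10.1.1.1] by trusted_host.jrhett.com; 12:01:00 +0000",
]
```

The same 10.1.1.1 address comes out untrusted in `FROM_OUTSIDE` and trusted in `FROM_INSIDE`; the only difference is whether an untrusted relay sits between it and the trusted hosts.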