internal_networks & trusted_networks

Fri, 16 Jan 2009 10:30:48 -0800

I've read archived posts here and elsewhere about this subject, and I'm still confused. And the log messages from SA confuse me further. So I figured I'd ask directly how this should be set up.
I'm running my own mail server at artg.tv, and my wife and I can receive email through it. My wife and I also have email accounts with Eclipse Internet (now owned by Netcarrier), our old dial-up ISP, which remain our "public" email accounts. 


On a CentOS 4.7 machine, I have set up postfix and UW IMAP to serve 
artg.tv. We use IMAP (Alpine 2.00) to read and send mail through this 
server. A few weeks ago I set up fetchmail and procmail on the same 
machine to collect mail from eclipse.net, and send it to artg.tv (delivery 
of fetched mail to artg.tv is via SMTP, as I didn't want to figure out how 
to manage local delivery). This seems to be working just swell.



During the past week or so, I've installed SA and I have been 
experimenting with the setup. At the moment, it is using DCC, pyzor, 
Razor2 and Bayes, and they all seem to be working OK. I've added SPF, and 
that's where I'm seeing things I just don't understand.



Netcarrier has three relays, mx01. mx02 and mx03.netcarrier.net. I have 
the IP address for these in trusted_networks in local.cf. I also have the 
IP of the Centos 4.7 machine, which is behind my Linksys router (NAT 
firewall) listed in both internal_networks and trusted_networks. This 
seemed to be the right thing to do after having read all I could find and 
digest on this topic.



However, it looks as if SPF is testing the MX addresses, and not the 
original sender's address. Here is an oft-repeated snipped from 
/var/log/maillog:



spamd[3393]: spamd: connection from localhost.localdomain [127.0.0.1] at port 32942 
spamd[3393]: spamd: setuid to tina succeeded 
spamd[3393]: spamd: processing message <20090116093946.3946c9d28...@mx25.onewithaura.com> for tina:501 
spamd[3393]: spf: checking to see if the message has a Received-SPF header that we can use 
spamd[3393]: spf: checking HELO (helo=mx01.netcarrier.net, ip=216.178.94.71) 
spamd[3393]: spf: query for /216.178.94.71/mx01.netcarrier.net: result: none, comment: , text: No applicable sender policy available 
spamd[3393]: spf: already checked for Received-SPF headers, proceeding with DNS based checks 
spamd[3393]: spf: relayed through one or more trusted relays, cannot use header-based Envelope-From, skipping 
spamd[3393]: spf: def_spf_whitelist_from: already checked spf and didn't get pass, skipping whitelist check 
sarah spamd[3393]: spf: whitelist_from_spf: already checked spf and didn't get pass, skipping whitelist check


Why is SPF testing mx01.netcarrier.net, rather than mx25.onewithaura.com?

Thanks ...

--
Art Greenberg
a...@eclipse.net















    











					Reply via email to