Matt Kettler wrote:
> LuKreme wrote:
>
>> On 28-Apr-2009, at 15:38, RW wrote:
>>
>>> It's based on the first routable IP address,
>>>
>> Well, that's a very silly thing for it to be looking at. It should be
>> looking at the LAST routable IP address outside of the trusted
>> network. Looking at the first routable address is completely worthless.
>>
> It's actually based on the last IP not matching your internal_networks.
> If you haven't declared internal_networks or trusted_networks manually,
> then the auto-guesser is going to set it to be the second-to-last
> routable IP (it assumes the last routable is your MX, which may or may
> not be correct depending on how you route/firewall your DMZ.)
>
> Of course, first, or last depends on your perspective. I assume RW was
> thinking of "first" from a "starting at the inside, working backwards in
> time" approach. This is backwards, if you think about the chronology of
> the headers, like SA does. However, it makes sense from a "I'm at my
> server looking outward at the world" point of view that most folks work
> from when thinking about network topologies.
Darnit, I should have checked before sending. The AWL uses the LAST
non-private. This is, IMO, completely broken. Why are we allowing folks
to declare internal_networks if we're not going to use it, and assume
the last non-private is "external"? (Which, mind you, is different from
what the trust-path guesser does. It assumes that IP is your MX.)

Relevant code:

    # relays_trusted/relays_untrusted run newest hop first; reverse() walks
    # the chain from the oldest hop forward
    foreach my $rly (reverse (@{$pms->{relays_trusted}}, @{$pms->{relays_untrusted}})) {
      next if ($rly->{ip_private});   # skip RFC 1918 / loopback hops
      if ($rly->{ip}) {
        $origip = $rly->{ip};         # first non-private hop wins
        last;
      }
    }
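To make the difference Matt is pointing at concrete, here is an added example (not SpamAssassin's code, and not part of the thread) that walks a constructed Received chain two ways: once with the same loop as the quoted Perl, which picks the oldest non-private hop, and once with a trust-boundary walk that picks the first hop outside internal_networks. The relay records, the addresses (documentation-range IPs) and the internal_networks setting are all constructed here; the ip_private check approximates SA's flag with explicit RFC 1918 and loopback ranges, and the example assumes, as the Perl's reverse() implies, that the relay lists run newest hop first.

```python
import ipaddress

# Approximation of SpamAssassin's ip_private flag (SA uses its own regex):
# RFC 1918 plus loopback.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def in_nets(ip, nets):
    """True if ip falls inside any network in nets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def make_relay(ip):
    """Build a relay record shaped like the $rly hashes the Perl loop reads."""
    return {"ip": ip, "ip_private": in_nets(ip, PRIVATE_NETS)}


# Constructed Received chain in SpamAssassin's order: the hop that delivered
# to us first, the originating host last (relays_trusted then relays_untrusted).
RELAYS = [
    make_relay("203.0.113.10"),  # our MX, inside internal_networks
    make_relay("198.51.100.5"),  # the sender's ISP outbound relay
    make_relay("192.0.2.77"),    # the sender's home router: routable, not private
    make_relay("10.0.0.5"),      # the sender's LAN host: RFC 1918
]

# Constructed internal_networks declaration for the example.
INTERNAL_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def awl_origin_ip(relays):
    """Same walk as the quoted Perl: reverse the chain so the oldest hop comes
    first, skip private hops, return the first hop that has an IP."""
    for rly in reversed(relays):
        if rly["ip_private"]:
            continue
        if rly["ip"]:
            return rly["ip"]
    return None


def trust_boundary_ip(relays, internal_networks):
    """Trust-path style: walk from the newest hop inward and return the first
    hop that is not in internal_networks, i.e. the external host that handed
    the message to our infrastructure."""
    for rly in relays:
        if not in_nets(rly["ip"], internal_networks):
            return rly["ip"]
    return None


if __name__ == "__main__":
    print("AWL origin (oldest non-private hop):", awl_origin_ip(RELAYS))
    print("Trust boundary (first hop outside internal_networks):",
          trust_boundary_ip(RELAYS, INTERNAL_NETWORKS))
```

On this chain the AWL loop keys the sender on 192.0.2.77, the home router behind the ISP relay, while the trust-boundary walk picks 198.51.100.5, the host that actually connected to the MX. The former changes whenever the sender's upstream address changes; the latter is what internal_networks was declared to identify, which is the inconsistency the message above complains about.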