On Sun, 2009-08-09 at 00:56 +0100, RW wrote:

> > Also, I'm still not sure I have my trusted_networks setting correct. I
> > have this in my local.cf:
> > 
> > trusted_networks 192.168/16 71.48.160.0/20 71.54.96/19
> > 
> > Here is a line of Received: from headers from a test mail to myself:
> > 
> > Received: from [71.54.109.114] and one from someone else using embarq
> > Received: from [71.48.166.180]
> > 
> > If I read the below correctly this is a listing of all CIDRs in the
> > embarq AS range:
> > 
> > http://www.cidr-report.org/cgi-bin/as-report?as=as6367&view=2.0
> > 
> > should all of these be listed in the trusted_networks entry or do I
> > misunderstand the concept still?
> 
> Absolutely not; it leaves thousands of back-doors open. Just use the IP
> addresses used as servers, not customer addresses. /24 ranges based
> on the server addresses you've seen in headers are usually a safe
> compromise. Often the servers between you and the MX server use private
> addresses, which makes things a lot easier - you can safely list all
> private addresses. The best way to tell is to send test messages from
> external mail services or look at real mail - mail from yourself can be
> misleading.
> 
> If you are using an ISP for your mail you're conservatively advised
> to put them in trusted_networks because that behaves least badly for
> the worst case ISPs.
> 
> In practice it's almost always better to put them into
> internal_networks so SA knows where the real MX servers are,
> particularly in your case since embarq records authentication on its
> submission server, note the "with ESMTPA" in your headers.

One other note, I have a formail recipe that parses out the sender-ip,
ASN and CIDR. For instance in the test I sent to myself from gmail it
shows this:

X-senderip: 209.85.210.204
X-asn: ASN-15169
X-cidr: 209.85.210.0/24

Would it be safe/sane to put the 208.85.210.0/24 into the
trusted_networks line?

-- 
KeyID 0xE372A7DA98E6705C
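The "back-door" RW describes above comes from how SpamAssassin walks the Received: chain: it steps through the headers newest-first and treats every hop whose relay IP falls inside trusted_networks as trusted, so the first relay *outside* those networks is the one its network tests are keyed on. If a whole customer range is listed, a message submitted from a customer address gets its own self-supplied Received: line treated as the origin. The script below is an added illustration of that boundary shift, not code from this thread or from SpamAssassin itself; it assumes SA's abbreviated CIDR notation ("192.168/16", "10/8") pads the missing octets with zeros, and the Received: chain, the server address 71.48.160.17, the narrower "71.48.160.0/24" entry and the outside address 203.0.113.9 are all constructed for the example.

```python
import ipaddress
import re
from typing import List, Optional

# Two constructed trusted_networks lines. WIDE is the one from the thread
# (it contains whole customer ranges); NARROW is a hypothetical replacement
# listing only private space plus a /24 around the ISP server seen in headers.
WIDE_CONFIG = "192.168/16 71.48.160.0/20 71.54.96/19"
NARROW_CONFIG = "192.168/16 10/8 71.48.160.0/24"

# First bracketed IPv4 literal in a Received: header, e.g. "([71.48.166.180])".
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def expand_sa_cidr(token: str) -> ipaddress.IPv4Network:
    """Expand SpamAssassin-style shorthand ("192.168/16", "10/8", "192.168")
    into a full network. Assumption: missing trailing octets are zero, and a
    bare prefix without a mask is sized by the number of octets given."""
    if "/" in token:
        prefix, mask = token.split("/", 1)
        length = int(mask)
    else:
        prefix, length = token, None
    octets = prefix.split(".")
    if length is None:
        length = 8 * len(octets)
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(f"{'.'.join(octets)}/{length}", strict=False)


def parse_trusted_networks(config_line: str) -> List[ipaddress.IPv4Network]:
    """Turn one space-separated trusted_networks line into network objects."""
    return [expand_sa_cidr(tok) for tok in config_line.split()]


def relay_ip(received: str) -> Optional[ipaddress.IPv4Address]:
    """Extract the relay's IP literal from a Received: header, if present."""
    match = RECEIVED_IP.search(received)
    return ipaddress.ip_address(match.group(1)) if match else None


def last_external_ip(received_headers: List[str],
                     trusted: List[ipaddress.IPv4Network]) -> Optional[ipaddress.IPv4Address]:
    """Walk Received: headers newest-first (the order they appear in the
    message) and return the first relay IP that is NOT inside any trusted
    network. That hop is what SA's DNSBL and origin tests are keyed on."""
    for header in received_headers:
        ip = relay_ip(header)
        if ip is None:
            continue  # no IP literal; skip the hop
        if not any(ip in net for net in trusted):
            return ip
    return None  # every hop was trusted (usually a misconfiguration)


# Constructed chain, newest hop first. The bottom line is one the submitting
# customer wrote themselves; nothing on our side can vouch for it.
SAMPLE_RECEIVED = [
    "Received: from mx.internal.example ([192.168.1.5]) by mail.internal.example",
    "Received: from smtp.isp.example ([71.48.160.17]) by mx.internal.example",
    "Received: from customer-host ([71.48.166.180]) by smtp.isp.example with ESMTPA",
    "Received: from forged.example ([203.0.113.9]) by customer-host",
]


def compare_configs() -> dict:
    """Show which hop becomes the 'origin' under each trusted_networks line."""
    return {
        "wide": str(last_external_ip(SAMPLE_RECEIVED, parse_trusted_networks(WIDE_CONFIG))),
        "narrow": str(last_external_ip(SAMPLE_RECEIVED, parse_trusted_networks(NARROW_CONFIG))),
    }


if __name__ == "__main__":
    for name, ip in compare_configs().items():
        print(f"{name:6s} trusted_networks -> last external relay: {ip}")
```

With the wide line the customer address 71.48.166.180 is trusted, so the walk continues to the self-supplied 203.0.113.9 hop and SA would score the message as if it came from there; with the narrow line the walk stops at the customer address itself, which is the hop the ISP actually authenticated ("with ESMTPA").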
