On Fri, Apr 2, 2010 at 11:20 PM, Henrik K <h...@hege.li> wrote:
> On Fri, Apr 02, 2010 at 01:45:57PM -0800, Royce Williams wrote:
>> What is the optimal configuration (local.cf or other) for an ISP's
>> MSAs to prevent unauthenticated dynamic-IP customers from triggering
>> dynamic tests, but still benefiting from general filtering?
>>
>> I was hoping for a magical 'mua_networks' option, which let me
>> enumerate the IP space that my users submit from, and automatically
>> exempt them from DOS_OE_TO_MX, etc., but I haven't been able to find
>> anything like that.
>
> All dynamic rules look at external relays. So if you have SA on the relay
> that accepts mail from dynamic space, you need to include all that in
> internal_networks and disable ALL_TRUSTED since it would always hit.

Interesting. I do have SA on my MSAs. That might be the single knob that I am looking for.

Some folks aren't big enough to have separated MTAs and MSAs; for their benefit, is there any other approach that would work? My imagined mua_networks would fit this bill, and it would allow the same SA configuration on both MTAs and MSAs, which would make my life as a sysadmin easier.

Is everyone else solving it this way - by populating internal_networks on their MSAs with their dynamic space, combined with disabling ALL_TRUSTED? I'm trying to get a sense of 'best practice' here.

Royce
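
The approach suggested in the quoted reply, written out as a local.cf fragment for an MSA. This is an added example, not configuration posted by either participant; every address below is a placeholder documentation range standing in for the MSA's own address and the ISP's dynamic customer space.

```conf
# local.cf on the MSA (added example; all addresses are placeholders)

# The MSA itself plus the dynamic customer space it accepts submissions from.
# Listing the dynamic ranges here stops SpamAssassin from treating those
# customers as external relays, which is what the dynamic-IP rules inspect.
internal_networks 192.0.2.25
internal_networks 198.51.100.0/24
internal_networks 203.0.113.0/24

# Keep trusted_networks a superset of internal_networks.
trusted_networks 192.0.2.25
trusted_networks 198.51.100.0/24
trusted_networks 203.0.113.0/24

# With the customer space internal, ALL_TRUSTED would fire on every
# submission and apply its negative score, so zero it out.
score ALL_TRUSTED 0
```

Running `spamassassin --lint` after the change confirms the file still parses.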