On Sat, 3 Apr 2010 06:18:25 -0800
Royce Williams <royce.willi...@gmail.com> wrote:

> On Fri, Apr 2, 2010 at 11:20 PM, Henrik K <h...@hege.li> wrote:
> > On Fri, Apr 02, 2010 at 01:45:57PM -0800, Royce Williams wrote:
> >> What is the optimal configuration (local.cf or other) for an ISP's
> >> MSAs to prevent unauthenticated dynamic-IP customers from
> >> triggering dynamic tests, but still benefiting from general
> >> filtering?
> >>
> >> I was hoping for a magical 'mua_networks' option, which let me
> >> enumerate the IP space that my users submit from, and automatically
> >> exempt them from DOS_OE_TO_MX, etc., but I haven't been able to
> >> find anything like that.
> >
> > All dynamic rules look at external relays. So if you have SA on the
> > relay that accepts mail from dynamic space, you need to include all
> > that in internal_networks and disable ALL_TRUSTED since it would
> > always hit.
> 
> Interesting.  I do have SA on my MSAs.  That might be the single knob
> that I am looking for.
> 
> Some folks aren't big enough to have separated MTAs and MSAs; for
> their benefit, is there any other approach that would work?  My
> imagined mua_networks would fit this bill, and it would allow the same
> SA configuration on both MTAs and MSAs, which would make my life as a
> sysadmin easier.

Putting the address ranges into internal_networks is what you do if you
*don't* have separate MSAs and MX servers. Otherwise you put the
MSAs into msa_networks and internal_networks. Anything that connects to
a server in msa_networks inherits the internal/trusted status of the
MSA.

Even if you don't or can't do any of the above, SA will pick up on
authentication recorded in the Received header and for the most part do
the right thing, e.g. it won't run PBL/DUL lookups.
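
The two layouts discussed in this thread, written out as a local.cf fragment. This is an added example, not part of the original messages; every address is constructed (RFC 5737 documentation ranges), and the split between "mail servers" and "customer space" is an assumption for illustration.

```conf
# Constructed addressing (assumption, not from the thread):
#   192.0.2.0/24                      your own mail servers
#   198.51.100.0/24, 203.0.113.0/24   dynamic customer space that submits mail

# --- Layout A: the same hosts act as MX and MSA ---
# The customer ranges themselves are made internal, so a submission from
# them carries no external dynamic relay for the dynamic-IP rules to test.
# Every internal_networks entry must also be listed in trusted_networks.
trusted_networks   192.0.2.0/24 198.51.100.0/24 203.0.113.0/24
internal_networks  192.0.2.0/24 198.51.100.0/24 203.0.113.0/24

# With customer space trusted, ALL_TRUSTED would hit on every submission,
# so its score is zeroed, as suggested earlier in the thread.
score ALL_TRUSTED 0

# --- Layout B: dedicated MSAs, separate MX (use INSTEAD of Layout A) ---
# Only the servers are listed. A relay that hands mail to a host in
# msa_networks inherits that MSA's internal/trusted status, so the
# customer ranges do not need to be enumerated at all.
# 192.0.2.25 and 192.0.2.26 are the constructed MSA addresses.
#trusted_networks   192.0.2.0/24
#internal_networks  192.0.2.0/24
#msa_networks       192.0.2.25 192.0.2.26
```

Running `spamassassin --lint` after editing reports configuration lines that fail to parse.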