On Wed, Apr 7, 2010 at 8:29 AM, Royce Williams <royce.willi...@gmail.com> wrote:
> On Tue, Apr 6, 2010 at 2:13 PM, Kris Deugau <kdeu...@vianet.ca> wrote:
>> Royce Williams wrote:
>>>
>>> Some new information.  In this 2008 thread:
>>>
>>> http://old.nabble.com/ALL_TRUSTED-and-DOS_OE_TO_MX-td15659736.html
>>>
>>> ... Daryl says:
>>>
>>> "So if (and I'll admit I don't think this occurred to me before) you're
>>> running SA on outgoing mail on your MSA right after you receive it (it's
>>> not relayed to an intermediate machine) SA can't detect the MSA and the
>>> whole msa_networks thing doesn't work."
>>>
>>> That is exactly our setup - our outbound servers are accepting mail
>>> from customers and handing them off to the world, not going through
>>> any other servers.  Could this be the issue?
>>
>> Hmm.  We have the same general setup, but we may be avoiding trouble because
>> our outbound scan is done while the SMTP transaction is in progress, and the
>> message SA sees does not have our MSA's Received: header yet.  (Of course,
>> we then hit NO_RECEIVED and a collection of related tests, but none of them
>> score very high IIRC;  have to check the specifics.)
>
> We also scan before accepting (MIMEDefang), so that must not be the
> difference between us.
>
> Can anyone else speak to whether or not Daryl's observation -- about
> msa_networks not applying to MSAs that are at the email "border" -- is
> still in effect?

Answering myself, I have reworked our *_networks to reflect our
architecture based on my re-re-re-reading.  Nobody has said that my
example was broken (or was any good, for that matter), so I'm
operating from that.

With all possible interfaces included from my dedicated MSAs in
msa_networks, my customers are still subject to IMG_DIRECT_TO_MX,
FSL_HELO_NON_FQDN_1, RDNS_NONE, HELO_NO_DOMAIN, DOS_DIRECT_TO_MX,
HELO_LOCALHOST, and the other "you look like an end user, not an MTA"
rules.

Either my example is fundamentally broken, or everybody else is
already in there ripping and gripping rules anyway, and so don't mind
maintaining a similar list.

Since there's no FAQ entry for this, but the reading for understanding
the problem is so dense, I'm starting to doubt my own sanity. :-)

Royce
