On Thu, Apr 8, 2010 at 8:25 PM, Henrik K <h...@hege.li> wrote:
> On Thu, Apr 08, 2010 at 06:31:37PM -0800, Royce Williams wrote:
>> On Thu, Apr 8, 2010 at 5:13 PM, Henrik K <h...@hege.li> wrote:
>> > On Thu, Apr 08, 2010 at 04:52:00PM -0800, Royce Williams wrote:
>> >>
>> >> Answering myself, I have reworked our *_networks to reflect our
>> >> architecture based on my re-re-re-reading. Nobody has said that my
>> >> example was broken (or was any good, for that matter), so I'm
>> >> operating from that.
>> >>
>> >> With all possible interfaces included from my dedicated MSAs in
>> >> msa_networks, my customers are still subject to IMG_DIRECT_TO_MX,
>> >> FSL_HELO_NON_FQDN_1, RDNS_NONE, HELO_NO_DOMAIN, DOS_DIRECT_TO_MX,
>> >> HELO_LOCALHOST, and the other "you look like an end user, not an MTA"
>> >> rules.
>> >>
>> >> Either my example is fundamentally broken, or everybody else is
>> >> already in there ripping and gripping rules anyway, and so don't mind
>> >> maintaining a similar list.
>> >>
>> >> Since there's no FAQ entry for this, but the reading for understanding
>> >> the problem is so dense, I'm starting to doubt my own sanity. :-)
>> >
>> > As said, these checks are made on the external border.
>> >
>> > Your example does not have MSAs defined as internal.
>>
>> By design. From the conf document:
>>
>> "Trusted relays that accept mail directly from dial-up connections
>> should not be listed in internal_networks. List them only in
>> trusted_networks."
>>
>> Is this incorrect?
>
> It also states that msa_networks propagates those hosts' *_networks settings
> recursively. Which means the dial-ups will be internal too.
Ah, interesting. So I should explicitly *not* put my dialup MSAs in
msa_networks, and put them only in trusted_networks.

Maybe I'm having a vocabulary problem. My MSAs are really also MTAs - they
receive mail from the customer, do an MX lookup on the destination domain,
and relay. But they are not MXes in that they do not receive mail from
foreign MTAs.

So maybe what I'm hearing is (thinking out loud):

If I put my for-dialup MSAs in both msa_networks and internal_networks:

* Everything that is in internal_networks must be included in
  trusted_networks, per the Conf manpage.
* Because of msa_networks propagation, my dialups become trusted to insert
  headers (bad).

If I put my for-dialup MSAs only in msa_networks:

* My MSAs are seen as external.
* My dialups get penalized for non-content characteristics (coming from
  Outlook, bad HELOs, etc.) (bad)

If I put my for-dialup MSAs only in trusted_networks:

* My for-dialup MSAs are seen as external.
* My dialups are seen as external and therefore penalized for non-content
  characteristics (bad).

If I put my for-dialup MSAs both in trusted_networks and internal_networks,
but not msa_networks:

* My dialups aren't external, so they don't get spanked for being Outlook
  (good).
* My dialups aren't trusted, so their headers are not trusted (good).

Is this correct?

Royce
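An added illustration, not from this thread and not SpamAssassin's own code: a simplified Python model of how the relay chain is classified and how a host listed in msa_networks hands its trusted/internal status to the client that delivered to it, which is the propagation Henrik describes. The relay addresses are constructed, and the model is an assumption that ignores authenticated-submission handling and other details of SpamAssassin's real Received parser.

```python
import ipaddress

def in_nets(ip, nets):
    """True if ip falls inside any CIDR/host entry in nets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)

def classify_relays(relays, trusted_networks, internal_networks, msa_networks):
    """Walk the relay chain from the scanning host outward and return
    [(ip, trusted, internal)] for each hop, using a simplified model of
    SpamAssassin's rules (assumption: authenticated-submission handling
    and other special cases are ignored):
      - a hop is trusted/internal only if it is listed in the matching
        *_networks AND every hop between it and us already is;
      - a trusted hop listed in msa_networks passes its own flags on to
        the hop that delivered to it (the msa_networks propagation).
    relays[0] handed the mail to us; relays[-1] is the originating client.
    """
    in_trusted = in_internal = True
    inherited = None  # flags handed down by a preceding MSA hop
    result = []
    for ip in relays:
        if inherited is not None:
            trusted, internal = inherited
            inherited = None
        else:
            trusted = in_trusted and in_nets(ip, trusted_networks)
            internal = trusted and in_internal and in_nets(ip, internal_networks)
        in_trusted, in_internal = trusted, internal  # chain breaks at first failure
        if trusted and in_nets(ip, msa_networks):
            inherited = (trusted, internal)
        result.append((ip, trusted, internal))
    return result

# Constructed addresses from documentation ranges: our MSA and a dial-up customer.
MSA, DIALUP = "203.0.113.10", "198.51.100.77"
CHAIN = [MSA, DIALUP]  # MSA handed the mail to us; the dial-up handed it to the MSA

def msa_listed_in_msa_networks():
    """MSA in trusted, internal and msa_networks: the dial-up inherits both flags."""
    return classify_relays(CHAIN, [MSA], [MSA], [MSA])

def msa_not_in_msa_networks():
    """MSA in trusted and internal only: the dial-up stays untrusted and external."""
    return classify_relays(CHAIN, [MSA], [MSA], [])

if __name__ == "__main__":
    for fn in (msa_listed_in_msa_networks, msa_not_in_msa_networks):
        print(fn.__doc__, fn())
```

The first scenario is the one Henrik warns about: the dial-up ends up trusted, so headers it inserts are believed; the second keeps the dial-up untrusted.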