On Thu, Apr 08, 2010 at 10:26:27PM -0800, Royce Williams wrote:
> > It also states that msa_networks propagates those hosts *_networks settings
> > recursively. Which means the dial-ups will be internal too.
>
> Ah, interesting. So I should explicitly *not* put my dialup MSAs in
> msa_networks, and put them only in trusted_networks.

Again, rules look for the first external (non-internal) relay. Your
suggestion above does not make the dial-ups internal.

> Maybe I'm having a vocabulary problem. My MSAs are really also MTAs -
> they receive mail from the customer, do an MX lookup on the
> destination domain, and relay. But they are not MXes in that they do
> not receive mail from foreign MTAs.

Read and re-read the "msa_networks" documentation. IMHO it's very clearly
defined. It's just an extender for *_networks.

"MSA means that the relay hosts on these networks accept mail from your
own users and authenticates them appropriately. These relays will never
accept mail from hosts that aren't authenticated in some way. Examples of
authentication include, IP lists, SMTP AUTH, POP-before-SMTP, etc."

"All relays found in the message headers after the MSA relay will take on
the same trusted and internal classifications as the MSA relay itself, as
defined by your trusted_networks and internal_networks configuration."

"Never include an MSA that also acts as an MX (or is also an intermediate
relay for an MX) or otherwise accepts mail from non-authenticated users in
msa_networks. Doing so will result in unknown external relays being
trusted."

So does your MSA accept mail only from your dial-up users or not? If
that's the case, I don't see what the problem is here.

> So maybe what I'm hearing is (thinking out loud):
>
> If I put my for-dialup MSAs in both msa_networks and internal_networks:
>
> * Everything that is in internal_networks must be included in trusted
>   networks, per the Conf manpage.
> * Because of msa_networks propagation, my dialups become trusted to
>   insert headers (bad).

Forget the trusted headers thing, I can't think of anything that it would
make "bad" in this scenario. This is the configuration you want.

> If I put my for-dialup MSAs only in msa_networks:
>
> * My MSAs are seen as external.
> * My dialups get penalized for non-content characteristics (coming
>   from Outlook, bad HELOs, etc.) (bad)

Is this even possible?

> If I put my for-dialup MSAs only in trusted_networks:
>
> * My for-dialup MSAs are seen as external.
> * My dialups are seen as external and therefore penalized for
>   non-content characteristics (bad).

Your dialup MSAs aren't external. Makes no sense.

> If I put my for-dialup MSAs both in trusted_networks and
> internal_networks, but not msa_networks:
>
> * My dialups aren't external, so they don't get spanked for being
>   Outlook (good).
> * My dialups aren't trusted, so their headers are not trusted (good).

You wanted dial-ups to be internal. Makes no sense.
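To make the "first external relay" rule and the msa_networks propagation concrete, here is an added example that is not part of the thread and not SpamAssassin's own code: a simplified Python model of how trusted_networks, internal_networks and msa_networks classify the hops of a Received chain, implementing only the semantics quoted from the msa_networks documentation above. The function names, the local.cf fragments and every IP address are constructed for the illustration; real SpamAssassin (Mail::SpamAssassin::Message::Metadata::Received) parses actual Received headers and supports more syntax than the plain IP/CIDR subset handled here.

```python
"""Simplified model of SpamAssassin *_networks relay classification.

Added illustration following the msa_networks documentation quoted in the
thread; not SpamAssassin's own code.  All addresses are constructed samples.
"""
import ipaddress

DIRECTIVES = ("trusted_networks", "internal_networks", "msa_networks")


def parse_networks(config_text):
    """Parse local.cf-style '<directive> <net> [<net> ...]' lines.

    Only plain IPs and CIDR prefixes are handled (no '!' exclusions or
    trailing-dot shorthand); that subset covers the thread's cases.
    """
    nets = {d: [] for d in DIRECTIVES}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        key, _, rest = line.partition(" ")
        if key in nets:
            nets[key].extend(ipaddress.ip_network(tok, strict=False)
                             for tok in rest.split())
    return nets


def internal_not_trusted(nets):
    """Conf manpage rule: every internal network must also be trusted.
    Returns the internal_networks entries that violate it."""
    return [n for n in nets["internal_networks"]
            if not any(n.version == t.version and n.subnet_of(t)
                       for t in nets["trusted_networks"])]


def _in(ip, netlist):
    return any(ip.version == n.version and ip in n for n in netlist)


def classify_relays(relay_ips, nets):
    """relay_ips: hop addresses from the Received headers, most recent first.

    Walking down the chain, a hop is trusted/internal only while every hop
    above it was too.  Once an MSA hop is seen, every hop after it inherits
    the MSA's own trusted/internal flags (the propagation quoted above).
    """
    relays = []
    in_trusted = in_internal = True
    inherited = None
    for text in relay_ips:
        ip = ipaddress.ip_address(text)
        if inherited is not None:
            trusted, internal = inherited
        else:
            trusted = in_trusted and _in(ip, nets["trusted_networks"])
            internal = trusted and in_internal and _in(ip, nets["internal_networks"])
            in_trusted, in_internal = trusted, internal
        msa = _in(ip, nets["msa_networks"])
        if msa and inherited is None:
            inherited = (trusted, internal)
        relays.append({"ip": text, "trusted": trusted,
                       "internal": internal, "msa": msa})
    return relays


def first_external(relays):
    """The hop most rules score: the first non-internal relay, if any."""
    for r in relays:
        if not r["internal"]:
            return r["ip"]
    return None


# Constructed chain, most recent hop first: 192.0.2.10 is the scanning MX,
# 192.0.2.25 the authenticated-submission MSA, 198.51.100.77 a dial-up PC.
CHAIN = ["192.0.2.10", "192.0.2.25", "198.51.100.77"]

# The configuration the reply recommends: the MSA is internal (hence trusted)
# and listed in msa_networks; the dial-up ranges themselves appear nowhere.
RECOMMENDED_CF = """
trusted_networks  192.0.2.0/24
internal_networks 192.0.2.0/24
msa_networks      192.0.2.25      # authenticated submission only, never an MX
"""

# Same hosts with the MSA left out of msa_networks: the dial-up hop becomes
# the first external relay and is scored on HELO, client software, etc.
NO_MSA_CF = """
trusted_networks  192.0.2.0/24
internal_networks 192.0.2.0/24
"""


def demo(config_text, chain=CHAIN):
    """Return (first external hop or None, (trusted, internal) of last hop)."""
    relays = classify_relays(chain, parse_networks(config_text))
    last = relays[-1]
    return first_external(relays), (last["trusted"], last["internal"])


if __name__ == "__main__":
    for name, cf in (("recommended", RECOMMENDED_CF), ("no msa", NO_MSA_CF)):
        print(name, demo(cf))
```

With RECOMMENDED_CF the dial-up hop inherits the MSA's internal status, so there is no external relay to score; with NO_MSA_CF the same chain yields the customer's address as the first external relay. Listing the MSA in trusted_networks but not internal_networks makes the MSA itself the first external hop while its downstream hops still inherit trust, which is the mismatch the reply objects to.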