On Fri, Apr 9, 2010 at 3:46 AM, RW <rwmailli...@googlemail.com> wrote:
> On Fri, 9 Apr 2010 10:09:35 +0300
> Henrik K <h...@hege.li> wrote:
>
>> On Thu, Apr 08, 2010 at 10:26:27PM -0800, Royce Williams wrote:
>> > >
>
>> > Maybe I'm having a vocabulary problem.  My MSAs are really also
>> > MTAs - they receive mail from the customer, do an MX lookup on the
>> > destination domain, and relay.  But they are not MXes in that they
>> > do not receive mail from foreign MTAs.
>>
>> Read and re-read "msa_networks" documentation. IMHO it's very clearly
>> defined. It's just an extender for *_networks.
>>
> I think he may have put his finger on the problem in a previous post.
>
> msa_networks defines the MSA by IP address. If SA runs on an MSA its
> address is unlikely to be in the received headers. In that case SA has
> no way of distinguishing an MSA from an MX server.

Yes!  That's what Daryl was referring to here

http://old.nabble.com/ALL_TRUSTED-and-DOS_OE_TO_MX-td15659736.html

... where he says:

"So if (and I'll admit I don't think this occurred to me before) you're
running SA on outgoing mail on your MSA right after you receive it (it's
not relayed to an intermediate machine) SA can't detect the MSA and the
whole msa_networks thing doesn't work."

> I would think that in this case the dynamic address blocks would need to
> be explicitly defined.

That's why I started this thread by saying that I went hunting for a
"mua_networks" equivalent, and couldn't find one.

Henrik and RW have both suggested that I should put my customer-only
MSAs into msa_networks and internal_networks (which implies
trusted_networks).  I can state definitively that in this setup, all
of the you-look-like-a-MUA rules (RDNS, Outlook, etc.) are happily
applied to my dialup customers, which is consistent with RW's
statement above.

Royce
