> 
> In particular, I find these two paragraphs from Mail::SpamAssassin::Conf to be contradictory:
>
>          Trusted relays that accept mail directly from dial-up connections
>          (i.e. are also performing a role of mail submission agents - MSA)
>          should not be listed in "internal_networks". List them only in
>          "trusted_networks".
>
>          If "trusted_networks" is set and "internal_networks" is not, the
>          value of "trusted_networks" will be used for this parameter.
>
> So my mail server handles ALL mail, incoming and outgoing. According to the first paragraph, I should not list my mail server under 'internal_networks' because it is an MSA. Because I have no other MTA to list as 'internal' I have NO setting for 'internal_networks'.
>
> But according to the second paragraph, this makes my MSA 'default' to being an internal_network because its value is lifted from 'trusted_networks'?
>
> I don't think our dialup IP's are triggering the direct-to-mx rules, but that may only be because our dynamic IP's are not listed on the appropriate RBL's. So is the second paragraph *wrong* about the default usage? Or am I lucky? should I specify a 'not' rule for internal networks, just to preserve the trusted-only status of my dialups?
> 
> - Charles

charles,

i seem to recall that every time i go and check about msa_networks it
says all connections to an MSA box must be authenticated.

the language tells me all connections to an MSA must be authenticated...

therefore, an MSA box cannot be a generic inbound smtp 25 generic no_auth MX
right?

NOTES: here is the language from the www...

http://spamassassin.apache.org/full/3.3.x/doc/Mail_SpamAssassin_Conf.html

msa_networks ip.add.re.ss[/mask] ... (default: none)

The networks or hosts which are acting as MSAs in your setup (but not also
as MX relays). MSA means that the relay hosts on these networks accept mail
from your own users and authenticates them appropriately. These relays will
never accept mail from hosts that aren't authenticated in some way. Examples
of authentication include, IP lists, SMTP AUTH, POP-before-SMTP, etc. 
All relays found in the message headers after the MSA relay will take on the
same trusted and internal classifications as the MSA relay itself, as
defined by your trusted_networks and internal_networks configuration.

For example, if the MSA relay is trusted and internal so will all of the
relays that precede it.

When using msa_networks to identify an MSA it is recommended that you treat
that MSA as both trusted and internal. When an MSA is not included in
msa_networks you should treat the MSA as trusted but not internal, however
if the MSA is also acting as an MX or intermediate relay you must always
treat it as both trusted and internal and ensure that the MSA includes
visible auth tokens in its Received header to identify submission clients.

Warning: Never include an MSA that also acts as an MX (or is also an
intermediate relay for an MX) or otherwise accepts mail from
non-authenticated users in msa_networks. Doing so will result in unknown
external relays being trusted.

 - rh
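
The inheritance rule and the warning quoted above, worked through as an added example (not part of this thread and not SpamAssassin's own code). It is a simplified model built only from the quoted documentation text: the function names and the addresses are constructed, and auth tokens in Received headers are not modelled.

```python
import ipaddress

def in_nets(ip, nets):
    """True if ip falls inside any of the CIDR strings in nets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)

def classify(relays, trusted, internal=None, msa=()):
    """Label each relay IP (newest Received header first) as (ip, trusted, internal)."""
    if internal is None:
        internal = trusted          # documented default: internal falls back to trusted
    result = []
    chain_t = chain_i = True        # trust only extends along an unbroken chain
    inherited = None                # set once a relay listed in msa is passed
    for ip in relays:
        if inherited is not None:
            t, i = inherited        # relays behind an MSA take on its classification
        else:
            t = chain_t and in_nets(ip, trusted)
            i = chain_i and t and in_nets(ip, internal)
            chain_t, chain_i = t, i
            if t and in_nets(ip, msa):
                inherited = (t, i)
        result.append((ip, t, i))
    return result

# Constructed sample: one box doing both MX and MSA duty, and an unknown sender.
SERVER = "192.0.2.10"
UNKNOWN = "203.0.113.50"
RELAYS = [SERVER, UNKNOWN]

def server_trusted_only():
    # trusted_networks set, internal_networks unset, msa_networks unset
    return classify(RELAYS, trusted=[SERVER])

def server_wrongly_in_msa():
    # same box also listed in msa_networks although it accepts unauthenticated mail
    return classify(RELAYS, trusted=[SERVER], msa=[SERVER])

if __name__ == "__main__":
    for name, fn in [("trusted only", server_trusted_only),
                     ("also in msa", server_wrongly_in_msa)]:
        print(name, fn())
```

In the second case the unknown sender comes out trusted and internal, which is the outcome the documentation's warning describes.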
