> Also the SpamAssassin documentation mentions configuring msa_networks
> which sounds relevant. Can I just list my SMTP server IP in here and
> SMTP Auth connections will be trusted? Or will that cause all
> connections to be trusted, as it sounds possible reading this
> "Warning: Never include an MSA that also acts as an MX (or is also an
> intermediate relay for an MX) or otherwise accepts mail from
> non-authenticated users in msa_networks. Doing so will result in
> unknown external relays being trusted"

This is the bargain in 3.3.1:

        if (!$relay->{auth} && !$trusted->contains_ip($relay->{ip})) {
          $in_trusted = 0;
          $in_internal = 0;     # if it's not trusted it's not internal
        } else {
          # internal_networks matches?
          if ($in_internal && !$relay->{auth} && !$internal->contains_ip($relay->{ip})) {
            $in_internal = 0;
          }
          # msa_networks matches?
          if ($msa->contains_ip($relay->{ip})) {
            dbg('received-header: found MSA relay, remaining relays will be'.
                ' considered trusted: '.($in_trusted ? 'yes' : 'no').
                ' internal: '.($in_internal ? 'yes' : 'no'));
            $found_msa = 1;
            $relay->{msa} = 1;
          }
        }

It seems to me that if you put your MX in both the trusted_networks *and*
the msa_networks one, you end up having every incoming mail from your MX as
MSA-delivered. The paradox is that incoming, authenticated mails would be
regarded as from a trusted relay, not an MSA...

I have difficulties in understanding the logic here. The fact that a
previously received header from a trusted relay had delivered the message
via authentication, seems to me that relay acted after all like an MSA, or
at least that SA should probably trust the relay chain from there on. I
don't see why not (but it could be due to my myopia).

So, if my myopia isn't that bad, I would instead code this way:

        if (!$relay->{auth} && !$trusted->contains_ip($relay->{ip})) {
          $in_trusted = 0;
          $in_internal = 0;     # if it's not trusted it's not internal
        } else {
          # internal_networks matches?
          if ($in_internal && !$relay->{auth} && !$internal->contains_ip($relay->{ip})) {
            $in_internal = 0;
          }
          # msa_networks matches?
          if ($relay->{auth} || $msa->contains_ip($relay->{ip})) {
            dbg('received-header: found MSA relay, remaining relays will be'.
                ' considered trusted: '.($in_trusted ? 'yes' : 'no').
                ' internal: '.($in_internal ? 'yes' : 'no'));
            $found_msa = 1;
            $relay->{msa} = 1;
          }
        }

which should regard a relay as MSA also when a trusted relay did auth the
user.

Hello! Any SA developer here?

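Added example, not part of the original post and not SpamAssassin code: a small Python model of the two loop bodies quoted above, run over constructed Received chains to compare which relays end up trusted. Assumptions: relays are listed newest first, each relay's `ip` is the address that handed the message over, the body is only evaluated while the chain is still trusted and no MSA has been found, and the names `walk`, `in_nets` and `trusted_ips` are hypothetical.

```python
from ipaddress import ip_address, ip_network

def in_nets(nets, ip):
    """True if ip falls inside any of the listed networks."""
    return any(ip_address(ip) in ip_network(n) for n in nets)

def walk(relays, trusted, internal, msa, auth_is_msa=False):
    """Model of the loop body quoted in the post, relays newest first.

    auth_is_msa=False is the 3.3.1 test, True is the poster's variant.
    Assumption of this sketch (not shown in the post): the body only runs
    while the chain is still trusted and no MSA has been found; after that
    the current flags apply to every remaining relay.
    """
    in_trusted = in_internal = True
    found_msa = False
    result = []
    for relay in relays:
        ip, auth = relay["ip"], relay.get("auth", False)
        is_msa = False
        if in_trusted and not found_msa:
            if not auth and not in_nets(trusted, ip):
                in_trusted = in_internal = False
            else:
                if in_internal and not auth and not in_nets(internal, ip):
                    in_internal = False
                if (auth_is_msa and auth) or in_nets(msa, ip):
                    found_msa = is_msa = True
        result.append((ip, in_trusted, in_internal, is_msa))
    return result

# Constructed sample chains (documentation/private addresses), newest first.
MX = "192.0.2.10"
AUTH_MAIL = [{"ip": MX}, {"ip": "198.51.100.7", "auth": True}, {"ip": "10.1.2.3"}]
PLAIN_MAIL = [{"ip": MX}, {"ip": "203.0.113.5"}, {"ip": "10.9.9.9"}]

def trusted_ips(rows):
    return [ip for ip, trusted, _internal, _msa in rows if trusted]

if __name__ == "__main__":
    cases = [
        ("3.3.1 test, MX trusted only", AUTH_MAIL, [], False),
        ("poster's test, MX trusted only", AUTH_MAIL, [], True),
        ("poster's test, unauthenticated mail", PLAIN_MAIL, [], True),
        ("3.3.1 test, MX also in msa_networks", PLAIN_MAIL, [MX], False),
    ]
    for label, chain, msa, flag in cases:
        print(label, "->", trusted_ips(walk(chain, [MX], [MX], msa, flag)))
```

The last case is the situation the quoted documentation warning describes: with the MX listed in msa_networks, the unauthenticated external relay behind it comes out trusted.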