Mauricio,

> I want to use whitelist_from_rcvd, so I am trying to understand
> TrustPath. If you had your MTA outside of your LAN (outside IP LANIP,
> internal subnet LANSUB) with its own public IP (say MAILIP), would you have
> 
> internal_networks = MAILIP LANIP LANSUB
> trusted_networks = MAILIP LANIP LANSUB (+ other machines you have
> outside the LAN you trust)
> 
> Am I correct?

If there are no clients of your own on the LANSUB, then you
would not want to list it in internal_networks.
Just keep LANSUB in trusted_networks. The rest is ok.

> What would stop someone from trying to fake the
> originating IP to fit the ones in the above list?

If one of your trusted MTAs reports in its Received header field
that it got a message from some untrusted IP address,
then the trust chain breaks at that point. No matter what
IP address is shown in the remaining Received header fields
(possibly faked), they are considered neither trusted
nor internal.

The key point is: it is your own trusted MTA which stops the
trust chain.

  Mark
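The trust-path walk described above, as an added example (not SpamAssassin's own code, and not from either poster). It assumes constructed placeholder networks standing in for MAILIP, LANIP and LANSUB, and three constructed Received headers, the last of which fakes an address inside LANSUB:

```python
import ipaddress
import re

# Constructed placeholders for MAILIP, LANIP and LANSUB (trusted_networks).
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in
                    ("203.0.113.10/32", "198.51.100.5/32", "192.168.1.0/24")]

# Minimal "from host (rdns [ip]) by host" parser; real headers vary more.
RECEIVED_RE = re.compile(r"from\s+\S+\s+\([^)]*\[(\d+(?:\.\d+){3})\]\)\s+by\s+(\S+)")

def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)

def parse_received(header):
    m = RECEIVED_RE.search(header)
    return (m.group(1), m.group(2)) if m else None  # (source IP, receiving host)

def trust_path(received_headers):
    """Walk Received headers top-down (most recent first). A header is only
    believed while it was written by a trusted host, i.e. while every earlier
    hop came from a trusted IP. The first untrusted source IP breaks the chain;
    everything below it may be forged by the sender and is not trusted."""
    trusted, untrusted = [], []
    for hdr in received_headers:
        parsed = parse_received(hdr)
        if parsed is None:
            continue
        src_ip, _receiving_host = parsed
        if untrusted or not is_trusted(src_ip):
            untrusted.append(src_ip)   # chain already broken, or breaks here
        else:
            trusted.append(src_ip)
    # untrusted[0] is the boundary relay: the one hop our own MTA vouches for.
    return {"trusted": trusted, "untrusted": untrusted,
            "first_untrusted": untrusted[0] if untrusted else None}

# Constructed sample: our MTA -> our gateway, remote host -> our MTA,
# then a forged header claiming the mail came from inside LANSUB.
SAMPLE_HEADERS = [
    "from mail.example.org (mail.example.org [203.0.113.10]) by gw.example.org",
    "from remote.example.net (remote.example.net [192.0.2.25]) by mail.example.org",
    "from inside.example.org (inside.example.org [192.168.1.7]) by remote.example.net",
]

if __name__ == "__main__":
    print(trust_path(SAMPLE_HEADERS))
```

The forged 192.168.1.7 hop lands in the untrusted list even though it sits inside LANSUB, because the trusted MTA already reported receiving the message from 192.0.2.25.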
