On Fri, 16 Sep 2011 15:57:42 +0200 Matus UHLAR - fantomas wrote:
iiuc, the msa_networks was created to explicitly tell SA that mail
was authenticated.

On 17.09.11 00:15, RW wrote:
When something relays through a server in msa_networks, anything before
that inherits its trusted/internal network status. This prevents SA
from inferring an MX handover into the internal network, and
consequently it can't run MX specific tests that are mostly
inappropriate for a mail client.

... or on outgoing mail server (MSA) itself, correct?

Is there a logical difference between mail authenticated by MSA in
msa_networks and mail authenticated locally, or by internal relay?

I mean, do we trust host in msa_networks more than host that
authenticated locally, so we don't check in RBLs and HELO strings for
host in msa_networks, but we do if a user authenticated locally
(which should be in fact the same as if user authenticated there)?

Detecting authentication is a fallback for when msa_networks can't be
used, or is incomplete.

However, the fact that authentication was used by a trusted/internal server does NOT cause all further relays to appear in trusted/internal networks.

OTOH, msa_networks does this, which means that SA trusts msa_networks much more than it does authenticated mail.

Is this a wanted difference?

SA records authentication information, but it's
up to each individual test to use that information sensibly.

Any checks on the trusted/internal network boundary do not apply when there's a trusted/internal MSA in the path, since in such a case there's no boundary here.

Should I add "msa_networks 0/0" on our own MSA that authenticates all
users?

You put the msa ip addresses in msa_networks, but for it to work SA
has to be able to see the address in a received header.

When I run SA on the MSA server, there is no Received: line with the IP of the MSA server itself.

However, on such MSA, every connected client is trusted and/or internal, so adding the Received: line and putting it to msa_networks would be the same as putting 0/0 there...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Honk if you love peace and quiet.