We have some users who would like to whitelist email based on the IP address of the last external relay. This is primarily for times like when messages are being sent from some webform they trust, or from internal systems.
My first thought was to simply add that IP to "trusted_networks" in their per-user configuration, thinking that "ALL_TRUSTED" would hit, and the shortcircuit rule would fire and just let it in. But of course, some of the messages pass through other relays first, so ALL_TRUSTED isn't firing. One message that hit had these meta headers added (identifiable info changed, of course).

> X-Spam-Relays-Trusted: [ ip=1.2.3.4 rdns= helo=server.domain.com by= mail.us.com ident= envfrom= intl=0 id=3d8csD48f2UkYp auth= msa=0 ]
> X-Spam-Relays-Untrusted: [ ip=10.0.20.81 rdns= helo=int-WWW01 by= server.domain.com ident= envfrom= intl=0 id= auth= msa=0 ]
> X-Spam-Relays-Internal:
> X-Spam-Relays-External: [ ip=1.2.3.4 rdns= helo=server.domain.com by= mail.us.com ident= envfrom= intl=0 id=3d8csD48f2UkYp auth= msa=0 ] [ ip=10.0.20.81 rdns= helo=int-WWW01 by=server.domain.com ident= envfrom= intl=0 id= auth= msa=0 ]

In this case, I suppose we could add all reserved address blocks to trusted_networks globally... but that doesn't seem like such a great idea. And it won't help when there's some intermediate relay with a public IP address...

The other option would be to require that the user list all the other relays in there, but we would really prefer something more simple: allow them to whitelist if the last external relay is in the trusted list.

So... is there a rule or an idea on how to determine if the last external relay is also trusted? Or are we going to need to write a plugin?

And if anyone thinks that there's a real problem with this whole thing, please let me know. Am I missing something obvious that's going to cause problems if we whitelist based on the IP address of the last external relay?

Thanks-
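As an added illustration of the check the post asks for (not code from the post or from SpamAssassin itself), this parses an X-Spam-Relays-External value like the one quoted above and tests whether the last external relay falls inside a per-user trusted list. It assumes SpamAssassin's ordering, where the first bracketed entry is the most recent hop, i.e. the relay that handed the message to the trusted boundary; the sample header and the network list are constructed.

```python
import ipaddress
import re

# Constructed sample, modelled on the X-Spam-Relays-External header quoted
# in the post: first entry is the hop nearest to us (the last external relay).
SAMPLE_EXTERNAL = (
    "[ ip=1.2.3.4 rdns= helo=server.domain.com by=mail.us.com ident= "
    "envfrom= intl=0 id=3d8csD48f2UkYp auth= msa=0 ] "
    "[ ip=10.0.20.81 rdns= helo=int-WWW01 by=server.domain.com ident= "
    "envfrom= intl=0 id= auth= msa=0 ]"
)

# Each relay is a bracketed run of key=value tokens separated by whitespace.
RELAY_RE = re.compile(r"\[\s*(.*?)\s*\]")


def parse_relays(header_value):
    """Return one dict per relay, in the order SpamAssassin writes them
    (most recent hop first). Empty values such as 'rdns=' map to ''."""
    relays = []
    for body in RELAY_RE.findall(header_value):
        fields = {}
        for token in body.split():
            key, _, value = token.partition("=")
            fields[key] = value
        relays.append(fields)
    return relays


def last_external_relay_ip(header_value):
    """IP of the relay that delivered into the trusted boundary, or None."""
    relays = parse_relays(header_value)
    if not relays:
        return None
    return relays[0].get("ip") or None


def last_external_is_trusted(header_value, trusted_networks):
    """True if the last external relay's IP lies in any trusted network.
    trusted_networks holds CIDR strings or bare addresses (hypothetical
    per-user list, analogous to a per-user trusted_networks setting)."""
    ip = last_external_relay_ip(header_value)
    if ip is None:
        return False
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # malformed or missing ip= field: never whitelist
        return False
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_networks]
    return any(addr in net for net in nets)
```

Because the decision keys only on the connecting address of the last external relay, it trusts every sender that can reach that relay, exactly as the post proposes; it also relies on these pseudo-headers being produced by your own scanner rather than carried in from outside.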