On Tue, 24 Nov 2015 12:03:12 -0800 (PST) John Hardin wrote: > On Tue, 24 Nov 2015, Reindl Harald wrote: > > > i would suggest when the Received header for the *first* untrusted > > hop > > Just so we're clear on first vs. last: the host that submitted the > mail to the most-remote MTA whose headers you trust. > > > don't contain a reverse dns information *and only then* do that > > lookup directly in SA if network tests are enabled > > This seems to me a reasonable approach. There's no need to check RDNS > on hops prior to the final untrusted hop (chronologically speaking).
It would be the last relay into the internal network, if it's from an untrusted server. The edge of the trusted network may be a submission server.
