On Fri, 15 Apr 2016 10:10:13 +0000 (UTC) Helmut Schneider wrote:

> Hi,
>
> when further investigating my issue that ALL_TRUSTED is always true I
> came along the following lines when debugging SA:
>
> ...
> Apr 15 11:44:43.213 mail /usr/sbin/amavisd-new[9991]: (09991-02) SA
> dbg: received-header: originating, 195.245.231.135 and remaining
> relays will be considered trusted, but no longer internal
> ...
>
> So SA correctly identifies a relay as external but still trusts the
> whole path. Why?

It looks like it's being seen as mail submission. Do you have msa_networks set? A server should only go in msa_networks if it's a pure submission server that's outside the normal delivery path. If your MX server doubles as a submission server, submission has to be detected by a trusted received header recording authentication.
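
The distinction drawn in the reply, as an added SpamAssassin configuration sketch that is not part of the original thread. All addresses are constructed (documentation ranges), the host roles are assumptions, and the Postfix setting in the last comment assumes an MTA the thread does not name.

```conf
# local.cf -- constructed example, addresses are placeholders
#   192.0.2.25     MX that also accepts authenticated submission (assumed role)
#   198.51.100.10  submission-only server outside the delivery path (assumed role)

# Misconfigured: the MX is declared an MSA. Everything it receives is then
# treated as a submission, the relays before it are considered trusted, and
# ALL_TRUSTED can fire on ordinary inbound mail.
#msa_networks      192.0.2.25

# Corrected: the MX is only trusted/internal. msa_networks lists just the
# pure submission host, which is also kept in the trusted and internal lists.
trusted_networks   192.0.2.25 198.51.100.10
internal_networks  192.0.2.25 198.51.100.10
msa_networks       198.51.100.10

# Submission through the MX itself is then recognised only when its Received
# header records the authentication. With Postfix (an assumption), that is
# enabled in main.cf with:
#   smtpd_sasl_authenticated_header = yes
```

After changing the lists, rerunning the same SA debug output on an inbound message shows whether the "originating ... remaining relays will be considered trusted" line still appears for the external relay.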