RW wrote:

> On Fri, 15 Apr 2016 14:08:15 +0000 (UTC)
> Helmut Schneider wrote:
>
> > RW wrote:
> >
> > > On Fri, 15 Apr 2016 12:35:24 +0100
> > > RW wrote:
> > >
> > > > On Fri, 15 Apr 2016 10:10:13 +0000 (UTC)
> > > > Helmut Schneider wrote:
> > > >
> > > > > Hi,
> > > > >
> > > > > when further investigating my issue that ALL_TRUSTED is always
> > > > > true I came along the following lines when debugging SA:
> > > > >
> > > > > ...
> > > > > Apr 15 11:44:43.213 mail /usr/sbin/amavisd-new[9991]:
> > > > > (09991-02) SA dbg: received-header: originating,
> > > > > 195.245.231.135 and remaining relays will be considered
> > > > > trusted, but no longer internal ...
> > > > >
> > > > > So SA correctly identifies a relay as external but still
> > > > > trusts the whole path. Why?
> > > >
> > > > It looks like it's being seen as mail submission. Do you have
> > > > msa_networks set?
> > >
> > > I had a look at the code, and it looks like that particular
> > > message with "but no longer internal" can only be reached when
> > > a flag is set that asserts that the message was submitted. This
> > > causes the point at which trust would otherwise be broken to be
> > > treated as a submission server.
> >
> > msa_networks is not set.
>
> It's when a mail client submits outgoing mail to an mta. This should
> involve some form of authentication.
>
> For some reason amavisd thinks that all of your mail is being
> submitted locally. SA is finding that it's ALL_TRUSTED because amavisd
> is telling SA that it is via the SA perl library interface.
Thank you, this helped a lot:

I have 2 servers with 3 postfix instances each, postfix-in, postfix-out and postfix-amavis with different IPs each. All mail is received by the postfix-in instances. For some domains I forward mails directly to their final destinations, for some I do SPAM filtering on the postfix-amavis instances. It seems that ALL mail is treated as relayed internally as soon as I forward those mails to the postfix-amavis instance:

Passed CLEAN {RelayedInbound}, [52.71.20.6]:55081

52.71.20.6 is an external IP address. Now I have to figure out how to prevent amavis from behaving like that.
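
Added example (not part of the original thread, and not amavisd or SpamAssassin code): a small Python check that scans amavisd debug output for the "originating ... but no longer internal" message quoted in this thread and reports every relay outside your own networks that SA was told to trust. INTERNAL_NETS and the second sample log line are constructed assumptions; the first sample line is the one from the thread, rejoined onto one line.

```python
import ipaddress
import re

# Assumption: networks that hold your own MTAs and mail clients (constructed).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("127.0.0.0/8", "10.0.0.0/8", "192.168.0.0/16")]

# SA debug message logged when the "originating" flag turns the point where
# trust would normally end into an assumed submission server.
ORIGINATING_RE = re.compile(
    r"\((\d+-\d+)\) SA dbg: received-header: originating, (\S+) "
    r"and remaining relays will be considered trusted, but no longer internal")

# First line: from the thread. Second line: constructed internal submission.
SAMPLE_LOG = """\
Apr 15 11:44:43.213 mail /usr/sbin/amavisd-new[9991]: (09991-02) SA dbg: received-header: originating, 195.245.231.135 and remaining relays will be considered trusted, but no longer internal
Apr 15 11:45:02.101 mail /usr/sbin/amavisd-new[9991]: (09991-03) SA dbg: received-header: originating, 10.0.0.5 and remaining relays will be considered trusted, but no longer internal
"""


def is_internal(ip_text):
    """True if ip_text parses as an address inside INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparseable relay value: treat as not ours
    return any(addr.version == net.version and addr in net
               for net in INTERNAL_NETS)


def find_mistrusted_relays(log_text):
    """Return (amavis_task_id, relay_ip) for each external relay that SA
    treated as a trusted submitter because the message was flagged
    as originating."""
    hits = []
    for line in log_text.splitlines():
        m = ORIGINATING_RE.search(line)
        if m and not is_internal(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    for task_id, ip in find_mistrusted_relays(SAMPLE_LOG):
        print(f"task {task_id}: external relay {ip} trusted as originating")
```

Any hit means ALL_TRUSTED can fire for mail that arrived from the Internet, so the task id is worth correlating with the matching "Passed ..." line for that message.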