Helmut Schneider wrote:
> when further investigating my issue that ALL_TRUSTED is always true I
> came along the following lines when debugging SA:
>
> Apr 15 11:44:43.211 mail /usr/sbin/amavisd-new[9991]: (09991-02) SA
> dbg: received-header: parsed as [ ip=172.20.12.10 rdns=relay-in
> helo=mail2 by=mail01 ident= envfrom= intl=0 id= auth= msa=0 ]
> Apr 15 11:44:43.212 mail /usr/sbin/amavisd-new[9991]: (09991-02) SA
> dbg: netset: trusted_networks lookup on 172.20.12.10, 5 networks,
> result: 1, 0.617 ms
> Apr 15 11:44:43.212 mail /usr/sbin/amavisd-new[9991]: (09991-02) SA
> dbg: netset: internal_networks lookup on 172.20.12.10, 5 networks,
> result: 1, 0.204 ms
> Apr 15 11:44:43.212 mail /usr/sbin/amavisd-new[9991]: (09991-02) SA
> dbg: received-header: relay 172.20.12.10 trusted? yes internal? yes
> msa? no
> Apr 15 11:44:43.212 mail /usr/sbin/amavisd-new[9991]: (09991-02) SA
> dbg: received-header: parsed as [ ip=195.245.231.135
> rdns=mail6.bemta5.messagelabs.com helo=mail6.bemta5.messagelabs.com
> by=mail2 ident= envfrom= intl=0 id=0CC1B30E auth= msa=0 ]
> Apr 15 11:44:43.213 mail /usr/sbin/amavisd-new[9991]: (09991-02) SA
> dbg: netset: trusted_networks lookup on 195.245.231.135, 5 networks,
> result: 0, 0.204 ms
> Apr 15 11:44:43.213 mail /usr/sbin/amavisd-new[9991]: (09991-02) SA
> dbg: received-header: originating, 195.245.231.135 and remaining
> relays will be considered trusted, but no longer internal
> Apr 15 11:44:43.213 mail /usr/sbin/amavisd-new[9991]: (09991-02) SA
> dbg: received-header: relay 195.245.231.135 trusted? yes internal? no
> msa? no
> Apr 15 11:44:43.216 mail /usr/sbin/amavisd-new[9991]: (09991-02) SA
> dbg: received-header: parsed as [ ip=85.158.139.35 rdns= helo=
> by=server-4.bemta-5.messagelabs.com ident= envfrom= intl=0
> id=B6/BA-18387-A08B0175 auth= msa=0 ]
> Apr 15 11:44:43.216 mail /usr/sbin/amavisd-new[9991]: (09991-02) SA
> dbg: received-header: relay 85.158.139.35 trusted? yes internal? no
> msa? no
>
> So SA correctly identifies a relay as external but still trusts the
> whole path. Why?

For the archives: There might be other solutions, but exclude your postfix instances from @mynetworks in amavisd.conf and you're fine.
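
To check whether a setup still shows the symptom from the quoted debug output, the sketch below (an added example, not part of the original post or of SpamAssassin/amavisd) scans SA debug lines and flags every relay reported as `trusted? yes` without a positive `trusted_networks` lookup, noting whether the `originating` line had already been logged. The function name `audit_relays`, the `unbacked_trust` field and the sample text (the quoted lines unwrapped, syslog prefix dropped) are assumptions made for the example.

```python
import re

# Constructed sample: the debug lines quoted above, unwrapped, syslog prefix dropped.
SAMPLE = """\
dbg: netset: trusted_networks lookup on 172.20.12.10, 5 networks, result: 1, 0.617 ms
dbg: netset: internal_networks lookup on 172.20.12.10, 5 networks, result: 1, 0.204 ms
dbg: received-header: relay 172.20.12.10 trusted? yes internal? yes msa? no
dbg: netset: trusted_networks lookup on 195.245.231.135, 5 networks, result: 0, 0.204 ms
dbg: received-header: originating, 195.245.231.135 and remaining relays will be considered trusted, but no longer internal
dbg: received-header: relay 195.245.231.135 trusted? yes internal? no msa? no
dbg: received-header: relay 85.158.139.35 trusted? yes internal? no msa? no
"""

LOOKUP = re.compile(r"netset: trusted_networks lookup on (\S+), \d+ networks, result: (\d)")
ORIGIN = re.compile(r"received-header: originating, (\S+) and remaining relays")
RELAY = re.compile(r"received-header: relay (\S+) trusted\? (yes|no) internal\? (yes|no)")


def audit_relays(log_text):
    """Return one dict per relay verdict, flagging trust not backed by trusted_networks."""
    in_trusted_net = {}   # ip -> True/False taken from the netset lookup line
    originating = False   # becomes True once the "originating" line is seen
    findings = []
    for line in log_text.splitlines():
        if m := LOOKUP.search(line):
            in_trusted_net[m.group(1)] = m.group(2) == "1"
        elif ORIGIN.search(line):
            originating = True
        elif m := RELAY.search(line):
            ip, trusted, internal = m.group(1), m.group(2) == "yes", m.group(3) == "yes"
            findings.append({
                "ip": ip,
                "trusted": trusted,
                "internal": internal,
                # Trusted verdict with no positive trusted_networks match for this IP
                "unbacked_trust": trusted and not in_trusted_net.get(ip, False),
                "originating": originating,
            })
    return findings


if __name__ == "__main__":
    for f in audit_relays(SAMPLE):
        flag = "CHECK" if f["unbacked_trust"] else "ok"
        print(f"{flag:5} {f['ip']:16} trusted={f['trusted']} "
              f"internal={f['internal']} originating={f['originating']}")
```

After changing @mynetworks, rerunning this over fresh debug output for an externally received message should show no `CHECK` rows.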