On Thu, 08 Dec 2016 17:50:33 -0500
Kris Deugau wrote:

> Yes, both.  Strictly speaking these should only go in
> trusted_networks, since these are not *your* hosts, but the way the
> lookups are defined you'll probably need to put them in
> internal_networks.
> 
> I took a look at the stock rules and it seems the "black" DNSBL rules
> almost all use -lastexternal, where the "white" ones use
> -firsttrusted. I'm not sure why things are divided that way;  I would
> have expected it to be more along the lines of per-DNSBL grouping to
> one or the other.

The idea that internal_networks represents your own servers is a
misleading one. The point of it is to find the relevant MX handover,
which in this case is the one into the forwarders network. It's not
just about DNSBLs, there are other rules that look at the rDNS etc on
this handover. Lastexternal tests are mostly unsafe to run on anything
but an MX handover.
 
The reason why the trusted network may extend beyond the internal
network is that sometimes other people's networks may contain submission
servers which SA can't identify unless they record authentication.
Putting such a network into internal_networks may cause FPs because an
unidentified submission client can look like a spammer delivering
directly to MX.

Putting addresses only into trusted effectively turns off a lot of
useful tests, and it doesn't cause any DNSBL lookups that wouldn't run
anyway.

The reason that whitelists run on firsttrusted is that it's the only IP
address that's both worth testing and unforgeable.
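Added illustration, not part of the thread and not SpamAssassin's own relay code: a simplified model of the relay walk that shows which IP ends up as lastexternal and firsttrusted when a forwarder's network is listed in neither, only trusted_networks, or both. All addresses are constructed documentation ranges, and the semantics assumed are stated in the docstring.

```python
import ipaddress

def _in(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)

def relay_points(hops, trusted, internal):
    """Return (firsttrusted, lastexternal) for connecting IPs listed newest first.

    Simplified model of the relay walk (an assumption here, not SpamAssassin's
    own code): lastexternal is the first connecting IP outside internal_networks
    (the MX handover); firsttrusted is the connecting IP at the trust boundary,
    beyond which Received: headers may be forged. Assumes internal_networks is
    a subset of trusted_networks, as SpamAssassin requires.
    """
    firsttrusted = lastexternal = None
    for ip in hops:
        if lastexternal is None and not _in(ip, internal):
            lastexternal = ip
        if not _in(ip, trusted):
            firsttrusted = ip
            break
    return firsttrusted, lastexternal

# Constructed sample (documentation addresses). Each entry is the connecting
# IP recorded by one Received: header, newest first.
FORWARDED = [
    "192.0.2.10",    # our MX -> our mailstore
    "198.51.100.7",  # forwarding service (198.51.100.0/24, not ours) -> our MX
    "203.0.113.5",   # real sender -> forwarder
    "10.9.8.7",      # sender's internal hop (untrusted; could be forged)
]
# Same forwarder, but mail submitted by a roaming user of that service whose
# authentication is not recorded in the Received: header.
SUBMITTED = ["192.0.2.10", "198.51.100.25", "203.0.113.77"]
OURS, FWD = ["192.0.2.0/24"], ["198.51.100.0/24"]

def compare():
    """(firsttrusted, lastexternal) under each way of listing the forwarder."""
    return {
        "forwarded/neither":  relay_points(FORWARDED, OURS, OURS),
        "forwarded/trusted":  relay_points(FORWARDED, OURS + FWD, OURS),
        "forwarded/internal": relay_points(FORWARDED, OURS + FWD, OURS + FWD),
        "submitted/trusted":  relay_points(SUBMITTED, OURS + FWD, OURS),
        "submitted/internal": relay_points(SUBMITTED, OURS + FWD, OURS + FWD),
    }

if __name__ == "__main__":
    for case, (ft, le) in compare().items():
        print(f"{case:20} firsttrusted={ft!s:14} lastexternal={le}")
```

The "forwarded/trusted" row shows why trusted-only leaves the forwarder itself as lastexternal, and the "submitted/internal" row shows the roaming client's address becoming the MX handover, which is the FP risk described above.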
