https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6494
Matt Kettler <[email protected]> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |[email protected] --- Comment #8 from Matt Kettler <[email protected]> 2010-09-25 01:02:12 UTC --- It would be nice if it wasn't so easy to break, but without manual configuration, the trust-path auto-guesser really just has to make educated guesses about your network. Over the years this has been discussed many, many, many times, and really it all boils down to there is no algorithm that works well in all cases. There's just too little information present to not be a fragile guess. If you can think of a better algorithm, suggestions are welcome. The best methods boil down to one of two algorithms: Currently used: Starting with the most recent (chronologically) relay: 1) If the most recent is a private IP, assume internal and assume all other private IPs are internal until you get to the first publicly routable address. 2) Assume the most recent publicly routable is your MX. Pros: works well with properly configured sites and a un-natted MX downside: breaks with broken sites, or with nated MX. Alternate algorithm: Same as above, but in step 2, assume the routable IP is external. Pros: works well with properly configured sites and a NATed MX downside: breaks with broken sites, or with un-nated MX. Other popular proposals: -Use RDNS and trust all the recent hosts that match the domain of the To: address downside: breaks for multi-domain sites, Cc, BCC, and mailing list messages -Use RDNS and trust all the recent hosts that are in the same domain as one another. downside: breaks for anyone using a forwarder, or servers in multiple domains. Breaks in the same way as current for sites failing to add a received: header -Consider nothing trusted/internal unless explicitly configured to do so downside: This ensures SA is always broken by default. So rather than guess, we're making a hard-coded choice that is always wrong.. not so good. (yes, under-trust is also bad, in some cases worse than over-trust, see the wiki on trust path). -- Configure bugmail: https://issues.apache.org/SpamAssassin/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the assignee for the bug.
