I am getting more and more confused :) If the sender is a NATed box in 192.168/16 space, and the receiver is also a NATed box in 192.168/16, the received message will have a "by" 192.168.xx.yy, and seemingly never left the trusted network. If you change trusted networks to 127. or your public IP, then mails from the local net will come from outside the trust zone. The real solution should be to teach the MTA to use the public IP in the "received by" part for mails received from the internet, and its local IP otherwise. This may be hard to achieve :) It should be possible, however, to set up the mailserver with two local IPs, and send local mails to one of them, and external mails to the other. Now, how do I declare to SA that mails received by 192.168.2.11 come from the trusted network, while those received by 192.168.2.10 are untrusted?
Wolfgang Hamann

>> OK, after more R'ing TFM and some kind advice from a list member, I
>> think I understand now what has been happening.
>>
>> From the Mail::SpamAssassin::Conf man page:
>>
>> * if the "from" IP address is on the same /16 network as the top
>> Received line's "by" host, it's trusted
>>
>> * if the address of the "from" host is in a reserved network range,
>> then it's trusted
>>
>> * if any address of the "by" host is in a reserved network
>> range, then it's trusted
>>
>> So the solution is to add these two lines to local.cf:
>>
>> clear_trusted_networks
>> trusted_networks 127/8 24.173.79.19/32
>>
>> IIUC this sets any traffic which originates from my server as trusted,
>> but all other traffic is not.
>>
>> > trusted! That seems too permissive to me. Am I still not understanding
>> > trusted_networks correctly?
>>
>> Yup. Those are on the other side of an *un*trusted network, so they don't
>> count.
>>
>> Trusted networks determine where the trust stops. It doesn't (so far as I
>> know) restart after that.
>>
>> Loren
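To make the NAT problem in this thread concrete, here is an added example (not SpamAssassin's code) that models the three inference rules quoted from the man page and the "trust stops, never restarts" behaviour over a constructed chain of Received hops. It assumes each hop can be reduced to a (from IP, by IP) pair and that an explicit trusted_networks list is matched against the "from" IP of each relay; both are simplifications of what SpamAssassin actually parses.

```python
import ipaddress

# Reserved ranges relevant to the inference rules quoted from the man page.
RESERVED = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def nets(*cidrs):
    """Build a trusted_networks list from CIDR strings."""
    return [ipaddress.ip_network(c) for c in cidrs]

def in_any(ip, networks):
    return any(ip in n for n in networks)

def same_slash16(a, b):
    return (ipaddress.ip_interface(f"{a}/16").network
            == ipaddress.ip_interface(f"{b}/16").network)

def inferred_hop_trusted(frm, by, top_by):
    # The three inference rules used when no trusted_networks is configured.
    return same_slash16(frm, top_by) or in_any(frm, RESERVED) or in_any(by, RESERVED)

def trusted_hops(hops, trusted_networks=None):
    """Count leading hops (newest first) inside the trust boundary.
    Trust stops at the first untrusted relay and does not restart."""
    top_by = hops[0][1]
    count = 0
    for frm, by in hops:
        if trusted_networks is None:
            ok = inferred_hop_trusted(frm, by, top_by)
        else:
            # Simplifying assumption: the explicit list is checked against
            # the address of the relay that handed the mail to us.
            ok = in_any(frm, trusted_networks)
        if not ok:
            break
        count += 1
    return count

def hop(frm, by):
    return (ipaddress.ip_address(frm), ipaddress.ip_address(by))

# Constructed scenario: NATed gateway 192.168.2.11 takes the mail from a NATed
# internal relay 192.168.2.5, which itself received it from an internet host.
HOPS = [hop("192.168.2.5", "192.168.2.11"),
        hop("203.0.113.9", "192.168.2.5")]

if __name__ == "__main__":
    print("inferred rules:", trusted_hops(HOPS))                           # 2: internet hop looks trusted
    print("127/8 + public IP:", trusted_hops(HOPS, nets("127.0.0.0/8", "24.173.79.19/32")))  # 0
    print("internal relay listed:", trusted_hops(HOPS, nets("192.168.2.5/32")))               # 1
```

The first run shows why a NATed receiver never sees the mail "leave" the trusted network under the inferred rules; the second shows Loren's explicit list pushing the local relay outside the trust zone, and the third lists the internal relay itself so trust ends exactly at the internet hop.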