On 31 Aug 2018, at 4:53, Matus UHLAR - fantomas wrote:
Long time ago I learned to configure dynamic IP addresses (dialups) as
trusted, but not as internal.
On 31.08.18 09:37, Bill Cole wrote:
They probably should be neither.
In this case, clients are internal, not dialup, but I still think they
should not be listed in internal_networks (as I don't trust them not to
spoof anything).
If you do not trust them not to spoof anything, they absolutely must
not be in trusted_networks.
In fact I have to trust them not to spoof at least the from/envelope
addresses. Historical reasons, at least until something bad happened.
btw note that ALL_TRUSTED means that message was originated by trusted host,
not relayed by it - any untrusted host will clear this rule.
I have tried to remove them off the trusted_networks.
The only change was that ALL_TRUSTED is gone, and without it in meta,
HDR_ORDER_FTSDMCX* hit.
There are also many rules that search untrusted relays for things like
generic helo and DNS name.
In this case, setting up DNS could mess things up even more.
As I see it, having those local machines in trusted_networks helps me even
more and it also makes me think if this isn't one of the reasons
trusted_networks exist ...
It seems to me that you have a technical & management arrangement
unsuited to the SpamAssassin
trusted_networks/internal_networks/msa_networks logical model.
This is quite possible, but even you have noted that you don't know
everything about parsing Received headers.
My recommendation would NOT be to modify stock rules that are constructed
with that logical model as a base assumption, but rather to create your own
mitigating rules to handle the fact that you seem to want to always accept
mail from certain internal clients which are nameless, untrustworthy, and
sources of mail with features that in the world at large mostly correlate
to spam.
However, I encounter these problems on multiple hosts with the same
conditions, and it's quite possible that different people have similar
issues, so I am searching for a solution that helps me (and possibly others)
while not breaking anything.
--
Matus UHLAR - fantomas, [email protected] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Depression is merely anger without enthusiasm.