On Fri, Jul 05, 2019 at 02:42:28AM +0000, David Jones wrote: > Maybe allow the RelayCountry check to happen on the msa network or the > first relay? > > Or something like trusted_countries that could provide a limit/boundary > to the trust of trusted_networks? > > Compromised accounts often get abused from foreign/unusual countries. I > have meta rules and DWL/DBL for emails combined with RelayCountry but > these are useless in this situation.
Perhaps adding new datadata X-Relay-Countries-External would be enough, it would check all external IPs (vs untrusted for the default X-Relay-Countries). I think it could use useful in this and other situations when there are lots of additional trusted networks. Maybe also the X-Relay-Countries-MSA to check client IPs from msa_networks. Might even make it to 3.4.3 if KAM wants to delay rc4 just a little bit more. :-D