On Fri, Jul 05, 2019 at 09:50:35AM +0300, Henrik K wrote: > On Fri, Jul 05, 2019 at 02:42:28AM +0000, David Jones wrote: > > Maybe allow the RelayCountry check to happen on the msa network or the > > first relay? > > > > Or something like trusted_countries that could provide a limit/boundary > > to the trust of trusted_networks? > > > > Compromised accounts often get abused from foreign/unusual countries. I > > have meta rules and DWL/DBL for emails combined with RelayCountry but > > these are useless in this situation. > > Perhaps adding new datadata X-Relay-Countries-External would be enough, it > would check all external IPs (vs untrusted for the default > X-Relay-Countries). I think it could use useful in this and other > situations when there are lots of additional trusted networks. > > Maybe also the X-Relay-Countries-MSA to check client IPs from msa_networks. > > Might even make it to 3.4.3 if KAM wants to delay rc4 just a little bit more. > :-D
See https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7731