On Fri, Jul 05, 2019 at 04:42:54PM +0000, David Jones wrote: > > X-Relay-Countries-All _RELAYCOUNTRYALL_ > > All possible relays (internal + external). > > > > Not sure how this would be helpful since it mixes everything together. > I guess it could be used as a positive indicator when certain countries > are not in the list but we kinda have this already.
I was hastily thinking about some complex multi-country multi-mta setups. So a certain continents mailflow could be checked for example. It's just an extra header, there's no need to use it. :-) > > X-Relay-Countries-Auth _RELAYCOUNTRYAUTH_ > > Auth will contain all relays starting from the first relay that used > > authentication. For example, this could be used to check for hacked > > local users coming in from unexpected countries. > > > > Perhaps we need something added like a 3rd option like boundary_networks > as an authentication boundary beyond trusted_networks? > > internal_networks = in our admin control and won't forge headers > trusted_networks = trust to not forge headers (no change) > boundary_networks = works like trusted_networks except: > > 1. X-Relay-Countries will be populated > 2. ESMTPA IP not included in ALL_TRUSTED > > Then we don't need to add new headers and no new rules to manage. As I said in another post, it doesn't make sense to add such internal feature for single plugins purposes, which many people might not even use. If all it's purposes could be clearly conceived, something to look into 4.0.0. Perhaps with any other major logic changes if needed.
