Which won't solve the problem of the trust path being incorrect and causing SA to check the wrong hosts against blacklists, etc.
If he can get his trust path working, he's much better off doing so than just masking the symptom of ALL_TRUSTED misfiring.
I would *not* recommend disabling ALL_TRUSTED except as a last resort.
I am reasonably sure that my trusted and internal network paths are correct. I base this on the fact that 1) all DNSRBL rules are being applied correctly, 2) SPF checks are working properly, and 3) I am under the illusion that I know what I am doing and can follow procedures in documentation most of the time.
Despite this, however, ALL_TRUSTED was still being hit constantly when it should not have. I don't see any reason why I should re-enable the rule. And frankly, judging by the number of other people who have also had problems with ALL_TRUSTED, I think it should just be disabled by default.
