Kelson wrote:
Which won't solve the problem of the trust path being incorrect and causing SA to check the wrong hosts against blacklists, etc.
If he can get his trust path working, he's much better off doing so than just masking the symptom of ALL_TRUSTED misfiring.
I would *not* recommend disabling ALL_TRUSTED except as a last resort.
I am reasonably sure that my trusted and internal network paths are correct. I base this on the fact that 1) all DNSRBL rules are being applied correctly, 2) SPF checks are working properly, and 3) I am under the illusion that I know what I am doing and can follow procedures in documentation most of the time.
Despite this, however, ALL_TRUSTED was still being hit constantly when it should not have. I don't see any reason why I should re-enable the rule. And frankly, judging by the number of other people who have also had problems with ALL_TRUSTED, I think it should just be disabled by default.
Disabling this rule because it is misfiring is NOT a good idea as stated above. If your trust path is set correctly and it is still misfiring, there is still a problem somewhere. It may not affect you in your current setup, but the problem still exists. ALL_TRUSTED firing when it shouldn't is a symptom of the problem, not the problem itself. Disabling the rule simply makes the symptoms go away... for some people this is all they care about. For any admin worth anything, this should NOT be a solution. But hey, what do I know?
-Jim
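As an added illustration of the point Kelson and Jim are making (this is not from any post in the thread), here is a SpamAssassin local.cf fragment that puts the symptom-masking change beside the trust-path fix. The directive names are SpamAssassin's own; the network addresses are placeholders chosen for the example and must be replaced with your real relay addresses.

```conf
# --- Symptom-masking "fix" (what the thread argues against) ---
# Zeroing the score silences ALL_TRUSTED, but if the trust path is wrong
# SA will still pick the wrong relay for DNSRBL lookups and SPF checks.
#score ALL_TRUSTED 0

# --- Trust-path fix (what the thread recommends) ---
# trusted_networks: hosts whose Received: headers SA may believe were not
# forged (your MXes, internal relays, and any upstream relay you trust).
# Addresses below are placeholders for this example, not real hosts.
trusted_networks 192.0.2.0/24

# internal_networks: the subset of trusted hosts that are *your* MX and
# receive mail directly from the Internet.  An upstream ISP relay belongs
# in trusted_networks but not here.  If omitted, SA assumes
# internal_networks equals trusted_networks, which is a common source of
# ALL_TRUSTED misfires when an external relay was added to trusted_networks.
internal_networks 192.0.2.10

# Checks after editing (assumed invocation; run as the user SA runs as):
#   spamassassin --lint
#   spamassassin -D received-header < sample.eml 2>&1 | grep -i 'trusted\|internal'
# The debug output should show the first untrusted relay being the host
# that handed the message to your MX, not your MX itself.
```

The important distinction is the second directive: ALL_TRUSTED fires only when every relay in the Received chain is trusted, so a trusted_networks range that is too broad, or an upstream relay listed without a narrower internal_networks, makes every inbound message look as though it never left your own hosts.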