George Georgalis wrote:
> In my setup, trusted relays aren't tested with SA, they go straight
> to the queue. Untrusted networks must negotiate SA in SMTP. I've
> visited this configuration issue before, and the simple solution
> has been
NOOOOOOOOOOOO. You have the wrong idea.

Trusted here does NOT mean trusted to never relay spam, it means trusted to not forge headers. You MUST trust your own mailserver that receives mail from the internet. MUST! Even if it accepts spam, that's fine. But it has to be trusted. For SA to work properly you have to trust it.

If set up properly this will NOT cause Internet mail to hit ALL_TRUSTED; that's the result of the opposite extreme of the same problem: too much trust. Right now you've got too little trust.

Doing what you have done breaks a LOT of SA's rules, including whitelist_from_rcvd, all dialup RBLs, etc. Without any trusted relays, SA doesn't know where the mail entered your network, so it won't run any tests that rely on recognizing the boundaries between your network and the Internet.

Set your trusted_networks properly, and remove your hack-fix of reducing ALL_TRUSTED's score. Set trusted_networks to the IPs of all mail relays you control and trust to not forge headers.

I suspect all your problems started because your outside mail relay is NATed, and you hit the "over trust" bug where ALL_TRUSTED matches mail from the outside. To fix this, you over-reacted and created an under-trusting configuration. That's just as broken.

Read this wiki article for the lengthy details: http://wiki.apache.org/spamassassin/TrustPath
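To make the "too little trust / too much trust" point concrete, here is an added illustration (not code from the thread or from SpamAssassin itself) of how a trust-path walk over Received headers behaves under the three configurations discussed above. It is a simplified model of the idea, not SpamAssassin's implementation: relays are trusted from the newest header downward while their IP falls inside trusted_networks, and the first relay outside that set is taken as the point where the mail entered the network. The Received headers and addresses (10.0.0.5 for a NATed MX, 203.0.113.7 for the Internet sender) are constructed sample data.

```python
import ipaddress
import re

# Constructed sample Received headers, newest first, as they would appear in
# the message at the host running SpamAssassin. The hop chain is:
#   Internet host 203.0.113.7 -> our NATed MX (seen internally as 10.0.0.5)
#   -> our internal mail store, where scanning happens.
SAMPLE_RECEIVED = [
    "from mx.example.test (mx.example.test [10.0.0.5]) by store.example.test with ESMTP",
    "from mail.sender.test (mail.sender.test [203.0.113.7]) by mx.example.test with ESMTP",
    "from [192.168.1.20] (unknown [192.168.1.20]) by mail.sender.test with ESMTP",
]

# Matches the bracketed IPv4 literal that most MTAs write for the sending host.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_ips(received):
    """Return the sending IP recorded in each Received header, newest first."""
    ips = []
    for hdr in received:
        m = IP_RE.search(hdr)
        if m:
            ips.append(ipaddress.ip_address(m.group(1)))
    return ips


def split_trust_path(received, trusted_networks):
    """Walk the relays newest-to-oldest. A relay is trusted only while every
    relay before it was trusted and its IP lies in trusted_networks; once the
    chain leaves the trusted set, everything older is untrusted (an untrusted
    relay could have forged any header it handed us).
    Returns (trusted_ips, untrusted_ips) as lists of strings."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    trusted, untrusted = [], []
    for ip in relay_ips(received):
        if not untrusted and any(ip in net for net in nets):
            trusted.append(str(ip))
        else:
            untrusted.append(str(ip))
    return trusted, untrusted


def last_external(received, trusted_networks):
    """The first untrusted relay: the IP that handed mail into our network.
    This is the address boundary-based tests (dialup RBLs, whitelist_from_rcvd)
    need to identify. None means every relay was trusted (ALL_TRUSTED)."""
    _, untrusted = split_trust_path(received, trusted_networks)
    return untrusted[0] if untrusted else None


def all_trusted(received, trusted_networks):
    """True when no untrusted relay exists, i.e. the ALL_TRUSTED situation."""
    _, untrusted = split_trust_path(received, trusted_networks)
    return not untrusted


if __name__ == "__main__":
    configs = {
        "correct (own relays only)": ["10.0.0.0/8"],
        "under-trust (nothing trusted)": [],
        "over-trust (everything trusted)": ["0.0.0.0/0"],
    }
    for name, nets in configs.items():
        print(f"{name}: last external relay = {last_external(SAMPLE_RECEIVED, nets)}, "
              f"ALL_TRUSTED = {all_trusted(SAMPLE_RECEIVED, nets)}")
```

With the relays you control listed (10.0.0.0/8 here), the walk stops at 203.0.113.7, the real Internet sender, which is the IP the boundary-dependent rules want. With nothing trusted, the very first hop (your own NATed MX at 10.0.0.5) is treated as the external relay, so the true entry point is never identified; with everything trusted, no untrusted relay remains and ALL_TRUSTED fires on Internet mail. Those two outcomes are the two extremes the reply describes.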