Daryl C. W. O'Shea wrote:
> Mail to internal users (from roaming users) isn't the problem though.
> It's mail to external sites that see that my smart host is the second
> "public IP hop" and look it up in DUL. Since my telco continues to
> refuse to change my generic rDNS, my static IP has been listed in
> SORBS-DUL and any of our mail not sent from the internal network gets
> hit by SpamAssassin.
Yeah, that falls under the "multi-hop behind a dynamic IP with legitimate relaying through a non-dynamic server" case. Really I think the use of notfirsthop in DUL testing is just plain broken. SA should only be checking the host that drops off to your MX against the DULs. It shouldn't be backtracking further.

The current "external, nonprivate, notfirsthop" deals with most common FP cases, such as

The "no private" fixes the "NATed co-op" case of:

    private IP -> public (dyn) -> ISP -> Recipient MX -> SA.

but it is still broken for the case of:

    public IP -> public (dyn) -> ISP -> Recipient MX -> SA.

Which is rare, but does exist.

That said, if there's any way of doing so, I'd ditch your ISP ASAP. Since they can't set RDNS entries they are clearly not a business grade service, and are only suited to SOHO and home-user operations.
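The two relay chains in the reply above, worked through as an added example (this is a model written for this thread, not SpamAssassin's own relay-selection code). It parses constructed Received headers newest-first, drops hops inside an assumed trusted network, then applies the "nonprivate" and "notfirsthop" reductions the post describes, alongside a "lastexternal" mode that checks only the hop handing off to the MX. The DUL contents, host names, and IP addresses are all constructed; "private" here means RFC 1918 only, as in the post.

```python
"""Model of which Received hops a DUL lookup sees under different
hop-selection rules. Constructed example, not SpamAssassin code."""
import ipaddress
import re
from typing import List

# Relay IP as written in a Received header: "from host [1.2.3.4] by ..."
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed DUL: the co-op's static-but-generic-rDNS smart host is listed.
DUL = {ipaddress.ip_address("198.51.100.7")}

# Assumed trusted network: our own MX lives here; its hops are never checked.
TRUSTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

# "nonprivate" in the post means RFC 1918 space (not Python's wider is_private).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_received(headers: List[str]) -> List[ipaddress.IPv4Address]:
    """Relay IPs in header order: first entry is the hop nearest our MX,
    last entry is the originating host."""
    ips = []
    for line in headers:
        m = RECEIVED_IP.search(line)
        if m:
            ips.append(ipaddress.ip_address(m.group(1)))
    return ips


def is_trusted(ip) -> bool:
    return any(ip in net for net in TRUSTED_NETWORKS)


def is_rfc1918(ip) -> bool:
    return any(ip in net for net in RFC1918)


def select_hops(headers: List[str], mode: str) -> List[ipaddress.IPv4Address]:
    """Reduce the chain to the hops a DUL check would query.

    'external'     drop hops inside trusted networks
    'nonprivate'   external, then drop RFC 1918 hops
    'notfirsthop'  nonprivate, then drop the originating (oldest) hop
    'lastexternal' only the external hop that handed off to our MX
    """
    external = [ip for ip in parse_received(headers) if not is_trusted(ip)]
    if mode == "lastexternal":
        return external[:1]
    if mode in ("nonprivate", "notfirsthop"):
        external = [ip for ip in external if not is_rfc1918(ip)]
    if mode == "notfirsthop" and len(external) > 1:
        external = external[:-1]          # skip the originator's own hop
    return external


def dul_hits(headers: List[str], mode: str) -> List[str]:
    """IPs from the selected hops that appear in the DUL."""
    return [str(ip) for ip in select_hops(headers, mode) if ip in DUL]


# Shared upper part of both chains (constructed): our store, our MX, the ISP,
# then the co-op smart host. Hop IPs are in the bracketed field.
_COMMON = [
    "Received: from mx.example.test [192.0.2.1] by store.example.test",
    "Received: from smtp.isp.test [203.0.113.10] by mx.example.test",
    "Received: from smarthost.coop.test [198.51.100.7] by smtp.isp.test",
]

# "NATed co-op": private IP -> public (dyn) -> ISP -> Recipient MX
NAT_COOP = _COMMON + [
    "Received: from workstation [192.168.1.5] by smarthost.coop.test",
]

# Roaming user: public IP -> public (dyn) -> ISP -> Recipient MX
PUBLIC_RELAY = _COMMON + [
    "Received: from laptop.hotspot.test [203.0.113.200] by smarthost.coop.test",
]

if __name__ == "__main__":
    for name, chain in (("NAT co-op", NAT_COOP), ("public relay", PUBLIC_RELAY)):
        for mode in ("nonprivate", "notfirsthop", "lastexternal"):
            print(f"{name:12} {mode:12} hits={dul_hits(chain, mode)}")
```

Running it shows the post's point: with "notfirsthop" the NAT case is clean because dropping the private hop makes the smart host the first hop, but in the public-originator case the smart host is the second hop and is still queried, so the DUL listing fires; "lastexternal" clears both chains because only the ISP hop is ever checked.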