On Thu, 9 Mar 2006, Daryl C. W. O'Shea wrote:
On 09/03/06 07:35 PM, Dan Mahoney, System Admin wrote:
On Thu, 9 Mar 2006, Daryl C. W. O'Shea wrote:
On 09/03/06 07:03 PM, Dan Mahoney, System Admin wrote:
On Thu, 9 Mar 2006, Daryl C. W. O'Shea wrote:
On 09/03/06 03:09 PM, Dan Mahoney, System Admin wrote:
Off topic, a bit, but is this harmless?
Mar 9 19:18:52 quark spamd[32106]: netset: cannot include 216.89.180.7/32 as it has already been included
Mar 9 19:18:52 quark spamd[32106]: netset: cannot include 65.125.228.128/27 as it has already been included
Mar 9 19:18:52 quark spamd[32106]: netset: cannot include 216.89.180.7/32 as it has already been included
It's harmless. It's something I've added to help people get their trust
paths configured correctly (especially when they use the new exclusion
syntax).
Since it is new though, if you don't mind checking to make sure that you
really did specify the same /32s three times and the /27 twice, I'd
appreciate it. If you'd like you can send me a copy of your
trusted_networks and internal_networks config lines and I'll check it.
Aah, this might be it...listed in both SQL -AND- the local config files.
I'll delete the file versions (unless you think that's a bad idear).
Yeah, the lint warnings are correct.
These weren't in --lint, they were in spamd output. Lint wouldn't have
reported on both.
I'd stick with the file based config for this since SQL isn't used when
running "spamassassin"... it's only used for spamd/spamc.
Yes, this is the spamd machine.
-Dan
                                                   trusted | internal
---------------------------------------------------------------------
any IP you control                                   Yes   | (maybe)
any IP you trust not to forge headers (optional)     Yes   |   No
your MSA (important to get this one right)           Yes   |   No
your MTAs that aren't MSAs                           Yes   |   Yes
your MXes                                            Yes   |   Yes
relays between your border MXes and SA machine       Yes   |   Yes
your SA machine                                      Yes   |   Yes
If your MSA is the same logical server as your MTA/MX then you need to have
it in both trusted & internal networks and then:
- do not define internal networks (just let SA copy trusted to internal)
- only add IPs that you control to trusted_networks
- have your roaming users use SMTP auth or POP-before-SMTP
- your MTA must place auth tokens in its headers for SMTP auth sessions
- you must use the POPAuth plugin to support POP-before-SMTP sessions
I think this list is complete for 99% of users. Someone may want to add it
to the wiki.
I'll do it later tonight if nobody else has. Yay two hour commute.
-Dan
--
"Don't think of it as beer, think of it as a flavored motor oil."
-Jeremiah Kristal, on Guinness
3/29/05, 9:52 AM
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------
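
An added example, not part of the original thread and not SpamAssassin's own code: a small checker for the two problems discussed above, namely the same network declared more than once once all config sources are merged, and an internal_networks entry that trusted_networks does not cover (every "internal" row in the table is also "trusted"). Assumptions: the SQL preferences are shown as config-style lines, only bare IPs, CIDR and the "!" exclusion prefix are parsed, and the addresses are constructed from documentation ranges.

```python
import ipaddress
from collections import Counter

DIRECTIVES = ("trusted_networks", "internal_networks")

def parse_networks(lines):
    """Return (directive, network, excluded) for each address on a
    trusted_networks / internal_networks line. Handles bare IPs, CIDR and
    the '!' exclusion prefix only (assumption: no shorthand such as '10.')."""
    entries = []
    for line in lines:
        parts = line.split("#", 1)[0].split()   # drop comments, tokenize
        if not parts or parts[0] not in DIRECTIVES:
            continue
        for tok in parts[1:]:
            net = ipaddress.ip_network(tok.lstrip("!"), strict=False)
            entries.append((parts[0], net, tok.startswith("!")))
    return entries

def duplicates(entries):
    """Networks declared more than once under the same directive."""
    counts = Counter(entries)
    return sorted((d, str(n), c) for (d, n, _), c in counts.items() if c > 1)

def internal_not_trusted(entries):
    """Included internal networks that no included trusted network covers."""
    trusted = [n for d, n, ex in entries if d == "trusted_networks" and not ex]
    return sorted({str(n) for d, n, ex in entries
                   if d == "internal_networks" and not ex
                   and not any(n.version == t.version and n.subnet_of(t)
                               for t in trusted)})

# Constructed sample: the same settings present in a local file and in SQL
# preferences, as in the thread. Addresses are documentation ranges.
LOCAL_CF = [
    "trusted_networks 192.0.2.7/32 198.51.100.128/27",
    "internal_networks 192.0.2.7",
]
SQL_PREFS = [
    "trusted_networks 192.0.2.7 198.51.100.128/27",
    "internal_networks 203.0.113.5   # MX that was never added to trusted",
]

if __name__ == "__main__":
    merged = parse_networks(LOCAL_CF + SQL_PREFS)
    for d, n, c in duplicates(merged):
        print(f"{d}: {n} declared {c} times")
    for n in internal_not_trusted(merged):
        print(f"internal_networks: {n} is not covered by trusted_networks")
```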