Jim Knuth wrote:
> Yesterday (24.03.2006/22:43) Matt Kettler wrote,
> 
>> Bowie Bailey wrote:
>>> Craig McLean wrote:
>>>> Bowie Bailey wrote:
>>>> [snip]
>>>>
>>>>> You should define all of the IP addresses of your mailserver.
> 
> I don't know yet how I must determine the trusted network. :(
> 192.168.1/24 127/8 is clear for me. Right?

That should be fine, but it might not be all-inclusive.

Steps to determining your trusted network setting (for ordinary networks that
don't accept mail direct-from-dialup users):

1) identify all mailservers that YOU control that might add a "by" clause to a
Received: header that SA might see.

e.g.:

Received: from server2.xxxxxxx.de (server2.xxxxxx.de [xx.xx.xx.xx])
        by xanadu.evi-inc.com (8.12.8/8.12.8) with ESMTP id ..

In this case "xanadu.evi-inc.com" is my mailserver, and that's the header format
it inserts. I'd need to repeat this for all my mailservers, including internal
servers, secondary MXes, etc.


2) identify what IP address those mailservers will appear as when your system
running SA performs a DNS lookup on their names. Use "host" or "dig" to perform
the lookup on your SA box.

e.g.: host xanadu.evi-inc.com
xanadu.evi-inc.com has address 192.168.xx.yy


3) make a trusted_networks setting that encompasses all of those IPs, as well as
127.0.0.1. Being a little over-broad is OK, as long as all of the IPs covered
are hosts you control.

In my example, including 192.168.yy.0/24 or even 192.168.0.0/16 would be fine, as
nobody on the Internet could directly route mail to me from these IP addresses
anyway.
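The three steps above, worked through in code. This is an added example, not part of the original post: the Received: headers are constructed to mimic the sendmail format quoted in step 1, the hostnames and addresses are placeholders, and the DNS lookup of step 2 is stood in for by a hypothetical table so the script runs offline. The final function checks that a broader, hand-written trusted_networks line still covers every server found.

```python
import re
import ipaddress
from typing import Dict, List

# Constructed sample Received: headers in the format shown in the post.
# Hostnames and addresses are placeholders, not real hosts.
SAMPLE_HEADERS = [
    "Received: from server2.example.de (server2.example.de [203.0.113.7])\n"
    "        by xanadu.example.com (8.12.8/8.12.8) with ESMTP id k2OLhxyz",
    "Received: from xanadu.example.com (xanadu.example.com [192.168.10.20])\n"
    "        by mx2.example.com (8.12.8/8.12.8) with ESMTP id k2OLhabc",
]

# Hypothetical stand-in for step 2 ("host xanadu..."): what the SA box would
# resolve each of OUR servers to (internal addresses, since they are NATed).
ASSUMED_LOOKUP: Dict[str, str] = {
    "xanadu.example.com": "192.168.10.20",
    "mx2.example.com": "192.168.10.21",
}

BY_CLAUSE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")


def by_hosts(headers: List[str]) -> List[str]:
    """Step 1: collect every host named in a 'by' clause, in order, without duplicates."""
    seen: List[str] = []
    for hdr in headers:
        m = BY_CLAUSE.search(hdr)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def resolve(hosts: List[str], lookup: Dict[str, str]) -> List[str]:
    """Step 2: resolve each of our servers the way the SA box would (table stands in for DNS)."""
    return [lookup[h] for h in hosts if h in lookup]


def build_trusted_networks(addrs: List[str]) -> str:
    """Step 3: one /32 per server plus loopback, emitted as a trusted_networks line."""
    nets = {ipaddress.ip_network(a + "/32") for a in addrs}
    nets.add(ipaddress.ip_network("127.0.0.1/32"))
    ordered = sorted(nets, key=lambda n: int(n.network_address))
    return "trusted_networks " + " ".join(str(n) for n in ordered)


def covers_all(trusted_line: str, addrs: List[str]) -> bool:
    """Check that a (possibly broader) trusted_networks line covers every server address."""
    nets = [ipaddress.ip_network(t) for t in trusted_line.split()[1:]]
    return all(any(ipaddress.ip_address(a) in n for n in nets) for a in addrs)
```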

My real-world trusted_networks contains part of my DMZ subnet where my external
MXes live, and one internal server:

trusted_networks 192.168.yy.0/30 10.xx.yy.zz/32 127.0.0.1/32

(All of my mailservers are statically NATed, so no public IPs appear here. The
outside world may think of xanadu as 208.39.141.94, but it thinks of itself as
192.168.xx.yy.)
