Daryl C. W. O'Shea wrote:
> Stephan Menzel wrote:
>> Hi there,
>>
>> I'm currently about to customize a local (gentoo~) 3.1 installation
>> to our specific needs.
>> One of the first steps there was a special regex to catch our very
>> own Received: headers
>>
>> To check if this works I modified some other SA code parts and
>> enabled debug out.
>
> Why is the output from "spamassassin -Dreceived-header" not
> sufficient for this?
>
>
>> But here I had to realize that the Received line seems to be parsed
>> correctly but the values are never recognized as part of either our
>> trusted or internal network. Both are set like this (I simplified the
>> example a bit)
>>
>> /etc/spamassassin/local.cf
>>
>> ---snip---
>> clear_trusted_networks
>> trusted_networks 127.0.0 192.168 10 ... more networks to come here
>> clear_internal_networks
>> internal_networks 10.1.71.0/24 10.1.3.0/24 10.1.76.29/24 ... here too
>> ---snip---
>
> Reading the documentation we see that your configuration doesn't match
> what you want to do. "127.0.0", "192.168" and "10" are taken as the
> IPs "127.0.0", "192.168", and "10". Which are some of the funkiest
> IPs that I've ever seen. Most IPs have 32 or 128 bits.

While Daryl's comment here isn't entirely on the mark, it is close.

Daryl, read the docs closer. SA does accept this format.

Stephan, if you want to do an implied mask to cover a whole, you MUST end in a .

ie: you must use "10." not "10".

If you fail to include a trailing dot, SA will expand with zeros, but it will treat it as a single IP address, not a ranged mask.

ie:

trusted_networks 10
is the same as 10.0.0.0/32

trusted_networks 10.
is the same as 10.0.0.0/8

Fix your trusted networks to read:

trusted_networks 127.0.0. 192.168. 10.

The relevant part of the manpage:

If a /mask is specified, it's considered a CIDR-style 'netmask', specified in bits. If it is not specified, but less than 4 octets are specified with a trailing dot, that's considered a mask to allow all addresses in the remaining octets. If a mask is not specified, and there is not trailing dot, then just the single IP address specified is used, as if the mask was /32.
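
The three rules in the manpage excerpt above, as an added Python example that is not part of the original thread and is not SpamAssassin's own code. It is IPv4 only, the function names are hypothetical, and zero-padding a short address that carries an explicit /mask is an assumption. It flags entries that silently resolve to a single host.

```python
import ipaddress

def parse_network(entry):
    """Interpret one trusted_networks/internal_networks entry (IPv4 only)."""
    if "/" in entry:
        # Rule 1: explicit CIDR mask; host bits tolerated (10.1.76.29/24).
        addr, bits = entry.split("/", 1)
        octets, prefix = addr.rstrip(".").split("."), int(bits)
    elif entry.endswith("."):
        # Rule 2: fewer than 4 octets plus trailing dot = implied mask.
        octets = entry[:-1].split(".")
        if len(octets) >= 4:
            raise ValueError(f"trailing dot after 4 octets: {entry!r}")
        prefix = 8 * len(octets)
    else:
        # Rule 3: no mask and no trailing dot = one address, as if /32.
        octets, prefix = entry.split("."), 32
    if not 1 <= len(octets) <= 4:
        raise ValueError(f"bad address: {entry!r}")
    octets = octets + ["0"] * (4 - len(octets))  # expand with zeros
    return ipaddress.ip_network(f"{'.'.join(octets)}/{prefix}", strict=False)

def covers(entries, ip):
    """True if any entry's network contains the given relay IP."""
    addr = ipaddress.ip_address(ip)
    return any(addr in parse_network(e) for e in entries)

def single_host_surprises(entries):
    """Entries written with fewer than 4 octets that still end up as /32."""
    return [e for e in entries
            if "/" not in e and not e.endswith(".") and e.count(".") < 3]

# Entries from the thread: the original line and the corrected one.
ORIGINAL = ["127.0.0", "192.168", "10"]
FIXED = ["127.0.0.", "192.168.", "10."]

if __name__ == "__main__":
    for label, entries in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label, [str(parse_network(e)) for e in entries])
        # 10.1.3.7 is a constructed relay address inside 10.1.3.0/24.
        print("  covers 10.1.3.7:", covers(entries, "10.1.3.7"))
        print("  single-host surprises:", single_host_surprises(entries))
```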