Ben Wylie wrote:
No. Internal only if it's not directly accepting mail from client IPs that you WANT to accept mail from. MXes and everything (internal relays) after them are ALWAYS in both trusted and internal networks.
 >
 > This is what tells SA that mail was sent directly from "questionable
 > IPs" to your systems.  It sees that some (questionable) IP sent mail to
 > an internal host without going through some external host first.

How can an MX be internal if you say it shouldn't accept mail from client IPs whose emails are wanted? Surely the MX is where all clients will have to connect directly to?

If your MX and MSA are combined (clients send mail to an MSA, an MX receives mail from other domains) then you have to satisfy one of the three options below (as described in my first email to this thread):


You cannot add your MSA to your internal_networks unless you can do one of the following:

 - have all your MSA users use SMTP auth AND use mail server software
   that includes RFC 3848 or Sendmail-style auth tokens in its received
   headers

 - include ALL of your MSA users' IP addresses in your trusted_networks
   and internal_networks -- you can only do this if you control all of
   the IP space in question and never have roaming users sending mail
   from remote IP space (which is nearly never the case)

 - use the POPAuth plugin to extend trusted_networks to POP-before-SMTP
   clients if you use POP-before-SMTP for user authentication
   Note: Only configure trusted_networks if you're using this plugin,
         do not configure internal_networks


Have I misunderstood you?

I hope not. Your MX is *always* internal. If your MSA gets combined with it then you have to satisfy one of the three options above. If your MSA is a standalone do-nothing-else host then you get off easy and you can just set it as trusted and not internal.


Daryl

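The following is an added example, not part of the thread and not SpamAssassin's own code. It is a simplified model of the boundary decision discussed above: it walks constructed Received headers newest-first and reports which IP is seen as handing the message to the internal network. The function name, header layout, hostnames and addresses are all assumptions made for illustration.

```python
import ipaddress
import re

# Simplified: matches only "from host ([ip]) by host with PROTO" headers.
RECEIVED = re.compile(r"from \S+ \(\[(?P<ip>[^\]]+)\]\) by \S+ with (?P<proto>\S+)")
AUTH_PROTOCOLS = {"ESMTPA", "ESMTPSA"}  # RFC 3848 authenticated transmission types

def last_external_ip(received, internal_networks):
    """Return the IP that delivered into the internal network, or None if
    every hop was internal or an authenticated submission."""
    nets = [ipaddress.ip_network(n) for n in internal_networks]
    for header in received:  # newest first, so each was written by an internal host
        m = RECEIVED.search(header)
        if m is None:
            raise ValueError("unparsed Received header: " + header)
        if m["proto"].upper() in AUTH_PROTOCOLS:
            continue  # the internal host vouches for this client via SMTP auth
        ip = ipaddress.ip_address(m["ip"])
        if any(ip in net for net in nets):
            continue  # internal relay, keep walking toward the origin
        return str(ip)  # first hop that is neither internal nor authenticated
    return None

INTERNAL_MX_ONLY = ["192.0.2.10/32"]  # constructed: the MX is always internal

# Constructed headers. Combined MX/MSA whose software records the auth token:
COMBINED_WITH_TOKEN = [
    "from mx.example.com ([192.0.2.10]) by store.example.com with ESMTP id 2",
    "from laptop.example.net ([203.0.113.77]) by mx.example.com with ESMTPSA id 1",
]
# Same host, but no auth token in the header: the roaming user's IP looks
# like a client that delivered straight to the MX.
COMBINED_NO_TOKEN = [
    "from mx.example.com ([192.0.2.10]) by store.example.com with ESMTP id 2",
    "from laptop.example.net ([203.0.113.77]) by mx.example.com with ESMTP id 1",
]
# Standalone MSA left out of internal_networks: its static IP is the boundary.
STANDALONE_MSA = [
    "from msa.example.com ([192.0.2.25]) by mx.example.com with ESMTP id 2",
    "from laptop.example.net ([203.0.113.77]) by msa.example.com with ESMTP id 1",
]

if __name__ == "__main__":
    for name in ("COMBINED_WITH_TOKEN", "COMBINED_NO_TOKEN", "STANDALONE_MSA"):
        print(name, "->", last_external_ip(globals()[name], INTERNAL_MX_ONLY))
```
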