Stefan `Sec` Zehl writes: > Hi, > > Ok, I debugged this a bit more. > > Problem is, these headers were marked as ALL_TRUSTED: > > > > | Received: from mout4.freenet.de (mout4.freenet.de > > > [IPv6:2001:748:100:40::2:6]) > > > | (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) > > > | (No client certificate requested) > > > | by ice.42.org (Postfix) with ESMTPS id D189AB85A > > > | for <[EMAIL PROTECTED]>; Tue, 26 Feb 2008 11:51:08 +0100 (CET) > > > | Received: from [195.4.92.23] (helo=13.mx.freenet.de) > > > | by mout4.freenet.de with esmtpa (Exim 4.69) > > > | (envelope-from <[EMAIL PROTECTED]>) > > > | id 1JTxOR-0002Vk-38; Tue, 26 Feb 2008 11:50:39 +0100 > > > | Received: from [82.128.34.27] (port=1797 helo=User) > > > | by 13.mx.freenet.de with esmtpa (ID [EMAIL PROTECTED]) (port > > > 25) (Exim 4.69 #10) > > > | id 1JTxOO-0005uv-2T; Tue, 26 Feb 2008 11:50:38 +0100 > > The detailed problem is, the first header is completely ignored because > of its IPv6 content. > > The second line contains "with esmtpa" which makes SpamAssassin > unconditionally trust this header. Case in Point: > > SpamAssassin/Message/Metadata/Received.pm around line 192: > | # trusted_networks matches? > | if (!$relay->{auth} && !$trusted->contains_ip($relay->{ip})) { > | $in_trusted = 0; > > It is completely irrelevant if the IP is in trusted_networks or not. If > the Received line contains "auth" which at this point contains "esmtpa" > it considers the Header good and trusted. > > I fixed that particular problem for now by forcing "auth" to be empty > at the end of the "parse_received_line" function, but as $auth was > included for some reason, somebody should look closer at how to fix this > completely.
The fix would be to implement support for IPv6 trust paths: http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4503 http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4964 --j.