On Sat, Apr 10, 2010 at 12:41 AM, Henrik K <h...@hege.li> wrote:
> On Fri, Apr 09, 2010 at 05:43:24PM -0400, Kris Deugau wrote:
>>
>>>> I would think that in this case the dynamic address blocks would need to
>>>> be explicitly defined.
>>>
>>> That's why I started this thread by saying that I went hunting for a
>>> "mua_networks" equivalent, and couldn't find one.
>>
>> OK, think about this: What do you do about relay IPs outside your
>> network, from which your customers are sending mail through your MSA via
>> SMTP AUTH? There's a good chance they're listed on eg Spamhaus PBL -
>> and there's *no* way you'll ever predict them.

Agreed. I'm trying to solve the problem for my legacy-support MSAs,
which are only supporting non-SMTP-AUTH clients.

From the documentation, msa_networks designates those servers that
accept only authenticated messages, regardless of type.

I'm the new guy on the list, and have some catching up to do with
learning how the *_networks directives work, but the evidence is
mounting that if MSAs listed in msa_networks can't tell that they're in
msa_networks, then msa_networks does not work as documented.

I know that folks are mostly straight SMTP AUTH nowadays. I still have
to support IP lists, and the documentation says that they are
supported. If this isn't true, then I'd like to help to make it true,
or request that the documentation be updated.

> If one really can't make it work by the proper msa_networks way (making sure
> all the auth Received: magic is there), then probably the only option is to
> use a POPAuth[1] style plugin (somewhat deprecated since it doesn't even
> recognize "internal"). I'm sure there's plugin ways to add to the internal
> list if the sender is authenticated, but still it probably would be more
> beneficial to just change the MSA configuration to supported.
>
> [1] http://wiki.apache.org/spamassassin/POPAuthPlugin

If I have to do something to duplicate the intended functionality of
msa_networks, it would be more efficient (and benefit the user
community at large) if the problem with msa_networks is addressed
globally.

In other words, I do not believe that I am misconfiguring my
SpamAssassin. msa_networks systems are not currently aware of
themselves. It sounds like SMTP AUTH connections are already covered,
but other authenticated methods (specifically, "IP list" methods like
sendmail's access file) are not currently working with msa_networks.

So, some possible options are (thinking out loud):

* Insert a pseudo-header with MIMEDefang, etc. This is sub-optimal, as
  it becomes cross-site whack-a-mole for different platforms.

* POPAuth. This is inefficient, given that we're going to lengths to
  recreate knowledge that we already know - that we allow everyone from
  certain networks to relay.

* Create a mua_networks option. This would only need to interact with
  msa_networks, and would allow msa_networks systems to become
  self-aware. If a server is in msa_networks, and it sees someone
  connecting from a mua_network, then it would treat them as
  authenticated.

* Other?

I am not approaching this problem with a sense of entitlement. If the
core developers are interested in the mua_networks method, or know of
another way to tackle the problem, I would like to help. I know some
Perl, and could probably figure something out, but do not want to go to
the effort if it will not be accepted to benefit the whole community.

Royce
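
The mua_networks rule proposed in the message above, sketched as an added example; it is not part of the original message and not SpamAssassin code. mua_networks is the hypothetical option from the proposal, and the Hop fields, function names and all addresses are constructed for illustration.

```python
# Sketch of the proposed rule: a relay listed in msa_networks treats a client
# connecting from mua_networks as authenticated. mua_networks is hypothetical
# (not an existing SpamAssassin option); all data below is constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Hop:
    by_ip: str        # relay that accepted the message
    from_ip: str      # client that connected to that relay
    smtp_auth: bool   # True if the Received: header records SMTP AUTH

def in_nets(ip, nets):
    addr = ip_address(ip)
    return any(addr in ip_network(n) for n in nets)

def treated_as_authenticated(hop, msa_networks, mua_networks):
    """Return why the hop counts as authenticated, or None if it does not."""
    if not in_nets(hop.by_ip, msa_networks):
        return None               # the rule only applies at a listed MSA
    if hop.smtp_auth:
        return "smtp-auth"        # per the thread: covered for any client IP
    if in_nets(hop.from_ip, mua_networks):
        return "mua-network"      # proposed: client allowed by IP list
    return None

# Constructed configuration: one legacy MSA and one customer address pool.
MSA_NETWORKS = ["192.0.2.25/32"]
MUA_NETWORKS = ["10.20.0.0/16"]

# Constructed hops covering the cases raised in the thread.
SAMPLES = {
    "ip-list customer": Hop("192.0.2.25", "10.20.4.7", False),
    "roaming, SMTP AUTH": Hop("192.0.2.25", "203.0.113.80", True),
    "outside, no auth": Hop("192.0.2.25", "203.0.113.80", False),
    "pool IP at non-MSA relay": Hop("198.51.100.9", "10.20.4.7", False),
}

def classify_all():
    return {name: treated_as_authenticated(hop, MSA_NETWORKS, MUA_NETWORKS)
            for name, hop in SAMPLES.items()}

if __name__ == "__main__":
    for name, reason in classify_all().items():
        print(f"{name:26} -> {reason}")
```

The last sample shows why the option only needs to interact with msa_networks: a pool address gains nothing at a relay that is not a listed MSA.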