On Fri, 17 Dec 2010 10:11:11 -0800 Ted Mittelstaedt <t...@ipinc.net> wrote:
> On 12/17/2010 9:28 AM, Jason Bertoch wrote: > > In the OP's case, his authenticating server is separate from his SA > > server. In any case, the server indicating authentication > > (localhost or otherwise) should be a trusted server, else you don't > > trust the authentication. > > > > auth-smtp is only a speedbump to the spammers, it blocks the > dumb ones. A sophisticated spammer can hijack a machine and use > it's authenticated SMTP connection to it's mailserver to send > spam. I never trust the authentication. The main reason for SA checking authentication is to turn-off MX specific tests such as PBL, for that reason you have to be able to trust the authentication. That's not the same as trusting the sender.
