On Wed, 2014-08-27 at 03:01 +0200, Reindl Harald wrote:
> > If it's internal, it's internal. There is a reason you are setting up
> > lastexternal DNSxL rules.
> 
> the intention is to handle the internal IP like it would be external

Again: Craft your samples to match real-life (production) environment.
Do not configure or try to fake an environment that will not match
production later. It won't work.

You want to configure SA. So configure SA. Correctly.

If you insist on not following that advice, please refrain from further
postings to this list.


> >> Aug 27 00:59:29.249 [30833] dbg: metadata: X-Spam-Relays-Untrusted: [ 
> >> ip=10.0.0.19 rdns=mail-gw.thelounge.net
> >> helo=mail-gw.thelounge.net by=mail.thelounge.net ident= envfrom= intl=0 
> >> id=3hjPzJ6TWVz23 auth= msa=0 ] [
> >> ip=10.0.0.6 rdns=arrakis.thelounge.net helo=arrakis.thelounge.net 
> >> by=mail-gw.thelounge.net ident= envfrom= intl=0
> >> id=3hjPzJ2tkPz1w auth= msa=0 ]
> > 
> > There is no X-Spam-Relays-Trusted metadata in your grep for "dns", which
> > means there is absolutely no trusted relay. Given those relays are in
> > the 10/8 class A network and you deliberately breaking trusted_networks
> > in a previous post, that seems about right...
> 
> the intention to break it was to behave like it is external
> and just check the RBL behavior

Read my previous post again, carefully. If you define everything to be
external, there is no *last* external SA can trust.


> > Anyway, there are no "dbg: dns: IPs found:" and "dbg: dns: launching"
> > lines, so this clearly shows the RBLs are NOT queried.
> 
> that's my problem :-)

So you know how to fix it. Configure *_networks in SA correctly, and
send a message from an external host.


> > No activity with your custom RBL either. But well, how would you expect
> > SA to query *last* external, given you deliberately told SA there are no
> > internal relays...
> 
> well, there will never be internal relays, just an inbound-only MX

That IS an internal relay. Your MX must be in your internal_networks,
and it is by the very definition of MX an SMTP relay.


> > All external. No internal, no last external aka "hop before first
> > internal" either.
> 
> i want that RBL checks in general only for the *physical* IP
> with no header inspections - 90% of inflow will be finally
> filtered out by postscreen anyways

You need an internal, trusted relay to get that IP you desire. That
relay is what generates the Received header with precisely that IP.

Besides: SA is not an SMTP. It does not add the Received header. And it
absolutely has to inspect headers, whether you like that or not. That is
how SA determines exactly that last, trustworthy, "physical" IP. And for
that, trusted and internal networks need to be correct, so by extension
external networks also are correct.


> > First of all, do read and understand the (trusted|internal)_networks
> > options in the M::SA::Conf [1] docs, section Network Test Options.
> > 
> > Then remove the current bad *_networks options in your conf. If you
> > don't fully understand those docs, keep it at that, default. If you do
> > understand and see an actual need to manually set them, do so, but do so
> > *correctly*.
> 
> the intention is no trust / untrust at all and handle any IP
> with its physical connection

Do read the docs I linked to.

You are totally misunderstanding trust. It is not about what you trust,
or don't. It is about which Received headers SA can trust to be correct.

In particular, your MX, your first internal relay, absolutely MUST be
trusted by SA. That is the SMTP relay identifying the sending host,
complete with IP and rDNS.

Received headers before that simply CANNOT be trusted. There is no way
to guarantee the host they claim to have received the message from is
legit.


> > [1] http://spamassassin.apache.org/doc/Mail_SpamAssassin_Conf.html
> 
> thanks!

In general, I stand by what I wrote in the previous post. And I strongly
suggest you follow that advice.

The approach you tried and defended with claws in this already lengthy
thread will not work and is bound to fail. Stop arguing, and start
setting up a serious test environment and correct SA options.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
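As an added illustration of the trust walk argued over above (example code written for this page, not taken from the thread or from SpamAssassin itself): it parses the X-Spam-Relays-Untrusted line from the quoted debug output and applies a simplified model of the trusted_networks / internal_networks rules, where "last external" is the hop before the first internal relay. The empty lists standing in for the criticised config and the 203.0.113.7 outside sender are constructed assumptions.

```python
import ipaddress
import re

# Relay metadata copied from the debug output quoted in the thread (two 10/8 hops).
RELAYS_LINE = ("[ ip=10.0.0.19 rdns=mail-gw.thelounge.net helo=mail-gw.thelounge.net "
               "by=mail.thelounge.net ident= envfrom= intl=0 id=3hjPzJ6TWVz23 auth= msa=0 ] "
               "[ ip=10.0.0.6 rdns=arrakis.thelounge.net helo=arrakis.thelounge.net "
               "by=mail-gw.thelounge.net ident= envfrom= intl=0 id=3hjPzJ2tkPz1w auth= msa=0 ]")

def parse_relays(line):
    """Turn each bracketed key=value group into a dict, newest hop first."""
    return [dict(tok.partition("=")[::2] for tok in group.split())
            for group in re.findall(r"\[(.*?)\]", line)]

def in_nets(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)

def classify(relays, trusted, internal):
    """Simplified model (assumption, not SA's code): walk hops from the newest
    header down. The trusted chain ends at the first IP outside trusted_networks,
    the internal chain at the first IP outside internal_networks. lastexternal is
    the hop right before the first internal relay, so it needs an internal relay
    that recorded it and an external hop to record."""
    trusted_r, untrusted_r, internal_r, external_r = [], [], [], []
    in_trusted = in_internal = True
    for r in relays:
        if in_trusted and not in_nets(r["ip"], trusted):
            in_trusted = in_internal = False
        if in_internal and not in_nets(r["ip"], internal):
            in_internal = False
        (trusted_r if in_trusted else untrusted_r).append(r["ip"])
        (internal_r if in_internal else external_r).append(r["ip"])
    return {"trusted": trusted_r, "untrusted": untrusted_r,
            "internal": internal_r, "external": external_r,
            "lastexternal": external_r[0] if internal_r and external_r else None}

RELAYS = parse_relays(RELAYS_LINE)
# 1. 10/8 kept out of *_networks (modelled as empty lists): nothing is trusted,
#    so there is no X-Spam-Relays-Trusted and no last external hop either.
BROKEN = classify(RELAYS, trusted=[], internal=[])
# 2. 10/8 trusted and internal: both hops are internal, and this internally
#    originated sample simply has no external hop to check.
FIXED = classify(RELAYS, trusted=["10.0.0.0/8"], internal=["10.0.0.0/8"])
# 3. Same config, but the MX got the message from a constructed outside host:
#    the MX's Received header is trusted and records the IP a lastexternal rule uses.
FROM_OUTSIDE = classify([RELAYS[0], {"ip": "203.0.113.7", "rdns": "sender.example.net",
                                     "by": "mail-gw.thelounge.net"}],
                        trusted=["10.0.0.0/8"], internal=["10.0.0.0/8"])

if __name__ == "__main__":
    for name, res in (("broken", BROKEN), ("fixed", FIXED), ("from_outside", FROM_OUTSIDE)):
        print(name, res)
```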