>From: Jason Voorhees <jvoorhe...@gmail.com>
>
>Hello guys:
>
>I'm an old spamassassin user but not an experienced one indeed. I have
>a Zimbra server and a dedicated antispam with MailScanner like this:
>
>Zimbra: 192.168.1.25
>Antispam: 192.168.1.5
>
>All incoming and outgoing mail traffic goes through my antispam box.
>
>Well, I have already working DNS based checks like "skip_rbl_checks 0"
>and/or "RDNS_NONE" working fine for external mail servers. However, I
>don't know how to make an exclusion for my internal network
>(192.168.1.0/24).
>
>On my Antispam box this is what I tried to put in
>/etc/mail/spamassassin/MailScanner.cf:
>
>skip_rbl_checks 0
>trusted_networks 127.0.0.1 192.168.1.0/24
>internal_networks 192.168.1.25
>
>I've configured a local named service on my antispam box to make sure
>that 192.168.1.5 and 192.168.1.25 have a correct rDNS configuration
>(in both directions). I even configured local resolution of those IPs
>in /etc/hosts
>
>However, I can see that SpamAssassin is still scoring all my outgoing
>emails like this:
>
>RDNS_NONE 0.97
>RCVD_IN_BRBL_LASTEXT 1.45
>
>How can I effectively avoid these kind of DNS checks for my LAN?
>
>Thanks in advance.

I would need to see the actual headers, sanitized is fine, with the real public IPs to give an accurate answer.

In general, edge mail servers, like your MailScanner server, should have public IPs native on them. If you have it NAT'd then you will need to make sure it's a two-way or dedicated one-to-one NAT so traffic initiated from your server actually shows up as the same IP of the inbound NAT.

I have found a lot of people that don't realize this NAT issue, which will give your mail server two identities, essentially meaning you will never be able to get the FCrDNS to completely match up with the SMTP HELO.

Go to http://whatismyip.com from your MailScanner server and make sure that IP shows up the same as the inbound NAT IP. Then put that IP into http://multirbl.valli.org/ and make sure the top FCrDNS section is green. While you are there, make sure your IP is not listed on RBLs and that the senderscore.org score is above 90.

P.S. trusted_networks and internal_networks are very important to set up correctly. trusted_networks usually contains your internal_networks plus other networks one hop away that you want to skip some checks and trust a little more. If you relay for other networks then they should be in the trusted_networks so the last-external checks will work like you want.

Dave
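
The checks described in the reply above (outbound IP equals the inbound NAT IP, PTR exists, PTR resolves forward to the same IP, HELO matches), sketched as an added example that is not part of the original thread. The function names are hypothetical, and the IPs and hostnames are constructed from documentation ranges; the lookup functions are injectable so the logic can be run without DNS.

```python
import socket

def system_ptr(ip):
    """PTR names for ip from the system resolver ([] when there is no rDNS)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name, *aliases]
    except OSError:  # covers socket.herror and socket.gaierror
        return []

def system_fwd(name):
    """A/AAAA addresses for name from the system resolver."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except OSError:
        return []

def norm(name):
    return name.rstrip(".").lower()

def fcrdns_check(outbound_ip, inbound_ip, helo, ptr=system_ptr, fwd=system_fwd):
    """Return {problem_code: detail}; an empty dict means every check passed."""
    problems = {}
    if outbound_ip != inbound_ip:  # the "two identities" NAT case
        problems["nat-mismatch"] = f"leaves as {outbound_ip}, arrives at {inbound_ip}"
    names = [norm(n) for n in ptr(outbound_ip)]
    confirmed = [n for n in names if outbound_ip in fwd(n)]
    if not names:
        problems["no-ptr"] = f"{outbound_ip} has no rDNS"
    elif not confirmed:
        problems["not-forward-confirmed"] = f"{names} do not resolve to {outbound_ip}"
    elif norm(helo) not in confirmed:
        problems["helo-mismatch"] = f"HELO {helo} is not one of {confirmed}"
    return problems

# Constructed sample DNS data (documentation address ranges, not real hosts).
SAMPLE_PTR = {"192.0.2.10": ["mail.example.com."],
              "192.0.2.77": ["nat-pool.example.net."],
              "192.0.2.50": ["other.example.org."]}
SAMPLE_A = {"mail.example.com": ["192.0.2.10"],
            "nat-pool.example.net": ["192.0.2.77"],
            "other.example.org": ["203.0.113.5"]}

def sample_ptr(ip):
    return SAMPLE_PTR.get(ip, [])

def sample_fwd(name):
    return SAMPLE_A.get(name, [])

if __name__ == "__main__":
    # Server behind a shared NAT pool: outbound identity differs from the MX address.
    print(fcrdns_check("192.0.2.77", "192.0.2.10", "mail.example.com", sample_ptr, sample_fwd))
```

Called without the last two arguments, `fcrdns_check` uses the system resolver, so it should be run from the mail server itself with the public IPs observed for outbound and inbound traffic.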