On 8/12/11 8:49 AM, Mark Martinec wrote:
Jo,
If I get on a random cafe's wireless network, the local hosts might be in
192.168.1.0/24. Should I allow them to relay mail? Should I allow their
outbound mail to bypass spam check? Absolutely not, I'm sure you would
agree.
maybe not amavisd.. in fact, any connection to amavis from 169* would be
strange... unless your laptop also did not get a good ip and pulled a
169* address.
in SA default 'local.cf' I think they have internal_networks 192.168/16
10/8 172.16/12. might need 169.254/16.
this doesn't give the internal network the right to relay, and, most
installs will override internal_* and trusted* with their outbound mail
server ip's, and you still have to set the mynets up in amavisd to
include/not include 169*.
but, given this discussion, I think I'll post a bugzilla to SA.
internal_networks don't trigger DCC, PYZOR, RAZOR, SPF or RBL checks.
It is exactly the same argument why one can and should safely
include the 127.0.0.0/8 in the trusted_networks list. The same
applies to private address ranges and link-local address space.
I think SA from (3.2* onward include 127.0.0.0/8 by default?) if you put
it in yourself, you get a lint warning:
without 127 in local.cf:
su - vscan -c 'spamassassin --lint'
(no lint errors)
echo 'internal_networks 127/8' >> local.cf
(or trusted_networks, doesn't matter)
su - vscan -c 'spamassassin --lint'
Aug 12 14:06:00.917 [8635] warn: netset: cannot include 127.0.0.0/8 as
it has already been included
so, question begs: I think this is in default local.cf:
grep networks local.cf
internal_networks 192.168/16 172.16/12 10/8
should SA add 169.254/8 by default for completeness?
Mark
--
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
SECNAP Network Security Corporation
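
Added example (not part of the original message and not SpamAssassin's own code): a simplified Python model of the internal_networks list discussed above. It expands the shorthand notation (192.168/16, 10/8), reports an already-included range, and shows that a 169.254.x.x host is not covered by the quoted list. The function names, the pre-included 127/8 entry (inferred from the lint warning) and the sample addresses are assumptions.

```python
import ipaddress

# Assumption: 127.0.0.0/8 is pre-included, as the lint warning in the message suggests.
BUILTIN = ["127/8"]
# The internal_networks line quoted in the message.
QUOTED_LOCAL_CF = ["internal_networks 192.168/16 172.16/12 10/8"]


def expand(short):
    """Turn shorthand such as '192.168/16' into an IPv4 network object."""
    addr, _, bits = short.partition("/")
    octets = [o for o in addr.split(".") if o]
    if not bits:
        if len(octets) != 4:
            raise ValueError(f"no mask given for partial address {short!r}")
        bits = "32"
    octets += ["0"] * (4 - len(octets))  # pad '10' -> '10.0.0.0'
    return ipaddress.ip_network(".".join(octets) + "/" + bits, strict=False)


def build_netset(config_lines, key="internal_networks"):
    """Collect the networks for one config key; return (networks, warnings)."""
    nets = [expand(n) for n in BUILTIN]
    warnings = []
    for line in config_lines:
        fields = line.split("#", 1)[0].split()  # drop trailing comments
        if not fields or fields[0] != key:
            continue
        for short in fields[1:]:
            net = expand(short)
            if any(net.subnet_of(seen) for seen in nets):
                warnings.append(f"{net} already included")
            else:
                nets.append(net)
    return nets, warnings


def is_internal(ip, nets):
    """True if the address falls inside any configured network."""
    return any(ipaddress.ip_address(ip) in n for n in nets)


if __name__ == "__main__":
    nets, _ = build_netset(QUOTED_LOCAL_CF)
    for ip in ("192.168.1.20", "172.31.0.1", "169.254.10.7"):  # constructed samples
        print(ip, "internal" if is_internal(ip, nets) else "NOT internal")
    extra = QUOTED_LOCAL_CF + ["internal_networks 127/8 169.254/16"]
    print(build_netset(extra)[1])
```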