Chris Thielen wrote:
> Jens Benecke said:
>> Chris Santerre wrote:
>>
>>> Why would you want to receive email from dialup IPs??
>>
>> Because otherwise my users would complain. They have dialup IPs. Doh.
>>
>> And because I want to be able to receive mail which went DUL -> ISP1 ->
>> ISP2 -> my server. This currently gets scored by SA which (IMHO) is
>> wrong.
>
> Pardon my ignorance, but isn't the scenario above exactly the same as a
> "typical" mail transaction?

Yes. And if the first IP is listed as an open relay, it gets tagged as SPAM. Even if the user that has the IP is no open relay, but a _different_ user that _had_ the (dynamic) IP a couple weeks ago _was_. That is my problem. It can only be fixed (IMHO) by separating open relay lists on dynamic and static IPs.

> From what I understand, SMTP AUTH can be used
> to allow users to send mail through your server from outside your server's
> configured "trusted" netblocks.

Yes. And because my "trusted" block consists only of 127.0.0.1, everyone *has* to use SMTP AUTH or he can't relay.

> However, since your trusted netblock
> configuration are not visible to the outside world wouldn't an
> authenticated Received list look exactly like a "non-authenticated but
> inside the trusted block" Received list?

No. qmail actually puts "Received ..... by ([EMAIL PROTECTED])" in the headers if it was authenticated. And all my usernames have a "[EMAIL PROTECTED]" structure, where "domain" is one of the couple hundred domains I host. So I have "Received ... by ([EMAIL PROTECTED]@kiste.hitchhikers.de)" in the headers and that's what I currently look for.

It's weak, I know. But otherwise my users would get punished for using dynamic IPs, by _my_ spamassassin. (This problem is unrelated to the one I talked about above, btw). And I don't know how to differentiate between known SMTP AUTH users using dialup IPs and unknown SMTP users sending via dialup IPs - yet.

>> Unfortunately, qmail doesn't really mark the usage of SMTP AUTH in the

actually, it does (see above) but weakly.

> Additionally, even if qmail did indicate that the transaction was via SMTP
> AUTH, SpamAssassin really couldn't trust that information in the Received
> line. A spammer could simply inject a fake Received line with the AUTH
> markup. SA really can't trust any headers other than those that the end
> MTA (or any configured trusted servers) have added, right?

Yup.
I need a way to find whether my header is the _first_ Received: header. But then I'd punish people who have their SMTP local server configured to relay via mine (which can be perfectly legitimate if they have an account).

--
Jens Benecke (jens at spamfreemail.de)
http://www.hitchhikers.de - Europe-wide free ride-sharing service
http://www.spamfreemail.de - 100% clean mailboxes - guaranteed!
http://www.rb-hosting.de - PHP from 9? - SSH from 19? - cheap traffic
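
The header-trust point discussed in this thread, as an added example that is not part of the original message and is not qmail's or SpamAssassin's own code: only the topmost Received header, assumed to be the one the receiving MTA itself wrote, is checked for the AUTH marker, so a marker in any lower header is ignored while a user relaying through their own local server still passes. The hostname `mx.example.net`, the login `alice@example.org` and the marker layout are constructed assumptions, not the real qmail format.

```python
import email
import re

MY_MTA = "mx.example.net"            # assumption: name our own MTA stamps after "by"
KNOWN_USERS = {"alice@example.org"}  # assumption: SMTP AUTH logins hosted here

# Assumed (constructed) marker layout: "(login@MY_MTA) by MY_MTA with ..."
AUTH_RE = re.compile(
    r"\((?P<login>[^()\s@]+@[^()\s@]+)@" + re.escape(MY_MTA)
    + r"\)\s+by\s+" + re.escape(MY_MTA) + r"\s+with\s", re.I)

def authenticated_login(raw_message):
    """Return the SMTP AUTH login recorded by our own MTA, else None."""
    received = email.message_from_string(raw_message).get_all("Received", [])
    if not received:
        return None
    # The header added last sits on top; everything below it was supplied
    # by the sending side and may be forged.
    top = " ".join(received[0].split())  # unfold continuation lines
    match = AUTH_RE.search(top)
    if match and match.group("login").lower() in KNOWN_USERS:
        return match.group("login").lower()
    return None

# Constructed sample headers
OURS_AUTH = ("Received: from dialup.example.com (HELO pc) "
             "(alice@example.org@mx.example.net) by mx.example.net with SMTP; "
             "Mon, 1 Jan 2024 10:00:00 +0000\n")
OURS_PLAIN = ("Received: from dialup.example.com (HELO pc) "
              "by mx.example.net with SMTP; Mon, 1 Jan 2024 10:00:00 +0000\n")
LOCAL_HOP = ("Received: from laptop by home.example.org with SMTP; "
             "Mon, 1 Jan 2024 09:59:00 +0000\n")
BODY = "Subject: test\n\nhello\n"

DIRECT = OURS_AUTH + BODY               # authenticated dialup user
VIA_LOCAL = OURS_AUTH + LOCAL_HOP + BODY  # user's local server relays via ours
FORGED = OURS_PLAIN + OURS_AUTH + BODY  # marker only in a sender-supplied header

if __name__ == "__main__":
    for name, msg in (("direct", DIRECT), ("via local", VIA_LOCAL), ("forged", FORGED)):
        print(name, "->", authenticated_login(msg))
```

This relies on the filter running on the receiving MTA's host, so that the first Received header in the message really is the one that host added.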
