I thought SA only uses these tags if the message was sent directly from the dialup IP to the receiver's mailserver, right?
What could have gone wrong?
Suggestion: the SpamAssassin machine might need it's trusted networks manualy set. If SA fails to figure this out, it will default to checking every header for dialup IPs.
add a trusted_networks statement to your local.cf... add the IP address of your own mailserver to it... not the smarthost, but your own mailserver, usually the same box that SA itself is running on.
ie: xanadu.evi-inc.com has:
trusted_networks 208.39.141.94/32
(Ok, technically it does not have that exact statement, as xanadu is NATed, but it has the NAT-mapped IP that everyone else in the world sees as being 208.39.141.94. For the sake of DNS verifiability for everyone outside EVI, that is the config line in use....)
I will repeat myself that this has absolutely nothing to do with trusting any machines outside your network. People very often mistake what I'm saying here and claim I'm telling them to trust the smarthost. It's not about trusting the sending server, or any intermediate relays, it's about trusting YOUR own server.
I've also heard rumors that the documentation doesn't match the code. The docs claim you can truncate IPs but I've had at least one person report that trusted_networks didn't work until the put in the whole IP with CIDR mask. (ie: 192.168/16 did not work, 192.168.0.0/16 did, which is contrary to the man page)
