Hi Matt,

> And sorry for my long pause.. I was off-site Monday, and yesterday I was
> playing catch-up. Urgh.

Yep, I know what that feels like. :-(

> > All incoming mails from outside are piped through SA and local.cf contains
> > the IPs of all these servers like so:
> >
> > trusted_networks host1.xx.yy.zz host2.xx.yy.zz host3.xx.yy.zz ...
>
> "host1.xx.yy.zz"... I do hope that's an IP address, and not a hostname.. Is
> it?

Sure, just IPs. Sorry I put the examples that way.

> Now.. let's give a symbolic name to your smarthosts running SA.. let's call
> them "saserver1" "saserver2" etc..
>
> Using that syntax.. does trusted_networks on "saserver1" contain
> "saserver1"?

Yes, and the IPs of all our other servers. But I'll have to change that, too, because yesterday I discovered a new problem. The situation is like so:

Let's call my servers dpt1-server1, dpt1-server2, ... dpt1-server10 and dpt2-server1, dpt2-server2, ... dpt2-server10. They belong to two different departments of my company, hosting many different domains. They are running the exact same software and usually trust each other. So far I have written all their IPs in trusted_networks of all of them.

But now when a user [EMAIL PROTECTED] sends mail to a user [EMAIL PROTECTED] (from a dialup via SMTP-AUTH and a dpt2-server as smarthost), the dpt2-server has to relay the mail to a dpt1-server, and there SA marks the mail with RCVD_IN_DYNABLOCK etc. because SA's reasoning seems to be:

- I trust dpt1-server (myself)
- I trust dpt2-server
- next hop after dpt2-server is a dialup IP, so mark it

So I guess I'll remove all servers from the other departments, which would then make SA think like this:

- I trust dpt1-server (myself)
- I don't trust dpt2-server, so check it against blacklists (hopefully without results :-)
- next hop after dpt2-server is a dialup IP, but don't mark it because I already tested the (untrusted) dpt2-server

Am I correct? Is this the recommended way to do it? But the disadvantage is then that all servers from the other department are being looked up in the blacklists, which doesn't make sense. :-(

BTW, this is related to the (known) problem which happens every time the smarthosts call SA for mails received from our dialup users. We are thinking about having our mailserver add an extra header line that tells SA that the user authenticated properly and have SA score this line with a negative score. But then how do I teach SA to just trust our own received-via-SMTP-AUTH lines and not fake ones? Hm...

> First, when attempting to determine the trust path. SA fails to find any
> trusted hosts in the Received headers. This means the number of trusted
> headers is 0.

Does SA normally assume its own host is trusted? Or why do we have to explicitly add the host which is running SA?

> Hopefully I can help out.

Thank you very much for your help!

Andy.

PS: No need to CC me. I read the lists where I post. :-)

-- 
Year, n.: A period of three hundred and sixty-five disappointments.
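As an added illustration (not code from this thread or from SpamAssassin itself), a small Python model of the trust-path walk the discussion is about: Received headers are read from the top and trust ends at the first relay whose IP is not inside trusted_networks, so everything from that relay onward is "untrusted". The two-hop chain, the department ranges and the addresses are constructed to mirror the dpt2-server to dpt1-server relay described above.

```python
import ipaddress
import re

# Constructed Received headers, most recent hop first as in a real message.
# The addresses are documentation ranges standing in for a dpt2 server and a
# dialup host; they are not the poster's real addresses.
RECEIVED = [
    "from dpt2-server1 ([192.0.2.20]) by dpt1-server1 with ESMTP",
    "from dialup-pool-7 ([198.51.100.7]) by dpt2-server1 with ESMTPA",
]

# Assumed department ranges for the example: dpt1 and dpt2 each get a /28.
DPT1_NET = "192.0.2.0/28"
DPT2_NET = "192.0.2.16/28"

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_ips(received):
    """Return the connecting IP of each Received header, top to bottom."""
    return [ipaddress.ip_address(IP_RE.search(line).group(1)) for line in received]


def trust_path(received, trusted_networks):
    """Simplified model of the trust-path walk (not SpamAssassin's own code):
    relays are trusted while their IP is inside trusted_networks; the first
    relay outside it ends the trusted prefix and every later hop is untrusted."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    trusted, untrusted = [], []
    for ip in relay_ips(received):
        if not untrusted and any(ip in net for net in nets):
            trusted.append(str(ip))
        else:
            untrusted.append(str(ip))
    return trusted, untrusted


if __name__ == "__main__":
    # The three configurations discussed: both departments listed, only the
    # local department listed, and no trusted_networks at all (0 trusted hops).
    for label, nets in [
        ("both departments trusted", [DPT1_NET, DPT2_NET]),
        ("only own department trusted", [DPT1_NET]),
        ("trusted_networks empty", []),
    ]:
        trusted, untrusted = trust_path(RECEIVED, nets)
        print(f"{label}: trusted={trusted} untrusted={untrusted}")
```

With both departments trusted the dialup hop is the first untrusted relay; with only the local department trusted the dpt2 server becomes the first untrusted relay, which is the change described in the message.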