> It looks like it might be a trust path issue.. are the brandeis.edu hosts trusted? If so, SA would be correct in deciding a dynamic node from attbi.com dropped mail off directly.
Nope, they're not - I had no trusted_networks or internal_networks defined.
Just because you have no trusted_networks defined does not mean a host isn't trusted... if you don't define a trusted_networks, SA tries to guess...
> What do the *.home.jay.fm hosts resolve as when the machine running SA does a DNS lookup? Are they reserved IPs? If so, you'll have trust path issues and need to manually define trusted_networks.
Yep, they're 192.168/16. According to the man page for Mail::SpamAssassin::Conf, that should be automatically trusted due to the DNS checks... is that not correct?
Yes, but this is where the problem comes.. they'll be trusted... AND the first non-reserved IP will also be trusted.
Therefore, SA is going to trust blanca.unet.brandeis.edu by default.
SA's auto-detect assumption is that the external MX must have a real-world IP. This is true in some networks, false in others. However, this algorithm is pretty much the best-case guess SA can make. Under-trust and over-trust are each just as bad as the other, so to make it only trust the non-reserved IPs would break networks which have NATed internal servers and non-NATed external servers. Trusting reserved plus one (the way it is now) breaks networks which are entirely NATed.
I'll try setting it manually.
This is a good idea, as SA's autodetect is not going to work for your network.
Another symptom of the trust path bug is that ALL_TRUSTED winds up firing off for spam, which should never happen.
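
The "reserved plus one" guess discussed in this thread, as an added example (a simplified model, not SpamAssassin's own code and not from either poster). It compares the guess with an explicit 192.168/16 trust list on two constructed relay chains; every hostname except blanca.unet.brandeis.edu and every IP address is made up.

```python
import ipaddress

# Reserved ranges for this model: RFC 1918 private space plus loopback.
RESERVED = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def in_any(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)

def guess_trusted(chain):
    """Model of the guess described in the thread: trust every leading
    reserved-IP hop, then also the first non-reserved hop, then stop."""
    trusted = []
    for host, ip in chain:
        trusted.append(host)
        if not in_any(ip, RESERVED):
            break
    return trusted

def explicit_trusted(chain, trusted_networks):
    """Trust leading hops only while their IP is in an explicit list."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    trusted = []
    for host, ip in chain:
        if not in_any(ip, nets):
            break
        trusted.append(host)
    return trusted

def handoff_relay(chain, trusted):
    """First untrusted hop: the relay treated as having handed the mail to the
    trusted network. None means every hop was trusted (the ALL_TRUSTED case)."""
    return chain[len(trusted)][0] if len(trusted) < len(chain) else None

# Constructed relay chains, newest Received hop first.
FORWARDED = [("gw.home.jay.fm", "192.168.1.2"),            # NATed internal host
             ("blanca.unet.brandeis.edu", "192.0.2.25"),   # real external relay
             ("dynamic-node.attbi.com", "198.51.100.77")]  # sender's dynamic IP
DIRECT_SPAM = [("gw.home.jay.fm", "192.168.1.2"),
               ("spam-source.example", "203.0.113.9")]

if __name__ == "__main__":
    for name, chain in (("forwarded", FORWARDED), ("direct spam", DIRECT_SPAM)):
        print(name, "guess   ->", handoff_relay(chain, guess_trusted(chain)))
        print(name, "explicit->", handoff_relay(
            chain, explicit_trusted(chain, ["192.168.0.0/16"])))
```

With the guess, the forwarded message appears to have been handed over by the attbi.com node, and the direct spam has no untrusted hop at all; with the explicit list, the hand-off relay is the real external host in both cases.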
