On 06/16/2018 09:37 AM, Matus UHLAR - fantomas wrote:
On 06/15/2018 05:44 PM, J Doe wrote:
    Jun 15 18:39:23.422 [8422] dbg: config: trusted_networks are not configured; it is recommended that you configure trusted_networks manually

My question is:

- Should I manually set trusted_networks to have the IP address of the host it is running on and ignore the warning from --lint, or …
- Should I not set trusted_networks and ignore the warning from --debug?

On 16.06.18 06:33, David Jones wrote:
internal_networks should be any RFC 1918 networks that your mail server sees plus any public networks that are in your control.

No. Only servers that deliver mail to you, such as your MX servers or other mail servers directly within your organization, should be in internal_networks.


That is basically the same thing worded a little differently. If you have an internal mail relay and your SA server has a private IP on it, then that will be an RFC 1918 IP or range in your internal_networks.

If your SA servers only have public IPs on them, then you won't have any RFC 1918 IPs in the internal_networks but you may have 127.0.0.1 and fe80::/10 for locally generated email plus any public ranges that smarthost to you.

In my case, I have many customers set up to smarthost to smtp.ena.net, so I have many large CIDRs in my Postfix mynetworks and SA internal_networks.

This can be very different for each use case and probably deserves a drawing to explain it better. Seems like I have seen a graphic or something that shows the logic behind this setting.

Mail with all Received headers of IPs within the internal_networks will hit the ALL_TRUSTED rule.

trusted_networks should be internal_networks plus any external networks that you trust to not send spam -- in other words they are known to have their own outbound mail filtering.  This will tell SA to go back one more Received: header to test for "last_external" checks and RBL checks.

Not external networks. Only external mail servers you trust not to forge e-mail headers. They may send spam but are not the spam sources.


True. That is a better way to put it. I have read that in the SA wiki documentation now that you mention it.

--
David Jones

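The relay classification the thread is describing, as an added illustration that is not SpamAssassin's own parser and not code from any poster: a simplified model that walks the relay IPs of a message's Received: headers from the most recent hop downwards, keeps hops trusted while they stay inside trusted_networks and internal while they stay inside internal_networks, and reports the "last external" relay (the hop that handed the mail to the first internal relay, which is what the lastexternal DNSBL checks look at). The network lists and relay chains are constructed sample values.

```python
from ipaddress import ip_address, ip_network

# Constructed sample configuration (not any poster's real networks):
# loopback and link-local for locally generated mail plus one RFC 1918 range.
INTERNAL_NETWORKS = [ip_network(n) for n in ("127.0.0.1/32", "fe80::/10", "10.0.0.0/8")]
# trusted_networks = internal_networks plus an external relay trusted not to
# forge headers (it may still pass spam on, so it is not internal).
TRUSTED_NETWORKS = INTERNAL_NETWORKS + [ip_network("203.0.113.0/24")]


def in_networks(ip, networks):
    """True if the relay IP lies inside any of the configured networks."""
    addr = ip_address(ip)
    return any(addr in net for net in networks)


def classify_relays(relay_ips):
    """relay_ips: IPs of each Received: hop, most recent (your MX) first.

    Returns (all_trusted, last_external_ip, untrusted_ips). Once a hop falls
    outside trusted_networks, every older hop is untrusted too, because a
    relay that is not trusted could have forged the headers below it.
    """
    in_trusted = in_internal = True
    last_external = None
    untrusted = []
    for ip in relay_ips:
        if in_trusted and not in_networks(ip, TRUSTED_NETWORKS):
            in_trusted = False
        if in_internal and not in_networks(ip, INTERNAL_NETWORKS):
            in_internal = False
            last_external = ip  # first hop outside your own mail infrastructure
        if not in_trusted:
            untrusted.append(ip)
    # Every hop trusted: nothing in the chain is a candidate spam source,
    # which is the situation where SpamAssassin's ALL_TRUSTED rule fires.
    return (not untrusted), last_external, untrusted


if __name__ == "__main__":
    # locally generated mail that only touched internal hosts
    print(classify_relays(["10.0.0.5", "127.0.0.1"]))
    # mail arriving via the trusted external relay from an unknown sender
    print(classify_relays(["10.0.0.5", "203.0.113.7", "198.51.100.9"]))
```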