On 31 Aug 2018, at 4:53, Matus UHLAR - fantomas wrote:
Note that I list internal clients as trusted, not as internal.
Maybe this is the problem.
Yes, maybe...
Long time ago I learned to configure dynamic IP addresses (dialups) as
trusted, but not as internal.
They probably should be neither.
In this case, clients are internal, not dialup, but I still think they
should not be listed in internal_networks (as I don't trust them not
to
spoof anything).
If you do not trust them not to spoof anything, they absolutely must not
be in trusted_networks.
It seems to me that you have a technical & management arrangement
unsuited to the SpamAssassin
trusted_networks/internal_networks/msa_networks logical model. My
recommendation would NOT be to modify stock rules that are constructed
with that logical model as a base assumption, but rather to create your
own mitigating rules to handle the fact that you seem to want to always
accept mail from certain internal clients which are nameless,
untrustworthy, and sources of mail with features that in the world at
large mostly correlate to spam.
