RW wrote:
On Thu, 19 Dec 2019 18:01:37 +0200
Henrik K wrote:

But if one wanted to check the forwarders after hermes.apache.org
properly, it would make more sense to add it in internal_networks,
since practically it acts as the outer MX for you.  That would enable
proper blacklist checks too.

Mostly that's the best thing to do, but there can be cases where it's
not possible to distinguish between an MX handover and submission into
the third-party network. In that case it may be better to avoid the
risk of running last-external checks on mail clients.

I take a more restrictive interpretation of the SA trust path settings.

- msa_networks is our mail servers that accept mail submissions from our customers.
- internal_networks adds the rest of our core mail-handling servers - note, not all of our servers!
- trusted_networks adds the rest of our core server network and a splattering of third party mail hosting systems that our customers have domain mail with, forwarded to their ISP mailbox with us. I've also included a couple of outbound-filtering mail clusters, so that DNSBL checks look at the actual sender's mail system, not the filtering platform.

The domain-forwarder IP list is hardly exhaustive; just IPs for those customers who have reported FPs or FNs to us and I've seen enough samples to spot the forwarder.

It's been working well for us, and I can use -lastexternal or -firsttrusted to tweak the semantics of which relay handover a DNSBL lookup inspects.

Adding too many systems to trusted_networks means you end up checking a lot of end-user mail-submitting IPs on things like the Spamhaus PBL.

Aside from the outbound-filtering platforms, the relationship I feel should be targeted with the trust path settings is where the sender's mail system hands the message over to the primary recipient's system. So adding the Apache listserv is wrong, because messages sent through the list are sent to *the list*, and then from the list *to each of us*.

(All that said, I happen to skip SA entirely for this and most other lists, with procmail recipes that file listmail in the appropriate folder based on List-Id or some other suitable header, ahead of the procmail recipe that calls SA.)

-kgd
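The trade-off discussed in this thread (which relay a -lastexternal or -firsttrusted DNSBL lookup ends up inspecting, depending on what you put in trusted_networks and msa_networks) is easier to see with a small model of the trust-path walk. The following Python is an added example, not SpamAssassin's own code and not anything posted in the thread; it is a simplified model of how SA walks the Received chain, the relay IPs and network ranges are constructed from the RFC 5737 documentation blocks, and Received-header parsing is left out (the hop IPs are passed in directly, most recent hop first, as they appear top-down in the headers).

```python
"""Simplified model of SpamAssassin's trust-path walk (added example, not SA code).

SA reads Received headers top-down, i.e. from the hop nearest to us outwards.
Each hop contributes the IP of the relay that handed the message over.
Hops inside trusted_networks are trusted; the first hop outside them is the
"last external" relay, and the trusted hop adjacent to it (chronologically the
first trusted relay) is the "first trusted" relay. Once an msa_networks relay
is met, the remaining hops are the submitting client and are treated as
trusted as well, so no external relay is found and no -lastexternal DNSBL
check fires on a customer's mail client.
"""
import ipaddress


def _in_any(ip, networks):
    """True if ip falls inside any of the given ip_network objects."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def walk_trust_path(relay_ips, trusted_networks, msa_networks=()):
    """Return the first-trusted and last-external relay IPs for one message.

    relay_ips        -- IPs of the handing-over relays, most recent hop first
    trusted_networks -- CIDR strings, the trusted_networks setting
    msa_networks     -- CIDR strings, the msa_networks setting (SA requires
                        these to be in trusted_networks too; the model treats
                        an MSA hit as trusted regardless)
    """
    trusted = [ipaddress.ip_network(n, strict=False) for n in trusted_networks]
    msa = [ipaddress.ip_network(n, strict=False) for n in msa_networks]
    first_trusted = None
    for ip in relay_ips:
        is_msa = _in_any(ip, msa)
        if is_msa or _in_any(ip, trusted):
            first_trusted = ip
            if is_msa:
                break  # everything beyond an MSA is the submitting client
            continue
        return {"first_trusted": first_trusted, "last_external": ip}
    return {"first_trusted": first_trusted, "last_external": None}


def dnsbl_target(relay_ips, trusted_networks, msa_networks=(), mode="lastexternal"):
    """IP a check_rbl set with the -lastexternal or -firsttrusted suffix would query."""
    path = walk_trust_path(relay_ips, trusted_networks, msa_networks)
    if mode == "lastexternal":
        return path["last_external"]
    if mode == "firsttrusted":
        return path["first_trusted"]
    raise ValueError("mode must be 'lastexternal' or 'firsttrusted'")


# Constructed scenarios (RFC 5737 documentation addresses, not real hosts).
OUR_NETS = ["192.0.2.0/24"]          # our own MX/hub servers
FORWARDER = "203.0.113.10"           # third-party host forwarding a customer's domain
SENDER = "198.51.100.77"             # the outside sender's mail system
OUR_MSA = "192.0.2.25"               # our submission server
CLIENT = "198.51.100.200"            # a customer's mail client on a dynamic IP


def demo():
    """Run the four cases from the thread and return them keyed by description."""
    forwarded = [FORWARDER, SENDER]  # sender -> forwarder -> our MX
    submitted = [OUR_MSA, CLIENT]    # client -> our MSA -> our hub
    return {
        "forwarder untrusted: DNSBL sees the forwarder":
            walk_trust_path(forwarded, OUR_NETS),
        "forwarder trusted: DNSBL sees the real sender":
            walk_trust_path(forwarded, OUR_NETS + [FORWARDER]),
        "MSA only trusted: client IP hits PBL-style lists":
            walk_trust_path(submitted, OUR_NETS),
        "MSA in msa_networks: no external relay, client skipped":
            walk_trust_path(submitted, OUR_NETS, [OUR_MSA]),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The two forwarder cases reproduce the point about adding a domain forwarder to trusted_networks: without it the lookup targets the forwarder's IP, with it the lookup targets the sender that handed mail to the forwarder. The two submission cases show why msa_networks exists: a submission server that is merely trusted leaves the customer's dynamic client IP as the last external relay, which is exactly the PBL-style hit the thread warns about.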
