On 19 Apr 2021, at 14:57, RW wrote:

On Mon, 19 Apr 2021 13:46:57 -0400
Bill Cole wrote:

On 19 Apr 2021, at 13:26, RW wrote:

I'm not 100% sure, but I think localhost, unlike private addresses,
is always internal/trusted.

I don't think that is relevant to the original message at hand or to
what I'm trying to match, which is the absence of any external
relays. As far as I can tell, it is impossible to make SA mark an
internal relay as external without there being an actual external
source.


See

https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7590

Which describes the inverse problem: submission from an external source being treated as internal because a (presumably) trusted internal machine says that it is authenticated. I see that problem (although I have not tested it) but don't immediately know what the proper behavior is, as I've not tested the apparent weaknesses against possible legitimate structures like authenticated smarthost & forwarding.

It's clear to me that excluding the original message (given as an example by the OP in a side-branch of this thread) from DMARC verification could be done with an ALL_INTERNAL, regardless of the behavior in Bug 7590, because it originated at an internal IP.

--
Bill Cole
[email protected] or [email protected]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
