On 09/12/2005 5:30 PM, Matt Kettler wrote:
> Daryl C. W. O'Shea wrote:
>
>> Mail to internal users (from roaming users) isn't the problem though.
>> It's mail to external sites that see that my smart host is the second
>> "public IP hop" and look it up in DUL.  Since my telco continues to
>> refuse to change my generic rDNS, my static IP has been listed in
>> SORBS-DUL and any of our mail not sent from the internal network gets
>> hit by SpamAssassin.
>
> Yeah, that falls under the "multi-hop behind a dynamic IP with legitimate
> relaying through a non-dynamic server" case.
>
> Really I think the use of notfirsthop in DUL testing is just plain broken. SA
> should only be checking the host that drops off to your MX against the DULs. It
> shouldn't be backtracking further.

Agreed. I should have some rules in my sandbox tonight/tomorrow to see what would happen if -firstuntrusted was used.

I don't think people should be trusting other networks like the code comments suggest... it opens up too many other problems, such as now the sender (usually) didn't pass through an external relay and will now be subject to DUL checks. So that whole "we don't know who we're trusting" issue should be a non-issue IMHO.

> The current "external, nonprivate, notfirsthop" deals with most common FP cases,
> such as the "no private" fixes the "NATed co-op" case of:
>
>  private IP -> public (dyn) -> ISP -> Recipient MX -> SA.
>
> but it is still broken for the case of:
>
>  public IP -> public (dyn) -> ISP -> Recipient MX -> SA.
>
> Which is rare, but does exist.

Yeah, probably the only people who are doing it are those running a personal mail server on their cable/dsl line and smart hosting to their ISP. I actually do that for my personal mail just so I can use IMAP.

I think there are a lot of people affected by this that fall under the "wrongly listed in DUL" case though.

> That said, if there's any way of doing so, I'd
> ditch your ISP ASAP. Since they can't set RDNS entries they are clearly not a
> business grade service, and are only suited to SOHO and home-user operations.

It's not that they can't, it's that I've yet to find 'the' person that can or wants to. It's Bell Canada, the owner of one of the largest IP networks in the world.

I've worked or done work for the other ISPs in town and would have no problem with them if they could provide service but they can't.
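To make the hop-selection argument above concrete, here is an added illustration (not code from the thread or from SpamAssassin itself) that walks the two relay chains Matt lists through a simplified model of the "external, nonprivate, notfirsthop" set and of a "firstuntrusted" alternative. The trusted network, the DUL entry and all hop addresses are constructed; "private" is modelled as RFC 1918 only, and the order in which SA applies its filters is an assumption based on the description in the thread.

```python
import ipaddress

# Assumed trusted_networks: the recipient's MX / SpamAssassin host.
TRUSTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
# RFC 1918 ranges stand in for SA's notion of a "private" hop.
PRIVATE_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed DUL entry: the dynamic cable/DSL address (or a wrongly listed static one).
DUL_LISTED = {"203.0.113.5"}

# Constructed Received chains, ordered from the originating client to the recipient MX.
# "NATed co-op":  private IP -> public (dyn) -> ISP -> Recipient MX
NATED_COOP = ["192.168.1.10", "203.0.113.5", "198.51.100.25", "192.0.2.10"]
# Personal server smart-hosting via its ISP:  public IP -> public (dyn) -> ISP -> Recipient MX
PUBLIC_SMARTHOST = ["203.0.113.77", "203.0.113.5", "198.51.100.25", "192.0.2.10"]


def in_any(ip, networks):
    return any(ipaddress.ip_address(ip) in net for net in networks)


def hops_to_check(chain, policy):
    """Return the hop IPs a DUL lookup would query under the given policy.

    "notfirsthop":    drop trusted hops, drop private hops, then skip the first
                      remaining (originating) hop and query everything else.
    "firstuntrusted": query only the untrusted host that handed the mail to the
                      trusted boundary, i.e. the last untrusted hop in the chain.
    """
    untrusted = [ip for ip in chain if not in_any(ip, TRUSTED_NETWORKS)]
    if policy == "firstuntrusted":
        return untrusted[-1:]
    if policy == "notfirsthop":
        public = [ip for ip in untrusted if not in_any(ip, PRIVATE_NETWORKS)]
        return public[1:]
    raise ValueError(f"unknown policy: {policy}")


def dul_hit(chain, policy):
    """True if any queried hop is on the constructed DUL, i.e. a DUL rule would fire."""
    return any(ip in DUL_LISTED for ip in hops_to_check(chain, policy))


if __name__ == "__main__":
    for name, chain in (("NATed co-op", NATED_COOP), ("public smart-host", PUBLIC_SMARTHOST)):
        for policy in ("notfirsthop", "firstuntrusted"):
            queried = hops_to_check(chain, policy)
            print(f"{name:18} {policy:15} queries {queried} -> hit={dul_hit(chain, policy)}")
```

The NATed co-op chain is clean under both policies, while the public smart-host chain is flagged only under notfirsthop, because the backtrack reaches the dynamic hop that firstuntrusted never looks at.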
