Bowie,

> > it is imperative that MSA hosts are excluded from
> > internal_networks.

> What do you do if SA is running on your MSA host?

I believe this is the only exception to the rule,
because the following probably takes precedence:

  The machine you're scanning on should be internal & trusted
  and should add its own received header before scanning.


Here are some notes (from the ML, docs and bugzilla) I kept for reference
(mostly attributed to Daryl C. W. O'Shea) to remind me of the intricacies:

# Anytime there are trusted relays present there will be at least one internal
# relay. The machine you're scanning on should be internal & trusted and
# should add its own received header before scanning.
#
# trusted_networks should contain "all the trusted hosts"
# and internal_networks should contain "all the trusted hosts
# except for your MSAs".
#
# Specifying internal_networks that aren't also (manually config'd)
# in trusted_networks should be a configuration error.
#
# Internal networks IS NOT all of your IPs though. It cannot include your
# MSA if you don't also include all of your users' IPs.  Since some MTAs
# still don't include auth tokens in their headers, we can't always extend
# the trust path to roaming users who we don't know the IP of.  So, for some
# MTAs, even if you know all of your local dial-pool addresses, and your
# users use SMTP auth, you still can't include your MSA in internal networks.
#
# see also: http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4760

  Mark
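
An added example, not part of the original message or of SpamAssassin: a small Python check that applies the rules in the notes above to a config (internal_networks entries must also be trusted, MSAs must be trusted but not internal, except the MSA that runs SA itself). Assumptions: the function names, sample addresses and MSA list are hypothetical, entries are written as full addresses or CIDR blocks (SpamAssassin's shortened forms are not parsed), and a leading "!" is treated as a first-match exclusion.

```python
import ipaddress

def parse_networks(conf_text, option):
    """Return (excluded, network) pairs for one option, in file order."""
    entries = []
    for line in conf_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields and fields[0] == option:
            for item in fields[1:]:
                net = ipaddress.ip_network(item.lstrip("!"), strict=False)
                entries.append((item.startswith("!"), net))
    return entries

def matches(entries, host):
    """First listed entry containing the host decides; '!' excludes it."""
    addr = ipaddress.ip_address(host)
    for excluded, net in entries:
        if addr.version == net.version and addr in net:
            return not excluded
    return False

def audit(conf_text, msa_hosts, scanner_host=None):
    """Check the rules from the notes; scanner_host is the MSA that runs SA."""
    trusted = parse_networks(conf_text, "trusted_networks")
    internal = parse_networks(conf_text, "internal_networks")
    findings = []
    for excluded, net in internal:
        covered = any(not t_excl and t.version == net.version and net.subnet_of(t)
                      for t_excl, t in trusted)
        if not excluded and not covered:
            findings.append(("internal-not-trusted", str(net)))
    for msa in msa_hosts:
        if not matches(trusted, msa):
            findings.append(("msa-not-trusted", msa))
        if matches(internal, msa) and msa != scanner_host:
            findings.append(("msa-in-internal", msa))
    return findings

# Constructed sample configs (documentation address ranges, not from the post).
BAD = "trusted_networks 192.0.2.0/24\ninternal_networks 192.0.2.0/24 203.0.113.7\n"
GOOD = "trusted_networks 192.0.2.0/24\ninternal_networks !192.0.2.10 192.0.2.0/24\n"
MSA = ["192.0.2.10"]  # hypothetical MSA address

if __name__ == "__main__":
    print(audit(BAD, MSA))    # two findings
    print(audit(GOOD, MSA))   # no findings
```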
