D.J. wrote:
> D.J. wrote:
> > OK, after Googling around for a bit, I may have stumbled on
> > something... specifically this trust path thing.  I had my
> > trusted_networks and internal_networks set as my SMTP's and MX's
> > class C network.  Because of that, is that causing SA to look at the
> > relay beyond the trusted network as the agent to compare the RBL to? 
> > Come to think of it, this didn't appear (or at least wasn't reported
> > to me) before I set those values.  At any rate, I've completely
> > removed the internal_networks value, and changed the trusted values
> > variable to 127.0.0.1.  Eventually this will be behind a NAT machine,
> > so I have to set *something*.  If anyone thinks I'm on the right
> > path, let me know.  I'm also going to continue monitoring for this
> > problem, so if it goes away now, I'll let the list know for
> > posterity's sake.  Thanks!            
> > 
> > 
> > - D.J.
> 
> The problem has indeed ceased since changing the setting.  At first
> it didn't quite make sense to me as to why it was working the way it
> was, but I guess it makes perfect sense if you sit and think about
> it.  A lesson for those who don't know, you never want your MX server
> to be a "trusted server" or you may have rules firing that shouldn't
> ;-)     

That doesn't sound quite right, but it may just be differing terminology.

The mailserver doing the SA checks should have all of its IP addresses
(internal and external) listed in trusted_networks.  Otherwise, it may
do RBL checks against itself, which is obviously not desired behavior
and can cause major problems if it does get listed.

You should also list any other mail servers that accept mail for your
domain.  This includes email gateways and relays under your control.
This can also include your ISP's mailservers, but if you do that, make
sure to specify internal_networks separately and leave the ISP's
servers out of that one.

Also, any server that receives mail from end-users on dialup/DSL/Cable
connections should be listed only in trusted_networks, and not in
internal_networks.

Check the wiki, if you haven't already.  Most of the good stuff is
under the heading "How can I optimize the trusted_networks setting?"
http://wiki.apache.org/spamassassin/TrustPath

Also, keep in mind that you are not trusting these servers not to
forward spam, you are simply trusting them not to put false
information in the mail headers.

-- 
Bowie
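
A simplified model of the trust-path walk discussed in this thread, added here as an illustration; it is not SpamAssassin's code and not part of the original messages. The relay addresses are constructed from documentation ranges, and the function and scenario names are hypothetical.

```python
# Simplified model of how trusted_networks / internal_networks split the
# Received chain; an illustration, not SpamAssassin's implementation.
from ipaddress import ip_address, ip_network

def in_nets(ip, nets):
    return any(ip_address(ip) in ip_network(n) for n in nets)

def classify(relays, trusted, internal):
    """relays: connecting IPs taken from Received headers, newest first.
    Returns (untrusted relays, last external relay)."""
    in_trusted = in_internal = True
    untrusted, external = [], []
    for ip in relays:
        # A header is believed only while every host above it was trusted.
        in_trusted = in_trusted and in_nets(ip, trusted)
        # An internal host must also be a trusted one.
        in_internal = in_internal and in_trusted and in_nets(ip, internal)
        if not in_trusted:
            untrusted.append(ip)      # candidates for DNSBL lookups
        if not in_internal:
            external.append(ip)
    # Dial-up/dynamic list checks look only at the last external relay.
    return untrusted, (external[0] if external else None)

# Constructed chain, newest header first (assumed topology):
RELAYS = [
    "192.0.2.10",     # own MX gateway handing mail to the SA host
    "198.51.100.25",  # server that accepts mail from dial-up/DSL users
    "203.0.113.77",   # end user's dynamic address
]
OWN, MSA = "192.0.2.0/24", "198.51.100.25/32"

def scenarios():
    return {
        # Only loopback trusted: the site's own gateway is looked up.
        "loopback_only": classify(RELAYS, ["127.0.0.1/32"], []),
        # User-facing server also internal: the user's dynamic IP becomes
        # the last external relay and is tested against dial-up lists.
        "msa_internal": classify(RELAYS, [OWN, MSA], [OWN, MSA]),
        # User-facing server trusted but not internal: the server itself
        # is the last external relay, so the user's IP is not.
        "msa_trusted_only": classify(RELAYS, [OWN, MSA], [OWN]),
    }

if __name__ == "__main__":
    for name, (untrusted, last_ext) in scenarios().items():
        print(f"{name:17} untrusted={untrusted} last_external={last_ext}")
```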
