Jo Rhett wrote:
> Matt, I'm tired and my day ended badly yesterday and started badly
> today and I'm in danger of being way too bitchy (probably way past
> that point already) so I'm going to keep it simple and sweet.
Fair enough. I hope my own short-worded nature hasn't come across too
harshly. (A lot of folks tend to get the impression I'm trying to make
them feel stupid.. I'm really not. I'm just kinda short with my words
sometimes.)  Any adamance on my part is just me trying to
semi-forcefully help. I'm not trying to brow-beat.

>
> 1. Assuming that the Received headers are sane ... isn't.
True, but assuming your own received headers are sane, is. I mean, if
you can't trust yourself to add a valid Received header...
>
> 2. Decrementing the spam score is not failing gracefully.
True. But the primary issue is that SA can't detect this as a failure.
The input you've given it is valid for a different kind of network. SA
is operating properly assuming that common, ordinary network configuration.
>
> 3. And just because someone is using pig bladders to communicate with
> SpamD somewhere, someplace, doesn't mean that it's a *normal* config. 
> If autodetection works great for the one user communicating with pig
> bladders but fails miserably for out of the box linux/freebsd
> installs, then I think you've missed your target audience.
I hate to say it, but those examples ARE a normal config, not some rare
esoteric expert option involving animal body parts.

It's *really* common to separate spamd from the MTA for anyone that's
got any decent volume of mail. And that's not a few sites.

>
> Autodetection should work out of the box for out of the box installs.
And auto detection DOES work correctly for most out-of-the-box
installs.. AFAIK it works beautifully in MailScanner, procmail,
qmail-scanner, mimedefang, milter-spamc... I can only attest to personal
experience with procmail and MailScanner.

Let's face it, there are thousands upon thousands of SA users out
there.  If this problem was so common that most "out of the box"
installs broke, we'd hear a lot more about it on this list. ALL_TRUSTED
has been around since SA 3.0.0 was released two years ago in September 2004.

AFAIK There's really only 3 cases where autodetection fails:

     1) The hostname in the "by" clause of your outside-most MTA doesn't
resolve to a public IP. (This is the necessary caveat.. can't work for
both cases here)
     2) some admin decided to customize their MTA and created an invalid
Received: format that SA can't parse because it's never been seen
anywhere else in the world before. (my favorite is the Received: with no
"by" clause.. )
     3) There's a missing Received: header.

And none of those are really fixable without breaking another network
configuration that is equally as common as the one that's broken.

Also, you're the first person I've ever heard of with problem 3. Ever.
I've been on this list since 2002 and it's completely new to me. Never
heard of anyone with this problem before. Honestly.

1) is common, because about 1/4 of the installs out there have a NATed
MTA, and about 3/4 don't. But it's not really a fixable case, there's
too little information to disambiguate the two.

2) I've seen before, but is pretty rare.. usually the result of someone
using qmail who went overboard on the customizing.

Also, all three break so many other things in SA, ALL_TRUSTED misfires
are actually a bit of a good indicator flag that things are amiss.
Unfortunately, interpreting that requires detailed knowledge of your
network that SA doesn't have..

> Custom installations, and most especially people creating appliances
> out of this, are managed by Experts who have a clue.
True.. and writing a milter should be an expert task. I'm sorry the
milter you are using is causing you such fits, but I really don't think
it's normal for the average end-user to have to hack up their milters to
make them feed SA properly. Most milters that handle SA already do this
for you, right out of the box.

>
> Make autodetection work out of the box for the clueless people using
> it out of the box.  That's your real target audience.
I'd love to, but the SA project didn't write the milter you're using,
and the problems you're having can't be "fixed" by having SpamAssassin
"detect" the problem without doing something even dumber to someone else.

It's been suggested before that SA should just remove the autodetection
code and force the user to always manually declare trusted_networks and
internal_networks and fail miserably if they don't.  That's about the
only "fix" that works universally, and I'm not entirely against it myself.
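
Added example (not part of the original post and not SpamAssassin's own code): a small Python check that looks at a message's Received headers for the three autodetection failure cases listed above. It assumes the topmost Received header was added by your own outside-most MTA; the function name, the resolve parameter, the hostnames and the addresses are constructed for illustration.

```python
import email
import ipaddress
import re
import socket

# RFC 1918 and loopback ranges: a "by" host resolving here is not a public IP.
NON_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
BY_CLAUSE = re.compile(r"\bby\s+([^\s;()]+)", re.IGNORECASE)

# Constructed sample data: a NATed MTA whose own name resolves to a private IP.
DNS = {"mx.example.com": "203.0.113.10", "mx.internal.example": "10.1.2.3"}
NATED = ("Received: from mail.example.net (mail.example.net [198.51.100.7])\n"
         "\tby mx.internal.example (Postfix) with ESMTP id 4F1A2;\n"
         "\tMon, 2 Oct 2006 10:00:00 -0700\nSubject: test\n\nbody\n")


def check_received(raw_message, resolve=socket.gethostbyname):
    """Return findings matching the three failure cases in the post.

    Assumption: the topmost Received header is the one your own
    outside-most MTA added. `resolve` maps a hostname to an IP string
    (a dict lookup can be passed in to run offline).
    """
    headers = email.message_from_string(raw_message).get_all("Received") or []
    if not headers:
        return ["case 3: no Received header at all"]
    findings = []
    for i, value in enumerate(headers):
        if not BY_CLAUSE.search(value):
            findings.append(f"case 2: Received #{i} has no 'by' clause")
    top = BY_CLAUSE.search(headers[0])
    if top:
        host = top.group(1)
        try:
            addr = ipaddress.ip_address(resolve(host))
        except (OSError, KeyError, ValueError):
            findings.append(f"case 1: 'by' host {host} does not resolve")
        else:
            if any(addr in net for net in NON_PUBLIC):
                findings.append(f"case 1: 'by' host {host} resolves to {addr}")
    return findings


if __name__ == "__main__":
    print(check_received(NATED, DNS.__getitem__))
```

Any finding means autodetection cannot be relied on for that mail path, and trusted_networks and internal_networks need to be declared by hand.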
