On Wed, Jun 25, 2008 at 08:54:20PM -0400, Matt Kettler wrote:
> Benny Pedersen wrote:
>> On Fredag, 20/6 2008, 10:04, Henrik K wrote:
>>
>>> On Fri, Jun 20, 2008 at 12:12:45AM -0400, Matt Kettler wrote:
>>>
>>>> That is correct, SPF checks are applied to the first untrusted host.
>>>>
>>> Matt, you should know better. ;) It's first _external_ host.
>>>
>>
>> and is most of the time also first untrusted ? :)
>>
>> both is imho correct
>>
>
> Generally yes, although there are some odd cases where these differ
> (only happens when you set it this way manually for various not-typical
> network reasons, like those who accept mail from authenticated users on
> dialup IPs.).
>
> It's a fine distinction, but one that does matter to some folks who are
> set up this way. In most cases the two are equal, but that doesn't
> excuse me from confusing the two. I should know better. :)

It should not be a fine distinction. People should take more advantage of them. Now it's too vague with documentation lacking a bit.

Extending trusted_networks beyond internal offers another way to whitelist (ALL_TRUSTED) and reduces lookups (and possible RBL FPs with that). I'm currently converting DNSWL data to trusted_network entries, which works great (needs patches from bugs #5931 #5856).

IMO internal_networks should be the mandatory one to configure. Now it's confusing since the "wider" rule is used and referenced everywhere by default.
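
The distinction discussed in this thread, as an added example that is not part of the original messages and is not SpamAssassin's own code: a simplified model of how a Received chain splits into internal, trusted and untrusted relays, showing that the first external host (where the thread says SPF is checked) and the first untrusted host differ once trusted_networks is wider than internal_networks. The function names, the addresses (documentation ranges) and the assumption that internal_networks is a subset of trusted_networks are all constructed for illustration.

```python
import ipaddress


def _in_nets(ip, nets):
    """True if ip falls inside any of the CIDR strings in nets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)


def boundaries(relays, trusted_networks, internal_networks):
    """relays: IPs taken from Received headers, newest (closest to us) first.

    Simplified model: a relay counts as trusted/internal only while every
    newer hop did too; once the chain breaks, all older hops are outside.
    """
    trusted = internal = True
    first_external = first_untrusted = None
    for ip in relays:
        trusted = trusted and _in_nets(ip, trusted_networks)
        internal = internal and _in_nets(ip, internal_networks)
        if not internal and first_external is None:
            first_external = ip          # the host SPF is checked against
        if not trusted and first_untrusted is None:
            first_untrusted = ip         # where header trust ends
    return {
        "first_external": first_external,
        "first_untrusted": first_untrusted,
        "all_trusted": first_untrusted is None,  # ALL_TRUSTED condition
    }


# Constructed sample data: our own MX, a relay we trust but do not run,
# and an unknown sender.
INTERNAL = ["192.0.2.0/24"]
TRUSTED_WIDE = INTERNAL + ["198.51.100.0/24"]
CHAIN = ["192.0.2.10", "198.51.100.7", "203.0.113.50"]

if __name__ == "__main__":
    print("trusted == internal:", boundaries(CHAIN, INTERNAL, INTERNAL))
    print("trusted is wider:   ", boundaries(CHAIN, TRUSTED_WIDE, INTERNAL))
    print("whitelisted path:   ", boundaries(CHAIN[:2], TRUSTED_WIDE, INTERNAL))
```
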