MrGibbage wrote:
> I have read the help pages for those two settings over and over, and I guess
> I'm just not smart enough.  I can't figure out what I should put for those
> two settings.  Can one of you give me a hand by looking at the headers from
> an email?  I can tell you that my SA installation is on
> "ps11651.dreamhostps.com" and the way I receive email is my email is sent
> to my public email address, "s...@pelorus.org" and I have an auto-forwarder
> which sends the mail to my SA box via email, at
> skip-mor...@psoneonesixfiveone.dreamhostps.com (mangled here).  I never
> receive mail directly to skip-mor...@psoneonesixfiveone.dreamhostps.com.  If
> I did, it would have to be spam because they scraped the address from
> somewhere.  pelorus.org and ps11651.dreamhostps.com are the same box.  All
> the appriver stuff below is done on the sending side of my company's
> exchange server.
> 
> Anyway, maybe I got it, but these two settings seemed too important to get
> wrong, so I just want to be sure.
> 
> #ps11651.dreamhostps.com and pelorus.org
> internal_networks 75.119.219.171
> trusted_networks 75.119.219.171 #I think this is wrong

no, it is not wrong. the documentation says:

        Every entry in "internal_networks" must appear in "trusted_networks";

so whenever you put an internal_network line, you should add the same
line with "trusted" instead of "internal".


> 
> So is the idea that I could add more trusted_networks to the list, sort of
> like a whitelist.  Perhaps adding my work ip addresses below?  Isn't that
> trusted_networks setting above saying "**ALL** mail is trusted to not be
> spam since **ALL** mail comes in on that IP address?  And what about the
> "Received: from homiemail-mx7.g.dreamhost.com
> (balanced.mail.policyd.dreamhost.com [208.97.132.119])"?  I have checked and
> I do receive all mail from one of 208.97.132.*  Should that be on my
> internal_networks?
> [snip]

here, trusted mostly means the relay does not forge Received headers. it
can relay spam, but it is not controlled by spammers (directly or via
trojans/open proxies/...).

to summarise:

for those relays that you trust not to be operated by spammers (directly
or not):
- if they receive mail from "residential/dynamic" IPs (without
authentication), then list them in trusted_networks only
- else, list them in both internal_networks and trusted_networks

If this is too theoretical, consider the practical side: When SA looks
up PBL, SORBS_DUL, ..., it will not look up IPs listed in
internal_networks.

in general, your own relays will be listed in both internal_networks and
trusted_networks. but if you have a forwarder that is not under your
control, and that may be used to relay mail for "residential" IPs, then
you don't want to put it in internal_networks (otherwise, mail from the
residential IPs may be caught by PBL, SORBS_DUL, ... even though it is
relayed via a smarthost, as is generally recommended).
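
The forwarder case described in the reply above, as an added example that is not part of the original thread and not SpamAssassin's own code: a simplified Python model of which relay IP ends up being the one queried against dynamic-IP lists such as PBL. The addresses, the `classify` function and the relay list format are assumptions made for illustration.

```python
import ipaddress

def _nets(entries):
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def _run(relays, nets):
    """Leading unbroken run of relays (newest first) that fall inside nets."""
    run = []
    for ip in relays:
        if not any(ipaddress.ip_address(ip) in n for n in nets):
            break
        run.append(ip)
    return run

def classify(relays, trusted, internal):
    """Simplified model of the trust boundary (an assumption, not SA's code).

    relays: connecting IPs taken from the Received headers, newest first.
    Both lists are passed explicitly; no defaults are modelled.
    """
    t, i = _nets(trusted), _nets(internal)
    # Documented constraint: every internal entry must also be trusted.
    for net in i:
        if not any(net.version == x.version and net.subnet_of(x) for x in t):
            raise ValueError(f"{net} is internal but not trusted")
    internal_run = _run(relays, i)
    rest = relays[len(internal_run):]
    return {
        "trusted": _run(relays, t),    # hops whose Received lines are believed
        "internal": internal_run,      # hops skipped for dynamic-IP lookups
        "dul_checked": rest[0] if rest else None,  # IP handed to PBL-style lists
    }

# Constructed addresses (documentation ranges), newest hop first:
# a third-party forwarder that relayed mail from a residential sender.
OWN_MX = "203.0.113.10"
FORWARDER = "192.0.2.25"
RESIDENTIAL = "198.51.100.77"
PATH = [FORWARDER, RESIDENTIAL]

def forwarder_trusted_only():
    return classify(PATH, trusted=[OWN_MX, FORWARDER], internal=[OWN_MX])

def forwarder_internal_too():
    return classify(PATH, trusted=[OWN_MX, FORWARDER],
                    internal=[OWN_MX, FORWARDER])

if __name__ == "__main__":
    print("trusted only :", forwarder_trusted_only())
    print("internal too :", forwarder_internal_too())
```

With the forwarder in trusted_networks only, the forwarder's own address is the one looked up; with it in internal_networks as well, the residential sender's address is looked up instead, which is the false-positive case the reply warns about.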
