On Sun, 2009-08-09 at 00:56 +0100, RW wrote: > The trouble with whitelist_from_rcvd is that it relies on the MX server > recording reverse DNS - most do, some don't. > > > > Also, I'm still not sure I have my trusted_networks setting correct. I > > have this in my local.cf: > > > > trusted_networks 192.168/16 71.48.160.0/20 71.54.96/19 > > > > Here is a line of Received: from headers from a test mail to myself: > > > > Received: from [71.54.109.114] and one from someone else using embarq > > Received: from [71.48.166.180] > > > > If I read the below correct this is a listing of all CIDRs in the > > embarq AS range: > > > > http://www.cidr-report.org/cgi-bin/as-report?as=as6367&view=2.0 > > > > should all of these be listed in the trusted_networks entry or do I > > misunderstand the concept still? > > Absolutely not, it leaves thousands of back-doors open. Just use the ip > addresses used as servers, not customer addresses. /24 ranges based > on the server addresses you've seen in headers are usually a safe > compromise. Often the servers between you and the MX server use private > addresses, which makes things a lot easier - you can safely list all > private addresses. The best way to tell is to send test messages from > external mail services or look at real mail - mail from yourself can be > misleading.
I didn't think that would be necessary, after sending mail to myself from three other accounts here is what I see: Received: from [195.4.92.94] ([195.4.92.94:38943] helo=mout4.freenet.de) by smtp.embarq.synacor.com (envelope-from <@freenet.de>) (ecelerity 2.2.2.36 r(27513/27514)) with ESMTP id 8F/64-30700-A051E7A4; Sat, 08 Aug 2009 20:15:07 -0400 Received: from [195.4.92.23] (helo=13.mx.freenet.de) by mout4.freenet.de with esmtpa (ID @freenet.de) (port 25) (Exim 4.69 #92) id 1MZw42-0007og-6v for cpoll...@embarqmail.com; Sun, 09 Aug 2009 02:15:06 +0200 Received: from web13.emo.freenet-rz.de ([194.97.107.135]:51350) by 13.mx.freenet.de with esmtpa (ID @freenet.de) (port 25) (Exim 4.69 #93) id 1MZw42-0000CS-2N for cpoll...@embarqmail.com; Sun, 09 Aug 2009 02:15:06 +0200 Received: from [206.190.38.132] ([206.190.38.132:27950] helo=web51001.mail.re2.yahoo.com) by smtp.embarq.synacor.com (envelope-from <@yahoo.com>) (ecelerity 2.2.2.36 r(27513/27514)) with ESMTP id 54/BB-30700-4571E7A4; Sat, 08 Aug 2009 20:24:52 -0400 Received: from [209.85.210.204] ([209.85.210.204:50198] helo=mail-yx0-f204.google.com) by smtp.embarq.synacor.com (envelope-from <@gmail.com>) (ecelerity 2.2.2.36 r(27513/27514)) with ESMTP id D3/99-26274-D381E7A4; Sat, 08 Aug 2009 20:28:45 -0400 Received: by 10.150.218.17 with SMTP > If you are using an ISP for your mail you're conservatively advised > to put them in trusted_networks because that behaves least badly for > the worst case ISPs. > > In practice it's almost always better to put them into > internal_networks so SA knows where the real MX servers are, > particularly in your case since embarq records authentication on it's > submission server, note the "with ESMTPA" in your headers. Ok, now I am a bit confused, this 71.54.109.114 and the other IP shown at the top would go into internal_networks? -- KeyID 0xE372A7DA98E6705C
signature.asc
Description: This is a digitally signed message part