On Wed, 3 Jul 2013 12:52:43 -0700 (PDT) AndreaS Schamanek wrote:
> Anyway, using trusted_networks I found that it doesn't work fully
> unless I manage to list their complete mail infrastructure. I didn't
> know that IPs from trusted_networks can actually be subject to evals.
>...
> Only if I also add 172.31.38.210 (private address from a reserved
> block) it works as I expected it.

Once the chain of trust is broken by 172.31.38.210, the rest of the IP addresses won't be checked since they may be forged. I guess that private addresses are then skipped in finding the last-external address. There may be some situation where that's the best thing to do, but it doesn't seem to be in this case.
