Mailing List Archive

scores for dialup IPs
Hi, out there.
I thought I finally understood the concept SA is using with dialup IPs,
but today I noticed that apparently I didn't.

Please, I need help understanding why a message gets tagged with
RCVD_IN_DYNABLOCK, RCVD_IN_NJABL, RCVD_IN_NJABL_DIALUP, RCVD_IN_SORBS

It was sent from a machine (by sendmail) using this dialup IP
But it was sent to the smarthost (which has a fixed public IP).
From there it was relayed to the mailserver of the receiver machine.

I thought SA only uses these tags if the message was sent directly from the
dialup IP to the receiver's mailserver, right?

What could have gone wrong? I can provide examples if necessary.
I'd include it but would like to avoid feeding harvesters.
Oh, wait, idea: I'll put it on my website:
http://andy.spiegl.de/sa-dialupip-example.txt

Thanks and have a nice weekend!
Andy.

--
o _ _ _
------- __o __o /\_ _ \\o (_)\__/o (_) -o)
----- _`\<,_ _`\<,_ _>(_) (_)/<_ \_| \ _|/' \/ /\\
---- (_)/ (_) (_)/ (_) (_) (_) (_) (_)' _\o_ _\_v
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Horse sense is the thing a horse has which keeps it from
betting on people. -- W. C. Fields
Re: scores for dialup IPs
I'm missing comprehension pieces also; however, I understand that if a
message is sourced from a dynamic IP, it is expected to route its mail
thru "the correct" smtp server.

How the correctness of the smtp server is determined is a mystery to me;
however, I suspect it is any server with an IP which has at least 2 (3?)
octets in common with the dialup IP.

In other words, the DYN RBL lists will score against you even if you are
using a "legitimate" smtp if that smtp server is not somehow associated
with the dynamic IP.

This is a problem for me. We have a number of customers who use Verizon
DSL. The Verizon DSL has been refusing (I haven't tested this in the
last month or 2) to transfer any mail originating from their DSL lines
which does not conform to "[user]@verizon.net". This means that folks
trying to use their own domains cannot use Verizon's smtp for outgoing
mail. I provide an authenticated smtp server for them to use; but they
always get tagged by the DYN RBL rules.

Andy Spiegl wrote:

> Hi, out there.
> I thought I finally understood the concept SA is using with dialup IPs,
> but today I noticed that apparently I didn't.
>
> Please, I need help understanding why a message gets tagged with
> RCVD_IN_DYNABLOCK, RCVD_IN_NJABL, RCVD_IN_NJABL_DIALUP, RCVD_IN_SORBS
>
> It was sent from a machine (by sendmail) using this dialup IP
> But it was sent to the smarthost (which has a fixed public IP).
> From there it was relayed to the mailserver of the receiver machine.
>
> I thought SA only uses these tags if the message was sent directly from the
> dialup IP to the receiver's mailserver, right?
>
> What could have gone wrong? I can provide examples if necessary.
> I'd include it but would like to avoid feeding harvesters.
> Oh, wait, idea: I'll put it on my website:
> http://andy.spiegl.de/sa-dialupip-example.txt
>
> Thanks and have a nice weekend!
> Andy.
>
Re: scores for dialup IPs
At 11:31 AM 2/20/2004, Andy Spiegl wrote:
>I thought SA only uses these tags if the message was sent directly from the
>dialup IP to the receiver's mailserver, right?
>
>What could have gone wrong?

Suggestion: the SpamAssassin machine might need its trusted networks
manually set. If SA fails to figure this out, it will default to checking
every header for dialup IPs.

add a trusted_networks statement to your local.cf... add the IP address of
your own mailserver to it... not the smarthost, but your own mailserver,
usually the same box that SA itself is running on.

ie: xanadu.evi-inc.com has:

trusted_networks 208.39.141.94/32

(Ok, technically it does not have that exact statement, as xanadu is NATed,
but it has the NAT-mapped IP that everyone else in the world sees as being
208.39.141.94. For the sake of DNS verifiability for everyone outside EVI,
that is the config line in use....)

I will repeat myself that this has absolutely nothing to do with trusting
any machines outside your network. People very often mistake what I'm
saying here and claim I'm telling them to trust the smarthost. It's not
about trusting the sending server, or any intermediate relays, it's about
trusting YOUR own server.

I've also heard rumors that the documentation doesn't match the code. The
docs claim you can truncate IPs but I've had at least one person report
that trusted_networks didn't work until they put in the whole IP with CIDR
mask. (ie: 192.168/16 did not work, 192.168.0.0/16 did, which is contrary
to the man page)
Re: scores for dialup IPs
Hi Eric,

> I'm missing comprehension pieces also; however, I understand that if a
> message is sourced from a dynamic IP, it is expected to route its mail
> thru "the correct" smtp server.
Ah, that explains a lot. Although I don't agree with the method how the
"correct" one is computed. Anyone second?

As I will write to Matt in a second my concern isn't what _my_ spamassassin
says about _my_ users' mails, but what other people's spamassassin says
about my users' mails. I can't change the configuration of their SA.

And also what my spamassassin is saying about mails to my users from other
people who have dialup IPs and "incorrect" smtp servers. I can't add all
their servers to my trusted_networks.

SA is a really great tool, there is just that tiny detail where I
disagree. Maybe we can start a serious discussion (or vote) here?

Have a great (carnival :-) weekend,
Andy.

--
No matter how long or how hard you shop for an item,
after you've bought it, it will be on sale somewhere cheaper.
Re: scores for dialup IPs
Hi Matt Kettler,

> Suggestion: the SpamAssassin machine might need its trusted networks
> manually set. If SA fails to figure this out, it will default to checking
> every header for dialup IPs.

I think you misunderstood me. My problem isn't what _my_ spamassassin says
about _my_ users' mails, but what other people's spamassassin says about my
users' mails. I can't change the configuration of _their_ SA.

And also what my spamassassin is saying about mails to my users from other
people who have dialup IPs and "incorrect" smtp servers. I can't add all
their servers to my trusted_networks.

SA is a really great tool, there is just that tiny detail where I
disagree. Maybe we can start a serious discussion (or vote) here?

> I've also heard rumors that the documentation doesn't match the code. The
> docs claim you can truncate IPs but I've had at least one person report
> that trusted_networks didn't work until they put in the whole IP with CIDR
> mask. (ie: 192.168/16 did not work, 192.168.0.0/16 did, which is contrary
> to the man page)
Hm, does it work without a CIDR mask? Like this:
trusted_networks 192.168.123.45 192.168.123.46 192.168.123.47

I thought so until now, but you make me wonder whether I never noticed...?
Thanks,
Andy.

--
Weinberg's Principle:
An expert is a person who avoids the small errors while
sweeping on to the grand fallacy.
Re: scores for dialup IPs
At 01:28 PM 2/20/2004, Andy Spiegl wrote:
>And also what my spamassassin is saying about mails to my users from other
>people who have dialup IPs and "incorrect" smtp servers. I can't add all
>their server to my trusted_networks.

Stop mis-reading my message.

Stop reading into the meaning of trusted_networks... Read exactly what I
told you to do.

At NO time did I EVER suggest you had to add an ISP's mailserver to your
config... I even explicitly told you NOT TO!


I tried VERY hard to make it clear that you don't need to add other
servers. ONLY yours... this fixes the bug for your machine entirely.

You NEVER have to add an ISP's server to your trusted_networks.... NEVER
NEVER NEVER NEVER.

if xanadu trusts xanadu, it will stop mis-marking mail from comcast, aol,
sprint, and every other dialup ISP in the entire world.

Read my message again, read it correctly, and without making assumptions.
Re: scores for dialup IPs
Andy Spiegl wrote:

> Hi Eric,
>
>
>>I'm missing comprehension pieces also; however, I understand that if a
>>message is sourced from a dynamic IP, it is expected to route its mail
>>thru "the correct" smtp server.
>
> Ah, that explains a lot. Although I don't agree with the method how the
> "correct" one is computed. Anyone second?
>
> As I will write to Matt in a second my concern isn't what _my_ spamassassin
> says about _my_ users' mails, but what other people's spamassassin says
> about my users' mails. I can't change the configuration of their SA.
>
> And also what my spamassassin is saying about mails to my users from other
> people who have dialup IPs and "incorrect" smtp servers. I can't add all
> their servers to my trusted_networks.
>
> SA is a really great tool, there is just that tiny detail where I
> disagree. Maybe we can start a serious discussion (or vote) here?
>
> Have a great (carnival :-) weekend,
> Andy.

This might make things more clear: Your email to the list only hit the
following on my SA:

score=-2.8 required=8 tests=BAYES_00,RCVD_IN_NJABL,RCVD_IN_SORBS

Which is correct, since the original IP is in NJABL and SORBS.

Note that *my* Spamassassin doesn't hit DYNABLOCK or NJABL_DIALUP on
your email. This is because you are doing exactly what you should be
doing (sending out through a smarthost).

I haven't added your IPs to my SA config... I don't have to! But, my
external MX server *is* in my trusted_networks. So, SA knows "just look
at who is connecting to the edge of my network".

In the sample message you posted, you appear to have sent to a
"non-local" email address, but the message was processed by SA on
condor. Strange, unless web.de is also local, and condor is processing
email for that server?

What do you have set in local_networks (at the time of receiving the
mail you posted)?

Is lyta.akte.de your smarthost? (appears to be)

What IP ranges are allowed to send through your smarthost?

--Rich
Re: scores for dialup IPs
Hi Matt,

sorry for the long pause but during the weekend I didn't have enough spare
time to think about this thoroughly.

I don't think I mis-read your message but after reading your latest answer
I am not sure about anything anymore. This starts to get confusing.

> Stop reading into the meaning of trusted_networks... Read exactly what I
> told you to do.
Since the first day that I had installed SA on my servers I had
trusted_networks set to the IP of the machine where SA is running on.
So I thought that part of your mail can't be the solution.
Rich Puhek's answer calmed my fears because he said that my mail to the
list didn't get high scores. Well, so that leaves the (hopefully simpler)
problem that _my_ spamassassin scores mails from dialup IPs too high.

Maybe my problem (or our misunderstanding) is that SA is not running on my
local machine (condor) but on my smart host. We have several machines which
are acting as receiving mail servers and as smart hosts (using SMTP Auth).
All incoming mails from outside are piped through SA and local.cf contains
the IPs of all these servers like so:
trusted_networks host1.xx.yy.zz host2.xx.yy.zz host3.xx.yy.zz ...

> I tried VERY hard to make it clear that you don't need to add other
> servers. ONLY yours... this fixes the bug for your machine entirely.
Unfortunately not. I had my server(s) in trusted_networks from the
beginning but for example my own mails to the list get tagged this way:
X-Spam-Scores: AWL=-1.348,BAYES_00=-4.9,RCVD_IN_DYNABLOCK=2.599,
RCVD_IN_NJABL=0.1,RCVD_IN_NJABL_DIALUP=3.536,RCVD_IN_SORBS=0.1,
USER_IN_WHITELIST=-100

BTW that's why I was assuming that others see my mails like that, too.
If you could explain to me why my SA acts like that I'd be really grateful.

> if xanadu trusts xanadu, it will stop mis-marking mail from comcast, aol,
> sprint, and every other dialup ISP in the entire world.
Are you saying that SA only looks at the last hop before our trusted hosts???

> Read my message again, read it correctly, and without making assumptions.
I am really trying hard but the situation still doesn't make sense to me.
Please be so kind to try again.
Thanks,
Andy.

--
Acupuncture is a jab well done.
Re: scores for dialup IPs
Hi Rich,

> This might make things more clear: Your email to the list only hit the
> following on my SA:
Thanks a lot for that. I am glad that my mails don't get tagged
but - as I just wrote to Matt Kettler - I don't get it why my SA scores
them so high. My very own message got:
X-Spam-Scores: AWL=-1.348,BAYES_00=-4.9,RCVD_IN_DYNABLOCK=2.599,
RCVD_IN_NJABL=0.1,RCVD_IN_NJABL_DIALUP=3.536,RCVD_IN_SORBS=0.1,
USER_IN_WHITELIST=-100

> Note that *my* Spamassassin doesn't hit DYNABLOCK or NJABL_DIALUP on
> your email. This is because you are doing exactly what you should be
> doing (sending out through a smarthost).
That's what I was hoping, but then why does my own SA think so bad about my
mails? There must be some kind of mistake in my configuration. I'll
better put it up on my webserver, so you can look at it:
http://andy.spiegl.de/sa-local.cf

> In the sample message you posted, you appear to have sent to a
> "non-local" email address, but the message was processed by SA on
> condor. Strange, unless web.de is also local, and condor is processing
> email for that server?
You are right, I guess that was a bad example. I was trying to create a
mail from me to an external address, so I sent it to my web.de account.
From there I downloaded it via POP3 and then ran SA on it. What I did
wrong was that I ran SA on condor instead of on lyta. But running it on
lyta leads to the same result (just tried it):

X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on lyta.akte.de
X-Spam-Scores: BAYES_00=-4.9,RCVD_IN_DYNABLOCK=2.599,RCVD_IN_NJABL=0.1,
RCVD_IN_NJABL_DIALUP=3.536,RCVD_IN_SORBS=0.1,USER_IN_WHITELIST=-100
X-Spam-Status: No, hits=-98.6 required=5.0 tests=BAYES_00,RCVD_IN_DYNABLOCK,
RCVD_IN_NJABL,RCVD_IN_NJABL_DIALUP,RCVD_IN_SORBS,USER_IN_WHITELIST
autolearn=no version=2.63

> What do you have set in local_networks (at the time of receiving the
> mail you posted)?
Do you mean trusted_networks? Please look at sa-local.cf from above.
I didn't change it in the meantime.

> Is lyta.akte.de your smarthost? (appears to be)
Yes.

> What IP ranges are allowed to send through your smarthost?
Anyone, but only via authenticated SMTP.

Thanks so much for trying to help me,
Andy.

--
The function of an expert is not to be more right than other people
but to be wrong for more sophisticated reasons. (David Butler)
Re: scores for dialup IPs
Andy Spiegl wrote:
> Hi Rich,
>
>
>>This might make things more clear: Your email to the list only hit the
>>following on my SA:
>
> Thanks a lot for that. I am glad that my mails don't get tagged
> but - as I just wrote to Matt Kettler - I don't get it why my SA scores
> them so high. My very own message got:
> X-Spam-Scores: AWL=-1.348,BAYES_00=-4.9,RCVD_IN_DYNABLOCK=2.599,
> RCVD_IN_NJABL=0.1,RCVD_IN_NJABL_DIALUP=3.536,RCVD_IN_SORBS=0.1,
> USER_IN_WHITELIST=-100
>
>
>>Note that *my* Spamassassin doesn't hit DYNABLOCK or NJABL_DIALUP on
>>your email. This is because you are doing exactly what you should be
>>doing (sending out through a smarthost).
>
> That's what I was hoping, but then why does my own SA think so bad about my
> mails? There must be some kind of mistake in my configuration. I'll
> better put it up on my webserver, so you can look at it:
> http://andy.spiegl.de/sa-local.cf
>

In your case, you're sending from a dynamic IP which is not in your
trusted networks list. SA thinks "ok, a mailserver in my network
(condor) just got a connection from somewhere OUTSIDE my network, let's
check the connecting IP (217.233.34.182) against the dialup RBLS, let's
check all other IPs beyond that against other RBLs, and see what gets hit."

In my case, when receiving a mail, my SA thinks "ok, mx(n).2z.net
received a mail from outside my network (lyta.akte.de), let's check that
IP to see if it's in any dialup RBLS, and let's check all the other IPs
against the regular RBLs".

Does that help make it more clear?

The rule of thumb that I think is missing from the documentation
(anyone please correct me if I'm wrong here) is that the
trusted_networks and internal_networks settings should contain:

trusted_networks: List the IP ranges of everything that will be using
your MTAs as smarthosts (answer the question "who is allowed to send
email out through my servers?")

internal_networks: List the IP ranges of your MX servers.

Running spamassassin -D, and looking closely at the debug output will
help show what it considers local, and what it's looking up in RBLs.

>
>>In the sample message you posted, you appear to have sent to a
>>"non-local" email address, but the message was processed by SA on
>>condor. Strange, unless web.de is also local, and condor is processing
>>email for that server?
>
> You are right, I guess that was a bad example. I was trying to create a
> mail from me to an external address, so I sent it to my web.de account.
> From there I downloaded it via POP3 and then ran SA on it. What I did
> wrong was that I ran SA on condor instead of on lyta. But running it on
> lyta leads to the same result (just tried it):
>
> X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on lyta.akte.de
> X-Spam-Scores: BAYES_00=-4.9,RCVD_IN_DYNABLOCK=2.599,RCVD_IN_NJABL=0.1,
> RCVD_IN_NJABL_DIALUP=3.536,RCVD_IN_SORBS=0.1,USER_IN_WHITELIST=-100
> X-Spam-Status: No, hits=-98.6 required=5.0 tests=BAYES_00,RCVD_IN_DYNABLOCK,
> RCVD_IN_NJABL,RCVD_IN_NJABL_DIALUP,RCVD_IN_SORBS,USER_IN_WHITELIST
> autolearn=no version=2.63
>
>
The example just made it a bit fuzzy as to what was part of your
network, and how normal email flowed.

>>What do you have set in local_networks (at the time of receiving the
>>mail you posted)?
>
> Do you mean trusted_networks? Please look at sa-local.cf from above.
> I didn't change it in the meantime.
>
>
>>Is lyta.akte.de your smarthost? (appears to be)
>
> Yes.
>
>
>>What IP ranges are allowed to send through your smarthost?
>
> Anyone, but only via authenticated SMTP.
>
That's going to cause a bit of a problem for a while. SA currently can't
tell the difference between a legit client connecting to your MTA via
authenticated SMTP and a spammer on a dialup doing direct to MX. I think
that's in the pipe to be fixed, but I'm not certain. In the meantime,
if you tend to be at the same ISP your options are to either use that
ISP's outbound SMTP server, or add that ISP's IP range to trusted_networks.

> Thanks so much for trying to help me,
> Andy.

Not a problem. It's helping me get my head around the config issues
involved.
Re: scores for dialup IPs
> In your case, you're sending from a dynamic IP which is not in your
> trusted networks list. SA thinks "ok, a mailserver in my network
> (condor) just got a connection from somewhere OUTSIDE my network, let's
> check the connecting IP (217.233.34.182) against the dialup RBLS, let's
> check all other IPs beyond that against other RBLs, and see what gets hit."
>
> In my case, when receiving a mail, my SA thinks "ok, mx(n).2z.net
> received a mail from outside my network (lyta.akte.de), let's check that
> IP to see if it's in any dialup RBLS, and let's check all the other IPs
> against the regular RBLs".
>
> Does that help make it more clear?

Okay, so basically SA is testing the first IP outside the trusted network
against the dialup RBLs and every other IP beyond that only against other
RBLs. Did I understand you correctly?

If so I'll have serious problems with my own users who send mails to my
servers using authenticated SMTP. But you mentioned that yourself. I'll
just hope for the next SA version then. :-)

> In the mean time, if you tend to be at the same ISP your options are to
> either use that ISP's outbound SMTP server, or add that ISP's IP range to
> trusted_networks.
Adding the IP range would work for me (although I'd never do it, T-Online
is just too big of an ISP), but not for my other users who are connecting
from the whole range of German ISPs.

> internal_networks: List the IP ranges of your MX servers.
I've never seen that config option.
Is that from a newer version than 2.63?

> Running spamassassin -D, and looking closely at the debug output will
> help show what it considers local, and what it's looking up in RBLs.
Yep, I think I finally understood it now.

Thanks again,
Andy.

--
No matter how long or how hard you shop for an item,
after you've bought it, it will be on sale somewhere cheaper.
Re: scores for dialup IPs
At 10:38 AM 2/23/2004, Andy Spiegl wrote:
>sorry for the long pause but during the weekend I didn't have enough spare
>time to think about this thoroughly.

And sorry for my long pause.. I was off-site Monday, and yesterday I was
playing catch-up. Urgh.


>I don't think I mis-read your message but after reading your latest answer
>I am not sure about anything anymore. This starts to get confusing.
>
> > Stop reading into the meaning of trusted_networks... Read exactly what I
> > told you to do.
>Since the first day that I had installed SA on my servers I had
>trusted_networks set to the IP of the machine where SA is running on.
>So I thought that part of your mail can't be the solution.
>Rich Puhek's answer calmed my fears because he said that my mail to the
>list didn't get high scores. Well, so that leaves the (hopefully simpler)
>problem that _my_ spamassassin scores mails from dialup IPs too high.
>
>Maybe my problem (or our misunderstanding) is that SA is not running on my
>local machine (condor) but on my smart host. We have several machines which
>are acting as receiving mail servers and as smart hosts (using SMTP Auth).
>All incoming mails from outside are piped through SA and local.cf contains
>the IPs of all these servers like so:
> trusted_networks host1.xx.yy.zz host2.xx.yy.zz host3.xx.yy.zz ...


"host1.xx.yy.zz"... I do hope that's an IP address, and not a hostname.. Is it?


Now.. let's give a symbolic name to your smarthosts running SA.. let's call
them "saserver1" "saserver2" etc..

Using that syntax.. does trusted_networks on "saserver1" contain "saserver1"?


>Unfortunately not. I had my server(s) in trusted_networks from the
>beginning but for example my own mails to the list get tagged this way:
> X-Spam-Scores: AWL=-1.348,BAYES_00=-4.9,RCVD_IN_DYNABLOCK=2.599,
> RCVD_IN_NJABL=0.1,RCVD_IN_NJABL_DIALUP=3.536,RCVD_IN_SORBS=0.1,
> USER_IN_WHITELIST=-100
>
>BTW that's why I was assuming that others see my mails like that, too.
>If you could explain to me why my SA acts like that I'd be really grateful.


Hopefully I can help out.

In depth, the common cause of this problem is a cascade of events:

First, when attempting to determine the trust path, SA fails to find any
trusted hosts in the Received headers. This means the number of trusted
headers is 0.

When SA encounters a situation where no headers are trusted, ALL rules are
run against ALL Received headers. Matters of trust, first-hop, etc are
completely ignored and disabled.

However, if SA determines it can trust any of the Received: headers (which
it should be able to trust the one added by the local host), it will enable
its trust-path code and the first-hop skip code works properly.
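
The lookup behaviour that Rich and Matt describe in this thread, as an added Python sketch that is not part of any post and is not SpamAssassin's own code: it models which relay IPs get the dialup-list lookup for a given trusted_networks setting, including the fallback when no Received header is trusted. The `Hop` tuple, the function names, and the addresses 192.0.2.10 and 198.51.100.25 (standing in for the smarthost and the receiver's MX) are constructed; 217.233.34.182 is the dialup IP quoted in the thread.

```python
"""Simplified model of the trust-path behaviour described in this thread.

Not SpamAssassin code. Names and two of the sample addresses are constructed.
"""
import ipaddress
from typing import NamedTuple

DIALUP, REGULAR = "dialup", "regular"


class Hop(NamedTuple):
    """One Received header: server `by` wrote it after `client` connected."""
    client: str  # IP of the connecting relay
    by: str      # IP of the server that added the header


def in_networks(ip, networks):
    """True if `ip` falls inside any CIDR entry of `networks`."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in networks)


def plan_rbl_checks(hops, trusted_networks):
    """Map each relay IP to the kinds of lists it would be looked up in.

    `hops` is ordered newest first, like the Received headers of a message.
    """
    # Count the leading headers that were written by a trusted server.
    trusted_headers = 0
    for hop in hops:
        if not in_networks(hop.by, trusted_networks):
            break
        trusted_headers += 1

    if trusted_headers == 0:
        # The cascade Matt describes: no trusted header, so every rule
        # runs against every Received header.
        return {hop.client: {DIALUP, REGULAR} for hop in hops}

    plan = {}
    edge_seen = False
    for hop in hops:
        if not edge_seen and in_networks(hop.client, trusted_networks):
            continue  # hand-off between our own servers: nothing to look up
        # The first untrusted client is the one that connected to the edge of
        # the trusted network; only it gets the dialup lookup.
        plan[hop.client] = {REGULAR} if edge_seen else {DIALUP, REGULAR}
        edge_seen = True
    return plan


# Constructed sample data (only DIALUP_IP appears in the thread).
DIALUP_IP = "217.233.34.182"
SMARTHOST_IP = "192.0.2.10"       # placeholder for the smarthost
RECEIVER_MX_IP = "198.51.100.25"  # placeholder for the receiver's MX

# SA running on the smarthost itself: the dialup client connects directly.
AT_SMARTHOST = [Hop(client=DIALUP_IP, by=SMARTHOST_IP)]
# SA at a third-party receiver: the smarthost is the connecting relay.
AT_RECEIVER = [
    Hop(client=SMARTHOST_IP, by=RECEIVER_MX_IP),
    Hop(client=DIALUP_IP, by=SMARTHOST_IP),
]

if __name__ == "__main__":
    cases = [
        ("on smarthost", AT_SMARTHOST, [SMARTHOST_IP + "/32"]),
        ("at receiver", AT_RECEIVER, [RECEIVER_MX_IP + "/32"]),
        ("receiver, nothing trusted", AT_RECEIVER, []),
    ]
    for label, hops, trusted in cases:
        print(label, plan_rbl_checks(hops, trusted))
```
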
Re: scores for dialup IPs
Hi Matt,

> And sorry for my long pause.. I was off-site Monday, and yesterday I was
> playing catch-up. Urgh.
Yep, I know what that feels like. :-(

> >All incoming mails from outside are piped through SA and local.cf contains
> >the IPs of all these servers like so:
> > trusted_networks host1.xx.yy.zz host2.xx.yy.zz host3.xx.yy.zz ...
>
> "host1.xx.yy.zz"... I do hope that's an IP address, and not a hostname.. Is it?
Sure, just IPs. Sorry I put the examples that way.

> Now.. let's give a symbolic name to your smarthosts running SA.. let's call
> them "saserver1" "saserver2" etc..
>
> Using that syntax.. does trusted_networks on "saserver1" contain
> "saserver1"?
Yes, and the IPs of all our other servers.
But I'll have to change that, too, because yesterday I discovered a new
problem. The situation is like so:
Let's call my servers
dpt1-server1, dpt1-server2, ... dpt1-server10
and
dpt2-server1, dpt2-server2, ... dpt2-server10

They belong to two different departments of my company, hosting many
different domains. They are running the exact same software and usually
trust each other. So far I have written all their IPs in trusted_networks
of all of them. But now when a user A@dpt2-server sends mail to a user
B@dpt1-server (from a dialup via SMTP-AUTH and a dpt2-server as smarthost)
the dpt2-server has to relay the mail to a dpt1-server and there SA marks
the mail with RCVD_IN_DYNABLOCK etc. because SA's reasoning seems to be:
- I trust dpt1-server (myself)
- I trust dpt2-server
- next hop after dpt2-server is a dialup-IP, so mark it

So I guess I'll remove all servers from the other departments which would
then make SA think like this:
- I trust dpt1-server (myself)
- I don't trust dpt2-server, so check it against blacklists
(hopefully without results :-)
- next hop after dpt2-server is a dialup-IP, but don't mark it
because I already tested the (untrusted) dpt2-server
Am I correct? Is this the recommended way to do it?
But the disadvantage is then that all servers from the other department are
being looked up in the blacklists which doesn't make sense. :-(


BTW, this is related to the (known) problem which happens every time the
smarthosts call SA for mails received from our dialup-users. We are
thinking about having our mailserver add an extra header line that tells SA
that the user authenticated properly and have SA score this line with a
negative score. But then how do I teach SA to just trust our own
received-via-smtp-auth lines and not fake ones? Hm...

> First, when attempting to determine the trust path, SA fails to find any
> trusted hosts in the Received headers. This means the number of trusted
> headers is 0.
Does SA normally assume its own host is trusted?
Or why do we have to explicitly add the host which is running SA?

> Hopefully I can help out.
Thank you very much for your help!
Andy.

PS: No need to CC-me. I read the lists where I post. :-)

--
Year, n.: A period of three hundred and sixty-five disappointments.