[Mimedefang] md is not the first relay

Yizhar Hurwitz yizhar at mail.com
Tue Dec 5 15:18:05 EST 2006


Hi.

> > I am now using it and it seems to do the job.
> > I have also added the upstream mail relay to "internal_networks" for 
> > example:
> > 
> > trusted_networks a.b.c.d
> > internal_networks a.b.c.d
> > 
> > This is what I understood from "man Mail::SpamAssassin::Conf" which is a bit
> > confusing, for me at least.
>   

> You don't have to explicitly set internal_networks if it's the same
> as trusted_networks. internal_networks is supposed to be all of your
> MX hosts. trusted_networks may contain more than your MX hosts,
> if there are other hosts that you trust not to forge headers
> (eg: other mailservers you control, or that regularly forward
> mail to you, operated by trusted third parties).
>
> Does that make it clear?


No, it is still confusing.

This is what I read in "man Mail::SpamAssassin::Conf":

       trusted_networks ip.add.re.ss[/mask] ... 
(some text skipped)...
           MXes for your domain(s) and internal relays should also be speci-
           fied using the "internal_networks" setting. When there are
           trusted hosts that are not MXes or internal relays for your
           domain(s) they should only be specified in "trusted_networks".

And this:

       internal_networks ip.add.re.ss[/mask] ...   (default: none)
           What networks or hosts are internal in your setup.   Internal
           means that relay hosts on these networks are considered to be MXes
           for your domain(s), or internal relays.  This uses the same format
           as "trusted_networks", above.

           This value is used when checking dial-up or dynamic IP address
           blocklists, in order to detect direct-to-MX spamming. Trusted
           relays that accept mail directly from dial-up connections should
           not be listed in "internal_networks". List them only in
           "trusted_networks".

So, as far as I understand from the above:

The general rule is:
an MX server should be listed in "trusted_networks" and also in "internal_networks".

An exception rule is:
but if the MX server is also accepting direct connections from clients
(for example an ISP outgoing mail server),
then it should be listed only in "trusted_networks".

So in my case the general rule applies, because the MX server is used
only for incoming mail;
it is an ISP server dedicated to that purpose (as far as I know).
Dial-up and home users of the ISP use a different server for sending
their outbound mail.

Am I correct?

Yizhar Hurwitz
http://yizhar.mvps.org
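
The following is an added example, not part of the original post and not SpamAssassin's own code: a simplified Python model of how the two settings move the relay boundary, for the MX-only case and for the dial-up exception quoted from the man page. The addresses, function names and the newest-first relay lists are constructed for illustration.

```python
import ipaddress

def parse_networks(value):
    """Parse the argument list of a trusted_networks / internal_networks line."""
    return [ipaddress.ip_network(tok, strict=False) for tok in value.split()]

def first_outside(relays, networks):
    """First relay IP (newest Received header first) not covered by networks."""
    for ip in relays:
        if not any(ipaddress.ip_address(ip) in net for net in networks):
            return ip
    return None

def boundaries(relays, trusted_value, internal_value=""):
    """Return (ip_checked_against_dialup_lists, first_untrusted_ip)."""
    trusted = parse_networks(trusted_value)
    # Per the quoted reply: internal_networks need not be set explicitly
    # when it is the same as trusted_networks.
    internal = parse_networks(internal_value) or trusted
    return first_outside(relays, internal), first_outside(relays, trusted)

# Constructed sample addresses (documentation ranges), not from the post.
MX = "192.0.2.10"            # upstream MX that relays to the MIMEDefang host
SMARTHOST = "198.51.100.25"  # trusted relay that accepts mail from dial-up users
DIALUP = "203.0.113.77"      # dynamic-IP client

def demo():
    direct = [MX, DIALUP]                  # client connected straight to the MX
    via_smarthost = [MX, SMARTHOST, DIALUP]
    both = f"{MX} {SMARTHOST}"
    return {
        # General rule: MX in both lists, so the dial-up check lands on the client.
        "general_rule": boundaries(direct, MX, MX),
        "implicit_internal": boundaries(direct, MX),
        # Exception: smarthost only trusted, so the check stops at the smarthost.
        "exception_trusted_only": boundaries(via_smarthost, both, MX),
        # Smarthost also internal: its dial-up customer becomes the checked IP.
        "exception_listed_internal": boundaries(via_smarthost, both, both),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```
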



