Posted to dev@spamassassin.apache.org by Karsten Bräckelmann <gu...@rudersport.de> on 2008/11/24 16:54:17 UTC

trusted and internal networks

I recently spotted some reason to finally try to wrap my head around
trusted_networks and internal_networks, since forwarded mail falsely
triggered RVCD_IN_DNS_MED for -4.0 -- very rare, but still a reason to
fix it.

So I set it up like I understand the docs (man page and wiki). My own
server, which I got full control of, is internal, the forwarders are
trusted (which I do).

This however doesn't cut it when looking at the debug logs. We are using
lastexternal for Spamhaus Zen -- which nicely checks if the GNOME or ASF
forwarders might be listed in PBL... This doesn't seem right.

Why do we use lastexternal here? Shouldn't it be like lastuntrusted or
something?


Worked around by equalizing internal and trusted, but this doesn't feel
like a proper solution, nor actually intended.

Related bug:  RCVD_IN_XBL should use lastexternal
  https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5294


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: trusted and internal networks

Posted by Henrik Krohns <he...@hege.li>.
On Mon, Nov 24, 2008 at 05:32:55PM +0100, Karsten Bräckelmann wrote:
> > 
> > If you want to check in RBLs the host (zombie/dynamic user?) that relays
> > through GNOME or ASF, then you could add these to internal_networks. The
> > "internal" is a bit misleading. To me it includes something like "trusted
> > third party MXs that may relay mail from zombies to you".
> 
> Isn't that the very definition of trusted_networks rather than internal?
> "Will not originate spam, but might relay it." According to all docs at
> least...
> 
> I knew this would be confusing. And now I am.

You could look at it this way also: internal_networks are always included in
trusted_networks.. so the clause applies to both. The main thing lacking is
documentation. Somewhere should be a clear list of checks with the
respective border (trusted/external) they are checked upon. But first all
developers should agree on what all these should be used for. For example I use
trusted_networks heavily for whitelisting.


Re: trusted and internal networks

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Mon, 2008-11-24 at 18:17 +0200, Henrik Krohns wrote:
> On Mon, Nov 24, 2008 at 04:54:17PM +0100, Karsten Bräckelmann wrote:

> > So I set it up like I understand the docs (man page and wiki). My own
> > server, which I got full control of, is internal, the forwarders are
> > trusted (which I do).
> >
> > This however doesn't cut it when looking at the debug logs. We are using
> > lastexternal for Spamhaus Zen -- which nicely checks if the GNOME or ASF
> > forwarders might be listed in PBL... This doesn't seem right.
> >
> > Why do we use lastexternal here? Shouldn't it be like lastuntrusted or
> > something?
> 
> No, try reading through:
> 
> https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5856

Ah, right -- I recall I have seen a bug about it somewhere. Will have a
look at that later, thanks.

> And probably some others.. mailing lists are pretty full of it too.. maybe
> one day it will be clear. ;)
> 
> If you don't want GNOME or ASF to be checked in RBLs, then you need to add
> them to trusted_networks so they won't be checked. Which doesn't even
> currently work right without my patch (inside the bug above).
> 
> If you want to check in RBLs the host (zombie/dynamic user?) that relays
> through GNOME or ASF, then you could add these to internal_networks. The
> "internal" is a bit misleading. To me it includes something like "trusted
> third party MXs that may relay mail from zombies to you".

Isn't that the very definition of trusted_networks rather than internal?
"Will not originate spam, but might relay it." According to all docs at
least...

I knew this would be confusing. And now I am.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: trusted and internal networks

Posted by Henrik Krohns <he...@hege.li>.
On Mon, Nov 24, 2008 at 04:54:17PM +0100, Karsten Bräckelmann wrote:
> I recently spotted some reason to finally try to wrap my head around
> trusted_networks and internal_networks, since forwarded mail falsely
> triggered RVCD_IN_DNS_MED for -4.0 -- very rare, but still a reason to
> fix it.
> 
> So I set it up like I understand the docs (man page and wiki). My own
> server, which I got full control of, is internal, the forwarders are
> trusted (which I do).
>
> This however doesn't cut it when looking at the debug logs. We are using
> lastexternal for Spamhaus Zen -- which nicely checks if the GNOME or ASF
> forwarders might be listed in PBL... This doesn't seem right.
>
> Why do we use lastexternal here? Shouldn't it be like lastuntrusted or
> something?

No, try reading through:

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5856

And probably some others.. mailing lists are pretty full of it too.. maybe
one day it will be clear. ;)

If you don't want GNOME or ASF to be checked in RBLs, then you need to add
them to trusted_networks so they won't be checked. Which doesn't even
currently work right without my patch (inside the bug above).

If you want to check in RBLs the host (zombie/dynamic user?) that relays
through GNOME or ASF, then you could add these to internal_networks. The
"internal" is a bit misleading. To me it includes something like "trusted
third party MXs that may relay mail from zombies to you".
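
Added example, not part of the original thread and not SpamAssassin's own code: a simplified Python model of which relay address a lastexternal lookup lands on under the two setups discussed above. The addresses are constructed documentation ranges, and `first_untrusted` is a hypothetical name for the "lastuntrusted" boundary asked about in the first message, not a SpamAssassin option.

```python
from ipaddress import ip_address, ip_network

def in_nets(ip, nets):
    """True if ip falls inside any of the CIDR strings in nets."""
    addr = ip_address(ip)
    return any(addr in ip_network(n) for n in nets)

def last_external(relays, internal):
    """First relay (walking from the most recent Received header) that is
    not in internal_networks: the address a lastexternal lookup checks."""
    return next((ip for ip in relays if not in_nets(ip, internal)), None)

def first_untrusted(relays, trusted, internal):
    """Hypothetical 'lastuntrusted' boundary: first relay outside
    trusted_networks. internal_networks always counts as trusted."""
    nets = trusted + internal
    return next((ip for ip in relays if not in_nets(ip, nets)), None)

# Constructed relay chain, most recent hop first (connecting client IPs).
MY_MX = "192.0.2.10"         # own server, hands mail to the scanner
FORWARDER = "198.51.100.25"  # stands in for a GNOME/ASF style forwarder
SENDER = "203.0.113.77"      # host that relayed through the forwarder
RELAYS = [MY_MX, FORWARDER, SENDER]

# Setup from the first message: own server internal, forwarder only trusted.
SPLIT = {"internal": ["192.0.2.0/24"],
         "trusted": ["198.51.100.25/32"]}
# Workaround / suggestion: forwarder listed in internal_networks as well.
EQUAL = {"internal": ["192.0.2.0/24", "198.51.100.25/32"],
         "trusted": ["198.51.100.25/32"]}

def report(cfg):
    """Addresses picked by each boundary for the constructed chain."""
    return {
        "lastexternal": last_external(RELAYS, cfg["internal"]),
        "first_untrusted": first_untrusted(RELAYS, cfg["trusted"],
                                           cfg["internal"]),
    }

if __name__ == "__main__":
    for name, cfg in (("split", SPLIT), ("equal", EQUAL)):
        print(name, report(cfg))
```

With the split setup the lastexternal address is the forwarder itself, which is the behaviour seen in the debug logs; once the forwarder is also internal, the lookup moves to the host that relayed through it.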