Posted to commits@spamassassin.apache.org by Apache Wiki <wi...@apache.org> on 2005/06/16 21:02:28 UTC

[Spamassassin Wiki] Update of "TrustPath" by JustinMason

Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Spamassassin Wiki" for change notification.

The following page has been changed by JustinMason:
http://wiki.apache.org/spamassassin/TrustPath

The comment on the change is:
adding example and a section on optimizing

------------------------------------------------------------------------------
  
  If you have these warning signs frequently, and have your gateway MX behind a NAT, you probably need to manually configure trusted_networks. See the [http://spamassassin.apache.org/full/3.0.x/dist/doc/Mail_SpamAssassin_Conf.html Mail::Spamassassin::Conf] manpage for details. Generally you want trusted_networks set to contain all the mailservers you control that add Received: headers, and nothing else.
  
+ Here's an example trusted_networks line that could be added to {{{/etc/mail/spamassassin/local.cf}}} to specify trust:
+ 
+ {{{
+ trusted_networks 123.12.34.56 123.12.35/24
+ }}}
+ 
+ That line will specify that the host at {{{123.12.34.56}}}, and all hosts in the {{{123.12.35.0 - 123.12.35.255}}} address range, are to be trusted.
+ 
- Why doesn't SpamAssassin default to not trusting any hosts? 
+ ''Why doesn't SpamAssassin default to not trusting any hosts?''
  
  Well, trusting too few is in many ways just as bad as trusting too many. Many SpamAssassin rules try to perform checks against the untrusted host that delivered mail to the first trusted server. If there's too few or too many hosts that SA trusts, these tests will be examining the wrong host. Both situations contribute greatly to false negative problems, and to a lesser extent false positive problems.
  
- Why doesn't the auto detection just work for all networks?
+ ''Why doesn't the auto detection just work for all networks?''
  
  Unfortunately there's limits to what one can automatically discover about a network from just email headers. 
  
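Review bot: the example line added in the {{{ }}} block uses 123.12.34.56 and 123.12.35/24, which read as real routable addresses, and nothing in the added text says they are placeholders. A reader who pastes the line into local.cf unchanged would be trusting Received: headers from hosts they do not control, contrary to the "all the mailservers you control that add Received: headers, and nothing else" guidance in the context paragraph just above. Suggest using a reserved documentation range such as 192.0.2.0/24 and adding a sentence telling readers to substitute their own mail servers. It would also help to state that 123.12.35/24 is shorthand for 123.12.35.0/24, since the explanation that follows gives only the address range.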
@@ -28, +36 @@

  
  If you really want to be on the safe side, just declare your trusted_networks manually, and you'll avoid the auto detection situation entirely.
  
+ ''How can I optimize the trusted_networks setting?''
+ 
+ If you want to configure SpamAssassin with more information, you can:
+ 
+  * set 'internal_networks' to include the hosts that act as MX for your domains, or that may deliver mail internally in your organisation.
+  * set 'trusted_networks' to include the same hosts and networks as 'internal_networks', with the addition of some hosts that are external to your organisation which you trust to not be under the control of spammers.  For example, very high-volume mail relays at other ISPs, or mailing list servers.
+ 
+ By giving SpamAssassin more info about your network setup, it can perform some tests better, increase accuracy, and reduce load.
+
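Review bot: the added 'trusted_networks' bullet recommends including hosts "external to your organisation", which conflicts with the unchanged sentence earlier on the page saying trusted_networks should contain "all the mailservers you control that add Received: headers, and nothing else". One of the two needs rewording so the page gives a single rule. The new section also never says how SpamAssassin treats a trusted host differently from an internal one, so the reader has no basis for deciding which external relays or mailing list servers qualify; a sentence on that, plus a short local.cf example in the style of the first added section, would make the advice usable. The closing claim that the extra settings "reduce load" is stated without saying how.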