Posted to users@spamassassin.apache.org by Justin Mason <jm...@jmason.org> on 2007/01/02 18:29:46 UTC

Re: localhost bypass?

Matt Kettler writes:
> Sander Holthaus wrote:
> > Jason Faulkner wrote:
> > >>> trusted_networks 127.0.0.1
> > >>> internal_networks 127.0.0.1
> > >>>    
> > >> trusted_networks is *NOT* a whitelist. Do NOT try to use it as one.
> > EVER.
> > >>  
> > > I'm confused as to what you mean by this. I'm using these in my
> > > environment, and they do a good job of making sure that mail relayed
> > > through my internal networks doesn't get marked as spam.
> >
> > I'm not sure about that either, but I would say that in many
> > environments, 127.0.0.1 belongs to both the trusted and internal
> > networks. In fact, it is hard to imagine an environment where
> > 127.0.0.1 is neither trusted nor internal, as it is the host running
> > spamassassin or it refers to an external trusted host.
> 
> I'm not saying 127.0.0.1 doesn't belong in internal/trusted networks.
> 
> I'm saying that don't expect to whitelist a host by adding it to either.
> 
> trusted_networks is NOT a whitelist.
> internal_networks is NOT a whitelist.
> 
> Now, properly used they can have a significant impact on how your SA
> scores mail, but too few hosts here is just as bad as too many.
> 
> Therefore, DO NOT try to use these settings as a whitelist. Configure
> them to match your network topology, not your whitelist desires.

To be honest, I intended them as a whitelist ;)

If a message never touched an untrusted host (ALL_TRUSTED), in
a correctly-configured trust setup, is that not safe to whitelist?

--j.

Re: localhost bypass?

Posted by "Thomas S. Crum" <ts...@aaawebsolution.com>.
Then isn't it unnecessary/redundant to send it through SA at all?

On Tue, 2007-01-02 at 17:29 +0000, Justin Mason wrote:
> 
> To be honest, I intended them as a whitelist ;)
> 
> If a message never touched an untrusted host (ALL_TRUSTED), in
> a correctly-configured trust setup, is that not safe to whitelist?
> 
> --j.


Re: localhost bypass?

Posted by Matt Kettler <mk...@verizon.net>.
Justin Mason wrote:
> To be honest, I intended them as a whitelist ;)
>
> If a message never touched an untrusted host (ALL_TRUSTED), in
> a correctly-configured trust setup, is that not safe to whitelist?
>
>   
Only if the trust-path auto-detector code works perfectly, for all
sites. Which is impossible.
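
Added example, not part of the original thread and not SpamAssassin's own code: a simplified Python model of how an all-trusted verdict follows from the `trusted_networks` list and the chain of Received headers, showing that both an over-broad list and a header the parser cannot read change the result. The header formats, host names, the `trust_path` function and the choice to stop trusting at an unparseable header are assumptions of this model.

```python
import ipaddress
import re

# Connecting IP as written in "from name (rdns [ip])" or "from name [ip]".
RELAY_IP = re.compile(r"^from\s[^\[\]]*\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def trust_path(received, trusted_networks):
    """Label each hop, newest header first, and return (labels, all_trusted).

    A hop is trusted only while every newer hop was trusted too: a header
    written by an untrusted host cannot be believed, so trust never resumes.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    labels, still_trusted = [], True
    for header in received:
        match = RELAY_IP.search(header)
        if match is None:
            # Assumption of this model: an unreadable hop ends the trusted path.
            labels.append("unparseable")
            still_trusted = False
            continue
        ip = ipaddress.ip_address(match.group(1))
        still_trusted = still_trusted and any(ip in n for n in nets)
        labels.append("trusted" if still_trusted else "untrusted")
    all_trusted = bool(labels) and all(l == "trusted" for l in labels)
    return labels, all_trusted


# Constructed Received headers (documentation addresses), newest first.
LOCAL_ONLY = ["from localhost (localhost [127.0.0.1]) by mx.example.org"]
VIA_FILTER = [
    "from localhost (localhost [127.0.0.1]) by mx.example.org",
    "from out.example.net (out.example.net [203.0.113.7]) by mx.example.org",
]
ODD_FORMAT = [
    "from localhost (localhost [127.0.0.1]) by mx.example.org",
    "(qmail 1234 invoked by uid 0)",
]

if __name__ == "__main__":
    cases = [
        ("local only", LOCAL_ONLY, ["127.0.0.1"]),
        ("re-injected by filter", VIA_FILTER, ["127.0.0.1"]),
        ("list too broad", VIA_FILTER, ["127.0.0.1", "203.0.113.0/24"]),
        ("odd header", ODD_FORMAT, ["127.0.0.1"]),
    ]
    for name, headers, nets in cases:
        print(name, trust_path(headers, nets))
```

In the third case the same externally originated message becomes all-trusted purely because the network list was widened, which is the outcome to look for when reviewing a `trusted_networks` setting.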