Posted to users@spamassassin.apache.org by Philip Prindeville <ph...@redfish-solutions.com> on 2006/06/01 03:46:14 UTC

Clarifying internal_networks

I was rereading the sections on "trusted_networks" and "internal_networks"
in Mail::SpamAssassin::Conf, but something wasn't clear to me.

It talks about MXes and relays, but...  not about client workstations
that might originate email locally and submit it via port 25 or port 465
(and not the typical usage of submitting messages via a pipe into an
exec'd sendmail process on the same machine, etc).

If I have a network 192.168.1.0/24, and I have workstations at 10-25 that
submit email, should I just have:

internal_networks 192.168.1.0/24

Thanks,

-Philip


Re: Clarifying internal_networks

Posted by Mark Martinec <Ma...@ijs.si>.
On Thursday June 1 2006 04:05, Matt Kettler wrote:
> Simple rule:
> trusted_networks - set to cover all machines that might generate a
> Received: header that you control.
> internal_networks - Will default to match trusted_networks if not declared.
>
> 99% of the time, you just set trusted_networks.
> The only practical time the two differ is if you have an MTA that needs
> to accept mail directly from dialup users. Then you'd set it up so that
> machine was trusted, but not internal.

Just for completeness: besides DUL checks, it also controls SPF checks,
so it is imperative that MSA hosts are excluded from internal_networks.

  Mark

Re: Clarifying internal_networks

Posted by Matt Kettler <mk...@comcast.net>.
Philip Prindeville wrote:
> I was rereading the sections on "trusted_networks" and "internal_networks"
> in Mail::SpamAssassin::Conf, but something wasn't clear to me.
>
> It talks about MXes and relays, but...  not about client workstations
> that might originate email locally and submit it via port 25 or port 465
> (and not the typical usage of submitting messages via a pipe into an
> exec'd sendmail process on the same machine, etc).
>   
Don't worry about clients; worry about servers. Client IPs are
irrelevant here.

The part you care about is matching anything in your network that would
appear in the "by" clause of a Received: header (or the IP resulting
from a DNS lookup of that host name).

> If I have a network 192.168.1.0/24, and I have workstations at 10-25 that
> submit email, should I just have:
>
> internal_networks 192.168.1.0/24
>   

Simple rule:

trusted_networks - set to cover all machines that might generate a
Received: header that you control.
internal_networks - Will default to match trusted_networks if not declared.

99% of the time, you just set trusted_networks.

The only practical time the two differ is if you have an MTA that needs
to accept mail directly from dialup users. Then you'd set it up so that
machine was trusted, but not internal.
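
An added example, not part of the original thread: the two cases discussed above written out as a SpamAssassin local.cf fragment. The network 192.168.1.0/24 is from the question; the host addresses 192.168.1.2 (MX/relay) and 192.168.1.3 (MSA taking mail from dial-up users) are assumptions made up for illustration.

```conf
# --- Case 1: the common setup -------------------------------------------
# List the mail servers you control, i.e. the hosts that write Received:
# headers. Client workstations (192.168.1.10-25 in the question) are not
# listed: they submit mail but do not act as relays.
# internal_networks is left unset, so it defaults to trusted_networks.
#
# trusted_networks 192.168.1.2

# --- Case 2: one of your servers is an MSA for dial-up users ------------
# 192.168.1.2 = MX / internal relay        (assumed address)
# 192.168.1.3 = MSA accepting mail directly from dial-up clients
#               (assumed address)
#
# Both servers are trusted, because both write Received: headers you
# control. Only the MX is internal. Keeping the MSA out of
# internal_networks matters because internal_networks also controls the
# DUL and SPF checks, as noted in the reply above.
trusted_networks  192.168.1.2 192.168.1.3
internal_networks 192.168.1.2
```

Use one case or the other, not both in the same file. After editing, `spamassassin --lint` reports configuration syntax errors.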