trusted_networks - SpamAssassin


Thread: trusted_networks

  1. trusted_networks

    If I do not control any mail servers is it necessary for the trusted networks
    line to be set in my local.cf? If so, what addresses would I enter there?
    I'm asking this because of this line in the Wiki:

    Generally you want trusted_networks set to contain all the mailservers you
    control that add Received: headers, and nothing else.

    --
    Chris
    KeyID 0xE372A7DA98E6705C



  2. Re: trusted_networks

    Chris wrote:
    > If I do not control any mail servers is it necessary for the trusted networks
    > line to be set in my local.cf?

    In most cases you want to trust all the mailservers the MX back. If you
    don't control any mailservers at all, then you would substitute to
    trusting your ISP's mailservers.

    > If so, what addresses would I enter there?
    > I'm asking this because of this line in the Wiki:
    >
    > Generally you want trusted_networks set to contain all the mailservers you
    > control that add Received: headers, and nothing else.
    >
    >



  3. Re: trusted_networks

    On 11.06.08 21:11, Chris wrote:
    > If I do not control any mail servers is it necessary for the trusted networks
    > line to be set in my local.cf? If so, what addresses would I enter there?
    > I'm asking this because of this line in the Wiki:
    >
    > Generally you want trusted_networks set to contain all the mailservers you
    > control that add Received: headers, and nothing else.


    you should put at least your MX backups into trusted_networks AND
    internal_networks, if there are any. You may put other servers, not under
    your control, to trusted_networks, if you trust them not to originate spam.

    trusted_networks and internal_networks are used to define borders for
    checking SPF, blacklists and other network stuff. For example, most
    blacklists are checked on last external relay which means your mailserver or
    MX backup

    --
    Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
    Warning: I wish NOT to receive e-mail advertising to this address.
    Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
    Linux - It's now safe to turn on your computer.
    Linux - Teraz mozete pocitac bez obav zapnut.


  4. Re: trusted_networks

    On Thu, 12 Jun 2008, Matus UHLAR - fantomas wrote:

    > You may put other servers, not under your control, to trusted_networks,
    > if you trust them not to originate spam.

    --------------------^^^^^^^^^^^^^^^^^^^^^

    Matus, I believe that assertion is incorrect...

    --
    John Hardin KA7OHZ http://www.impsec.org/~jhardin/
    jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
    key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
    -----------------------------------------------------------------------
    People seem to have this obsession with objects and tools as being
    dangerous in and of themselves, as though a weapon will act of its
    own accord to cause harm. A weapon is just a force multiplier. It's
    *humans* that are (or are not) dangerous.
    -----------------------------------------------------------------------
    6 days until SWMBO's Birthday


  5. Re: trusted_networks

    On Thursday 12 June 2008 2:16 am, Matus UHLAR - fantomas wrote:
    > On 11.06.08 21:11, Chris wrote:
    > > If I do not control any mail servers is it necessary for the trusted
    > > networks line to be set in my local.cf? If so, what addresses would I
    > > enter there? I'm asking this because of this line in the Wiki:
    > >
    > > Generally you want trusted_networks set to contain all the mailservers
    > > you control that add Received: headers, and nothing else.

    >
    > you should put at least your MX backups into trusted_networks AND
    > internal_networks, if there are any. You may put other servers, not under
    > your control, to trusted_networks, if you trust them not to originate spam.
    >
    > trusted_networks and internal_networks are used to define borders for
    > checking SPF, blacklists and other network stuff. For example, most
    > blacklists are checked on last external relay which means your mailserver
    > or MX backup


    Hmm, I'm on DSL, so, should I place my IP in trusted_networks? If so, how
    would I go about that since being a dynamic IP it changes every so often. For
    instance, I did have this "trusted_networks 192.168/16 71.48.160.0/20",
    however, looking at the received line of the post I initially made, my IP is
    now 71.51.96.186. The received line also shows this:

    Received: from [71.51.96.186] ([71.51.96.186:27915] helo=[192.168.2.2])
            by mailrelay.embarq.synacor.com (envelope-from
    )


    Should I put the IP for mailrelay.embarq.synacor.com on the trusted_networks
    line? That comes out to be 208.47.184.3. I also had this as internal_networks
    internal_networks 71.48.160.0/20, is that correct?

    Thank you for any assistance

    --
    Chris
    KeyID 0xE372A7DA98E6705C



  6. Re: trusted_networks

    On 12.06.08 10:25, John Hardin wrote:
    > On Thu, 12 Jun 2008, Matus UHLAR - fantomas wrote:
    >
    > >You may put other servers, not under your control, to trusted_networks,
    > >if you trust them not to originate spam.

    > --------------------^^^^^^^^^^^^^^^^^^^^^
    >
    > Matus, I believe that assertion is incorrect...


    Yes, it is. I was searching for best wording and it appeared already

    "trusted" means "does not forge headers" when talking about trusted_networks
    option.
    --
    Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
    Warning: I wish NOT to receive e-mail advertising to this address.
    Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
    On the other hand, you have different fingers.


  7. Re: trusted_networks

    > On Thursday 12 June 2008 2:16 am, Matus UHLAR - fantomas wrote:
    > > you should put at least your MX backups into trusted_networks AND
    > > internal_networks, if there are any. You may put other servers, not under
    > > your control, to trusted_networks, if you trust them not to originate spam.
    > >
    > > trusted_networks and internal_networks are used to define borders for
    > > checking SPF, blacklists and other network stuff. For example, most
    > > blacklists are checked on last external relay which means your mailserver
    > > or MX backup


    On 12.06.08 18:00, Chris wrote:
    > Hmm, I'm on DSL, so, should I place my IP in trusted_networks? If so, how
    > would I go about that since being a dynamic IP it changes every so often. For
    > instance, I did have this "trusted_networks 192.168/16 71.48.160.0/20",
    > however, looking at the received line of the post I initially made, my IP is
    > now 71.51.96.186. The received line also shows this:
    >
    > Received: from [71.51.96.186] ([71.51.96.186:27915] helo=[192.168.2.2])
    >         by mailrelay.embarq.synacor.com (envelope-from
    > )


    Do you relay incoming mail to yourself through your external IP? Why?

    > Should I put the IP for mailrelay.embarq.synacor.com on the
    > trusted_networks line? That comes out to be 208.47.184.3. I also had this
    > as internal_networks internal_networks 71.48.160.0/20, is that correct?


    I would be careful about that and not to trust whole ISP's dynamic IP range.
    (Yes, as an ISP I have to do that until we enforce SMTP authentication from
    dynamic ranges).

    --
    Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
    Warning: I wish NOT to receive e-mail advertising to this address.
    Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
    I just got lost in thought. It was unfamiliar territory.


  8. Re: trusted_networks


    >Hmm, I'm on DSL, so, should I place my IP in trusted_networks?


    No. Your IP address does not relay mail to you.

    >For
    >instance, I did have this "trusted_networks 192.168/16 71.48.160.0/20",
    >however, looking at the received line of the post I initially made, my IP is
    >now 71.51.96.186.


    trusted_networks is assumed to have *mail servers* relaying mail to you. Not each and every client machine in your ISP's address space. Not yours, nor your neighbors.


    >The received line also shows this:
    >
    >Received: from [71.51.96.186] ([71.51.96.186:27915] helo=[192.168.2.2])
    > by mailrelay.embarq.synacor.com (envelope-from
    >)
    >
    >
    >Should I put the IP for mailrelay.embarq.synacor.com on the trusted_networks
    >line? That comes out to be 208.47.184.3. I also had this as internal_networks
    >internal_networks 71.48.160.0/20, is that correct?
    >


    Yes, if that mailrelay.embarq.synacor.com is your ISP's mx receiving mail sent to you.

    I did

    $ host -t mx embarqmail.com

    and it said

    embarqmail.com mail is handled by 10 smtp.embarq.synacor.com.

    $ host mailrelay.embarq.synacor.com
    mailrelay.embarq.synacor.com has address 208.47.184.3

    $ host smtp.embarq.synacor.com
    smtp.embarq.synacor.com has address 208.47.184.2

    I don't understand what is this "mailrelay", it might be the sending server, but that mx host "smtp" at least should be trusted.

    Better to put those both to your trusted_networks, I guess.


  9. Re: trusted_networks

    On Friday 13 June 2008 11:56 am, Jari Fredriksson wrote:

    > >Should I put the IP for mailrelay.embarq.synacor.com on the
    > > trusted_networks line? That comes out to be 208.47.184.3. I also had this
    > > as internal_networks internal_networks 71.48.160.0/20, is that correct?

    >
    > Yes, if that mailrelay.embarq.synacor.com is your ISP's mx receiving mail
    > sent to you.
    >
    > I did
    >
    > $ host -t mx embarqmail.com
    >
    > and it said
    >
    > embarqmail.com mail is handled by 10 smtp.embarq.synacor.com.
    >
    > $ host mailrelay.embarq.synacor.com
    > mailrelay.embarq.synacor.com has address 208.47.184.3
    >
    > $ host smtp.embarq.synacor.com
    > smtp.embarq.synacor.com has address 208.47.184.2
    >
    > I don't understand what is this "mailrelay", it might be the sending
    > server, but that mx host "smtp" at least should be trusted.
    >
    > Better to put those both to your trusted_networks, I guess.


    Thank you, now my trusted_networks line looks like this:

    trusted_networks 192.168/16 208.47.184.3 208.47.184.2

    Is that correct? Do I need the 192.168/16 entry?

    --
    Chris
    KeyID 0xE372A7DA98E6705C



  10. Re: trusted_networks

    >Thank you, now my trusted_networks line looks like this:
    >
    >trusted_networks 192.168/16 208.47.184.3 208.47.184.2
    >
    >Is that correct? Do I need the 192.168/16 entry?


    I don't have it, my 10/8 lan network.. in my trusted.

    I think you can throw it away.


  11. Re: trusted_networks

    On Friday 13 June 2008 7:09 pm, Jari Fredriksson wrote:
    > >Thank you, now my trusted_networks line looks like this:
    > >
    > >trusted_networks 192.168/16 208.47.184.3 208.47.184.2
    > >
    > >Is that correct? Do I need the 192.168/16 entry?

    >
    > I don't have it, my 10/8 lan network.. in my trusted.
    >
    > I think you can throw it away.


    Thanks, I'll discard it then, appreciate the help.

    Chris

    --
    Chris
    KeyID 0xE372A7DA98E6705C



  12. Re: trusted_networks

    John Hardin wrote:
    > On Thu, 12 Jun 2008, Matus UHLAR - fantomas wrote:
    >
    >> You may put other servers, not under your control, to
    >> trusted_networks, if you trust them not to originate spam.

    > --------------------^^^^^^^^^^^^^^^^^^^^^
    >
    > Matus, I believe that assertion is incorrect...
    >

    Actually, that's not incorrect. You have to consider the ALL_TRUSTED
    rule here.

    hosts in trusted_networks primarily need to be trusted to not forge
    headers, but they also need to be trusted not to originate spam, as any
    message that has only touched trusted hosts will match the ALL_TRUSTED rule.

    Also be sure to realize there's a big difference between "originating"
    spam and "relaying it to your network".
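
    The boundary discussed in this thread, as an added example that is not part of the original posts and is not SpamAssassin's own code: a simplified Python model of how a trusted_networks list splits a message's Received chain, which relay ends up as the "last external relay" for blacklist checks, and when every relay counts as trusted (the ALL_TRUSTED case). The sample headers, the host names under .example and the 203.0.113.45 sender address are constructed; the model assumes the first bracketed IPv4 address in each header is the connecting relay and does not reproduce SpamAssassin's automatic inference when the option is unset.

```python
import ipaddress
import re

# First bracketed IPv4 address in a Received header (assumed to be the connecting relay).
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})")

# Constructed sample, newest header first, as it appears at the top of a message.
SAMPLE_RECEIVED = [
    "from smtp.embarq.synacor.com (smtp.embarq.synacor.com [208.47.184.2]) by desktop.example",
    "from mail.sender.example (mail.sender.example [203.0.113.45]) by smtp.embarq.synacor.com",
    "from [192.168.1.10] (helo=laptop) by mail.sender.example",
]

def relay_ips(received_headers):
    """Return the connecting IP of each Received header, newest first."""
    ips = []
    for header in received_headers:
        match = IP_RE.search(header)
        if match:
            ips.append(ipaddress.ip_address(match.group(1)))
    return ips

def split_trust(received_headers, trusted_networks):
    """Split relays into (trusted, untrusted). Trust is a contiguous chain from
    the newest header: once one relay is untrusted, every older header could
    have been forged by it, so the rest are untrusted whatever their address."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    trusted, untrusted = [], []
    chain_intact = True
    for ip in relay_ips(received_headers):
        if chain_intact and any(ip in net for net in nets):
            trusted.append(ip)
        else:
            chain_intact = False
            untrusted.append(ip)
    return trusted, untrusted

def evaluate(received_headers, trusted_networks):
    """Report the relay that blacklist lookups would target and whether the
    whole path was trusted (the condition behind ALL_TRUSTED)."""
    trusted, untrusted = split_trust(received_headers, trusted_networks)
    return {
        "dnsbl_target": str(untrusted[0]) if untrusted else None,
        "all_trusted": bool(trusted) and not untrusted,
    }

# Networks are written in full CIDR form here; Python's ipaddress module does
# not accept the "192.168/16" shorthand used in local.cf.
ISP_MX_ONLY = ["208.47.184.2", "208.47.184.3"]
```

    With only the two ISP hosts listed, the lookup target is the sender's server; leave the MX out and the ISP's own server becomes the target; list networks too broadly and the whole path is trusted, which is the ALL_TRUSTED risk described in the post above.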


  13. Re: trusted_networks


    On Sat, June 14, 2008 02:09, Jari Fredriksson wrote:
    >> Thank you, now my trusted_networks line looks like this:
    >> trusted_networks 192.168/16 208.47.184.3 208.47.184.2
    >> Is that correct? Do I need the 192.168/16 entry?

    > I don't have it, my 10/8 lan network.. in my trusted.
    > I think you can throw it away.


    he can do when we drop ipv4

    with trusted_networks in rfc1918 is a waste of dns to query for, since its not
    public ip servers, 10/8 is also included in rfc1918

    rule i follow here is if i cant connect to a ip outside my network, make it
    trusted, well i still have to see problem doing so

    if not defined in spamassassin it will try to find the ip in rbl lists, but
    will properly never hits anyway


    Benny Pedersen


  14. Re: trusted_networks


    On Sat, June 14, 2008 02:42, Chris wrote:
    > Thanks, I'll discard it then, appreciate the help.


    so one more time, you now test remote servers ip that use rfc1918 servers pools

    waste


    Benny Pedersen

