mkettler at EVI-INC.COM
Tue Nov 26 21:35:10 GMT 2002
My net suggestion is to disable MailScanner's use of DNSBLs and use
SpamAssassin to do it until MailScanner figures out how to do DNSBLs
correctly. SA does DNSBLs the correct way (you don't need to trust the
input to a blacklist) and allows you to configure the depth of scan.

Of course, SA also does DNSWLs (i.e. bondedsender) the wrong way because
adding bondedsender was an afterthought and re-used the code which is
designed to properly support blacklists. My suggestion there is to just
zero that rule until a proper whitelist_check function is implemented in SA.

Check out SA's num_check_received option, which only affects RBL checks.

Eventually SA's going to have to get separate code paths for handling
blacklists and whitelists, since trust is critical in the case of white,
but does not matter in the case of black.

At 08:35 PM 11/26/2002 +0000, you wrote:
>The difference is that the first connection to the MTA can be extracted
>(fairly reliably) from the envelope, without using the headers. All further
>ones have to be read from the headers, and are hence liable to be faked.
>There's a big difference between using the first one and using any of the
>others. Which is why I only consider the first. I don't intend changing that.
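
The trust distinction discussed in this message, as an added example that is not part of the original post and is not SpamAssassin or MailScanner code: blacklist lookups may walk header-derived hops to a configurable depth, while the whitelist lookup uses only the connecting IP. The sets, addresses, function names and the `depth` parameter are constructed stand-ins, and no DNS queries are made.

```python
import re
from email import message_from_string

# Constructed message: the top Received line was added by our own MTA;
# the lower ones were supplied by the sender and may be forged.
RAW = """\
Received: from mail.example.net (mail.example.net [203.0.113.7])
\tby mx.local.example; Tue, 26 Nov 2002 21:30:00 +0000
Received: from relay.example.org (relay.example.org [198.51.100.9])
\tby mail.example.net; Tue, 26 Nov 2002 21:29:00 +0000
Received: from trusted.example.com (trusted.example.com [192.0.2.25])
\tby relay.example.org; Tue, 26 Nov 2002 21:28:00 +0000
Subject: constructed sample

body
"""

BLACKLIST = {"198.51.100.9"}  # constructed stand-in for a DNSBL zone
WHITELIST = {"192.0.2.25"}    # constructed stand-in for a DNSWL zone

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_ips(raw):
    """Return bracketed IPs from Received headers, newest hop first."""
    msg = message_from_string(raw)
    ips = []
    for hdr in msg.get_all("Received", []):
        m = IP_RE.search(hdr)
        if m:
            ips.append(m.group(1))
    return ips

def classify(raw, connecting_ip, depth):
    """Blacklist: connecting IP plus up to `depth` Received headers.
    Whitelist: connecting IP only, because header hops can be forged."""
    hops = [connecting_ip] + received_ips(raw)[:depth]
    # dict.fromkeys removes duplicates while keeping hop order
    black_hits = [ip for ip in dict.fromkeys(hops) if ip in BLACKLIST]
    white_hit = connecting_ip in WHITELIST
    return black_hits, white_hit

if __name__ == "__main__":
    print(classify(RAW, "203.0.113.7", depth=3))
```

A whitelist check that scanned every Received header would match 192.0.2.25 here, even though that line sits below the hop our own MTA recorded and could have been written by the sender.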