mailscanner behind a smtpd frontend

Matt Kettler mkettler at evi-inc.com
Tue Feb 14 20:36:24 GMT 2006


Glenn Steen wrote:
> On 14/02/06, Matt Kettler <mkettler at evi-inc.com> wrote:
>> Glenn Steen wrote:
> (snip)
>>> Problem 1 is that you can't really do that for all the Received
>>> lines... And the original problem is that adding such a line is an RFC
>>> MUST. Sigh.
>>>
>>> So unless one can do REs on it, you lose. Unfortunately,
>>> bayes_ignore_header doesn't seem to accept RE:s (from the man-page)...
>>> Perhaps Matt Kettler has a better clue...
>> My impression is why bother ignoring the Received: headers?
>>
>> As long as your trusted/internal networks are set correctly bayes should be able
>> to deal with extra Received: headers just fine.
> Eh, I am obviously missing something here.... You are saying that
> although all external mail is received from that ("internal") host,
> Philipp should set it as trusted?
> 

Yes. You should trust all your mail servers that add Received: headers. Just
because it acts as a mail relay for untrusted mail does not mean you should not
trust the box itself.

Trust here means trusted to not forge headers, and trusted to never originate
spam. It does not mean it will never relay spam from other sources.

As for SA, it will still see the mail as coming from an untrusted source. It
will merely realize that there's a trusted relay in between.

In fact, if you fail to trust the relay (and thus have it be internal), then SA
is going to treat it as being "outside" your network. This will cause any tests
that attempt to apply to the first external host to be applied to the relay
instead of the proper outside host.
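
An added illustration of the point above, not part of the original post and not SpamAssassin's own code: a simplified model of walking the Received: chain to find the first external host, with the trusted list standing in for SA's `trusted_networks` setting. The hostnames, addresses and function names are constructed for the example.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: an smtpd frontend (192.0.2.10) relays mail from an
# outside host (203.0.113.77) to the scanning box. Newest header is on top.
SAMPLE = """\
Received: from frontend.example.net (frontend.example.net [192.0.2.10])
\tby scanner.example.net with ESMTP; Tue, 14 Feb 2006 20:30:02 +0000
Received: from mail.sender.example (unknown [203.0.113.77])
\tby frontend.example.net with SMTP; Tue, 14 Feb 2006 20:30:01 +0000
From: someone@sender.example
Subject: constructed test message

body
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_ips(raw_message):
    """Connecting-host IP from each Received header, newest first."""
    msg = message_from_string(raw_message)
    ips = []
    for header in msg.get_all("Received", []):
        match = IP_IN_BRACKETS.search(header)
        if match is None:
            # Modelling choice: an unparseable hop ends the chain, since
            # nothing below it can be attributed to a known relay.
            break
        ips.append(ipaddress.ip_address(match.group(1)))
    return ips


def first_external_relay(raw_message, trusted_networks):
    """Return the first relay IP, walking from the top, that is not in
    trusted_networks, or None if every parsed relay is trusted."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    for ip in relay_ips(raw_message):
        if not any(ip in net for net in nets):
            return str(ip)
    return None


if __name__ == "__main__":
    # Frontend not trusted: the relay itself is taken as the outside host.
    print(first_external_relay(SAMPLE, []))
    # Frontend trusted: the real sending host is identified.
    print(first_external_relay(SAMPLE, ["192.0.2.10/32"]))
```

With the frontend left out of the trusted list, checks meant for the first external host land on the frontend's own address for every message.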


