mailscanner behind a smtpd frontend (trusted_networks and internal_networks)

[Matt Kettler]

Glenn Steen wrote:
> Thank you. Somesay I'll actually undersatnd this SA stuff... with this
> explanation, that day might even be today:-)

Generally speaking, for most people trusted=internal=all your IPs.

The only common exception is if you have a relay that you operate which must
receive mail directly from dynamic/dialup users (ie: without being relayed
through the ISP mailserver but directly delivered to your box using pop-before
smtp or smtp AUTH).

In that case you'd still trust that relay, but you'd have to declare a separate
internal_networks which excluded it. Otherwise all the HELO_DYNAMIC and dialup
RBL rules would fire off.

I'd advise against deviating away from those two usage scenarios unless you
really understand trusted/internal networks in-depth.

Many admins over-react to the word "trusted" and try to trust nothing. But
that's impossible, SA always has to trust something. Let's face it, if you can't
even trust yourself, how can you tell what's real and not?

Trust is really important to SA. It helps it know that certain Received: headers
aren't forged, and therefore can be used to make decisions about where the mail
came from.

Trust and Internal status affects the behavior of about 2 dozen rules in SA 3.1.0.