spamassassin-users mailing list archives

From David Jones <djo...@ena.com>
Subject Re: Question regarding trusted_networks
Date Sat, 16 Jun 2018 11:33:18 GMT
On 06/15/2018 05:44 PM, J Doe wrote:
> Hello,
> 
> I am currently using SpamAssassin 3.4.1 on Ubuntu Linux 16.04.4 LTS.  I have SA running on a server with Postfix as the MTA on the same server.
> 
> I have a question regarding the trusted_networks configuration parameter (man Mail::SpamAssassin::Conf).  I manually added this to a custom local.cf file and linted it:
> 
>      /etc/spamassassin/local.custom.cf:
>          trusted_networks 1.2.3.4
> 
>      $ spamassassin --lint --config-file=/etc/spamassassin/local.custom.cf
> 
> This displays:
> 
>      Jun 15 18:31:02.893 [8327] warn: netset: cannot include 1.2.3.4/32 as it has already been included
> 
> This led me to believe that when SpamAssassin loads, it automatically adds the IP address of the host it is running on (along with localhost, which is mentioned in man).  As a result, I removed the trusted_networks entry and a subsequent lint produces no warnings or errors.
> 
> When I then ran lint and added the --debug flag:
> 
>      $ spamassassin --debug --lint --config-file=/etc/spamassassin/local.custom.cf
> 
> …I see the following in the output:
> 
>      Jun 15 18:39:23.422 [8422] dbg: config: trusted_networks are not configured; it is recommended that you configure trusted_networks manually
> 
> My question is:
> 
> — Should I manually set trusted_networks to have the IP address of the host it is running on and ignore the warning from --lint or …
> — Should I not set trusted_networks and ignore the warning from --debug ?
> 
> Thanks,
> 
> - J
> 

internal_networks should be any RFC 1918 networks that your mail server 
sees plus any public networks that are in your control.

trusted_networks should be internal_networks plus any external networks 
that you trust to not send spam -- in other words they are known to have 
their own outbound mail filtering.  This will tell SA to go back one 
more Received: header to test for "last_external" checks and RBL checks.

For example:

internal_networks 192.168.0.0/16 fe80::/10 96.4.0.0/15 207.191.176.0/20
trusted_networks 192.168.0.0/16 fe80::/10 96.4.0.0/15 207.191.176.0/20 162.216.126.0/23

My SA servers actually have public IPs on them so technically I don't 
need the 192.168.0.0/16 in the list but I put it in there for reference.
If your mail servers are NAT'd and have a private RFC 1918 IP on them 
then you need to include any internal subnet that can send outbound 
through your SA server.

-- 
David Jones
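
Added example, not part of the original message and not SpamAssassin's own code: a simplified Python model of the point above that adding a network to trusted_networks moves the externally checked relay one Received: header further back. The Received: lines, hostnames and sample IPs are constructed, and the walk (stop at the first relay IP outside the list) is a simplifying assumption.

```python
import ipaddress
import re

# Network lists copied from the reply above.
INTERNAL = ["192.168.0.0/16", "fe80::/10", "96.4.0.0/15", "207.191.176.0/20"]
TRUSTED = INTERNAL + ["162.216.126.0/23"]

# Constructed Received: chain, newest hop first, as it appears in a message.
# Hostnames and addresses are made up for illustration.
SAMPLE_RECEIVED = [
    "from relay.internal.example (relay.internal.example [192.168.10.5])"
    " by sa.internal.example",
    "from out.partner.example (out.partner.example [162.216.126.20])"
    " by relay.internal.example",
    "from sender.example (sender.example [203.0.113.7])"
    " by out.partner.example",
    "from laptop (unknown [10.1.2.3]) by sender.example",
]

IP_IN_BRACKETS = re.compile(r"\[([0-9A-Fa-f:.]+)\]")


def relay_ips(received_lines):
    """Return the connecting IP of each Received: line, newest first."""
    ips = []
    for line in received_lines:
        match = IP_IN_BRACKETS.search(line)
        if match:
            ips.append(ipaddress.ip_address(match.group(1)))
    return ips


def first_outside(ips, cidrs):
    """Return the first relay IP (newest first) not covered by any CIDR.

    Simplified model: this is the hop that would be treated as the
    external relay for "last external" and RBL style checks.
    """
    nets = [ipaddress.ip_network(cidr) for cidr in cidrs]
    for ip in ips:
        if not any(ip in net for net in nets):
            return ip
    return None  # every hop was inside the listed networks


if __name__ == "__main__":
    hops = relay_ips(SAMPLE_RECEIVED)
    print("partner not trusted:", first_outside(hops, INTERNAL))
    print("partner trusted:    ", first_outside(hops, TRUSTED))
```

With only the internal list, the partner's own relay is the address that gets checked; once 162.216.126.0/23 is trusted, the check lands on the host that handed the mail to the partner.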
