...

To specify multiple trusted networks, add multiple "trusted_networks" lines.

Mails from our users submitted to our MSA or "smarthost" are hitting RCVD_IN_DYNABLOCK.

In SpamAssassin 3.2.0 or later you can use the msa_networks option to list your MSAs. The syntax is identical to the trusted_networks option. Any mail submitted to a machine listed in msa_networks will be trusted (provided that all relays above/after the MSA relay are also trusted).

In versions of SpamAssassin older than 3.2.0 you will either need to use one of the other options listed on this page or, if using 3.1, apply a patch to add msa_networks to your install of SpamAssassin.

I'm an ISP, and mails from our customers, using POP-before-SMTP for authentication, are hitting RCVD_IN_DYNABLOCK.

...

Update (2006-07-14): Postfix 2.3 includes support for adding its own style of authentication info to its received headers by setting smtpd_sasl_authenticated_header = yes, which is disabled by default, in your Postfix config. SpamAssassin 3.1.4 and later includes support for this Postfix auth info.

Wiki Markup\["madduck"\this patch]: This will not fix TLS-authenticated sessions. See \ [http://dev.riseup.net/privacy/postfix/ this patch\] which munges the Received headers. \["DarylC.W.O'Shea"\]: This should work to avoid the Dynablock problem in this specific situation but isn't recommended since it destroys the audit trail provided by the Received headersheaders.

Update (2008-06-20): Postfix 2.5+ includes native support RFC 3848 setting smtpd_sasl_authenticated_header is not needed but optional.

This is another Dynablock-related issue. If:

...