...
The common symptoms of a broken Trust path include:
Wiki Markup - Dialup/Dynamic IP RBLs misfiring for properly relayed mail.
- Dialup/Dynamic IP RBLs not catching direct-delivered mail.
- whitelist_from_rcvd fails to match.
- SPF tests misfiring (failing when they should pass and vice versa).
- False positives on non-spam mail coming from "dynamic" or "dialup" addresses in your own network.
- AutoWhitelist mismatches on forged mail due to confusion about the source IP.
Your trust path can be tested by adding the following to your SpamAssassin config:
| No Format |
|---|
add_header all RelaysUntrusted _RELAYSUNTRUSTED_
|
| Wiki Markup |
|---|
This will add headers similar to "{{X-Spam-RelaysUntrusted: \[ip=140.211.11.3 rdns=hermes.apache.org....}}". The first IP address is the IP which will be used for network tests like RBLs and SPF. |
If you see these warning signs frequently, you probably need to manually configure trusted_networks. See the Mail::Spamassassin::Conf\] manpage for details. Generally you want trusted_networks set to contain all the mailservers you control that add Received: headers, and nothing else. For proper operation of DUL and SPF tests on authenticated mail submission from dynamic/"dialup" hosts, see [DynablockIssues].
Here's an example trusted_networks line that could be added to /etc/mail/spamassassin/local.cf to specify trust:
...
It's pretty obvious that any RFC 1918 (which obsoleted RFC 1597) private IP's in the most recent Received: header are part of the local network. From there, tracking backwards in terms of time, each additional private IP can be safely assumed to be a part of the local network until you hit the first non-private IP.
...