...

In SpamAssassin 3.2.0 or later you can use the msa_networks option to list your MSAs. The syntax is identical to the trusted_networks option. Any mail submitted to a machine listed in msa_networks will be trusted (provided that all relays above/after the MSA relay are also trusted).

Wiki MarkupIn versions of [SpamAssassin] older than 3.2.0 you will either need to use one of the other options listed on this page or, if using 3.1, apply a \[http://people.apache.org/~dos/sa-patches/msa_networks.3.1 patch to add msa_networks\] to your install of [SpamAssassin].

I'm an ISP, and mails from our customers, using POP-before-SMTP for authentication, are hitting RCVD_IN_DYNABLOCK.

...

Update (2006-07-14): Postfix 2.3 includes support for adding its own style of authentication info to its received headers by setting smtpd_sasl_authenticated_header = yes, which is disabled by default, in your Postfix config. SpamAssassin 3.1.4 and later includes support for this Postfix auth info.

Wiki Markup\["madduck"\this patch]: This will not fix TLS-authenticated sessions. See \ [http://dev.riseup.net/privacy/postfix/ this patch\] which munges the Received headers. \["DarylC.W.O'Shea"\]: This should work to avoid the Dynablock problem in this specific situation but isn't recommended since it destroys the audit trail provided by the Received headers.

Update (2008-06-20): Postfix 2.5+ includes native support RFC 3848 setting smtpd_sasl_authenticated_header is not needed but optional.

...