diff -rud /var/tmp/portage/mail-filter/spamassassin-3.3.1-r2/work/Mail-SpamAssassin-3.3.1/lib/Mail/SpamAssassin/Conf/Parser.pm Mail-SpamAssassin-3.3.1+msa_on_auth/lib/Mail/SpamAssassin/Conf/Parser.pm --- /var/tmp/portage/mail-filter/spamassassin-3.3.1-r2/work/Mail-SpamAssassin-3.3.1/lib/Mail/SpamAssassin/Conf/Parser.pm 2010-03-16 15:49:21.000000000 +0100 +++ Mail-SpamAssassin-3.3.1+msa_on_auth/lib/Mail/SpamAssassin/Conf/Parser.pm 2010-05-26 10:42:33.000000000 +0200 @@ -1042,7 +1042,12 @@ # validate trusted_networks and internal_networks, bug 4760. # check that all internal_networks are listed in trusted_networks # too. do the same for msa_networks, but check msa_networks against - # internal_networks if trusted_networks aren't defined + # internal_networks if trusted_networks aren't defined. + # extend similar validation to msa_on_auth_networks, bug 6430. + # TODO: we could go further by checking that msa_on_auth_networks and + # msa_networks do not overlap, since this may cause problems for + # internal relays that use some kind of authentication. Unfortunately, + # NetSet doesn't (yet?) avails of a suitable method to do this my ($nt, $matching_against); if ($conf->{trusted_networks_configured}) { @@ -1055,7 +1060,7 @@ return; } - foreach my $net_type ('internal_networks', 'msa_networks') { + foreach my $net_type ('internal_networks', 'msa_networks', 'msa_on_auth_networks') { next unless $conf->{"${net_type}_configured"}; next if $net_type eq $matching_against; diff -rud /var/tmp/portage/mail-filter/spamassassin-3.3.1-r2/work/Mail-SpamAssassin-3.3.1/lib/Mail/SpamAssassin/Conf.pm Mail-SpamAssassin-3.3.1+msa_on_auth/lib/Mail/SpamAssassin/Conf.pm --- /var/tmp/portage/mail-filter/spamassassin-3.3.1-r2/work/Mail-SpamAssassin-3.3.1/lib/Mail/SpamAssassin/Conf.pm 2010-03-16 15:49:21.000000000 +0100 +++ Mail-SpamAssassin-3.3.1+msa_on_auth/lib/Mail/SpamAssassin/Conf.pm 2010-05-26 11:44:14.000000000 +0200 
@@ -1199,6 +1199,51 @@ } }); +=item msa_on_auth_networks ip.add.re.ss[/mask] ... (default: none) + +The networks or hosts which SA should treat like MSAs when relaying +messages from an authenticated source. +Unlike the hosts in msa_networks, these relays may accept mail from +hosts that aren't authenticated in some way and SA will not trust the +whole relay chain. + +When instead one of these relays is dispatching a message from an +authenticated source, all relays found in the message headers after the +relay itself will take on the same trusted and internal classifications +as the MSA relay itself, as defined by your I and +I configuration. + +SA detects that a relay in this list is acting like an MSA when its +received header contains some kind of authenticated protocol in the +'via' or 'with' value. Examples of such authenticated protocols +include SMTPA, ESMTPA, LMTPA. + +=cut + + push (@cmds, { + setting => 'msa_on_auth_networks', + type => $CONF_TYPE_IPADDRLIST, + }); + +=item clear_msa_on_auth_networks + +Empty the list of msa-on-auth networks. + +=cut + + push (@cmds, { + setting => 'clear_msa_on_auth_networks', + type => $CONF_TYPE_NOARGS, + code => sub { + my ($self, $key, $value, $line) = @_; + unless (!defined $value || $value eq '') { + return $INVALID_VALUE; + } + $self->{msa_on_auth_networks} = Mail::SpamAssassin::NetSet->new(); # not new_netset + $self->{msa_on_auth_networks} = 0; + } + }); + =item originating_ip_headers header ... (default: X-Yahoo-Post-IP X-Originating-IP X-Apparently-From X-SenderIP) A list of header field names from which an originating IP address can @@ -3506,6 +3551,7 @@ $self->{trusted_networks} = $self->new_netset(); $self->{internal_networks} = $self->new_netset(); $self->{msa_networks} = Mail::SpamAssassin::NetSet->new(); # not new_netset + $self->{msa_on_auth_networks} = Mail::SpamAssassin::NetSet->new(); $self->{trusted_networks_configured} = 0; $self->{internal_networks_configured} = 0; 
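Review bot: In the `clear_msa_on_auth_networks` handler the second assignment replaces the NetSet created on the line before with `0`, so after this directive the setting is no longer an object, although the Received.pm hunk calls `$msa_on_auth->contains_ip(...)` on it and the `@CLONABLE_KEYS` hunk lists it for `->clone()`. The line was presumably meant to reset the flag instead: `$self->{msa_on_auth_networks_configured} = 0;`. The Parser.pm validation loop reads `"${net_type}_configured"` for this setting, yet the `@@ -3506` hunk initialises only the NetSet and not that flag beside `trusted_networks_configured` and `internal_networks_configured`. Adding `$self->{msa_on_auth_networks_configured} = 0;` there would keep the settings consistent, assuming the list parser sets the flag as it does for the other network lists (not visible here).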
@@ -3870,7 +3916,7 @@ # keys that should can be copied using a ->clone() method, in ->clone() my @CLONABLE_KEYS = qw( - internal_networks trusted_networks msa_networks + internal_networks trusted_networks msa_networks msa_on_auth_networks ); my %done; diff -rud /var/tmp/portage/mail-filter/spamassassin-3.3.1-r2/work/Mail-SpamAssassin-3.3.1/lib/Mail/SpamAssassin/Message/Metadata/Received.pm Mail-SpamAssassin-3.3.1+msa_on_auth/lib/Mail/SpamAssassin/Message/Metadata/Received.pm --- /var/tmp/portage/mail-filter/spamassassin-3.3.1-r2/work/Mail-SpamAssassin-3.3.1/lib/Mail/SpamAssassin/Message/Metadata/Received.pm 2010-03-16 15:49:21.000000000 +0100 +++ Mail-SpamAssassin-3.3.1+msa_on_auth/lib/Mail/SpamAssassin/Message/Metadata/Received.pm 2010-05-26 13:04:19.000000000 +0200 @@ -81,11 +81,13 @@ my $trusted = $permsgstatus->{main}->{conf}->{trusted_networks}; my $internal = $permsgstatus->{main}->{conf}->{internal_networks}; my $msa = $permsgstatus->{main}->{conf}->{msa_networks}; + my $msa_on_auth = $permsgstatus->{main}->{conf}->{msa_on_auth_networks}; my $did_user_specify_trust = $permsgstatus->{main}->{conf}->{trusted_networks_configured}; my $did_user_specify_internal = $permsgstatus->{main}->{conf}->{internal_networks_configured}; my $in_trusted = 1; my $in_internal = 1; my $found_msa = 0; + my $found_on_auth_msa = 0; unless ($did_user_specify_trust && $did_user_specify_internal) { if (!$did_user_specify_trust && !$did_user_specify_internal) { 
@@ -198,13 +200,30 @@ if ($in_internal && !$relay->{auth} && !$internal->contains_ip($relay->{ip})) { $in_internal = 0; } - # msa_networks matches? + # msa[_on_auth]_networks matches? if ($msa->contains_ip($relay->{ip})) { dbg('received-header: found MSA relay, remaining relays will be'. - ' considered trusted: '.($in_trusted ? 'yes' : 'no'). + ' considered trusted: yes'. ' internal: '.($in_internal ? 'yes' : 'no')); $found_msa = 1; $relay->{msa} = 1; + } else { + if ($found_on_auth_msa && $relay->{auth}) { + dbg('received-header: relay '.$found_on_auth_msa->{ip}.' detected as on-auth MSA.'. + ' remaining relayes will be'. + ' considered trusted: yes'. + ' internal: '.($in_internal ? 'yes' : 'no')); + $found_msa = 1; + $found_on_auth_msa->{msa} = 1; + $found_on_auth_msa = 0; + } else { + $found_on_auth_msa = 0; + if ($msa_on_auth->contains_ip($relay->{ip})) { + dbg('received-header: found on-auth MSA relay. Will be considered MSA'. + ' if it will auth the sender'); + $found_on_auth_msa = $relay; + } + } } } }
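Review bot: The new `else` branch promotes the remembered relay to MSA on nothing more than `$relay->{auth}` being set on the following header, and `$found_msa = 1` then extends trust to every remaining relay; nothing visible in the hunk ties that header to the host stored in `$found_on_auth_msa`. If that is the intended model, state it where the decision is made, e.g. `# assumes the header after an on-auth MSA was written by that MSA; its auth token is what we trust`. An address listed in both `msa_networks` and `msa_on_auth_networks` takes the unconditional `$msa->contains_ip` branch first, an overlap the Parser.pm TODO leaves unvalidated, so a comment or dbg line noting that precedence would help anyone auditing a trust misclassification. `$found_on_auth_msa` alternates between `0` and a relay hashref, so `undef` would read better as the empty value, and the dbg text has a typo (`relayes`). The enclosing loop and trust check begin outside the hunk.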