SA Bugzilla – Bug 3221
make sure dynamic tests do right thing
Last modified: 2004-05-03 08:23:24 UTC
There seems to be some question about whether or not the dynamic/dial-up tests are doing the right thing. See bug 2860 and bug 2537.
No, it's safe. Here's the overview:

1. in 2.6x, we had a problem in that dynablock rules were hitting if the admin had set up SA to trust the sender's ISP's mailhost. e.g. in this setup:

    sender_ip -> sender_mailhost -> recip_mx

if recip_mx trusted sender_mailhost, then that'd produce a dynablock FP. A lot of people ran into this. This is now fixed by the addition of "internal_networks"; an admin can set trusted_networks to include *both* recip_mx and sender_mailhost, but as long as internal_networks doesn't include sender_mailhost, it'll work fine. trusted_networks can still be used in the way it was supposed to; to specify what nets are known not to originate spam, and are trustworthy. (first part of bug 2537)

2. there's an issue if the scanner is on sender_mailhost, and a local user submits a mail from a Dynablock-listed IP. But in this case, that should be either (a) not scanned according to local policy, or (b) the Dynablock-listed local nets should be in trusted_networks; in 3.0.0 that'll get them the ALL_TRUSTED bonus score. (another part of bug 2537, grr)

3. bug 2860: a milter has to add a Received header to the message so that SA can look up the correct host. That's always been the case, and this is not in any way an SA bug. Any milter that doesn't do this is pretty much doing the wrong thing. I've added a Wiki note about this, FWIW...

4. if a user authenticates from a *remote* ISP, and their IP on that ISP is dynablock-listed, then delivers a mail to a local recipient, they will hit RCVD_IN_DYNABLOCK. The correct response here is to have some way we can tell authenticated traffic apart from unauth'd. (The final part of bug 2537) This has been moved to a separate issue in bug 2462, which is still open.

So, it's all closed apart from issue 4; and that issue already has a bug open, bug 2462. I'd suggest that *this* bug ("make sure dynamic tests do the right thing") can be closed, because yes, they're doing the right thing! ;)

As to whether we need to get a fix for bug 2462 into SpamAssassin 3.0.0, that's a different issue, and doesn't need this bug to track it.
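The relay-boundary logic from points 1 and 2 of the comment above, as an added example (a simplified model written for this page, not part of the bug comment and not SpamAssassin's own code). The addresses, the listed range and the function names are constructed, and the fallback of internal_networks to trusted_networks when it is unset is an assumption taken from SpamAssassin's configuration documentation.

```python
import ipaddress

# Constructed sample topology: sender_ip -> sender_mailhost -> recip_mx
RECIP_MX = "192.0.2.1/32"
SENDER_MAILHOST = "198.51.100.10"
SENDER_IP = "203.0.113.77"
DYNABLOCK_LISTED = ["203.0.113.0/24"]   # constructed "dynamic range" listing

# Client IPs as recorded in the Received headers, newest first.
RELAYS = [SENDER_MAILHOST, SENDER_IP]


def in_nets(ip, nets):
    """True if ip falls inside any of the CIDR networks in nets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)


def dynablock_candidate(relay_ips, boundary_nets):
    """Return the IP that handed the mail across the boundary: the first
    relay (newest first) that is outside boundary_nets, or None."""
    for ip in relay_ips:
        if not in_nets(ip, boundary_nets):
            return ip
    return None


def hits_dynablock(relay_ips, trusted, internal=None, listed=()):
    """Model of the dynamic-list test. Without internal_networks the
    boundary is trusted_networks (the 2.6x situation in point 1)."""
    boundary = internal if internal else trusted   # assumed fallback
    ip = dynablock_candidate(relay_ips, boundary)
    return ip is not None and in_nets(ip, listed)


if __name__ == "__main__":
    trusted = [RECIP_MX, SENDER_MAILHOST + "/32"]
    # Point 1, before the fix: trusting the ISP mailhost exposes sender_ip.
    print("trusted only:", hits_dynablock(RELAYS, trusted, listed=DYNABLOCK_LISTED))
    # Point 1, after the fix: mailhost is trusted but not internal.
    print("with internal:", hits_dynablock(RELAYS, trusted, internal=[RECIP_MX],
                                           listed=DYNABLOCK_LISTED))
    # Point 2(b): scanner on sender_mailhost, listed local nets are trusted.
    print("local nets trusted:", hits_dynablock([SENDER_IP],
          [SENDER_MAILHOST + "/32"] + DYNABLOCK_LISTED, listed=DYNABLOCK_LISTED))
```
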