pilot error? or idiots at microsoft?

Mark Martinec Mark.Martinec+amavis at ijs.si
Fri Aug 12 14:49:56 CEST 2011


Jo,

> If I get on a random cafe's wireless network, the local hosts might be in
> 192.168.1.0/24.  Should I allow them to relay mail?  Should I allow their
> outbound mail to bypass spam check?  Absolutely not, I'm sure you would
> agree.

host/link/site-local IP addresses and private addresses are *not*
routable outside their scope. You can't receive/establish a TCP
session from such IP address from outside on your MX mailer.

On an inbound connection your MX MTA prepends a Received
header field to a mail header, carrying in a 'from' field a client's
IP address - which *is* a public address, otherwise the connection
would not be established (nonroutable).

When analyzing a mail header (top to bottom), SpamAssassin
breaks a trust chain on encountering a 'received from' carrying
an IP address not in your trusted_networks. Anything beyond that
does not matter, further Received trace header fields would
not be trusted even if they carry an IP address matching the
trusted_networks.

It is exactly the same argument why one can and should safely
include the 127.0.0.0/8 in the trusted_networks list. The same
applies to private address ranges and link-local address space.

  Mark

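The trust-path walk Mark describes, as an added example (not code from this message, and not SpamAssassin's own implementation, which it only models): Received header fields are scanned top to bottom, each hop whose client IP falls inside trusted_networks is trusted, and the first hop whose client IP is outside trusted_networks ends the chain. The trusted_networks list, the host names and the Received lines below are constructed sample data; the third hop carries a private address that matches trusted_networks but lies beyond the boundary, so it stays untrusted.

```python
import ipaddress
import re
from typing import List, Optional, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed trusted_networks modelled on the post: loopback, the RFC 1918
# private ranges and IPv4 link-local space. None of these can be the source
# address of a TCP connection arriving from outside at the MX.
TRUSTED_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
              "192.168.0.0/16", "169.254.0.0/16")
]

# Matches the bracketed client address in a Received: "from" clause, e.g.
# "from mx.example.org (mx.example.org [198.51.100.7])" or "from [192.168.1.23]".
_FROM_IP = re.compile(r"\bfrom\b[^\[\]]*\[(?:IPv6:)?([0-9a-fA-F.:]+)\]",
                      re.IGNORECASE)

# Constructed Received trace, newest hop first, as it would appear in a
# message handed from an MX to a content filter over loopback.
SAMPLE_RECEIVED = [
    # Added by the local content filter: loopback client, inside trusted_networks.
    "from mx.example.org (mx.example.org [127.0.0.1]) by localhost (amavisd-new)"
    "; Fri, 12 Aug 2011 14:00:02 +0200",
    # Added by the site's MX when accepting the message from the outside:
    # a public client IP, which breaks the trust chain.
    "from mail.example.net (mail.example.net [198.51.100.7]) by mx.example.org"
    " (Postfix) with ESMTP id CONSTRUCTED; Fri, 12 Aug 2011 14:00:01 +0200",
    # Claimed by the remote sender: a private address that matches
    # trusted_networks, but it sits beyond the boundary and is not trusted.
    "from [192.168.1.23] by mail.example.net with SMTP"
    "; Fri, 12 Aug 2011 13:59:58 +0200",
]


def received_from_ip(header: str) -> Optional[IPAddr]:
    """Extract the client IP from the 'from' clause of one Received field."""
    m = _FROM_IP.search(header)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(1))
    except ValueError:
        return None


def is_trusted(ip: Optional[IPAddr], networks=TRUSTED_NETWORKS) -> bool:
    """True if the address lies inside any trusted_networks entry."""
    return ip is not None and any(ip in net for net in networks)


def trust_chain(received: List[str],
                networks=TRUSTED_NETWORKS) -> Tuple[List[str], Optional[str], List[str]]:
    """Walk Received fields top to bottom (newest first).

    Returns (trusted_hops, boundary_ip, untrusted_hops). Hops are trusted
    while their client IP is in trusted_networks; the first hop outside it
    is the boundary (the real external client) and every later hop is
    untrusted regardless of its address. A hop with no parsable client IP
    also ends the chain, the conservative choice.
    """
    trusted: List[str] = []
    untrusted: List[str] = []
    boundary: Optional[str] = None
    for hdr in received:
        ip = received_from_ip(hdr)
        label = str(ip) if ip is not None else "unparsable"
        if boundary is None and is_trusted(ip, networks):
            trusted.append(label)
            continue
        if boundary is None:
            boundary = label
        untrusted.append(label)
    return trusted, boundary, untrusted


if __name__ == "__main__":
    t, b, u = trust_chain(SAMPLE_RECEIVED)
    print("trusted hops :", t)
    print("boundary     :", b)
    print("untrusted    :", u)
```

Running it on the constructed trace yields one trusted hop (127.0.0.1), a boundary at 198.51.100.7, and the private 192.168.1.23 hop left untrusted even though is_trusted() would accept that address on its own; that is the point of the argument above: listing private and loopback space in trusted_networks only ever matters for hops before the first public client address.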