pilot error? or idiots at microsoft?

Michael Scheidell michael.scheidell at secnap.com
Fri Aug 12 16:08:47 CEST 2011


On 8/12/11 8:49 AM, Mark Martinec wrote:
> Jo,
>
>> If I get on a random cafe's wireless network, the local hosts might be in
>> 192.168.1.0/24.  Should I allow them to relay mail?  Should I allow their
>> outbound mail to bypass spam check?  Absolutely not, I'm sure you would
>> agree.
maybe not amavisd.. in fact, any connection to amavis from 169* would be
strange... unless your laptop also did not get a good ip and pulled a
169* address.

in SA default 'local.cf'  I think they have internal_networks 192.168/16 
10/8 172.16/12.  might need 169.254/16.

this doesn't give the internal network the right to relay, and, most 
installs will override internal_* and trusted* with their outbound mail 
server ip's, and you still have to set the mynets up in amavisd to 
include/not include 169*.

but, given this discussion, I think I'll post a bugzilla to SA.
internal_networks don't trigger DCC, PYZOR, RAZOR, SPF or RBL checks.


> It is exactly the same argument why one can and should safely
> include the 127.0.0.0/8 in the trusted_networks list. The same
> applies to private address ranges and link-local address space.
>
I think SA from (3.2* onward include 127.0.0.0/8 by default?) if you put
it in yourself, you get a lint warning:

without 127 in local.cf:

  su - vscan -c 'spamassassin --lint'
  (no lint errors)

  echo 'internal_networks 127/8' >> local.cf
  (or trusted_networks, doesn't matter)

  su - vscan -c 'spamassassin --lint'
  Aug 12 14:06:00.917 [8635] warn: netset: cannot include 127.0.0.0/8 as it has already been included

so, question begs:  I think this is in default local.cf:

  grep networks local.cf
  internal_networks  192.168/16 172.16/12 10/8

should SA add 169.254/8 by default for completeness?


>    Mark


-- 
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
SECNAP Network Security Corporation

    * Best Mobile Solutions Product of 2011
    * Best Intrusion Prevention Product
    * Hot Company Finalist 2011
    * Best Email Security Product
    * Certified SNORT Integrator
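
Added example (not part of the original message and not SpamAssassin's own code): a small Python audit of internal_networks / trusted_networks lines that expands the abbreviated notation used in the message, reports the "already been included" condition for 127/8, and checks whether a link-local address is covered. Assumptions: IPv4 only, no `!` exclusions, 127.0.0.0/8 as the only implicit entry; `expand`, `audit` and `covered` are hypothetical helper names.

```python
import ipaddress

# Assumption: ranges the netset always contains regardless of config; the
# lint warning quoted in the message shows 127.0.0.0/8 behaving this way.
IMPLICIT = [ipaddress.ip_network("127.0.0.0/8")]
DIRECTIVES = ("internal_networks", "trusted_networks")

def expand(token):
    """Expand abbreviated IPv4 notation ('10/8', '192.168/16') to a network."""
    addr, _, bits = token.partition("/")
    octets = addr.rstrip(".").split(".")
    bits = bits or str(8 * len(octets))        # '192.168.' means /16
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + bits, strict=True)

def audit(conf_text):
    """Return (netsets, warnings) for the network directives in conf_text."""
    nets = {d: list(IMPLICIT) for d in DIRECTIVES}
    warnings = []
    for line in conf_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields or fields[0] not in DIRECTIVES:
            continue
        for token in fields[1:]:
            try:
                net = expand(token)
            except ValueError as err:           # bad octet, or host bits set
                warnings.append(f"{fields[0]}: bad entry {token}: {err}")
                continue
            if any(net.subnet_of(seen) for seen in nets[fields[0]]):
                warnings.append(f"{fields[0]}: {net} has already been included")
            else:
                nets[fields[0]].append(net)
    return nets, warnings

def covered(nets, directive, ip):
    """True if ip falls inside any network listed for the directive."""
    return any(ipaddress.ip_address(ip) in n for n in nets[directive])

# Constructed sample: the internal_networks line from the message, plus the
# redundant 127/8 entry and the link-local range under discussion.
SAMPLE = """\
internal_networks  192.168/16 172.16/12 10/8
internal_networks 127/8
internal_networks 169.254/16
"""

if __name__ == "__main__":
    nets, warnings = audit(SAMPLE)
    print("\n".join(warnings))
    for ip in ("169.254.10.20", "192.168.1.7", "203.0.113.9"):
        print(ip, covered(nets, "internal_networks", ip))
```

Being listed here only affects how the address is treated by the checks; as the message says, it does not by itself grant the right to relay.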

