pilot error? or idiots at microsoft?

Mark Martinec Mark.Martinec+amavis at ijs.si
Fri Aug 12 16:49:44 CEST 2011


Michael,

> in fact, any connection to amavis from 169* would be
> strange... unless your laptop also did not get a good ip and pulled a
> 169* address.

Yes. It would be unusual, although not impossible.
Possible only when both were connected to the same LAN segment
and the MTA's interface would have a 192.168.x.x address configured
as an alias - highly unlikely.

> in SA default 'local.cf'  I think they have internal_networks 192.168/16
> 10/8 172.16/12.  might need 169.254/16.
> 
> this doesn't give the internal network the right to relay, and, most
> installs will override internal_* and trusted* with their outbound mail
> server ip's, and you still have to set the mynets up in amavisd to
> include/not include 169*.
> 
> but, given this discussion, I think I'll post a bugzilla to SA.
> internal_networks don't trigger DCC, PYZOR, RAZOR, SPF or RBL checks.
> 
> > It is exactly the same argument why one can and should safely
> > include the 127.0.0.0/8 in the trusted_networks list. The same
> > applies to private address ranges and link-local address space.
> 
> I think SA from (3.2* onward include 127.0.0.0/8 by default?) if you put
> it in yourself, you get a lint warning:
>   warn: netset: cannot include 127.0.0.0/8 as it has already been included

I think it was a mistake to put 127.0.0.0/8 in the list by default but not
other private and local address ranges. And even a bigger mistake to
issue a warning when one tries to explicitly add the 127.0.0.0/8 to the list.
But this is merely an aesthetic / user experience topic. One should list
all private and scoped address ranges, keeping in mind that 127.0.0.0/8
is already included, and that failing to list some private address range
which is not used within an organization does no harm.

> so, question begs:  I think this is in default local.cf:
> 
> grep networks local.cf
> internal_networks  192.168/16 172.16/12 10/8
> 
> should SA add 169.254/8 by default for completeness?

As documented, the 127.0.0.0/8 and ::1 are the address ranges
that are always automatically included in internal_networks
and trusted_networks. Anything beyond that comes from
your local.cf file. There are no other defaults. The local.cf
that comes with a distribution is merely an example file,
one should check it out and adjust according to a local setup.

If 192.168/16 were to be included by default, so should the
10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, as well as scoped IPv6
addresses. I don't think there is a need for that. I'd even exclude the
current default, but making such a change now would add to confusion.

  Mark
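
An added example, not part of the original message and not SpamAssassin's own code: a small checker that expands the shorthand used in the local.cf line quoted above and reports which private and link-local ranges a directive does not yet cover. The WANTED list and the function names are assumptions made for this illustration.

```python
import ipaddress

# Constructed sample: the internal_networks line quoted in the thread.
SAMPLE = "internal_networks  192.168/16 172.16/12 10/8   # from local.cf\n"

# Always included by SpamAssassin, per the message above.
IMPLICIT = ["127.0.0.0/8", "::1/128"]
# Assumption for this example: RFC 1918, IPv4 link-local,
# IPv6 link-local and IPv6 unique-local.
WANTED = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
          "169.254.0.0/16", "fe80::/10", "fc00::/7"]


def parse_net(token):
    """Expand shorthand such as '10/8', '192.168/16' or '10.' to a network."""
    addr, _, bits = token.partition("/")
    addr = addr.strip("[]")               # IPv6 may be written in brackets
    if ":" in addr:
        return ipaddress.ip_network(f"{addr}/{bits or 128}", strict=False)
    octets = [o for o in addr.split(".") if o]
    bits = bits or str(8 * len(octets))   # '10.' means 10.0.0.0/8
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(f"{'.'.join(octets)}/{bits}", strict=False)


def missing_ranges(conf_text, directive):
    """Return the WANTED ranges not covered by `directive` lines in conf_text."""
    nets = [ipaddress.ip_network(n) for n in IMPLICIT]
    for line in conf_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields and fields[0] == directive:
            # '!addr' entries are exclusions and add no coverage; skip them.
            nets += [parse_net(t) for t in fields[1:] if not t.startswith("!")]
    missing = []
    for want in map(ipaddress.ip_network, WANTED):
        if not any(n.version == want.version and want.subnet_of(n) for n in nets):
            missing.append(str(want))
    return missing


if __name__ == "__main__":
    for d in ("internal_networks", "trusted_networks"):
        print(d, "missing:", missing_ranges(SAMPLE, d) or "nothing")
```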

