pilot error? or idiots at microsoft?

Mark Martinec Mark.Martinec+amavis at ijs.si
Fri Aug 12 14:49:56 CEST 2011


> If I get on a random cafe's wireless network, the local hosts might be in
>  Should I allow them to relay mail?  Should I allow their
> outbound mail to bypass spam check?  Absolutely not, I'm sure you would
> agree.

host/link/site-local IP addresses and private addresses are *not*
routable outside their scope. You can't receive/establish a TCP
session from such an IP address from outside on your MX mailer.

On an inbound connection your MX MTA prepends a Received
header field to a mail header, carrying in a 'from' field a client's
IP address - which *is* a public address, otherwise the connection
would not be established (nonroutable).

When analyzing a mail header (top to bottom), SpamAssassin
breaks a trust chain on encountering a 'received from' carrying
an IP address not in your trusted_networks. Anything beyond that
does not matter, further Received trace header fields would
not be trusted even if they carry an IP address matching the

It is exactly the same argument why one can and should safely
include the in the trusted_networks list. The same
applies to private address ranges and link-local address space.
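
A simplified model of the top-to-bottom walk described in the message above, added here as an illustration; it is not SpamAssassin's code and not part of the original post. The Received lines, the 192.0.2.0/24 site range and the function names are constructed for the example.

```python
import ipaddress
import re

# Constructed trusted_networks: an assumed site range plus one private range.
TRUSTED = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "10.0.0.0/8")]

# Constructed Received fields, newest first, as they appear top to bottom.
SAMPLE = [
    "from relay.example.org (relay.example.org [192.0.2.25]) by mx.example.org",
    "from mail.sender.example (mail.sender.example [203.0.113.7]) by relay.example.org",
    "from laptop (unknown [10.1.2.3]) by mail.sender.example",
]

IP_IN_BRACKETS = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def client_ip(received):
    """Return the client address from the 'from' part of a Received field, or None."""
    from_part = received.split(" by ", 1)[0]
    m = IP_IN_BRACKETS.search(from_part)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(1))
    except ValueError:
        return None

def walk_trust_chain(received_fields, trusted=TRUSTED):
    """Walk Received fields top to bottom; return (client ip, trusted relay?) per hop.

    Once a hop's client IP is outside `trusted`, the chain is broken and every
    later field is reported untrusted, whatever address it claims.
    """
    result, broken = [], False
    for field in received_fields:
        ip = client_ip(field)
        ok = (not broken) and ip is not None and any(ip in net for net in trusted)
        if not ok:
            broken = True
        result.append((str(ip) if ip else None, ok))
    return result

if __name__ == "__main__":
    for ip, ok in walk_trust_chain(SAMPLE):
        print(f"{ip or 'unparseable':15} {'trusted' if ok else 'untrusted'}")
```

The third constructed field claims 10.1.2.3, which matches the private range in the list, yet it is reported untrusted because it sits below the first untrusted hop.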


