Mailserver behind Source-NAT
Frank Grötzner
frank at unforgotten.de
Tue Mar 22 20:56:32 CET 2016
Hi all!
I've two questions:
1) I'm using Docker with Kubernetes as management to run my mail system
with postfix, amavis and cyrus imap. This implies that all connections
from the outside to postfix and also all connections between postfix and
amavis are source-NATted to one and the same IP address. Thus
ALL_TRUSTED is one of the most mentioned tests in the incoming mail
headers, which is letting a lot of spam pass through! :-/
Today I set "clear_trusted_networks" and "clear_internal_networks" in
local.cf for spamassassin to see if this helps - but nevertheless this
does not "feel right"(TM) ;-)
Any suggestions how to handle this "postfix behind SNAT" scenario best?
2) Before setting "clear_trusted_networks" and "clear_internal_networks"
I received a mail with the following headers:
> Return-Path: <owwiddl at intensiver.biz.ua>
> Received: from unforgotten.de ([10.244.91.1])
> by imap-p299l (Cyrus v2.4.17-caldav-beta10-Debian-2.4.17+caldav~beta10-18) with LMTPA;
> Tue, 22 Mar 2016 02:04:01 +0100
> X-Sieve: CMU Sieve 2.4
> Received: from localhost (unknown [10.244.91.1])
> by unforgotten.de (Postfix) with ESMTP id 0ED57118BB2
> for <fonk at unforgotten.de>; Tue, 22 Mar 2016 02:04:00 +0100 (CET)
> X-Virus-Scanned: Debian amavisd-new at unforgotten.de
> X-Spam-Flag: YES
> X-Spam-Score: 8.015
> X-Spam-Level: ********
> X-Spam-Status: Yes, score=8.015 required=5 tests=[ALL_TRUSTED=-1,
> DIGEST_MULTIPLE=0.001, FREEMAIL_FORGED_REPLYTO=2.503,
> HTML_MESSAGE=0.001, PYZOR_CHECK=1.985, RAZOR2_CF_RANGE_51_100=0.365,
> RAZOR2_CF_RANGE_E8_51_100=2.43, RAZOR2_CHECK=1.729,
> URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
> Received: from unforgotten.de ([10.244.91.1])
> by localhost (unforgotten.de [10.244.91.14]) (amavisd-new, port 10024)
> with LMTP id 90ZE38lLT2an for <fonk at unforgotten.de>;
> Tue, 22 Mar 2016 02:03:57 +0100 (CET)
> Received: from intensiver.biz.ua (unknown [10.244.91.1])
> by unforgotten.de (Postfix) with ESMTP id 86885118BAB
> for <frank at unforgotten.de>; Tue, 22 Mar 2016 01:03:57 +0000 (UTC)
> Received: from intensiver.biz.ua (46037.vs.webtropia.com [62.141.46.37])
> by intensiver.biz.ua (Postfix) with ESMTPA id 8A7B86525BF2;
> Tue, 22 Mar 2016 02:18:28 +0200 (EET)
> Message-ID: <ec8b01d183e1$1e5da970$085a57c4 at owwiddl>
> Reply-To: dzuris at mail.ru
> From: "Buns" <owwiddl at intensiver.biz.ua>
> To: <brigitte.koehnlein at umwelt.bremen.de>
> Subject: Unser Angebot ist der schnellste Weg zur Finanzierung Ihres Unternehmens
I'm wondering why ALL_TRUSTED is in the list, although there is an
untrusted address: intensiver.biz.ua (unknown [10.244.91.1])
Can someone please explain this? :-)
Best regards,
Frank
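
Added example, not part of the original post and not SpamAssassin's own code: a simplified model of the trust inference that SpamAssassin documents for the case where neither trusted_networks nor internal_networks is set, run over the two oldest Received headers quoted above and over a constructed variant without SNAT. It assumes no trust networks were configured when the message was scanned; the function names and the 203.0.113.25 address are hypothetical.

```python
import ipaddress
import re

# RFC 1918 ranges only (Python's is_private also covers documentation ranges).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# RFC 3848 "with" keywords that record an authenticated hop (model simplification).
AUTH_PROTOCOLS = {"ESMTPA", "ESMTPSA", "LMTPA", "LMTPSA"}
RELAY_RE = re.compile(r"\[(?P<ip>[0-9A-Fa-f.:]+)\].*?\bwith\s+(?P<proto>[A-Za-z]+)", re.S)

# The two oldest Received headers from the message above, newest first.
SNAT_HEADERS = [
    "from intensiver.biz.ua (unknown [10.244.91.1]) "
    "by unforgotten.de (Postfix) with ESMTP id 86885118BAB",
    "from intensiver.biz.ua (46037.vs.webtropia.com [62.141.46.37]) "
    "by intensiver.biz.ua (Postfix) with ESMTPA id 8A7B86525BF2",
]
# Constructed variant: the first hop records a public client address
# (203.0.113.25 is a documentation address, not taken from the post).
NO_SNAT_HEADERS = [
    "from intensiver.biz.ua (unknown [203.0.113.25]) "
    "by unforgotten.de (Postfix) with ESMTP id 86885118BAB",
    SNAT_HEADERS[1],
]

def parse_relay(header):
    """Return (connecting IP, hop was authenticated) for one Received header."""
    m = RELAY_RE.search(header)
    if m is None:
        raise ValueError("unparseable Received header: %r" % header)
    return ipaddress.ip_address(m["ip"]), m["proto"].upper() in AUTH_PROTOCOLS

def infer_trust(headers):
    """Return one trusted/untrusted flag per hop, newest first."""
    flags, prev_trusted, boundary_hit = [], False, False
    for ip, authed in map(parse_relay, headers):
        if boundary_hit:
            trusted = False                    # every hop past the first untrusted one
        elif any(ip in net for net in RFC1918):
            trusted = True                     # private 'from' address
        else:
            trusted = authed and prev_trusted  # auth token behind a trusted hop
        boundary_hit = boundary_hit or not trusted
        flags.append(trusted)
        prev_trusted = trusted
    return flags

def all_trusted(headers):
    """True when every hop is trusted, the condition ALL_TRUSTED reports."""
    return all(infer_trust(headers))
```

With the SNAT address 10.244.91.1 on the first hop, both hops come out trusted in this model; with a public client address recorded instead, the first hop is untrusted and so is everything behind it.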