I have an IPv6-only server that runs Postfix with SpamAssassin (via Amavisd). I use a trusted relay service so that I can still receive emails from IPv4-only servers. It adds SPF headers for me and I've configured pypolicyd-spf to whitelist (as in "skip and don't check SPF, adding another header") everything that the service relays (because it would give false-negatives). This is working fine, but SpamAssassin still flags all emails as failing its own SPF checks.
The correct way to fix this is to add the IP addresses of the relays to trusted_networks in /etc/mail/spamassassin/local.cf. However, the service may change IPs from time to time (although they will always be in the results for mx.example.com). Ideally, I'd tell SpamAssassin to trust anything with an IP that matches the set for mx.example.com, but trusted_ip only takes IPs and CIDR, not hostnames.
Is there any way to trust based on DNS, other than a cron task that keeps doing the lookup, editing the config and restarting the service?
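The periodic-lookup fallback mentioned in the question, as an added example that is not part of the original post: it resolves the relay hostname, accepts only literal IP addresses, and rewrites a separate file only when the set changes, so the service is reloaded only when needed. The output path, the assumption that local.cf pulls that file in with an `include` line, and all function names are illustrative.

```python
import ipaddress
import os
import socket
import tempfile

RELAY_HOST = "mx.example.com"  # hostname from the question
# Assumed path; local.cf is assumed to load it with an "include" line.
OUT_FILE = "/etc/mail/spamassassin/relay-trusted.cf"


def resolve(host):
    """Return every A/AAAA address currently published for host."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]


def render(addresses):
    """Build trusted_networks lines; raise if any value is not a plain IP."""
    ips = set()
    for addr in addresses:
        # ip_address() raises ValueError on hostnames, CIDR or extra tokens,
        # so nothing but literal addresses can reach the config file.
        ips.add(ipaddress.ip_address(addr.split("%")[0]))  # drop zone id
    if not ips:
        raise ValueError("no addresses resolved; keeping existing file")
    ordered = sorted(ips, key=lambda ip: (ip.version, int(ip)))
    return "".join(f"trusted_networks {ip}\n" for ip in ordered)


def write_if_changed(path, content):
    """Atomically replace path only when content differs. True means reload."""
    try:
        with open(path) as fh:
            if fh.read() == content:
                return False
    except FileNotFoundError:
        pass
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    os.chmod(tmp, 0o644)
    os.replace(tmp, path)  # readers never see a half-written file
    return True


if __name__ == "__main__":
    if write_if_changed(OUT_FILE, render(resolve(RELAY_HOST))):
        print("relay list changed; reload the scanner")  # reload left to the operator
```

Whatever the lookup returns becomes part of SpamAssassin's trust boundary, so the script should query a resolver you trust; a failed or empty lookup raises instead of overwriting the last known-good list.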