Hi,
I am using this piece of code to restrict access to some mail aliases
(only clients from the allowed IP addresses are permitted to send email
to the protected email addresses):
smtpd_restriction_classes = allowed_list1
allowed_list1 = check_client_access hash:/etc/postfix/client_acc,reject
smtpd_recipient_restrictions =
hash:/etc/postfix/protected_destinations,permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
where /etc/postfix/protected_destinations is for example:
...
ali...@example.com allowed_list1
...
and /etc/postfix/client_acc is:
10.10.10.11 OK
10.10.10.12 OK
10.10.11.10 OK
The above works fine.
However, when I try to use cidr tables (because I need to define
subnets), it doesn't work correctly:
smtpd_restriction_classes = allowed_list1
allowed_list1= cidr:/etc/postfix/client.cidr,reject
smtpd_recipient_restrictions =
hash:/etc/postfix/protected_destinations,permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
where /etc/postfix/protected_destinations is the same as above
and /etc/postfix/client.cidr is:
10.10.10.0/25 OK
10.10.11.0/24 OK
I've checked that for example:
postmap -q "10.10.11.10" cidr:/etc/postfix/client.cidr
returns OK, so it should be working, but it doesn't; access to
ali...@example.com is denied to client with IP address 10.10.11.10,
although it is included in a subnet in client.cidr file.
What am I doing wrong?
Thanks in advance,
Nick
Installation details (postconf -n) (postfix 2.3.3 on Centos 5.5):
alias_database = hash:/etc/postfix/aliases,
hash:/etc/postfix/aliases.d/virtual_aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
local_header_rewrite_clients = static:all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 20971520
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = example.com
myhostname = mail.example.com
mynetworks = 10.10.0.0/16
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
parent_domain_matches_subdomains =
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
recipient_canonical_maps = hash:/etc/postfix/domainrecipientmap
relay_domains = $mydestination
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sender_canonical_maps = hash:/etc/postfix/domainsendermap
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_client_restrictions =
permit_mynetworks,permit_sasl_authenticated,reject
smtpd_delay_reject = yes
smtpd_recipient_restrictions =
hash:/etc/postfix/protected_destinations,permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_restriction_classes = allowed_list1
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = /var/spool/postfix/private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/pki/tls/certs/chain-180.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/cert-180.pem
smtpd_tls_key_file = /etc/pki/tls/private/key.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/aliases,
hash:/etc/postfix/aliases.d/virtual_aliases,
ldap:/etc/postfix/ldap-alias-vacation.cf,
ldap:/etc/postfix/ldap-aliases.cf
virtual_gid_maps = static:500
virtual_mailbox_base = /home/vmail/
virtual_mailbox_domains = $mydomain
virtual_mailbox_limit = 314572800
virtual_mailbox_maps = ldap:/etc/postfix/ldap-users.cf
virtual_uid_maps = static:500
