On Tue, Dec 22, 2020 at 03:23:56AM +0000, Matthew Selsky wrote:
> I want to allow the Cloud provider to be able to relay all email through
> postfix.
>
> Our setup is:
>
> cloud provider -> postfix gateway -> internet
>
> I want to add a header to the messages from this cloud provider so
> that I can do additional checks in other postfix instances.
>
> The problem that I currently face is that the messages are rejected
> with "Recipient address rejected: Access denied;" when I want them to
> be relayed instead.
>
> Is this what I need to accomplish that?
>
> cidr = cidr:${config_directory}/
> smtpd_recipient_restrictions =
>     reject_non_fqdn_recipient
>     reject_unknown_recipient_domain
>     check_client_access ${cidr}tag-cloud-email-providers.cidr

Yes, this will tag any message that is ultimately accepted.

> smtpd_relay_restrictions =
>     permit_mynetworks
>     check_client_access ${cidr}cloud-email-providers.cidr
>     permit_tls_clientcerts

Yes, this will permit relay access for the matching IPs.

> Where tag-cloud-email-providers.cidr has:
> 209.85.128.0/17 PREPEND X-TS-Gm-Tenant: TRUE
>
> And cloud-email-providers.cidr has:
> 209.85.128.0/17 OK
>
> Or do I need to add the cloud providers blocks to mynetworks for any reason?

No, you can leave mynetworks unchanged if there is more to mynetworks
than mere relay access.

--
Viktor.
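
An added example, not part of the original thread and not Postfix code: a Python dry-run of the two CIDR tables quoted above, using the first-match lookup described in cidr_table(5), to check which client addresses get relay access and the tag header. The function names and test addresses are constructed; the other restrictions in the lists (permit_mynetworks, permit_tls_clientcerts) and the `!pattern` and `if`/`endif` table syntax are not modelled.

```python
import ipaddress

# Table contents copied from the post above.
TAG_TABLE = "209.85.128.0/17 PREPEND X-TS-Gm-Tenant: TRUE\n"
RELAY_TABLE = "209.85.128.0/17 OK\n"


def parse_cidr_table(text):
    """Return [(network, action)] in file order; skip blanks and # comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, action = line.split(None, 1)
        # strict=True rejects patterns with host bits set (e.g. 209.85.128.1/17).
        rules.append((ipaddress.ip_network(pattern, strict=True), action.strip()))
    return rules


def lookup(rules, client_ip):
    """First matching pattern wins; None means no match (fall through)."""
    addr = ipaddress.ip_address(client_ip)
    for net, action in rules:
        if addr.version == net.version and addr in net:
            return action
    return None


def evaluate(client_ip):
    """Report what the two check_client_access lookups yield for one client."""
    relay = lookup(parse_cidr_table(RELAY_TABLE), client_ip)
    tag = lookup(parse_cidr_table(TAG_TABLE), client_ip)
    header = None
    if tag and tag.startswith("PREPEND "):
        header = tag[len("PREPEND "):]
    return {"relay_permitted_by_table": relay == "OK", "prepended_header": header}


if __name__ == "__main__":
    # Constructed client addresses: inside, just below, and outside the block.
    for ip in ("209.85.128.1", "209.85.127.255", "192.0.2.10"):
        print(ip, evaluate(ip))
```

A client with no match in the relay table is not rejected by that lookup; the decision falls through to the next restriction in the list.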