On 24.06.22 22:50, Gary Smith wrote:
I have an smtpd process configured with this below.  It works great when injecting the messages from localhost but fails with '5.7.1 <xxxx@xxxx>: Recipient address rejected: Access denied' when I try it from a remote node (this port is firewalled and only allowed for specific machines).  I know the quick win to make this work would be to add the IP addresses of the approved nodes to the mynetwork list of IPs.   

Would it be better to add IPs to an access hash list and use check_recipient_a_access so we can update it when we need to on the fly?

If you tend to update that address list often, it could be a better solution.
However using $mynetworks usually allows relaying, which you may need.

If so can I add subnets (10.20.30.0/24) or just single IPs?

You can add 10.20.30 instead of 10.20.30.0/24 to hash tables.
Or, you can use cidr tables for any host/mask values.

  I’m using https://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions as a reference and it says not to use OK but DUNNO, which is a little confusing with what DUNNO says it does, which is what also prompted this question.  What’s the best approach here?  

DUNNO only means that the host is to be skipped and the next *_restrictions rules are to be applied - just as if the record were not in the access table.

10026 inet    n       -       n       -       3      smtpd 
        -o content_filter= 
        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters
 

Are you sure you don't want to expand aliases etc. when receiving mail from those hosts? If they only work as your content filters, it's probably right, otherwise it's probably not.

        -o smtpd_recipient_restrictions=permit_mynetworks,  
check_recipient_a_access hash:/etc/postfix/approved_ip_access, 
reject 

As was already noted, check_recipient_a_access is not what you want - it checks the A address of the recipient domain, not the address of the server sending mail to you.

Also, a result of OK is not allowed there:

http://www.postfix.org/postconf.5.html#check_recipient_a_access
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Due to unexpected conditions Windows 2000 will be released
in first quarter of year 1901
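
Added example, not part of the original message and not Postfix code: a small Python model of the lookup behaviour discussed in the thread, showing how a hash table keyed on octet prefixes (10.20.30) and a cidr table (10.20.30.0/24) resolve a connecting client's IP, and how DUNNO falls through to the next restriction. The table contents and function names are constructed for illustration, and it assumes the table is consulted for the client address (as Postfix's check_client_access does), not the recipient domain's A record.

```python
import ipaddress

# Constructed sample tables (not from the thread). Hash tables match a full
# address or an octet-boundary prefix; cidr tables match network/mask
# patterns in file order.
HASH_TABLE = {"10.20.30": "OK", "10.20.30.99": "REJECT"}
CIDR_TABLE = [("10.20.30.99/32", "REJECT"),
              ("10.20.30.0/24", "OK"),
              ("10.20.40.0/22", "DUNNO")]

def hash_lookup(table, client_ip):
    """Try the full address, then strip one octet at a time."""
    octets = client_ip.split(".")
    for n in range(4, 0, -1):
        action = table.get(".".join(octets[:n]))
        if action is not None:
            return action
    return None

def cidr_lookup(table, client_ip):
    """First matching pattern wins, so specific entries go first."""
    addr = ipaddress.ip_address(client_ip)
    for pattern, action in table:
        if addr in ipaddress.ip_network(pattern):
            return action
    return None

def evaluate(client_ip, lookup, table, mynetworks=("127.0.0.0/8",)):
    """Model of the list: permit_mynetworks, <client access table>, reject."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in ipaddress.ip_network(n) for n in mynetworks):
        return "permit (mynetworks)"
    action = lookup(table, client_ip)
    if action == "OK":
        return "permit (access table)"
    if action == "REJECT":
        return "reject (access table)"
    # DUNNO and "no entry" behave the same: fall through to the next rule.
    return "reject (final rule)"

if __name__ == "__main__":
    for ip in ("127.0.0.1", "10.20.30.5", "10.20.30.99", "10.20.41.7"):
        print(ip, "hash:", evaluate(ip, hash_lookup, HASH_TABLE),
              "| cidr:", evaluate(ip, cidr_lookup, CIDR_TABLE))
```

Note that the hash key 10.20.30 matches on octet boundaries only, so 10.20.3.1 is not covered by it.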