Top posting for a little clarity, but as mentioned in the inline comment, CIDR is probably what I will test.
A little more background. I'm supporting a B2B eCommerce customer that sends out a single email to the customer that buys something. The customers are a fixed list for our company. These customers have a group of people (brokers/managers/merchandisers/etc) that can place the order. This relationship with the customer and the people that manage that customer changes a lot, and there are some 60,000 of these accounts. I have implemented postfix as an incoming MX for a single domain that handles emails for the customers. When an email is received from a restricted sender list (the ecommerce platform) it is processed through a virtual alias that contains the map of the customer -> recipient list. From there we pump the email into an after-queue filter that drops it into a database for rewriting and compliance tracking. From there another process will drop it back into postfix on the 10026 port. Postfix will then relay this through our primary exchange server to ensure it goes out and follows all our IT (and compliance) rules. This process works fine (and has been working for us for some time) but we are looking at having one of the processes that dump it back into postfix on 10026 run on a different server. This is where the trouble started. 😊 The virtual alias part is updated by a process every 30 minutes and even that works well, just this remote call portion.

> -----Original Message-----
> From: owner-postfix-us...@postfix.org <owner-postfix-us...@postfix.org> On Behalf Of Matus UHLAR - fantomas
> Sent: Saturday, June 25, 2022 7:25 AM
> To: postfix-users@postfix.org
> Subject: Re: smtpd_recipient_restrictions usage question.
>
> CAUTION: EXTERNAL SENDER. Please use caution when opening links,
> attachments, or sending information. This email did not originate from
> internal staff. - IT Support
>
> On 24.06.22 22:50, Gary Smith wrote:
> > I have an smtpd process configured with this below. It works great
> > when injecting the messages from localhost but fails with '5.7.1
> > <xxxx@xxxx>: Recipient address rejected: Access denied' when I try it
> > from a remote node (this port is firewalled and only allowed for
> > specific machines).
> > I know the quick win to make this work would be to add the IP
> > addresses of the approved nodes to the mynetwork list of IPs.
>
> > Would it be better to add IPs to an access hash list and use
> > check_recipient_a_access so we can update it when we need to on
> > the fly?
>
> if you tend to update that address list often, it could be a better solution.
> However using $mynetworks usually allows relaying, which you may need.
>
> > If so can I add subnets (10.20.30.0/24) or just single IPs?
>
> you can add 10.20.30 instead of 10.20.30.0/24 to hash tables.
> OR, you can use cidr tables for any host/mask values.

[Gary Smith] I think the CIDR table is what I'm looking for.

> > I'm using
> > https://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions
> > as a reference and it says not to use OK but DUNNO, which is a little
> > confusing with what DUNNO says it does, which is what also prompted
> > this question. What's the best approach here?
>
> DUNNO only means that the host is to be skipped and the next *_restrictions
> rules are to be applied - just as if the record was not in the access table.
>
> > 10026 inet n - n - 3 smtpd
> >       -o content_filter=
> >       -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters
>
> are you sure you don't want to expand aliases etc when receiving mail from
> those hosts?
> If they only work as your content filters, it's probably right, otherwise it's
> probably not.
>
> >       -o smtpd_recipient_restrictions=permit_mynetworks,
> > check_recipient_a_access hash:/etc/postfix/approved_ip_access,
> > reject
>
> as it was already noted, the check_recipient_a_access is not what you want -
> it checks the A address of the recipient domain, not the address of the server sending
> mail to you.
>
> Also, the result OK is not allowed there:
>
> http://www.postfix.org/postconf.5.html#check_recipient_a_access
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. (Slovak: Warning: I do not wish to receive any advertising mail at this address.)
> Due to unexpected conditions Windows 2000 will be released in first quarter
> of year 1901
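The configuration the thread converges on, written out side by side with the posted one. This is an added example, not Gary's posted config and not anything from Matus's reply. The file name /etc/postfix/approved_clients.cidr, the main.cf parameter name filter_client_restrictions, and the host 192.0.2.10 are my own choices (192.0.2.10 is a constructed documentation-range address); 10.20.30.0/24 is the subnet from the thread. It assumes Postfix 2.10 or later, where smtpd_relay_restrictions exists and is evaluated in addition to smtpd_recipient_restrictions.

```conf
# ---- As posted: why the remote node is rejected ----
# master.cf
10026     inet  n  -  n  -  3  smtpd
    -o content_filter=
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters
    -o smtpd_recipient_restrictions=permit_mynetworks,check_recipient_a_access hash:/etc/postfix/approved_ip_access,reject
# check_recipient_a_access looks up the A record of the *recipient's domain*,
# not the IP of the connecting client. A client that is not in $mynetworks
# therefore never matches anything before the final "reject", which is what
# produces "554 5.7.1 ... Recipient address rejected: Access denied".
# (The "use DUNNO, not OK" warning in postconf(5) applies to these
# *_a_access / *_mx_access / *_ns_access lookups, which key on DNS data
# anyone can point at you; OK is fine in a plain check_client_access table.)

# ---- Corrected (assumed layout) ----
# /etc/postfix/approved_clients.cidr
# cidr: tables are read straight from this file (no postmap step), so the
# periodic updater can simply rewrite it; new smtpd processes pick the change
# up, "postfix reload" makes it immediate. First match wins, so if you ever
# mix OK and REJECT entries, list the more specific ones first.
# Keep comments on their own lines, not after a value.
# subnet of approved filter nodes (from the thread)
10.20.30.0/24    OK
# a single host: a bare address is treated as /32 (constructed example)
192.0.2.10       OK

# main.cf
# Kept in main.cf so the list can contain spaces; master.cf "-o" values
# must not, and "$name" references are the documented way around that.
filter_client_restrictions =
    permit_mynetworks,
    check_client_access cidr:/etc/postfix/approved_clients.cidr,
    reject

# master.cf
10026     inet  n  -  n  -  3  smtpd
    -o content_filter=
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters
    -o smtpd_recipient_restrictions=$filter_client_restrictions
    -o smtpd_relay_restrictions=$filter_client_restrictions
# smtpd_relay_restrictions is set too: its default
# (permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination)
# would still refuse to relay the rewritten mail from the remote node on to
# Exchange even after smtpd_recipient_restrictions accepts the client, so the
# approved-client table has to be the relay authorization as well. This is
# the "$mynetworks usually allows relaying, which you may need" point from
# the reply, done per-listener instead of globally.
```

Two checks before relying on it: `postmap -q 10.20.30.40 cidr:/etc/postfix/approved_clients.cidr` should print `OK` and `postmap -q 10.20.31.1 cidr:/etc/postfix/approved_clients.cidr` should print nothing, and `postconf -Mf 10026/inet` should show both restriction overrides on the listener. Note that, with this layout, the firewall rule and the cidr table are the only things authenticating the remote node; anything that can reach port 10026 from an approved address can inject mail that Postfix will relay through Exchange.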