On 11/3/2022 1:24 PM, Alex wrote:
In my rush between projects, I not only confused sqlgrey with
postscreen, but I also forgot that I already have a postscreen
section as well:
postscreen_access_list =
permit_mynetworks,
cidr:/etc/postfix/postscreen_access.cidr,
cidr:/etc/postfix/gmail_whitelist.cidr,
cidr:/etc/postfix/postscreen_spf_whitelist.cidr,
cidr:/etc/postfix/bec-ranges.cidr,
cidr:/etc/postfix/serverion-bec.cidr
I've added it there as well, but I'm not sure I understand the
priorities. Adding the check_client_access or check_sender_access
would be consulted before postscreen? Is the postscreen_access_list
just another way of segmenting the checks?
Rule of thumb: For a message to be accepted, it must be accepted in
every stage - postscreen, smtpd_*_restrictions, policy services,
milters. For a message to be rejected, it can be rejected once
anywhere in the chain.
So even if a client is allowed in postscreen, it can still be
rejected by a later test.
You'll need to list the IP in postscreen, then also list the IP in a
check_client_access map before your policy services.
-- Noel Jones
