Mike, I had: # postconf smtpd_client_restrictions smtpd_client_restrictions = reject_unknown_reverse_client_hostname, check_client_access hash:/etc/postfix/client_access, permit_sasl_authenticated
On 14/05/2018 12:13, Wietse Venema wrote: > jack: >> Hi, >> >> In the online documentation for access tables >> (http://www.postfix.org/access.5.html), it says: >> >> Subnetworks are matched by repeatedly truncating >> the last ".octet" from the remote IPv4 host address >> string until a match is found in the access table, or >> until further truncation is not possible. >> >> This is supposedly subject only to the restriction that the table is an >> indexed file "such as DB or DBM". > > Postfix will query hash (btreem, dbm, lmdb, ldap, etc.) table > multiple times, first with the full IP address and then with prefixes > of the IP address. With your example of 5.188.9.2 the queries would > be: > > 5.188.9.2 > 5.188.9 > > There would be more queries if there is no match. Aaaah. Light dawns. So the prefix match should be working in postfix, even if it doesn't work in postmap. That's not what I thought I observed; but I didn't test postfix thoroughly, because it was easier to test postmap. Oh well! > > (with cidr, pcre, and regexp tables there would be only one lookup). Non-indexed tables will no doubt be less efficient, beyond some threshold dataset size. And those table-types are memory-resident, AIUI, so there would be a memory-hit for large tables. Anyway, thanks for clearing this up. -- Jack.
