Viktor Dukhovni:
> On Mon, Mar 16, 2020 at 09:06:00AM +0100, Robby Van Mieghem wrote:
>
> > smtpd_client_restrictions =
> > check_client_access cidr:${config_directory}/client_access,
> > reject
> >
> > # EOP ranges as indicated by MS
> > 23.103.132.0/22 OK
> > 23.103.136.0/21 OK
> > 23.103.156.0/22 OK
> > 23.103.198.0/24 OK
> > 23.103.200.0/22 OK
> > 23.103.212.0/22 OK
>
> Unsurpringly, this returns "OK" for the listed entries, and
> no result otherwise, which then in "smtpd_client_restrictions"
> falls through to "reject".
>
> > Tried testing it also with:
> >
> > $ postmap -q "1.1.1.1" cidr:/etc/postfix-EOP2DC/client_access
> >
> > ? no result
>
> As expected, since "1.1.1.1" does not appear to be listed in the CIDR
> table.
>
> > So it generally allows every IP now...
>
> No, that's not the right conclusion.
To test access rules properly, use XCLIENT.
http://www.postfix.org/XCLIENT_README.html
Wietse
