Viktor Dukhovni: > On Mon, Mar 16, 2020 at 09:06:00AM +0100, Robby Van Mieghem wrote: > > > smtpd_client_restrictions = > > check_client_access cidr:${config_directory}/client_access, > > reject > > > > # EOP ranges as indicated by MS > > 23.103.132.0/22 OK > > 23.103.136.0/21 OK > > 23.103.156.0/22 OK > > 23.103.198.0/24 OK > > 23.103.200.0/22 OK > > 23.103.212.0/22 OK > > Unsurpringly, this returns "OK" for the listed entries, and > no result otherwise, which then in "smtpd_client_restrictions" > falls through to "reject". > > > Tried testing it also with: > > > > $ postmap -q "1.1.1.1" cidr:/etc/postfix-EOP2DC/client_access > > > > ? no result > > As expected, since "1.1.1.1" does not appear to be listed in the CIDR > table. > > > So it generally allows every IP now... > > No, that's not the right conclusion.
To test access rules properly, use XCLIENT. http://www.postfix.org/XCLIENT_README.html Wietse