Hi all,
I'm using multi-instance postfix and I want to relay messages from a given CIDR
block at a cloud provider, and I want to add a custom header.
I have this in main.cf:
# Shorthand so lookup tables can be written as ${cidr}<file>; with the
# config_directory shown in the attached postconf -n output this expands to
# cidr:/etc/postfix-mta-in/<file>.
cidr = cidr:${config_directory}/
# These two checks reject malformed or unresolvable recipient addresses;
# relay authorization is decided in smtpd_relay_restrictions below.
smtpd_recipient_restrictions =
reject_non_fqdn_recipient
reject_unknown_recipient_domain
# Relay policy: restrictions are evaluated in order until one of them
# returns a permit or a reject.
smtpd_relay_restrictions =
permit_mynetworks
# NOTE(review): the table entry shown below uses the PREPEND action. Per
# access(5) PREPEND only adds the header; it is not an OK/permit result, so
# evaluation continues with the next restriction. A client that matches the
# table but is not in mynetworks and presents no listed client certificate
# therefore reaches the final "reject" - consistent with the "Access denied"
# line in the syslog excerpt.
# NOTE(review): a source-address match identifies the provider's shared
# outbound range, not one tenant. If a permit is ever added for this range,
# every sender using that range would be allowed to relay - confirm that is
# intended before doing so.
# NOTE(review): nothing shown here removes or distinguishes an
# X-Gmail-Tenant header that the remote sender put in the message itself;
# check header-checks.pcre and the downstream filter before trusting it.
check_client_access ${cidr}tag-cloud-email-providers.cidr
permit_tls_clientcerts
# Catch-all: anything not permitted above is refused (logged as
# "554 5.7.1 ... Access denied").
reject
tag-cloud-email-providers.cidr contains:
[...]
209.85.128.0/17 PREPEND X-Gmail-Tenant: TRUE
[...]
syslog shows the message being rejected:
2020-12-21T23:35:38.737+00:00 customer.example.com
postfix-mta-in/smtpd[2984727]: NOQUEUE: reject: RCPT from
mail-ot1-f70.google.com[209.85.210.70]: 554 5.7.1 <[email protected]>: Recipient
address rejected: Access denied; from=<[email protected]>
to=<[email protected]> proto=ESMTP helo=<mail-ot1-f70.google.com>
postmap queries seem reasonable:
$ postmap -q 209.85.210.70
cidr:/etc/postfix-mta-in/tag-cloud-email-providers.cidr; echo $?
PREPEND X-Gmail-Tenant: TRUE
My very gently sanitized "postconf -n" output is attached.
Thanks,
-Matt
# "postconf -n" output for the postfix-mta-in instance: only parameters that
# are explicitly set in main.cf. Long values are wrapped onto the next line.
alias_database =
alias_maps =
authorized_submit_users = root
body_checks = ${pcre}body-checks.pcre
bounce_size_limit = 1
cidr = cidr:${config_directory}/
compatibility_level = 2
config_directory = /etc/postfix-mta-in
data_directory = /var/lib/postfix-mta-in
default_database_type = cdb
default_transport = smtp:[127.0.0.1]:10024
disable_vrfy_command = yes
enable_long_queue_ids = yes
fast_flush_domains =
header_checks = ${pcre}header-checks.pcre
indexed = ${default_database_type}:${config_directory}/
inet_interfaces = $myhostname
inet_protocols = ipv4
local_recipient_maps =
local_transport = error:5.1.2 Mailbox unavailable
mailbox_size_limit = 157286400
message_size_limit = 157286400
mime_header_checks = ${pcre}mime-header-checks.pcre
multi_instance_enable = yes
multi_instance_group = mta
multi_instance_name = postfix-mta-in
mydestination =
# permit_mynetworks in smtpd_relay_restrictions trusts every client matched
# by this table; its contents are not shown on this page.
mynetworks = ${cidr}auth-clients.cidr
myorigin = example.com
nested_header_checks =
notify_classes =
parent_domain_matches_subdomains = smtpd_access_maps
pcre = pcre:${config_directory}/
plaintext_reject_code = 450
propagate_unmatched_extensions =
queue_directory = /var/spool/postfix-mta-in
queue_minfree = 314572800
recipient_delimiter = +
# Client-certificate fingerprints accepted by permit_tls_clientcerts; they
# must be computed with the digest named in smtpd_tls_fingerprint_digest.
relay_clientcerts = ${indexed}relay_clientcerts
smtpd_client_restrictions =
smtpd_discard_ehlo_keywords = etrn,silent-discard
smtpd_etrn_restrictions = reject
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks reject_invalid_helo_hostname
reject_non_fqdn_helo_hostname
smtpd_recipient_restrictions = reject_non_fqdn_recipient
reject_unknown_recipient_domain
# NOTE(review): relay is permitted only by permit_mynetworks or
# permit_tls_clientcerts. The check_client_access table entry shown on this
# page uses PREPEND, which per access(5) adds a header and lets evaluation
# continue; it does not permit. Unmatched clients end at "reject".
smtpd_relay_restrictions = permit_mynetworks check_client_access
${cidr}tag-cloud-email-providers.cidr permit_tls_clientcerts reject
smtpd_sender_restrictions = reject_non_fqdn_sender reject_unknown_sender_domain
# Requests a client certificate during the TLS handshake; needed for
# permit_tls_clientcerts to have a fingerprint to look up.
smtpd_tls_ask_ccert = yes
smtpd_tls_cert_file = /etc/postfix/cert.pem
smtpd_tls_ciphers = high
# The parameter name is historical; the file name suggests 2048-bit DH
# parameters - verify the file itself.
smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
smtpd_tls_exclude_ciphers = MD5, aDSS, kECDH, kDH, SEED, IDEA, RC2, RC5
# NOTE(review): this digest is what authorizes relay via relay_clientcerts.
# Postfix documentation recommends sha256 over md5/sha1; switching requires
# regenerating every fingerprint in the relay_clientcerts table.
smtpd_tls_fingerprint_digest = sha1
smtpd_tls_key_file = /etc/postfix/key.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
# SSLv2, SSLv3, TLS 1.0 and TLS 1.1 are excluded, leaving TLS 1.2 and later.
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_received_header = yes
# TLS is mandatory for every client of this instance.
smtpd_tls_security_level = encrypt
smtputf8_enable = no
tls_preempt_cipherlist = yes
unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 550
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
unverified_sender_reject_code = 550