On Tue, Dec 22, 2020 at 12:27:13AM +0000, Matthew Selsky wrote:
> I'm using multi-instance postfix and I want to relay messages from a
> given CIDR block at a cloud provider, and I want to add a custom
> header.
>
> I have this in main.cf:
> cidr = cidr:${config_directory}/
> smtpd_recipient_restrictions =
>     reject_non_fqdn_recipient
>     reject_unknown_recipient_domain
>
> smtpd_relay_restrictions =
>     permit_mynetworks
>     check_client_access ${cidr}tag-cloud-email-providers.cidr
>     permit_tls_clientcerts
>     reject

You should probably only do the relay check in relay restrictions, and
then *again* match the CIDR block in recipient restrictions, where you
implement the PREPEND action. Assuming I've understood your question
correctly. The data provided is quite thorough, but the message is
a bit light on what you're not succeeding in doing...

> tag-cloud-email-providers.cidr contains:
> [...]
> 209.85.128.0/17 PREPEND X-Gmail-Tenant: TRUE
> [...]
>
> syslog has:
> 2020-12-21T23:35:38.737+00:00 customer.example.com
> postfix-mta-in/smtpd[2984727]: NOQUEUE: reject: RCPT from
> mail-ot1-f70.google.com[209.85.210.70]: 554 5.7.1 <[email protected]>:
> Recipient address rejected: Access denied;
> from=<[email protected]> to=<[email protected]> proto=ESMTP
> helo=<mail-ot1-f70.google.com>
>
> postmap queries seem reasonable:
> $ postmap -q 209.85.210.70 cidr:/etc/postfix-mta-in/tag-cloud-email-providers.cidr; echo $?
> PREPEND X-Gmail-Tenant: TRUE
--
Viktor.
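
One way to lay out the split described in the reply above, as an added example that is not part of the original messages. The file name `relay-cloud-email-providers.cidr` is hypothetical, and the layout assumes the goal is both to relay and to tag mail from the listed block.

```conf
# --- main.cf of the postfix-mta-in instance ---
cidr = cidr:${config_directory}/

# Relay decision only. The table used here must return a permit result
# (OK). PREPEND adds a header but does not permit the request, so with a
# PREPEND-only table evaluation continues down the list to "reject".
smtpd_relay_restrictions =
    permit_mynetworks
    check_client_access ${cidr}relay-cloud-email-providers.cidr
    permit_tls_clientcerts
    reject

# Evaluated after smtpd_relay_restrictions. The same CIDR block is
# matched a second time here, this time only to add the header.
smtpd_recipient_restrictions =
    reject_non_fqdn_recipient
    reject_unknown_recipient_domain
    check_client_access ${cidr}tag-cloud-email-providers.cidr

# --- relay-cloud-email-providers.cidr (hypothetical file name) ---
209.85.128.0/17    OK

# --- tag-cloud-email-providers.cidr (entry as posted) ---
209.85.128.0/17    PREPEND X-Gmail-Tenant: TRUE
```

The `OK` table authorizes relaying for every client address inside the listed ranges, so keep it no wider than the ranges that are actually meant to relay.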