Hi Viktor!
On Mon, Dec 21, 2020 at 07:52:49PM -0500, Viktor Dukhovni wrote:
> On Tue, Dec 22, 2020 at 12:27:13AM +0000, Matthew Selsky wrote:
>
> > I'm using multi-instance postfix and I want to relay messages from a
> > given CIDR block at a cloud provider, and I want to add a custom
> > header.
> >
> > I have this in main.cf:
> >
> > cidr = cidr:${config_directory}/
> > smtpd_recipient_restrictions =
> >     reject_non_fqdn_recipient
> >     reject_unknown_recipient_domain
> >
> > smtpd_relay_restrictions =
> >     permit_mynetworks
> >     check_client_access ${cidr}tag-cloud-email-providers.cidr
> >     permit_tls_clientcerts
> >     reject
>
> You should probably only do the relay check in relay restrictions, and
> then *again* match the CIDR block in recipient restrictions, where you
> implement the PREPEND action. Assuming I've understood your question
> correctly. The data provided is quite thorough, but the message is
> a bit light on what you're not succeeding in doing...

I want to allow the Cloud provider to be able to relay all email through
postfix.

Our setup is:

    cloud provider -> postfix gateway -> internet

I want to add a header to the messages from this cloud provider so that I can
do additional checks in other postfix instances.

The problem that I currently face is that the messages are rejected with
"Recipient address rejected: Access denied;" when I want them to be relayed
instead.

Is this what I need to accomplish that?

cidr = cidr:${config_directory}/
smtpd_recipient_restrictions =
    reject_non_fqdn_recipient
    reject_unknown_recipient_domain
    check_client_access ${cidr}tag-cloud-email-providers.cidr
smtpd_relay_restrictions =
    permit_mynetworks
    check_client_access ${cidr}cloud-email-providers.cidr
    permit_tls_clientcerts

Where tag-cloud-email-providers.cidr has:

    209.85.128.0/17 PREPEND X-TS-Gm-Tenant: TRUE

And cloud-email-providers.cidr has:

    209.85.128.0/17 OK

Or do I need to add the cloud provider's blocks to mynetworks for any reason?

Thanks,
-Matt
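
The difference between the two layouts discussed in this message, as an added Python model that is not part of the original thread and is not Postfix code: it evaluates the relay list and then the recipient list for one client, treating PREPEND as an action that adds a header and lets evaluation continue. Assumptions: the mynetworks value and the sample client addresses are constructed, the recipient checks are taken to pass, the client presents no TLS certificate, and the split relay list keeps the final reject from the first list.

```python
import ipaddress

# Constructed model inputs; TAG and ALLOW mirror the two tables quoted in the message.
MYNETWORKS = [("127.0.0.0/8", "OK")]  # assumption: the cloud block is not in mynetworks
TAG = [("209.85.128.0/17", "PREPEND X-TS-Gm-Tenant: TRUE")]
ALLOW = [("209.85.128.0/17", "OK")]

def cidr_lookup(table, client):
    """Return the action of the first matching row, or None when nothing matches."""
    addr = ipaddress.ip_address(client)
    for net, action in table:
        if addr in ipaddress.ip_network(net):
            return action
    return None

def run_list(restrictions, client, headers):
    """Evaluate one restriction list; returns 'permit', 'reject' or 'dunno'."""
    for name, arg in restrictions:
        if name == "permit_mynetworks":
            if cidr_lookup(MYNETWORKS, client):
                return "permit"
        elif name == "check_client_access":
            action = cidr_lookup(arg, client)
            if action == "OK":
                return "permit"
            if action and action.startswith("PREPEND "):
                headers.append(action[len("PREPEND "):])  # header queued, list continues
        elif name == "reject":
            return "reject"
        # Anything else (permit_tls_clientcerts without a cert, passing checks): no decision.
    return "dunno"

def smtpd_rcpt(relay, recipient, client):
    """Relay list first, then recipient list; a reject in either refuses the RCPT."""
    headers = []
    for restrictions in (relay, recipient):
        if run_list(restrictions, client, headers) == "reject":
            return "reject", []
    return "accept", headers

RCPT_CHECKS = [("reject_non_fqdn_recipient", None), ("reject_unknown_recipient_domain", None)]
# First layout: the PREPEND table sits in the relay list, so nothing permits the client.
ORIGINAL = ([("permit_mynetworks", None), ("check_client_access", TAG),
             ("permit_tls_clientcerts", None), ("reject", None)], RCPT_CHECKS)
# Split layout: OK table in the relay list, PREPEND table in the recipient list.
SPLIT = ([("permit_mynetworks", None), ("check_client_access", ALLOW),
          ("permit_tls_clientcerts", None), ("reject", None)],
         RCPT_CHECKS + [("check_client_access", TAG)])
```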