client_access not working

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

client_access not working

Robby Van Mieghem
Hello

I'm setting up a new postfix multi-instance and having issue with the client_access setting ( this worked fine on our other RH6 servers with postfix 2.6.6 )

Now with RH8 and postfix 3.3.1 it's not working. We are using the same config :

smtpd_client_restrictions       =

                check_client_access cidr:${config_directory}/client_access,

                reject

 

Waar de client_access bevat :

 

# EOP ranges as indicated by MS

23.103.132.0/22 OK

23.103.136.0/21 OK

23.103.156.0/22 OK

23.103.198.0/24 OK

23.103.200.0/22 OK

23.103.212.0/22 OK

…..


Tried testing it also with : postmap -q "1.1.1.1" cidr:/etc/postfix-EOP2DC/client_access à no result


So it generally allows every IP now...


Anyone else came into this one ?


regs

Reply | Threaded
Open this post in threaded view
|

Re: client_access not working

Viktor Dukhovni
On Mon, Mar 16, 2020 at 09:06:00AM +0100, Robby Van Mieghem wrote:

> smtpd_client_restrictions =
>   check_client_access cidr:${config_directory}/client_access,
>   reject
>
> # EOP ranges as indicated by MS
> 23.103.132.0/22 OK
> 23.103.136.0/21 OK
> 23.103.156.0/22 OK
> 23.103.198.0/24 OK
> 23.103.200.0/22 OK
> 23.103.212.0/22 OK

Unsurpringly, this returns "OK" for the listed entries, and
no result otherwise, which then in "smtpd_client_restrictions"
falls through to "reject".

> Tried testing it also with:
>
>  $  postmap -q "1.1.1.1" cidr:/etc/postfix-EOP2DC/client_access
>
> à no result

As expected, since "1.1.1.1" does not appear to be listed in the CIDR
table.

> So it generally allows every IP now...

No, that's not the right conclusion.

--
    Viktor.
Reply | Threaded
Open this post in threaded view
|

Re: client_access not working

Wietse Venema
Viktor Dukhovni:

> On Mon, Mar 16, 2020 at 09:06:00AM +0100, Robby Van Mieghem wrote:
>
> > smtpd_client_restrictions =
> >   check_client_access cidr:${config_directory}/client_access,
> >   reject
> >
> > # EOP ranges as indicated by MS
> > 23.103.132.0/22 OK
> > 23.103.136.0/21 OK
> > 23.103.156.0/22 OK
> > 23.103.198.0/24 OK
> > 23.103.200.0/22 OK
> > 23.103.212.0/22 OK
>
> Unsurpringly, this returns "OK" for the listed entries, and
> no result otherwise, which then in "smtpd_client_restrictions"
> falls through to "reject".
>
> > Tried testing it also with:
> >
> >  $  postmap -q "1.1.1.1" cidr:/etc/postfix-EOP2DC/client_access
> >
> > ? no result
>
> As expected, since "1.1.1.1" does not appear to be listed in the CIDR
> table.
>
> > So it generally allows every IP now...
>
> No, that's not the right conclusion.

To test access rules properly, use XCLIENT.
http://www.postfix.org/XCLIENT_README.html

        Wietse