Hi Viktor,

On Mon, Dec 21, 2020 at 11:20:30PM -0500, Viktor Dukhovni wrote:
> On Tue, Dec 22, 2020 at 03:23:56AM +0000, Matthew Selsky wrote:
>
> > cidr = cidr:${config_directory}/
> > smtpd_recipient_restrictions =
> >     reject_non_fqdn_recipient
> >     reject_unknown_recipient_domain
> >     check_client_access ${cidr}tag-cloud-email-providers.cidr
>
> Yes, this will tag any message that is ultimately accepted.
>
> > smtpd_relay_restrictions =
> >     permit_mynetworks
> >     check_client_access ${cidr}cloud-email-providers.cidr
> >     permit_tls_clientcerts
>
> Yes, this will permit relay access for the matching IPs.

Thanks, this worked perfectly!

> No, you can leave mynetworks unchanged if there is more to mynetworks
> than mere relay access.

Is there any reason not to merge ${cidr}cloud-email-providers.cidr into
mynetworks? I only reference mynetworks in the following places currently:

smtpd_helo_restrictions =
    permit_mynetworks
    reject_invalid_helo_hostname
    reject_non_fqdn_helo_hostname

smtpd_relay_restrictions =
    permit_mynetworks
    check_client_access ${cidr}cloud-email-providers.cidr
    permit_tls_clientcerts reject

If I add ${cidr}cloud-email-providers.cidr to mynetworks, then they'd pick up
the relaxed restrictions for smtpd_helo_restrictions, so this seems reasonable
and allows me to maintain 1 fewer table. Is there anything that I'm missing?

Thanks,
-Matt
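
One check worth running before such a merge, as an added example that is not part of the original message or of Postfix itself: under check_client_access the right-hand side of each row is an action, whereas a table referenced from mynetworks matches on any hit and ignores the result, so rows such as DUNNO or REJECT would start to count as trusted. The table contents below are constructed (documentation address ranges), the function names are hypothetical, and only simple "pattern action" lines are handled (no IF/ENDIF or negated patterns).

```python
import ipaddress

# Constructed sample in cidr_table(5) "pattern action" form; the addresses
# are documentation ranges, not the poster's real table.
SAMPLE_TABLE = """\
# cloud-email-providers.cidr (constructed)
192.0.2.17        DUNNO
192.0.2.0/24      OK
198.51.100.0/25   permit
203.0.113.0/24    REJECT not a relay client
2001:db8:25::/48  OK
"""

# First words of access(5) results that already permit the client.
PERMIT_ACTIONS = {"OK", "PERMIT"}


def parse_cidr_table(text):
    """Return (network, action) pairs from simple 'pattern action' lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        fields = line.split(None, 1)
        action = fields[1].strip() if len(fields) > 1 else ""
        network = ipaddress.ip_network(fields[0], strict=False)
        entries.append((network, action))
    return entries


def changed_by_merge(entries):
    """Rows that do not permit under check_client_access but would still
    match, and so be trusted, if the table were listed in mynetworks."""
    changed = []
    for network, action in entries:
        verb = action.split()[0].upper() if action else ""
        # access(5) treats an all-numerical result as OK.
        permits = verb in PERMIT_ACTIONS or action.isdigit()
        if not permits:
            changed.append((str(network), action))
    return changed


if __name__ == "__main__":
    for network, action in changed_by_merge(parse_cidr_table(SAMPLE_TABLE)):
        print(f"{network}: '{action}' would be ignored and the client trusted")
```

An empty result means every row already permits, so the merge changes only which restriction lists see the clients, not which clients are matched.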