postfix-users May 2014 archive
Main Archive Page > Month Archives  > postfix-users archives
postfix-users: check_client_access doesn't use xforward-IP

check_client_access doesn't use xforward-IP

From: Peer Heinlein <p.heinlein_at_nospam>
Date: Sun May 04 2014 - 20:20:23 GMT
To: Postfix Users Users <postfix-users@postfix.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

as shown in the log we have a Postfix 2.9.4 with a localhost-connect
from Amavis on Port 10025 that uses the xforward-command to give us
the source IP address from the real client:

Apr 28 16:04:19 host postfix/smtpd[31803]: connect from
localhost[127.0.0.1]
[...]
Apr 28 16:04:19 host postfix/smtpd[31803]: < localhost[127.0.0.1]:
XFORWARD ADDR=10.90.x.x PORT=56465 PROTO=ESMTP
HELO=host.business.example.com SOURCE=REMOTE
Apr 28 16:04:19 host postfix/smtpd[31803]: > localhost[127.0.0.1]: 250
2.0.0 Ok

But in the smtpd_recipient_restrictions Postfix makes lookups just for
the localhost source IP 127.0.0.1:

Apr 28 16:04:19 host postfix/smtpd[31803]: >>> START Recipient address
RESTRICTIONS <<<

Apr 28 16:04:19 host postfix/smtpd[31803]: generic_checks:
name=check_client_access
Apr 28 16:04:19 host postfix/smtpd[31803]: check_namadr_access: name
localhost addr 127.0.0.1
Apr 28 16:04:19 host postfix/smtpd[31803]: check_domain_access: localhost
Apr 28 16:04:19 host postfix/smtpd[31803]: check_addr_access: 127.0.0.1
Apr 28 16:04:19 host postfix/smtpd[31803]: generic_checks:
name=check_client_access status=0

I would have expected to see Postfix also (or instead?) making lookups
for the 10.90.x.x, which is included in the client_access_map and
should match here.

We have to trigger a REDIRECT-action in the client_access_map, which
is not possible before a smtpd_proxy_filter, so having a lookup for
the real client IP on Port 10025 is important for us.

Peer

- --
Heinlein Support GmbH
Schwedter Str. 8/9b, 10119 Berlin

http://www.heinlein-support.de

Tel: 030 / 405051-42
Fax: 030 / 405051-19

Zwangsangaben lt. §35a GmbHG: HRB 93818 B / Amtsgericht
Berlin-Charlottenburg,
Geschäftsführer: Peer Heinlein -- Sitz: Berlin
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJTZqEHAAoJEAOLLpq5E82HD5EIAMCA5BxN8MlzUTBpXgo06wqF
LmQBh9hoJHNI6+n3sjLagZZs6fmW0/mbO2Xc+wYc71pIYPcP+4Pfwmfxj6pEOnGK
RrkiDbC3RlXCxn05kj1V6tCED2JtCWXIf6ak7nMm28sODHfOZE2pfndly7bC/pnC
Ld0/fRQA8/GPsezx1RvhWoDxflrWNpOA4zZMQdkoPbjRf8+NvdmET7iSxxrx+Dz1
iXHaljzNEJLW2AOjiFZJvzjOPL6rVuuLevFRjNg0vhnX80LRsnYTx/F/ScN0flbP
uTMyZ4VYed0lbClBdhmqeITb73/wH9pzSXFRWTDSgu5x9tNmjQyzk1APnbIGwZc=
=4E9Q
-----END PGP SIGNATURE-----