add smtpd CIDR client access check

deploy

@@ -20,7 +20,7 @@ [email protected]
 rsync -rpcv --delete --chmod=D755,F644 --fsync --preallocate dovecot opendmarc $remote:/etc/
 rsync -rpcv --delete --chown root:opendkim --chmod=D750,F640 --fsync --preallocate opendkim $remote:/etc/
 rsync -pcv --chmod=644 --fsync --preallocate python-policyd-spf/policyd-spf.conf $remote:/etc/python-policyd-spf
-rsync -rpcv --chmod=D755,F644 --fsync --preallocate postfix/aliases postfix/body_checks postfix/main.cf postfix/header_checks postfix/sender_access postfix/submission_header_checks $remote:/etc/postfix/
+rsync -rpcv --chmod=D755,F644 --fsync --preallocate postfix/aliases postfix/body_checks postfix/client_access.cidr postfix/main.cf postfix/header_checks postfix/sender_access postfix/submission_header_checks $remote:/etc/postfix/
 ssh $remote "newaliases; postmap /etc/postfix/sender_access"
 rsync -rpcv --chmod=D755,F644 --fsync --preallocate systemd/ $remote:/etc/systemd/
 rsync -rpcv --chmod=D755,F644 --fsync --preallocate tmpfiles.d/opendmarc.conf $remote:/etc/tmpfiles.d/

postfix/main.cf

@@ -708,7 +708,7 @@ smtpd_helo_required = yes
 smtpd_helo_restrictions = reject_invalid_hostname, reject_non_fqdn_hostname
 
 smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
-smtpd_recipient_restrictions = check_sender_access lmdb:/etc/postfix/sender_access, check_policy_service unix:private/policyd-spf
+smtpd_recipient_restrictions = check_client_access cidr:/etc/postfix/client_access.cidr, check_sender_access lmdb:/etc/postfix/sender_access, check_policy_service unix:private/policyd-spf
 
 smtpd_reject_unlisted_sender = yes
 smtpd_sender_login_maps = lmdb:/etc/postfix/sender_login_maps