The last hour or two, the emails that contain the login codes for cloudflare access pages, are not coming through to the people who are attempting to login.
Problem is ongoing 24 hours later. Still no emails being sent.
Submitted a support ticket.
I’m able to receive emails.
CF will not send a code to an email that isn’t allowed access via access policies. But, to prevent email fuzzing, Cloudflare will still show the “A code has been emailed to you” screen even if your email is not allowed.
For example: if
[email protected] is the only email allowed in an access policy, when
[email protected] or
[email protected] try to log in, they won’t get an email code but they will still see the “A code has been emailed to you” screen.
These “fake” access code events will show up in the Access Tab -> Events -> All access requests.
Okay. When I went to
All access requests everything was denied.
I had configured the access policy to be allow xyz emails, as well as deny everyone — as I had figured the
deny everyone was required to achieve the functionality you mentioned (to deny everyone). Removing the
deny everyone and just keeping the allow xyz emails ended up restoring the login code emails.
I wonder then why deny everyone is possible, if that is already the default?
You are right that this can be quite confusing.
If you set an Access Policy with only Allow for, say, an Access Group with x number of email addresses, the policy will deny everyone but the visitors set to be allowed, that is, those who authenticate themselves using one of the email addresses on that Access Group.
However, let’s say you want to allow a pre-defined list of emails, or even all emails ending with
example.com. This could be a large list, and you may want to create an exception for certain email addresses. In this case, you could use the Deny action to exclude from that broader authorization a subset of email addresses.
According to the documentation:
This policy is used to deny access to a user , set of users or to an access group.
Example: Say you have an employee portal application to manage payroll and vacation. You want only your full time employees to access the portal. You can create an access policy to deny access to
eportal.company.comfor everyone who is part of Contractors access group.