For those who've asked, here's the updated output of 'postconf -n' after
trying all the various suggestions I've gotten on-list and off:

    alias_database = hash:/etc/aliases
    alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    append_dot_mydomain = no
    biff = no
    bounce_template_file = /etc/postfix/bounce.cf
    command_directory = /usr/sbin
    config_directory = /etc/postfix
    daemon_directory = /usr/lib/postfix
    debug_peer_list = 127.0.0.1
    default_destination_concurrency_limit = 3
    delay_warning_time = 4
    disable_vrfy_command = yes
    mailbox_command = /usr/bin/procmail -p
    mailbox_size_limit = 0
    manpage_directory = /usr/share/man
    masquerade_domains = example.com
    masquerade_exceptions = root
    mydestination = $myhostname    $mydomain    example.com
    mydomain = example.com
    mynetworks = 127.0.0.0/8, 192.168.1.101/32
    myorigin = /etc/mailname
    owner_request_special = no
    readme_directory = /usr/share/doc/postfix
    recipient_delimiter = -
    relay_destination_recipient_limit = 5
    relayhost = smtp.charter.net
    sample_directory = /usr/share/doc/postfix/examples
    setgid_group = postdrop
    smtpd_authorized_verp_clients = $mynetworks
    smtpd_banner = $myhostname ESMTP $mail_name
    smtpd_client_restrictions = permit_mynetworks       reject_rbl_client zen.spamhaus.org
    smtpd_delay_reject = no
    smtpd_error_sleep_time = 5
    smtpd_helo_required = yes
    smtpd_helo_restrictions = reject_invalid_helo_hostname      reject_non_fqdn_helo_hostname   reject_unknown_helo_hostname    check_helo_mx_access hash:/etc/postfix/mx_access
    smtpd_recipient_restrictions = check_recipient_mx_access hash:/etc/postfix/mx_access        check_recipient_access hash:/etc/postfix/recipient_access       reject_unauth_destination       check_policy_service inet:127.0.0.1:60000
    smtpd_sender_restrictions = check_sender_mx_access hash:/etc/postfix/mx_access      check_sender_access hash:/etc/postfix/sender_access     reject_unknown_sender_domain
    smtpd_soft_error_limit = 2

The outbound mail is *still* not being bounced when the RCPT TO is
the secureserver.net domain:

    Jan 21 15:04:47 penguin postfix/pickup[5781]: B0CFB37CAB: uid=1000 from=<f...@example.com>
    Jan 21 15:04:47 penguin postfix/cleanup[5758]: B0CFB37CAB: message-id=<20090121230447.gm32...@penguin.example.com>
    Jan 21 15:04:47 penguin postfix/qmgr[5759]: B0CFB37CAB: from=<f...@example.com>, size=3389, nrcpt=1 (queue active)
    Jan 21 15:04:49 penguin postfix/smtp[5783]: B0CFB37CAB: to=<postmas...@secureserver.net>, relay=smtp.charter.net[209.225.8.224]:25, delay=2.1, delays=0.05/0.02/0.31/1.7, dsn=2.0.0, status=sent (250 Message received: 20090121230448.wvar25639.aarprv04.charter....@penguin.example.com)
    Jan 21 15:04:49 penguin postfix/qmgr[5759]: B0CFB37CAB: removed

So, no matter where I put the check for the recipient MX record, it is
not being processed. And before anyone asks, the hash table has been
processed with postmap:

    $ sudo postmap -s /etc/postfix/mx_access
    secureserver.net        REJECT
    smtp.secureserver.net   REJECT

so there should be no excuses for the table not to be referenced
*somewhere* in the chain.

-- 
"Oh, look: rocks!"
        -- Doctor Who, "Destiny of the Daleks"
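
An added example (not part of the original post): a small Python tracer that groups Postfix log lines by queue ID and reports which daemon accepted each message. The smtpd_*_restrictions lists are evaluated only by smtpd(8), so a message whose first log line comes from postfix/pickup (local sendmail submission) never passed through them. The sample lines, queue IDs, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the log excerpt above (IDs and addresses made up).
SAMPLE_LOG = """\
Jan 21 15:04:47 penguin postfix/pickup[5781]: AAAA000001: uid=1000 from=<alice@example.com>
Jan 21 15:04:47 penguin postfix/qmgr[5759]: AAAA000001: from=<alice@example.com>, size=3389, nrcpt=1 (queue active)
Jan 21 15:04:49 penguin postfix/smtp[5783]: AAAA000001: to=<postmaster@secureserver.net>, relay=smtp.charter.net[209.225.8.224]:25, delay=2.1, dsn=2.0.0, status=sent (250 ok)
Jan 21 15:09:10 penguin postfix/smtpd[5801]: BBBB000002: client=unknown[192.168.1.101]
Jan 21 15:09:11 penguin postfix/smtp[5783]: BBBB000002: to=<bob@example.net>, relay=smtp.charter.net[209.225.8.224]:25, delay=1.0, dsn=2.0.0, status=sent (250 ok)
"""

# Short (hex) queue IDs only; "NOQUEUE" reject lines do not match.
LINE = re.compile(r"postfix/(?P<daemon>[\w-]+)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)")
DELIVERY = re.compile(r"to=<(?P<rcpt>[^>]*)>.*?relay=(?P<relay>[^,]+),.*?status=(?P<status>\w+)")
# Daemons that create the queue file, i.e. where mail enters Postfix.
ENTRY_DAEMONS = {"pickup", "smtpd"}

def trace(log_text):
    """Group log lines by queue ID: entry daemon plus each delivery attempt."""
    msgs = defaultdict(lambda: {"entry": None, "deliveries": []})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        msg = msgs[m["qid"]]
        if m["daemon"] in ENTRY_DAEMONS and msg["entry"] is None:
            msg["entry"] = m["daemon"]
        d = DELIVERY.search(m["rest"])
        if d:
            msg["deliveries"].append((d["rcpt"], d["relay"], d["status"]))
    return dict(msgs)

def local_submissions_to(log_text, domain):
    """Deliveries to `domain` for mail that entered via pickup, which means
    no smtpd_*_restrictions list was evaluated for it."""
    hits = []
    for qid, msg in trace(log_text).items():
        if msg["entry"] != "pickup":
            continue
        for rcpt, _relay, status in msg["deliveries"]:
            if rcpt.lower().endswith("@" + domain.lower()):
                hits.append((qid, rcpt, status))
    return hits

if __name__ == "__main__":
    for hit in local_submissions_to(SAMPLE_LOG, "secureserver.net"):
        print(hit)
```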
