For those who've asked, here's the updated output of 'postconf -n' after trying all the various suggestions I've gotten on-list and off:
alias_database = hash:/etc/aliases alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases append_dot_mydomain = no biff = no bounce_template_file = /etc/postfix/bounce.cf command_directory = /usr/sbin config_directory = /etc/postfix daemon_directory = /usr/lib/postfix debug_peer_list = 127.0.0.1 default_destination_concurrency_limit = 3 delay_warning_time = 4 disable_vrfy_command = yes mailbox_command = /usr/bin/procmail -p mailbox_size_limit = 0 manpage_directory = /usr/share/man masquerade_domains = example.com masquerade_exceptions = root mydestination = $myhostname $mydomain example.com mydomain = example.com mynetworks = 127.0.0.0/8, 192.168.1.101/32 myorigin = /etc/mailname owner_request_special = no readme_directory = /usr/share/doc/postfix recipient_delimiter = - relay_destination_recipient_limit = 5 relayhost = smtp.charter.net sample_directory = /usr/share/doc/postfix/examples setgid_group = postdrop smtpd_authorized_verp_clients = $mynetworks smtpd_banner = $myhostname ESMTP $mail_name smtpd_client_restrictions = permit_mynetworks reject_rbl_client zen.spamhaus.org smtpd_delay_reject = no smtpd_error_sleep_time = 5 smtpd_helo_required = yes smtpd_helo_restrictions = reject_invalid_helo_hostname reject_non_fqdn_helo_hostname reject_unknown_helo_hostname check_helo_mx_access hash:/etc/postfix/mx_access smtpd_recipient_restrictions = check_recipient_mx_access hash:/etc/postfix/mx_access check_recipient_access hash:/etc/postfix/recipient_access reject_unauth_destination check_policy_service inet:127.0.0.1:60000 smtpd_sender_restrictions = check_sender_mx_access hash:/etc/postfix/mx_access check_sender_access hash:/etc/postfix/sender_access reject_unknown_sender_domain smtpd_soft_error_limit = 2 The outbound mail is *still* not being bounced when the RCPT TO is the secureserver.net domain: Jan 21 15:04:47 penguin postfix/pickup[5781]: B0CFB37CAB: uid=1000 from=<f...@example.com> Jan 21 15:04:47 penguin postfix/cleanup[5758]: B0CFB37CAB: message-id=<20090121230447.gm32...@penguin.example.com> Jan 21 15:04:47 penguin postfix/qmgr[5759]: B0CFB37CAB: from=<f...@example.com>, size=3389, nrcpt=1 (queue active) Jan 21 15:04:49 penguin postfix/smtp[5783]: B0CFB37CAB: to=<postmas...@secureserver.net>, relay=smtp.charter.net[209.225.8.224]:25, delay=2.1, delays=0.05/0.02/0.31/1.7, dsn=2.0.0, status=sent (250 Message received: 20090121230448.wvar25639.aarprv04.charter....@penguin.example.com) Jan 21 15:04:49 penguin postfix/qmgr[5759]: B0CFB37CAB: removed So, no matter where I put the check for the recipient MX record, it is not being processed. And before anyone asks, the hash table has been processed with postmap: $ sudo postmap -s /etc/postfix/mx_access secureserver.net REJECT smtp.secureserver.net REJECT so there should be no excuses for the table not to be referenced *somewhere* in the chain. -- "Oh, look: rocks!" -- Doctor Who, "Destiny of the Daleks"