Our MX currently relays to one of two boxes (mail1, mail2) based on a list of domains in transport_maps. Both mail1 and mail2 are ours, and we have a full list of domains and recipients in relay_domains and relay_recipient maps respectively.

Now, I would like to add a third, external, relay destination for one domain. I can add the domain to relay_domains, but would prefer to use address verification for the recipients (in that domain only).

My current restrictions:

smtpd_recipient_restrictions =
 reject_unauth_destination,
 reject_unlisted_recipient,
 check_recipient_access hash:/etc/postfix/maps/rfc_addresses,
 reject_non_fqdn_helo_hostname,
 reject_invalid_helo_hostname,
 reject_non_fqdn_sender,
 check_client_access pcre:/etc/postfix/maps/reverse_dns.pcre,
 reject_unknown_sender_domain,
 check_client_access pcre:/etc/postfix/maps/generic_rbl_clients.pcre,
 check_sender_access hash:/etc/postfix/maps/backscatter_senders,
 reject_rhsbl_client dbl.spamhaus.org,
 reject_rhsbl_helo   dbl.spamhaus.org,
 reject_rhsbl_sender dbl.spamhaus.org,
 check_policy_service unix:private/policyd-spf,
 check_policy_service unix:private/postgrey,
 permit

My first question is, what effect does reject_unverified_recipient actually have? For example, if the recipient is verified, do the restrictions continue to be evaluated, or is it the equivalent of an OK? If the other restrictions are evaluated, wouldn't the address still be rejected by either reject_unlisted_recipient or the default smtpd_reject_unlisted_recipient=yes?

Regardless of the answer to that question, where is the smartest place to stick that restriction in my current list? I would prefer to add something like,

  check_recipient_access hash:/.../recipient_verify_domains

containing,

  example.com   reject_unverified_recipient

so that only that domain's addresses are verified. However, this depends on whether or not the reject_unlisted_recipient is skipped. If it isn't, should I move the reject_unlisted/unverified restrictions to the end? Or create a separate (almost-identical) restrictions class for the domain in question?
