On Fri, Jul 05, 2013 at 10:00:02AM -0400, W T Riker wrote:

> Thanks for that explanation. I think I understand the way it works now
> so I modified my restrictions a bit. Does this order pass the sniff test?
>
> smtpd_recipient_restrictions =
>     reject_non_fqdn_recipient,
>     reject_non_fqdn_sender,
>     reject_unlisted_recipient,
>     permit_mynetworks,
>     permit_sasl_authenticated,
>     reject_unauth_destination,
>     reject_invalid_helo_hostname,
>     reject_unknown_sender_domain,

Fine up to here.

>     reject_unknown_recipient_domain

This is not a good idea in this context, you've already checked the
message is to one of your own domains. Unless you've specified
relay_domains (and you have relay_domains listed in
parent_domain_matches_subdomains) or inherit relay_domains via its
default $mydestination, every domain you accept should be "known",
you just risk deferring mail due to transient DNS lookup errors.

You should generally avoid having subdomain matching in relay_domains,
set parent_domain_matches_subdomains empty or perhaps just:

    parent_domain_matches_subdomains = smtpd_access_maps

if your access tables rely on this to match a domain and all its
subdomains. The backwards compatible default is:

    parent_domain_matches_subdomains =
        debug_peer_list,
        fast_flush_domains,
        mynetworks,
        permit_mx_backup_networks,
        qmqpd_authorized_clients,
        relay_domains,
        smtpd_access_maps

--
Viktor.
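
An added example, not part of the original message: a small Python lint that checks a main.cf for the two points raised in the reply above. The function names and the sample main.cf text are constructed for illustration; the sample mirrors the restriction list quoted in the thread.

```python
import re

# Constructed sample main.cf text (mirrors the list quoted in the thread).
SAMPLE_MAIN_CF = """\
smtpd_recipient_restrictions =
    reject_non_fqdn_recipient,
    reject_non_fqdn_sender,
    reject_unlisted_recipient,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_invalid_helo_hostname,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain
"""

def parse_main_cf(text):
    """Return {name: value}; a line starting with whitespace continues the previous one."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comment lines are ignored
        if line[0].isspace() and name:
            params[name] += " " + line.strip()
        elif "=" in line:
            name = line.split("=", 1)[0].strip()
            params[name] = line.split("=", 1)[1].strip()
    return params

def split_list(value):
    """main.cf list values are separated by commas and/or whitespace."""
    return [tok for tok in re.split(r"[,\s]+", value) if tok]

def lint(text):
    """Hypothetical lint: one finding per point made in the reply."""
    params, findings = parse_main_cf(text), []
    rules = split_list(params.get("smtpd_recipient_restrictions", ""))
    dest, rcpt = "reject_unauth_destination", "reject_unknown_recipient_domain"
    if dest in rules and rcpt in rules and rules.index(rcpt) > rules.index(dest):
        findings.append(f"{rcpt} listed after {dest}")
    pdms = params.get("parent_domain_matches_subdomains")
    # Unset means the backwards compatible default, which includes relay_domains.
    if pdms is None or "relay_domains" in split_list(pdms):
        findings.append("relay_domains matches subdomains")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE_MAIN_CF):
        print("WARN:", finding)
```
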