Is there any downside to using reject_unauth_destination? I had it commented 
out but I did not have a note on why it was disabled. Reading the description, 
it seems like it should always be turned on (or at least that it couldn't 
possibly hurt)?

<http://www.postfix.org/postconf.5.html#reject_unauth_destination>

Is it even going to trigger with Postscreen in place?

(for now I've stuck warn_if_ in front of it)

my smtpd_*_restrictions (mail_version = 2.10.0)

smtpd_data_restrictions = reject_unauth_pipelining,
    reject_multi_recipient_bounce, permit

smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname, permit

smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_non_fqdn_sender, reject_non_fqdn_recipient,
    reject_unknown_sender_domain, reject_invalid_hostname,
    warn_if_reject_unauth_destination, reject_unlisted_recipient,
    reject_unlisted_sender, reject_unknown_reverse_client_hostname,
    check_client_access hash:$config_directory/access, permit

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
    reject_unauth_destination


Can I just go with 

smtpd_recipient_restrictions = reject_unauth_destination,permit
smtpd_relay_restrictions = 

and in master.cf
submission inet  n       -       n       -       -       smtpd
    -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes
    -o smtpd_sasl_type=dovecot -o smtpd_sasl_path=private/auth
    -o smtpd_sasl_security_options=noanonymous
    -o smtpd_sasl_local_domain=$myhostname
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o syslog_name=submit-tls

?

and is client_restrictions the best choice for submission? I've seen some confs
have both

  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_data_restrictions=permit_sasl_authenticated,reject

Why?

-- 
This wasn't a proper land. The sky was blue, not flaming with all the
colours of the aurora. And time was passing. To a creature not born
subject to time, it was a sensation not unakin to falling. --Lords and
Ladies
