Since I have moved all local users to virtual users and switched dovecot to lmtp from lda, I was able to add reject_unverified_recipient to my restrictions, and it occurred to me maybe some of the other restrictions could be eliminated.
Do reject_non_fqdn_recipient, reject_unauth_destination, do anything that isn’t done with the check for unverified recipient? smtpd_recipient_restrictions = reject_unauth_destination reject_non_fqdn_sender reject_non_fqdn_recipient reject_unknown_recipient_domain reject_unknown_sender_domain reject_unlisted_recipient reject_unlisted_sender reject_invalid_hostname reject_unverified_recipient reject_unknown_reverse_client_hostname reject_unknown_client_hostname permit The sample block at <http://www.postfix.org/ADDRESS_VERIFICATION_README.html> shows this being added late in the list, and after reject_unknown_recipient_domain, but is that check necessary when the probe postfix does is local (I understand the answer is different when dealing with a relay domain that is probing another server). Does it matter if there are only hundreds of addresses instead of tens of thousands? If nearly all users accounts get at least an email a day, will any probes be done at all after the first day? (That is, how persistent is the persistent database postfix keeps of verified recipients? Does it persists through reloads of postfix, reboots of the system?) -- Do not meddle in the affairs of Dragons for you are crunchy and taste good with ketchup