I'm running a mailman server, and was receiving a lot of errors like the
following:

    Jan 26 07:36:39 host postfix/smtpd[13212]: NOQUEUE: reject: RCPT from localhost.localdomain[127.0.0.1]: 554 5.7.1 <f...@remote.example.com>: Relay access denied; from=<example.list-boun...@example.org> to=<f...@remote.example.com> proto=ESMTP helo=<host.example.org>

I figured the problem was that I didn't have "permit_mynetworks"
somewhere. It seems to work with the following:

    mydestination = 
            $myhostname
            $mydomain
            localhost
            localhost.localdomain
            localhost.$mydomain
    mynetworks = 
            127.0.0.0/8
            192.168.11.0/24
    smtpd_helo_required = yes
    smtpd_delay_reject = yes
    smtpd_client_restrictions =
            reject_unauth_pipelining
            reject_rbl_client zen.spamhaus.org
            check_client_access hash:/etc/postfix/domain_access
            permit_mynetworks
    smtpd_helo_restrictions = 
            reject_invalid_helo_hostname
            reject_non_fqdn_helo_hostname
            reject_unknown_helo_hostname
    smtpd_sender_restrictions = 
            check_sender_mx_access hash:/etc/postfix/sender_mx_access
            check_sender_access hash:/etc/postfix/sender_access
            reject_unknown_sender_domain
    smtpd_recipient_restrictions = 
            permit_mynetworks
            reject_unauth_destination
            reject_unknown_recipient_domain
            check_recipient_mx_access hash:/etc/postfix/recipient_mx_access
            check_recipient_access hash:/etc/postfix/recipient_access
            check_policy_service inet:127.0.0.1:60000
    smtpd_error_sleep_time = 5
    smtpd_soft_error_limit = 2
    owner_request_special = no

but it looks like I had to list permit_mynetworks twice: once in
recipients, and once in clients. So, three questions, really:

    1. Do I really need it in both places? It seems so from trial and
       error, but maybe I'm just not understanding the evaluation order.

    2. Isn't having permit_mynetworks as the first item under
       smtpd_recipient_restrictions setting me up for anyone who spoofs
       127.0.0.1 as the destination IP address? I thought the web site
       recommended putting it at the bottom of the evaluation order.

    3. Isn't having permit_mynetworks under client restrictions exposing
       me to anyone who spoofs localhost during the SMTP connection
       setup?

I'm completely willing to own up to PEBKAC on this one, but I *have*
read the manuals on this issue...I just haven't grokked them fully.

-- 
"Oh, look: rocks!"
        -- Doctor Who, "Destiny of the Daleks"
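
An added example, not part of the original post: a minimal Python model of Postfix's documented evaluation rule (each smtpd_*_restrictions list is evaluated on its own; a permit ends only the current list, a reject ends the whole command), applied to the 127.0.0.1 client from the log line above. The function names mirror Postfix restriction names, the expanded mydestination values are assumed, and the RBL, access-table and policy-service checks are left out because their data is not on the page.

```python
import ipaddress

# From the posted main.cf; $myhostname/$mydomain are expanded with assumed
# values (host.example.org / example.org) for this model.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.11.0/24")]
MYDESTINATION = {"host.example.org", "example.org", "localhost",
                 "localhost.localdomain", "localhost.example.org"}

def permit_mynetworks(client_ip, rcpt_domain):
    # Matches the address of the connecting TCP peer, not anything the
    # client says in HELO, MAIL FROM or RCPT TO.
    ip = ipaddress.ip_address(client_ip)
    return "PERMIT" if any(ip in net for net in MYNETWORKS) else "DUNNO"

def reject_unauth_destination(client_ip, rcpt_domain):
    # Simplified: relay_domains and virtual domains are not modelled.
    return "DUNNO" if rcpt_domain in MYDESTINATION else "REJECT"

def evaluate(stages, client_ip, rcpt_domain):
    """Run the restriction lists in order. REJECT ends everything, PERMIT
    ends only the current list, DUNNO moves on to the next restriction."""
    for stage, restrictions in stages:
        for check in restrictions:
            result = check(client_ip, rcpt_domain)
            if result == "REJECT":
                return "REJECT", stage + ":" + check.__name__
            if result == "PERMIT":
                break  # skip the rest of this list only
    return "PERMIT", None

# permit_mynetworks in the client list only: the recipient list still runs.
CLIENT_ONLY = [("client", [permit_mynetworks]),
               ("recipient", [reject_unauth_destination])]
# permit_mynetworks in both lists, as in the posted configuration.
BOTH = [("client", [permit_mynetworks]),
        ("recipient", [permit_mynetworks, reject_unauth_destination])]

if __name__ == "__main__":
    # Constructed inputs: the local Mailman client and an outside client
    # (203.0.113.9 is a documentation address).
    for name, cfg in (("client only", CLIENT_ONLY), ("both", BOTH)):
        for ip in ("127.0.0.1", "203.0.113.9"):
            print(name, ip, evaluate(cfg, ip, "remote.example.com"))
```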
