> No. If you tell Postfix to match subdomains, the lookup that does
> this is the domain name WITHOUT the leading dot. For example, this:
>
> ihost.com permit_auth_destination
>
> would match for a check_sender_access lookup of
> i...@low1ap106.infra.secaucus.mebs.ihost.com . (Maybe my complaint
> went up the line, because I see that name now has an A record. Go
> figure!)
>
> If you unset parent_domain_matches_subdomains as I suggested, the
> lookup would be this, with the leading dot:
>
> .ihost.com permit_auth_destination

Yep. Got that. I had set it using the .domain.tld method without including $parent_domain_matches_subdomains initially because the way I understood the access(5) manual page I didn't need to do this, and only using $parent_domain_matches_subdomains without the leading '.' and in conjunction with an smtpd access map but, I'm easily confused :-)

[ ... ]

> You have what is IMO an unwieldy and hard-to-manage set of smtpd
> restrictions. Personally, I prefer keeping most or all restrictions
> in a single stage, smtpd_recipient_restrictions. However, IIRC from
> your OP, you did have the reject_unknown_sender_domain only in
> smtpd_sender_restrictions. Therefore yes, you are right. But to
> understand why, you should know that reject_unknown_sender_domain
> that caused your rejection. Anywhere you use that restriction, you
> must precede it with your whitelist lookup.

I'm going to re-read about smtpd_*_restrictions to better understand what I've done because from what you've said I could improve my configuration, but can I ask quickly, do you mean I can move all of the smtpd restrictions I'm using into $smtpd_recipient_restrictions?

> Ugh. Do consider standing up for the principle of requiring senders
> to use real domains in their email addresses. I would have done so
> myself, but I knew they were not going to resend the bounced email.
> :) (IIRC it was just a copy of my invoice, which I had from my Web
> browser anyway.)

Yeah, I feel the frustration with that too. I mean, the fuss I've gone to today just to get one message through my server; and the fact it's the ISP I'm paying that has sent it is not very encouraging.

Thanks again for your time and help.

Jamie.
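
The two points discussed in this message, as an added example that is not part of the original thread and not Postfix code: a simplified Python model of which domain keys a check_sender_access lookup tries with and without smtpd_access_maps listed in parent_domain_matches_subdomains, and why the whitelist lookup has to come before reject_unknown_sender_domain. The function names, the `user` local part and the empty `RESOLVABLE` set are constructed for illustration, and the recipient is assumed to be local so that permit_auth_destination permits.

```python
# Simplified model of Postfix access(5) domain matching for check_sender_access.
# Not Postfix source code; full-address and "user@" lookups are left out.

def domain_lookup_keys(sender, parent_matches_subdomains):
    """Domain keys tried for `sender`, in order."""
    domain = sender.rsplit("@", 1)[1].lower()
    keys = [domain]                       # the exact domain is always tried first
    while "." in domain:
        domain = domain.split(".", 1)[1]  # strip the leftmost label
        keys.append(domain if parent_matches_subdomains else "." + domain)
    return keys


def sender_access(sender, access_map, parent_matches_subdomains):
    """First matching action from the map, or None (DUNNO)."""
    for key in domain_lookup_keys(sender, parent_matches_subdomains):
        if key in access_map:
            return access_map[key]
    return None


def sender_stage(sender, restrictions, access_map, parent_style, resolvable):
    """Evaluate restrictions left to right; the first decisive result wins."""
    for r in restrictions:
        if r == "check_sender_access":
            # Assumption: the recipient is local, so permit_auth_destination permits.
            if sender_access(sender, access_map, parent_style) == "permit_auth_destination":
                return "permit"
        elif r == "reject_unknown_sender_domain":
            if sender.rsplit("@", 1)[1].lower() not in resolvable:
                return "reject"
    return "dunno"


# Constructed sample data: placeholder local part, host name with no DNS records.
SENDER = "user@low1ap106.infra.secaucus.mebs.ihost.com"
RESOLVABLE = set()

if __name__ == "__main__":
    for style, table in ((True, {"ihost.com": "permit_auth_destination"}),
                         (False, {".ihost.com": "permit_auth_destination"})):
        print(style, domain_lookup_keys(SENDER, style))
        for order in (["check_sender_access", "reject_unknown_sender_domain"],
                      ["reject_unknown_sender_domain", "check_sender_access"]):
            print("  ", order, "->", sender_stage(SENDER, order, table, style, RESOLVABLE))
```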