I've discovered something odd: permit_mynetworks seems to be allowing invalid addresses in rather than just allowing relaying. The symptom is that if I connect from a local client, any rcpt to is accepted; if I connect from a non-local client, it's properly rejected.
moving reject_unlisted_recipient before permit_mynetworks seems like the right answer, except that I'm afraid that would block relaying outbound mail. The impact is to our spam filter, which validates addresses based on the rcpt to response: if it looks like a valid account, it creates its own account for quarantine, settings, etc, and thus a domain with a hundred or so users ends up with 28000 accounts in the spam filter... It also seems like it makes it a backscatter source...
smime.p7s
Description: S/MIME Cryptographic Signature
