On Tue, May 28, 2013 at 01:18:25PM -0400, Wietse Venema wrote:
> I strongly suggest that you swap the order of the following
> two rules in main.cf:
>
> check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
> reject_unauth_destination,
>
> This should be:
>
> reject_unauth_destination,
> check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
>
> Many open relay problems are caused by having an access table
> before reject_unauth_destination.
Indeed the second form is safer, and equivalent provided all the
recipients are in a domain that is not rejected by
reject_unauth_destination.
Though in this case it is a *recipient* check, so problems are unlikely,
unless the table includes unintended remote addresses. Unlike sender
addresses, recipient addresses are not subject to "forgery".
--
Viktor.
