Viktor Dukhovni:
> On Tue, May 28, 2013 at 01:18:25PM -0400, Wietse Venema wrote:
>
> > I strongly suggest that you swap the order of the following
> > two rules in main.cf:
> >
> > check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
> > reject_unauth_destination,
> >
> > This should be:
> >
> > reject_unauth_destination,
> > check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
> >
> > Many open relay problems are caused by having an access table
> > before reject_unauth_destination.
>
> Indeed the second form is safer, and equivalent provided all the
> recipients are in a domain that is not rejected by
> reject_unauth_destination.
>
> Though in this case it is a *recipient* check, so problems are unlikely,
> unless the table includes unintended remote addresses. Unlike sender
> addresses, recipient addresses are not subject to "forgery".
There is no need to forge "u...@yahoo.com" if a spammer really
wants to send mail there :-)
Wietse
