Thanks. I fixed it.
On 7/5/2013 10:07 AM, Viktor Dukhovni wrote:
> On Fri, Jul 05, 2013 at 10:00:02AM -0400, W T Riker wrote:
>
>> Thanks for that explanation. I think I understand the way it works now
>> so I modified my restrictions a bit. Does this order pass the sniff test?
>>
>> smtpd_recipient_restrictions =
>> reject_non_fqdn_recipient,
>> reject_non_fqdn_sender,
>> reject_unlisted_recipient,
>> permit_mynetworks,
>> permit_sasl_authenticated,
>> reject_unauth_destination,
>> reject_invalid_helo_hostname,
>> reject_unknown_sender_domain,
> Fine up to here.
>
>> reject_unknown_recipient_domain
> This is not a good idea in this context, you've already checked
> the message is to one of your own domains. Unless you've specified
> relay_domains (and you have relay_domains listed in
> parent_domain_mathes_subdomains) or inherit relay_domains via its
> default $mydestination, every domain you accept should be "known",
> you just risk deferring mail due to transient DNS lookup errors.
>
> You should generally avoid having subdomain matching in relay_domains,
> set parent_domain_matches_subdomains empty or perhaps just:
>
> parent_domain_matches_subdomains = smtpd_access_maps
>
> if your access tables rely on this to match a domain and all its
> subdomains.
>
> The backwards compatible default is:
>
> parent_domain_matches_subdomains =
> debug_peer_list,
> fast_flush_domains,
> mynetworks,
> permit_mx_backup_networks,
> qmqpd_authorized_clients,
> relay_domains,
> smtpd_access_maps
>
