On 07/05/2013 04:07 PM, Viktor Dukhovni wrote:
> On Fri, Jul 05, 2013 at 10:00:02AM -0400, W T Riker wrote:
>
>> Thanks for that explanation. I think I understand the way it works now
>> so I modified my restrictions a bit. Does this order pass the sniff test?
>>
>> smtpd_recipient_restrictions =
>>     reject_non_fqdn_recipient,
>>     reject_non_fqdn_sender,
>>     reject_unlisted_recipient,

I'd say that reject_unlisted_recipient will also reject mail to offsite recipients, even when it is sent by an authenticated sender (since permit_sasl_authenticated is specified later).

>>     permit_mynetworks,
>>     permit_sasl_authenticated,
>>     reject_unauth_destination,
>>     reject_invalid_helo_hostname,
>>     reject_unknown_sender_domain,
>
> Fine up to here.
>
>>     reject_unknown_recipient_domain
>
> This is not a good idea in this context, you've already checked
> the message is to one of your own domains. Unless you've specified
> relay_domains (and you have relay_domains listed in
> parent_domain_matches_subdomains) or inherit relay_domains via its
> default $mydestination, every domain you accept should be "known",
> you just risk deferring mail due to transient DNS lookup errors.
>
> You should generally avoid having subdomain matching in relay_domains,
> set parent_domain_matches_subdomains empty or perhaps just:
>
> parent_domain_matches_subdomains = smtpd_access_maps
>
> if your access tables rely on this to match a domain and all its
> subdomains.
>
> The backwards compatible default is:
>
> parent_domain_matches_subdomains =
>     debug_peer_list,
>     fast_flush_domains,
>     mynetworks,
>     permit_mx_backup_networks,
>     qmqpd_authorized_clients,
>     relay_domains,
>     smtpd_access_maps
>
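As an added illustration (not code from the thread or from Postfix itself) of Viktor's point about subdomain matching: the script below is a simplified model of how a Postfix domain list such as relay_domains matches a recipient domain, depending on whether that parameter is listed in parent_domain_matches_subdomains. The DEFAULT_PDMS set is the backwards-compatible default quoted above; the leading-dot handling is the documented ".domain.tld matches subdomains only" rule and is an approximation of the real matcher, not its source.

```python
# Simplified model of Postfix domain-list matching (assumption: an
# approximation for illustration, not Postfix's own match_list code).

# Backwards-compatible default of parent_domain_matches_subdomains,
# as quoted in the thread.
DEFAULT_PDMS = frozenset({
    "debug_peer_list", "fast_flush_domains", "mynetworks",
    "permit_mx_backup_networks", "qmqpd_authorized_clients",
    "relay_domains", "smtpd_access_maps",
})


def domain_matches(domain, pattern, param, pdms=DEFAULT_PDMS):
    """True if `domain` matches `pattern` in the list named `param`.

    - ".example.com" matches proper subdomains of example.com only.
    - "example.com" matches example.com itself, and also its subdomains
      when `param` is listed in parent_domain_matches_subdomains.
    """
    domain = domain.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("."):
        return domain.endswith(pattern) and domain != pattern[1:]
    if domain == pattern:
        return True
    return param in pdms and domain.endswith("." + pattern)


def is_relay_destination(domain, relay_domains, pdms=DEFAULT_PDMS):
    """Would reject_unauth_destination treat `domain` as a relay domain?"""
    return any(domain_matches(domain, p, "relay_domains", pdms)
               for p in relay_domains)


if __name__ == "__main__":
    # Constructed sample: relay_domains = example.com, one offsite subdomain.
    relay = ["example.com"]
    for pdms in (DEFAULT_PDMS, frozenset({"smtpd_access_maps"})):
        print(sorted(pdms),
              "mail.example.com ->", is_relay_destination("mail.example.com", relay, pdms))
```

With the compat default, relay_domains = example.com silently makes the server relay for every subdomain; removing relay_domains from parent_domain_matches_subdomains restricts relaying to the domains actually listed.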