On 7/5/2013 10:52 AM, Tom Hendrikx wrote:
> On 07/05/2013 04:07 PM, Viktor Dukhovni wrote:
>> On Fri, Jul 05, 2013 at 10:00:02AM -0400, W T Riker wrote:
>>
>>> Thanks for that explanation. I think I understand the way it works now
>>> so I modified my restrictions a bit. Does this order pass the sniff test?
>>>
>>> smtpd_recipient_restrictions =
>>>         reject_non_fqdn_recipient,
>>>         reject_non_fqdn_sender,
>>>         reject_unlisted_recipient,
> I'd say that reject_unlisted_recipient will also reject mail to offsite
> recipients, even when it is sent by an authenticated sender (since
> permit_sasl_authenticated is specified later).
>
>>>         permit_mynetworks,
>>>         permit_sasl_authenticated,
>>>         reject_unauth_destination,
>>>         reject_invalid_helo_hostname,
>>>         reject_unknown_sender_domain,
>> Fine up to here.
>>
>>>         reject_unknown_recipient_domain
>> This is not a good idea in this context, you've already checked
>> the message is to one of your own domains.  Unless you've specified
>> relay_domains (and you have relay_domains listed in
>> parent_domain_matches_subdomains) or inherit relay_domains via its
>> default $mydestination, every domain you accept should be "known",
>> you just risk deferring mail due to transient DNS lookup errors.
>>
>> You should generally avoid having subdomain matching in relay_domains,
>> set parent_domain_matches_subdomains empty or perhaps just:
>>
>>     parent_domain_matches_subdomains = smtpd_access_maps
>>
>> if your access tables rely on this to match a domain and all its
>> subdomains.
>>
>> The backwards compatible default is:
>>
>>     parent_domain_matches_subdomains =
>>      debug_peer_list,
>>      fast_flush_domains,
>>      mynetworks,
>>      permit_mx_backup_networks,
>>      qmqpd_authorized_clients,
>>      relay_domains,
>>      smtpd_access_maps
>>
>
Good point. I fixed that too. Thanks.
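For reference, the restriction list with both points from the thread applied, shown beside the list as originally posted. This is an added illustration, not the configuration W T Riker actually ended up with; the exact slot chosen for reject_unlisted_recipient (after reject_unauth_destination, as in the Postfix SMTPD_ACCESS_README example) is an assumption, and the parent_domain_matches_subdomains line is only the optional setting Viktor mentions for sites whose access tables rely on subdomain matching.

```conf
# Order as posted in the thread (before the feedback)
smtpd_recipient_restrictions =
        reject_non_fqdn_recipient,
        reject_non_fqdn_sender,
        reject_unlisted_recipient,
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        reject_invalid_helo_hostname,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain

# Revised order incorporating both replies:
#  - reject_unlisted_recipient moved after permit_sasl_authenticated,
#    so authenticated users are permitted before recipient validation runs
#  - reject_unknown_recipient_domain dropped, since reject_unauth_destination
#    already limits unauthenticated clients to your own domains
smtpd_recipient_restrictions =
        reject_non_fqdn_recipient,
        reject_non_fqdn_sender,
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        reject_unlisted_recipient,
        reject_invalid_helo_hostname,
        reject_unknown_sender_domain

# Optional, only if your access tables match a domain and all its subdomains
parent_domain_matches_subdomains = smtpd_access_maps
```

After editing main.cf, `postconf smtpd_recipient_restrictions` prints the value Postfix will actually use, which is a quick way to confirm the order took effect before reloading.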