On Mon, Jan 26, 2026 at 08:49:45AM -0800, Randy Bush via Postfix-users wrote:
> and my main.cf used to say > > smtpd_recipient_restrictions = > permit_mynetworks, > permit_sasl_authenticated, > permit_auth_destination, > reject_unauth_destination, > reject_unknown_recipient_domain, > reject_unverified_recipient > > yet mail to [email protected] was getting through to rspamd > > i think it was the ordering!! the following seems to work > > smtpd_recipient_restrictions = > reject_unauth_destination, > reject_unknown_recipient_domain, > reject_unverified_recipient, > permit_mynetworks, > permit_auth_destination It isn't "ordering", rather the use of "permit_auth_destination" is unnecessary and counterproductive. Just simplify to: smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unverified_recipient Where I am also recommending deletion of "reject_unknown_recipient_domain", because you're unlikely to, and should not have, any "unknown" domains that pass "reject_unauth_destination". For "reject_unknown_recipient_domain" to make sense, it would have to be listed first, before "permit_mynetworks, ..." so that invalid recipient domains are also rejected in outbound mail from your own users (rather than queued and bounced). I'm surprised to not see any mainstream RBLs in that setting. How 'bout: smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, # Or if you prefer another high quality RBL, use that. reject_rbl_client zen.spamhaus.org, reject_unverified_recipient -- Viktor. 🇺🇦 Слава Україні! _______________________________________________ Postfix-users mailing list -- [email protected] To unsubscribe send an email to [email protected]
