On Mon, Jan 26, 2026 at 04:13:15PM -0800, Randy Bush via Postfix-users wrote:
> > For "reject_unknown_recipient_domain" to make sense, it would have to be
> > listed first, before "permit_mynetworks, ..." so that invalid recipient
> > domains are also rejected in outbound mail from your own users (rather
> > than queued and bounced).
>
> ok, makes sense

But generally not needed, nor even necessarily a good idea. Some MUAs
might not handle the rejection gracefully, and since this only makes
sense for outbound mail, it really goes in master.cf:

    # Ditto for port 465
    submission inet n - n - - smtpd
      -o syslog_name=postfix/submission
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_tls_security_level=encrypt
      -o smtpd_client_restrictions=
      -o smtpd_helo_restrictions=
      -o smtpd_sender_restrictions=
      -o smtpd_relay_restrictions=permit_sasl_authenticated,permit_mynetworks,reject
      -o smtpd_recipient_restrictions=permit_auth_destination,reject_unknown_recipient_domain
      -o smtpd_data_restrictions=
      -o smtpd_end_of_data_restrictions=
      -o always_add_missing_headers=yes
      -o header_checks=
      -o body_checks=
      ...

> > I'm surprised to not see any mainstream RBLs in that setting. How
> > 'bout:
> >
> >     smtpd_recipient_restrictions =
> >         permit_mynetworks,
> >         permit_sasl_authenticated,
> >         reject_unauth_destination,
> >         # Or if you prefer another high quality RBL, use that.
> >         reject_rbl_client zen.spamhaus.org,
> >         reject_unverified_recipient
>
> rather than
>
>     postscreen_dnsbl_sites =
>         list.dnswl.org=127.0.[0..255].[1..3]*-5
>         zen.spamhaus.org*2
>
> which is what i have now

Not "rather than", but as well as. Both make sense. An IP address
recently cached as neutral by postscreen(8) may in real time be found
listed by the RBL.

--
Viktor. 🇺🇦 Слава Україні!
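
An added example, not part of the original message and not Postfix code: a simplified model of first-match restriction evaluation, showing why a late reject_unknown_recipient_domain never applies to your own users while the submission overrides above reject the mistyped domain at RCPT time. The networks, domains, sessions and the LATE list are constructed, and RBL and recipient verification lookups are not modelled.

```python
import ipaddress

# Constructed sample data standing in for main.cf settings and DNS.
MYNETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
AUTH_DESTINATIONS = {"example.org"}            # domains this server accepts mail for
RESOLVABLE = {"example.org", "example.net"}    # domains with MX/A records

def rcpt_domain(s): return s["rcpt"].rsplit("@", 1)[1].lower()
def in_mynetworks(s): return any(ipaddress.ip_address(s["client"]) in n for n in MYNETWORKS)

# Each restriction returns PERMIT, REJECT or DUNNO (no opinion, try the next one).
def permit_mynetworks(s): return "PERMIT" if in_mynetworks(s) else "DUNNO"
def permit_sasl_authenticated(s): return "PERMIT" if s.get("sasl_user") else "DUNNO"
def permit_auth_destination(s): return "PERMIT" if rcpt_domain(s) in AUTH_DESTINATIONS else "DUNNO"
def reject_unauth_destination(s): return "DUNNO" if rcpt_domain(s) in AUTH_DESTINATIONS else "REJECT"
def reject_unknown_recipient_domain(s):
    d = rcpt_domain(s)
    return "REJECT" if d not in AUTH_DESTINATIONS and d not in RESOLVABLE else "DUNNO"
def reject(s): return "REJECT"

def check_rcpt(lists, session):
    """Evaluate restriction lists in order; the first non-DUNNO result decides each list."""
    for restrictions in lists:
        for r in restrictions:
            verdict = r(session)
            if verdict == "REJECT":
                return "REJECT", r.__name__      # a reject ends the whole check
            if verdict == "PERMIT":
                break                            # a permit only ends this list
    return "PERMIT", None

# Constructed recipient list with the domain check placed after the permits.
LATE = [[permit_mynetworks, permit_sasl_authenticated,
         reject_unauth_destination, reject_unknown_recipient_domain]]
# The submission overrides from the message: relay list, then recipient list.
SUBMISSION = [[permit_sasl_authenticated, permit_mynetworks, reject],
              [permit_auth_destination, reject_unknown_recipient_domain]]

# Constructed sessions: an own user mistyping a domain, and the same user with a valid one.
typo = {"client": "192.0.2.10", "sasl_user": "alice", "rcpt": "bob@exmaple.invalid"}
good = {"client": "192.0.2.10", "sasl_user": "alice", "rcpt": "bob@example.net"}

if __name__ == "__main__":
    for name, lists in (("late", LATE), ("submission", SUBMISSION)):
        for s in (typo, good):
            print(name, s["rcpt"], check_rcpt(lists, s))
```

With the LATE list the mistyped address is permitted by permit_mynetworks and would be queued and bounced; with the submission lists it is rejected during the SMTP session.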