Magnus, I really appreciate your input. Here is what I have done. I
moved reject_unauth_destination above check_sender_access, so mail is
only relayed for virtual_alias_domains unless sender is connecting from
$mynetworks. I wish for senders at example.net to be exempt from any
further tests in smtpd_recipient_restrictions. This should not be a
problem since unwanted bulk senders are unlikely to spoof example.net as
the sending domain when sending to example.com, where those are two
unrelated domain names.
.: postfix/main.cf
myhostname = mx1.example.com
myorigin = $mydomain
mydestination =
local_recipient_maps =
mynetworks_style = host
smtpd_recipient_restrictions =
permit_mynetworks
reject_unauth_destination
check_sender_access hash:/etc/postfix/sender_access
local_transport = error:local mail delivery is disabled
virtual_alias_domains = example.com example.co.uk
virtual_alias_maps = regexp:/etc/postfix/virtual
parent_domain_matches_subdomains =
debug_peer_list
smtpd_access_maps
.: postfix/virtual
/^foo@/ b...@example.tld
/^([...@]+)@example\.co(m|\.uk)$/ $...@example.net
.: postfix/sender_access
example.net OK
Thread branched from: "virtual alias mapping does not match postmap
query result"
