On 11/13/2018 10:46 AM, Tobi wrote: >> Postfix supports what you've described. You must have made some >> other mistake. > > believe me that's what I thought first :-) But the only reason this > would not fire is that a prior restriction already OK the mail. To test > I commented all client restrictions and placed my check_sender access on > (almost) top of sender_restrictions > > smtpd_sender_restrictions = reject_unknown_sender_domain, > reject_non_fqdn_sender, > check_sender_access hash:/etc/postfix/do_callahead, > [....] > > so the restriction is well before any restriction that could ACCEPT the > mail. > > postmap tells me that it gets the correct value from the map > > $ postmap -q 'example.com' /etc/postfix/do_callahead > reject_unverified_recipient > > >
Two things that come to mind... you must have smtpd_delay_reject=yes and parent_domain_matches_subdomains must contain smtpd_access_maps check your "postconf -n" output to make sure it shows what you expect. If you have more trouble, please see http://www.postfix.org/DEBUG_README.html#mail -- Noel Jones