为后缀“smtpd_recipient_restrictions”设置的最佳参数

你的规则是非常糟糕的。 如果你想保留所有这些，而不是添加任何东西，那么顺序必须是：

 smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining, reject_invalid_hostname, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_destination, reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org, check_recipient_access proxy:mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_non_fqdn_recipient 

如果仍然不够，那么请阅读http://www.postfix.org/POSTSCREEN_README.html中的 postscreen 。

我会build议一个类似于以下的smtpd_recipient_restriction：

 smtpd_recipient_restricdtions = # Whitelisting or blacklisting: check_recipient_access proxy:mysql:/etc/postfix/mysql-virtual_recipient.cf, # Everyone should play after rules: reject_non_fqdn_recipient, reject_non_fqdn_sender, reject_unknown_recipient_domain, reject_unknown_sender_domain, reject_unauth_pipelining, # Mails from your users: permit_mynetworks, permit_sasl_authenticated, # This will block mails from domains with no reverse DNS record. Will affect both spam and ham mails, but mostly spam. reject_unknown_reverse_client_hostname, # Instead of reject_unknown_reverse_client_hostname you can also use reject_unknown_client_hostname, which is an even harder rule. # Reject ugly HELO/EHLO-hostnames (could also affect regular mails): reject_non_fqdn_hostname, reject_invalid_helo_hostname, # Reject everything you're not responsible for: reject_unauth_destination, # Only take mails for existing accounts: reject_unverified_recipient, # DNS lookups are "expensive", therefore should be at bottom reject_rbl_client zen.spamhaus.org 

有关smtpd_recipient_restrictions的详细信息，请访问： http : //www.postfix.org/postconf.5.html#smtpd_recipient_restrictions

也许你也想使用postgrey ， postscreen ， postfwd或者其他一些策略守护进程 。

还要检查你是否在预排队模式下使用了amavisd-new。