Correct, you create the file forbidden_domain_checks. However, I've used a pcre table in the example above, which is not an indexed (e.g. database) table, so it is not postmap'd. Remove the .db file if you use pcre/regexp. If you want to use a database type such as hash, you will need to change the contents of forbidden_domain_checks to suit the table type, and then postmap the indexed file.
Your check_sender_access table would be in an smtpd_sender_restrictions as mentioned above.
For your smtpd_recipient_restrictions, I move cheap checks (no additional DNS lookups, no RBL queries, etc.) up front:

Code:
    smtpd_recipient_restrictions =
        reject_non_fqdn_recipient,
All of my systems use FQDN recipients.

Code:
        reject_non_fqdn_sender,
If I can't bounce a message, I don't want it.

Code:
        reject_unlisted_recipient,
I only accept mail for listed recipients.
...

Code:
        permit_mynetworks,
        permit_sasl_authenticated,
Consider moving SASL authentication to a separate submission port (see submission, port 587, in master.cf).

Code:
        reject_unauth_destination,
        reject_unlisted_sender,
Where is this list of senders coming from? Sender address verification (SAV) only if the senders' systems allow it.

Code:
        reject_unknown_sender_domain
Rejects when there is no MX or A record, or a malformed MX, for the sender's address.

Code:
        check_helo_access pcre:/etc/postfix/helo_checks.pcre
Create a helo_checks table that rejects obvious forgery helos. There are lots of examples on the postfix mailing list. I've posted one or two examples in these forums.

Code:
        reject_invalid_hostname,
I don't use this because I capture these in my helo_checks table above.

Code:
        reject_non_fqdn_hostname,
This is ok, but will reject mail from local clients such as Outlook that by default are not configured to use FQDN.

Code:
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client safe.dnsbl.sorbs.net,
Monitor for any false positives on the latter two.

Code:
        reject_invalid_hostname,
        reject_non_fqdn_hostname
These are duplicated above - remove.
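The post above recommends a pcre helo_checks table but does not show one. The following is an added example, not the poster's own table: it builds a small constructed helo_checks.pcre (the hostname mail.example.com is a placeholder for your own server's name) and emulates how Postfix evaluates a pcre access table, i.e. patterns are tried top to bottom, the first match wins and its right-hand side becomes the action, with no match meaning "fall through to the next restriction". The emulator only handles the basic `/pattern/ action` line form (plus the `!/pattern/` negation) and follows the pcre_table(5) default of case-insensitive matching; it is a test harness for reasoning about table order, not a replacement for `postmap -q`.

```python
import re
from typing import List, Optional, Tuple

# Constructed helo_checks.pcre, in the format Postfix reads. Order matters:
# the first matching pattern decides the result, so the most specific
# forgery checks sit at the top. Anything that matches nothing is allowed
# to continue to the next restriction in smtpd_recipient_restrictions.
HELO_CHECKS_PCRE = r"""
# A bare IP address as HELO violates the SMTP grammar and is a very common forgery.
/^[0-9.]+$/                           550 HELO must be a host name, not a bare IP address
# Nobody on the Internet legitimately greets this server with its own name.
/^(localhost|mail\.example\.com)$/    550 Do not use my server's name as your HELO
# Everything else: no entry, so Postfix moves on to the next restriction.
"""

LINE_RE = re.compile(r"^(!?)/(.*)/([a-zA-Z]*)\s+(.*)$")


def parse_pcre_table(text: str) -> List[Tuple[bool, "re.Pattern[str]", str]]:
    """Parse pcre_table(5)-style lines into (negated, compiled_regex, action).

    Blank lines and '#' comments are skipped, as Postfix does. Matching is
    case-insensitive by default, which is Postfix's own default for pcre tables.
    """
    table = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable pcre table line: {raw!r}")
        negated, pattern, flags, action = m.groups()
        re_flags = 0 if "I" in flags and "i" not in flags else re.IGNORECASE
        table.append((negated == "!", re.compile(pattern, re_flags), action.strip()))
    return table


def lookup(table, key: str) -> Optional[str]:
    """Return the action of the first matching entry, or None if nothing matches."""
    for negated, regex, action in table:
        matched = regex.search(key) is not None
        if matched != negated:
            return action
    return None


TABLE = parse_pcre_table(HELO_CHECKS_PCRE)


def check_helo(helo: str) -> str:
    """Summarise what check_helo_access would do for a given HELO name."""
    action = lookup(TABLE, helo)
    if action is None:
        return "DUNNO (no match; next restriction decides)"
    return action


if __name__ == "__main__":
    # Constructed sample HELO names as a client might send them.
    for helo in ["192.0.2.10", "MAIL.EXAMPLE.COM", "mx1.example.net", "localhost"]:
        print(f"{helo:20s} -> {check_helo(helo)}")
```

Once the real table is in place, `postmap -q "192.0.2.10" pcre:/etc/postfix/helo_checks.pcre` runs the same lookup against Postfix's own parser; use that, not the emulator, as the final word on what your table does.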