OK I found the line that appears to be giving me problems -- permit_mx_backup.
Now as far as I can tell, this line is required due to my servers both
performing backup for other off-site domains, and allowing those sites to
perform backup for my own domains. Those domains have been specified under
relay_domains, and the backup has been frequently tested over the past few
years, so I at least know the config works. I'll leave it up to others here to
tell me if that is the correct or best way to set it up.
Unfortunately, if I include permit_mx_backup within
smtpd_recipient_restrictions, it prevents check_policy_service from running. So
I've settled on the following config, which moves everything else to
smtpd_recipient_restrictions, but still appears to be running all of the checks
(which take about 8 seconds on my servers). Please let me know if you have any
suggestions for improvement of the following...

smtpd_client_restrictions =
    permit_mx_backup
smtpd_recipient_restrictions =
    permit_mynetworks,
    # permit_sasl_authenticated,
    check_client_access hash:/etc/postfix/pop-before-smtp,
    reject_unauth_destination,
    check_recipient_access hash:/etc/postfix/whitelist_recip,
    check_client_access hash:/etc/postfix/whitelist,
    check_sender_access hash:/etc/postfix/reject_access_map,
    reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client china.blackholes.us,
    reject_rbl_client korea.blackholes.us,
    check_policy_service unix:private/policy
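
Added example (not part of the original post, and not Postfix code): a simplified Python model of how smtpd restriction lists are evaluated, showing why a permit from permit_mx_backup inside smtpd_recipient_restrictions ends that list before check_policy_service is reached, while a permit in smtpd_client_restrictions does not. The domain names, the position of permit_mx_backup ahead of the other checks, and the stub policy result are assumptions made for illustration.

```python
# Simplified model of Postfix smtpd access evaluation (illustration only).
# Rule modelled: within one restriction list the first PERMIT or REJECT wins;
# a PERMIT ends only that list, a REJECT ends the whole transaction.
PERMIT, REJECT, DUNNO = "PERMIT", "REJECT", "DUNNO"

# Constructed sample data: one domain we act as backup MX / relay for.
RELAY_DOMAINS = {"backup.example"}

def permit_mx_backup(rcpt_domain):
    # Permits when the recipient domain is an authorized destination.
    return PERMIT if rcpt_domain in RELAY_DOMAINS else DUNNO

def reject_unauth_destination(rcpt_domain):
    return DUNNO if rcpt_domain in RELAY_DOMAINS else REJECT

def check_policy_service(rcpt_domain):
    # Stub: a real policy daemon (greylisting etc.) would decide here.
    return DUNNO

def evaluate(lists, rcpt_domain):
    """Return (verdict, names of the restrictions that actually ran)."""
    ran = []
    for restrictions in lists:          # client list first, then recipient list
        for restriction in restrictions:
            ran.append(restriction.__name__)
            result = restriction(rcpt_domain)
            if result == REJECT:
                return REJECT, ran      # reject is final
            if result == PERMIT:
                break                   # skip the rest of THIS list only
    return PERMIT, ran

# Each config is [smtpd_client_restrictions, smtpd_recipient_restrictions].
# With smtpd_delay_reject = yes (the default) both run at RCPT TO time.
IN_RECIPIENT_LIST = [[],
                     [permit_mx_backup, reject_unauth_destination,
                      check_policy_service]]
IN_CLIENT_LIST = [[permit_mx_backup],
                  [reject_unauth_destination, check_policy_service]]

def policy_consulted(config, rcpt_domain):
    return "check_policy_service" in evaluate(config, rcpt_domain)[1]

if __name__ == "__main__":
    for name, cfg in (("recipient", IN_RECIPIENT_LIST), ("client", IN_CLIENT_LIST)):
        print(name, evaluate(cfg, "backup.example"))
```

In the model, as in the configuration above, relaying is still gated by reject_unauth_destination in the recipient list, so the permit in the client list decides nothing on its own.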