Dear Les et al, Thanks for your assistance with this thorny issue. I have finally resolved the problem by utilising the following: 1) I have added to the access map of sendmail all the domains that accept mail for any user, user at domain for those email accounts that exist and hosts that are internal to my network which will send mail via these boxes e.g. internalhost RELAY domain1 RELAY user at domain2 RELAY user at domain1 RELAY 2) I then appended to the end of this file reject lines to reject mail to unknown users e.g. domain2 REJECT So now my access map looks like this: internalhost RELAY domain1 RELAY user at domain2 RELAY user at sub.domain1 RELAY domain2 REJECT sub.domain1 REJECT 3) I created a relay-domains file and added to that all the domains that I was going to relay for e.g. domain1 domain2 etc. 4) restarted sendmail (which rebuilt access.db and allowed sendmail to read in the relay-domains file) My mail scanners now accept mail for relay/scanning from my internal hosts to any address, from external hosts to mail accounts that exist and to any account at a domain that has a catch all account setup. All other mail is rejected with either "Access denied" or Mailbox for this user is disabled". All this was achieved using a shell script to find the domains from the qmail server (pop host) and parse the .qmail-* files for each domain and account and build the relevant files. As this is a live service which has the potential to change this script is run via cron on a regular basis to catch the changes. Currently on the pop host this takes about 10 mins to run as it is trawling the filesystem for changes (due to legacy accounts being manually created outside of out provisioning tools negating the opportunity to use the database that exists.) Thanks again for your help and comments, they were and continue to be very useful. Rgds Simon.