On 10/10/21 11:28 pm, Rob Kampen wrote: > smtp inet n - n - - smtpd > -o smtpd_recipient_restrictions= -o content_filter=spamassassin I assume based on what you've said before that this is after you added the workaround you mentioned, but the logs below are without the smtpd_recipient_restrictions= part here? > Cannot see how this log listing can possibly help as it contains only > three lines Nonetheless I do appreciate seeing them, no offense but you can never tell if someone's interpretations of the logs are accurate and so it's best just to see the logs themselves. > Here is the log of the incorrectly rejected email coming into the new MX > - very short as it immediately rejects the alias recipient address - > which my other two MX do not do. Right. > This led me to the conclusion that the alias substitution is not taking > place on my new MX whereas it does on my two working MX - hence my > addition to the smtp processing line at the top of the master.cf file. I wouldn't jump to that conclusion just yet, though. That said, based on your config and logs I think I may have been wrong in my previous guess and it may very well be related to your policyd-spf. More on that in a bit. Can you provide the output of the following commands (but substitute the actual recipient domain and address for the munged versions you supplied here): postmap -q example.com mysql:/etc/postfix/mysql-virtual_alias_domains.cf postmap -q rob at example.com mysql:/etc/postfix/mysql-virtual_forwardings.cf postmap -q rob at example.com mysql:/etc/postfix/mysql-virtual_email2email.cf postmap -q example.com mysql:/etc/postfix/mysql-virtual_domains.cf postmap -q rob at example.com mysql:/etc/postfix/mysql-virtual_mailboxes.cf The results of the above should give a much better picture of what's going on. To check if it's the policyd that's causing the problem can you modify the smtpd_recipient_restrictions line in main.cf and remove just the "check_policy_service inet:localhost:12350," part? So that it reads something like: smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_policy_service unix:private/policyd-spf Then check to see if it works after that (and provide logs again so I can check things over). Note this also means reverting your workaround in master.cf for this test. Peter