These restrictions are useful for accepting, rejecting and even routing messages.
Reference: smtpd_recipient_restrictions in the postfix documentation
Example:
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_unauth_destination
reject_unlisted_recipient
check_client_access pcre:/etc/postfix/spam-filter.cf
NOTE: reject_unlisted_recipient is the best thing since sliced bread!
It will reject mail where the recipient domain is listed in Virtual_Mailbox_Domains but the recipient is not listed in Virtual_Mailbox_Maps. You would think this goes without saying, but this isn't the default behavior. When in doubt add this line!
In the example check_client_access calls the file spam-filter.cf
This is an example of what I call message routing (Not sure if this is really whats its called :) ). Basically any message that hasn't been accepted or rejected by the precious checks is then handled by check_client_access. This PCRE file contains
/./ FILTER lmtp:unix:/spamfilter.sock
/./ is a wildcard that will catch every message and in this case send it to spamfilter.sock
The result is that messages that are NOT sent from "mynetworks", are NOT "sasl_authenticated", have a "authorized destination", and have a "listed recipient" are then routed to the spam filter.