(Postfix 2.3.3 on FreeBSD 6.1-RELEASE-p6, installed from ports with
'POSTFIX_OPTIONS="SASL2 SASLKRB5 SPF TLS BDB MySQL OpenLDAP CDB VDA"'
and 'WITH_BDB_VER=43' set.)
I use a check_sender_access directive in $smtpd_recipient_restrictions
to allow or block mail from particular individuals as identified by
their message envelopes. If I read access(5) correctly, I should be
able to match on the domain part of a particular email address using
the hashed version (db or dbm) of the access table. In practice,
entries listing only the domain part do not match full email
addresses. For example, I have the following line in my sender access
list:
    .intruguarddevices.com    REJECT
(The file is in the "hash:" format, if that makes a difference.)
According to the mail logs and the Return-Path headers, sender
envelope addresses that should match this rule look like this:
    webinar@intruguarddevices.com
Yet, Postfix does not block these addresses, even using the following
simplified configuration:
    smtpd_recipient_restrictions =
        permit_sasl_authenticated
        permit_mynetworks
        reject_unauth_destination
        check_sender_access hash:/usr/local/etc/postfix/maps/access_sender
        permit
When I query the access list using the postmap command, I get no
result:
    postmap -q webinar@intruguarddevices.com access_sender || echo not found
    not found
    postmap -q .intruguarddevices.com access_sender || echo not found
    REJECT
Now, it's possible that postmap's -q flag does not follow the same
semantics as Postfix itself in terms of selecting a match, but I don't
know how else to test or to reproduce my problem.
What am I doing wrong? Am I using this facility correctly? Should I
switch to some other lookup method (e.g., PCRE)?
Best wishes,
Matthew
--
Every time Bruce Schneier smiles, an amateur cryptographer dies.
(http://geekz.co.uk/schneierfacts/fact/55)
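
The key search order that access(5) documents for email addresses, modelled as an added Python example that is not part of the original message and is not Postfix code. It shows which keys an SMTP access check derives from an envelope sender, with and without smtpd_access_maps listed in parent_domain_matches_subdomains, and why a single literal lookup such as `postmap -q` returns different results. The function names are hypothetical, the second table is constructed, and address extensions (user+ext) are not modelled.

```python
# Simplified model of access(5) key generation for check_sender_access.
# Address extensions (user+ext) and other restriction types are not modelled.

def sender_lookup_keys(address, parent_matches_subdomains=True):
    """Return the table keys tried for one envelope sender, in order.

    parent_matches_subdomains=True models smtpd_access_maps being listed in
    parent_domain_matches_subdomains (the default): parent domains are
    looked up as "domain.tld". False models it being removed: parent
    domains are looked up as ".domain.tld".
    """
    address = address.lower()
    local, _, domain = address.rpartition("@")
    keys = [address, domain]          # user@domain, then the exact domain
    name = domain
    while True:
        dot = name.find(".", 1)       # next label boundary, skipping a leading dot
        if dot == -1:
            break
        name = name[dot + 1:] if parent_matches_subdomains else name[dot:]
        keys.append(name)
    keys.append(local + "@")          # finally "user@"
    return keys


def check_sender_access(table, address, parent_matches_subdomains=True):
    """Return (key, action) for the first key present in the table, else None."""
    for key in sender_lookup_keys(address, parent_matches_subdomains):
        if key in table:
            return key, table[key]
    return None


def postmap_q(table, key):
    """Model of `postmap -q`: one lookup of the literal key, no expansion."""
    return table.get(key)


if __name__ == "__main__":
    sender = "webinar@intruguarddevices.com"
    dotted = {".intruguarddevices.com": "REJECT"}   # entry from the message
    plain = {"intruguarddevices.com": "REJECT"}     # constructed alternative
    print(sender_lookup_keys(sender))
    print(check_sender_access(dotted, sender))      # no key matches
    print(check_sender_access(plain, sender))       # exact-domain key matches
    print(postmap_q(plain, sender))                 # literal key is absent
```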