reject_invalid_hostname
permit_mynetworks # Move this below FQDN-checks on a "true mailhub" - some Debian daemons send to localhost
permit_sasl_authenticated # Silently ignored if TLS not in use
reject_non_fqdn_hostname
reject_non_fqdn_sender
reject_non_fqdn_recipient
reject_unknown_sender_domain
reject_unknown_recipient_domain
reject_unauth_pipelining
#permit_mynetworks # Moved to top to allow Debian daemons sending to localhost
permit_mx_backup
reject_unauth_destination
reject_maps_rbl
reject # Not really needed, but just to be on the safe side...