If you have the following lines in netperm-table: > smap: local_nets 127.0.0.1/H 10.0.0.0/8 244.43.7.0/24 > smap: block_nets 205.198.0.0/15 > smap: local_domains my.dom.ain.com my.other.domain.com.au Any network specified by local_nets is allowed to send mail unrestrictedly. If local_nets is defined, any host within block_nets is chopped off at the knees. If local_nets is defined, any host not defined by either local_nets or block_nets is only allowed to send to an address specified by local_domains, or any subdomain of these (wildcards not necessary, or, indeed, allowed). Block_nets is, of course, not much use if you have offsite backup MX records, unless your backup sites are also filtering. Note that this filtering is based on the only information about which a client can't lie: its own address and the envelope recipient address. There are a few other relatively minor changes I have made too. Also, on many systems you will need to ensure that smap's chrooted dir has the tcp/ip devices available. (e.g. /dev/tcp /dev/udp /dev/ip: these would normally be made in the same way as they are made for an anonymopus ftp directory). These are necessary so that smap can do a DNS queries. Andrew Dunstan