Postfix options

Last week I got call from one of my colleagues complaining about the amount of spam she's receiving, so I installed SA and implemented some restricted options in postfix

smtpd_recipient_restrictions =
permit_sasl_authenticated,
permit_mynetworks,
reject_unauth_destination,
reject_invalid_hostname,
reject_non_fqdn_hostname,
reject_non_fqdn_sender,
reject_rbl_client list.dsbl.org,
reject_rbl_client cbl.abuseat.org,
reject_rbl_client, dnsbl.sorbs.net,
reject_rbl_client spam.dnsbl.sorbs.net,
reject_rbl_client korea.services.net,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client pbl.spamhaus.org,
reject_rbl_client sbl.spamhaus.org,
permit

but later she called complaining that she cannot send emails using our SMTP server so for me it was what the hell is going one? later I found that Postfix is picky about the order of your options so if you do reject_non_fqdn_hostname before permitting sasl authenticated users, those authenticated will not be able to send emails.
and this was new to me.
[tags] server mail, fqdn, smtp server, spamhaus, sorbs, zen, colleagues, spam, dnsbl, korea, hell, pbl, linux [/tags]