Postfix smtpd_recipient_restrictions are ordered incorrectly in default template
The Postfix author himself, Wietse Venema, has stated that the smtpd_recipient_restrictions values should be ordered in a way that differs from the incorrect defaults that are often deployed in distro-provided Postfix packages.
Details here: http://archives.neohapsis.com/archives/postfix/2013-06/0053.html
To quote Wietse, with regard to the relevant bit:
For posteriority (i.e. people who find this with a search engine), replace these three lines:
check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination,
with these three lines:
reject_unauth_destination, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
As that prevents unexpected open relay problems.
In essence, Wietse is saying that reject_unauth_destination should always come before check_recipient_access. ISPConfig does not observe this precaution. I discovered this "the hard way", when an ISPConfig-powered system under my control was flooded with garbage messages due to this incorrect, default setting.