diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index 8abdaba5..29ef5782 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -103,6 +103,10 @@ template(`mta_base_mail_template',`
 nscd_use_socket($1_mail_t)
 ')
 
+ optional_policy(`postfix',`
+ postfix_domtrans_user_mail_handler($1_mail_t)
+ ')
+
 optional_policy(`procmail',`
 procmail_exec($1_mail_t)
 ')
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index cc1cdb63..b9ff82f9 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -1,5 +1,5 @@ -policy_module(mta,1.0.2) +policy_module(mta,1.0.3) ######################################## #
diff --git a/refpolicy/policy/modules/services/postfix.if b/refpolicy/policy/modules/services/postfix.if
index f7732410..d4afb661 100644
--- a/refpolicy/policy/modules/services/postfix.if
+++ b/refpolicy/policy/modules/services/postfix.if
@@ -132,22 +132,37 @@ template(`postfix_server_domain_template',` ') template(`postfix_user_domain_template',` + gen_require(` + attribute postfix_user_domains, postfix_user_domtrans; + ') + postfix_domain_template($1) + typeattribute postfix_$1_t postfix_user_domains; + allow postfix_$1_t self:capability dac_override; - domain_auto_trans(user_mail_domain, postfix_$1_exec_t, postfix_$1_t) - allow user_mail_domain postfix_$1_t:fd use; - allow postfix_$1_t user_mail_domain:fd use; - allow postfix_$1_t user_mail_domain:fifo_file rw_file_perms; - allow postfix_$1_t user_mail_domain:process sigchld; + domain_auto_trans(postfix_user_domtrans, postfix_$1_exec_t, postfix_$1_t) + allow postfix_user_domtrans postfix_$1_t:fd use; + allow postfix_$1_t postfix_user_domtrans:fd use; + allow postfix_$1_t postfix_user_domtrans:fifo_file rw_file_perms; + allow postfix_$1_t postfix_user_domtrans:process sigchld; - # this is replaced by run interfaces - role sysadm_r types postfix_$1_t; - allow postfix_$1_t userdomain:process sigchld; - allow postfix_$1_t userdomain:fifo_file { write getattr }; - allow postfix_$1_t { userdomain privfd }:fd use; + domain_use_wide_inherit_fd(postfix_$1_t) +') +template(`postfix_per_userdomain_template',` + gen_require(` + attribute postfix_user_domains; + ') + + # cjp: perhaps this should actually be $3 + # instead of just sysadm_r? + #role sysadm_r types postfix_user_domains; + + allow postfix_user_domains $2:process sigchld; + allow postfix_user_domains $2:fifo_file { write getattr }; + allow postfix_user_domains $2:fd use; ') template(`postfix_public_domain_template',` 
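Review bot: In `postfix_per_userdomain_template` the role association is left commented out (`#role sysadm_r types postfix_user_domains;`), while this same hunk removes `role sysadm_r types postfix_$1_t;` from `postfix_user_domain_template`, so nothing visible here authorizes any role for the postfix user domain types. Unless that association is made somewhere outside this diff, the `domain_auto_trans` into `postfix_$1_t` would presumably be refused at the role-type check, for sysadm_r as well as for ordinary user roles; that fails closed, but it is a functional regression. If the third template argument is the caller's role, as the cjp comment suggests, resolve the TODO with `role $3 types postfix_user_domains;`, otherwise say in a comment where the role is expected to be granted. The new template also has no `##` header describing $1, $2 and $3, which callers need because each instantiation lets every member of `postfix_user_domains` use $2's descriptors and write to its pipes.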
@@ -360,3 +375,20 @@ interface(`postfix_list_spool',`
 allow $1 postfix_spool_t:dir list_dir_perms;
 files_search_spool($1)
 ')
+
+########################################
+##
+## Execute postfix user mail programs
+## in their respective domains.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`postfix_domtrans_user_mail_handler',`
+ gen_require(`
+ attribute postfix_user_domtrans;
+ ')
+
+ typeattribute $1 postfix_user_domtrans;
+')
diff --git a/refpolicy/policy/modules/services/postfix.te b/refpolicy/policy/modules/services/postfix.te
index 963bce39..6cbbec10 100644
--- a/refpolicy/policy/modules/services/postfix.te
+++ b/refpolicy/policy/modules/services/postfix.te
@@ -1,11 +1,16 @@ -policy_module(postfix,1.0.2) +policy_module(postfix,1.0.3) ######################################## # # Declarations # +attribute postfix_user_domains; +# domains that transition to the +# postfix user domains +attribute postfix_user_domtrans; + postfix_public_domain_template(bounce) type postfix_spool_bounce_t;
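Review bot: The header comment on the new `postfix_domtrans_user_mail_handler` interface in postfix.if says only that programs run "in their respective domains", but the body grants nothing directly: it is just `typeattribute $1 postfix_user_domtrans;`. The caller's effective access is therefore whatever rules are written against that attribute. Per the template change in this commit, that is an automatic transition into every `postfix_$1_t` built by `postfix_user_domain_template`, plus the fd, fifo_file and sigchld rules, and it grows whenever another postfix user domain is instantiated. I would add a summary line such as `## Adds the domain to the postfix_user_domtrans attribute; it may then transition to every postfix user domain.` so that anyone auditing who can enter these domains knows to search for the attribute and not for a domtrans rule.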