Vadim S. Ivanov:
> I agree. I looked at rfc4422. Treating identity in MAIL FROM command as
> sasl authenticated will violate rfc itself (no auth mechanism was
> involved).
> I won't be able to run smtpd_sender_login_mismatch,
> smtpd_sender_login_maps checks.
>
>
> But rfc4954 section 5 states:
> The optional AUTH parameter to the MAIL FROM command allows
> cooperating agents in a trusted environment to communicate the
> authorization identity associated with individual messages.
>
> If the server trusts the authenticated identity of the client to
> assert that the message was originally submitted by the supplied
> <mailbox>, then the server SHOULD supply the same <mailbox> in
> an AUTH parameter when relaying the message to any other server
> which supports the AUTH extension.
>
> For this reason, servers that advertise support for this
> extension MUST support the AUTH parameter to the MAIL FROM
> command even when the client has not authenticated itself to the
> server.
>
> So dovecot authenticated user and relayed its mail to postfix with
> "authorization identity" in MAIL FROM:
>
> MAIL FROM:<user@domain> AUTH=user@domain BODY=8BITMIME SIZE=1545
>
> Does postfix support this AUTH extension?

Postfix allows the parameter, and discards the result.

> If it does, is it possible to run some checks against "authorization
> identity" to prevent sender address forgery? (in my case user logs in
> using full mail address, so usermailbox=userlogin)

No. Without authentication, the MAIL FROM AUTH parameter is just
a bunch of unauthenticated data.

Wietse
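
The point made in this thread, as an added example that is not part of the original messages and is not Postfix code: a receiver can parse the AUTH= parameter from MAIL FROM, but a sender check has to be keyed on the SASL login of the session, never on that parameter. The function names and the `sasl_login` argument are hypothetical, and the xtext decoder assumes single-byte characters.

```python
import re

# xtext (RFC 4954): "+" followed by two uppercase hex digits encodes one octet.
_HEXCHAR = re.compile(r"\+([0-9A-F]{2})")
_MAIL_FROM = re.compile(r"MAIL FROM:\s*<([^>]*)>(.*)$", re.IGNORECASE)


def xtext_decode(value):
    """Decode an xtext-encoded ESMTP parameter value."""
    return _HEXCHAR.sub(lambda m: chr(int(m.group(1), 16)), value)


def parse_mail_from(line):
    """Split a MAIL FROM command into (envelope_sender, {PARAM: value})."""
    match = _MAIL_FROM.match(line.strip())
    if match is None:
        raise ValueError("not a MAIL FROM command")
    params = {}
    for token in match.group(2).split():
        key, _, value = token.partition("=")
        params[key.upper()] = value
    return match.group(1), params


def claimed_identity(line):
    """The AUTH= value as sent by the client: a claim, nothing more."""
    _, params = parse_mail_from(line)
    value = params.get("AUTH")
    if value is None or value == "<>":  # "<>" means identity unknown
        return None
    return xtext_decode(value)


def sender_allowed(line, sasl_login):
    """Compare the envelope sender with the SASL login of this session.

    sasl_login is None when no AUTH command succeeded; the AUTH= parameter
    is never consulted, so it cannot satisfy the check.
    """
    sender, _ = parse_mail_from(line)
    return sasl_login is not None and sender.lower() == sasl_login.lower()


# Constructed sample: the command quoted in the thread.
SAMPLE = "MAIL FROM:<user@domain> AUTH=user@domain BODY=8BITMIME SIZE=1545"
```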