On Sun, Jan 01, 2023 at 05:03:27PM +0100, Jesper Dybdal wrote:
> I use reject_authenticated_sender_login_mismatch to control which
> envelope sender addresses SASL clients can use. That works just fine.
>
> Is there a similar way to control which envelope sender addresses can be
> used by which system user by calling sendmail(1)?
No. Unlike the smtpd(8) service with its restriction classes and
access(5) tables, the postdrop(1) local submission handler has very
limited access control capabilities (just authorized_submit_users, which
you're already using).
Note that enforcing envelope sender restrictions breaks, for example,
use of procmail, which allows users to conditionally forward mail, ...
One way to hypothetically do more advanced filtering in postdrop(1)
could be to add milter support, with the user id as simulated
authenticated SASL account. This does not exist, and may never happen.
> (I seem to remember that there was a thread here about a similar subject
> some time ago, but I can't find it now.)
If your local submission just reinjects mail via SMTP (content filter on
pickup(8) or separate null client and MTA Postfix instances), then a
milter on the receiving end can parse the user name out of the
"Received:" header added by pickup(8), and quarantine unacceptable
messages (reject would be wrong, because the envelope sender is
presumably forged, and a reject would result in a bounce).
--
Viktor.
