After setting up SASL for Postfix, the default behavior is that a client can use any MAIL FROM (envelope) address once it has passed SASL auth.

For instance, I have a SASL sender [email protected]. In an SMTP session, once this sender has passed SASL auth, it can use any address like [email protected] as the envelope address. This is not what I want.

I resolved the issue with the following steps, with help from the Postfix mailing list.

 smtps     inet  n       -       y       -       -       smtpd
   -o syslog_name=postfix/smtps
   -o smtpd_tls_wrappermode=yes
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
   -o smtpd_sasl_type=dovecot
   -o smtpd_sasl_path=private/auth

Since I use submission port 465 only (I closed port 587 and disabled SASL auth on port 25), the sender behavior can be specified in the smtps options.

 smtpd_recipient_restrictions =
   check_policy_service { unix:ratelimit/policy, default_action=DUNNO },
   check_policy_service { unix:private/policyd-spf, default_action=DUNNO }

smtpd_sender_login_maps = hash:/etc/postfix/controlled_envelope_senders

Please note "reject_sender_login_mismatch" must be ahead of "permit_sasl_authenticated".


 #envelope sender    owners (SASL login names)
[email protected] [email protected]
[email protected] [email protected]
[email protected] [email protected]

Now run 'postmap controlled_envelope_senders' and restart Postfix; everything should work.
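
To sanity-check a controlled_envelope_senders file before running postmap, the sketch below models how reject_sender_login_mismatch decides on a MAIL FROM address. It is an added example, not code from the original post or from Postfix; the example.com entries and the function names are constructed, and it covers only the user@domain and @domain lookups.

```python
# Offline model of Postfix's reject_sender_login_mismatch decision.
# All addresses and login names below are constructed sample data.

SAMPLE_MAP = """\
#envelope sender        owners (SASL login names)
alice@example.com       alice@example.com
sales@example.com       alice@example.com, bob@example.com
@lists.example.com      listadmin@example.com
"""

def parse_login_map(text):
    """Parse postmap source text into {lookup key: set of owner logins}."""
    table = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue  # blank line, comment, or key without owners
        key, owners = parts
        # Owners are separated by commas and/or whitespace.
        # This model lower-cases keys and logins before comparing.
        table[key.lower()] = {o.lower() for o in owners.replace(",", " ").split()}
    return table

def owners_for(table, sender):
    """Try user@domain, then @domain (the bare 'user' step is omitted here)."""
    sender = sender.lower()
    domain = sender.rpartition("@")[2]
    return table.get(sender) or table.get("@" + domain) or set()

def check_sender(table, sasl_login, mail_from):
    """Return 'REJECT' or 'DUNNO' (DUNNO = fall through to the next restriction)."""
    owners = owners_for(table, mail_from)
    if sasl_login is None:
        # Not logged in: reject only when the address has a registered owner.
        return "REJECT" if owners else "DUNNO"
    # Logged in: the login must be listed as an owner of the MAIL FROM address.
    return "DUNNO" if sasl_login.lower() in owners else "REJECT"

if __name__ == "__main__":
    table = parse_login_map(SAMPLE_MAP)
    sessions = [  # (SASL login or None, MAIL FROM), constructed
        ("alice@example.com", "alice@example.com"),
        ("alice@example.com", "bob@example.com"),
        ("bob@example.com", "sales@example.com"),
        (None, "sales@example.com"),
        ("listadmin@example.com", "news@lists.example.com"),
    ]
    for login, sender in sessions:
        print(f"{login!s:24} {sender:26} {check_sender(table, login, sender)}")
```

Note that an authenticated login is rejected for any address it is not listed under, including addresses with no entry at all, so every login needs a line for each address it is allowed to send as.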


Postfix SASL Howto