After setting up SASL for Postfix, the default is that a client can use any MAIL FROM (envelope) address once it has passed SASL authentication.
For instance, I have a SASL sender [email protected]. In an SMTP session, once this sender has passed SASL auth, it can use any address like [email protected] as the envelope address. This is not what I want.
I resolved the issue with the following steps, with help from the Postfix mailing list.
master.cf:
smtps inet n - y - - smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
Since I use submission port 465 only (closed port 587 and disabled port 25 for SASL auth), the sender behavior can be specified in the smtps options.
main.cf:
smtpd_recipient_restrictions =
  check_policy_service { unix:ratelimit/policy, default_action=DUNNO },
  permit_mynetworks,
  reject_sender_login_mismatch,
  permit_sasl_authenticated,
  reject_unauth_destination,
  check_policy_service { unix:private/policyd-spf, default_action=DUNNO }
smtpd_sender_login_maps = hash:/etc/postfix/controlled_envelope_senders
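Please note that "reject_sender_login_mismatch" must come before "permit_sasl_authenticated": Postfix evaluates the restrictions in order, and a permit result ends the list before any later check runs.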
controlled_envelope_senders:
#envelope sender owners (SASL login names)
[email protected] [email protected]
[email protected] [email protected]
[email protected] [email protected]
...
Now run 'postmap controlled_envelope_senders' and restart Postfix; everything should work.
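To check a sender/owner table before loading it, the decision that reject_sender_login_mismatch makes can be modelled offline. This is an added example, not code from the original post or from Postfix; the example.com addresses and the function names are constructed, and it assumes login names compare case-insensitively and skips the bare-user lookup and continuation lines.

```python
import re

# Constructed table in the same "sender  owners" source format that postmap reads.
SAMPLE_TABLE = """\
# envelope sender       owners (SASL login names)
alice@example.com       alice@example.com
sales@example.com       alice@example.com, bob@example.com
@lists.example.com      listadmin@example.com
"""

def parse_sender_login_map(text):
    """Return {lookup key: set of owner logins}, with keys folded to lower case."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            # Owners are separated by comma and/or whitespace.
            owners = re.split(r"[,\s]+", parts[1].lower())
            table[parts[0].lower()] = {o for o in owners if o}
    return table

def owners_of(table, sender):
    """Look up user@domain first, then the @domain entry (lowest precedence)."""
    sender = sender.lower()
    domain_key = "@" + sender.rpartition("@")[2]
    return table.get(sender) or table.get(domain_key)

def check_sender(table, sasl_login, sender):
    """Return 'REJECT' or 'DUNNO' for one MAIL FROM; sasl_login is None if not logged in."""
    owners = owners_of(table, sender)
    if owners is not None:
        # The address has an owner: only a logged-in owner may use it.
        if sasl_login is None or sasl_login.lower() not in owners:
            return "REJECT"
        return "DUNNO"
    # The address has no owner, so a logged-in client does not own it either.
    return "REJECT" if sasl_login is not None else "DUNNO"

if __name__ == "__main__":
    table = parse_sender_login_map(SAMPLE_TABLE)
    for login, sender in [("alice@example.com", "alice@example.com"),
                          ("bob@example.com", "alice@example.com"),
                          ("alice@example.com", "ceo@other.example")]:
        print(login, "->", sender, ":", check_sender(table, login, sender))
```

DUNNO means the check makes no decision and evaluation continues to permit_sasl_authenticated. In the main.cf above, permit_mynetworks comes before the check, so clients in mynetworks are never subject to it.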