On Wed, 7 Oct 2020 at 14:04, Vieri Di Paola <vieridipa...@gmail.com> wrote: > > On Wed, Oct 7, 2020 at 2:34 PM Tom Sommer <m...@tomsommer.dk> wrote: > > > > So SASL user "t...@example.com" would be able to send only from > > "@example.com". > > smtpd_sender_login_maps = pcre:/etc/postfix/login_maps.pcre > > content of /etc/postfix/login_maps.pcre: > /^(.*)@your(own)?domain\.org$/ ${1} > > This would force sasl-authed user "me" to only send from > m...@yourdomain.org or m...@yourowndomain.org. > You can change the regex to allow from @domain instead.
If, for authenticated users, you also want to enforce an *exact match* between the Envelope Sender and the mail address in the 'From:' header, this is offered by the milter at https://github.com/magcks/milterfrom (but I have not tested it). To enforce a domain-only match between the Envelope Sender and the mail address in the 'From:' header the only way I can think of is to use DMARC with p=reject, which is a big hammer for the given nut. Can postfwd help here?