On Tue, Sep 28, 2021 at 03:50:06PM +0100, João Silva wrote:

> It would be nice to have an option to specify a list of allowed domains.

This is not meaningful, because the lookup result is a list of SASL identities, which are just opaque octet strings, there's no notion of "domain" there. In fact, the identities are potentially mechanism-specific, and Postfix could pedantically distinguish between GSSAPI:user@REALM and PLAIN:user@REALM, as they may be semantically distinct, but that would be rather annoying, and not a problem in practice.

[ Indeed the rabbit hole is deeper, because the meaning of a name may depend on the underlying GSSAPI mechanism, which IIRC is not exposed via SASL. ]

Postfix allows you to specify which SASL logins have access to a given sender address. While the lookup key (sender address) has a domain part, that is not the case with the lookup result. The envelope sender address can be a domain suffix, but the list of authorised users cannot, because Postfix does not attempt to parse opaque SASL logins.

    env sender      SASL login
    @domain         user1, user2, ...

--
    Viktor.
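
As an added example that is not part of the message above: since the lookup result must list logins explicitly, a per-domain policy has to be expanded outside Postfix when the table is generated. The login list, the realm policy and the function names are constructed for illustration, and treating the text after the last "@" as a realm is a site-specific assumption, not something Postfix does.

```python
"""Expand a per-realm policy into explicit '@domain -> SASL logins' table rows."""
from collections import defaultdict

# Constructed sample: SASL logins exactly as the site's auth backend reports them.
SASL_LOGINS = ["alice@example.com", "bob@example.com",
               "carol@example.org", "svc-backup"]

# Constructed policy: login realm -> envelope sender domains it may use.
REALM_TO_SENDER_DOMAINS = {
    "example.com": ["example.com", "mail.example.com"],
    "example.org": ["example.org"],
}


def build_sender_login_map(logins, realm_policy):
    """Return {'@domain': [login, ...]} with every permitted login spelled out."""
    owners = defaultdict(set)
    for login in logins:
        # Site-specific assumption: the part after the last "@" is the realm.
        local, sep, realm = login.rpartition("@")
        if not sep or not local:
            # Opaque login with no realm: never guess, add it by hand if needed.
            continue
        for domain in realm_policy.get(realm, []):
            owners["@" + domain].add(login)
    return {key: sorted(owners[key]) for key in sorted(owners)}


def render(table):
    """Format rows as 'key<TAB>login1, login2' for a Postfix lookup table file."""
    return "\n".join(f"{key}\t{', '.join(v)}" for key, v in table.items())


if __name__ == "__main__":
    # The output is meant for the file named in smtpd_sender_login_maps.
    print(render(build_sender_login_map(SASL_LOGINS, REALM_TO_SENDER_DOMAINS)))
```

Logins without a realm, such as the constructed `svc-backup`, are skipped and need a manual row if they should be allowed to use a sender address.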