The reject_xxx_sender_login mismatch support has evolved over time,
and new features have been document in terms of older features,
which is not optimal.
So this is what really happens:
reject_authenticated_sender_login_mismatch
Reject the request when the client is authenticated with SASL,
but either the MAIL FROM address is not listed in
$smtpd_sender_login_maps, or the SASL login name is not an
owner for that address.
This prevents an authenticated client from using a MAIL FROM
address they do not explicity own.
This feature is available in Postfix version 2.1 and later.
reject_known_sender_login_mismatch
When the client is authenticated with SASL, reject the request
when the MAIL FROM address is listed in $smtpd_sender_login_maps,
but the SASL login name is not an owner for that address.
When the client is not authenticated with SASL, reject the
request when SASL is enabled, and the MAIL FROM address is
listed in $smtpd_sender_login_maps.
This protects any MAIL FROM address that is listed in
$smtpd_sender_login_maps, while still allowing a client to
use any unlisted MAIL FROM address.
This feature is available in Postfix version 2.11 and later.
reject_sender_login_mismatch
As of Postfix 2.1, this is an alias for
"reject_authenticated_sender_login_mismatch,
reject_unauthenticated_sender_login_mismatch".
reject_unauthenticated_sender_login_mismatch
Reject the request when SASL is enabled, the MAIL FROM address
is listed in $smtpd_sender_login_maps, but the client is not
authenticated with SASL.
With SASL enabled, this prevents an unauthenticated client
from using any MAIL FROM address that is listed in
$smtpd_sender_login_maps.
This feature is available in Postfix version 2.1 and later.
I'm bit busy now, but expect tp update documentation after this week.
Wietse
