SASL authentication to authorize envelope sender address

A registered user can send email through any name (including admin@domain.tld, root@domain.tld, webmaster@domain.tld). I tested it by creating a test user on the server, then trying to send mail from a random name.

I used Mozilla Thunderbird for this.

Click the account, then click "View settings for this account".

Click manage identities

You will see your current account. Click add.

Type the name you want to be displayed for the receiver of the
email (e.g. Tom, John, etc.). Type a random name in email along with the
domain (random_name@yourdomain.tld). Click OK.

Select the newly created email address from the drop-down. Then add the
sender address, subject and message and send it. The message goes
through successfully.

I want to limit the email sender address to just the username of the YunoHost user.

For this I edited the /etc/postfix/main.cf and added the following lines (lines in bold).

smtpd_sender_login_maps= hash:/etc/postfix/controlled_envelope_senders

Requirements for the sender address

smtpd_sender_restrictions = 
    permit_mynetworks, 
    permit_sasl_authenticated, 
    reject_non_fqdn_sender, 
    reject_unknown_sender_domain,
    **reject_sender_login_mismatch,**
    permit 

I edited /etc/postfix/controlled_envelope_senders too and added the email address and the owner who can send from that mail in this format.

john@example.com john@example.com
helpdesk@example.com john@example.com, mary@example.com
postmaster@example.com admin@example.com

Restarted Postfix. But I can still send email from any address. So no success yet.
Any idea how this can be implemented?

Links:

http://www.postfix.org/SASL_README.html#server_sasl_authz

up

Anybody who has experience with Postfix, please help.

Is the email flagged in some way on the receiver side?
Because your trick only seems to change the reply-to address, right? You could do the same thing with "randomname@gmail.com", can't you?

smtpd_sender_login_maps should test the From field against the logged-in SASL authentication. If it matches, the email should go; otherwise there is an error message. But it's not happening in my case.

I tried this with both files, /etc/postfix/main.cf and /etc/postfix/master.cf. Editing /etc/postfix/main.cf stops every mail from being sent (the admin account is not affected by the rule, so try with a new user account) and gives the error "email not owned by the user". This should not happen with the real email (e.g. user@domain.tld should be able to send mail as user@domain.tld, but it rejects this scenario too).

@scith

No, in Gmail the return path and From never change. You may use any new identity, but the source only shows the real Gmail email address. That way you can use Gmail as an SMTP relay for any email server, but any mail relayed will show the real Gmail address in the return path and From.

This is not the case with the YunoHost Postfix server. Anyone having an account in YunoHost can relay any email identity from it. That makes the server an open relay server for the person having an account on it.

I tried a lot of workarounds to stop unassigned identities from being relayed from the YunoHost server, but none of them worked. So the server remains an open relay SMTP for the person having an account on the server.

Can anyone tell me how the LDAP identity can be matched with the sender envelope address of the email before sending it?
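
Added example, not written by any poster in this thread and not Postfix code: a simplified Python model of how an `smtpd_sender_restrictions` list is evaluated in order, with the first OK or REJECT ending the list. It is run over the list and owner map posted at the top of the thread, and shows why a `reject_sender_login_mismatch` placed after `permit_sasl_authenticated` is never reached for a logged-in client. The helper names `evaluate` and `login_mismatch`, the stubbed FQDN/DNS checks and the reordered list are assumptions for illustration.

```python
# Simplified model of Postfix restriction-list evaluation (illustration only).
# Each restriction returns OK, REJECT or DUNNO ("no opinion, try the next one").

# Constructed owner map, same format as controlled_envelope_senders in the thread:
# envelope sender -> SASL login names allowed to use it.
SENDER_LOGIN_MAP = {
    "john@example.com": {"john@example.com"},
    "helpdesk@example.com": {"john@example.com", "mary@example.com"},
    "postmaster@example.com": {"admin@example.com"},
}

def login_mismatch(sender, sasl_user, in_mynetworks):
    owners = SENDER_LOGIN_MAP.get(sender)
    if sasl_user is not None:
        # Logged in: the login must be listed as an owner of the MAIL FROM address.
        return "DUNNO" if owners and sasl_user in owners else "REJECT"
    # Not logged in: reject only when the address has a registered owner.
    return "REJECT" if owners else "DUNNO"

RESTRICTIONS = {
    "permit_mynetworks": lambda s, u, n: "OK" if n else "DUNNO",
    "permit_sasl_authenticated": lambda s, u, n: "OK" if u is not None else "DUNNO",
    "reject_non_fqdn_sender": lambda s, u, n: "DUNNO",        # stub (assumption)
    "reject_unknown_sender_domain": lambda s, u, n: "DUNNO",  # stub (assumption)
    "reject_sender_login_mismatch": login_mismatch,
    "permit": lambda s, u, n: "OK",
}

def evaluate(restrictions, sender, sasl_user=None, in_mynetworks=False):
    """Return (verdict, name of the restriction that decided it)."""
    for name in restrictions:
        verdict = RESTRICTIONS[name](sender, sasl_user, in_mynetworks)
        if verdict != "DUNNO":
            return verdict, name
    return "OK", "end of list"

# Order as posted in the thread: the permit_* entries come first.
AS_POSTED = ["permit_mynetworks", "permit_sasl_authenticated",
             "reject_non_fqdn_sender", "reject_unknown_sender_domain",
             "reject_sender_login_mismatch", "permit"]
# Same entries with the ownership check moved ahead of the permits.
REORDERED = ["reject_sender_login_mismatch", "permit_mynetworks",
             "permit_sasl_authenticated", "reject_non_fqdn_sender",
             "reject_unknown_sender_domain", "permit"]

if __name__ == "__main__":
    for order in (AS_POSTED, REORDERED):
        # john logs in and tries to send as postmaster@example.com
        print(evaluate(order, "postmaster@example.com", sasl_user="john@example.com"))
```

On a real server the right-hand side of the map is compared with the SASL login name, so owner entries must be spelled exactly as users log in. A `hash:` table also has to be rebuilt with `postmap` after each edit.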