Score:1

Configuring Postfix to Restrict User Access to the Postfix "Sendmail" Command


Reading at http://www.postfix.org/postconf.5.html#smtpd_relay_restrictions, we see that, by default, network mail relay access to postfix is restricted to "local" or "authenticated" users:

smtpd_relay_restrictions (default: permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination)

Access restrictions for mail relay control that the Postfix SMTP server applies in the context of the RCPT TO command, before smtpd_recipient_restrictions.

At the same time, though, any user able to run applications on the mail server can bypass these network smtpd_relay_restrictions, even the SASL authentication requirement, by simply using the local postfix sendmail command to send mail. The postfix sendmail command might be run directly, from a shell, or indirectly, for example, using the Gnome Evolution "personal information manager".

Rather than restricting access to the postfix sendmail command itself, by changing the sendmail user or group permissions and per-user group memberships, how can postfix be directly configured to restrict access to the postfix sendmail command?

Score:1

Reading at http://www.postfix.org/sendmail.1.html, we see:

Postfix sendmail(1) relies on the postdrop(1) command to create a queue file in the maildrop directory.

And then, reading at http://www.postfix.org/postdrop.1.html:

The following main.cf parameters are especially relevant to this program.

authorized_submit_users (static:anyone)
List of users who are authorized to submit mail with the sendmail(1) command (and with the privileged postdrop(1) helper command).

Further reading at http://www.postfix.org/postconf.5.html#authorized_submit_users, we see:

By default, all users are allowed to submit mail. Otherwise, the real UID of the process is looked up in the system password file, and access is granted only if the corresponding login name is on the access list. The username "unknown" is used for processes whose real UID is not found in the password file. To deny mail submission access to all users specify an empty list.

Specify a list of user names, "/file/name" or "type:table" patterns, separated by commas and/or whitespace. The list is matched left to right, and the search stops on the first match. A "/file/name" pattern is replaced by its contents; a "type:table" lookup table is matched when a name matches a lookup key (the lookup result is ignored). Continue long lines by starting the next line with whitespace. Specify "!pattern" to exclude a user name from the list. The form "!/file/name" is supported only in Postfix version 2.4 and later.

Example:
authorized_submit_users = !www, static:all

Additional information about "type:table" patterns can be found at http://www.postfix.org/DATABASE_README.html#types.

mangohost
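As an added example (not code from the original post, and not part of Postfix), the following POSIX shell script models how Postfix evaluates an authorized_submit_users value for one login name, using the postconf(5) rules quoted in the answer: patterns separated by commas and/or whitespace, matched left to right, first match wins, "!pattern" excludes, "/file/name" is replaced by the file's contents, and a "static:" table matches any name. The function names (expand_patterns, is_authorized_submit_user) are invented for this illustration, and the script assumes that only plain names, "!" exclusions, "/file/name" entries and "static:" tables need to be modelled; other "type:table" entries are treated as "no match" because they cannot be looked up here.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Postfix project.
# Models the authorized_submit_users evaluation described in postconf(5):
# patterns are separated by commas and/or whitespace, the list is matched
# left to right, the first match decides, "!pattern" excludes the name,
# "/file/name" is replaced by the file's contents, and a "static:" table
# matches every name.
# Assumptions: only plain names, "!" exclusions, "/file/name" and "static:"
# tables are modelled; any other "type:table" entry is treated as "no match";
# names read from a "!/file/name" entry inherit the exclusion. The caller
# supplies the login name ("unknown" for a UID not in the password file, as
# the documentation describes).

# expand_patterns LIST
#   Prints one pattern per line, with each "/file/name" entry replaced by the
#   names it contains (a leading "!" is carried over to every such name).
expand_patterns() {
    printf '%s\n' "$1" | tr ',' ' ' | tr -s ' \t' '\n\n' |
    while IFS= read -r pat; do
        [ -n "$pat" ] || continue
        prefix=
        case $pat in
            '!'*) prefix='!'; pat=${pat#!} ;;
        esac
        case $pat in
            /*) # file contents: names separated by newlines, commas or blanks
                [ -r "$pat" ] || continue
                tr ', \t' '\n\n\n' < "$pat" | sed -n "s/^\(.\)/$prefix\1/p" ;;
            *)  printf '%s%s\n' "$prefix" "$pat" ;;
        esac
    done
}

# is_authorized_submit_user LIST LOGIN_NAME
#   Exit status 0 when LOGIN_NAME would be allowed to submit mail with
#   sendmail(1)/postdrop(1) under LIST, 1 when it would be refused.
is_authorized_submit_user() {
    expand_patterns "$1" | {
        while IFS= read -r pat; do
            negate=0
            case $pat in
                '!'*) negate=1; pat=${pat#!} ;;
            esac
            case $pat in
                static:*) matched=1 ;;   # static: tables match any lookup key
                *:*)      matched=0 ;;   # other table types: not modelled here
                "$2")     matched=1 ;;   # literal user name
                *)        matched=0 ;;
            esac
            if [ "$matched" -eq 1 ]; then
                # First match wins; a negated pattern means "excluded".
                if [ "$negate" -eq 1 ]; then exit 1; else exit 0; fi
            fi
        done
        exit 1   # empty list, or nothing matched: submission refused
    }
}

# Stand-alone demonstration with the example value from postconf(5).
for u in www alice unknown; do
    if is_authorized_submit_user '!www, static:all' "$u"; then
        echo "$u: may submit"
    else
        echo "$u: refused"
    fi
done
```

Note that in the documented example "!www, static:all", a process whose real UID is not in the password file is looked up as "unknown" and is therefore still allowed by static:all; a deny-by-default policy needs an explicit list of permitted names (or an empty list to refuse everyone). On a real server the value is applied with postconf -e 'authorized_submit_users = ...' followed by postfix reload, and the active value can be checked with postconf authorized_submit_users.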

