The smtpd_sender_restrictions has reject_sender_login_mismatch:
reject_sender_login_mismatch
As of Postfix 2.1, this is an alias for "reject_authenticated_sender_login_mismatch, reject_unauthenticated_sender_login_mismatch".
reject_authenticated_sender_login_mismatch
Reject the request when the client is authenticated with SASL, but either the MAIL FROM address is not listed in $smtpd_sender_login_maps, or the SASL login name is not an owner for that address.
This prevents an authenticated client from using a MAIL FROM address that they do not explicitly own. This feature is available in Postfix version 2.1 and later.
reject_unauthenticated_sender_login_mismatch
Reject the request when SASL is enabled, the MAIL FROM address is listed in $smtpd_sender_login_maps, but the client is not authenticated with SASL.
With SASL enabled, this prevents an unauthenticated client from using any MAIL FROM address that is listed in $smtpd_sender_login_maps.
This feature is available in Postfix version 2.1 and later.
If you are using virtual_alias_maps to deliver the mail, the smtpd_sender_login_maps has the same format; the same file can be used for both, updating the allowed addresses at the same time you add addresses for delivery.
Say you are using SMTPS on port 465 for submission, you can add these directives under it in master.cf:
smtps inet n - - - - smtpd
-o smtpd_sender_login_maps=hash:/etc/postfix/virtual
-o smtpd_sender_restrictions=reject_sender_login_mismatch
The /etc/postfix/virtual has the addresses with the corresponding users:
# address username
[email protected] joe
[email protected] jane
As it is a hash: Berkeley DB, remember sudo postmap /etc/postfix/virtual after modifications.
