Thanks Tony, I have a working configuration now, not clean but apparently
effective. The basic verification rules it satisfies are:
1) a locally acceptable address (anything that gives a 250 Accepted
   response) must be a LHS in an alias file
2) an authenticated submitted envelope sender must:
   a) be locally acceptable
   b) come from an authenticated user who is, at some point, the RHS in an
      alias file for the given envelope sender. That is, any local user who
      "may" receive messages for an address, can also generate messages from
      that address.
Note that b does not exclude that a .forward file exists that redirects all
email for that local user to a foreign address, as user forward is not
used for verification.
I do the check b in the aliases routers (there are 3) and set a flag
there. This flag is then checked in the local sender verify router.
These are the routers:

domain_aliases_unspec:
  driver = redirect
  allow_fail
  allow_defer
  domains = +local_domains
  local_parts = lsearch;DOMAINS_DIR/$domain/alias
  # keep verified=yes if already set, else set it when this alias key
  # is the authenticated user
  address_data = ${extract{verified}{$address_data}\
                   {verified=yes}\
                   {${if eq{$local_part}{$authenticated_id}{verified=yes}{}}}} \
                 aliased=$local_part_data
  data = $local_part_data
  file_transport = address_file
  pipe_transport = address_pipe

[two similar routers for suffixed and for system wide aliases]

# check auth id is consistent with declared sender
local_sender_verify:
  driver = redirect
  verify_only
  verify_sender
  allow_fail
  allow_defer
  data = $local_part@$domain
  domains = +local_domains
  condition = ${if !eq{${extract{verified}{$address_data}}}{yes}}
  fail_verify_sender

The verify = sender condition is at the moment in the MAIL ACL,
but this does not play too nicely with pine; I have to see if it's better to
deny later (in RCPT).
Giuliano
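
A small Python model of rules 1 and 2 from the message above, added here as an illustration; it is not part of the original post and is not Exim code. The alias contents, the example.org domain and the function names are constructed, and, as in the post, only alias files are consulted (no .forward handling).

```python
from collections import deque

# Constructed sample of one domain's alias file, lsearch format (key: data).
SAMPLE_ALIASES = """\
sales: alice, bob
support: sales, carol@other.example
alice: /var/mail/alice
bob: /var/mail/bob
dave: /var/mail/dave
"""

def parse_aliases(text):
    """Map each LHS to its list of RHS items."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            lhs, _, rhs = line.partition(":")
            table[lhs.strip().lower()] = [r.strip() for r in rhs.split(",") if r.strip()]
    return table

def local_part_of(item, domain):
    """Local part if item is an address in `domain`; None for files, pipes, foreign."""
    if item.startswith(("/", "|")):
        return None
    local, at, dom = item.partition("@")
    if at and dom.lower() != domain:
        return None
    return local.lower()

def may_send_as(sender, auth_id, aliases, domain="example.org"):
    """True if auth_id is the sender itself or is reached through its alias chain."""
    start = local_part_of(sender, domain)
    if start is None or start not in aliases:      # rules 1 and 2a: must be an LHS
        return False
    seen, queue = set(), deque([start])
    while queue:
        lp = queue.popleft()
        if lp in seen:                             # guard against alias loops
            continue
        seen.add(lp)
        if lp == auth_id.lower():                  # rule 2b: the "verified" flag
            return True
        for item in aliases[lp]:
            nxt = local_part_of(item, domain)
            if nxt in aliases:                     # follow only local alias keys
                queue.append(nxt)
    return False

ALIASES = parse_aliases(SAMPLE_ALIASES)
```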