I did that in the DATA ACL:

    # Check that a From or Sender header is present.
    require condition = ${if def:h_From: {1}{${if def:h_Sender: {1}{0}}}}
            message   = Missing From: or Sender: header. Consult RFC 5322.

    # And use that to enforce our outbound policy.
    require set acl_m_from_domain = ${if def:h_From: \
                    {${domain:$h_From:}} \
                    {${domain:$h_Sender:}} \
                }
            message        = Not permitted to send as $acl_m_from_domain from here
            sender_domains = +internal_domains

It at least covers the simple case; I'm not sure about handling lists in
the header---never had to. Reply-To should follow similarly.
If you're gathering data to notify users of the change in policy before
you implement it, I'd log the authenticated_id together with the
inappropriate domain to make it easy to pull out of the logs later
(change the second require to warn and message to log_message):

            log_message = $authenticated_id tried to send as \
                          $acl_m_from_domain!

Rical
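
Added example, not part of the original message: a Python model of the header policy above that also handles several addresses in one header, the case the message leaves open, and produces the same log text. INTERNAL_DOMAINS, the function names and the sample headers in the comments are assumptions made for illustration; this models the check offline and is not Exim configuration.

```python
from email.utils import getaddresses

# Constructed stand-in for the ACL's +internal_domains list (assumption).
INTERNAL_DOMAINS = {"example.org", "mail.example.org"}


def header_domains(headers):
    """Domains of every address in From:, or in Sender: when no From: exists.

    `headers` maps a header name to a list of raw header values.
    Returns None when both headers are missing, mirroring the first require.
    """
    values = headers.get("From") or headers.get("Sender")
    if not values:
        return None
    domains = []
    for _name, addr in getaddresses(values):
        local, sep, domain = addr.rpartition("@")
        # An address without local part or domain is recorded as "" so that
        # it can never match an internal domain.
        domains.append(domain.lower() if sep and local else "")
    # A header that is present but holds no parsable address is also rejected.
    return domains or [""]


def check_message(headers, authenticated_id):
    """Return (accepted, text); text is the rejection or log message."""
    domains = header_domains(headers)
    if domains is None:
        return False, "Missing From: or Sender: header. Consult RFC 5322."
    # Every listed address must be internal, not just the first one.
    bad = sorted({d or "<unparsable>" for d in domains
                  if d not in INTERNAL_DOMAINS})
    if bad:
        return False, f"{authenticated_id} tried to send as {', '.join(bad)}!"
    return True, ""


if __name__ == "__main__":
    # Constructed sample: one internal and one external address in From:.
    sample = {"From": ["Alice <alice@example.org>, Mallory <m@evil.test>"]}
    print(check_message(sample, "alice"))
```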