This feature restricts which sender addresses an authenticated user is allowed to use. It maps each envelope sender (the
MAIL FROM/Fromaddress) to the SASL login name(s) permitted to send as it, and — combined with Postfix’s sender/login mismatch check — rejects any attempt by an authenticated user to send mail as someone else’s address.It is the natural companion of local SMTP authentication and Active Directory authentication: authentication proves who the client is; sender/login binding controls what address that client may claim to be.
This feature is available Artica v4.50 Service Pack 7 or Artica v4.50 Service Pack 6 Hotfix 20260704-16
By default, once a client is authenticated it can put any address in the MAIL FROM and From fields — including the CEO’s, another employee’s, or a partner’s.
This is internal spoofing, and it is a common vector for CEO-fraud / business-email-compromise attacks that originate from a single compromised or careless internal account.
Sender/login binding closes that gap: an authenticated user can only send as the addresses you explicitly bind to their login.
A compromised jdoe account can no longer send “from the CFO”.
Trade-off to understand before enabling.
Once enforcement is on, every authenticated sender address must be accounted for.
Legitimate cases — a user who also sends as a shared mailbox, an application that sends as a whole domain, aliases — must each be declared as an entry, or that mail will be rejected.
Plan your entries first, test, then enable enforcement.
maps lookup table.jdoe@corp.example.com) or a whole domain (@sales.example.com, meaning “any address in that domain”).
- Only checks authenticated clients (unauthenticated senders are handled by your other restrictions).
- Additionally requires a login for any sender that appears in the map.
Start with the authenticated variant unless you have a reason not to.
SMTP Router > Authentication > Sender/login binding.
jdoe@corp.example.com) or a domain (@example.com).
Common patterns
• One user, own address:jdoe@corp.example.com>jdoe.
• Shared mailbox:newsletter@corp.example.com>marketing(the marketing login may send as the shared newsletter address).
• Application sending as a whole domain:@sales.example.com>salesapp.
To let two logins share one address, add two entries with the same sender and different logins.
Reject Sender Login Mismatch or Reject Authenticated Sender Login Mismatch .
Before enforcing, verify your entries resolve as intended. Click test, enter a sender and a candidate SASL login, and click test.
"allowed": true with matched_login/matched_sender means that login is permitted to send as that address — the message would pass."allowed": false means the pair would be rejected once enforcement is on — either the binding is missing, or the login is genuinely not allowed to use that sender.
Click Apply in the top toolbar. Artica rebuilds the maps table, wires the chosen restriction into the SMTP daemon, and reloads Postfix.
A green confirmation appears under the toolbar.
Authenticate as one login and try to send as an address bound to a different login. Postfix rejects the message at MAIL FROM/RCPT time with:
553 5.7.1 <victim@corp.example.com>: Sender address rejected: not owned by user jdoe
Sending as an address that is bound to your login is accepted normally.
Open Parameters, turn Enable off, and Apply. Artica removes the restriction from the SMTP daemon; authenticated users can again send as any address. Your entries are kept, so you can re-enable later without re-creating them.
Legitimate mail is rejected with "Sender address rejected: not owned by user"
The sender is not bound to that login. Add an entry (full address or the @domain form), or use test to confirm the expected pair resolves to allowed: true, then Apply.
Nothing is blocked even though entries exist
Enforcement is off, or no restriction is selected. In Parameters, enable Reject_sender_login_mismatch and pick a restriction, then Apply.
A shared mailbox or alias is rejected
Add one entry per (sender, login) pair that is allowed to use it; multiple logins may map to the same sender.
Applications that send as many addresses break
Bind the application login to the whole domain with the @domain sender form instead of listing every address.