Restrict SASL users to certain sender domains

If you are hosting a sending infrastructure, it may be a good idea to restrict each SASL username to a fixed set of sending domains in order to prevent abuse (for example a compromised account relaying mail for domains it does not own). It could be that your users already carry their sending domain in the SASL username, or that you need to look up this information in an external database. The following checks can be done in the MAIL FROM context or at any later stage; the only difference is where the sender domain is read from.

If you want to check that the domain part of the SASL username matches the sending domain:

MAIL FROM context
// Only authenticated sessions may relay; reject everything else up front
$saslauthed = isset($connection["auth"]);
if (!$saslauthed) Reject("Authentication Required");

$saslusername = $connection["auth"]["username"];
$senderdomain = $arguments["address"]["domain"]; // Use $transaction["senderaddress"]["domain"] in later stages
// Negative limit splits from the right, so the domain is whatever follows the last "@"
[$localpart, $domain] = str_split($saslusername, "@", -2);
if ($domain == $senderdomain)
    Accept();

Reject("$saslusername is not allowed to relay for $senderdomain");

If you want to match the SASL username to one or more domains in an external list:

MAIL FROM context
// Only authenticated sessions may relay; reject everything else up front
$saslauthed = isset($connection["auth"]);
if (!$saslauthed) Reject("Authentication Required");

$saslusername = $connection["auth"]["username"];
$senderdomain = $arguments["address"]["domain"]; // Use $transaction["senderaddress"]["domain"] in later stages
// The list of allowed domains for this user would normally come from a database or configuration lookup
if ($saslusername == "john.doe" and array_includes($senderdomain, ["example.com", "example.net"]))
    Accept();

Reject("$saslusername is not allowed to relay for $senderdomain");
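The two checks above can be combined into a single policy that first consults a per-user allow list and then falls back to the domain-part match. The following is an added example written for this page, not code from the Halon documentation: the `$allowed` map is constructed sample data standing in for whatever external lookup you use, both the username and the sender domain are lowercased before comparison so that case differences in the SASL username or the envelope sender cannot bypass the check, and membership is tested with a plain loop so the policy does not depend on any helper's argument order.

```hsl
MAIL FROM context
// Only authenticated sessions may relay; reject everything else up front
if (!isset($connection["auth"])) Reject("Authentication Required");

// Normalise both sides so "John.Doe" / "EXAMPLE.COM" compare equal to their lowercase forms
$saslusername = str_lower($connection["auth"]["username"]);
$senderdomain = str_lower($arguments["address"]["domain"]); // Use $transaction["senderaddress"]["domain"] in later stages

// Constructed sample allow list: SASL username => domains it may send for.
// In production this would be populated from a database or configuration lookup.
$allowed = [
    "john.doe" => ["example.com", "example.net"],
    "jane@example.org" => ["example.org", "mail.example.org"],
];

// 1. Explicit allow list takes precedence
if (isset($allowed[$saslusername]))
{
    foreach ($allowed[$saslusername] as $d)
        if ($d == $senderdomain)
            Accept();
    // A listed user is never allowed to fall through to the implicit rule below
    Reject("$saslusername is not allowed to relay for $senderdomain");
}

// 2. Fallback: a username of the form local@domain may send for its own domain.
//    Negative limit splits from the right, so the domain is whatever follows the last "@".
$parts = str_split($saslusername, "@", -2);
if (count($parts) == 2 and $parts[1] == $senderdomain)
    Accept();

Reject("$saslusername is not allowed to relay for $senderdomain");
```

Keeping the explicit list ahead of the implicit rule means a user who is deliberately restricted to certain domains cannot regain relay rights for their own username domain simply because it is absent from the list; rejecting with a 5xx also makes the abuse attempt visible in the client's logs rather than silently deferring it.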