http://www.postfix.org/postconf.5.html#smtpd_sender_restrictions

 

 

smtpd_sender_restrictions (default: empty)
Optional restrictions that the Postfix SMTP server applies in the context of the MAIL FROM command. The default is to permit everything. Specify a list of restrictions, separated by commas and/or whitespace. Continue long lines by starting the next line with whitespace. Restrictions are applied in the order as specified; the first restriction that matches wins. The following restrictions are specific to the sender address received with the MAIL FROM command.
check_sender_access type:table
Search the specified  access(5) database for the MAIL FROM address, domain, parent domains, or localpart@, and execute the corresponding action.
check_sender_mx_access type:table
Search the specified  access(5) database for the MX hosts for the MAIL FROM address, and execute the corresponding action. Note: a result of “OK” is not allowed for safety reasons. Instead, use DUNNO in order to exclude specific hosts from blacklists. This feature is available in Postfix 2.1 and later.
check_sender_ns_access type:table
Search the specified  access(5) database for the DNS servers for the MAIL FROM address, and execute the corresponding action. Note: a result of “OK” is not allowed for safety reasons. Instead, use DUNNO in order to exclude specific hosts from blacklists. This feature is available in Postfix 2.1 and later.
reject_authenticated_sender_login_mismatch
Enforces the  reject_sender_login_mismatch restriction for authenticated clients only. This feature is available in Postfix version 2.1 and later.
reject_non_fqdn_sender
Reject the request when the MAIL FROM address is not in fully-qualified domain form, as required by the RFC. 
The  non_fqdn_reject_code parameter specifies the response code to rejected requests (default: 504).
reject_rhsbl_sender rbl_domain=d.d.d.d
Reject the request when the MAIL FROM domain is listed with the A record “ d.d.d.d” under  rbl_domain (Postfix version 2.1 and later only). If no “ =d.d.d.d” is specified, reject the request when the reversed client network address is listed with any A record under  rbl_domain
The  maps_rbl_reject_code parameter specifies the response code for rejected requests (default: 554); the default_rbl_reply parameter specifies the default server reply; and the  rbl_reply_maps parameter specifies tables with server replies indexed by  rbl_domain. This feature is available in Postfix 2.0 and later.
reject_sender_login_mismatch
Reject the request when $ smtpd_sender_login_maps specifies an owner for the MAIL FROM address, but the client is not (SASL) logged in as that MAIL FROM address owner; or when the client is (SASL) logged in, but the client login name doesnt own the MAIL FROM address according to $ smtpd_sender_login_maps.
reject_unauthenticated_sender_login_mismatch
Enforces the  reject_sender_login_mismatch restriction for unauthenticated clients only. This feature is available in Postfix version 2.1 and later.
reject_unknown_sender_domain
Reject the request when Postfix is not final destination for the sender address, and the MAIL FROM address has no DNS A or MX record, or when it has a malformed MX record such as a record with a zero-length MX hostname (Postfix version 2.3 and later). 
The  unknown_address_reject_code parameter specifies the response code for rejected requests (default: 450). The response is always 450 in case of a temporary DNS error.
reject_unlisted_sender
Reject the request when the MAIL FROM address is not listed in the list of valid recipients for its domain class. See the  smtpd_reject_unlisted_sender parameter description for details. This feature is available in Postfix 2.1 and later.
reject_unverified_sender
Reject the request when mail to the MAIL FROM address is known to bounce, or when the sender address destination is not reachable. Address verification information is managed by the  verify(8) server; see the ADDRESS_VERIFICATION_README file for details. 
The  unverified_sender_reject_code parameter specifies the response when an address is known to bounce (default: 450, change into 550 when you are confident that it is safe to do so). Postfix replies with 450 when an address probe failed due to a temporary problem. This feature is available in Postfix 2.1 and later.

Other restrictions that are valid in this context:

  • Generic restrictions that can be used in any SMTP command context, described undersmtpd_client_restrictions.
  • SMTP command specific restrictions described under smtpd_client_restrictions and smtpd_helo_restrictions.
  • SMTP command specific restrictions described under smtpd_recipient_restrictions. When recipient restrictions are listed under smtpd_sender_restrictions, they have effect only with “smtpd_delay_reject = yes”, so that $smtpd_sender_restrictions is evaluated at the time of the RCPT TO command.

Examples: smtpd_sender_restrictions = reject_unknown_sender_domain
smtpd_sender_restrictions
= reject_unknown_sender_domain,
check_sender_access hash:/etc/postfix/access