## sender was presumably checked upstream, and we can believe that
## the name has been transmitted honestly.
accept condition = ${if def:tls_peerdn}
+ set acl_m_user = ${if match_address{$authenticated_sender} \
+ {*@CONF_master_domain} \
+ {${local_part:$authenticated_sender}}}
## If this is submission, and the client has authenticated, then we
## check that the name matches the user.
## Otherwise we can't tell who really sent it.
deny message = Authenticated user not authoritative for claimed sender.
+SECTION(acl, data-hooks)m4_dnl
+ ## Report the `AUTH=' value, if we have one. This is delayed from
+ ## the above so that Exim can figure out a queue id. Once it's done
+ ## so, apparently it reports that automatically, so we don't need to
+ ## mention `$message_exim_id' explicitly here.
+ warn condition = ${if def:acl_m_user}
+ logwrite = AUTH=${quote:$acl_m_user}
+
DIVERT(null)
###----- That's all, folks --------------------------------------------------
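Review bot: The `logwrite = AUTH=${quote:$acl_m_user}` added in the data-hooks section records the user name identically whether it came from a local login or from the `def:tls_peerdn` branch, where the added `set acl_m_user` takes the local part of an `$authenticated_sender` relayed by the peer. `def:tls_peerdn` only shows that a client certificate was presented, so unless verification is enforced elsewhere in the configuration (not visible in this excerpt), that branch should also require `condition = ${if eq{$tls_certificate_verified}{1}}` before setting the variable. For anyone reading the logs during an investigation it would help to state the provenance, for example with a comment `## AUTH= may be a name relayed by a trusted peer, not a local login` above the `warn`. The hunk headers and the start of the enclosing ACL stanzas are outside this excerpt, so the stanza order is inferred from the visible lines.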