+DIVERT(null)
+###--------------------------------------------------------------------------
+### Verification of sender address.
+
+SECTION(acl, misc)m4_dnl
+mail_check_auth:
+
+ ## If this isn't a submission then it doesn't need checking.
+ accept condition = ${if !eq{$acl_c_mode}{submission}}
+
+ ## If the caller hasn't formally authenticated, but this is a
+ ## loopback connection, then we can trust identd to tell us the right
+ ## answer. So we should stash the right name somewhere consistent.
+ warn set acl_c_user = $authenticated_id
+ hosts = +thishost
+ !authenticated = *
+ condition = ${if def:sender_ident}
+ set acl_c_user = $sender_ident
+
+ ## User must be authenticated by now.
+ deny message = Sender not authenticated
+ condition = ${if !def:acl_c_user}
+
+ ## Set the per-message authentication flag, since we now know that
+ ## there's a sensible value.
+ warn set acl_m_user = $acl_c_user
+
+ ## All done.
+ accept
+