Postfix deny relay for some virtual users

This feature became available in Postfix version 2.11.

You can use the check_sasl_access restriction to enforce restrictions based on the SASL username. Of course, you need to put it above permit_sasl_authenticated; otherwise the authenticated client is permitted before the access table is ever consulted. Please refer to man 5 postconf for the complete documentation.

Example configuration, taken from the Postfix SASL Howto:

# main.cf
smtpd_relay_restrictions =
    ...,
    check_sasl_access hash:/etc/postfix/sasl_blacklist,
    permit_sasl_authenticated,
    ...

and

# sasl_blacklist
# Use this when smtpd_sasl_local_domain is empty.
username   REJECT
# Use this when smtpd_sasl_local_domain=example.com.
username@example.com REJECT

Some workarounds for Postfix < 2.11

The author suggested that you need a combination of reject_sender_login_mismatch and check_sender_access.

  • The reject_sender_login_mismatch restriction rejects mail when the MAIL FROM sender address is not one that the authenticated username is permitted to use (according to smtpd_sender_login_maps). It looks like you already have a query for this in mysql_sender_maps.cf.

  • The check_sender_access restriction rejects mail based on the sender address, looked up in an access table.

So you need something like:

smtpd_sender_login_maps = mysql:/etc/postfix/mysql_sender_maps.cf
smtpd_relay_restrictions =
    ...,
    reject_sender_login_mismatch,
    check_sender_access hash:/etc/postfix/sasl_reject,
    ...

and

# sasl_reject
# sender address to deny (placeholder; use the real address you want blocked)
user@example.com   REJECT
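To make the ordering point concrete, here is a small Python model of how smtpd walks a restriction list (first restriction returning PERMIT or REJECT wins, DUNNO moves on to the next one). It is an added example, not Postfix code or anything from the original post; the Session/Config classes, the parse_access_map helper and the sample users bob and alice are constructed for illustration, and table lookups are exact-key only (real access(5) tables also try partial keys). It covers both the Postfix 2.11 check_sasl_access configuration above and the pre-2.11 reject_sender_login_mismatch + check_sender_access workaround, and shows that check_sasl_access placed after permit_sasl_authenticated never fires.

```python
"""Toy model of Postfix smtpd restriction evaluation (added example, not Postfix code)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Session:
    sasl_username: Optional[str]   # login name reported by SASL; None = not authenticated
    sender: str                    # MAIL FROM address
    relaying: bool = True          # True = recipient is outside our own domains


@dataclass
class Config:
    sasl_access: dict = field(default_factory=dict)        # check_sasl_access table
    sender_access: dict = field(default_factory=dict)      # check_sender_access table
    sender_login_maps: dict = field(default_factory=dict)  # smtpd_sender_login_maps: sender -> owners


def parse_access_map(text):
    """Parse the 'key ACTION' lines of an access(5) source file (comments and blanks ignored)."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, action = line.split(None, 1)
        table[key.lower()] = action.strip().upper()
    return table


# --- restrictions: each returns PERMIT, REJECT or DUNNO ("no opinion") ---
def check_sasl_access(cfg, s):
    if s.sasl_username is None:
        return "DUNNO"
    return cfg.sasl_access.get(s.sasl_username.lower(), "DUNNO")


def permit_sasl_authenticated(cfg, s):
    return "PERMIT" if s.sasl_username is not None else "DUNNO"


def reject_sender_login_mismatch(cfg, s):
    owners = cfg.sender_login_maps.get(s.sender.lower())
    if s.sasl_username is None:
        # sender has a registered owner but the client is not logged in as anyone
        return "REJECT" if owners is not None else "DUNNO"
    # logged in: the login must be one of the owners of the MAIL FROM address
    return "DUNNO" if owners and s.sasl_username in owners else "REJECT"


def check_sender_access(cfg, s):
    return cfg.sender_access.get(s.sender.lower(), "DUNNO")


def reject_unauth_destination(cfg, s):
    return "REJECT" if s.relaying else "DUNNO"


def evaluate(restrictions, cfg, s):
    """Walk the list in order; the first PERMIT/REJECT decides, like Postfix does."""
    for restriction in restrictions:
        verdict = restriction(cfg, s)
        if verdict != "DUNNO":
            return verdict
    return "PERMIT"  # reaching the end of smtpd_relay_restrictions means permit


# Constructed sample tables (not from the post): deny relaying to login "bob".
SASL_BLACKLIST = parse_access_map("# sasl_blacklist\nbob REJECT\n")
SENDER_REJECT = parse_access_map("# sasl_reject\nbob@example.com REJECT\n")
SENDER_LOGIN_MAPS = {"bob@example.com": {"bob"}, "alice@example.com": {"alice"}}

POSTFIX_211 = [check_sasl_access, permit_sasl_authenticated, reject_unauth_destination]
WRONG_ORDER = [permit_sasl_authenticated, check_sasl_access, reject_unauth_destination]
WORKAROUND = [reject_sender_login_mismatch, check_sender_access,
              permit_sasl_authenticated, reject_unauth_destination]


def run_scenarios():
    cfg = Config(SASL_BLACKLIST, SENDER_REJECT, SENDER_LOGIN_MAPS)
    bob = Session("bob", "bob@example.com")
    alice = Session("alice", "alice@example.com")
    anon = Session(None, "alice@example.com")
    spoof = Session("bob", "alice@example.com")   # bob trying to send as alice
    return {
        "2.11 bob": evaluate(POSTFIX_211, cfg, bob),          # REJECT via check_sasl_access
        "2.11 alice": evaluate(POSTFIX_211, cfg, alice),      # PERMIT
        "2.11 anon": evaluate(POSTFIX_211, cfg, anon),        # REJECT, unauthenticated relay
        "wrong order bob": evaluate(WRONG_ORDER, cfg, bob),   # PERMIT: blacklist never consulted
        "workaround bob": evaluate(WORKAROUND, cfg, bob),     # REJECT via check_sender_access
        "workaround alice": evaluate(WORKAROUND, cfg, alice), # PERMIT
        "workaround spoof": evaluate(WORKAROUND, cfg, spoof), # REJECT, sender/login mismatch
        "workaround anon": evaluate(WORKAROUND, cfg, anon),   # REJECT, sender has an owner
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:18s} -> {verdict}")
```

The "wrong order bob" scenario is the mistake the answer warns about: with permit_sasl_authenticated first, the blacklisted login relays freely because the evaluation stops at the first PERMIT.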

The alternative is to use the lightweight postfwd policy daemon to restrict by SASL username; its sasl_username request item lets you match on the authenticated login. See the postfwd documentation for further information.