+### Verification of sender address.
+
+SECTION(acl, misc)m4_dnl
+mail_check_auth:
+
+ ## If this isn't a submission then it doesn't need checking.
+ accept condition = ${if !eq{$acl_c_mode}{submission}}
+
+ ## If the caller hasn't formally authenticated, but this is a
+ ## loopback connection, then we can trust identd to tell us the right
+ ## answer. So we should stash the right name somewhere consistent.
+ warn set acl_c_user = $authenticated_id
+ hosts = +thishost
+ !authenticated = *
+ set acl_c_user = $sender_ident
+
+ ## User must be authenticated.
+ deny message = Sender not authenticated
+ !hosts = +thishost
+ !authenticated = *
+
+ ## Make sure that the local part is one that the authenticated sender
+ ## is allowed to claim.
+ deny message = Sender address forbidden to calling user
+ !condition = ${LOOKUP_DOMAIN($sender_address_domain,
+ {${if and {{match_local_part \
+ {$acl_c_user} \
+ {+dom_users}} \
+ {match_local_part \
+ {$sender_address_local_part} \
+ {+dom_locals}}}}},
+ {${if and {{match_local_part \
+ {$sender_address_local_part} \
+ {+user_extaddr}} \
+ {or {{eq {$sender_address_domain} \
+ {}} \
+ {match_domain \
+ {$sender_address_domain} \
+ {+public}}}}}}})}
+
+ ## All done.
+ accept
+
+DIVERT(null)
+###--------------------------------------------------------------------------