I'd previously resisted doing this, because the full `AUTH=...' notes
I'm passing around look a lot like email addresses and this might
subvert attempts to use extension addresses or the odin forwarder. But
it seems a shame to lose this information.

Compromise: report the sender, as a bare user-name, only if the
domain-part is us. This will, at worst, repeat the user name from the
sending MTA, which told us what it was either as the origin for a local
sender, or the authenticated user name from SMTP authentication or
identd (for submission to localhost).
${if def:sender_address \
{(envelope-from $sender_address\
${if def:authenticated_id \
- {; auth=${quote_local_part:$authenticated_id}}})\n\t}}\
+ {; auth=${quote_local_part:$authenticated_id}} \
+ {${if and {{def:authenticated_sender} \
+ {match_address{$authenticated_sender} \
+ {*@CONF_master_domain}}} \
+ {; auth=${quote_local_part:\
+ ${local_part:\
+ $authenticated_sender}}}}}})\n\t}}\
id $message_exim_id\
${if def:received_for {\n\tfor $received_for}}
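Review bot: in the added else-branch, the local part taken from $authenticated_sender is written under the same `; auth=` tag as the $authenticated_id branch, so a reader of the Received: header cannot tell an SMTP-authenticated identity from a name that, per the commit message, may come only from local origin or identd. Consider a distinct tag for the fallback value so log analysis and abuse handling can weigh the two differently. A short comment above the `match_address` test would also help, stating that only senders under `*@CONF_master_domain` are reported and only as a bare local part, since that reasoning currently lives only in the commit message.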