1# MAIL FROM and From authorization23Module check.authorize_sender verifies that envelope and header sender addresses belong4to the authenticated user. Address ownership is established via table5that maps each user account to a email address it is allowed to use.6There are some special cases, see `user_to_email` description below.78```9check.authorize_sender {10 prepare_email identity11 user_to_email identity12 check_header yes1314 unauth_action reject15 no_match_action reject16 malformed_action reject17 err_action reject1819 auth_normalize auto20 from_normalize auto21}22```23```24check {25 authorize_sender { ... }26}27```2829## Configuration directives3031### user_to_email _table_32Default: `identity`3334Table that maps authorization username to the list of sender emails35the user is allowed to use.3637In additional to email addresses, the table can contain domain names or38special string "\*" as a value. If the value is a domain - user39will be allowed to use any mailbox within it as a sender address.40If it is "\*" - user will be allowed to use any address.4142By default, table.identity is used, meaning that username should43be equal to the sender email.4445Before username is looked up via the table, normalization algorithm46defined by auth_normalize is applied to it.4748---4950### prepare_email _table_51Default: `identity`5253Table that is used to translate email addresses before they54are matched against user_to_email values.5556Typically used to allow users to use their aliases as sender57addresses - prepare_email in this case should translate58aliases to "canonical" addresses. This is how it is59done in default configuration.6061If table does not contain any mapping for the used sender62address, it will be used as is.6364---6566### check_header _boolean_67Default: `yes`6869Whether to verify header sender in addition to envelope.7071Either Sender or From field value should match the72authorization identity.7374---7576### unauth_action _action_77Default: `reject`7879What to do if the user is not authenticated at all.8081---8283### no_match_action _action_84Default: `reject`8586What to do if user is not allowed to use the sender address specified.8788---8990### malformed_action _action_91Default: `reject`9293What to do if From or Sender header fields contain malformed values.9495---9697### err_action _action_98Default: `reject`99100What to do if error happens during prepare_email or user_to_email lookup.101102---103104### auth_normalize _action_105Default: `auto`106107Normalization function to apply to authorization username before108further processing.109110Available options:111112- `auto` `precis_casefold_email` for valid emails, `precis_casefold` otherwise.113- `precis_casefold_email` PRECIS UsernameCaseMapped profile + U-labels form for domain114- `precis_casefold` PRECIS UsernameCaseMapped profile for the entire string115- `precis_email` PRECIS UsernameCasePreserved profile + U-labels form for domain116- `precis` PRECIS UsernameCasePreserved profile for the entire string117- `casefold` Convert to lower case118- `noop` Nothing119120PRECIS profiles are defined by RFC 8265. In short, they make sure121that Unicode strings that look the same will be compared as if they were122the same. CaseMapped profiles also convert strings to lower case.123124---125126### from_normalize _action_127Default: `auto`128129Normalization function to apply to email addresses before130further processing.131132Available options are same as for `auth_normalize`.