abh
commented
6 years ago I vaguely recall that the RFC specifies some relationship between the mail from address and the AUTH address (loginas in the code). Implementing that correctly might take some care (or at least careful reading of the RFC). :-/
It's possible that the system needs to carry around "mail from" and "authenticated user" and use them differently and separately in places where we just use "mail from" now.
Is there any reasoning about this code? I have hit that when trying to setup qpsmtpd as smarthost and smtp client honestly set loginAs email address from "Mail From" header which obviously is not same as $user.
I am bit strugling with this, imho Qpsmtpd core should not decide if client is authorized if loginAs != user. Also this check can't be switched off nor customized via plugin.