In case this post helps anyone...
Reject the request when $smtpd_sender_login_maps specifies an owner for the MAIL FROM address, but the client is not (SASL) logged in as that MAIL FROM address owner;
or when the client is (SASL) logged in, but the client login name doesn't own the MAIL FROM address according to $smtpd_sender_login_maps.
smtpd_sender_login_maps (default: empty)
Optional lookup table with the SASL login names that own sender (MAIL FROM) addresses.
Specify zero or more "type:table" lookup tables. With lookups from indexed files such as DB or DBM, or from networked tables such as NIS, LDAP or SQL, the following search operations are done with a sender address of user@domain:
This table lookup is always done and has the highest precedence.
This table lookup is done only when the domain part of the sender address matches $myorigin, $mydestination, $inet_interfaces or $proxy_interfaces.
This table lookup is done last and has the lowest precedence.
In all cases the result of table lookup must be either "not found" or a list of SASL login names separated by comma and/or whitespace.
sender_login_maps.cf default code with iRedMail-8.0.3:
user = xxxxx
password = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
hosts = xxx.x.x.x
port = xxxx
dbname = xxxxx
query = SELECT mailbox.username FROM mailbox,domain WHERE mailbox.username='%s' AND mailbox.domain='%d' AND mailbox.domain=domain.domain AND mailbox.e$
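
Added example, not part of the original post and not Postfix or iRedMail code: a small Python model of the ownership check quoted above, useful for reasoning about which MAIL FROM / SASL login combinations get rejected. The lookup key forms (user@domain, user, @domain) are taken from the Postfix postconf(5) documentation; the table contents, function names and the case-insensitive comparison are assumptions of this sketch.

```python
import re

# Constructed sample data standing in for smtpd_sender_login_maps results.
SAMPLE_TABLE = {
    "alice@example.com": "alice@example.com, helpdesk",  # two owners
    "root": "admin",                                     # bare "user" key
    "@example.org": "relay-svc",                         # whole-domain owner
}

def owners_for(sender, table, local_domains=()):
    """Return the set of SASL logins owning `sender`, or None for "not found".

    Keys are tried in precedence order: user@domain (always), user (only
    when the domain is local), @domain (last). The first hit wins.
    """
    sender = sender.lower()
    user, _, domain = sender.rpartition("@")
    keys = [sender]
    if domain in local_domains:
        keys.append(user)
    keys.append("@" + domain)
    for key in keys:
        if key in table:
            # Result is a list of names separated by comma and/or whitespace.
            names = re.split(r"[,\s]+", table[key].strip().lower())
            return {n for n in names if n}
    return None

def check_sender_login(sender, sasl_login, table, local_domains=()):
    """Apply both mismatch conditions. Returns (accepted, reason)."""
    owners = owners_for(sender, table, local_domains)
    if sasl_login is None:
        # Unauthenticated client: reject only if the address has an owner.
        if owners is not None:
            return False, "sender has an owner but client is not logged in"
        return True, "no owner listed and client is not logged in"
    # Authenticated client: the login must appear in the owner list.
    if owners is None or sasl_login.lower() not in owners:
        return False, "login name does not own the sender address"
    return True, "login name owns the sender address"

if __name__ == "__main__":
    for sender, login in [("alice@example.com", "bob@example.com"),
                          ("alice@example.com", None),
                          ("any@example.org", "relay-svc")]:
        print(sender, login, check_sender_login(sender, login, SAMPLE_TABLE))
```

With a map like the iRedMail query above, which returns the mailbox's own username for its address, an authenticated user can send only as their own mailbox address unless further owners are listed.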