Sun Java System Messaging Server 6.3 Administration Guide

12.4.5 Using Authenticated Addresses from SMTP AUTH in Header

Keywords: authrewrite

The authrewrite channel keyword and associated AUTH_REWRITE mapping table allows modification of header and envelope addresses using addressing information obtained from authentication operations. Specifically, SASL authentication can be configured to provide an authorized email address. Normally the SMTP AUTH information is used, though this may be overridden via the FROM_ACCESS mapping. The authrewrite keyword takes a required bit value, according to Table 12–23.

Table 12–23 authrewrite Bit Values




Don’t change anything (default) 

Add either a Sender: or Resent-sender: header field containing the address provided by the authentication operation. The Resent-variant is used if other resent- fields are present. 

Add a Sender: header field containing the address provided by the authentication operation. 

Construct a probe in a mapping table called AUTH_REWRITE of the form:


where mail-from is the envelope From: address, sender is the address from the Sender: or Resent-sender: header field, from is the address from the From: or Resent-From: header field, and auth-sender is the address provided by the authentication operation.

The result is run through the AUTH_REWRITE mapping. The mapping should return a list of items separated by vertical bars ( | ). The items are consumed, in order, by the setting of the following flags:

$J $K Replace the envelope From: address for the message

$Y $T Add an appropriate Sender: or Resent-sender: header field.

$N Reject the message. Mapping result provides text of the error message. If no text is provided, invalid originator address used error message is displayed.

$Z Add an appropriate From: or Resent-from: header field. (Note that in general overriding a From: field is a very bad idea.)

The Resent- variants are used if other Resent- fields are present in the header.


Apply AUTH_REWRITE mapping even when authentication has not provided an authenticated address. If the bit is clear, the mapping is only applied if an authenticated address is available.


Include the source channel at the beginning of the AUTH_REWRITE mapping probe. It is separated from the remaining information by a |. If the bit is clear, the channel is not included.

Caution – Caution –

The $Z flag should be highly restricted as there are few legitimate uses for modifying envelope and header addresses.