For the next part of this discussion, you need to be familiar with the SMTP protocol and how an email message is organized and submitted to the server.
When Outlook submits an email to the server using the SMTP protocol, the author of that email (an assistant) sends it on behalf of somebody else (a manager), and SMTP authentication is enabled on the client and allowed on the server, that mail has the following characteristics:
The authentication information is the assistant
The envelope from information (the address which is used in the MAIL FROM: command during the mail submission) is the assistant
The header From: address is the manager
The header Sender: field is the assistant
With this information in mind, you need to configure the Messaging Server MTA as follows:
In the imta.cnf file, add authrewrite 3 to the definitions of those channels for which you want to enable the check. This can be, for instance, the tcp_auth channel, if the messages from authenticated users are switched to that channel.
Add the following lines to the mapping file:
    AUTH_REWRITE  (0)
      *|*|*|$2*  $Y$2  (1)
      *|*@*|*@*  $CBASE|$}$4,_base_dn_{|$1@$2|$3@$4  (2)
      BASE|*|*|*  $CFOUND|$]ldap:///$0?uid?sub?(&(mail=$2)  (3)
          (|(mailAlternateAddress=$1)(mailEquivalentAddress=$1)))[|$2
      FOUND|*|*  $Y$1  (4)
      BASE|*|*@*|*@*  $CSECONDARY_BASE|$}$2,_base_dn_{|$1@$2|$3@$4  (5)
      SECONDARY_BASE|*|*|*  $CSECONDARY_FOUND|$]ldap:///$0?uid?sub?(&(|(mail=$1)  (6)
          (mailAlternateAddress=$1)(mailEquivalentAddress=$1))
          (mailGrantSendPermissionsTo=$2))[|$2
      SECONDARY_FOUND|*|*  $Y$1  (7)
      *  $NYou$ have$ no$ permission$ to$ send$ mail$ on$ behalf$ of$ this$ person  (8)
The numbers at the end of the lines are used for the discussion that follows and are not part of the mapping file. Line (3) and the line after it, and line (6) and the two lines after it, should each really be a single line, but they have been broken for readability.
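The decision this mapping encodes, modelled in Python as an added example (not part of the original page or of Messaging Server): the directory entries and example.com addresses are constructed, an in-memory list stands in for the LDAP searches, and the base DN lookups of lines (2) and (5) are left out. Reading the probe as ending in the header From: address followed by the authenticated address is an assumption drawn from the entries above.

```python
# Constructed directory; attribute names are those in the LDAP filters on
# mapping lines (3) and (6). All addresses are made up.
DIRECTORY = [
    {"mail": "manager@example.com",
     "mailAlternateAddress": ["boss@example.com"],
     "mailGrantSendPermissionsTo": ["assistant@example.com"]},
    {"mail": "assistant@example.com",
     "mailEquivalentAddress": ["pa@example.com"]},
    {"mail": "intern@example.com"},
]
REJECT = "You have no permission to send mail on behalf of this person"

def _values(entry, *attrs):
    """Lower-cased values of the named attributes (mail matching ignores case)."""
    return {v.lower() for a in attrs for v in entry.get(a, [])}

def _aliases(entry):
    return _values(entry, "mailAlternateAddress", "mailEquivalentAddress")

def check_send_as(header_from, auth_sender, directory=DIRECTORY):
    """Return (allowed, reason) for a header From: / authenticated address pair."""
    frm, auth = header_from.strip().lower(), auth_sender.strip().lower()
    # Line (1): From: is the authenticated address itself (modelled as equality).
    if frm == auth:
        return True, "own address"
    # Lines (3)-(4): the authenticated user's own entry lists From: as an
    # alternate or equivalent address.
    for entry in directory:
        if entry["mail"].lower() == auth and frm in _aliases(entry):
            return True, "own alias"
    # Lines (6)-(7): the entry that owns From: names the authenticated
    # address in mailGrantSendPermissionsTo.
    for entry in directory:
        owns = frm == entry["mail"].lower() or frm in _aliases(entry)
        if owns and auth in _values(entry, "mailGrantSendPermissionsTo"):
            return True, "delegated"
    # Line (8): nothing matched, so the submission is refused.
    return False, REJECT

if __name__ == "__main__":
    for frm, auth in [("manager@example.com", "assistant@example.com"),
                      ("pa@example.com", "assistant@example.com"),
                      ("manager@example.com", "intern@example.com")]:
        print(frm, "via", auth, "->", check_send_as(frm, auth))
```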