I need someone to fix a couple of bugs in our mailserver configuration. I believe we are currently using Dovecot and exim.
Mail whose 'Envelope-from' is a domain configured on our server should be accepted only if the user has authenticated. The same check should (I think) be applied before generating error messages to the alleged sender's mailbox.
At present, spammers seem able to send messages from user1@ourdomain to user2@ourdomain without any authentication. If user2 doesn't exist, user1 gets a bounce message. If neither user exists, the bounce lands in my catchall maildir.
OPTIONAL: If possible, I'd like to set it up such that an authenticated SMTP user can send messages only from their own address(es). If you can do this, please let me know, as I'd be willing to pay more for this functionality. This should be able to work out which users would be able to read a message sent to the alleged sender's address. (please ask if this isn't clear, I could probably explain more clearly in a dialogue)