postfix: Only apply SASL-related restrictions in SASL-enabled services

roles/postfix/defaults/main/master.yml

@@ -23,6 +23,7 @@ postfix_default_master_processes:
       - '-o syslog_name=postfix/submission'
       - '-o smtpd_sasl_auth_enable=yes'
       - '-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject'
+      - '-o _initial_sender_restrictions=reject_authenticated_sender_login_mismatch'
       - '-o smtpd_client_restrictions='
       - '-o smtpd_helo_restrictions='
       - '-o smtpd_tls_security_level=encrypt'

roles/postfix/defaults/main/restrictions.yml

@@ -16,7 +16,7 @@ postfix_smtpd_recipient_restrictions:
 
 postfix_smtpd_sender_restrictions:
   - permit_mynetworks
-  - reject_authenticated_sender_login_mismatch
+  - $_initial_sender_restrictions
   - permit_sasl_authenticated
   - reject_unknown_sender_domain
   - reject_unknown_reverse_client_hostname

roles/postfix/templates/etc/postfix/main.cf.j2

@@ -118,6 +118,10 @@ smtpd_helo_restrictions =
 {% for restriction in postfix_smtpd_helo_restrictions %}
 	{{ restriction }},
 {% endfor %}
+# Postfix logs warnings when SASL is disabled, but authentication-related
+# restrictions are applied.  So these are now empty by default and set in
+# master.cf for SASL-enabled services, e.g. "submission".
+_initial_sender_restrictions = 
 smtpd_sender_restrictions =
 {% for restriction in postfix_smtpd_sender_restrictions %}
 	{{ restriction }},