diff --git a/roles/postfix/defaults/main/master.yml b/roles/postfix/defaults/main/master.yml
index f1d550f..02c255b 100644
--- a/roles/postfix/defaults/main/master.yml
+++ b/roles/postfix/defaults/main/master.yml
@@ -23,6 +23,7 @@ postfix_default_master_processes:
       - '-o syslog_name=postfix/submission'
       - '-o smtpd_sasl_auth_enable=yes'
       - '-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject'
+      - '-o _initial_sender_restrictions=reject_authenticated_sender_login_mismatch'
       - '-o smtpd_client_restrictions='
       - '-o smtpd_helo_restrictions='
       - '-o smtpd_tls_security_level=encrypt'
diff --git a/roles/postfix/defaults/main/restrictions.yml b/roles/postfix/defaults/main/restrictions.yml
index 614f2c9..c78c44b 100644
--- a/roles/postfix/defaults/main/restrictions.yml
+++ b/roles/postfix/defaults/main/restrictions.yml
@@ -16,7 +16,7 @@ postfix_smtpd_recipient_restrictions:
 
 postfix_smtpd_sender_restrictions:
   - permit_mynetworks
-  - reject_authenticated_sender_login_mismatch
+  - $_initial_sender_restrictions
   - permit_sasl_authenticated
   - reject_unknown_sender_domain
   - reject_unknown_reverse_client_hostname
diff --git a/roles/postfix/templates/etc/postfix/main.cf.j2 b/roles/postfix/templates/etc/postfix/main.cf.j2
index 1576b3e..429b132 100644
--- a/roles/postfix/templates/etc/postfix/main.cf.j2
+++ b/roles/postfix/templates/etc/postfix/main.cf.j2
@@ -118,6 +118,10 @@ smtpd_helo_restrictions =
 {% for restriction in postfix_smtpd_helo_restrictions %}
 	{{ restriction }},
 {% endfor %}
+# Postfix logs warnings when SASL is disabled, but authentication-related
+# restrictions are applied.  So these are now empty by default and set in
+# master.cf for SASL-enabled services, e.g. "submission".
+_initial_sender_restrictions = 
 smtpd_sender_restrictions =
 {% for restriction in postfix_smtpd_sender_restrictions %}
 	{{ restriction }},