Thermi/main.cf

## main.cf
# Only bind to 127.0.0.1 and ::1 so local SMTP clients (msmtp) can connect to it
inet_interfaces = localhost

# Use IPv4 and IPv6
inet_protocols = all

myorigin = $myhostname

smtp_sender_dependent_authentication = yes
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noplaintext noanonymous
smtp_connection_cache_on_demand = no
smtp_sasl_password_maps = hash:/etc/postfix/sasl_password

# Disables insecure sendmail
authorized_submit_users =

# You probably don't want to send the credentials to the remote MX in the clear
smtp_tls_security_level = encrypt
smtp_tls_ciphers = high


sender_dependent_relayhost_maps = hash:/etc/postfix/sender_dependent
sender_canonical_maps = hash:/etc/postfix/sender_canonical
smtpd_sender_login_maps = regexp:/etc/postfix/sender_login_map

smtpd_helo_required = yes
smtpd_reject_unlisted_sender = yes

# For local SASL authentication where the user credentials are stored in dovecot
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_reject_unlisted_sender = yes

smtpd_sasl_security_options = noanonymous


# Point this to the right local CA bundle
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt

smtpd_helo_restrictions = permit_sasl_authenticated
                      reject

smtpd_client_restrictions = permit_sasl_authenticated
                      reject

smtpd_recipient_restrictions = reject_unknown_recipient_domain
                      reject_unverified_recipient
                      reject_non_fqdn_recipient
                      permit

smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch
                        reject_unauthenticated_sender_login_mismatch
                        permit


## sender_canonical
$local_user_and_domain $remote_user_and_domain

## sender_login_map
# This can be a map of many types. (hash, regexp, ...)
# Look up happens with the key being the sender address and the table should return the SASL
# user that is allowed to send as this sender
# This is regexp style
/^marketing@remotething\.com$/   local_sasl_account_goes_here
	# Only bind to 127.0.0.1 and ::1 so local SMTP clients (msmtp) can connect to it
	inet_interfaces = localhost

	# Use IPv4 and IPv6
	inet_protocols = all

	myorigin = $myhostname

	smtp_sender_dependent_authentication = yes
	smtp_sasl_auth_enable = yes
	smtp_sasl_security_options = noplaintext noanonymous
	smtp_connection_cache_on_demand = no
	smtp_sasl_password_maps = hash:/etc/postfix/sasl_password

	# Disables insecure sendmail
	authorized_submit_users =

	# You probably don't want to send the credentials to the remote MX in the clear
	smtp_tls_security_level = encrypt
	smtp_tls_ciphers = high


	sender_dependent_relayhost_maps = hash:/etc/postfix/sender_dependent
	sender_canonical_maps = hash:/etc/postfix/sender_canonical
	smtpd_sender_login_maps = regexp:/etc/postfix/sender_login_map

	smtpd_helo_required = yes
	smtpd_reject_unlisted_sender = yes

	# For local SASL authentication where the user credentials are stored in dovecot
	smtpd_sasl_type = dovecot
	smtpd_sasl_path = private/auth
	smtpd_sasl_auth_enable = yes
	smtpd_sasl_authenticated_header = yes
	smtpd_reject_unlisted_sender = yes

	smtpd_sasl_security_options = noanonymous


	# Point this to the right local CA bundle
	smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt

	smtpd_helo_restrictions = permit_sasl_authenticated
	reject

	smtpd_client_restrictions = permit_sasl_authenticated
	reject

	smtpd_recipient_restrictions = reject_unknown_recipient_domain
	reject_unverified_recipient
	reject_non_fqdn_recipient
	permit

	smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch
	reject_unauthenticated_sender_login_mismatch
	permit
	# This can be a map of many types. (hash, regexp, ...)
	# Look up happens with the key being the sender address and the table should return the SASL
	# user that is allowed to send as this sender
	# This is regexp style
	/^marketing@remotething\.com$/ local_sasl_account_goes_here