+TF/02 There have been two changes concerned with submission mode:
+
+ Until now submission mode always left the return path alone, whereas
+ locally-submitted messages from untrusted users have the return path
+ fixed to the user's email address. Submission mode now fixes the return
+ path to the same address as is used to create the Sender: header. If
+ /sender_retain is specified then both the Sender: header and the return
+ path are left alone.
+
+ Note that the changes caused by submission mode take effect after the
+ predata ACL. This means that any sender checks performed before the
+ fix-ups will use the untrusted sender address specified by the user, not
+ the trusted sender address specified by submission mode. Although this
+ might be slightly unexpected, it does mean that you can configure ACL
+ checks to spot that a user is trying to spoof another's address, for
+ example.
+
+ There is also a new /name= option for submission mode which allows you
+ to specify the user's full name to be included in the Sender: header.
+ For example:
+
+ accept authenticated = *
+ control = submission/name=${lookup {$authenticated_id} \
+ lsearch {/etc/exim/namelist} }
+
+ The namelist file contains entries like
+
+ fanf: Tony Finch