postsrsd VS cyrus-sasl-xoauth2

So you're saying that the alias should work just fine? Have you checked this and this? Together with this solution? It seems it is a problem that can happen with SPF enabled. I can also reproduce the issue as I mention in the Stack Exchange post.

There are 2 suggestions in that Stack Exchange topic. One is to use BCC maps, that seems odd to me as a fix. Is that a valid approach? The other one is to use https://github.com/roehling/postsrsd, which may seem more valid. But is an extra milter really needed? Isn't this something Postfix can handle itself? I'm fishing for some more detailed advice and to validate the already given suggestions.

I use PostSRSd. This implements Sender Rewriting Scheme. The envelope-FROM is rewritten to an address on your own domain — so recipients will look at your SPF record, not the original sender's record. Bounces back to that address are forwarded back to the original sender. The address includes a cryptographically-generated tag to prevent this send-bounces-back channel from being an open relay.

no you need to install both cyrus-sasl and some form or another of xoauth, such as https://github.com/moriyoshi/cyrus-sasl-xoauth2. If you're on a mac you should look at this issue: https://github.com/moriyoshi/cyrus-sasl-xoauth2/issues/9

final: prev: with prev.lib; { cyrus_sasl_xoauth2 = prev.stdenv.mkDerivation rec { name = "cyrus-sasl-xoauth2"; src = prev.fetchFromGitHub { owner = "moriyoshi"; repo = "cyrus-sasl-xoauth2"; rev = "36aabca54fd65c8fa7a707cb4936751599967904"; sha256 = "OlmHuME9idC0fWMzT4kY+YQ43GGch53snDq3w5v/cgk="; }; outputs = [ "out" ]; depsBuildBuild = with final; [ buildPackages.stdenv.cc cyrus_sasl ]; nativeBuildInputs = with final; [ autoreconfHook ] ++ optional stdenv.hostPlatform.isDarwin fixDarwinDylibNames; buildInputs = with final; [ openssl db gettext libkrb5 ] ++ optional stdenv.isLinux pam; configureFlags = [ "--with-openssl=${final.openssl.dev}" "--with-cyrus-sasl=${placeholder "out"}" "--with-plugindir=${placeholder "out"}/lib/sasl2" "--with-saslauthd=/run/saslauthd" "--enable-login" "--enable-shared" ]; installFlags = optional prev.stdenv.isDarwin [ "framedir=$(out)/Library/Frameworks/SASL2.framework" ]; # Make autoreconfHook happy postPatch = '' touch NEWS AUTHORS ChangeLog ''; meta = with prev.lib; { description = "Cyrus SASL XOAUTH2 plugin"; homepage = "https://github.com/moriyoshi/cyrus-sasl-xoauth2"; license = licenses.mit; platforms = platforms.all; }; }; }

Unfortunate things 2: it seems that even once you have cyrus-sasl installed, there might not be a standard, widely-distributed XOAUTH2 plugin. The one I found referenced the most often and ended up installing myself was here. It took me a lot of fiddling with the configure.ac file to get it to install the plugin to /usr/local/lib instead of /usr/lib, because, again, Apple does not want me to do things the default Linux way, because of reasons.