With my server, a first time user must sign up with email verification. This is done through automated email generation using a php function - I have postfix set up with sendmail.
When logged in as myself, I can send emails through php from the command line with no issue (sender: myself, UID: 1000), but when the remote users attempt to sign up, postfix/dovecot identifies the sender of the outgoing automatically-generated validation email as "sender: www-data, UID: 33." The sender/UID disparity was the only difference between the successful and unsuccessful emails.
mail.log shows the bounce message dsn=5.7.1 (https://support.google.com/mail/answer/10336?visit_id=638431759568336540-1876278503&p=NotAuthorizedError&rd=1) and also a message stating that Mail access for users with UID 33 is not permitted.
After verifying that postfix was set up correctly as the MSA (confirmed, issue not resolved), I started investigating the UID issue.
I feel I could modify the first_valid_uid in dovecot's config (per https://serverfault.com/questions/291667/dovecot-getting-error-mail-access-for-users-with-uid-222-not-permitted) to allow sending from UID 33, but this sounds like a security vulnerability, so I don't want to do that, right?
I kept looking, and came across: PHP mail issue with www-data and PHP sendmail works in Ubuntu command line, but not from a php file
so I thought if I fixed the envelope "from address" by modifying the php.ini file to reflect my real user account instead of the www-data account it would work. However, after doing so, the automated emails are still bounced. mail.log now shows the "real" username instead of www-data but the UID is still 33 (it should now be 1000) - the UID 33 permissions error persists.
Therefore it seems to me that the only real option is to get php to pass postfix both the correct username and the UID associated with it.
Am I on the right track, and if so, how do I pass the correct UID?
EDIT:
As expected, the workaround by setting first_valid_uid to 33 did resolve this issue. However, I still believe I may be introducing a spam/security risk by allowing www-data as an approved email sender. I'm not sure how else to resolve this issue though. Would the correct action be to use a php function to change the unix login just long enough to send an email?
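The post's key observation is that changing the envelope sender in php.ini changed the name shown in mail.log but not the submitting UID, so any triage of these bounces has to key on the numeric `uid=` field that `postfix/pickup` logs, not on the sender name. The script below, an added example that is not part of the original post or of Postfix or Dovecot, correlates Postfix queue ids with the pickup UID, the envelope sender and the final DSN, and pulls out Dovecot's first_valid_uid refusals. The log lines are constructed to follow the usual syslog layout of those daemons (hostnames, queue ids and addresses are made up), and the `first_valid_uid` threshold is a parameter: take the real value from `doveconf first_valid_uid` on the machine rather than from this example.

```python
import re
from typing import Dict, List

# Constructed sample of mail.log lines (not from the original post). The layouts follow
# the common Postfix "QUEUEID: uid=N from=<...>" pickup line, the qmgr/smtp lines and
# Dovecot's first_valid_uid error; hosts, queue ids and addresses are invented.
# Message 1: submitted by www-data (UID 33), bounced.
# Message 2: submitted by the interactive user (UID 1000), delivered.
# Message 3: sender name changed via php.ini sendmail_from, but UID is still 33, bounced.
SAMPLE_LOG = """\
Feb 10 12:00:01 mx postfix/pickup[101]: 1A2B3C: uid=33 from=<www-data>
Feb 10 12:00:01 mx postfix/cleanup[102]: 1A2B3C: message-id=<x1@mx.example>
Feb 10 12:00:01 mx postfix/qmgr[103]: 1A2B3C: from=<www-data@mx.example>, size=512, nrcpt=1 (queue active)
Feb 10 12:00:02 mx dovecot: lda(www-data): Error: user www-data: Mail access for users with UID 33 not permitted (see first_valid_uid in config file, uid=33)
Feb 10 12:00:02 mx postfix/smtp[104]: 1A2B3C: to=<alice@example.net>, relay=mail.example.net[192.0.2.10]:25, dsn=5.7.1, status=bounced (host said: 550-5.7.1 not authorized)
Feb 10 12:05:00 mx postfix/pickup[101]: 4D5E6F: uid=1000 from=<admin>
Feb 10 12:05:00 mx postfix/qmgr[103]: 4D5E6F: from=<admin@mx.example>, size=480, nrcpt=1 (queue active)
Feb 10 12:05:01 mx postfix/smtp[104]: 4D5E6F: to=<alice@example.net>, relay=mail.example.net[192.0.2.10]:25, dsn=2.0.0, status=sent (250 2.0.0 OK)
Feb 10 12:10:00 mx postfix/pickup[101]: 7A8B9C: uid=33 from=<admin>
Feb 10 12:10:00 mx postfix/qmgr[103]: 7A8B9C: from=<admin@mx.example>, size=500, nrcpt=1 (queue active)
Feb 10 12:10:01 mx dovecot: lda(admin): Error: user admin: Mail access for users with UID 33 not permitted (see first_valid_uid in config file, uid=33)
Feb 10 12:10:01 mx postfix/smtp[104]: 7A8B9C: to=<bob@example.net>, relay=mail.example.net[192.0.2.10]:25, dsn=5.7.1, status=bounced (host said: 550-5.7.1 not authorized)
"""

# Regexes assume the syslog-style "<date> <host> <program>[pid]: QUEUEID: ..." layout.
QUEUE_RE = re.compile(r"postfix/(?P<prog>\w+)\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)")
PICKUP_RE = re.compile(r"uid=(?P<uid>\d+) from=<(?P<sender>[^>]*)>")
DSN_RE = re.compile(r"dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+)")
# Dovecot's wording is approximated here; the optional "is" tolerates the variant quoted in the post.
DOVECOT_UID_RE = re.compile(r"Mail access for users with UID (?P<uid>\d+) (?:is )?not permitted")


def parse_mail_log(text: str) -> Dict[str, dict]:
    """Collect, per Postfix queue id, the submitting UID, envelope sender and final DSN/status."""
    messages: Dict[str, dict] = {}
    for line in text.splitlines():
        m = QUEUE_RE.search(line)
        if not m:
            continue  # Dovecot and other non-Postfix lines are handled separately
        entry = messages.setdefault(
            m.group("qid"), {"uid": None, "sender": None, "dsn": None, "status": None}
        )
        rest = m.group("rest")
        p = PICKUP_RE.search(rest)  # only postfix/pickup logs the numeric submitting uid
        if p:
            entry["uid"] = int(p.group("uid"))
            entry["sender"] = p.group("sender")
        d = DSN_RE.search(rest)  # delivery outcome from postfix/smtp (or local/lmtp)
        if d:
            entry["dsn"] = d.group("dsn")
            entry["status"] = d.group("status")
    return messages


def dovecot_uid_denials(text: str) -> List[int]:
    """Every UID Dovecot refused because it is below first_valid_uid, in log order."""
    return [int(m.group("uid")) for m in DOVECOT_UID_RE.finditer(text)]


def messages_below_first_valid_uid(messages: Dict[str, dict], first_valid_uid: int) -> List[str]:
    """Queue ids submitted by a UID under the Dovecot threshold that were not delivered.

    Keys on the numeric uid= field rather than the sender name, since renaming the
    envelope sender (php.ini sendmail_from) leaves the submitting UID unchanged.
    """
    return sorted(
        qid
        for qid, e in messages.items()
        if e["uid"] is not None and e["uid"] < first_valid_uid and e["status"] != "sent"
    )


if __name__ == "__main__":
    msgs = parse_mail_log(SAMPLE_LOG)
    for qid, e in sorted(msgs.items()):
        print(f"{qid}: uid={e['uid']} sender={e['sender']} dsn={e['dsn']} status={e['status']}")
    print("Dovecot refused UIDs:", sorted(set(dovecot_uid_denials(SAMPLE_LOG))))
    # Threshold is an assumption for the demo; read the real one with `doveconf first_valid_uid`.
    print("Bounced below first_valid_uid:", messages_below_first_valid_uid(msgs, 1000))
```

Run against a real mail.log, the third function's output is what tells you whether a bounce is the UID problem or an unrelated 5.7.1 from the remote side: messages 1A2B3C and 7A8B9C both carry `uid=33` even though their sender names differ, which is exactly the symptom described after the php.ini change.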