Index: lib/Mail/SpamAssassin/Message/Metadata/Received.pm
===================================================================
--- lib/Mail/SpamAssassin/Message/Metadata/Received.pm	(revision 420671)
+++ lib/Mail/SpamAssassin/Message/Metadata/Received.pm	(working copy)
@@ -414,6 +414,10 @@
   elsif (/\) by .+ \(\d{1,2}\.\d\.\d{3}(?:\.\d{1,3})?\) \(authenticated as .+\) id /) {
     $auth = 'CriticalPath';
   }
+  # Postfix 2.3 and later with "smtpd_sasl_authenticated_header yes"
+  elsif (/\)\s+\(Authenticated sender:\s+\S+\)\s+by\s+\S+\s+\(Postfix\)\s+with\s+/) {
+    $auth = 'Postfix';
+  }
 
   if (/^from /) {
     # try to catch enveloper senders
Index: t/rcvd_parser.t
===================================================================
--- t/rcvd_parser.t	(revision 420671)
+++ t/rcvd_parser.t	(working copy)
@@ -18,7 +18,7 @@
 
 use lib '.'; use lib 't';
 use SATest; sa_t_init("rcvd_parser");
-use Test; BEGIN { plan tests => 49 };
+use Test; BEGIN { plan tests => 50 };
 
 
 use strict;
@@ -621,6 +621,20 @@
 [ ip=70.20.57.51 rdns= helo=KRYPTIK by=host.name ident= envfrom= id=M2006040415284308595 auth= ]
 
 },
+q{
+
+Received: from bar.example.org (bar.example.org [127.0.0.1])
+	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
+	(Client did not present a certificate)
+	(Authenticated sender: sender.example.net)
+	by foo.example.net (Postfix) with ESMTP id 44A8959ED6B0
+	for <recip@example.com>; Fri, 30 Jun 2006 08:02:00 +0100 (BST) 
+
+} => q{
+
+[ ip=127.0.0.1 rdns=bar.example.org helo=bar.example.org by=foo.example.net ident= envfrom= id=44A8959ED6B0 auth=Postfix ]
+
+},
 );
 
 tstprefs ("add_header all Relays _RELAYSUNTRUSTED_ _RELAYSTRUSTED_\n");