Inconsistent SMTP AUTH enforcement: Outlook vs Thunderbird

[adrian.gibanel.btactic]

Could you please confirm whether you have tested this specific scenario with Outlook? In particular, whether the recipient sees the forged From address or the authenticated sender when sending without Send As permission. It would be helpful to know if you observe the same behavior on your own system when testing with Outlook.

No, we have not tested this specific scenario.

[asa]

Thanks for the clarification.

Based on our testing, this behavior is reproducible in our environment. The enforcement works correctly with Thunderbird, but Outlook is not affected and still allows a mismatched From address.

From a practical and security point of view, this looks like a problem, but it’s not clear whether Zimbra considers this expected behavior or a bug.

Has anyone else seen the same behavior with Outlook?
Is there a known workaround or recommended configuration to fully enforce sender alignment for Outlook clients?

Any input or experience would be helpful.

[yeak]

Could you show output of the following?

# su - zimbra
$ postconf smtpd_sender_restrictions
$ postconf smtpd_sender_login_maps
$ postmap -q adem@company.com ldap:/opt/zimbra/conf/ldap-slm.cf