Case: vu#244112
SurgeMail typically will not verify that From/Return path headers match (as they aren't required to match in many situations). If you are using surgemail as a gateway for multiple domains then it would be wise to enforce matching via one/some of the following settings, specifically g_from_relay "true"
g_from_exact "true" Ensures the from header matches the authenticated user.
g_from_must_exist "true", requires that the local from address must exist.
g_from_check "true", requires that the from address match a local domain
g_from_relay "true", requires gatewayed messages to match a local domain
We are adding a new setting to SurgeMail 7.8c and later
g_from_domain_match "true", which will require that the From and return path match at the domain level.