diff --git a/roles/mail_server/molecule/default/tests/test_client2.py b/roles/mail_server/molecule/default/tests/test_client2.py
index 8ba434f92df4d0ed687a20a10349c278bef357f0..583dfc5533cc52c151e66c13f166b80f87b40d8b 100644
--- a/roles/mail_server/molecule/default/tests/test_client2.py
+++ b/roles/mail_server/molecule/default/tests/test_client2.py
@@ -126,11 +126,30 @@ def test_smtp_authentication(host):
     anywhere.
     """
 
-    send = host.run('swaks -tls --port 587 --auth-user john.doe@domain1 --auth-password johnpassword --to root@client1 --server parameters-mandatory')
+    send = host.run('swaks -tls --port 587 --auth-user john.doe@domain1 --auth-password johnpassword '
+                    '--from john.doe@domain1 --to root@client1 --server parameters-mandatory')
     assert send.rc == 0
     assert "Ok: queued as" in send.stdout
 
-    send = host.run('swaks -tls --port 587 --auth-user john.doe@domain1 --auth-password johnpassword --to root@client1 --server parameters-optional')
+    send = host.run('swaks -tls --port 587 --auth-user john.doe@domain1 --auth-password johnpassword '
+                    '--from john.doe@domain1 --to root@client1 --server parameters-optional')
+    assert send.rc == 0
+    assert "Ok: queued as" in send.stdout
+
+
+def test_smtp_authentication_with_alias_sender(host):
+    """
+    Tests if SMTP authentication works via TLS and allows sending mails to
+    anywhere while using sender alias.
+    """
+
+    send = host.run('swaks -tls --port 587 --auth-user john.doe@domain1 --auth-password johnpassword '
+                    '--from postmaster@domain1 --to root@client1 --server parameters-mandatory')
+    assert send.rc == 0
+    assert "Ok: queued as" in send.stdout
+
+    send = host.run('swaks -tls --port 587 --auth-user john.doe@domain1 --auth-password johnpassword '
+                    '--from postmaster@domain1 --to root@client1 --server parameters-optional')
     assert send.rc == 0
     assert "Ok: queued as" in send.stdout
 
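Review bot: The swaks invocation is now the same two-line literal repeated with only the `--from` and `--server` arguments varying, both here and in the hunks for test_smtp_authentication_requires_tls, test_smtp_authentication_requires_submission_port, test_port_forwarding and test_smtp_sender_forging. A small module-level helper such as `def swaks(host, *, server, sender='john.doe@domain1', port=587, tls=True):` that assembles the argument string and returns `host.run(...)` would make each case one readable line and keep the test credentials in a single place. The `parameters-mandatory`/`parameters-optional` pairs could then be driven by `@pytest.mark.parametrize('server', ['parameters-mandatory', 'parameters-optional'])` instead of duplicated blocks. test_smtp_authentication begins before this hunk, so its signature and the start of its docstring are not visible here.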
@@ -142,11 +161,13 @@ def test_smtp_authentication_requires_tls(host):
 
     auth_error = 28
 
-    send = host.run('swaks --port 587 --auth-user john.doe@domain1 --auth-password johnpassword --to root@client1 --server parameters-mandatory')
+    send = host.run('swaks --port 587 --auth-user john.doe@domain1 --auth-password johnpassword '
+                    '--from john.doe@domain1 --to root@client1 --server parameters-mandatory')
     assert send.rc == auth_error
     assert "Host did not advertise authentication" in send.stderr
 
-    send = host.run('swaks --port 587 --auth-user john.doe@domain1 --auth-password johnpassword --to root@client1 --server parameters-optional')
+    send = host.run('swaks --port 587 --auth-user john.doe@domain1 --auth-password johnpassword '
+                    '--from john.doe@domain1 --to root@client1 --server parameters-optional')
     assert send.rc == auth_error
     assert "Host did not advertise authentication" in send.stderr
 
@@ -158,19 +179,23 @@ def test_smtp_authentication_requires_submission_port(host):
 
     auth_error = 28
 
-    send = host.run('swaks --port 25 --auth-user john.doe@domain1 --auth-password johnpassword --to root@client1 --server parameters-mandatory')
+    send = host.run('swaks --port 25 --auth-user john.doe@domain1 --auth-password johnpassword '
+                    '--from john.doe@domain1 --to root@client1 --server parameters-mandatory')
     assert send.rc == auth_error
     assert "Host did not advertise authentication" in send.stderr
 
-    send = host.run('swaks -tls --port 25 --auth-user john.doe@domain1 --auth-password johnpassword --to root@client1 --server parameters-mandatory')
+    send = host.run('swaks -tls --port 25 --auth-user john.doe@domain1 --auth-password johnpassword '
+                    '--from john.doe@domain1 --to root@client1 --server parameters-mandatory')
     assert send.rc == auth_error
     assert "Host did not advertise authentication" in send.stderr
 
-    send = host.run('swaks --port 25 --auth-user john.doe@domain1 --auth-password johnpassword --to root@client1 --server parameters-optional')
+    send = host.run('swaks --port 25 --auth-user john.doe@domain1 --auth-password johnpassword '
+                    '--from john.doe@domain1 --to root@client1 --server parameters-optional')
     assert send.rc == auth_error
     assert "Host did not advertise authentication" in send.stderr
 
-    send = host.run('swaks -tls --port 25 --auth-user john.doe@domain1 --auth-password johnpassword --to root@client1 --server parameters-optional')
+    send = host.run('swaks -tls --port 25 --auth-user john.doe@domain1 --auth-password johnpassword '
+                    '--from john.doe@domain1 --to root@client1 --server parameters-optional')
     assert send.rc == auth_error
     assert "Host did not advertise authentication" in send.stderr
 
@@ -289,11 +314,13 @@ def test_port_forwarding(host):
     assert "Ok: queued as" in send.stdout
 
     # Submission port.
-    send = host.run('swaks -tls --port 26 --auth-user john.doe@domain1 --auth-password johnpassword --to root@client1 --server parameters-mandatory')
+    send = host.run('swaks -tls --port 26 --auth-user john.doe@domain1 --auth-password johnpassword '
+                    '--from john.doe@domain1 --to root@client1 --server parameters-mandatory')
     assert send.rc == 0
     assert "Ok: queued as" in send.stdout
 
-    send = host.run('swaks -tls --port 26 --auth-user john.doe@domain1 --auth-password johnpassword --to root@client1 --server parameters-optional')
+    send = host.run('swaks -tls --port 26 --auth-user john.doe@domain1 --auth-password johnpassword '
+                    '--from john.doe@domain1 --to root@client1 --server parameters-optional')
     assert send.rc == 0
     assert "Ok: queued as" in send.stdout
 
@@ -318,3 +345,29 @@ def test_dovecot_sieve(host):
     command = host.run('echo janepassword | sieve-connect --list -s parameters-optional -p 4190 -u jane.doe@domain1 --password 0 || /bin/false')
     assert command.rc != 0
     assert "Authentication refused by server" in command.stderr
+
+
+def test_smtp_sender_forging(host):
+    """
+    Tests if SMTP sender forging is possible.
+    """
+
+    send = host.run('swaks -tls --port 587 --auth-user john.doe@domain1 --auth-password johnpassword '
+                    '--from jane.doe@domain2 --to root@client1 --server parameters-mandatory')
+    assert send.rc == 24
+    assert "Sender address rejected: not owned by user john.doe@domain1" in send.stdout
+
+    send = host.run('swaks -tls --port 587 --auth-user john.doe@domain1 --auth-password johnpassword '
+                    '--from jane.doe@domain2 --to root@client1 --server parameters-optional')
+    assert send.rc == 24
+    assert "Sender address rejected: not owned by user john.doe@domain1" in send.stdout
+
+    send = host.run('swaks -tls --port 587 --auth-user john.doe@domain1 --auth-password johnpassword '
+                    '--from webmaster@domain2 --to root@client1 --server parameters-mandatory')
+    assert send.rc == 24
+    assert "Sender address rejected: not owned by user john.doe@domain1" in send.stdout
+
+    send = host.run('swaks -tls --port 587 --auth-user john.doe@domain1 --auth-password johnpassword '
+                    '--from webmaster@domain2 --to root@client1 --server parameters-optional')
+    assert send.rc == 24
+    assert "Sender address rejected: not owned by user john.doe@domain1" in send.stdout
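Review bot: The new test_smtp_sender_forging only tries senders in domain2, so a same-domain impersonation — `--from jane.doe@domain1` while authenticated as john.doe@domain1 — is never exercised, even though jane.doe@domain1 is an existing mailbox per test_dovecot_sieve above and that is exactly the case a per-user sender ownership check must reject; one more `send`/assert pair with that sender, against both servers, would close the gap. The docstring reads `Tests if SMTP sender forging is possible.` but the assertions verify the opposite, so `Tests that an authenticated user cannot send with a sender address they do not own.` states the contract. The bare `24` should be named the way the sibling tests name `auth_error = 28`, e.g. `sender_rejected = 24`, with a short comment on what swaks reports with that code; the rejection text showing up in stdout suggests the server refuses at RCPT TO rather than MAIL FROM, which is worth recording next to the constant once confirmed.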