From what I've experienced during my tests today, Zimbra's persona feature lets a user spoof an existing email address on the Zimbra server, which is... very unfortunate. Of course, this works as long as the user or COS has the setting "Allow sending email from any address".
I could enter an email address of a already existing user in Zimbra and successfully send a mail out of Zimbra. Is this really by design? And it seems that this setting is ON by default?
Additionaly, I've found out that replying to a mail sent by my persona (say firstname.lastname@example.org) fails with recipient address rejected message.
On a side note: is there a setting which allows an end user to create an email alias or are ZmSoap, zmprov or Admin gui the only ways to go about it?