I’ve discovered a situation in which it is possible to forge the from address with some mail clients.
The person wishing to forge the e-mail provides a fake “From: ” header but a real address in the envelope. Because Postfix only checks the envelope, it does not prevent this kind of forgery if the e-mail client displays the last From: line in the mail.
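A receiving-side check for the condition described above, as an added example that is not part of the original post: it flags a message that carries more than one From: header, or whose From: header does not match the envelope sender. The function name `check_from` and the sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: real address first, forged From: as the last header.
FORGED = (
    "From: alice@example.org\n"
    "To: bob@example.net\n"
    "Subject: quarterly numbers\n"
    "From: ceo@example.com\n"
    "\n"
    "body\n"
)

# Constructed sample: a single From: that matches the envelope.
CLEAN = (
    "From: Alice <alice@example.org>\n"
    "To: bob@example.net\n"
    "Subject: hello\n"
    "\n"
    "body\n"
)


def check_from(envelope_sender: str, raw_message: str) -> list[str]:
    """Return findings for one message; an empty list means nothing was flagged."""
    msg = message_from_string(raw_message)
    findings = []

    # A message should carry exactly one From: header. Clients disagree on
    # which one to display when there are several, which is the gap described.
    from_headers = msg.get_all("From", [])
    if len(from_headers) != 1:
        findings.append(f"expected exactly one From: header, found {len(from_headers)}")

    # Compare every From: header with the envelope sender (SMTP MAIL FROM).
    env = envelope_sender.strip().strip("<>").lower()
    for position, value in enumerate(from_headers, start=1):
        addresses = [addr.lower() for _, addr in getaddresses([value]) if addr]
        if env not in addresses:
            findings.append(
                f"From: header #{position} ({value!r}) does not match envelope sender {env!r}"
            )
    return findings


if __name__ == "__main__":
    for finding in check_from("alice@example.org", FORGED):
        print(finding)
```

Mailing lists and forwarding services legitimately use an envelope sender that differs from the From: header, so the mismatch finding is a signal for review; the duplicate-header finding is the stronger indicator.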