I hope no one minds if I change the subject since SSL was no longer the topic.
Regarding multiple from fields, I found this on serverfault : http://serverfault.com/questions/554520/smtp-allows-for-multiple-from-addresses-in-the-rfc-was-this-ever-useful-why-do I could almost see this being legitimate if from the same domain. At least the SPF would be valid. But I think the argument is weak since the clients don't handle the situation well.
