diff --git a/mail-server/assertions.nix b/mail-server/assertions.nix index 0e5b15b..91921c6 100644 --- a/mail-server/assertions.nix +++ b/mail-server/assertions.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, ... }: +{ config, lib, ... }: { assertions = lib.optionals config.mailserver.ldap.enable [ { @@ -9,10 +9,6 @@ assertion = config.mailserver.extraVirtualAliases == {}; message = "When the LDAP support is enable (mailserver.ldap.enable = true), it is not possible to define mailserver.extraVirtualAliases"; } - { - assertion = config.mailserver.forwards == {}; - message = "When the LDAP support is enable (mailserver.ldap.enable = true), it is not possible to define mailserver.forwards"; - } ] ++ lib.optionals (config.mailserver.enable && config.mailserver.certificateScheme != "acme") [ { assertion = config.mailserver.acmeCertificateName == config.mailserver.fqdn; diff --git a/tests/ldap.nix b/tests/ldap.nix index 172a77d..ee50ded 100644 --- a/tests/ldap.nix +++ b/tests/ldap.nix @@ -104,6 +104,10 @@ pkgs.nixosTest { searchScope = "sub"; }; + forwards = { + "bob_fw@example.com" = "bob@example.com"; + }; + vmailGroupName = "vmail"; vmailUID = 5000; 
@@ -179,5 +183,39 @@ pkgs.nixosTest {
 "--dst-password-file <(echo '${bobPassword}')",
 "--ignore-dkim-spf"
 ]))
+
+ with subtest("Test mail forwarding works"):
+ machine.succeed(" ".join([
+ "mail-check send-and-read",
+ "--smtp-port 587",
+ "--smtp-starttls",
+ "--smtp-host localhost",
+ "--smtp-username alice@example.com",
+ "--imap-host localhost",
+ "--imap-username bob@example.com",
+ "--from-addr alice@example.com",
+ "--to-addr bob_fw@example.com",
+ "--src-password-file <(echo '${alicePassword}')",
+ "--dst-password-file <(echo '${bobPassword}')",
+ "--ignore-dkim-spf"
+ ]))
+
+ with subtest("Test cannot send mail from forwarded address"):
+ machine.fail(" ".join([
+ "mail-check send-and-read",
+ "--smtp-port 587",
+ "--smtp-starttls",
+ "--smtp-host localhost",
+ "--smtp-username bob@example.com",
+ "--imap-host localhost",
+ "--imap-username alice@example.com",
+ "--from-addr bob_fw@example.com",
+ "--to-addr alice@example.com",
+ "--src-password-file <(echo '${bobPassword}')",
+ "--dst-password-file <(echo '${alicePassword}')",
+ "--ignore-dkim-spf"
+ ]))
+ machine.succeed("journalctl -u postfix | grep -q 'Sender address rejected: not owned by user bob@example.com'")
+
 '';
 }
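Review bot: The negative subtest "Test cannot send mail from forwarded address" does not tie its failure to the sender-ownership check. `machine.fail` passes on any non-zero exit of `mail-check` (a wrong password or an IMAP timeout would do), and the follow-up `journalctl -u postfix | grep -q ...` reads the whole unit journal with a regex in which `.` matches any character. Whether an earlier subtest already logs that rejection is not visible in the hunk, so I would match literally with `grep -qF 'Sender address rejected: not owned by user bob@example.com'` and limit the journal to entries written after a cursor or timestamp taken just before the `machine.fail` call. A second negative case in which alice authenticates and passes `--from-addr bob_fw@example.com` would also be worth adding, since the hunk only shows the forward target's owner being refused. The enclosing test script starts outside the hunk.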