This will depend on your providers setup so no one can comment definitively, but this should work in practice (but can't be 100% guaranteed by anyone other then the mail provider), provided that the users are all "@a.com" -in reality use a domain name recognized by the mail server and do not have SPF or similar records precluding that server being used.
SMTP authentication is done to prevent some kinds of spam, ie prevent abuse of mail servers not associated with sender or receiver from being used to send spam. Thus what is generally of interest to the mail server provider is some kind of audit trail/control of who used the server, which can be done by verifying a mail account associated with the user.
While I have no doubt it is possible to lock this down further (ie by matching sender to email from address), this would prove problematic in practice, because you need to take into account aliases and role accounts, and I expect there would be little value in return for a lot of extra processing overhead, not to mention support headaches.
FWIW, I run a fairly common mailserver setup based on Postfix, Dovecot and various spam, virus and reputation plugins, and my server - which I expect is broadly indicative of common practice - will allow any validated user to send email.
Does it work the way you want? If so, don't "fix" it. :-) Those look like aliases. Do the messages go out with the correct alias? – fixer1234 – 2019-03-24T21:33:17.950
@fixer1234 I think they're sent correctly. I don't know what's might be hiding and waiting to create a problem. As for aliases - I'm not sure what you mean, they are completely separate addresses with their own folders etc. and they can all send and receive emails. There is no alias in DNS if that's what you mean. I set the DNS myself. It just points to the web host's servers. (MX. And an IP for the rest.) – ispiro – 2019-03-24T21:38:06.900
1Send yourself emails from each address and see if they arrive showing the correct origin addresses. My reference to aliases: are these totally separate accounts or does the service provider offer multiple addresses on the same account? The latter was what I was referring to as aliases. In that case, it's common for account "business", like billing or authentication, to be internally tied to the "core" address on the account, but messages show different outgoing addresses. – fixer1234 – 2019-03-24T22:24:18.180
1@fixer1234 this test is flawed because (a) it is not a good way to verify SMTP is allowing the message through as it could accept on recipient as well, and (b) The post strongly implies these are individual addresses at the domain. – davidgo – 2019-03-25T00:59:25.593