Instead of querying LDAP in smtpd_sender_login_maps, you can make a simple one-to-one map.
It enforces a strict relationship between MAIL FROM and sasl_username and does not allow sending on behalf of your aliases, like the LDAP map does:
smtpd_sender_login_maps = regexp:/opt/zimbra/postfix/conf/sender_map
smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch
That may not be appropriate for everybody, but it works fine for me.
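
The following Python model of the check configured above is an added example, not part of the original post and not Postfix code. The post does not show the contents of sender_map, so the single identity rule is an assumption, as are the example.com addresses and all function names.

```python
import re

# Assumed contents of /opt/zimbra/postfix/conf/sender_map (not shown in the
# post): one identity rule, so every address is owned only by itself.
SENDER_MAP = r"/^(.+)$/ $1"


def load_regexp_map(text):
    """Parse '/pattern/ result' lines of a Postfix regexp table."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"/(.*)/\s+(.*)$", line)
        if not m:
            raise ValueError("unsupported map line: " + line)
        # Postfix regexp tables match case-insensitively by default.
        rules.append((re.compile(m.group(1), re.IGNORECASE), m.group(2)))
    return rules


def owners(rules, address):
    """Return the logins that own `address`; the first matching rule wins."""
    for pattern, result in rules:
        hit = pattern.search(address)
        if hit:
            # Expand $1 / ${1} with the captured text, then split the owner list.
            expanded = re.sub(r"\$\{?(\d)\}?",
                              lambda g: hit.group(int(g.group(1))), result)
            return [o.lower() for o in re.split(r"[,\s]+", expanded) if o]
    return []


def check_sender(rules, mail_from, sasl_username):
    """Model of reject_authenticated_sender_login_mismatch."""
    if sasl_username is None:
        return "DUNNO"   # the restriction only applies to authenticated clients
    if sasl_username.lower() in owners(rules, mail_from):
        return "DUNNO"   # the login owns MAIL FROM, go on to the next restriction
    return "REJECT"      # sender address is not owned by this login


RULES = load_regexp_map(SENDER_MAP)

if __name__ == "__main__":
    # Constructed sample: alice@example.com is a mailbox, sales@ is her alias.
    print(check_sender(RULES, "alice@example.com", "alice@example.com"))
    print(check_sender(RULES, "sales@example.com", "alice@example.com"))
    print(check_sender(RULES, "alice@example.com", "alice"))
```

The last case shows what the identity map depends on: the SASL login has to be the full mail address, so a client that authenticates with a bare user name is rejected even for its own mailbox.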