So I am wondering if, by default, Openfire would reject any IQ with a "from" attribute containing a JID different from the one of the user authenticated as the owner of the connection that sent this IQ?
Ideally Openfire would just ignore the from attribute sent by the client and replace it with the client's full JID as mandated by the spec. I didn't have a look at the code yet to see if it's actually the case, but that is what should be done.
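Added example, not part of the thread and not Openfire's code: a sketch of the two server-side policies discussed above, rejecting a mismatched "from" versus overriding it with the full JID of the authenticated session. `Session`, `stamp_from`, `SpoofedFrom` and the sample stanzas are hypothetical names and constructed inputs; JIDs are compared as plain strings, without the normalization a real server applies.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass
class Session:
    """Hypothetical server-side record of an authenticated client connection."""
    full_jid: str  # localpart@domain/resource bound by the server at login


class SpoofedFrom(Exception):
    """Raised in 'reject' mode when the client-supplied 'from' does not match."""


def stamp_from(raw_stanza: str, session: Session, policy: str = "override"):
    """Return (stanza, claimed_from); claimed_from is None unless it mismatched.

    policy="override": ignore the client's value and stamp the session JID.
    policy="reject":   refuse the stanza when the client's value differs.
    """
    stanza = ET.fromstring(raw_stanza)
    claimed = stanza.get("from")
    mismatch = claimed if claimed not in (None, session.full_jid) else None
    if mismatch and policy == "reject":
        raise SpoofedFrom(f"{session.full_jid} sent from={claimed!r}")
    # The sender identity comes from the authenticated session, never the wire.
    stanza.set("from", session.full_jid)
    return stanza, mismatch


# Constructed sample stanzas as they might arrive on alice's connection.
SPOOFED_IQ = ("<iq type='get' id='q1' to='example.org' "
              "from='admin@example.org/console'>"
              "<query xmlns='jabber:iq:roster'/></iq>")
NO_FROM_IQ = ("<iq type='get' id='q2' to='example.org'>"
              "<query xmlns='jabber:iq:roster'/></iq>")

if __name__ == "__main__":
    alice = Session("alice@example.org/laptop")
    for raw in (SPOOFED_IQ, NO_FROM_IQ):
        stanza, mismatch = stamp_from(raw, alice)
        if mismatch:
            # Worth logging: a client claimed an identity it does not own.
            print(f"from mismatch: session={alice.full_jid} claimed={mismatch}")
        print(ET.tostring(stanza, encoding="unicode"))
```

In override mode the returned mismatch value gives operators something to log, so a client that keeps claiming another user's JID is visible even though the stanza is delivered with the correct sender.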