I solved the problem, and would like to share the solution in case someone else needs it.
(1) create /etc/postfix/main.cf.local (continuation lines must start with whitespace, otherwise Postfix reads them as new parameters):
smtpd_recipient_restrictions =
    check_sender_access ldap:/etc/postfix/ldap.restricted_senders.cf
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unlisted_recipient,
    check_policy_service inet:127.0.0.1:12340
smtpd_restriction_classes = local_only
local_only =
    check_recipient_access hash:/etc/postfix/local_domains
    reject
(2) create /etc/postfix/local_domains:
mydomain.org OK
(3) create /etc/postfix/ldap.restricted_senders.cf:
# common:
search_base = dc=mydomain,dc=org
search_timeout = 15
scope = sub
version = 3
bind_dn = cn=ucs-s4003,cn=dc,cn=computers,dc=mydomain,dc=org
server_host = ldap://ucs-s4003.mydomain.org:7389
bind_pw = *****
start_tls = yes
tls_require_cert = yes
tls_ca_cert_file = /etc/univention/ssl/ucsCA/CAcert.pem
debuglevel = 0
# specific:
query_filter = (&(objectClass=univentionMail)(mailPrimaryAddress=%s)(!(memberOf=cn=can-send-mail-off-site,cn=groups,dc=mydomain,dc=org)))
result_format = local_only
result_attribute = mailPrimaryAddress
(4) create a group can-send-mail-off-site and add relevant users
(5) update postfix:
postmap /etc/postfix/local_domains
ucr commit /etc/postfix/main.cf
service postfix reload
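As an added illustration (not part of the post above, and not Postfix code), the following Python script simulates the decision path those settings produce: `check_sender_access` maps a sender who is not in `can-send-mail-off-site` to the restriction class `local_only`, and that class permits recipients in `local_domains` and rejects everything else, while unrestricted senders fall through to the remaining restrictions. The directory contents and the mail addresses are constructed sample data standing in for the LDAP server and the hash map.

```python
"""Offline simulation of the Postfix restriction logic described above.

Constructed data (assumptions, not from a real server): two mailboxes in the
directory, one of them a member of the off-site group, plus the contents of
hash:/etc/postfix/local_domains. Nothing here talks to LDAP or Postfix.
"""

# Group DN used in the LDAP query_filter of ldap.restricted_senders.cf
OFFSITE_GROUP = "cn=can-send-mail-off-site,cn=groups,dc=mydomain,dc=org"

# mailPrimaryAddress -> set of group DNs the object is a memberOf (constructed)
DIRECTORY = {
    "alice@mydomain.org": {OFFSITE_GROUP},  # allowed to send anywhere
    "bob@mydomain.org": set(),              # restricted to local domains
}

# Contents of /etc/postfix/local_domains after postmap
LOCAL_DOMAINS = {"mydomain.org": "OK"}


def ldap_restricted_senders(key):
    """Emulate ldap:/etc/postfix/ldap.restricted_senders.cf.

    The query_filter matches a univentionMail object whose mailPrimaryAddress
    equals the key and which is NOT a memberOf the off-site group; the literal
    result_format turns any hit into the restriction class name 'local_only'.
    Postfix also tries domain-only and 'user@' keys for check_sender_access,
    but those cannot match a mailPrimaryAddress filter, so they are omitted.
    """
    groups = DIRECTORY.get(key.lower())
    if groups is None or OFFSITE_GROUP in groups:
        return None  # no LDAP result: Postfix moves on to the next restriction
    return "local_only"


def local_only_class(recipient):
    """The 'local_only' class: check_recipient_access hash:local_domains, then reject.

    A recipient access lookup also tries the bare domain of the address, which
    is how the single 'mydomain.org OK' entry matches every local mailbox.
    """
    domain = recipient.rpartition("@")[2].lower()
    if LOCAL_DOMAINS.get(domain) == "OK":
        return "OK"
    return "REJECT"


def evaluate(sender, recipient):
    """Walk smtpd_recipient_restrictions as far as the sender check decides.

    Returns 'OK' or 'REJECT' for restricted senders, and 'DUNNO' when the
    sender is unrestricted and evaluation would continue with
    permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination...
    """
    if ldap_restricted_senders(sender) == "local_only":
        return local_only_class(recipient)
    return "DUNNO"


def main():
    cases = [
        ("bob@mydomain.org", "carol@mydomain.org"),
        ("bob@mydomain.org", "someone@example.com"),
        ("alice@mydomain.org", "someone@example.com"),
        ("stranger@example.net", "someone@example.com"),
    ]
    for sender, recipient in cases:
        print(f"{sender:>22} -> {recipient:<22} {evaluate(sender, recipient)}")


if __name__ == "__main__":
    main()
```

On a live system the equivalent checks are `postmap -q bob@mydomain.org ldap:/etc/postfix/ldap.restricted_senders.cf` (should print `local_only` for a restricted user and nothing for a group member) and `postmap -q mydomain.org hash:/etc/postfix/local_domains`. Two points worth verifying in such a setup: `check_sender_access` keys on the envelope MAIL FROM, which an authenticated client chooses itself, so binding the envelope sender to the SASL login (`smtpd_sender_login_maps` with `reject_sender_login_mismatch`) is what stops a restricted account from using an off-site colleague's address; and an `OK` returned from inside the class ends the whole `smtpd_recipient_restrictions` list, so for local recipients restricted senders skip `reject_unlisted_recipient` and the policy service on port 12340.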