0

I would like to have a SpamAssassin rule that by default disables all external emails to groups, with the exclusion of only a few groups. Thus someone@external.example should not be able to email users@internal.example, while internal users should be able to email those groups.

Only some group addresses should be available for external use: someone@external.example is allowed to email SalesTeam@internal.example.

anx
Peter

1 Answer

0

Entirely misdirected mail (or even, for the outside world, nonexistent addresses) is a separate concept from spam. This is generally not something you want to skew your spam filtering metrics - so let the mail server reject them.

For postfix, you probably want to utilize the fact that the right hand side of access maps can lead to another lookup:

  1. Insert a map declaring what is a restricted recipient
    smtpd_recipient_restrictions =
     [..]
     reject_non_fqdn_recipient
     check_recipient_access pcre:/etc/postfix/access_recipient.pcre
     [..]
  2. Add a new restriction class defining who can email those restricted addresses
    smtpd_restriction_classes =
     smtpd_restriction_sender_internal
     [..]
    smtpd_restriction_sender_internal =
     check_sender_access pcre:/etc/postfix/maps/access_sender_internal.pcre
  3. Define who is a restricted recipient in /etc/postfix/access_recipient.pcre:
    /SalesTeam@internal\.example$/  DUNNO
    /receives.external@internal\.example$/  DUNNO
    /@internal\.example/                    smtpd_restriction_sender_internal
  4. Define who can email those recipients in /etc/postfix/maps/access_sender_internal.pcre
    /@internal\.example$/                         DUNNO
    /can.send.from.external@partner\.example$/    DUNNO
    /./                                           DEFER 4.2.0 Internal Recipient

Note that the order of smtpd_recipient_restrictions matters here - if you were to order any whitelisting mechanism before the new access lookup, it would be circumvented. Note also that this filters based on sender - if you for some reason accept external mail claiming to originate from you, then filtering based on permit_sasl_authenticated or permit_mynetworks may be more appropriate, lest the otherwise restricted groups can be mailed by anyone merely claiming to be an internal sender.

anx
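
The chained lookup from the answer above, modelled as an added Python example (not part of the original answer, and not Postfix code). It assumes first-match-wins tables with case-insensitive matching, which is the Postfix pcre default; the function names and the class_key switch are hypothetical, and the switch shows why the class table has to be searched with the sender address.

```python
import re

# Constructed copies of the two PCRE tables from the answer (first match wins).
# Postfix pcre tables match case-insensitively by default.
RECIPIENT_MAP = [
    (r"SalesTeam@internal\.example$", "DUNNO"),
    (r"receives.external@internal\.example$", "DUNNO"),
    (r"@internal\.example", "smtpd_restriction_sender_internal"),
]
SENDER_MAP = [
    (r"@internal\.example$", "DUNNO"),
    (r"can.send.from.external@partner\.example$", "DUNNO"),
    (r".", "DEFER 4.2.0 Internal Recipient"),
]
CLASS = "smtpd_restriction_sender_internal"


def lookup(table, key):
    """Return the action of the first matching pattern, or DUNNO if none match."""
    for pattern, action in table:
        if re.search(pattern, key, re.IGNORECASE):
            return action
    return "DUNNO"


def decide(sender, recipient, class_key="sender"):
    """Model the chained lookup: recipient table first, then the class table.

    class_key selects which address the class table is searched with:
    "sender" models check_sender_access, "recipient" models
    check_recipient_access inside the restriction class.
    """
    action = lookup(RECIPIENT_MAP, recipient)
    if action != CLASS:
        return action  # DUNNO: later restrictions decide
    key = sender if class_key == "sender" else recipient
    return lookup(SENDER_MAP, key)


if __name__ == "__main__":
    cases = [  # constructed (sender, recipient) pairs
        ("someone@external.example", "users@internal.example"),
        ("someone@external.example", "SalesTeam@internal.example"),
        ("colleague@internal.example", "users@internal.example"),
        ("can.send.from.external@partner.example", "users@internal.example"),
    ]
    for s, r in cases:
        print(f"{s} -> {r}: {decide(s, r)}")
```

A forged envelope sender such as ceo@internal.example also yields DUNNO in this model, which is the situation the answer's closing note about permit_sasl_authenticated and permit_mynetworks addresses.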