Put check_sender_access hash:/path/to/file INSTEAD of permit_sasl_authenticated in global config.
in "/path/to/file", put mydomain.com permit_sasl_authenticated, reject This will accomplish 2 things: unauhenticated users can't spoof your domain when sending to you. Authenticated users cannot spoof someone elses domain (they will get relay denied).
smime.p7s
Description: S/MIME Cryptographic Signature