This is possible by combining check_sender_access with Postfix PCRE support. Your default restriction would in this case be reject, but it might be better to add a human-readable explanation of why the message was rejected.
In main.cf you would have something like the following. I usually place the smtpd_sender_restrictions under the smtpd_recipient_restrictions because that would enable logging both the sender and the recipient, which is better for debugging.
smtpd_recipient_restrictions =
    reject_unauth_destination,
    reject_invalid_hostname,
    reject_unauth_pipelining,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_rbl_client sbl-xbl.spamhaus.org,
    check_sender_access pcre:/etc/postfix/access/sender_access,
    reject
And in /etc/postfix/access/sender_access, according to pcre_table(5):

# First match wins: the whitelisted TLDs return OK, and the last line catches
# every other TLD and names it in the reply via the $1 capture group.
/\.net$/ OK
/\.org$/ OK
/\.gov$/ OK
/\.edu$/ OK
/\.([-\w]+)$/ 550 The sender TLD .$1 is not whitelisted.
Here, I left the .com out because I wanted to demonstrate the results of this PCRE map:
$ /usr/sbin/postmap -q "[email protected]" pcre:/etc/postfix/access/sender_access
OK
$ /usr/sbin/postmap -q "[email protected]" pcre:/etc/postfix/access/sender_access
550 The sender TLD .com is not whitelisted.
Please notice that if you use OK in the check_sender_access, all other controls like the Spamhaus blocklist should come before it (as in the example above). Otherwise, mail from the whitelisted TLDs would come through even if, e.g., the IP address was blocked by the RBL. Using DUNNO instead of OK would allow other restrictions after it, but that would also require permit as the last rule (instead of reject).