Spamassasin disable Email from external to all groups except

Entirely misdirected mail (or even, for the outside world, nonexisting addresses) is a separate concept from spam. This is generally not something you want to skew your spam filtering metrics - so let the mail server reject them.

For postfix, you probably want to utilize the fact that the right hand side of access maps can lead to another lookup:

1. Insert a map declaring what is a restricted recipient

smtpd_recipient_restrictions =
 [..]
 reject_non_fqdn_recipients
 check_recipient_access pcre:/etc/postfix/access_recipient.pcre
 [..]

2. Add a new restrictions class defining who can email those restricted addresses

    smtpd_restriction_classes =
     smtpd_restriction_sender_internal
     [..]
    smtpd_restriction_sender_internal =
     check_recipient_access pcre:/etc/postfix/maps/access_sender_internal.pcre

3. Define who is a rectricted recipient in /etc/postfix/access_recipient.pcre:

    /SalesTeam@internal\.example$/  DUNNO
    /receives.external@internal\.example$/  DUNNO
    /@internal\.example/                    smtpd_restriction_sender_internal

4. Define who can email those recipients in /etc/postfix/maps/access_sender_internal.pcre

    /@internal\.example$/                         DUNNO
    /can.send.from.external@partner\.example$/    DUNNO
    /./                                           DEFER 4.2.0 Internal Recipient

Note that the order of smtpd_recipient_restrictions matters here - if you were to order any whitelisting mechanism before the new access lookup, it would be circumvented. Note also that this filters based on sender - if you for some reason accept external mail claiming to be originating from you, then filtering based on permit_sasl_authenticated or permit_mynetworks may be more appropriate, lest the otherwise restricted groups can be sent mail to if merely claiming to be an internal sender.