How to disable local relay in postfix, for unauthenticated users?

Within your Postfix configuration, you can use the setting smtpd_recipient_restrictions in order to decide who should be able do use your server as a relay.

For example, in my config it looks like this:

smtpd_recipient_restrictions = 
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_unauth_destination

That means that every one from my network (see also the mynetworks setting) and everyone who is authenticated can send email. Simply remove permit_mynetworks, and nobody will be able to send email without authentication anymore. Just be aware that this might break other programs that currently rely on being able to send you email without authentication, and not just your PHP application.

Are you sure your scripts send email over TCP connection to localhost? This is quite uncommon, local emails are usually injected into postfix maildrop queue directly.

As mentioned by Alex, email's from local programs often get dumped right into the queue, bypassing all the network configs that you've deployed to block this.

The setting to control this local behavior is: authorized_submit_users

In your main.cf postfix config, you may have this line:

authorized_submit_users = static:anyone

It may not be set explicitly, but the above is the default, so ANY named user on localhost can submit directly to the queue. To block the submit queue completely, just define an empty list in main.cf:

authorized_submit_users =

or, I like to do the following to only allow root to submit on localhost:

authorized_submit_users = root

Reference: http://www.postfix.org/postconf.5.html