I have tried the procedures of "Restrict Postfix Recipients" & "Restrict sending to certain domains" from ZimbraWiki to make change in /opt/zimbra/postfix/conf/main.cf ....... however, they could not fit for our requirement...

Requirement
1/ ONLY allow the specified senders could initial an email for sending to wherever (i.e. "Mail From")
2/ Restrict the allowed senders to send mails to allowed recipients ONLY (i.e. "Rcpt To")
3/ Among the specified senders, only special accounts could send to *anyone* within the allowed recipients

I would like to address above point 1 & 2, it's OK if point 3 could not be solved anyway~

---------------------------------------------------------------------------------------------------------------------------------------------------------
Referring to the setting of "Restrict Postfix Recipients", it could only control who could sending mails to the specified recipients.... but even the not allowed senders (defined in "permitted_senders") could send mails to unspecified recipients (not defined in "protected_recipients")... it's focusing on the recipients.

I have successfully restricted who can send mails using the zimbra mail server by adding this line:
smtpd_sender_restrictions = hash:/opt/zimbra/postfix/conf/permitted_senders, reject
Remark: Both of the two lines for setting of "permitted_senders_list" & "smtpd_restriction_classes" is disabled without any side effect.

However, I just cannot control the "rcpt to" behavior...... even I have changed the setting for "smtpd_recipient_restrictions", the line just returned to the original one after restart zimbra !!

Original line in main.cf
smtpd_recipient_restrictions = hash:/opt/zimbra/postfix/conf/protected_recipients, reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unlisted_recipient, reject_invalid_hostname, reject_non_fqdn_sender, reject_unauth_destination, permit

Modified line in main.cf
smtpd_recipient_restrictions = hash:/opt/zimbra/postfix/conf/protected_recipients, reject

* I though the reason which could not restrict the "Rcpt To" is because, the default of the original line is set to permit instead of reject.....

Does anyone know how to do that? And please guide me to the right track, thanks!
---------------------------------------------------------------------------------------------------------------------------------------------------------
p.s. Indeed, we just want to allow some office users with @domainB.com a/c to send mails to retail shop staff with @shop.domainB.com a/c, and only allow them to reply to the office users (no inter-mails between @shop.domainB.com is allowed). As this case is somehow complicated, so we may give up the point 3....