match from mail-from <blocked_senders> reject

That line doesn't have a for option, so "for local" is implied.

match from any for any mail-from <blocked_senders> reject

should do the trick.


However, if I use telnet/openssl s_client to connect to the server, I get an OK in response to MAIL FROM:<t...@simonhoffmann.net> and can state RCPT TO and DATA without any problems.

The reject (550 Invalid recipient) will happen after RCPT TO. (Earlier is only possible with a filter.) That is good and bad. The bad side is that the error message is "wrong", which makes stuff harder to debug. The good side of this behaviour is that it signals "Invalid recipient" to an adversary.

hth
