Resolved! Another concurrent thread "SASL Authentication per recipient domain" gave additional clues.
I ended up using a PCRE map for sender_dependent_relayhost_maps (domain names changed to protect the innocent and to better illustrate what was done): main.cf: smtp_sasl_auth_enable = yes smtp_sasl_password_maps = hash:$config_directory/tables/smtp_sasl_password_maps sender_dependent_relayhost_maps = pcre:$config_directory/tables/smtp_relayhost_maps.pcre smtp_tls_policy_maps = hash:$config_directory/tables/smtp_tls_policy_maps smtp_sasl_password_maps: [external.relaydomain.com]:2000 relayu...@relaydomain.com:password smtp_relayhost_maps.pcre: !/@mylocaldomain\.net$/ [external.relaydomain.com]:2000 smtp_tls_policy_maps: [external.relaydomain.com]:2000 encrypt Now all locally accepted domains except for "mylocaldomain.net" are relayed via external.relaydomain.com listening at port 2000. TLS and SASL authentication are used for external.relaydomain.com while emails sent from mylocaldomain.net domain are delivered directly to recipient smtp servers without SASL authentication or TLS. In the end the resolution always tends to be rather simple, but for people who don't live & breathe Postfix the (admittedly very good) documentation can be a beast to comb through to find the appropriate parameters and their application. But I'm not complaining, the more documentation the better! Whenever I work with Postfix I still always marvel its flexibility as compared to the ol' qmail I used to run few years back. Ville